I have a virus I can't remove

  • Joined: 18 Feb 2008
  • Posts: 987
  • Location: on the way to an island

Today AntiVirusXP2008 got onto my machine and it is blocking everything. Avast can't remove it (it stopped Avast too), and SpyBot doesn't register it as a threat. It's practically impossible to close it except by going online and then closing that window via close, because it removes the x in the top right corner. It won't uninstall from Add/Remove Programs. It changed my desktop, and across the middle there is a warning that I have viruses, which can't be removed. After a restart the internet started working again. What do you suggest? Should I run the scan that is usually recommended here, or something else? I also have AVG; I'm thinking of removing Avast, installing AVG and trying to remove it with that, but it seems to me that would be no use. Thanks.

  • Piksi
  • Elite citizen
  • Joined: 13 Nov 2003
  • Posts: 2435

@Silija

Follow these instructions ->
http://www.mycity.rs/Ambulanta/Kako-otvoriti-temu-u-Ambulanti.html

  • Joined: 18 Feb 2008
  • Posts: 987
  • Location: on the way to an island

Logfile of HijackThis v1.99.1
Scan saved at 18:40:29, on 21.7.2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Common Files\ACD Systems\EN\DevDetect.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\spoolsv.exe
D:\ZA CUVANJE\NetLimiter 2 Monitor\nlsvc.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\svchost.exe
D:\ZA CUVANJE\NetLimiter 2 Monitor\NLClient.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Documents and Settings\Administrator\Desktop\MC\TR3.exe.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [Device Detector] DevDetect.exe -autorun
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NetLimiter (nlsvc) - Locktime Software - D:\ZA CUVANJE\NetLimiter 2 Monitor\nlsvc.exe

  • dr_Bora
  • Anti Malware Fighter
    Rank 2
  • Joined: 24 Jul 2007
  • Posts: 12280
  • Location: Höganäs, SE

Hi...

Spybot S&D's TeaTimer needs to be temporarily disabled

Start Spybot S&D
Click the Mode item in the menu
Select Advanced Mode
In the bar on the left, click Tools
Click Resident
Untick Resident "Tea-Timer"
Close Spybot S&D
Restart the computer.

Don't forget to re-enable these options when we finish the cleanup.

-------------------------------------------------------------------------------------

Then right-click the avast! icon in the lower right corner of the screen and choose Program settings....

In the window that opens, under Troubleshooting, tick the option Disable avast! self-defence and click OK.

Also, right-click the avast! icon in the lower right corner of the screen and choose Stop On-Access Protection.

Note: Don't forget to turn these options back on once the cleanup is finished.

-------------------------------------------------------------------------------------

Download ComboFix to the Desktop from one of the following addresses:
http://download.bleepingcomputer.com/sUBs/ComboFix.exe
http://www.forospyware.com/sUBs/ComboFix.exe
http://subs.geekstogo.com/ComboFix.exe

Run it and do not touch the program window while it scans.
Follow the on-screen instructions. When it finishes, a log (C:\ComboFix.txt) will appear; copy it here for us.

  • Joined: 18 Feb 2008
  • Posts: 987
  • Location: on the way to an island

ComboFix 08-07-20.A0 - Administrator 2008-07-21 21:40:13.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.263 [GMT 2:00]
Running from: C:\Documents and Settings\Administrator\Desktop\MC\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Administrator\Application Data\rhcc7jj0eccn
C:\Program Files\rhcc7jj0eccn
C:\WINDOWS\system32\blphc97jj0eccn.scr
C:\WINDOWS\system32\lphc97jj0eccn.exe
C:\WINDOWS\system32\phc97jj0eccn.bmp
C:\WINDOWS\system32\pphc97jj0eccn.exe
C:\WINDOWS\system32\WinCtrl32.dll

.
((((((((((((((((((((((((( Files Created from 2008-06-21 to 2008-07-21 )))))))))))))))))))))))))))))))
.

2008-07-21 15:59 . 2008-07-21 15:59 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-07-21 15:59 . 2008-07-21 15:59 1,409 --a------ C:\WINDOWS\QTFont.for
2008-07-09 13:56 . 2008-07-09 13:56 <DIR> d-------- C:\Program Files\Alwil Software
2008-07-08 21:17 . 2008-07-08 21:17 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Avg8
2008-07-08 21:05 . 2008-07-08 21:05 <DIR> d-------- C:\Program Files\ACD Systems
2008-07-08 21:05 . 2008-07-08 21:05 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\ACD Systems
2008-07-08 21:04 . 2008-07-08 21:04 69 --a------ C:\WINDOWS\NeroDigital.ini
2008-07-08 18:42 . 2008-07-08 18:42 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-07-08 18:42 . 2008-07-08 19:15 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-07-08 18:35 . 2008-07-08 20:12 <DIR> d-------- C:\Program Files\Yahoo!
2008-07-08 15:09 . 2003-08-19 13:36 65,536 --a------ C:\WINDOWS\system32\dllcache\a3d.dll
2008-07-08 15:09 . 2003-08-19 13:36 65,536 -ra------ C:\WINDOWS\system32\Audio3D.dll
2008-07-08 15:09 . 2003-08-19 13:36 65,536 -ra------ C:\WINDOWS\system32\a3d.dll
2008-07-05 14:25 . 2008-07-13 18:20 32 --a------ C:\WINDOWS\hip
2008-07-05 09:46 . 2008-07-05 09:46 <DIR> d-------- C:\WINDOWS\system32\xircom
2008-07-05 09:46 . 2008-07-05 09:46 <DIR> d-------- C:\Program Files\microsoft frontpage
2008-07-04 12:54 . 2008-07-04 12:54 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Locktime
2008-07-04 12:52 . 2008-07-04 12:52 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Locktime
2008-06-30 17:28 . 2008-06-30 17:30 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-06-30 17:27 . 2008-06-30 17:27 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-06-26 10:04 . 2008-06-26 10:04 268 --ah----- C:\sqmdata00.sqm
2008-06-26 10:04 . 2008-06-26 10:04 244 --ah----- C:\sqmnoopt00.sqm

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-07-19 09:14 --------- d-----w C:\Documents and Settings\Administrator\Application Data\mIRC
2008-07-19 09:13 --------- d-----w C:\Program Files\mIRC
2008-07-16 21:29 --------- d-----w C:\Documents and Settings\Administrator\Application Data\Skype
2008-07-16 14:18 --------- d-----w C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-07-15 10:39 --------- d-----w C:\Documents and Settings\Administrator\Application Data\Ahead
2008-07-08 19:05 --------- d-----w C:\Program Files\Common Files\ACD Systems
2008-07-08 18:50 --------- d-----w C:\Program Files\Common Files\Ahead
2008-06-30 15:29 --------- d-----w C:\Program Files\Lavasoft
2008-06-30 15:29 --------- d-----w C:\Documents and Settings\Administrator\Application Data\Lavasoft
2008-06-18 16:21 --------- dcsh--w C:\Program Files\Common Files\WindowsLiveInstaller
2008-06-18 16:09 --------- d-----w C:\Documents and Settings\All Users\Application Data\WLInstaller
2008-06-16 19:01 --------- d-----w C:\Documents and Settings\Administrator\Application Data\MSNInstaller
2008-05-16 09:58 12,632 ----a-w C:\WINDOWS\system32\lsdelete.exe
2008-03-14 18:51 0 ----a-w C:\Program Files\temp01
.

------- Sigcheck -------

2007-10-30 19:20 360064 90caff4b094573449a0872a0f919b178 C:\WINDOWS\SoftwareDistribution\Download\146ae5e7b51a37f45e0e5cf03d0d5e3c\SP2GDR\tcpip.sys
2007-10-30 18:53 360832 64798ecfa43d78c7178375fcdd16d8c8 C:\WINDOWS\SoftwareDistribution\Download\146ae5e7b51a37f45e0e5cf03d0d5e3c\SP2QFE\tcpip.sys
2004-06-17 11:00 360448 65c34c093e839505636954ead50fa315 C:\WINDOWS\system32\drivers\tcpip.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-06-17 11:00 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-11-30 22:10 344064]
"NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 16:40 155648]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2008-05-16 01:19 79224]
"SoundMan"="SOUNDMAN.EXE" [2004-06-18 10:31 67584 C:\WINDOWS\SOUNDMAN.EXE]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"ForceClassicControlPanel"= 1 (0x1)

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"ForceClassicControlPanel"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.3iv2"= 3ivxVfWCodec.dll
"VIDC.HFYU"= huffyuv.dll
"VIDC.VP31"= vp31vfw.dll
"VIDC.X264"= x264vfw.dll
"VIDC.ACDV"= ACDV.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winek06.sys]
@="Driver"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
backup=C:\WINDOWS\pss\Adobe Gamma Loader.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Synchronizer.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Synchronizer.lnk
backup=C:\WINDOWS\pss\Adobe Reader Synchronizer.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
--a------ 2005-01-12 04:01 32768 C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
--a------ 2006-12-18 18:32 25365032 C:\Program Files\Skype\Phone\Skype.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\mIRC\\mirc.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=

R1 aswSP;avast! Self Protection;C:\WINDOWS\system32\drivers\aswSP.sys [2008-05-16 01:20]
R1 nltdi;nltdi;C:\WINDOWS\system32\drivers\nltdi.sys [2007-04-23 18:08]
R2 aswFsBlk;aswFsBlk;C:\WINDOWS\system32\DRIVERS\aswFsBlk.sys [2008-05-16 01:16]
S0 Winek06;Winek06;C:\WINDOWS\system32\Drivers\Winek06.sys []
S3 SetupNTGLM7X;SetupNTGLM7X;E:\NTGLM7X.sys []

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e2f95a11-c830-11dc-9a01-806d6172696f}]
\Shell\AutoRun\command - E:\Setup.exe
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-Device Detector - DevDetect.exe
MSConfigStartUp-NeroFilterCheck - C:\WINDOWS\system32\NeroCheck.exe


.
------- Supplementary Scan -------
.
R0 -: HKCU-Main,Start Page = hxxp://www.google.com/
O8 -: E&xport to Microsoft Excel - C:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000


**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-21 21:42:05
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-07-21 21:44:22
ComboFix-quarantined-files.txt 2008-07-21 19:43:55

Pre-Run: 15,412,994,048 bytes free
Post-Run: 15,604,768,768 bytes free

  • dr_Bora
  • Anti Malware Fighter
    Rank 2
  • Joined: 24 Jul 2007
  • Posts: 12280
  • Location: Höganäs, SE

The protection software needs to be deactivated again...

Then open Notepad and copy the following text into it:

Driver::
Winek06

Registry::
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winek06.sys]

Save the file from Notepad to the Desktop as "CFScript"

Drag the saved script/text onto the ComboFix icon as in the picture.
Post the log that is created at the end of the cleaning/scanning in your next message.
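The script in the post above targets a driver service that the ComboFix log lists with an empty timestamp (S0 Winek06 ... []) together with its SafeBoot\Minimal key, so that it cannot load even in Safe Mode. What follows is an added example, not code from this thread, from ComboFix or from HijackThis: a small Python triage helper that pulls such entries out of HijackThis and ComboFix log lines (the sample lines are constructed from the logs quoted in this thread), cross-references flagged drivers with SafeBoot keys, and renders a CFScript in the same shape as the one dr_Bora posted. It assumes that empty [] on a ComboFix driver line means the file was not found on disk, and it leaves the choice of which names go into the script to the analyst, because a missing file is only a lead: the same log also shows S3 SetupNTGLM7X with E:\NTGLM7X.sys [], a driver entry pointing at drive E: that dr_Bora left alone.

```python
"""Triage of HijackThis / ComboFix autostart lines (added example; not forum
or tool code). Flags services and drivers whose binary is not on disk,
cross-references them with SafeBoot keys, and renders a CFScript in the
shape dr_Bora posted in this thread."""
import re
from dataclasses import dataclass, field

# Constructed sample, copied in shape from the logs quoted in this thread.
SAMPLE_LOG = r"""
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
R1 aswSP;avast! Self Protection;C:\WINDOWS\system32\drivers\aswSP.sys [2008-05-16 01:20]
S0 Winek06;Winek06;C:\WINDOWS\system32\Drivers\Winek06.sys []
S3 SetupNTGLM7X;SetupNTGLM7X;E:\NTGLM7X.sys []
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winek06.sys]
"""

# ComboFix driver/service line: "<start type> <name>;<display name>;<path> [<timestamp>]".
# Assumption: empty brackets mean ComboFix found no file at that path.
DRIVER_RE = re.compile(r"^([RS]\d)\s+([^;]+);([^;]*);(.*?)\s*\[(.*)\]\s*$")
# HijackThis O23 line: "O23 - Service: <display> - <owner> - <path>".
HJT_O23_RE = re.compile(r"^O23 - Service: (.*?) - (.*?) - (.*)$")
SAFEBOOT_BASE = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot"
SAFEBOOT_RE = re.compile(
    r"^\[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\SafeBoot\\(Minimal|Network)\\([^\]]+)\]$"
)


@dataclass
class Finding:
    kind: str            # "driver" (ComboFix line) or "service" (HijackThis O23 line)
    name: str
    path: str
    reason: str
    safeboot_keys: list = field(default_factory=list)


def triage(log_text):
    """Return {name: Finding} for every autostart entry whose file is missing."""
    findings = {}
    safeboot = []
    for line in log_text.splitlines():
        line = line.rstrip()
        m = DRIVER_RE.match(line)
        if m:
            start, name, _display, path, stamp = m.groups()
            if not stamp.strip():
                findings[name] = Finding(
                    "driver", name, path,
                    f"{start} entry with no file timestamp: binary not found on disk")
            continue
        m = HJT_O23_RE.match(line)
        if m:
            display, _owner, path = m.groups()
            if "(file missing)" in path:
                findings[display] = Finding(
                    "service", display, path, "HijackThis reports the service binary as missing")
            continue
        m = SAFEBOOT_RE.match(line)
        if m:
            safeboot.append(m.groups())
    # A SafeBoot\Minimal entry lets a driver load even in Safe Mode; attach it to
    # any flagged driver so the analyst sees both things that need removing.
    for profile, entry in safeboot:
        base = entry[:-4] if entry.lower().endswith(".sys") else entry
        if base in findings:
            findings[base].safeboot_keys.append(f"{SAFEBOOT_BASE}\\{profile}\\{entry}")
    return findings


def build_cfscript(findings, service_names):
    """Render a CFScript like the one in the thread: Driver:: lists services to
    remove, Registry:: lists keys to delete (leading '-'). Only the names the
    analyst passes in are used, so a flagged-but-harmless entry stays untouched."""
    drivers = [n for n in service_names if n in findings and findings[n].kind == "driver"]
    keys = [k for n in drivers for k in findings[n].safeboot_keys]
    lines = ["Driver::", *drivers]
    if keys:
        lines += ["", "Registry::", *(f"[-{k}]" for k in keys)]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    for f in found.values():
        print(f"{f.kind:7} {f.name:22} {f.reason}")
    print(build_cfscript(found, ["Winek06"]))
```

Run as a script it prints the triage list and the generated CFScript for Winek06. The HijackThis avast! lines from this thread, which show a stray quote and `/service` in the path, get flagged as well; that is why the output is a list for a human to review rather than something to feed to ComboFix unchecked.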

  • Joined: 18 Feb 2008
  • Posts: 987
  • Location: on the way to an island

When I re-enabled SpyBot it asked me whether I allow some change. My finger was faster than my brain, I don't know what I clicked. A second question followed, which I understood as whether I allow a change via the desktop and screensaver (everything was happening via the desktop - change of colour, removal of my picture...), so I said NO. When I did a new scan with ComboFix, it asked whether I allow the change on the desktop to be removed - I said yes. If I did anything wrong here....

When enabling avast, when I let it be enabled again, should I also click the icon and click stop on-access... again?

The scans I did in the previous 2 posts took 70 MB from me. Is that normal?

Finally, here is the new scan.


ComboFix 08-07-20.A0 - Administrator 2008-07-22 11:47:10.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.254 [GMT 2:00]
Running from: C:\Documents and Settings\Administrator\Desktop\MC\ComboFix.exe
Command switches used :: C:\Documents and Settings\Administrator\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((( Files Created from 2008-06-22 to 2008-07-22 )))))))))))))))))))))))))))))))
.

2008-07-21 15:59 . 2008-07-21 15:59 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-07-21 15:59 . 2008-07-21 15:59 1,409 --a------ C:\WINDOWS\QTFont.for
2008-07-09 13:56 . 2008-07-09 13:56 <DIR> d-------- C:\Program Files\Alwil Software
2008-07-08 21:17 . 2008-07-08 21:17 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Avg8
2008-07-08 21:05 . 2008-07-08 21:05 <DIR> d-------- C:\Program Files\ACD Systems
2008-07-08 21:05 . 2008-07-08 21:05 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\ACD Systems
2008-07-08 21:04 . 2008-07-08 21:04 69 --a------ C:\WINDOWS\NeroDigital.ini
2008-07-08 18:42 . 2008-07-08 18:42 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-07-08 18:42 . 2008-07-08 19:15 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-07-08 18:35 . 2008-07-08 20:12 <DIR> d-------- C:\Program Files\Yahoo!
2008-07-08 15:09 . 2003-08-19 13:36 65,536 --a------ C:\WINDOWS\system32\dllcache\a3d.dll
2008-07-08 15:09 . 2003-08-19 13:36 65,536 -ra------ C:\WINDOWS\system32\Audio3D.dll
2008-07-08 15:09 . 2003-08-19 13:36 65,536 -ra------ C:\WINDOWS\system32\a3d.dll
2008-07-05 14:25 . 2008-07-13 18:20 32 --a------ C:\WINDOWS\hip
2008-07-05 09:46 . 2008-07-05 09:46 <DIR> d-------- C:\WINDOWS\system32\xircom
2008-07-05 09:46 . 2008-07-05 09:46 <DIR> d-------- C:\Program Files\microsoft frontpage
2008-07-04 12:54 . 2008-07-04 12:54 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Locktime
2008-07-04 12:52 . 2008-07-04 12:52 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Locktime
2008-06-30 17:28 . 2008-06-30 17:30 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-06-30 17:27 . 2008-06-30 17:27 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-06-26 10:04 . 2008-06-26 10:04 268 --ah----- C:\sqmdata00.sqm
2008-06-26 10:04 . 2008-06-26 10:04 244 --ah----- C:\sqmnoopt00.sqm

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-07-19 09:14 --------- d-----w C:\Documents and Settings\Administrator\Application Data\mIRC
2008-07-19 09:13 --------- d-----w C:\Program Files\mIRC
2008-07-16 21:29 --------- d-----w C:\Documents and Settings\Administrator\Application Data\Skype
2008-07-16 14:18 --------- d-----w C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-07-15 10:39 --------- d-----w C:\Documents and Settings\Administrator\Application Data\Ahead
2008-07-08 19:05 --------- d-----w C:\Program Files\Common Files\ACD Systems
2008-07-08 18:50 --------- d-----w C:\Program Files\Common Files\Ahead
2008-06-30 15:29 --------- d-----w C:\Program Files\Lavasoft
2008-06-30 15:29 --------- d-----w C:\Documents and Settings\Administrator\Application Data\Lavasoft
2008-06-18 16:21 --------- dcsh--w C:\Program Files\Common Files\WindowsLiveInstaller
2008-06-18 16:09 --------- d-----w C:\Documents and Settings\All Users\Application Data\WLInstaller
2008-06-16 19:01 --------- d-----w C:\Documents and Settings\Administrator\Application Data\MSNInstaller
2008-05-16 09:58 12,632 ----a-w C:\WINDOWS\system32\lsdelete.exe
2008-03-14 18:51 0 ----a-w C:\Program Files\temp01
.

------- Sigcheck -------

2007-10-30 19:20 360064 90caff4b094573449a0872a0f919b178 C:\WINDOWS\SoftwareDistribution\Download\146ae5e7b51a37f45e0e5cf03d0d5e3c\SP2GDR\tcpip.sys
2007-10-30 18:53 360832 64798ecfa43d78c7178375fcdd16d8c8 C:\WINDOWS\SoftwareDistribution\Download\146ae5e7b51a37f45e0e5cf03d0d5e3c\SP2QFE\tcpip.sys
2004-06-17 11:00 360448 65c34c093e839505636954ead50fa315 C:\WINDOWS\system32\drivers\tcpip.sys
.
((((((((((((((((((((((((((((( snapshot@2008-07-21_21.43.45.10 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-07-21 19:30:57 32,768 ----a-w C:\WINDOWS\TEMP\Cookies\index.dat
+ 2008-07-22 09:36:04 32,768 ----a-w C:\WINDOWS\TEMP\Cookies\index.dat
- 2008-07-21 19:30:57 32,768 ----a-w C:\WINDOWS\TEMP\History\History.IE5\index.dat
+ 2008-07-22 09:36:04 32,768 ----a-w C:\WINDOWS\TEMP\History\History.IE5\index.dat
+ 2008-07-22 09:35:44 32,768 ----a-w C:\WINDOWS\TEMP\History\History.IE5\MSHist012008072220080723\index.dat
+ 2008-07-22 09:35:54 16,384 ----atw C:\WINDOWS\TEMP\Perflib_Perfdata_688.dat
- 2008-07-21 19:30:57 32,768 ----a-w C:\WINDOWS\TEMP\Temporary Internet Files\Content.IE5\index.dat
+ 2008-07-22 09:36:04 32,768 ----a-w C:\WINDOWS\TEMP\Temporary Internet Files\Content.IE5\index.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-06-17 11:00 15360]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 11:43 2097488]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-11-30 22:10 344064]
"NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 16:40 155648]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2008-05-16 01:19 79224]
"SoundMan"="SOUNDMAN.EXE" [2004-06-18 10:31 67584 C:\WINDOWS\SOUNDMAN.EXE]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"ForceClassicControlPanel"= 1 (0x1)

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"ForceClassicControlPanel"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.3iv2"= 3ivxVfWCodec.dll
"VIDC.HFYU"= huffyuv.dll
"VIDC.VP31"= vp31vfw.dll
"VIDC.X264"= x264vfw.dll
"VIDC.ACDV"= ACDV.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winek06.sys]
@="Driver"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
backup=C:\WINDOWS\pss\Adobe Gamma Loader.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Synchronizer.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Synchronizer.lnk
backup=C:\WINDOWS\pss\Adobe Reader Synchronizer.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
--a------ 2005-01-12 04:01 32768 C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
--a------ 2006-12-18 18:32 25365032 C:\Program Files\Skype\Phone\Skype.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\mIRC\\mirc.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=

R1 aswSP;avast! Self Protection;C:\WINDOWS\system32\drivers\aswSP.sys [2008-05-16 01:20]
R1 nltdi;nltdi;C:\WINDOWS\system32\drivers\nltdi.sys [2007-04-23 18:08]
R2 aswFsBlk;aswFsBlk;C:\WINDOWS\system32\DRIVERS\aswFsBlk.sys [2008-05-16 01:16]
S0 Winek06;Winek06;C:\WINDOWS\system32\Drivers\Winek06.sys []
S3 SetupNTGLM7X;SetupNTGLM7X;E:\NTGLM7X.sys []

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e2f95a11-c830-11dc-9a01-806d6172696f}]
\Shell\AutoRun\command - E:\Setup.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-22 11:48:35
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-07-22 11:50:55
ComboFix-quarantined-files.txt 2008-07-22 09:50:19
ComboFix2.txt 2008-07-21 19:44:23

Pre-Run: 15,588,962,304 bytes free
Post-Run: 15,581,757,440 bytes free

  • dr_Bora
  • Anti Malware Fighter
    Rank 2
  • Joined: 24 Jul 2007
  • Posts: 12280
  • Location: Höganäs, SE

Quote: The scans I did in the previous 2 posts took 70 MB from me. Is that normal?

70 MB of what? Disk space?

You currently have 15,581,757,440 bytes free on drive C.
Before the first scan there were 15,412,994,048 bytes free.

In any case, everything is under control.

Following the instructions given earlier, disable TeaTimer and avast!, and don't set up or enable anything else until I tell you to.

Open Notepad and copy the following text into it:

Driver::
Winek06

Registry::
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winek06.sys]

Save the file from Notepad to the Desktop as "CFScript"

Drag the saved script/text onto the ComboFix icon as in the picture.
Post the log that is created at the end of the cleaning/scanning in your next message.

  • Joined: 18 Feb 2008
  • Posts: 987
  • Location: on the way to an island

Somewhere along the way I realised that I should have turned the protection back on. So, here is a new scan without protection.

The MB are megabytes of internet traffic, 70 MB in the short time it took me to read what to do and do it, which wasn't even half an hour.

Add/Remove Programs says it isn't there any more. That was before this scan I'm sending now. The icons and the changes on the desktop stayed, but I was allowed to remove all of that and restore the desktop to how it was.



ComboFix 08-07-20.A0 - Administrator 2008-07-22 18:46:06.4 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.244 [GMT 2:00]
Running from: C:\Documents and Settings\Administrator\Desktop\MC\ComboFix.exe
Command switches used :: C:\Documents and Settings\Administrator\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((( Files Created from 2008-06-22 to 2008-07-22 )))))))))))))))))))))))))))))))
.

2008-07-21 15:59 . 2008-07-21 15:59 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-07-21 15:59 . 2008-07-21 15:59 1,409 --a------ C:\WINDOWS\QTFont.for
2008-07-09 13:56 . 2008-07-09 13:56 <DIR> d-------- C:\Program Files\Alwil Software
2008-07-08 21:17 . 2008-07-08 21:17 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Avg8
2008-07-08 21:05 . 2008-07-08 21:05 <DIR> d-------- C:\Program Files\ACD Systems
2008-07-08 21:05 . 2008-07-08 21:05 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\ACD Systems
2008-07-08 21:04 . 2008-07-08 21:04 69 --a------ C:\WINDOWS\NeroDigital.ini
2008-07-08 18:42 . 2008-07-08 18:42 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-07-08 18:42 . 2008-07-08 19:15 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-07-08 18:35 . 2008-07-08 20:12 <DIR> d-------- C:\Program Files\Yahoo!
2008-07-08 15:09 . 2003-08-19 13:36 65,536 --a------ C:\WINDOWS\system32\dllcache\a3d.dll
2008-07-08 15:09 . 2003-08-19 13:36 65,536 -ra------ C:\WINDOWS\system32\Audio3D.dll
2008-07-08 15:09 . 2003-08-19 13:36 65,536 -ra------ C:\WINDOWS\system32\a3d.dll
2008-07-05 14:25 . 2008-07-13 18:20 32 --a------ C:\WINDOWS\hip
2008-07-05 09:46 . 2008-07-05 09:46 <DIR> d-------- C:\WINDOWS\system32\xircom
2008-07-05 09:46 . 2008-07-05 09:46 <DIR> d-------- C:\Program Files\microsoft frontpage
2008-07-04 12:54 . 2008-07-04 12:54 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Locktime
2008-07-04 12:52 . 2008-07-04 12:52 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Locktime
2008-06-30 17:28 . 2008-06-30 17:30 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-06-30 17:27 . 2008-06-30 17:27 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-06-26 10:04 . 2008-06-26 10:04 268 --ah----- C:\sqmdata00.sqm
2008-06-26 10:04 . 2008-06-26 10:04 244 --ah----- C:\sqmnoopt00.sqm

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-07-19 09:14 --------- d-----w C:\Documents and Settings\Administrator\Application Data\mIRC
2008-07-19 09:13 --------- d-----w C:\Program Files\mIRC
2008-07-16 21:29 --------- d-----w C:\Documents and Settings\Administrator\Application Data\Skype
2008-07-16 14:18 --------- d-----w C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-07-15 10:39 --------- d-----w C:\Documents and Settings\Administrator\Application Data\Ahead
2008-07-08 19:05 --------- d-----w C:\Program Files\Common Files\ACD Systems
2008-07-08 18:50 --------- d-----w C:\Program Files\Common Files\Ahead
2008-06-30 15:29 --------- d-----w C:\Program Files\Lavasoft
2008-06-30 15:29 --------- d-----w C:\Documents and Settings\Administrator\Application Data\Lavasoft
2008-06-18 16:21 --------- dcsh--w C:\Program Files\Common Files\WindowsLiveInstaller
2008-06-18 16:09 --------- d-----w C:\Documents and Settings\All Users\Application Data\WLInstaller
2008-06-16 19:01 --------- d-----w C:\Documents and Settings\Administrator\Application Data\MSNInstaller
2008-05-16 09:58 12,632 ----a-w C:\WINDOWS\system32\lsdelete.exe
2008-03-14 18:51 0 ----a-w C:\Program Files\temp01
.

------- Sigcheck -------

2007-10-30 19:20 360064 90caff4b094573449a0872a0f919b178 C:\WINDOWS\SoftwareDistribution\Download\146ae5e7b51a37f45e0e5cf03d0d5e3c\SP2GDR\tcpip.sys
2007-10-30 18:53 360832 64798ecfa43d78c7178375fcdd16d8c8 C:\WINDOWS\SoftwareDistribution\Download\146ae5e7b51a37f45e0e5cf03d0d5e3c\SP2QFE\tcpip.sys
2004-06-17 11:00 360448 65c34c093e839505636954ead50fa315 C:\WINDOWS\system32\drivers\tcpip.sys
.
((((((((((((((((((((((((((((( snapshot@2008-07-21_21.43.45.10 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-07-21 19:30:57 32,768 ----a-w C:\WINDOWS\TEMP\Cookies\index.dat
+ 2008-07-22 16:31:12 32,768 ----a-w C:\WINDOWS\TEMP\Cookies\index.dat
- 2008-07-21 19:30:57 32,768 ----a-w C:\WINDOWS\TEMP\History\History.IE5\index.dat
+ 2008-07-22 16:31:12 32,768 ----a-w C:\WINDOWS\TEMP\History\History.IE5\index.dat
+ 2008-07-22 16:30:47 32,768 ----a-w C:\WINDOWS\TEMP\History\History.IE5\MSHist012008072220080723\index.dat
+ 2008-07-22 16:30:56 16,384 ----atw C:\WINDOWS\TEMP\Perflib_Perfdata_6a0.dat
- 2008-07-21 19:30:57 32,768 ----a-w C:\WINDOWS\TEMP\Temporary Internet Files\Content.IE5\index.dat
+ 2008-07-22 16:31:12 32,768 ----a-w C:\WINDOWS\TEMP\Temporary Internet Files\Content.IE5\index.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-06-17 11:00 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-11-30 22:10 344064]
"NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 16:40 155648]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2008-05-16 01:19 79224]
"SoundMan"="SOUNDMAN.EXE" [2004-06-18 10:31 67584 C:\WINDOWS\SOUNDMAN.EXE]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"ForceClassicControlPanel"= 1 (0x1)

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"ForceClassicControlPanel"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.3iv2"= 3ivxVfWCodec.dll
"VIDC.HFYU"= huffyuv.dll
"VIDC.VP31"= vp31vfw.dll
"VIDC.X264"= x264vfw.dll
"VIDC.ACDV"= ACDV.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winek06.sys]
@="Driver"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
backup=C:\WINDOWS\pss\Adobe Gamma Loader.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Synchronizer.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Synchronizer.lnk
backup=C:\WINDOWS\pss\Adobe Reader Synchronizer.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
--a------ 2005-01-12 04:01 32768 C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
--a------ 2006-12-18 18:32 25365032 C:\Program Files\Skype\Phone\Skype.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\mIRC\\mirc.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=

R1 aswSP;avast! Self Protection;C:\WINDOWS\system32\drivers\aswSP.sys [2008-05-16 01:20]
R1 nltdi;nltdi;C:\WINDOWS\system32\drivers\nltdi.sys [2007-04-23 18:08]
R2 aswFsBlk;aswFsBlk;C:\WINDOWS\system32\DRIVERS\aswFsBlk.sys [2008-05-16 01:16]
S0 Winek06;Winek06;C:\WINDOWS\system32\Drivers\Winek06.sys []
S3 SetupNTGLM7X;SetupNTGLM7X;E:\NTGLM7X.sys []

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e2f95a11-c830-11dc-9a01-806d6172696f}]
\Shell\AutoRun\command - E:\Setup.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-22 18:47:29
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-07-22 18:49:43
ComboFix-quarantined-files.txt 2008-07-22 16:49:37
ComboFix2.txt 2008-07-22 09:50:56
ComboFix3.txt 2008-07-21 19:44:23

Pre-Run: 15,577,796,608 bytes free
Post-Run: 15,570,194,432 bytes free

134

offline
  • dr_Bora  Male
  • Anti Malware Fighter
    Rank 2
  • Joined: 24 Jul 2007
  • Posts: 12280
  • Location: Höganäs, SE

The scans have nothing to do with your internet traffic (the programs used do not access the net, and ComboFix even cuts the internet connection while it runs - so the only usage related to this was downloading the programs, and that is less than 3 MB).
Probably some program, or Windows itself, was running an update.


No... The previous procedure did not do what it was supposed to either.
We will try another way.

Download the file from [url=https://www.mycity.rs/must-login.png]this link[/url] to the Desktop.

Double-click it - when the prompt appears, click Yes.



Restart the computer, then double-click ComboFix to run it and post here the logfile it creates.
