Can someone take a look at this log?


  • Joined: 21 Dec 2005
  • Posts: 228
  • Location: Kostolac

I scanned 3 flash drives, without the one from my friend, because there is definitely some virus on it.

Here's the log.
USBNoRisk 2.5 (26 July 2009) by bobby

Started at 3.9.2009 20:03:18

Searching for connected USB Mass storage...
----------------------------------------
========================================

Searching for other storage...
----------------------------------------
F: {5a0c8558-b1a8-11dd-ae3f-0015586553ce}
C: {6df1ddb8-9dfe-11dc-9939-806d6172696f}
E: {6df1ddb9-9dfe-11dc-9939-806d6172696f}
========================================


Scanning fixed storage...
----------------------------------------

No blocked files found on C:
No Autorun.inf files found on C:
No mountpoint found for C:
No mountpoint found for 6df1ddb8-9dfe-11dc-9939-806d6172696f
No Desktop.ini files found on C:
----------------------------------------

No blocked files found on E:
No Autorun.inf files found on E:
No mountpoint found for E:
No mountpoint found for 6df1ddb9-9dfe-11dc-9939-806d6172696f
No Desktop.ini files found on E:
----------------------------------------

No blocked files found on F:
No Autorun.inf files found on F:
No mountpoint found for F:
No mountpoint found for 5a0c8558-b1a8-11dd-ae3f-0015586553ce
----------------------------------------
Desktop.ini found at F:\Fonts - crni komp 28 07 2009\ contains interesting CLSID string
----------------------------------------
[.ShellClassInfo]
UICLSID={BD84B380-8CA2-1069-AB1D-08000948F534}
----------------------------------------
HKCR\CLSID\{BD84B380-8CA2-1069-AB1D-08000948F534}\DefaultIcon,@ = %SystemRoot%\System32\fontext.dll,-101
HKCR\CLSID\{BD84B380-8CA2-1069-AB1D-08000948F534}\InProcServer32,@ = fontext.dll
HKLM\Software\Classes\CLSID\{BD84B380-8CA2-1069-AB1D-08000948F534}\DefaultIcon,@ = %SystemRoot%\System32\fontext.dll,-101
HKLM\Software\Classes\CLSID\{BD84B380-8CA2-1069-AB1D-08000948F534}\InProcServer32,@ = fontext.dll
----------------------------------------

========================================
Initial scan finished!
========================================


New device connected at 3.9.2009 20:03:34

Scanning for connected USB mass storage...
----------------------------------------
G: {17e1df09-b3de-11dc-ad36-0015586553ce}
Added G:
========================================

Scanning USB mass storage for files...
----------------------------------------
No blocked files found on G:
----------------------------------------
No Autorun.inf files found on G:
No mountpoint found for 17e1df09-b3de-11dc-ad36-0015586553ce
----------------------------------------

No Desktop.ini files found on G:
----------------------------------------

No mimics found on drive G:
========================================

========================================
Removed G:
========================================


New device connected at 3.9.2009 20:04:14

Scanning for connected USB mass storage...
----------------------------------------
G: {13675a52-21fb-11dd-ada6-0015586553ce}
Added G:
========================================

Scanning USB mass storage for files...
----------------------------------------
No blocked files found on G:
----------------------------------------
No Autorun.inf files found on G:
No mountpoint found for 13675a52-21fb-11dd-ada6-0015586553ce
----------------------------------------

No Desktop.ini files found on G:
----------------------------------------

No mimics found on drive G:
========================================

========================================
Removed G:
========================================


New device connected at 3.9.2009 20:04:58

Scanning for connected USB mass storage...
----------------------------------------
H: {91248615-46bf-11dd-adc4-0015586553ce}
Added H:
========================================

Scanning USB mass storage for files...
----------------------------------------
No blocked files found on H:
----------------------------------------
No Autorun.inf files found on H:
No mountpoint found for 91248615-46bf-11dd-adc4-0015586553ce
----------------------------------------

----------------------------------------
Desktop.ini found at H:\Fonts - crni komp 28 07 2009\ contains interesting CLSID string
----------------------------------------
[.ShellClassInfo]
UICLSID={BD84B380-8CA2-1069-AB1D-08000948F534}
----------------------------------------
HKCR\CLSID\{BD84B380-8CA2-1069-AB1D-08000948F534}\DefaultIcon,@ = %SystemRoot%\System32\fontext.dll,-101
HKCR\CLSID\{BD84B380-8CA2-1069-AB1D-08000948F534}\InProcServer32,@ = fontext.dll
HKLM\Software\Classes\CLSID\{BD84B380-8CA2-1069-AB1D-08000948F534}\DefaultIcon,@ = %SystemRoot%\System32\fontext.dll,-101
HKLM\Software\Classes\CLSID\{BD84B380-8CA2-1069-AB1D-08000948F534}\InProcServer32,@ = fontext.dll
----------------------------------------
Desktop.ini found at H:\Fonts - LAPTOP 13 07 09\ contains interesting CLSID string
----------------------------------------
[.ShellClassInfo]
UICLSID={BD84B380-8CA2-1069-AB1D-08000948F534}
----------------------------------------
HKCR\CLSID\{BD84B380-8CA2-1069-AB1D-08000948F534}\DefaultIcon,@ = %SystemRoot%\System32\fontext.dll,-101
HKCR\CLSID\{BD84B380-8CA2-1069-AB1D-08000948F534}\InProcServer32,@ = fontext.dll
HKLM\Software\Classes\CLSID\{BD84B380-8CA2-1069-AB1D-08000948F534}\DefaultIcon,@ = %SystemRoot%\System32\fontext.dll,-101
HKLM\Software\Classes\CLSID\{BD84B380-8CA2-1069-AB1D-08000948F534}\InProcServer32,@ = fontext.dll
----------------------------------------
Desktop.ini found at H:\Fonts sistem 23 08 06\ contains interesting CLSID string
----------------------------------------
[.ShellClassInfo]
UICLSID={BD84B380-8CA2-1069-AB1D-08000948F534}
----------------------------------------
HKCR\CLSID\{BD84B380-8CA2-1069-AB1D-08000948F534}\DefaultIcon,@ = %SystemRoot%\System32\fontext.dll,-101
HKCR\CLSID\{BD84B380-8CA2-1069-AB1D-08000948F534}\InProcServer32,@ = fontext.dll
HKLM\Software\Classes\CLSID\{BD84B380-8CA2-1069-AB1D-08000948F534}\DefaultIcon,@ = %SystemRoot%\System32\fontext.dll,-101
HKLM\Software\Classes\CLSID\{BD84B380-8CA2-1069-AB1D-08000948F534}\InProcServer32,@ = fontext.dll
----------------------------------------

No mimics found on drive H:
========================================

========================================
Removed H:
========================================


Just tell me how to delete the virus from that flash drive of my friend's without it restarting my computer, because it restarted as soon as I plugged it in last time.
Thanks

  • helen1
  • Anti Malware Fighter, Rank 2
  • Master teacher
  • Joined: 27 Aug 2005
  • Posts: 8617
  • Location: Novi Beograd

Go ahead and plug in the infected one too, but turn off the antivirus first. Then run USBNoRisk.

  • Joined: 21 Dec 2005
  • Posts: 228
  • Location: Kostolac

Here's the log of just the infected flash drive

USBNoRisk 2.5 (26 July 2009) by bobby

Started at 3.9.2009 20:12:30

Searching for connected USB Mass storage...
----------------------------------------
========================================

Searching for other storage...
----------------------------------------
F: {5a0c8558-b1a8-11dd-ae3f-0015586553ce}
C: {6df1ddb8-9dfe-11dc-9939-806d6172696f}
E: {6df1ddb9-9dfe-11dc-9939-806d6172696f}
========================================


Scanning fixed storage...
----------------------------------------

No blocked files found on C:
No Autorun.inf files found on C:
No mountpoint found for C:
No mountpoint found for 6df1ddb8-9dfe-11dc-9939-806d6172696f
No Desktop.ini files found on C:
----------------------------------------

No blocked files found on E:
No Autorun.inf files found on E:
No mountpoint found for E:
No mountpoint found for 6df1ddb9-9dfe-11dc-9939-806d6172696f
No Desktop.ini files found on E:
----------------------------------------

No blocked files found on F:
No Autorun.inf files found on F:
No mountpoint found for F:
No mountpoint found for 5a0c8558-b1a8-11dd-ae3f-0015586553ce
----------------------------------------
Desktop.ini found at F:\Fonts - crni komp 28 07 2009\ contains interesting CLSID string
----------------------------------------
[.ShellClassInfo]
UICLSID={BD84B380-8CA2-1069-AB1D-08000948F534}
----------------------------------------
HKCR\CLSID\{BD84B380-8CA2-1069-AB1D-08000948F534}\DefaultIcon,@ = %SystemRoot%\System32\fontext.dll,-101
HKCR\CLSID\{BD84B380-8CA2-1069-AB1D-08000948F534}\InProcServer32,@ = fontext.dll
HKLM\Software\Classes\CLSID\{BD84B380-8CA2-1069-AB1D-08000948F534}\DefaultIcon,@ = %SystemRoot%\System32\fontext.dll,-101
HKLM\Software\Classes\CLSID\{BD84B380-8CA2-1069-AB1D-08000948F534}\InProcServer32,@ = fontext.dll
----------------------------------------

========================================
Initial scan finished!
========================================


New device connected at 3.9.2009 20:12:41

Scanning for connected USB mass storage...
----------------------------------------
G: {f00be559-25f6-11de-aec5-0015586553ce}
Added G:
========================================

Scanning USB mass storage for files...
----------------------------------------
No blocked files found on G:
----------------------------------------
No Autorun.inf files found on G:
No mountpoint found for f00be559-25f6-11de-aec5-0015586553ce
----------------------------------------

----------------------------------------
Desktop.ini found at G:\Recycled\ contains interesting CLSID string
----------------------------------------
[.ShellClassInfo]
CLSID={645FF040-5081-101B-9F08-00AA002F954E}
----------------------------------------
HKCR\CLSID\{645FF040-5081-101B-9F08-00AA002F954E},InfoTip = @%SystemRoot%\system32\SHELL32.dll,-22915
HKCR\CLSID\{645FF040-5081-101B-9F08-00AA002F954E},IntroText = @%SystemRoot%\system32\SHELL32.dll,-31748
HKCR\CLSID\{645FF040-5081-101B-9F08-00AA002F954E},LocalizedString = @%SystemRoot%\system32\SHELL32.dll,-8964
HKCR\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\DefaultIcon,@ = %SystemRoot%\System32\shell32.dll,31
HKCR\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\DefaultIcon,Empty = %SystemRoot%\System32\shell32.dll,31
HKCR\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\DefaultIcon,Full = %SystemRoot%\System32\shell32.dll,32
HKCR\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\InProcServer32,@ = shell32.dll
HKLM\Software\Classes\CLSID\{645FF040-5081-101B-9F08-00AA002F954E},InfoTip = @%SystemRoot%\system32\SHELL32.dll,-22915
HKLM\Software\Classes\CLSID\{645FF040-5081-101B-9F08-00AA002F954E},IntroText = @%SystemRoot%\system32\SHELL32.dll,-31748
HKLM\Software\Classes\CLSID\{645FF040-5081-101B-9F08-00AA002F954E},LocalizedString = @%SystemRoot%\system32\SHELL32.dll,-8964
HKLM\Software\Classes\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\DefaultIcon,@ = %SystemRoot%\System32\shell32.dll,31
HKLM\Software\Classes\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\DefaultIcon,Empty = %SystemRoot%\System32\shell32.dll,31
HKLM\Software\Classes\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\DefaultIcon,Full = %SystemRoot%\System32\shell32.dll,32
HKLM\Software\Classes\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\InProcServer32,@ = shell32.dll
----------------------------------------

No mimics found on drive G:
========================================

========================================
Removed G:
========================================

  • helen1
  • Anti Malware Fighter, Rank 2
  • Master teacher
  • Joined: 27 Aug 2005
  • Posts: 8617
  • Location: Novi Beograd

kostolac :: Here's the ComboFix scan again, if that's what you meant, or should I have done the scan with that other program?

If you know how to find that log, post it for me.

  • Joined: 21 Dec 2005
  • Posts: 228
  • Location: Kostolac

Sorry, I forgot to post it

ComboFix 09-09-03.01 - AdministratoriNET 03.09.2009 19:39.10.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2038.1354 [GMT 2:00]
Running from: c:\documents and settings\AdministratoriNET\Desktop\ComboFix.exe
AV: Eset NOD32 antivirus system 2.51 *On-access scanning disabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
.

((((((((((((((((((((((((( Files Created from 2009-08-03 to 2009-09-03 )))))))))))))))))))))))))))))))
.

2009-08-30 09:56 . 2009-08-30 09:56 -------- d-----w- c:\program files\Common Files\EPSON
2009-08-30 09:56 . 2000-06-26 00:20 32768 ----a-w- c:\windows\system32\ECBTEG.DLL
2009-08-30 09:56 . 2000-05-22 00:08 60020 ----a-w- c:\windows\system32\EBPMON2.DLL
2009-08-30 09:56 . 2000-04-18 00:02 110 ----a-w- c:\windows\system32\EBPPORT.DAT
2009-08-30 09:56 . 1999-07-19 08:27 203776 ----a-w- c:\windows\system32\EBAPI.dll
2009-08-30 09:56 . 1999-07-15 23:01 100864 ----a-w- c:\windows\system32\ebpthp.dll
2009-08-30 09:56 . 1998-04-03 15:15 108032 ----a-w- c:\windows\system32\EBUtil.dll
2009-08-30 09:55 . 2009-08-30 09:55 -------- d-----w- C:\EPSON
2009-08-25 19:16 . 2009-08-25 19:16 56 ---ha-w- c:\windows\system32\ezsidmv.dat
2009-08-25 19:16 . 2009-08-25 19:16 -------- d-----w- c:\program files\Common Files\Skype
2009-08-05 16:59 . 2009-08-05 16:59 -------- d-----w- c:\program files\Motorola
2009-08-05 16:56 . 2008-03-04 12:43 196608 ----a-w- c:\windows\system32\sm56co6a.dll
2009-08-05 15:27 . 2009-08-05 15:27 -------- d-----w- c:\program files\Common Files\Concord Shared
2009-08-05 15:26 . 2009-08-05 15:26 -------- d-----w- c:\documents and settings\AdministratoriNET\Application Data\Symantec
2009-08-05 15:26 . 1999-06-10 12:50 437528 ----a-w- c:\windows\system32\401COMUPD.EXE
2009-08-05 15:26 . 2009-08-05 15:26 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec
2009-08-05 15:26 . 2009-08-05 15:26 -------- d-----w- c:\program files\Symantec

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-09-02 21:39 . 2008-04-27 18:52 -------- d-----w- c:\documents and settings\AdministratoriNET\Application Data\uTorrent
2009-08-31 21:06 . 2008-03-01 13:20 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-08-28 05:07 . 2009-01-31 18:28 -------- d-----w- c:\program files\Java
2009-08-26 18:08 . 2008-01-02 20:42 -------- d-----w- c:\documents and settings\AdministratoriNET\Application Data\Skype
2009-08-26 15:48 . 2008-01-02 20:43 -------- d-----w- c:\documents and settings\AdministratoriNET\Application Data\skypePM
2009-08-25 19:16 . 2008-01-02 20:41 -------- d-----r- c:\program files\Skype
2009-08-25 19:16 . 2008-01-02 20:41 -------- d-----w- c:\documents and settings\All Users\Application Data\Skype
2009-08-23 18:03 . 2009-03-09 18:42 -------- d-----w- c:\documents and settings\AdministratoriNET\Application Data\Corel
2009-08-18 21:40 . 2007-12-23 00:57 -------- d-----w- c:\program files\BitComet
2009-08-08 12:26 . 2009-08-05 15:25 -------- d-----w- c:\program files\WinFax
2009-08-08 12:25 . 2009-04-06 20:35 -------- d-----w- c:\program files\QuickTime
2009-08-08 12:25 . 2009-04-06 20:35 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple Computer
2009-08-05 15:28 . 2009-08-05 15:25 -------- d-----w- c:\program files\Common Files\Symantec Shared
2009-08-05 15:27 . 2007-11-28 21:25 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-08-05 15:25 . 2009-08-05 15:25 -------- d-----w- c:\program files\Common Files\Novell Shared
2009-08-05 15:25 . 2009-08-05 15:25 41 ----a-w- c:\windows\WFXDEL.BAT
2009-08-03 17:38 . 2009-08-03 17:38 -------- d-----w- c:\program files\Venta
2009-07-26 12:51 . 2007-12-16 12:57 -------- d-----w- c:\program files\Trillian
2009-07-25 03:23 . 2009-01-31 18:29 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-07-22 23:50 . 2009-07-22 23:48 -------- d-----w- c:\documents and settings\AdministratoriNET\Application Data\PMCallCenter
2009-07-15 17:23 . 2007-12-16 12:19 1110464 ----a-w- c:\documents and settings\AdministratoriNET\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-07-07 15:52 . 2009-07-07 15:51 -------- d-----w- c:\program files\Microsoft Office 2002
2009-06-27 16:11 . 2009-06-27 16:10 253952 ------w- c:\windows\Setup1.exe
2009-06-27 16:11 . 2009-06-27 16:10 73216 ----a-w- c:\windows\ST6UNST.EXE
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"googletalk"="c:\program files\Google\Google Talk\googletalk.exe" [2007-01-01 3739648]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-02-06 3885408]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-07-19 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-07-19 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-07-19 114688]
"nod32kui"="c:\program files\Eset\nod32kui.exe" [2007-12-16 917504]
"DU Meter"="c:\program files\DU Meter\DUMeter.exe" [2005-02-01 1469952]
"CorelDRAW Graphics Suite 11b"="c:\program files\Corel\Corel Graphics 12\Languages\EN\Programs\Registration.exe" [2003-11-25 729088]
"WireLessMouse"="c:\program files\Office Mouse Driver\StartAutorun.exe" [2005-11-30 94208]
"LVCOMSX"="c:\windows\system32\LVCOMSX.EXE" [2004-12-14 221184]
"BigDogPath"="c:\windows\VM_STI.EXE" [2004-08-20 40960]
"SMSERIAL"="c:\program files\Motorola\SMSERIAL\sm56hlpr.exe" [2008-03-04 638976]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-05-26 413696]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-07-25 149280]
"High Definition Audio Property Page Shortcut"="HDAShCut.exe" - c:\windows\system32\HdAShCut.exe [2005-01-07 61952]
"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.EXE [2005-03-23 14202368]
"BluetoothAuthenticationAgent"="bthprops.cpl" - c:\windows\system32\bthprops.cpl [2004-08-04 110592]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-04 15360]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
EPSON Status Monitor 3 Environment Check(3).lnk - c:\windows\system32\spool\drivers\w32x86\3\E_SRCV03.EXE [2000-2-3 222720]
Microsoft Office.lnk - c:\program files\Microsoft Office 2002\Office10\OSA.EXE [2001-2-13 83360]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2006-12-20 77824]
"{A213B520-C6C2-11d0-AF9D-008029E1027E}"= "c:\program files\WinFax\WfxSeh32.Dll" [1998-07-27 38400]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2007-04-19 12:41 294912 ------w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKLM\~\startupfolder\C:^Documents and Settings^AdministratoriNET^Start Menu^Programs^Startup^ProjectWhois.lnk]
path=c:\documents and settings\AdministratoriNET\Start Menu\Programs\Startup\ProjectWhois.lnk
backup=c:\windows\pss\ProjectWhois.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^AdministratoriNET^Start Menu^Programs^Startup^VentaDrv.lnk]
path=c:\documents and settings\AdministratoriNET\Start Menu\Programs\Startup\VentaDrv.lnk
backup=c:\windows\pss\VentaDrv.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
backup=c:\windows\pss\Adobe Gamma Loader.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^RAID Manager.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\RAID Manager.lnk
backup=c:\windows\pss\RAID Manager.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\totalcmd\\TOTALCMD.EXE"=
"c:\\Program Files\\BitComet\\BitComet.exe"=
"c:\\Program Files\\Hewlett-Packard\\Toolbox2.0\\Javasoft\\JRE\\1.3.1\\bin\\javaw.exe"=
"c:\\Program Files\\CyberLink\\PowerDVD\\PowerDVD.exe"=
"c:\\Program Files\\Opera\\Opera.exe"=
"c:\\Program Files\\Trillian\\trillian.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Common Files\\Nero\\Nero Web\\SetupX.exe"=
"c:\\WINDOWS\\system32\\rtcshare.exe"=
"c:\\Program Files\\NetMeeting\\conf.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"27159:TCP"= 27159:TCP:BitComet 27159 TCP
"27159:UDP"= 27159:UDP:BitComet 27159 UDP

R0 iteraid;ITERAID_Service_Install;c:\windows\system32\drivers\iteraid.sys [28.11.2007 23:25 25105]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [10.10.2006 14:53 5632]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [27.2.2007 13:39 51440]
R2 MarxDev1;MarxDev1;c:\windows\system32\drivers\MARXDEV1.SYS [17.2.2008 21:38 8864]
R2 MarxDev2;MarxDev2;c:\windows\system32\drivers\MARXDEV2.SYS [17.2.2008 21:38 8864]
R2 MarxDev3;MarxDev3;c:\windows\system32\drivers\MARXDEV3.SYS [17.2.2008 21:38 8864]
R3 MOUSEWDFilter;MOUSEWDFilter;c:\windows\system32\drivers\MOUSEWD.SYS [21.11.2008 0:28 6528]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [16.2.2006 18:51 4096]
S3 CrystalSysInfo;CrystalSysInfo;c:\program files\MediaCoder\SysInfo.sys [25.9.2007 16:59 15152]
S3 FXDRV;FXDRV;\??\d:\fxdrv.sys --> d:\Fxdrv.sys [?]
.
Contents of the 'Scheduled Tasks' folder

2009-08-29 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 10:34]

2009-09-01 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1004336348-1390067357-725345543-1003Core.job
- c:\documents and settings\AdministratoriNET\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-06-11 21:55]

2009-09-03 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1004336348-1390067357-725345543-1003UA.job
- c:\documents and settings\AdministratoriNET\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-06-11 21:55]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
uInternet Settings,ProxyOverride = <local>
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
LSP: imon.dll
Trusted Zone: raiffeisenbank.rs\rol
TCP: {078F2A67-650C-42AB-8E0B-39812A506184} = 212.200.191.166,212.200.190.166
FF - ProfilePath - c:\documents and settings\AdministratoriNET\Application Data\Mozilla\Firefox\Profiles\webcw7nt.default\
FF - prefs.js: browser.search.selectedEngine - Pogodak.rs
FF - component: c:\documents and settings\AdministratoriNET\Application Data\Mozilla\Firefox\Profiles\webcw7nt.default\extensions\{e3f6c2cc-d8db-498c-af6c-499fb211db97}\platform\WINNT_x86-msvc\components\pagespeed.dll
FF - component: c:\documents and settings\AdministratoriNET\Application Data\Mozilla\Firefox\Profiles\webcw7nt.default\extensions\piclens@cooliris.com\components\coolirisstub.dll
FF - plugin: c:\documents and settings\AdministratoriNET\Application Data\Mozilla\Firefox\Profiles\webcw7nt.default\extensions\piclens@cooliris.com\plugins\npcoolirisplugin.dll
FF - plugin: c:\documents and settings\AdministratoriNET\Local Settings\Application Data\Google\Update\1.2.183.7\npGoogleOneClick8.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-09-03 19:43
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\{95808DC4-FA4A-4C74-92FE-5B863F82066B}]
"ImagePath"="\??\c:\program files\CyberLink\PowerDVD\000.fcl"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1004336348-1390067357-725345543-1003\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10c.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10c.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}]
@Denied: (A 2) (Everyone)
@="IFlashBroker3"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(572)
c:\program files\SUPERAntiSpyware\SASWINLO.dll

- - - - - - - > 'lsass.exe'(636)
c:\windows\system32\imon.dll

- - - - - - - > 'explorer.exe'(3552)
c:\progra~1\WINDOW~2\wmpband.dll
c:\windows\system32\msi.dll
.
Completion time: 2009-09-03 19:46
ComboFix-quarantined-files.txt 2009-09-03 17:45
ComboFix2.txt 2009-09-03 16:01
ComboFix3.txt 2008-12-16 22:29

Pre-Run: 8.440.565.760 bytes free
Post-Run: 8.378.138.624 bytes free


  • helen1
  • Anti Malware Fighter, Rank 2
  • Master teacher
  • Joined: 27 Aug 2005
  • Posts: 8617
  • Location: Novi Beograd

Click the Start button (in the bottom left corner).
Choose My Computer.
Select the Tools menu and click Folder Options.
Select View at the top; inside the Hidden files and folders group select Show hidden files and folders.
Uncheck Hide file extensions for known types.
Uncheck Hide protected operating system files (recommended).
Click YES.
Click OK.


Then plug in that infected flash drive, the one you scanned last, find the Recycled folder and delete it.

When you've done that, report back for the next steps...
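The helper's call above (delete the Recycled folder on the friend's stick, leave the Fonts-folder findings on F: alone) can be read straight out of the USBNoRisk logs. The parser below is an added example, not part of USBNoRisk or of this thread: it pulls every Desktop.ini finding out of a log together with its CLSID and the DLL the tool resolved it to, notes which drive letters the tool reported as USB mass storage, and ranks the findings; the names and the two classification rules are the example's own.

```python
import re
from dataclasses import dataclass, field

# Both CLSIDs come from the posted logs, where the tool prints their registry
# resolution itself: fontext.dll for the first, shell32.dll for the second.
FONTS_CLSID = "{BD84B380-8CA2-1069-AB1D-08000948F534}"
RECYCLE_BIN_CLSID = "{645FF040-5081-101B-9F08-00AA002F954E}"

RE_ADDED = re.compile(r"^Added ([A-Z]):$")
RE_DESKTOP_INI = re.compile(
    r"^Desktop\.ini found at ([A-Z]:\\.*) contains interesting CLSID string$")
RE_CLSID_LINE = re.compile(r"^(UICLSID|CLSID)=(\{[0-9A-Fa-f-]{36}\})$")
RE_INPROC = re.compile(r"\\InProcServer32,@ = (\S+)$")


@dataclass
class Finding:
    path: str                  # folder holding the Desktop.ini, e.g. "G:\Recycled\"
    key: str = ""              # "UICLSID" or "CLSID"
    clsid: str = ""
    removable: bool = False    # drive letter was reported by the tool via "Added X:"
    servers: set = field(default_factory=set)  # InProcServer32 DLLs printed by the tool

    @property
    def drive(self):
        return self.path[0]


def parse_usbnorisk(text):
    """Collect every Desktop.ini finding from a USBNoRisk 2.5 log."""
    removable, findings, current = set(), [], None
    for raw in text.splitlines():
        line = raw.strip()
        if m := RE_ADDED.match(line):
            removable.add(m.group(1))
        elif m := RE_DESKTOP_INI.match(line):
            current = Finding(path=m.group(1))
            findings.append(current)
        elif current and (m := RE_CLSID_LINE.match(line)):
            current.key, current.clsid = m.group(1), m.group(2).upper()
        elif current and (m := RE_INPROC.search(line)):
            current.servers.add(m.group(1).lower())
        elif line.startswith(("No mimics found", "Removed ", "Initial scan")):
            current = None    # the block this finding belongs to is over
    for f in findings:
        f.removable = f.drive in removable
    return findings


def triage(findings):
    """Return (path, verdict) pairs, the ones worth a closer look first."""
    out = []
    for f in findings:
        if f.clsid == RECYCLE_BIN_CLSID and f.removable:
            # Windows keeps no Recycle Bin on removable drives, and Explorer
            # renders a folder carrying this CLSID as the Recycle Bin, so the
            # files actually stored there do not show in the normal folder view.
            out.append((f.path, "review: Recycle Bin CLSID on removable drive"))
        elif f.clsid == FONTS_CLSID and f.key == "UICLSID" and not f.removable:
            # Fonts-folder view (fontext.dll), as carried along by a copied
            # C:\WINDOWS\Fonts directory; the helper in the thread left these alone.
            out.append((f.path, "info: Fonts folder view on fixed drive"))
        else:
            out.append((f.path, "review: unclassified CLSID " + f.clsid))
    return sorted(out, key=lambda item: not item[1].startswith("review"))


# Trimmed excerpt of the second log posted in the thread (F: is fixed storage,
# G: is the friend's USB stick); the lines are the tool's own output.
SAMPLE_LOG = r"""
Scanning fixed storage...
Desktop.ini found at F:\Fonts - crni komp 28 07 2009\ contains interesting CLSID string
[.ShellClassInfo]
UICLSID={BD84B380-8CA2-1069-AB1D-08000948F534}
HKCR\CLSID\{BD84B380-8CA2-1069-AB1D-08000948F534}\InProcServer32,@ = fontext.dll
Initial scan finished!
Added G:
Desktop.ini found at G:\Recycled\ contains interesting CLSID string
[.ShellClassInfo]
CLSID={645FF040-5081-101B-9F08-00AA002F954E}
HKCR\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\InProcServer32,@ = shell32.dll
No mimics found on drive G:
Removed G:
"""

if __name__ == "__main__":
    for path, verdict in triage(parse_usbnorisk(SAMPLE_LOG)):
        print(f"{verdict:48} {path}")
```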

  • Joined: 21 Dec 2005
  • Posts: 228
  • Location: Kostolac

Done. Should I now re-check what I unchecked, or ????

  • helen1
  • Anti Malware Fighter, Rank 2
  • Master teacher
  • Joined: 27 Aug 2005
  • Posts: 8617
  • Location: Novi Beograd

You can, but you don't have to.

Do the following:

Open Notepad and copy the following text into it:

DeQuarantine::
C:\Qoobox\Quarantine\C\WINDOWS\Fonts\deartheo.ttf.vir
C:\Qoobox\Quarantine\C\WINDOWS\Fonts\NAUTICAL.ttf.vir
C:\Qoobox\Quarantine\C\WINDOWS\Fonts\TT8729Z_.ttf.vir
C:\Qoobox\Quarantine\C\WINDOWS\Fonts\TT8730Z_.ttf.vir
C:\Qoobox\Quarantine\C\WINDOWS\Fonts\TT8731Z_.ttf.vir
QUIT::


Save the file from Notepad to the Desktop as "CFScript"

Drag the saved script/text onto the ComboFix icon as shown in the picture.
Post in your next message the log that gets created at the end of the cleaning/scanning.

  • Joined: 21 Dec 2005
  • Posts: 228
  • Location: Kostolac

Done, and here's the log

C:\Qoobox\Quarantine\C\WINDOWS\Fonts\deartheo.ttf.vir -> C:\WINDOWS\Fonts\deartheo.ttf ( 8152 bytes )
C:\Qoobox\Quarantine\C\WINDOWS\Fonts\NAUTICAL.ttf.vir -> C:\WINDOWS\Fonts\NAUTICAL.ttf ( 5184 bytes )
C:\Qoobox\Quarantine\C\WINDOWS\Fonts\TT8729Z_.ttf.vir -> C:\WINDOWS\Fonts\TT8729Z_.ttf ( 5344 bytes )
C:\Qoobox\Quarantine\C\WINDOWS\Fonts\TT8730Z_.ttf.vir -> C:\WINDOWS\Fonts\TT8730Z_.ttf ( 5368 bytes )
C:\Qoobox\Quarantine\C\WINDOWS\Fonts\TT8731Z_.ttf.vir -> C:\WINDOWS\Fonts\TT8731Z_.ttf ( 5320 bytes )

  • helen1
  • Anti Malware Fighter, Rank 2
  • Master teacher
  • Joined: 27 Aug 2005
  • Posts: 8617
  • Location: Novi Beograd

Any problems now?
