Please check my log


offline
  • Joined: 20 Mar 2007
  • Posts: 97

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:41:24 PM, on 12/16/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\ATKKBService.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
C:\WINDOWS\system32\UAService7.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Documents and Settings\Predsjednistvo BiH\Desktop\neda.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: QUICKfind BHO Object - {C08DF07A-3E49-4E25-9AB0-D3882835F153} - C:\PROGRA~1\IDM\QUICKF~1\PlugIns\IEHelp.dll
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: Add to Anti-Banner - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\ie_banner_deny.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\SCIEPlgn.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O20 - AppInit_DLLs: C:\PROGRA~1\KASPER~1\KASPER~1.0\adialhk.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATK Keyboard Service (ATKKeyboardService) - ASUSTeK COMPUTER INC. - C:\WINDOWS\ATKKBService.exe
O23 - Service: Kaspersky Internet Security 7.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Unknown owner - C:\WINDOWS\system32\UAService7.exe

offline
  • dr_Bora  Male
  • Anti Malware Fighter
    Rank 2
  • Joined: 24 Jul 2007
  • Posts: 12280
  • Location: Höganäs, SE

Hello...

The log is clean. Is there a problem?

offline
  • Joined: 20 Mar 2007
  • Posts: 97

That's my computer at work.
From time to time the monitor turns off, i.e. goes into standby, but WHILE I am working on the computer. Then I have to turn it (the monitor) off and on again.
And Kaspersky won't update, even though it is licensed. When I try, it just says 0Kb update.

offline
  • dr_Bora  Male
  • Anti Malware Fighter
    Rank 2
  • Joined: 24 Jul 2007
  • Posts: 12280
  • Location: Höganäs, SE

Well, the monitor issue certainly has nothing to do with malware.

As for the other one, we'll do one more check...


Download ComboFix to your Desktop from one of the following addresses:
http://download.bleepingcomputer.com/sUBs/ComboFix.exe
http://www.forospyware.com/sUBs/ComboFix.exe
http://subs.geekstogo.com/ComboFix.exe

Run it and do not touch the program window while it is scanning.
Follow the on-screen instructions. When it finishes, a log (C:\ComboFix.txt) will appear, which you should copy here for us.

offline
  • Joined: 20 Mar 2007
  • Posts: 97

Near the end of the download, Kasp reports that this is a virus:
"Heue.Invader
malicious http object
detected". I click to allow the download, then run it, and it pops up a warning window that says corrupt and says "download fresh copy or retry instalation corrupt file"

offline
  • dr_Bora  Male
  • Anti Malware Fighter
    Rank 2
  • Joined: 24 Jul 2007
  • Posts: 12280
  • Location: Höganäs, SE

Disable Kaspersky before the download.

offline
  • Joined: 20 Mar 2007
  • Posts: 97

ComboFix 08-12-24.01 - Predsjednistvo BiH 2008-12-25 14:22:03.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1023.614 [GMT 1:00]
Running from: c:\documents and settings\Predsjednistvo BiH\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\abk.bat
C:\autorun.inf
C:\lky.exe
c:\windows\system32\gasretyw0.dll
c:\windows\system32\gasretyw1.dll
c:\windows\system32\kamsoft.exe
C:\yannh.cmd
E:\abk.bat
E:\Autorun.inf
E:\lky.exe
E:\yannh.cmd

.
((((((((((((((((((((((((( Files Created from 2008-11-25 to 2008-12-25 )))))))))))))))))))))))))))))))
.

No new files created in this timespan

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-25 13:29 2,071,584 --sha-w c:\windows\system32\drivers\fidbox.dat
2008-12-25 13:28 128,032 --sha-w c:\windows\system32\drivers\fidbox2.dat
2008-12-25 13:26 29,432 --sha-w c:\windows\system32\drivers\fidbox.idx
2008-12-25 13:26 14,024 --sha-w c:\windows\system32\drivers\fidbox2.idx
2008-12-25 13:08 --------- d-----w c:\program files\Mozilla Thunderbird
2008-12-25 07:43 --------- d-----w c:\documents and settings\All Users\Application Data\Kaspersky Lab
2008-11-24 10:11 91,700 ----a-w c:\windows\system32\drivers\klin.dat
2008-11-24 10:11 85,860 ----a-w c:\windows\system32\drivers\klick.dat
2008-11-24 10:11 --------- d-----w c:\program files\Lavasoft
2008-11-24 10:11 --------- d-----w c:\program files\Kaspersky Lab
2008-11-24 10:07 --------- d-----w c:\documents and settings\All Users\Application Data\Kaspersky Lab Setup Files
2008-11-12 10:48 --------- d-----w c:\program files\Common Files\Wise Installation Wizard
2008-11-12 10:46 --------- d-----w c:\documents and settings\All Users\Application Data\Lavasoft
2008-11-12 10:42 --------- d-----w c:\program files\Uniblue
2008-11-12 10:42 --------- d-----w c:\documents and settings\Predsjednistvo BiH\Application Data\Uniblue
2008-11-12 10:38 74,703 ----a-w c:\windows\system32\mfc45.dll
2008-11-12 10:38 --------- d-----w c:\documents and settings\Predsjednistvo BiH\Application Data\iolo
2008-11-12 10:38 --------- d-----w c:\documents and settings\All Users\Application Data\iolo
2008-11-12 10:27 --------- d-----w c:\program files\Innovative Solutions
2008-11-12 10:19 --------- d-----w c:\program files\Alwil Software
2008-11-12 09:55 --------- d--h--w c:\program files\InstallShield Installation Information
2008-11-12 08:33 84,992 --sh--r c:\windows\system32\kav320.dll
2008-11-12 08:26 99,504 --sh--r C:\ogcikeq.com
2008-11-12 08:26 84,992 --sh--r c:\windows\system32\kav321.dll
2008-11-11 10:27 --------- d-----w c:\documents and settings\Predsjednistvo BiH\Application Data\oald7
2008-11-11 10:26 90,112 ----a-w c:\windows\system32\CmdLineExt.dll
2008-11-11 10:26 126,976 ----a-w c:\windows\system32\UAService7.exe
2008-11-11 10:26 --------- d-----w c:\program files\TEXTware
2008-11-11 10:26 --------- d-----w c:\program files\IDM
2008-11-11 10:26 --------- d-----w c:\documents and settings\Predsjednistvo BiH\Application Data\SecuROM
2008-11-11 10:24 --------- d-----w c:\program files\Oxford
2008-11-06 11:37 --------- d-----w c:\documents and settings\Predsjednistvo BiH\Application Data\Thunderbird
2008-11-06 11:37 --------- d-----w c:\documents and settings\Predsjednistvo BiH\Application Data\Talkback
2008-10-30 12:56 --------- d-----w c:\program files\Hewlett-Packard
2008-10-23 13:01 283,648 ----a-w c:\windows\system32\gdi32.dll
2008-10-16 20:38 826,368 ----a-w c:\windows\system32\wininet.dll
2008-10-16 13:13 202,776 ----a-w c:\windows\system32\wuweb.dll
2008-10-16 13:13 1,809,944 ----a-w c:\windows\system32\wuaueng.dll
2008-10-16 13:12 561,688 ----a-w c:\windows\system32\wuapi.dll
2008-10-16 13:12 323,608 ----a-w c:\windows\system32\wucltui.dll
2008-10-16 13:09 92,696 ----a-w c:\windows\system32\cdm.dll
2008-10-16 13:09 51,224 ----a-w c:\windows\system32\wuauclt.exe
2008-10-16 13:09 43,544 ----a-w c:\windows\system32\wups2.dll
2008-10-16 13:08 34,328 ----a-w c:\windows\system32\wups.dll
2008-10-03 10:15 247,326 ----a-w c:\windows\system32\strmdll.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2006-02-28 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATICCC"="c:\program files\ATI Technologies\ATI.ACE\cli.exe" [2006-01-02 45056]
"High Definition Audio Property Page Shortcut"="HDAShCut.exe" [2004-10-27 c:\windows\system32\HdAShCut.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2006-02-28 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTFMON.EXE]
--a------ 2006-02-28 13:00 15360 c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OrderReminder]
-ra------ 2006-01-30 17:00 98304 c:\program files\Hewlett-Packard\OrderReminder\OrderReminder.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Messenger\\Msmsgs.exe"=

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2008-11-12 75856]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\DRIVERS\aswFsBlk.sys [2008-11-12 20560]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\windows\system32\DRIVERS\klim5.sys [2007-12-13 24592]
S3 AVPsys;AVPsys;\??\c:\windows\system32\drivers\cdaudio.sys []

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{17214b59-c2a2-11dd-99eb-001a923a6071}]
\Shell\AutoRun\command - wscript.exe .\.vbs
\Shell\open\command - wscript.exe .\.vbs

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{17214b75-c2a2-11dd-99eb-001a923a6071}]
\Shell\AutoOpen\command - f:\.\MSOCache\90000804-6000-11D3-8CFE-0150048383C9\KB915865.exe
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL .\MSOCache\90000804-6000-11D3-8CFE-0150048383C9\KB915865.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{39bac86c-aff4-11dd-99c1-001a923a6071}]
\Shell\AutoRun\command - F:\lky.exe
\Shell\explore\Command - F:\lky.exe
\Shell\open\Command - F:\lky.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{3ffcc7ea-743b-11dd-99a8-001a923a6071}]
\Shell\AutoRun\command - F:\bwpncb6.com
\Shell\explore\Command - F:\bwpncb6.com
\Shell\open\Command - F:\bwpncb6.com

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{4996278e-ab18-11dd-99b7-001a923a6071}]
\Shell\AutoRun\command - F:\i.exe
\Shell\explore\Command - F:\i.exe
\Shell\open\Command - F:\i.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{535b2720-bd24-11dd-99e3-001a923a6071}]
\Shell\AutoRun\command - F:\e8kj.exe
\Shell\explore\Command - F:\e8kj.exe
\Shell\open\Command - F:\e8kj.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{65ba1eb4-afdd-11dd-99c0-001a923a6071}]
\Shell\AutoRun\command - F:\qquq.bat
\Shell\explore\Command - F:\qquq.bat
\Shell\open\Command - F:\qquq.bat

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{94165b8c-00b1-11dd-9985-001a923a6071}]
\Shell\AutoRun\command - F:\0n.bat
\Shell\explore\Command - F:\0n.bat
\Shell\open\Command - F:\0n.bat

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{97b1a0ee-8852-11dc-9925-001a923a6071}]
\Shell\AutoRun\command - F:\lky.exe
\Shell\explore\Command - F:\lky.exe
\Shell\open\Command - F:\lky.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{998b8b6e-a683-11dd-99af-001a923a6071}]
\Shell\AutoRun\command - F:\ln9.exe
\Shell\explore\Command - F:\ln9.exe
\Shell\open\Command - F:\ln9.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d6e8ce77-b482-11dd-99d3-001a923a6071}]
\Shell\AutoRun\command - F:\yannh.cmd
\Shell\explore\Command - F:\yannh.cmd
\Shell\open\Command - F:\yannh.cmd
.
Contents of the 'Scheduled Tasks' folder

2008-08-27 c:\windows\Tasks\1-Click Maintenance.job
- c:\program files\TuneUp Utilities 2008\OneClick.exe []
.
- - - - ORPHANS REMOVED - - - -

MSConfigStartUp-kamsoft - c:\windows\system32\kamsoft.exe


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Predsjednistvo BiH\Application Data\Mozilla\Firefox\Profiles\2it2118y.default\
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, gmer.net
Rootkit scan 2008-12-25 14:28:09
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(984)
c:\program files\Kaspersky Lab\Kaspersky Internet Security 7.0\miscr3.dll
c:\windows\system32\Ati2evxx.dll
c:\windows\system32\klogon.dll

- - - - - - - > 'lsass.exe'(1040)
c:\program files\Kaspersky Lab\Kaspersky Internet Security 7.0\dnsq.dll
c:\program files\Kaspersky Lab\Kaspersky Internet Security 7.0\miscr3.dll
c:\program files\Kaspersky Lab\Kaspersky Internet Security 7.0\fssync.dll

- - - - - - - > 'explorer.exe'(3980)
c:\program files\Kaspersky Lab\Kaspersky Internet Security 7.0\miscr3.dll
c:\program files\Kaspersky Lab\Kaspersky Internet Security 7.0\fssync.dll
c:\program files\Kaspersky Lab\Kaspersky Internet Security 7.0\scrchpg.dll
c:\windows\system32\msi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\windows\ATKKBService.exe
c:\program files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
c:\windows\system32\UAService7.exe
c:\program files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
c:\windows\system32\ati2evxx.exe
.
**************************************************************************
.
Completion time: 2008-12-25 14:30:46 - machine was rebooted
ComboFix-quarantined-files.txt 2008-12-25 13:30:40

Pre-Run: 38,346,174,464 bytes free
Post-Run: 38,357,434,368 bytes free

201 --- E O F --- 2008-12-18 16:49:26

offline
  • dr_Bora  Male
  • Anti Malware Fighter
    Rank 2
  • Joined: 24 Jul 2007
  • Posts: 12280
  • Location: Höganäs, SE

Open Notepad and copy in the following text:

File::
c:\windows\system32\kav320.dll
C:\ogcikeq.com
c:\windows\system32\kav321.dll

Registry::
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{17214b59-c2a2-11dd-99eb-001a923a6071}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{17214b75-c2a2-11dd-99eb-001a923a6071}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{39bac86c-aff4-11dd-99c1-001a923a6071}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{3ffcc7ea-743b-11dd-99a8-001a923a6071}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{4996278e-ab18-11dd-99b7-001a923a6071}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{535b2720-bd24-11dd-99e3-001a923a6071}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{65ba1eb4-afdd-11dd-99c0-001a923a6071}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{94165b8c-00b1-11dd-9985-001a923a6071}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{97b1a0ee-8852-11dc-9925-001a923a6071}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{998b8b6e-a683-11dd-99af-001a923a6071}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d6e8ce77-b482-11dd-99d3-001a923a6071}]


Save the file from Notepad to the Desktop as "CFScript"

Drag the saved script/text onto the ComboFix icon as shown in the picture.
In your next message, post the log that is created at the end of the cleaning/scanning.

offline
  • Joined: 20 Mar 2007
  • Posts: 97

ComboFix 08-12-24.01 - Predsjednistvo BiH 2008-12-25 15:37:27.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1023.551 [GMT 1:00]
Running from: c:\documents and settings\Predsjednistvo BiH\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Predsjednistvo BiH\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\ogcikeq.com
c:\windows\system32\kav320.dll
c:\windows\system32\kav321.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\ogcikeq.com
c:\windows\system32\kav320.dll
c:\windows\system32\kav321.dll

.
((((((((((((((((((((((((( Files Created from 2008-11-25 to 2008-12-25 )))))))))))))))))))))))))))))))
.

No new files created in this timespan

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-25 14:41 2,204,192 --sha-w c:\windows\system32\drivers\fidbox.dat
2008-12-25 14:40 132,640 --sha-w c:\windows\system32\drivers\fidbox2.dat
2008-12-25 14:22 --------- d-----w c:\program files\Mozilla Thunderbird
2008-12-25 13:26 29,432 --sha-w c:\windows\system32\drivers\fidbox.idx
2008-12-25 13:26 14,024 --sha-w c:\windows\system32\drivers\fidbox2.idx
2008-12-25 07:43 --------- d-----w c:\documents and settings\All Users\Application Data\Kaspersky Lab
2008-11-24 10:11 91,700 ----a-w c:\windows\system32\drivers\klin.dat
2008-11-24 10:11 85,860 ----a-w c:\windows\system32\drivers\klick.dat
2008-11-24 10:11 --------- d-----w c:\program files\Lavasoft
2008-11-24 10:11 --------- d-----w c:\program files\Kaspersky Lab
2008-11-24 10:07 --------- d-----w c:\documents and settings\All Users\Application Data\Kaspersky Lab Setup Files
2008-11-12 10:48 --------- d-----w c:\program files\Common Files\Wise Installation Wizard
2008-11-12 10:46 --------- d-----w c:\documents and settings\All Users\Application Data\Lavasoft
2008-11-12 10:42 --------- d-----w c:\program files\Uniblue
2008-11-12 10:42 --------- d-----w c:\documents and settings\Predsjednistvo BiH\Application Data\Uniblue
2008-11-12 10:38 74,703 ----a-w c:\windows\system32\mfc45.dll
2008-11-12 10:38 --------- d-----w c:\documents and settings\Predsjednistvo BiH\Application Data\iolo
2008-11-12 10:38 --------- d-----w c:\documents and settings\All Users\Application Data\iolo
2008-11-12 10:27 --------- d-----w c:\program files\Innovative Solutions
2008-11-12 10:19 --------- d-----w c:\program files\Alwil Software
2008-11-12 09:55 --------- d--h--w c:\program files\InstallShield Installation Information
2008-11-11 10:27 --------- d-----w c:\documents and settings\Predsjednistvo BiH\Application Data\oald7
2008-11-11 10:26 90,112 ----a-w c:\windows\system32\CmdLineExt.dll
2008-11-11 10:26 126,976 ----a-w c:\windows\system32\UAService7.exe
2008-11-11 10:26 --------- d-----w c:\program files\TEXTware
2008-11-11 10:26 --------- d-----w c:\program files\IDM
2008-11-11 10:26 --------- d-----w c:\documents and settings\Predsjednistvo BiH\Application Data\SecuROM
2008-11-11 10:24 --------- d-----w c:\program files\Oxford
2008-11-06 11:37 --------- d-----w c:\documents and settings\Predsjednistvo BiH\Application Data\Thunderbird
2008-11-06 11:37 --------- d-----w c:\documents and settings\Predsjednistvo BiH\Application Data\Talkback
2008-10-30 12:56 --------- d-----w c:\program files\Hewlett-Packard
2008-10-23 13:01 283,648 ----a-w c:\windows\system32\gdi32.dll
2008-10-16 20:38 826,368 ----a-w c:\windows\system32\wininet.dll
2008-10-16 13:13 202,776 ----a-w c:\windows\system32\wuweb.dll
2008-10-16 13:13 1,809,944 ----a-w c:\windows\system32\wuaueng.dll
2008-10-16 13:12 561,688 ----a-w c:\windows\system32\wuapi.dll
2008-10-16 13:12 323,608 ----a-w c:\windows\system32\wucltui.dll
2008-10-16 13:09 92,696 ----a-w c:\windows\system32\cdm.dll
2008-10-16 13:09 51,224 ----a-w c:\windows\system32\wuauclt.exe
2008-10-16 13:09 43,544 ----a-w c:\windows\system32\wups2.dll
2008-10-16 13:08 34,328 ----a-w c:\windows\system32\wups.dll
2008-10-03 10:15 247,326 ----a-w c:\windows\system32\strmdll.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2006-02-28 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATICCC"="c:\program files\ATI Technologies\ATI.ACE\cli.exe" [2006-01-02 45056]
"High Definition Audio Property Page Shortcut"="HDAShCut.exe" [2004-10-27 c:\windows\system32\HdAShCut.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2006-02-28 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTFMON.EXE]
--a------ 2006-02-28 13:00 15360 c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OrderReminder]
-ra------ 2006-01-30 17:00 98304 c:\program files\Hewlett-Packard\OrderReminder\OrderReminder.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Messenger\\Msmsgs.exe"=

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2008-11-12 75856]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\DRIVERS\aswFsBlk.sys [2008-11-12 20560]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\windows\system32\DRIVERS\klim5.sys [2007-12-13 24592]
S3 AVPsys;AVPsys;\??\c:\windows\system32\drivers\cdaudio.sys []

*Newly Created Service* - CATCHME
.
Contents of the 'Scheduled Tasks' folder

2008-08-27 c:\windows\Tasks\1-Click Maintenance.job
- c:\program files\TuneUp Utilities 2008\OneClick.exe []
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Predsjednistvo BiH\Application Data\Mozilla\Firefox\Profiles\2it2118y.default\
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, gmer.net
Rootkit scan 2008-12-25 15:40:54
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(984)
c:\program files\Kaspersky Lab\Kaspersky Internet Security 7.0\miscr3.dll
c:\windows\system32\Ati2evxx.dll
c:\windows\system32\klogon.dll

- - - - - - - > 'lsass.exe'(1040)
c:\program files\Kaspersky Lab\Kaspersky Internet Security 7.0\dnsq.dll
c:\program files\Kaspersky Lab\Kaspersky Internet Security 7.0\miscr3.dll
c:\program files\Kaspersky Lab\Kaspersky Internet Security 7.0\fssync.dll
.
Completion time: 2008-12-25 15:42:48
ComboFix-quarantined-files.txt 2008-12-25 14:42:44
ComboFix2.txt 2008-12-25 13:30:48

Pre-Run: 38,394,667,008 bytes free
Post-Run: 38,377,701,376 bytes free

137 --- E O F --- 2008-12-18 16:49:26

offline
  • dr_Bora  Male
  • Anti Malware Fighter
    Rank 2
  • Joined: 24 Jul 2007
  • Posts: 12280
  • Location: Höganäs, SE

Well, there is no more malware here.
Click START, then RUN
In the text box, type Combofix /u and click OK

Wait for the uninstall process to finish

The above procedure will:
Delete the following:
ComboFix and its files and folders
The VundoFix Backups folder, if it exists
The C:\Deckard folder, if it exists
The C:\OtMoveIt folder, if it exists

Reset the clock settings on the computer
Hide file extensions, if necessary
Hide system/hidden files/folders, if necessary
Reset System Restore

For any remaining problems, you will have to seek advice in another part of the forum.
