I can't find the virus for 3 days and I've been hacked..


  • still
  • Distinguished Citizen
  • Joined: 25 Feb 2005
  • Posts: 639
  • Location: beli_grad>gistro

Posted: 30 Jul 2009 20:34

Hi. 3 days ago, on the site Worldofraids.com, which covers news about the game World of Warcraft, I got infected with a virus; I came to that conclusion because I visited that site on the day they were hacked, and the game started getting errors as soon as I launch it.

As I said, this happened 3 days ago; since then, for the safety of my World of Warcraft account, I have run a deep scan with Avira Pro set to MAX detail.
The AV didn't find anything, but since I manually found that file "6to4ex.dll", I deleted it by hand.

World of Raids:
Quote: The trojan appears to have been an exploit affecting Adobe Flash Player. It was run via javascript after detecting the browser and would download the trojan files a.exe, b.exe, c.exe and 6to4ex.dll. The source of these files has currently been traced to China.

Anyway, to be sure I'm clean, I uninstalled Avira and installed a Kaspersky trial, ran a full deep scan, and KAV found nothing.
I uninstalled Kaspersky and put Avira back.
Ran an online scan with Trend Micro AV.
Ran scans with Search and Destroy and Ad-Aware.
Set my firewall (Comodo) so that no new process on the system is allowed to start and go online (Defense+).
Changed the password for my mail and my WoW account.

3 days later (today) I log in to my WoW account and find out I was hacked during the night; more precisely, from 13h to 18h bots were running on my account, farming gold, they sold everything I had in the bags on 4 high-level chars, sold all the gear, and looted the bank on all chars, including the guild bank, up to the limit.
I also believe my MoneyBookers and Visa card are compromised by this (the MoneyBookers account is empty, as is the Visa card), but I'm afraid that if I make a deposit I'll be scammed out of that money.

Anyway, I'd ask the experts on MyCity to help me make 100% sure that my PC is clean, and that after Blizzard returns my account I can be sure I won't be hacked again.
Personally I think my case is quite serious because, unlike the cases where people have a pile of viruses for years and still lose nothing, my PC passes as clean on so many different security programs and yet I got hacked.
Thanks in advance!


_

I use Win XP with SP3 (Windows Update turned off)
System Restore is disabled.
I update all security software daily.
Firefox 3.5 with NoScript. (unfortunately NoScript was set to allow all scripts on that site)
Avira AntiVir Pro set to max
Comodo Firewall Pro, very well configured
Spybot with the resident protection running non-stop
Ad-Aware only for on-demand scans.

I'd also like to note that on my system a virus is a very rare occurrence. I never visit suspicious sites, and I use the WOT add-on for Mozilla.
Just now I had to uninstall Avira because it started restarting my PC, with a message like "Avira has encountered an error and must close"; after that the system restarts as soon as I turn the PC on, so for now I have uninstalled Avira from safe mode.


Here is a HijackThis log made just now (not in Safe Mode)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:25:40 PM, on 7/30/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\PROGRA~1\Aston\aston.exe
C:\PROGRA~1\Aston\XP\internat.exe
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\ASUS\PC Probe II\Probe2.exe
C:\Program Files\ASUS\GamerOSD\GamerOSD.exe
C:\Program Files\Analog Devices\SoundMAX\SMax4.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\OCZ Technology\Mouse\Amoumain.exe
C:\Program Files\COMODO\COMODO Internet Security\cfp.exe
C:\Program Files\ASUS\SmartDoctor\SmartDoctor.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Portrait Displays\forteManager\DTHtml.exe
C:\Program Files\Common Files\Portrait Displays\Shared\HookManager.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\WINDOWS\ATKKBService.exe
C:\Program Files\Common Files\Portrait Displays\Shared\DTSRVC.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\NetLimiter 2 Pro\nlsvc.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\PnkBstrB.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\NetLimiter 2 Pro\NLClient.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Stillo\Desktop\Ubica.exe.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.ati.com/online/cccwelcome/drivers.html
F2 - REG:system.ini: Shell=C:\PROGRA~1\Aston\aston.exe ,svchost.exe
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [DT LGE] C:\Program Files\Common Files\Portrait Displays\Shared\DT_startup.exe -LGE
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [Launch PC Probe II] "C:\Program Files\ASUS\PC Probe II\Probe2.exe" 1
O4 - HKLM\..\Run: [ASUSGamerOSD] C:\Program Files\ASUS\GamerOSD\GamerOSD.exe
O4 - HKLM\..\Run: [SoundMax] "C:\Program Files\Analog Devices\SoundMAX\SMax4.exe" /tray
O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [WheelMouse] C:\Program Files\OCZ Technology\Mouse\Amoumain.exe
O4 - HKLM\..\Run: [COMODO Internet Security] "C:\Program Files\COMODO\COMODO Internet Security\cfp.exe" -h
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [ASUS SmartDoctor] C:\Program Files\ASUS\SmartDoctor\SmartDoctor.exe /start
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: C:\WINDOWS\system32\guard32.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: ATK Keyboard Service (ATKKeyboardService) - ASUSTeK COMPUTER INC. - C:\WINDOWS\ATKKBService.exe
O23 - Service: COMODO Internet Security Helper Service (cmdAgent) - COMODO - C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
O23 - Service: Portrait Displays Display Tune Service (DTSRVC) - Unknown owner - C:\Program Files\Common Files\Portrait Displays\Shared\DTSRVC.exe
O23 - Service: Forceware Web Interface (ForcewareWebInterface) - Apache Software Foundation - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: NetLimiter (nlsvc) - Locktime Software - C:\Program Files\NetLimiter 2 Pro\nlsvc.exe
O23 - Service: ForceWare IP service (nSvcIp) - NVIDIA Corporation - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
O23 - Service: ForceWare user log service (nSvcLog) - NVIDIA Corporation - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: PnkBstrB - Unknown owner - C:\WINDOWS\system32\PnkBstrB.exe

--
End of file - 7405 bytes



--

Addendum: 30 Jul 2009 20:56

DDS log:



UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_09-07-30.01)

Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume1
Install Date: 3/18/2009 11:39:26 PM
System Uptime: 7/30/2009 6:35:52 PM (2 hours ago)

Motherboard: ASUSTeK Computer INC. | | M2N
Processor: AMD Processor model unknown | CPU 1 | 3013/200mhz

==== Disk Partitions =========================

A: is Removable
C: is FIXED (NTFS) - 59 GiB total, 17.301 GiB free.
D: is CDROM ()
E: is FIXED (NTFS) - 90 GiB total, 17.343 GiB free.

==== Disabled Device Manager Items =============

==== System Restore Points ===================

No restore point in system.

==== Installed Programs ======================

µTorrent
ACDSee 9 Photo Manager
Acrobat.com
Ad-Aware
Adobe AIR
Adobe Flash Player 10 Plugin
Adobe Reader 9.1
Aston.1.9.6
ASUS Gamer OSD
ASUS Smart Doctor
ASUS Utilities
ASUS VGA Driver
ATI - Software Uninstall Utility
ATI Catalyst Control Center
ATI Display Driver
AusLogics Disk Defrag
BS.Player PRO
Call of Duty(R) 4 - Modern Warfare(TM) 1.6 Patch
Call of Duty(R) 4 - Modern Warfare(TM) 1.7 Patch
Catalyst Control Center - Branding
Catalyst Control Center Core Implementation
Catalyst Control Center Graphics Full Existing
Catalyst Control Center Graphics Full New
Catalyst Control Center Graphics Light
Catalyst Control Center Graphics Previews Common
Catalyst Control Center HydraVision Full
ccc-core-preinstall
ccc-core-static
ccc-utility
CCC Help English
Choice Guard
Command & Conquer 3
COMODO Internet Security
Counter-Strike: Source Texture Pack 1.00
Counter-Strike: Source v17
Curse Client
DH Driver Cleaner Professional Edition
EVE Online (remove only)
forteManager
HijackThis 2.0.2
Hitman Blood Money
Hotfix for Windows XP (KB938759)
Java(TM) 6 Update 13
Java(TM) 6 Update 14
Junk Mail filter update
K-Lite Codec Pack 4.7.0 (Full)
Logitech iTouch Software
Microsoft .NET Framework 2.0 Service Pack 1
Microsoft .NET Framework 3.0 Service Pack 1
Microsoft .NET Framework 3.5
Microsoft Application Error Reporting
Microsoft Games for Windows - LIVE
Microsoft Games for Windows - LIVE Redistributable
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
Mozilla Firefox (3.5.1)
MSVCRT
MSXML 6.0 Parser (KB925673)
neroxml
NetLimiter 2 Pro (remove only)
NVIDIA Drivers
NVIDIA ForceWare Network Access Manager
OCZ Technology Laser Gaming Mouse
OpenOffice.org 3.1
PC Probe II
PowerDVD
PowerISO
Recover Files 2.0
SDK
Segoe UI
Skype™ 4.1
SoundMAX
Spybot - Search & Destroy
Total Commander (Remove or Repair)
Update for Windows XP (KB898461)
VCRedistSetup
Ventrilo Client
WebFldrs XP
Winamp
Windows Driver Package - Advanced Micro Devices (AmdK8-) Processor (05/27/2006 1.3.2.0)
Windows Live Call
Windows Live Communications Platform
Windows Live Essentials
Windows Live Mail
Windows Live Messenger
Windows Live Sign-in Assistant
Windows Live Upload Tool
Windows Media Format Runtime
Windows Presentation Foundation
WinRAR archiver
WinZip
World of Warcraft
XML Paper Specification Shared Components Pack 1.0
XviD MPEG-4 Video Codec

==== Event Viewer Messages From Past Week ========

7/30/2009 6:34:50 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD AmdK8 AsIO asuskbnt avgio avipbb cmdGuard cmdHlp EIO_XP Fips IPSec MRxSmb NetBIOS NetBT nltdi RasAcd Rdbss SCDEmu ssmdrv Tcpip WS2IFSL
7/30/2009 6:34:50 PM, error: Service Control Manager [7001] - The TCP/IP NetBIOS Helper service depends on the AFD service which failed to start because of the following error: A device attached to the system is not functioning.
7/30/2009 6:34:50 PM, error: Service Control Manager [7001] - The IPSEC Services service depends on the IPSEC driver service which failed to start because of the following error: A device attached to the system is not functioning.
7/30/2009 6:34:50 PM, error: Service Control Manager [7001] - The Forceware Web Interface service depends on the AFD service which failed to start because of the following error: A device attached to the system is not functioning.
7/30/2009 6:34:50 PM, error: Service Control Manager [7001] - The DNS Client service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
7/30/2009 6:34:50 PM, error: Service Control Manager [7001] - The DHCP Client service depends on the NetBios over Tcpip service which failed to start because of the following error: A device attached to the system is not functioning.
7/30/2009 6:34:05 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service wuauserv with arguments "" in order to run the server: {E60687F7-01A1-40AA-86AC-DB1CBF673334}
7/30/2009 6:33:39 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
7/27/2009 3:56:50 AM, information: Windows File Protection [64002] - File replacement was attempted on the protected system file ativvaxx.dll. This file was restored to the original version to maintain system stability. The file version of the system file is 6.14.1.9.
7/27/2009 3:56:50 AM, information: Windows File Protection [64002] - File replacement was attempted on the protected system file ati3duag.dll. This file was restored to the original version to maintain system stability. The file version of the system file is 6.14.10.231.
7/27/2009 3:56:50 AM, information: Windows File Protection [64002] - File replacement was attempted on the protected system file ati2mtag.sys. This file was restored to the original version to maintain system stability. The file version of the system file is 6.14.10.6462.
7/27/2009 3:56:50 AM, information: Windows File Protection [64002] - File replacement was attempted on the protected system file ati2dvag.dll. This file was restored to the original version to maintain system stability. The file version of the system file is 6.14.10.6462.
7/27/2009 3:56:50 AM, information: Windows File Protection [64002] - File replacement was attempted on the protected system file ati2cqag.dll. This file was restored to the original version to maintain system stability. The file version of the system file is 6.14.10.233.
7/27/2009 3:38:22 PM, error: Service Control Manager [7034] - The PnkBstrB service terminated unexpectedly. It has done this 1 time(s).
7/27/2009 3:38:19 PM, error: Service Control Manager [7034] - The PnkBstrA service terminated unexpectedly. It has done this 1 time(s).
7/26/2009 10:15:35 PM, information: Windows File Protection [64002] - File replacement was attempted on the protected system file c:\windows\system32\ativvaxx.dll. This file was restored to the original version to maintain system stability. The file version of the system file is 6.14.10.221.
7/26/2009 10:15:35 PM, information: Windows File Protection [64002] - File replacement was attempted on the protected system file c:\windows\system32\ati3duag.dll. This file was restored to the original version to maintain system stability. The file version of the system file is 6.14.10.655.
7/26/2009 10:15:35 PM, information: Windows File Protection [64002] - File replacement was attempted on the protected system file c:\windows\system32\ati2dvag.dll. This file was restored to the original version to maintain system stability. The file version of the system file is 6.14.10.6936.
7/26/2009 10:15:35 PM, information: Windows File Protection [64002] - File replacement was attempted on the protected system file c:\windows\system32\ati2cqag.dll. This file was restored to the original version to maintain system stability. The file version of the system file is 6.14.10.419.
7/26/2009 10:14:24 PM, information: Windows File Protection [64002] - File replacement was attempted on the protected system file c:\windows\system32\drivers\ati2mtag.sys. This file was restored to the original version to maintain system stability. The file version of the system file is 6.14.10.6947.

==== End Of File ===========================
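A triage helper for the HijackThis log format posted above, added here as an example; it is not part of the thread and not code from HijackThis or any other tool named in it. It groups the "Oxx - ..." entries by section and flags the kinds of lines a helper usually asks about first (a BHO with "(no name)" or "(no file)", a service with "Unknown owner", a non-default Shell= value, any AppInit_DLLs entry). The sample lines are constructed in the shape of the log above, and a flag means "verify this", not "malicious".

```python
import re
from collections import Counter
from dataclasses import dataclass

# Line shapes taken from the HijackThis 2.0.2 log format, e.g.
#   O2 - BHO: <name> - {CLSID} - <path or "(no file)">
#   O23 - Service: <display name> (<short name>) - <vendor or "Unknown owner"> - <path>
#   F2 - REG:system.ini: Shell=<comma separated executables>
#   O20 - AppInit_DLLs: <dll path>
ENTRY_RE = re.compile(r"^(?P<code>[A-Z]\d{1,2}) - (?P<body>.*)$")
BHO_RE = re.compile(r"^BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.*)$")
SERVICE_RE = re.compile(r"^Service: (?P<name>.*?) - (?P<owner>.*?) - (?P<path>.*)$")
SHELL_RE = re.compile(r"^REG:system\.ini: Shell=(?P<value>.*)$")
APPINIT_RE = re.compile(r"^AppInit_DLLs: (?P<value>.*)$")


@dataclass
class Finding:
    code: str      # HijackThis section code, e.g. "O23"
    reason: str    # why a helper would want to look at this line
    entry: str     # the original entry body


def parse_entries(log_text):
    """Return (code, body) pairs for every 'Oxx - ...' style line; header/footer lines are skipped."""
    entries = []
    for raw in log_text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if m:
            entries.append((m.group("code"), m.group("body")))
    return entries


def triage(log_text):
    """Flag the entry types a forum helper usually asks about first. A flag means
    'verify this', not 'malicious': COMODO's guard32.dll is a legitimate AppInit DLL,
    and a shell replacement such as Aston is a legitimate non-default shell."""
    findings = []
    for code, body in parse_entries(log_text):
        if code == "O2":
            m = BHO_RE.match(body)
            if m and (m.group("name") == "(no name)" or m.group("path") == "(no file)"):
                findings.append(Finding(code, "BHO with no name or no backing file (orphaned CLSID)", body))
        elif code == "O23":
            m = SERVICE_RE.match(body)
            if m and m.group("owner") == "Unknown owner":
                findings.append(Finding(code, "service has no vendor string; check the file's publisher", body))
        elif code == "F2":
            m = SHELL_RE.match(body)
            if m:
                # Winlogon's Shell value may list several executables separated by commas.
                items = [s.strip() for s in m.group("value").split(",") if s.strip()]
                extra = [s for s in items if s.lower().split("\\")[-1] != "explorer.exe"]
                if extra:
                    findings.append(Finding(code, "non-default Windows shell: " + ", ".join(extra), body))
        elif code == "O20":
            m = APPINIT_RE.match(body)
            if m and m.group("value").strip():
                findings.append(Finding(code, "AppInit_DLLs loads this DLL into every GUI process; confirm the vendor", body))
    return findings


def summarize(findings):
    """Count of flagged entries per section code, e.g. {'O23': 2, ...}."""
    return dict(Counter(f.code for f in findings))


# Constructed sample in the shape of the log above (not the full posted log).
SAMPLE_LOG = r"""Logfile of Trend Micro HijackThis v2.0.2
F2 - REG:system.ini: Shell=C:\PROGRA~1\Aston\aston.exe ,svchost.exe
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O4 - HKLM\..\Run: [COMODO Internet Security] "C:\Program Files\COMODO\COMODO Internet Security\cfp.exe" -h
O20 - AppInit_DLLs: C:\WINDOWS\system32\guard32.dll
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: NetLimiter (nlsvc) - Locktime Software - C:\Program Files\NetLimiter 2 Pro\nlsvc.exe
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.code}] {f.reason}\n      {f.entry}")
    print(summarize(triage(SAMPLE_LOG)))
```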

  • dr_Bora
  • Anti Malware Fighter
    Rank 2
  • Joined: 24 Jul 2007
  • Posts: 12280
  • Location: Höganäs, SE

Hello...


I see that something "happened" when Windows started today at 18:34. A bunch of drivers didn't load.

What happened? Did the PC restart during boot?



Download SysProt AntiRootkit from the following page:

SysProt download

On the page that opens, click the "here" link.



Unpack the archive into some folder (instructions), then:
double-click to run the program and switch to the Log tab;

tick all eight items and click Create log;

after some time a prompt will appear, in which you should select
Scan root drive only and click Start;

when the scan finishes, a notification will appear; close it by clicking OK;

the report (log) will be saved in the same folder as the program itself.



Attach the created report to your post using the Attach file option.

  • still
  • Distinguished Citizen
  • Joined: 25 Feb 2005
  • Posts: 639
  • Location: beli_grad>gistro

Hi, thanks for the reply.
As for that restart, I assume it was when the PC started restarting as soon as the system began booting; I fixed that by uninstalling Avira from safe mode.

As for this program, I did everything as you said, but I'm running into a problem: when the scan starts, after a few seconds the PC starts throwing an error that the floppy is open and that I should try to close it and continue the scan. I don't have a floppy drive in the computer and I don't know how to get around the part where this program "gets stuck"; I had to kill it with End Process since it stays hung like that..

  • dr_Bora
  • Anti Malware Fighter
    Rank 2
  • Joined: 24 Jul 2007
  • Posts: 12280
  • Location: Höganäs, SE

Did you select Scan root drive only?

If you did and it still didn't work, use the program below.




Download RootRepeal from one of the following links to the Desktop:

http://rootrepeal.googlepages.com/RootRepeal.zip
http://ad13.geekstogo.com/RootRepeal.zip
http://rootrepeal.psikotick.com/RootRepeal.zip

Right-click the link and choose Save Target As... (Save Link As..., Save Linked Content As... or similar);
When the dialog for choosing where to save the file opens, choose Desktop and click Save.




Unpack RootRepeal.zip into some folder (instructions).
Double-click RootRepeal.exe to run it.
Switch to the Report tab (by clicking the Report button, bottom right).
Click the Scan button.
In the window that opens (Select Scan), tick the boxes in front of all items and click OK.
In the next window (Select Drives), tick the box in front of the system drive (usually C:\) and click OK.
When the process finishes, click Save Report and save the scan report.


Copy the contents of that report into your next post.

  • still
  • Distinguished Citizen
  • Joined: 25 Feb 2005
  • Posts: 639
  • Location: beli_grad>gistro

As for the first program, it didn't offer me the option you mention. As soon as I tick all 7 (yes, 7, there are no more) options and click Create log, it doesn't ask me anything else; it starts scanning and then "crashes".

Here's the log the second program made. (file attached)

  • dr_Bora
  • Anti Malware Fighter
    Rank 2
  • Joined: 24 Jul 2007
  • Posts: 12280
  • Location: Höganäs, SE

Download sUBs' ComboFix from the following address to the Desktop:


Bleeping Computer
Right-click the link and choose Save Target As... (Save Link As..., Save Linked Content As... or similar);
When the dialog for choosing where to save the file opens, choose Desktop and click Save.




When the download has finished:
disable your security software (instructions);
close any running programs;
double-click to run ComboFix.

While running, ComboFix will:
check whether a newer version of the program exists:
click Yes if it offers to download it.
show the DISCLAIMER OF WARRANTY ON SOFTWARE:
click Yes so the process continues.
if the Recovery Console is not installed, offer to install it:
be sure to accept by clicking Yes and follow the procedure.
ask a certain number of questions/show notifications:
accept by clicking Yes or OK.
if necessary, restart Windows (more than once);
at the end, open Notepad with the scan report.


Copy the report ComboFix produced into the forum thread:
right-click in the Notepad window and choose Select All;
right-click the highlighted text and choose Copy;
right-click in the message box and choose Paste.


Note: The report will be saved under the name ComboFix.txt on the system partition (typical location: C:\ComboFix.txt);
If after posting you notice the report isn't complete, use the Attach file option to attach the file C:\ComboFix.txt to your post.

  • still
  • Distinguished Citizen
  • Joined: 25 Feb 2005
  • Posts: 639
  • Location: beli_grad>gistro

Posted: 30 Jul 2009 23:35

ComboFix 09-07-29.04 - Stillo 07/30/2009 23:23.3.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1613 [GMT 2:00]
Running from: c:\documents and settings\Stillo\Desktop\ComboFix.exe
FW: ActiveArmor Firewall *disabled* {EDC10449-64D1-46c7-A59A-EC20D662F26D}
FW: COMODO Firewall *enabled* {043803A3-4F86-4ef6-AFC5-F6E02A79969B}

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
c:\program files\Mozilla Firefox\extensions\{D2F6E1F6-1CE2-426E-9F1B-A1CB8D8B34B5}
c:\program files\Mozilla Firefox\extensions\{D2F6E1F6-1CE2-426E-9F1B-A1CB8D8B34B5}\chrome.manifest
c:\program files\Mozilla Firefox\extensions\{D2F6E1F6-1CE2-426E-9F1B-A1CB8D8B34B5}\chrome\content\overlay.xul
c:\program files\Mozilla Firefox\extensions\{D2F6E1F6-1CE2-426E-9F1B-A1CB8D8B34B5}\install.rdf
c:\windows\system32\Ati2mdxx.exe
c:\windows\system32\Iasex.dll

----- BITS: Possible infected sites -----

hxxp://ccp.vo.llnwd.net
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_IAS
-------\Service_Ias


((((((((((((((((((((((((( Files Created from 2009-06-28 to 2009-07-30 )))))))))))))))))))))))))))))))
.

2009-07-27 22:12 . 2009-07-27 22:10 102664 ----a-w- c:\windows\system32\drivers\tmcomm.sys
2009-07-27 22:09 . 2009-07-27 22:13 -------- d-----w- c:\documents and settings\Stillo\.housecall6.6
2009-07-27 02:31 . 2009-07-27 02:31 -------- d-----w- c:\documents and settings\All Users\Application Data\ATI
2009-07-27 01:57 . 2009-07-02 10:12 593920 ------w- c:\windows\system32\ati2sgag.exe
2009-07-27 01:57 . 2009-07-27 01:57 -------- d-----w- C:\ATI
2009-07-26 20:18 . 2009-02-09 11:18 453152 ----a-w- c:\windows\system32\nvudisp.exe
2009-07-24 11:56 . 2009-07-24 11:56 -------- d-----w- c:\program files\Eidos
2009-07-14 20:22 . 2009-07-14 20:22 56 ---ha-w- c:\windows\system32\ezsidmv.dat
2009-07-14 20:22 . 2009-07-26 19:02 -------- d-----w- c:\documents and settings\Stillo\Application Data\skypePM
2009-07-14 19:54 . 2009-07-26 20:20 -------- d-----w- c:\documents and settings\Stillo\Application Data\Skype
2009-07-14 19:53 . 2009-07-14 19:53 -------- d-----w- c:\program files\Common Files\Skype
2009-07-14 19:53 . 2009-07-14 20:03 -------- d-----r- c:\program files\Skype
2009-07-14 19:53 . 2009-07-14 19:53 -------- d-----w- c:\documents and settings\All Users\Application Data\Skype
2009-07-14 17:26 . 2008-04-13 22:15 60032 -c--a-w- c:\windows\system32\dllcache\usbaudio.sys
2009-07-14 17:26 . 2008-04-13 22:15 60032 ----a-w- c:\windows\system32\drivers\USBAUDIO.sys
2009-07-14 17:26 . 2008-04-13 22:15 32128 -c--a-w- c:\windows\system32\dllcache\usbccgp.sys
2009-07-14 17:26 . 2008-04-13 22:15 32128 ----a-w- c:\windows\system32\drivers\usbccgp.sys
2009-07-13 22:41 . 2009-07-18 16:12 -------- d-----w- c:\program files\CryptLoad_1.1.6
2009-07-10 06:09 . 2009-07-15 13:59 1 ----a-w- c:\documents and settings\Stillo\Application Data\OpenOffice.org\3\user\uno_packages\cache\stamp.sys
2009-07-10 06:08 . 2009-07-10 06:08 -------- d-----w- c:\documents and settings\Stillo\Application Data\OpenOffice.org
2009-07-10 06:05 . 2009-07-10 06:05 -------- d-----w- c:\program files\JRE
2009-07-10 06:05 . 2009-07-10 06:05 -------- d-----w- c:\program files\OpenOffice.org 3
2009-07-05 19:34 . 2009-07-05 19:34 -------- d-----w- c:\documents and settings\Stillo\Local Settings\Application Data\CCP
2009-07-04 23:47 . 2009-07-04 23:47 -------- d-----w- c:\program files\CCP
2009-07-04 23:47 . 2009-07-04 23:47 -------- d-----w- c:\documents and settings\All Users\Application Data\CCP

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-07-30 16:44 . 2009-03-20 23:11 -------- d-----w- c:\program files\World of Warcraft
2009-07-30 16:36 . 2009-03-19 00:49 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira
2009-07-30 16:31 . 2009-03-19 00:56 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-07-27 02:29 . 2009-04-17 21:39 -------- d-----w- c:\program files\ATI Technologies
2009-07-27 02:00 . 2009-03-20 17:38 -------- d-----w- c:\documents and settings\Stillo\Application Data\ATI
2009-07-27 01:57 . 2009-03-18 23:50 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-07-26 20:13 . 2009-03-18 23:55 1324 ----a-w- c:\windows\system32\d3d9caps.dat
2009-07-25 23:29 . 2009-03-19 00:34 -------- d-----w- c:\documents and settings\Stillo\Application Data\uTorrent
2009-07-12 06:13 . 2009-06-21 06:10 25440 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\savapibridge.dll
2009-07-12 06:13 . 2009-06-21 06:10 1630560 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Resources.dll
2009-07-12 06:12 . 2009-06-21 06:10 2353480 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Ad-Aware.exe
2009-07-10 15:42 . 2009-03-18 23:57 17480 ----a-w- c:\documents and settings\Stillo\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-07-10 06:04 . 2009-03-19 00:30 -------- d-----w- c:\program files\Java
2009-07-08 03:54 . 2009-03-19 00:48 179792 ----a-w- c:\windows\system32\guard32.dll
2009-07-08 03:54 . 2009-03-19 00:48 132040 ----a-w- c:\windows\system32\drivers\cmdguard.sys
2009-07-06 04:37 . 2009-03-19 00:48 86976 ----a-w- c:\windows\system32\drivers\inspect.sys
2009-07-06 04:37 . 2009-03-19 00:48 25160 ----a-w- c:\windows\system32\drivers\cmdhlp.sys
2009-07-05 06:11 . 2009-06-21 06:10 314712 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\threatwork.exe
2009-07-05 06:11 . 2009-06-21 06:10 169312 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\lavamessage.dll
2009-07-05 06:10 . 2009-06-21 06:10 348496 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\lavalicense.dll
2009-07-05 06:10 . 2009-06-21 06:10 298336 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\UpdateManager.dll
2009-07-05 06:10 . 2009-05-28 01:34 84832 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\ShellExt.dll
2009-07-05 06:10 . 2009-05-28 01:34 246128 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\RPAPI.dll
2009-07-05 06:10 . 2009-05-28 01:34 40288 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\PrivacyClean.dll
2009-07-05 06:10 . 2009-06-21 06:10 85352 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Drivers\32\AAWDriverTool.exe
2009-07-05 06:10 . 2009-06-21 06:10 664424 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\CEAPI.dll
2009-07-05 06:10 . 2009-06-21 06:10 563064 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Ad-AwareCommand.exe
2009-07-05 06:10 . 2009-06-21 06:10 566632 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Ad-AwareAdmin.exe
2009-07-05 06:10 . 2009-06-21 06:10 629072 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\AAWWSC.exe
2009-07-05 06:10 . 2009-06-21 06:10 520024 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\AAWTray.exe
2009-07-05 06:10 . 2009-06-21 06:10 1029456 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\AAWService.exe
2009-07-03 00:23 . 2009-05-25 16:25 -------- d-----w- c:\program files\Rawr v2.2.5
2009-07-02 17:49 . 2007-10-16 14:40 4125696 ----a-w- c:\windows\system32\drivers\ati2mtag.sys
2009-07-02 17:25 . 2009-04-29 02:18 442368 ----a-w- c:\windows\system32\ATIDEMGX.dll
2009-07-02 17:24 . 2007-10-16 14:04 335872 ----a-w- c:\windows\system32\ati2dvag.dll
2009-07-02 17:07 . 2009-04-29 02:00 311296 ----a-w- c:\windows\system32\atiiiexx.dll
2009-07-02 17:06 . 2009-04-29 02:07 204800 ----a-w- c:\windows\system32\atipdlxx.dll
2009-07-02 17:05 . 2009-04-29 02:06 155648 ----a-w- c:\windows\system32\Oemdspif.dll
2009-07-02 17:05 . 2009-04-29 02:06 43520 ----a-w- c:\windows\system32\ati2edxx.dll
2009-07-02 17:05 . 2009-04-29 02:06 155648 ----a-w- c:\windows\system32\ati2evxx.dll
2009-07-02 17:04 . 2009-04-29 02:04 602112 ----a-w- c:\windows\system32\ati2evxx.exe
2009-07-02 17:02 . 2009-04-29 02:03 53248 ----a-w- c:\windows\system32\ATIDDC.DLL
2009-07-02 16:56 . 2007-10-16 13:44 3014272 ----a-w- c:\windows\system32\ati3duag.dll
2009-07-02 16:54 . 2009-04-29 01:45 11698176 ----a-w- c:\windows\system32\atioglxx.dll
2009-07-02 16:44 . 2007-10-16 13:33 2139904 ----a-w- c:\windows\system32\ativvaxx.dll
2009-07-02 16:44 . 2009-04-29 01:42 887724 ----a-w- c:\windows\system32\ativva6x.dat
2009-07-02 16:44 . 2009-04-29 01:42 3 ----a-w- c:\windows\system32\ativva5x.dat
2009-07-02 16:31 . 2009-04-29 01:26 49664 ----a-w- c:\windows\system32\atimpc32.dll
2009-07-02 16:31 . 2009-04-29 01:26 49664 ----a-w- c:\windows\system32\amdpcom32.dll
2009-07-02 16:28 . 2009-04-29 01:22 487424 ----a-w- c:\windows\system32\atikvmag.dll
2009-07-02 16:27 . 2009-04-29 01:20 45056 ----a-w- c:\windows\system32\aticalrt.dll
2009-07-02 16:26 . 2009-04-29 01:20 45056 ----a-w- c:\windows\system32\aticalcl.dll
2009-07-02 16:26 . 2009-04-29 01:20 151552 ----a-w- c:\windows\system32\atiadlxx.dll
2009-07-02 16:26 . 2009-04-29 01:19 17408 ----a-w- c:\windows\system32\atitvo32.dll
2009-07-02 16:25 . 2009-04-29 01:19 53248 ----a-w- c:\windows\system32\drivers\ati2erec.dll
2009-07-02 16:25 . 2009-04-29 01:18 3248128 ----a-w- c:\windows\system32\aticaldd.dll
2009-07-02 16:24 . 2009-04-29 01:17 376832 ----a-w- c:\windows\system32\atiok3x2.dll
2009-07-02 16:20 . 2007-10-16 13:11 651264 ----a-w- c:\windows\system32\ati2cqag.dll
2009-06-26 16:54 . 2009-03-20 18:27 -------- d-----w- c:\documents and settings\Stillo\Application Data\Ventrilo
2009-06-26 16:53 . 2009-06-26 16:53 -------- d-----w- c:\program files\Ventrilo
2009-06-26 16:49 . 2009-06-26 16:49 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-06-19 22:29 . 2009-03-19 21:55 -------- d-----w- c:\program files\Common Files\Blizzard Entertainment
2009-06-19 14:58 . 2009-06-19 14:58 -------- d-----w- c:\program files\OCZ Technology
2009-06-19 14:52 . 2009-03-19 00:03 -------- d-----w- c:\program files\Logitech
2009-06-19 14:52 . 2009-03-19 00:03 -------- d-----w- c:\program files\Common Files\Logitech
2009-06-18 19:29 . 2009-04-01 19:59 197654 ----a-w- c:\windows\system32\atiicdxx.dat
2009-06-10 00:56 . 2009-06-10 00:56 152576 ----a-w- c:\documents and settings\Stillo\Application Data\Sun\Java\jre1.6.0_14\lzma.dll
2009-05-28 01:35 . 2009-05-28 01:35 15688 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\lsdelete.exe
2009-05-28 01:35 . 2009-04-12 07:00 15688 ----a-w- c:\windows\system32\lsdelete.exe
2009-05-21 09:33 . 2009-03-19 00:30 410984 ----a-w- c:\windows\system32\deploytk.dll
2009-05-11 21:35 . 2009-03-03 19:56 118784 ----a-w- c:\windows\system32\atibtmon.exe
2009-07-15 20:30 . 2009-03-19 00:11 137208 ----a-w- c:\program files\mozilla firefox\components\brwsrcmp.dll
.

------- Sigcheck -------

[-] 2009-03-19 00:57 361344 8E036EEC565910417EA020CE0962AA24 c:\windows\system32\dllcache\TCPIP.SYS
[-] 2009-03-19 00:57 361344 8E036EEC565910417EA020CE0962AA24 c:\windows\system32\drivers\TCPIP.SYS
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ASUS SmartDoctor"="c:\program files\ASUS\SmartDoctor\SmartDoctor.exe" [2008-12-18 1175552]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DT LGE"="c:\program files\Common Files\Portrait Displays\Shared\DT_startup.exe" [2007-10-11 81920]
"zBrowser Launcher"="c:\program files\Logitech\iTouch\iTouch.exe" [2002-07-22 577602]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2006-07-20 847872]
"Launch PC Probe II"="c:\program files\ASUS\PC Probe II\Probe2.exe" [2006-07-28 2129408]
"ASUSGamerOSD"="c:\program files\ASUS\GamerOSD\GamerOSD.exe" [2008-08-29 380928]
"Ad-Watch"="c:\program files\Lavasoft\Ad-Aware\AAWTray.exe" [2009-07-05 520024]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-05-21 148888]
"WheelMouse"="c:\program files\OCZ Technology\Mouse\Amoumain.exe" [2006-12-28 196608]
"COMODO Internet Security"="c:\program files\COMODO\COMODO Internet Security\cfp.exe" [2009-07-06 1793808]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2009-07-02 98304]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\system32\guard32.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\NVIDIA Corporation\\NetworkAccessManager\\Apache Group\\Apache2\\bin\\Apache.exe"=
"c:\\Program Files\\Curse\\CurseClient.exe"=
"c:\\WINDOWS\\system32\\PnkBstrA.exe"=
"c:\\WINDOWS\\system32\\PnkBstrB.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Ventrilo\\Ventrilo.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [4/12/2009 8:10 AM 64160]
R1 cmdGuard;COMODO Internet Security Sandbox Driver;c:\windows\system32\drivers\cmdguard.sys [3/19/2009 2:48 AM 132040]
R1 cmdHlp;COMODO Internet Security Helper Driver;c:\windows\system32\drivers\cmdhlp.sys [3/19/2009 2:48 AM 25160]
R1 nltdi;nltdi;c:\windows\system32\drivers\nltdi.sys [4/23/2007 1:03 PM 82200]
R3 AtiHdmiService;ATI Function Driver for HDMI Service;c:\windows\system32\drivers\AtiHdmi.sys [10/31/2008 2:52 PM 93184]
S3 gHidPnp;USB Device Enhanced Function Driver;c:\windows\system32\Drivers\gHidPnp.Sys --> c:\windows\system32\Drivers\gHidPnp.Sys [?]
S3 gMouPS2;PS2 Scroll Mouse Device;c:\windows\system32\DRIVERS\gMouPS2.sys --> c:\windows\system32\DRIVERS\gMouPS2.sys [?]
S3 gMouUsb;USB Mouse Device Drv;c:\windows\system32\DRIVERS\gMouUsb.sys --> c:\windows\system32\DRIVERS\gMouUsb.sys [?]
S3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [3/9/2009 9:06 PM 1029456]
S3 SysProtDrv.sys;SysProtDrv.sys;c:\documents and settings\Stillo\Desktop\SysProt\SysProtDrv.sys [7/30/2009 10:26 PM 44288]
.
Contents of the 'Scheduled Tasks' folder

2009-07-30 c:\windows\Tasks\Spybot - Search & Destroy Updater - Scheduled Task.job
- c:\program files\Spybot - Search & Destroy\SDUpdate.exe [2009-03-19 14:31]
.
.
------- Supplementary Scan -------
.
uInternet Connection Wizard,ShellNext = hxxp://www.ati.com/online/cccwelcome/drivers.html
FF - ProfilePath - c:\documents and settings\Stillo\Application Data\Mozilla\Firefox\Profiles\1ue3y1nb.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2195958&SearchSource=3&q={searchTerms}
FF - prefs.js: browser.search.selectedEngine - divx-titlovi.com
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.enforce_same_site_origin", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.cache_size", 51200);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.ogg.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.wave.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.autoplay.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.urlbar.autocomplete.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.mailnews.*.wholeText", "noAccess");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.storage.default_quota", 5120);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("content.sink.event_probe_rate", 3);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.http.prompt-temp-redirect", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("layout.css.dpi", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("layout.css.devPixelsPerPx", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("gestures.enable_single_finger_input", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.max_chrome_script_run_time", 0);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.tcp.sendbuffer", 131072);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("geo.enabled", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.remember_cert_checkbox_default_setting", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr", "moz35");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-cjkt", "moz35");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.blocklist.level", 2);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.urlbar.restrict.typed", "~");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.urlbar.default.behavior", 0);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.history", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.formdata", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.passwords", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.downloads", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cookies", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cache", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.sessions", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.offlineApps", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.siteSettings", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.history", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.formdata", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.passwords", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.downloads", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.cookies", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.cache", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.sessions", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.offlineApps", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.siteSettings", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.sanitize.migrateFx3Prefs", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.ssl_override_behavior", 2);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("security.alternate_certificate_error_page", "certerror");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.autostart", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.dont_prompt_on_enter", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("geo.wifi.uri", "https://www.google.com/loc/json");
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-07-30 23:26
Windows 5.1.2600 Service Pack 3 NTFS

detected NTDLL code modification:
ZwClose, ZwOpenFile

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1060284298-2025429265-682003330-1003\Software\SecuROM\License information*]
"datasecu"=hex:7b,48,63,2f,ba,c6,01,86,6b,74,bb,eb,2c,44,3b,a3,6f,a9,9c,71,11,
da,14,bd,84,b3,fe,c0,e1,6c,25,f5,81,9a,78,6e,8b,9b,e4,b1,d0,ad,de,23,9b,16,\
"rkeysecu"=hex:63,f1,07,32,5f,fa,33,21,78,3b,0a,03,dc,38,db,7c
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(848-)
c:\windows\system32\Ati2evxx.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\program files\COMODO\COMODO Internet Security\cmdagent.exe
c:\windows\system32\ati2evxx.exe
c:\windows\ATKKBService.exe
c:\program files\Common Files\Portrait Displays\Shared\DTSRVC.exe
c:\program files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\Apache.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\NetLimiter 2 Pro\nlsvc.exe
c:\program files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
c:\program files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\Apache.exe
c:\windows\system32\rundll32.exe
c:\program files\Portrait Displays\forteManager\dthtml.exe
c:\windows\system32\PnkBstrA.exe
c:\program files\Common Files\Portrait Displays\Shared\HookManager.exe
c:\windows\system32\PnkBstrB.exe
c:\program files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
c:\windows\system32\wdfmgr.exe
c:\program files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
c:\program files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
c:\program files\NetLimiter 2 Pro\NLClient.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2009-07-30 23:28 - machine was rebooted
ComboFix-quarantined-files.txt 2009-07-30 21:28

Pre-Run: 18,412,249,088 bytes free
Post-Run: 18,500,505,600 bytes free

294 --- E O F --- 2009-03-18 23:55

Update: 30 Jul 2009 23:36

By the way, ComboFix deleted some file belonging to the Aston Shell program (the one that, say, changes the Windows theme), and it no longer works. What should I do, am I allowed to undo that deletion with ComboFix, or?

  • dr_Bora
  • Anti Malware Fighter
    Rank 2
  • Joined: 24 Jul 2007
  • Posts: 12280
  • Location: Höganäs, SE

Which Aston file was deleted?

Pack the complete folder into a zip/rar: C:\qoobox\quarantine

and upload it via this link: http://www.mycity.rs/ambulanta-upload.php

  • still
  • Zaslužni građanin
  • Joined: 25 Feb 2005
  • Posts: 639
  • Location: beli_grad>gistro

Posted: 30 Jul 2009 23:42

I also don't understand why c:\windows\system32\Ati2mdxx.exe was deleted? As far as I can see, that is part of the ATI driver? Did I misunderstand something and that file was not actually deleted, or?

Update: 30 Jul 2009 23:44

I've uploaded the complete ComboFix quarantine.

Update: 30 Jul 2009 23:48

Sorry for all these updates, but as far as I can see my problem was c:\windows\system32\Iasex.dll. If I'm not mistaken, that is exactly the virus file I was 99.9% infected with, the one that was hosted on Worldofraids.com.
What I'd like to know is how come
Avira Pro
Kaspersky Personal
Trend Micro
AVG Free
SND
Ad-Aware
didn't detect this file as any kind of threat? I really can't get my head around it..

Update: 30 Jul 2009 23:59

As for Aston Shell, ComboFix didn't delete anything; I assume it was a matter of the system being reset to default settings, since Aston was disabled, as was Firefox, but that's fine now, I've re-enabled both.

Update: 31 Jul 2009 0:13

OK, now I'm getting embarrassed by all these updates, but the more I think about it, the more questions I have.

What I'd like to know is whether it should now be safe to put Avira AntiVir back on the PC, since that's the AV I have a license for and, honestly, I'm satisfied with it (this case aside).
I ask because I couldn't boot the system until I uninstalled Avira; I assume the virus was somehow causing that.

  • dr_Bora
  • Anti Malware Fighter
    Rank 2
  • Joined: 24 Jul 2007
  • Posts: 12280
  • Location: Höganäs, SE

Download and unpack into the c:\windows\system32 folder: https://www.mycity.rs/must-login.png

So much for the first question...

Regarding the detection of the file... TrojanDownloader:Win32/Somex.A - detected only by MS.

As for Avira... Hard to say. A fresh installation will probably work.
In any case, install an AV as soon as possible.

This now looks OK. We need to remove the tools that were used:

ComboFix needs to be uninstalled:
click Start, then RUN.

On Vista, use the Start Search field if Run is not available.

In the text entry field type (or paste) the following:

combofix /u

Note that there is a space between "ComboFix" and "/u".

then click OK (or press Enter).

Wait for the uninstall process to complete.

You can delete everything else yourself.
