Prekid inte


offline
  • Joined: 29 Nov 2009
  • Posts: 77

Hello! I am using 32-bit Windows and cable internet; since yesterday my internet and the computer itself have been slowing down badly!

I use Antivir, which frequently reports

Begin scan in 'C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\96T3BDHI\vtvy[1].jpg'
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\96T3BDHI\vtvy[1].jpg
[DETECTION] Is the TR/Dropper.Gen Trojan
[NOTE] The file was moved to the quarantine directory under the name '577d9ebb.qua'.

Begin scan in 'C:\WINDOWS\system32\hjamff.dll'
C:\WINDOWS\system32\hjamff.dll
[DETECTION] Contains recognition pattern of the WORM/Conficker.V worm
[NOTE] The file was moved to the quarantine directory under the name '576b7f52.qua'.

Begin scan in 'C:\WINDOWS\system32\x'
C:\WINDOWS\system32\x
[DETECTION] Contains recognition pattern of the WORM/Conficker.G worm
[NOTE] The file was moved to the quarantine directory under the name '4faf4c3e.qua'.

Begin scan in 'C:\WINDOWS\system32\x'
C:\WINDOWS\system32\x
[DETECTION] Is the TR/Dropper.Gen Trojan
[NOTE] The file was moved to the quarantine directory under the name '4fac3dee.qua'.

I go into Safe Mode and clean what Malwarebytes' Anti-Malware finds, which is this:

Malwarebytes' Anti-Malware 1.46
[Link mogu videti samo ulogovani korisnici]

Verzija baze: 4774

Windows 5.1.2600 Service Pack 2 (Safe Mode)
Internet Explorer 6.0.2900.2180

15.12.2010 18:26:35
mbam-log-2010-12-15 (18-26-35).txt

Način skeniranja: Brzo skeniranje
Skeniranih objekata 143454
Proteklo vreme 5 minuta(e), 18 sekundi

Inficirani procesi u memoriji: 1
Inficirani moduli u memoriji: 0
Inficirani ključevi u registru: 0
Inficirane vrednosti u registru: 5
Inficirani podaci u registru: 0
Inficirane fascikle: 0
Inficirane datoteke: 9

Inficirani procesi u memoriji:
C:\WINDOWS\system32\msvmiode.exe (Backdoor.Bot) -> Unloaded process successfully.

Inficirani moduli u memoriji:
(Maliciozne stavke nisu pronađene)

Inficirani ključevi u registru:
(Maliciozne stavke nisu pronađene)

Inficirane vrednosti u registru:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\msodesnv7 (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\shell (Worm.Palevo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\taskman (Worm.Palevo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\microsoft driver setup (Worm.Palevo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\microsoft driver setup (Worm.Palevo) -> Quarantined and deleted successfully.

Inficirani podaci u registru:
(Maliciozne stavke nisu pronađene)

Inficirane fascikle:
(Maliciozne stavke nisu pronađene)

Inficirane datoteke:
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\96T3BDHI\jxgedqlb[1].bmp (Worm.Conficker) -> Quarantined and deleted successfully.
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\96T3BDHI\sydkv[1].bmp (Extension.Mismatch) -> Quarantined and deleted successfully.
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\NA1JEUBQ\adsqmfx[1].png (Extension.Mismatch) -> Quarantined and deleted successfully.
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\NA1JEUBQ\tbrvcm[1].png (Worm.Conficker) -> Quarantined and deleted successfully.
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\UKBTCV6G\fyggnfx[1].jpg (Extension.Mismatch) -> Quarantined and deleted successfully.
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\UKBTCV6G\ubyxq[1].bmp (Worm.Conficker) -> Quarantined and deleted successfully.
C:\Documents and Settings\KOKI\Application Data\ltzqai.exe (Worm.Palevo) -> Delete on reboot.
C:\WINDOWS\system32\msvmiode.exe (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\WINDOWS\gwdrive32.exe (Worm.Palevo) -> Delete on reboot.
but when I go back to normal mode it works fine for a while, then Antivir detects the trojan "x" in system32 again, and it all starts over.
---------------------------------------------------------------------------

DDS (Ver_10-12-12.02) - NTFSx86
Run by KOKI at 21:23:33,73 on sre 15.12.2010
Internet Explorer: 6.0.2900.2180 BrowserJavaVersion: 1.6.0_22
Microsoft Windows XP Professional 5.1.2600.2.1250.381.1033.18.511.240 [GMT 1:00]

AV: AntiVir Desktop *Enabled/Outdated* {AD166499-45F9-482A-A743-FDD3350758C7}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\system32\notepad.exe
D:\My Documents\dds.scr

============== Pseudo HJT Report ===============

uStart Page = [Link mogu videti samo ulogovani korisnici]
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Skype add-on for Internet Explorer: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
mRun: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
dRun: [ctfmon.exe] c:\windows\system32\CTFMON.EXE
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
Trusted Zone: bancaintesabeograd.com\online
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - [Link mogu videti samo ulogovani korisnici]
DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - [Link mogu videti samo ulogovani korisnici]
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - [Link mogu videti samo ulogovani korisnici]
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - [Link mogu videti samo ulogovani korisnici]
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\koki\applic~1\mozilla\firefox\profiles\x3kgijhn.default\
FF - prefs.js: browser.startup.homepage - [Link mogu videti samo ulogovani korisnici]
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
FF - plugin: d:\program files\reader\browser\nppdf32.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
FF - Ext: Java Quick Starter: [Link mogu videti samo ulogovani korisnici] - c:\program files\java\jre6\lib\deploy\jqs\ff

============= SERVICES / DRIVERS ===============

R1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2010-3-27 11608]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2010-3-27 135336]
R2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2010-3-27 267944]
R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2010-3-27 61960]
S2 jzvppcvhn;Monitor Installer;c:\windows\system32\svchost.exe -k netsvcs [2004-8-3 14336]
S2 utaqoa;Config Center;c:\windows\system32\svchost.exe -k netsvcs [2004-8-3 14336]
S2 uwzki;Shell Center;c:\windows\system32\svchost.exe -k netsvcs [2004-8-3 14336]
S2 zamuzmn;Helper Windows;c:\windows\system32\svchost.exe -k netsvcs [2004-8-3 14336]
S3 ahnukvhwm;ahnukvhwm;\??\c:\windows\system32\07.tmp --> c:\windows\system32\07.tmp [?]
S3 fmhyfgqp;fmhyfgqp;\??\c:\windows\system32\01.tmp --> c:\windows\system32\01.tmp [?]
S3 rgofrhpus;rgofrhpus;\??\c:\windows\system32\01.tmp --> c:\windows\system32\01.tmp [?]
S3 vywkbinz;vywkbinz;\??\c:\windows\system32\01.tmp --> c:\windows\system32\01.tmp [?]

=============== Created Last 30 ================


==================== Find3M ====================


============= FINISH: 21:24:04,85 ===============
With the gmer1 procedure, the scan stopped quickly for me; I am attaching a screenshot.


rip
  • argus  Male
  • Anti Malware Fighter
    Rank 2
  • Joined: 27 Apr 2008
  • Posts: 9160
  • Location: Prokuplje

Hello,

Download sUBs' ComboFix from the following address to your Desktop:

Bleeping Computer
Right-click the link and choose Save Target As... (Save Link As..., Save Linked Content As... or similar);
When the dialog for choosing where to save the file opens, select Desktop and click Save.

When the download has finished:
disable your security software (instructions);
close any running programs;
double-click ComboFix to run it.

While it runs, ComboFix will:
check whether a newer version of the program exists:
click Yes if it offers to download it.
display the DISCLAIMER OF WARRANTY ON SOFTWARE:
click Yes so that the process continues.
if the Recovery Console is not installed, offer to install it:
be sure to accept by clicking Yes and follow the procedure.
ask a number of questions/show notifications:
accept by clicking Yes or OK.
restart Windows if necessary (possibly several times);
at the end, open Notepad with the scan report.

Copy the report ComboFix produced into the forum topic:
right-click in the Notepad window and choose Select All;
right-click the highlighted text and choose Copy;
right-click in the message box and choose Paste.

Note: The report is saved as ComboFix.txt on the system partition (typical location: C:\ComboFix.txt);
If after posting you notice the report is incomplete, use the Attach file option to attach C:\ComboFix.txt to your message.



offline
  • Joined: 29 Nov 2009
  • Posts: 77

ComboFix 10-12-15.04 - KOKI 15.12.2010 22:26:03.7.1 - x86
Microsoft Windows XP Professional 5.1.2600.2.1250.381.1033.18.511.157 [GMT 1:00]
Running from: c:\documents and settings\KOKI\Desktop\ComboFix.exe
AV: AntiVir Desktop *Enabled/Outdated* {AD166499-45F9-482A-A743-FDD3350758C7}
.

((((((((((((((((((((((((( Files Created from 2010-11-15 to 2010-12-15 )))))))))))))))))))))))))))))))
.

No new files created in this timespan

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-12-13 16:01 . 2010-03-27 18:08 135096 ----a-w- c:\windows\system32\drivers\avipbb.sys
2010-11-27 19:45 . 2010-03-27 13:46 61960 ----a-w- c:\windows\system32\drivers\avgntflt.sys
.

------- Sigcheck -------

[-] 2006-02-25 . 6E266AAF4168B3569A330C61AB01F6B4 . 1580544 . . [5.1.2600.2180] . . c:\windows\system32\sfcfiles.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2010-11-06 281768]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2004-08-03 110592]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\CTFMON.EXE" [2004-08-03 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2010-09-21 18:37 932288 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2009-10-03 03:08 35696 ----a-w- d:\program files\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroCheck]
1999-12-31 22:00 155648 ----a-r- c:\windows\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
2010-04-06 00:27 26102056 ----a-r- c:\program files\Skype\Phone\Skype.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableUnicastResponsesToMulticastBroadcast"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"d:\\Program Files\\Blutut\\BlueSoleil.exe"=
"d:\\Program Files\\totalcmd\\TOTALCMD.EXE"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3267:TCP"= 3267:TCP:hgmmkwp

R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [27.3.2010 19:08 135336]
S2 jzvppcvhn;Monitor Installer;c:\windows\system32\svchost.exe -k netsvcs [3.8.2004 23:56 14336]
S2 utaqoa;Config Center;c:\windows\system32\svchost.exe -k netsvcs [3.8.2004 23:56 14336]
S2 uwzki;Shell Center;c:\windows\system32\svchost.exe -k netsvcs [3.8.2004 23:56 14336]
S2 zamuzmn;Helper Windows;c:\windows\system32\svchost.exe -k netsvcs [3.8.2004 23:56 14336]
S3 ahnukvhwm;ahnukvhwm;\??\c:\windows\system32\07.tmp --> c:\windows\system32\07.tmp [?]
S3 fmhyfgqp;fmhyfgqp;\??\c:\windows\system32\01.tmp --> c:\windows\system32\01.tmp [?]
S3 rgofrhpus;rgofrhpus;\??\c:\windows\system32\01.tmp --> c:\windows\system32\01.tmp [?]
S3 vywkbinz;vywkbinz;\??\c:\windows\system32\01.tmp --> c:\windows\system32\01.tmp [?]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - UTAQOA
*Deregistered* - kgloyfod

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
zamuzmn
jzvppcvhn
uwzki
utaqoa
.
.
------- Supplementary Scan -------
.
uStart Page = [Link mogu videti samo ulogovani korisnici]
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
Trusted Zone: bancaintesabeograd.com\online
FF - ProfilePath - c:\documents and settings\KOKI\Application Data\Mozilla\Firefox\Profiles\x3kgijhn.default\
FF - prefs.js: browser.startup.homepage - [Link mogu videti samo ulogovani korisnici]
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
FF - Ext: Java Quick Starter: [Link mogu videti samo ulogovani korisnici] - c:\program files\Java\jre6\lib\deploy\jqs\ff
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [Link mogu videti samo ulogovani korisnici]
Rootkit scan 2010-12-15 22:29
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ahnukvhwm]
"ImagePath"="\??\c:\windows\system32\07.tmp"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\fmhyfgqp]
"ImagePath"="\??\c:\windows\system32\01.tmp"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\rgofrhpus]
"ImagePath"="\??\c:\windows\system32\01.tmp"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\vywkbinz]
"ImagePath"="\??\c:\windows\system32\01.tmp"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\jzvppcvhn]
"ServiceDll"="c:\windows\system32\hjamff.dll"
--

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\utaqoa]
"ServiceDll"="c:\windows\system32\hjamff.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\uwzki]
"ServiceDll"="c:\windows\system32\hjamff.dll"
--

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\zamuzmn]
"ServiceDll"="c:\windows\system32\hjamff.dll"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(1732)
c:\program files\Common Files\Adobe\Acrobat\ActiveX\PDFShell.dll
c:\progra~1\MICROS~2\OFFICE11\MCPS.DLL
.
Completion time: 2010-12-15 22:31:00
ComboFix-quarantined-files.txt 2010-12-15 21:30

Pre-Run: 16.368.132.096 bytes free
Post-Run: 16.403.144.704 bytes free

- - End Of File - - 327906C062F2035F1A70F9149BEF1905

rip
  • argus  Male
  • Anti Malware Fighter
    Rank 2
  • Joined: 27 Apr 2008
  • Posts: 9160
  • Location: Prokuplje

Open Notepad and copy the following text into it:

File::
c:\windows\system32\07.tmp
c:\windows\system32\01.tmp
c:\windows\system32\hjamff.dll

Driver::
jzvppcvhn
utaqoa
uwzki
zamuzmn
ahnukvhwm
fmhyfgqp
rgofrhpus
vywkbinz

NetSvc::
zamuzmn
jzvppcvhn
uwzki
utaqoa

Registry::
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3267:TCP"=-

Save the file from Notepad to the Desktop as "CFScript".

Drag the saved script/text onto the ComboFix icon, as in the picture.
Post in your next message the log that is produced at the end of the cleaning/scanning.
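The CFScript above targets exactly the pattern visible in the ComboFix log: several randomly named services registered in the netsvcs group that all resolve to the same ServiceDll, drivers whose ImagePath is a .tmp file in system32, and a firewall exception for an unfamiliar port. The following Python script is an added example (not part of this thread, and not code from ComboFix, DDS or any other tool named here) that pulls those indicators out of DDS-style service lines and a REGEDIT4-style registry dump, so the review does not depend on reading the log by eye. The sample lines and the KNOWN_SERVICE_DLLS baseline are constructed; the baseline stands in for a ServiceDll list exported from a known-clean system.

```python
"""Triage DDS/ComboFix-style service and registry output for svchost abuse.

Added example, not code from the forum thread or the tools it mentions.
"""
import re
from collections import defaultdict

# Constructed sample in the DDS "SERVICES / DRIVERS" line format.
SAMPLE_SERVICES = r"""
R2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2010-3-27 267944]
S2 jzvppcvhn;Monitor Installer;c:\windows\system32\svchost.exe -k netsvcs [2004-8-3 14336]
S2 utaqoa;Config Center;c:\windows\system32\svchost.exe -k netsvcs [2004-8-3 14336]
S2 wuauserv;Automatic Updates;c:\windows\system32\svchost.exe -k netsvcs [2004-8-3 14336]
S3 ahnukvhwm;ahnukvhwm;\??\c:\windows\system32\07.tmp --> c:\windows\system32\07.tmp [?]
""".strip()

# Constructed sample in the ComboFix REGEDIT4-style dump format.
SAMPLE_REGISTRY = r"""
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\jzvppcvhn]
"ServiceDll"="c:\windows\system32\hjamff.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\utaqoa]
"ServiceDll"="c:\windows\system32\hjamff.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\wuauserv]
"ServiceDll"="c:\windows\system32\wuauserv.dll"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3267:TCP"= 3267:TCP:hgmmkwp
""".strip()

# Assumed baseline: ServiceDll basenames a real analyst would export from a
# clean machine of the same OS build. Only a few entries for illustration.
KNOWN_SERVICE_DLLS = {"wuauserv.dll", "browser.dll", "srvsvc.dll", "wkssvc.dll"}

# "S2 name;display;image [date size]" -> status, name, display, image
SERVICE_RE = re.compile(r"^([RS]\d)\s+([^;]+);([^;]*);(.*?)(?:\s+\[[^\]]*\])?$")


def parse_services(text):
    """Return {service_name: image_path} from DDS-style Rn/Sn lines."""
    services = {}
    for line in text.splitlines():
        m = SERVICE_RE.match(line.strip())
        if m:
            services[m.group(2)] = m.group(4)
    return services


def parse_registry_dump(text):
    """Return [(section, key, value)] from a REGEDIT4-style dump."""
    triples, section = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
        elif section and line.startswith('"') and "=" in line:
            key, _, value = line.partition("=")
            triples.append((section, key.strip('"'), value.strip().strip('"')))
    return triples


def service_dlls(triples):
    """Map service name -> ServiceDll path for ...\\Services\\<name> keys."""
    out = {}
    for section, key, value in triples:
        m = re.search(r"\\Services\\([^\\]+)$", section, re.IGNORECASE)
        if m and key.lower() == "servicedll":
            out[m.group(1)] = value
    return out


def open_ports(triples):
    """Return (port_key, value) pairs from the GloballyOpenPorts list."""
    return [(key, value) for section, key, value in triples
            if section.lower().endswith(r"globallyopenports\list")]


def triage(services, triples, known=KNOWN_SERVICE_DLLS):
    """Return sorted (service_or_area, reason) findings for human review."""
    findings = []
    dlls = service_dlls(triples)
    users_of = defaultdict(set)          # dll path -> services that load it
    for name, path in dlls.items():
        users_of[path.lower()].add(name)
    for name, image in services.items():
        img = image.lower()
        if "svchost.exe -k" in img:
            # A svchost-hosted service is really the DLL its ServiceDll names.
            dll = dlls.get(name)
            if dll is None:
                findings.append((name, "svchost-hosted service with no ServiceDll in dump"))
                continue
            base = dll.lower().rsplit("\\", 1)[-1]
            if base not in known:
                findings.append((name, f"ServiceDll not in clean baseline: {dll}"))
            others = sorted(users_of[dll.lower()] - {name})
            if others:
                findings.append((name, "ServiceDll shared with " + ", ".join(others)))
        elif ".tmp" in img:
            # A driver or service image living in a .tmp file is never normal.
            findings.append((name, f"image is a temp file: {image}"))
    for key, value in open_ports(triples):
        findings.append(("firewall", f"globally open port {key} -> {value}"))
    return sorted(findings)


if __name__ == "__main__":
    for who, why in triage(parse_services(SAMPLE_SERVICES),
                           parse_registry_dump(SAMPLE_REGISTRY)):
        print(f"{who:12} {why}")
```

Everything the script lists is a candidate for review rather than a verdict: a legitimately installed third-party service can also fall outside a small baseline, which is why the shared-ServiceDll and temp-file checks are reported separately from the baseline miss.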

offline
  • Joined: 29 Nov 2009
  • Posts: 77

ComboFix 10-12-15.04 - KOKI 15.12.2010 22:55:32.8.1 - x86
Microsoft Windows XP Professional 5.1.2600.2.1250.381.1033.18.511.286 [GMT 1:00]
Running from: c:\documents and settings\KOKI\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\KOKI\Desktop\CFScript.txt
AV: AntiVir Desktop *Enabled/Outdated* {AD166499-45F9-482A-A743-FDD3350758C7}

FILE ::
"c:\windows\system32\01.tmp"
"c:\windows\system32\07.tmp"
"c:\windows\system32\hjamff.dll"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_AHNUKVHWM
-------\Legacy_FMHYFGQP
-------\Legacy_JZVPPCVHN
-------\Legacy_RGOFRHPUS
-------\Legacy_UTAQOA
-------\Legacy_UWZKI
-------\Legacy_VYWKBINZ
-------\Legacy_ZAMUZMN
-------\Service_ahnukvhwm
-------\Service_fmhyfgqp
-------\Service_jzvppcvhn
-------\Service_rgofrhpus
-------\Service_utaqoa
-------\Service_uwzki
-------\Service_vywkbinz
-------\Service_zamuzmn


((((((((((((((((((((((((( Files Created from 2010-11-15 to 2010-12-15 )))))))))))))))))))))))))))))))
.

No new files created in this timespan

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-12-13 16:01 . 2010-03-27 18:08 135096 ----a-w- c:\windows\system32\drivers\avipbb.sys
2010-11-27 19:45 . 2010-03-27 13:46 61960 ----a-w- c:\windows\system32\drivers\avgntflt.sys
.

------- Sigcheck -------

[-] 2006-02-25 . 6E266AAF4168B3569A330C61AB01F6B4 . 1580544 . . [5.1.2600.2180] . . c:\windows\system32\sfcfiles.dll
.
((((((((((((((((((((((((((((( [Link mogu videti samo ulogovani korisnici] )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-12-15 21:59 . 2010-12-15 21:59 16384 c:\windows\Temp\Perflib_Perfdata_368.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2010-11-06 281768]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2004-08-03 110592]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\CTFMON.EXE" [2004-08-03 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2010-09-21 18:37 932288 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2009-10-03 03:08 35696 ----a-w- d:\program files\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroCheck]
1999-12-31 22:00 155648 ----a-r- c:\windows\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
2010-04-06 00:27 26102056 ----a-r- c:\program files\Skype\Phone\Skype.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableUnicastResponsesToMulticastBroadcast"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"d:\\Program Files\\Blutut\\BlueSoleil.exe"=
"d:\\Program Files\\totalcmd\\TOTALCMD.EXE"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [27.3.2010 19:08 135336]
.
.
------- Supplementary Scan -------
.
uStart Page = [Link mogu videti samo ulogovani korisnici]
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
Trusted Zone: bancaintesabeograd.com\online
FF - ProfilePath - c:\documents and settings\KOKI\Application Data\Mozilla\Firefox\Profiles\x3kgijhn.default\
FF - prefs.js: browser.startup.homepage - [Link mogu videti samo ulogovani korisnici]
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
FF - Ext: Java Quick Starter: [Link mogu videti samo ulogovani korisnici] - c:\program files\Java\jre6\lib\deploy\jqs\ff
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [Link mogu videti samo ulogovani korisnici]
Rootkit scan 2010-12-15 23:00
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(2672)
c:\windows\system32\browselc.dll
c:\program files\Microsoft Office\OFFICE11\msohev.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\rundll32.exe
c:\program files\Avira\AntiVir Desktop\avguard.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Avira\AntiVir Desktop\avshadow.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2010-12-15 23:01:41 - machine was rebooted
ComboFix-quarantined-files.txt 2010-12-15 22:01
ComboFix2.txt 2010-12-15 21:31

Pre-Run: 16.403.046.400 bytes free
Post-Run: 16.369.692.672 bytes free

- - End Of File - - FCFB13F0C8D27C87E627452E8523C365

rip
  • argus  Male
  • Anti Malware Fighter
    Rank 2
  • Joined: 27 Apr 2008
  • Posts: 9160
  • Location: Prokuplje

This looks good. Are you still having problems now?

offline
  • Joined: 29 Nov 2009
  • Posts: 77

It seems to me that everything is fine, but it's as if something is constantly eating up my internet!

rip
  • argus  Male
  • Anti Malware Fighter
    Rank 2
  • Joined: 27 Apr 2008
  • Posts: 9160
  • Location: Prokuplje

You should no longer have that problem now. You did have it until some 10-15 minutes ago, before we ran the script.
Perhaps you are still under that impression, because the log shows no more traces of malware.

offline
  • Joined: 29 Nov 2009
  • Posts: 77

OK, thank you very much!

rip
  • argus  Male
  • Anti Malware Fighter
    Rank 2
  • Joined: 27 Apr 2008
  • Posts: 9160
  • Location: Prokuplje

ComboFix needs to be uninstalled:
click Start (or ), then RUN.

On Vista, use the Start Search box if Run is not available.

In the text entry line, type (or paste) the following:

ComboFix /Uninstall

Note that there is a space between "ComboFix" and "/Uninstall".

then click OK (or press Enter).

Wait for the uninstall process to finish.

Recommendation

Install MCShield [link visible only to logged-in users]

The link has a detailed explanation of what this program is for.

Korisnici trenutno na forumu: A.R.Chafee.Jr., Alooo, avalon, bankulen, Bojcca, bokicacar, Bombarder, Bosnjo, Brankojle, crazydkure, darkojbn, Dorcolac, dule10savic, dushan, GeoM, goran.vvv, igorkozar83, Jager715510, joca83, Jose, Kalem, kovac9mm, Makarid, Mi lao shu, miodrag, Mirage 2000N, nekdo, nenooo, nesa1962, Niki2024, opt1, Orfanelin, raf87, royst33, Saša1989, Sharpshooter, Smiljkovich, tritonus, Vanderx, vazduh, voja64, wizzardone, zile.obr, Zimbabwe