Prekid inte

2

Prekid inte

offline
  • Pridružio: 29 Nov 2009
  • Poruke: 77

pre ove tvoje zadnje poruke sam ga restartovo i ievo na fotou ipet antivir detektuje trojanca!

rip
  • argus  Male
  • Anti Malware Fighter
    Rank 2
  • Pridružio: 27 Apr 2008
  • Poruke: 9160
  • Gde živiš: Prokuplje

Da nisi mozda prikacen ne neku mrezu, ako jesi iskljuci se sa mreze.

Skini ovu zakrpu pa instaliraj;

http://www.microsoft.com/downloads/en/details.aspx.....laylang=en

Ako si deinstalirao Combofix, skini novu verziju, pokreni ga ponovo pa mi postavi novi log. Iskljuci AV obavezno, kod Avire je to bar lako.

Ne prikljucuj flash drive dok ti ja ne kazem.

offline
  • Pridružio: 29 Nov 2009
  • Poruke: 77

Neznam na kakvu mrežu misliš, sem na kablovski internet nisam ninašta prikopčan, instaliro sam zakrpu i evo log

ComboFix 10-12-15.06 - KOKI 16.12.2010 10:38:43.9.1 - x86
Microsoft Windows XP Professional 5.1.2600.2.1250.381.1033.18.511.299 [GMT 1:00]
Running from: c:\documents and settings\KOKI\Desktop\ComboFix.exe
AV: AntiVir Desktop *Enabled/Updated* {AD166499-45F9-482A-A743-FDD3350758C7}
.

((((((((((((((((((((((((( Files Created from 2010-11-16 to 2010-12-16 )))))))))))))))))))))))))))))))
.

2010-12-16 09:35 . 2010-12-16 09:35 164209 ----a-w- c:\windows\system32\x

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-12-13 16:01 . 2010-03-27 18:08 135096 ----a-w- c:\windows\system32\drivers\avipbb.sys
2010-11-27 19:45 . 2010-03-27 13:46 61960 ----a-w- c:\windows\system32\drivers\avgntflt.sys
.

------- Sigcheck -------

[-] 2006-02-25 . 6E266AAF4168B3569A330C61AB01F6B4 . 1580544 . . [5.1.2600.2180] . . c:\windows\system32\sfcfiles.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2010-11-06 281768]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2004-08-03 110592]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\CTFMON.EXE" [2004-08-03 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2010-09-21 18:37 932288 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2009-10-03 03:08 35696 ----a-w- d:\program files\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroCheck]
1999-12-31 22:00 155648 ----a-r- c:\windows\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
2010-04-06 00:27 26102056 ----a-r- c:\program files\Skype\Phone\Skype.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableUnicastResponsesToMulticastBroadcast"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"d:\\Program Files\\Blutut\\BlueSoleil.exe"=
"d:\\Program Files\\totalcmd\\TOTALCMD.EXE"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3267:TCP"= 3267:TCP:hgmmkwp

R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [27.3.2010 19:08 135336]
S2 zqlotch;Center Server;c:\windows\system32\svchost.exe -k netsvcs [3.8.2004 23:56 14336]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
zqlotch
qcyjnbts
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
Trusted Zone: bancaintesabeograd.com\online
FF - ProfilePath - c:\documents and settings\KOKI\Application Data\Mozilla\Firefox\Profiles\x3kgijhn.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, gmer.net
Rootkit scan 2010-12-16 10:41
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


c:\windows\system32\hjamff.dll 160578 bytes executable

scan completed successfully
hidden files: 1

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\qcyjnbts]
"ServiceDll"="c:\windows\system32\hjamff.dll"
--

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\zqlotch]
"ServiceDll"="c:\windows\system32\hjamff.dll"
.
Completion time: 2010-12-16 10:43:30
ComboFix-quarantined-files.txt 2010-12-16 09:43
ComboFix2.txt 2010-12-15 22:01

Pre-Run: 16.399.831.040 bytes free
Post-Run: 16.427.098.112 bytes free

- - End Of File - - 9DE023109673FDDEF8C6FF44A450B377

rip
  • argus  Male
  • Anti Malware Fighter
    Rank 2
  • Pridružio: 27 Apr 2008
  • Poruke: 9160
  • Gde živiš: Prokuplje

Ugasi Aviru pre nego pustis skriptu.
Ukljuci Windows Firewall

Otvoriti Notepad i iskopirati sledeci tekst:

File::
c:\windows\system32\hjamff.dll

Driver::
zqlotch

NetSvc::
zqlotch
qcyjnbts

Registry::
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3267:TCP"=-


Snimiti na Desktop fajl iz Notepada kao "CFScript"




Prevuci snimljeni skript/tekst na ComboFix ikonicu kao na slici.
Postaviti u sledecoj poruci log koji bude bio napravljen na kraju ciscenja/skeniranja.

offline
  • Pridružio: 29 Nov 2009
  • Poruke: 77

ComboFix 10-12-15.06 - KOKI 16.12.2010 11:14:41.10.1 - x86
Microsoft Windows XP Professional 5.1.2600.2.1250.381.1033.18.511.312 [GMT 1:00]
Running from: c:\documents and settings\KOKI\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\KOKI\Desktop\CFScript.txt
AV: AntiVir Desktop *Enabled/Updated* {AD166499-45F9-482A-A743-FDD3350758C7}

FILE ::
"c:\windows\system32\hjamff.dll"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\hjamff.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_ZQLOTCH
-------\Service_zqlotch
-------\Service_qcyjnbts


((((((((((((((((((((((((( Files Created from 2010-11-16 to 2010-12-16 )))))))))))))))))))))))))))))))
.

No new files created in this timespan

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-12-13 16:01 . 2010-03-27 18:08 135096 ----a-w- c:\windows\system32\drivers\avipbb.sys
2010-11-27 19:45 . 2010-03-27 13:46 61960 ----a-w- c:\windows\system32\drivers\avgntflt.sys
.

------- Sigcheck -------

[-] 2006-02-25 . 6E266AAF4168B3569A330C61AB01F6B4 . 1580544 . . [5.1.2600.2180] . . c:\windows\system32\sfcfiles.dll
.
((((((((((((((((((((((((((((( SnapShot@2010-12-16_09.41.47 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-12-16 10:19 . 2010-12-16 10:19 16384 c:\windows\Temp\Perflib_Perfdata_3cc.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2010-11-06 281768]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2004-08-03 110592]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\CTFMON.EXE" [2004-08-03 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2010-09-21 18:37 932288 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2009-10-03 03:08 35696 ----a-w- d:\program files\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroCheck]
1999-12-31 22:00 155648 ----a-r- c:\windows\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
2010-04-06 00:27 26102056 ----a-r- c:\program files\Skype\Phone\Skype.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"DisableUnicastResponsesToMulticastBroadcast"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"d:\\Program Files\\Blutut\\BlueSoleil.exe"=
"d:\\Program Files\\totalcmd\\TOTALCMD.EXE"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [27.3.2010 19:08 135336]
S2 qcyjnbts;Installer Server;c:\windows\system32\svchost.exe -k netsvcs [3.8.2004 23:56 14336]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
Trusted Zone: bancaintesabeograd.com\online
FF - ProfilePath - c:\documents and settings\KOKI\Application Data\Mozilla\Firefox\Profiles\x3kgijhn.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, gmer.net
Rootkit scan 2010-12-16 11:19
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\qcyjnbts]
"ServiceDll"="c:\windows\system32\hjamff.dll"
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\rundll32.exe
c:\program files\Avira\AntiVir Desktop\avguard.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Avira\AntiVir Desktop\avshadow.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2010-12-16 11:21:17 - machine was rebooted
ComboFix-quarantined-files.txt 2010-12-16 10:21
ComboFix2.txt 2010-12-16 09:43
ComboFix3.txt 2010-12-15 22:01

Pre-Run: 16.407.257.088 bytes free
Post-Run: 16.375.062.528 bytes free

- - End Of File - - 021E90ABC854E0EB7CA19521F3A835B5

rip
  • argus  Male
  • Anti Malware Fighter
    Rank 2
  • Pridružio: 27 Apr 2008
  • Poruke: 9160
  • Gde živiš: Prokuplje

Ja bih te zamolio da iskljucis Aviru jer se umesa i ne mozemo da obrisemo malware. Takodje bilo bi pozeljno da je azuriras.

Idemo jos jednom.

Otvoriti Notepad i iskopirati sledeci tekst:

File::
c:\windows\system32\hjamff.dll

Driver::
qcyjnbts

NetSvc::
qcyjnbts


Snimiti na Desktop fajl iz Notepada kao "CFScript"




Prevuci snimljeni skript/tekst na ComboFix ikonicu kao na slici.
Postaviti u sledecoj poruci log koji bude bio napravljen na kraju ciscenja/skeniranja.

offline
  • Pridružio: 29 Nov 2009
  • Poruke: 77

Sad sam antiwiru odčekiro da mi se nediže ako combo fiks restartuje kompjuter i nadam se da je u redu.

ComboFix 10-12-15.06 - KOKI 16.12.2010 11:38:00.11.1 - x86
Microsoft Windows XP Professional 5.1.2600.2.1250.381.1033.18.511.336 [GMT 1:00]
Running from: c:\documents and settings\KOKI\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\KOKI\Desktop\CFScript.txt
AV: AntiVir Desktop *Disabled/Updated* {AD166499-45F9-482A-A743-FDD3350758C7}

FILE ::
"c:\windows\system32\hjamff.dll"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_qcyjnbts


((((((((((((((((((((((((( Files Created from 2010-11-16 to 2010-12-16 )))))))))))))))))))))))))))))))
.

No new files created in this timespan

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-12-13 16:01 . 2010-03-27 18:08 135096 ----a-w- c:\windows\system32\drivers\avipbb.sys
2010-11-27 19:45 . 2010-03-27 13:46 61960 ----a-w- c:\windows\system32\drivers\avgntflt.sys
.

------- Sigcheck -------

[-] 2006-02-25 . 6E266AAF4168B3569A330C61AB01F6B4 . 1580544 . . [5.1.2600.2180] . . c:\windows\system32\sfcfiles.dll
.
((((((((((((((((((((((((((((( SnapShot@2010-12-16_09.41.47 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-12-16 10:42 . 2010-12-16 10:42 16384 c:\windows\Temp\Perflib_Perfdata_740.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2004-08-03 110592]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\CTFMON.EXE" [2004-08-03 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2010-09-21 18:37 932288 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2009-10-03 03:08 35696 ----a-w- d:\program files\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\avgnt]
2010-11-06 18:48 281768 ----a-w- c:\program files\Avira\AntiVir Desktop\avgnt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroCheck]
1999-12-31 22:00 155648 ----a-r- c:\windows\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
2010-04-06 00:27 26102056 ----a-r- c:\program files\Skype\Phone\Skype.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"DisableUnicastResponsesToMulticastBroadcast"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"d:\\Program Files\\Blutut\\BlueSoleil.exe"=
"d:\\Program Files\\totalcmd\\TOTALCMD.EXE"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [27.3.2010 19:08 135336]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
Trusted Zone: bancaintesabeograd.com\online
FF - ProfilePath - c:\documents and settings\KOKI\Application Data\Mozilla\Firefox\Profiles\x3kgijhn.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, gmer.net
Rootkit scan 2010-12-16 11:42
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(956)
c:\windows\system32\browselc.dll
c:\program files\Microsoft Office\OFFICE11\msohev.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\rundll32.exe
c:\program files\Avira\AntiVir Desktop\avguard.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Avira\AntiVir Desktop\avshadow.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2010-12-16 11:44:27 - machine was rebooted
ComboFix-quarantined-files.txt 2010-12-16 10:44
ComboFix2.txt 2010-12-16 10:21
ComboFix3.txt 2010-12-16 09:43
ComboFix4.txt 2010-12-15 22:01

Pre-Run: 16.374.288.384 bytes free
Post-Run: 16.367.124.480 bytes free

- - End Of File - - 5AF26FAD566D472C44C8098C557AC67F

rip
  • argus  Male
  • Anti Malware Fighter
    Rank 2
  • Pridružio: 27 Apr 2008
  • Poruke: 9160
  • Gde živiš: Prokuplje

Izgleda ok. Hajde restartuj racunar, pa pokreni ponovo Combofix i postavi mi novi log, da vidim da li se Conficker vraca ili smo ga sredili.

offline
  • Pridružio: 29 Nov 2009
  • Poruke: 77

ComboFix 10-12-15.06 - KOKI 16.12.2010 11:53:07.12.1 - x86
Microsoft Windows XP Professional 5.1.2600.2.1250.381.1033.18.511.336 [GMT 1:00]
Running from: c:\documents and settings\KOKI\Desktop\ComboFix.exe
AV: AntiVir Desktop *Disabled/Updated* {AD166499-45F9-482A-A743-FDD3350758C7}
.

((((((((((((((((((((((((( Files Created from 2010-11-16 to 2010-12-16 )))))))))))))))))))))))))))))))
.

No new files created in this timespan

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-12-13 16:01 . 2010-03-27 18:08 135096 ----a-w- c:\windows\system32\drivers\avipbb.sys
2010-11-27 19:45 . 2010-03-27 13:46 61960 ----a-w- c:\windows\system32\drivers\avgntflt.sys
.

------- Sigcheck -------

[-] 2006-02-25 . 6E266AAF4168B3569A330C61AB01F6B4 . 1580544 . . [5.1.2600.2180] . . c:\windows\system32\sfcfiles.dll
.
((((((((((((((((((((((((((((( SnapShot@2010-12-16_09.41.47 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-12-16 10:49 . 2010-12-16 10:49 16384 c:\windows\Temp\Perflib_Perfdata_708.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2004-08-03 110592]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\CTFMON.EXE" [2004-08-03 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2010-09-21 18:37 932288 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2009-10-03 03:08 35696 ----a-w- d:\program files\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\avgnt]
2010-11-06 18:48 281768 ----a-w- c:\program files\Avira\AntiVir Desktop\avgnt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroCheck]
1999-12-31 22:00 155648 ----a-r- c:\windows\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
2010-04-06 00:27 26102056 ----a-r- c:\program files\Skype\Phone\Skype.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"DisableUnicastResponsesToMulticastBroadcast"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"d:\\Program Files\\Blutut\\BlueSoleil.exe"=
"d:\\Program Files\\totalcmd\\TOTALCMD.EXE"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [27.3.2010 19:08 135336]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
Trusted Zone: bancaintesabeograd.com\online
FF - ProfilePath - c:\documents and settings\KOKI\Application Data\Mozilla\Firefox\Profiles\x3kgijhn.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, gmer.net
Rootkit scan 2010-12-16 11:56
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2010-12-16 11:57:35
ComboFix-quarantined-files.txt 2010-12-16 10:57
ComboFix2.txt 2010-12-16 10:44
ComboFix3.txt 2010-12-16 10:21
ComboFix4.txt 2010-12-16 09:43
ComboFix5.txt 2010-12-16 10:52

Pre-Run: 16.364.654.592 bytes free
Post-Run: 16.357.150.720 bytes free

- - End Of File - - 2F3FF12CB88C9101BFDDC6572AE0A356

rip
  • argus  Male
  • Anti Malware Fighter
    Rank 2
  • Pridružio: 27 Apr 2008
  • Poruke: 9160
  • Gde živiš: Prokuplje

Sada je u redu.

Imas li USB flash drive ili neku drugu memorisku karticu da proverimo.

- Preuzmi USBNoRisk na Desktop i pokreni ga duplim klikom na ikonicu programa.
- Sacekaj koji sekund dok program izvrsi inicijalno skeniranje.
- Ubacuj sve USB memorijske uredjaje redom u USB slot i svaki zadrzi u slotu po 10 sekundi.
- Ukoliko imas vise uredjaja za proveru, onda na parcetu papira zapisi kojim redom su ubacivani jer ce nam kasnije trebati taj podatak
- Kada zavrsis sa svim uredjajima, klikni desno dugme misa na sred prozora programa i odaberi opciju Save scrambled log. To ce automatski otvoriti log u Notepadu. Iskopiraj nam taj log iz Notepada na forum.

Objasnjenje: U USB memorijske uredjaje spadaju svi oni uredjaji koji po prikljucivanju na kompjuter dobijaju svoju oznaku particije. Tu spadaju USB flash drajvovi, eksterni hard-diskovi, memorijske kartice, MP3 i MP4 plejeri, neki mobilni telefoni, neki GPS (navigacioni) uredjaji itd.

Ko je trenutno na forumu
 

Ukupno su 511 korisnika na forumu :: 2 registrovanih, 1 sakriven i 508 gosta   ::   [ Administrator ] [ Supermoderator ] [ Moderator ] :: Detaljnije

Najviše korisnika na forumu ikad bilo je 3466 - dana 01 Jun 2021 17:07

Korisnici koji su trenutno na forumu:
Korisnici trenutno na forumu: mrav pesadinac, Rumba King