Problem with infections!


offline
  • Joined: 29 Dec 2008
  • Posts: 42
  • Location: Kragujevac

DDS (Ver_09-12-01.01) - NTFSx86
Run by XxX at 20:28:02.53 on Thu 12/17/2009
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.255.63 [GMT 1:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
AV: ESET Smart Security 3.0 *On-access scanning enabled* (Outdated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
FW: ESET Personal firewall *enabled* {E5E70D32-0101-4340-86A3-A7B0F1C8FFE0}

============== Running Processes ===============

C:\windows\system32\svchost -k DcomLaunch
svchost.exe
C:\windows\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\windows\system32\spoolsv.exe
C:\windows\Explorer.EXE
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\windows\System32\svchost.exe -k imgsvc
C:\Program Files\AVG\AVG9\avgnsx.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\HiYo\bin\HiYo.exe
C:\PROGRA~1\AVG\AVG9\avgtray.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\windows\Mixer.exe
C:\Program Files\Messenger\msmsgs.exe
C:\windows\system32\ctfmon.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Opera\opera.exe
C:\Documents and Settings\XxX\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://mystart.hiyo.com/
uSearch Page =
uSearch Bar =
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant =
uURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg9\toolbar\IEToolbar.dll
uURLSearchHooks: H - No File
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Skype add-on (mastermind): {22bf413b-c6d2-4d91-82a9-a0f997ba588c} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
BHO: {3049C3E9-B461-4BC5-8870-4C09146192CA} - No File
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg9\avgssie.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg9\toolbar\IEToolbar.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: AVG Security Toolbar: {ccc7a320-b3ca-4199-b1a6-9f516dd69829} - c:\program files\avg\avg9\toolbar\IEToolbar.dll
TB: {EEE6C35B-6118-11DC-9C72-001320C79847} - No File
TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [Hiyo] c:\program files\hiyo\bin\HiYo.exe /RunFromStartup
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [AVG9_TRAY] c:\progra~1\avg\avg9\avgtray.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [combofix] "c:\combofix\cf29365.cfxxe" /c "c:\combofix\C.bat"
mRun: [C-Media Mixer] Mixer.exe /startup
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\kodake~1.lnk - c:\program files\kodak\kodak easyshare software\bin\EasyShare.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\kodaks~1.lnk - c:\program files\kodak\kodak software updater\7288971\program\Kodak Software Updater.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {5067A26B-1337-4436-8AFE-EE169C2DA79F} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
IE: {77BF5300-1474-4EC7-9980-D32B190E9B07} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
DPF: DirectAnimation Java Classes - file://c:\windows\java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} - file://c:\program files\book of legends\images\stg_drm.ocx
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} - hxxp://gfx2.hotmail.com/mail/w3/resources/MSNPUpld.cab
DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} - file://c:\program files\book of legends\images\armhelper.ocx
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg9\avgpp.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: avgrsstarter - avgrsstx.dll
AppInit_DLLs: c:\windows\system32\rdolib.dll

============= SERVICES / DRIVERS ===============

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-6-11 333192]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2009-6-11 28424]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-6-11 360584]
R2 athsgt;athsgt;c:\windows\system32\drivers\athsgt.sys [2008-10-21 164992]
R2 avg9wd;AVG Free WatchDog;c:\program files\avg\avg9\avgwdsvc.exe [2009-11-13 285392]
R2 limsgt;limsgt;c:\windows\system32\drivers\limsgt.sys [2008-10-21 12544]
S1 glaide32;glaide32;\??\c:\windows\system32\drivers\glaide32.sys --> c:\windows\system32\drivers\glaide32.sys [?]

=============== Created Last 30 ================

2009-12-11 01:04:22 0 d-----w- c:\windows\ie8updates
2009-12-11 01:01:06 0 d-----w- c:\program files\MSXML 4.0
2009-12-11 00:23:24 284160 -c----w- c:\windows\system32\dllcache\pdh.dll
2009-12-11 00:23:21 401408 -c----w- c:\windows\system32\dllcache\rpcss.dll
2009-12-11 00:23:20 110592 -c----w- c:\windows\system32\dllcache\services.exe
2009-12-11 00:23:18 473600 -c----w- c:\windows\system32\dllcache\fastprox.dll
2009-12-11 00:23:17 227840 -c----w- c:\windows\system32\dllcache\wmiprvse.exe
2009-12-11 00:23:15 453120 -c----w- c:\windows\system32\dllcache\wmiprvsd.dll
2009-12-11 00:23:14 730112 -c----w- c:\windows\system32\dllcache\lsasrv.dll
2009-12-11 00:23:13 617472 -c----w- c:\windows\system32\dllcache\advapi32.dll
2009-12-11 00:23:12 714752 -c----w- c:\windows\system32\dllcache\ntdll.dll
2009-12-11 00:22:36 594432 -c----w- c:\windows\system32\dllcache\msfeeds.dll
2009-12-11 00:22:35 55296 -c----w- c:\windows\system32\dllcache\msfeedsbs.dll
2009-12-11 00:22:33 246272 -c----w- c:\windows\system32\dllcache\ieproxy.dll
2009-12-11 00:22:33 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll
2009-12-11 00:22:29 1985536 -c----w- c:\windows\system32\dllcache\iertutil.dll
2009-12-11 00:22:22 11069952 -c----w- c:\windows\system32\dllcache\ieframe.dll
2009-12-10 23:22:36 2560 ------w- c:\windows\system32\xpsp4res.dll
2009-12-10 23:22:32 215552 -c----w- c:\windows\system32\dllcache\wordpad.exe
2009-12-10 23:16:23 274288 ----a-w- c:\windows\system32\mucltui.dll
2009-12-10 23:16:23 215920 ----a-w- c:\windows\system32\muweb.dll
2009-12-10 23:16:23 16736 ----a-w- c:\windows\system32\mucltui.dll.mui
2009-12-07 17:39:58 0 d-----w- c:\program files\trend micro
2009-12-02 13:05:25 28416 ----a-w- c:\windows\system32\_uxtuneup.dll_.vir
2009-11-24 00:04:11 252 ----a-w- c:\windows\system32\uses32.dat
2009-11-24 00:04:11 100 ----a-w- c:\windows\system32\flags.ini
2009-11-18 21:24:14 73728 ----a-w- c:\windows\system32\javacpl.cpl

==================== Find3M ====================

2009-11-18 21:23:31 411368 -c--a-w- c:\windows\system32\deploytk.dll
2009-11-13 16:33:27 360584 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2009-11-13 16:33:25 333192 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-11-13 16:32:58 12464 ----a-w- c:\windows\system32\avgrsstx.dll
2009-10-29 07:45:38 916480 ----a-w- c:\windows\system32\wininet.dll
2009-10-21 05:38:36 75776 ----a-w- c:\windows\system32\strmfilt.dll
2009-10-21 05:38:36 25088 ----a-w- c:\windows\system32\httpapi.dll
2009-10-20 16:20:16 265728 ------w- c:\windows\system32\drivers\http.sys
2009-10-13 10:30:16 270336 ----a-w- c:\windows\system32\oakley.dll
2009-10-12 13:38:19 149504 ----a-w- c:\windows\system32\rastls.dll
2009-10-12 13:38:18 79872 ----a-w- c:\windows\system32\raschap.dll
2009-10-04 09:05:39 897920 ----a-w- c:\program files\WGAPluginInstall.exe
2009-10-04 08:56:34 166144 ----a-w- c:\program files\DECCHECKSetup.EXE
2009-06-23 13:32:59 714136 -c--a-w- c:\program files\jre-6u14-windows-i586-iftw.exe
2004-09-10 11:40:38 75264 ----a-w- c:\program files\DECCHECK.exe
2004-09-10 11:40:38 5970 -c--a-w- c:\program files\eula.txt

============= FINISH: 20:29:07.36 ===============



offline
  • Joined: 04 Jan 2009
  • Posts: 2168

Did you use any USB storage device in the period between when I gave you the instructions to uninstall AVZ and ComboFix and the moment your anti-virus started reporting infections again?


Follow these instructions...



Download The Avenger to the Desktop.
Unpack the archive into a folder

Double-click avenger.exe to run it

Copy the text inside the Code box into the program's (white) window:

Registry values to delete:
HKLM\Microsoft\Windows NT\CurrentVersion\Windows|AppInit_DLLs

Files to delete:
C:\windows\system32\rdolib.dll
c:\windows\system32\uses32.dat
c:\windows\system32\flags.ini


Click Execute, then Yes in the next two windows that open

The computer will restart (in some cases twice) and the cleaning/scanning process will begin

When the process is finished, the logfile C:\avenger.txt will open in Notepad

Paste the contents of the resulting log into the forum thread.

offline
  • Joined: 29 Dec 2008
  • Posts: 42
  • Location: Kragujevac

Logfile of The Avenger Version 2.0, (c) by Swandog46
swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!


Error: file "C:\windows\system32\rdolib.dll" not found!
Deletion of file "C:\windows\system32\rdolib.dll" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist

File "c:\windows\system32\uses32.dat" deleted successfully.
File "c:\windows\system32\flags.ini" deleted successfully.

Error: could not delete registry value "HKLM\Microsoft\Windows NT\CurrentVersion\Windows|AppInit_DLLs"
Deletion of registry value "HKLM\Microsoft\Windows NT\CurrentVersion\Windows|AppInit_DLLs" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Completed script processing.

*******************

Finished! Terminate.

offline
  • Joined: 04 Jan 2009
  • Posts: 2168

We'll use The Avenger again.

Double-click avenger.exe to run it

Copy the text inside the Code box into the program's (white) window:

Registry values to delete:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows|AppInit_DLLs

Files to delete:
C:\windows\system32\rdolib.dll


Tick the checkboxes in front of the following options:
Scan for rootkits
Automatically disable any rootkits found


Click Execute, then Yes in the next two windows that open

The computer will restart (in some cases twice) and the cleaning/scanning process will begin

When the process is finished, the logfile C:\avenger.txt will open in Notepad


Paste the contents of the resulting log into the forum thread.

offline
  • Joined: 29 Dec 2008
  • Posts: 42
  • Location: Kragujevac

Posted: 19 Dec 2009 12:27

Logfile of The Avenger Version 2.0, (c) by Swandog46
swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!


Error: file "C:\windows\system32\rdolib.dll" not found!
Deletion of file "C:\windows\system32\rdolib.dll" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist

Registry value "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows|AppInit_DLLs" deleted successfully.

Completed script processing.

*******************

Finished! Terminate.

Update: 19 Dec 2009 12:29

When it restarted, it registered the infected files again, just like every time the system boots!
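As an added example (not code from this thread or from The Avenger's author), a small Python parser for the result lines of the two Avenger logs above: it records which script entries were deleted and which failed with what NTSTATUS, and flags an HKLM value path whose first component is not one of HKLM's real top-level keys, which is what separates the first script's AppInit_DLLs line from the second one. The sample lines are copied from the logs posted in this thread.

```python
import re
from dataclasses import dataclass

# Constructed sample: result lines copied from the two Avenger logs posted in this thread.
SAMPLE_LOG = r"""
Deletion of file "C:\windows\system32\rdolib.dll" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
File "c:\windows\system32\uses32.dat" deleted successfully.
File "c:\windows\system32\flags.ini" deleted successfully.
Deletion of registry value "HKLM\Microsoft\Windows NT\CurrentVersion\Windows|AppInit_DLLs" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
Registry value "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows|AppInit_DLLs" deleted successfully.
"""
# Only the two result kinds that appear in the logs above (file, registry value).
DELETED_RE = re.compile(r'^(File|Registry value) "(.+)" deleted successfully\.$')
FAILED_RE = re.compile(r'^Deletion of (file|registry value) "(.+)" failed!$')
STATUS_RE = re.compile(r'^Status: 0x[0-9a-fA-F]+ \((\w+)\)$')
# The only top-level keys under HKLM; a value path that skips them cannot resolve.
HKLM_ROOTS = {"HARDWARE", "SAM", "SECURITY", "SOFTWARE", "SYSTEM"}

@dataclass
class Action:
    kind: str        # "file" or "registry value"
    target: str      # path exactly as written in the Avenger script
    ok: bool
    status: str = "" # NTSTATUS name reported for a failure, if any

def parse_avenger_log(text):
    """One Action per script entry, taken from Avenger's result lines."""
    actions = []
    for raw in text.splitlines():
        line = raw.strip()
        if m := DELETED_RE.match(line):
            actions.append(Action(m.group(1).lower(), m.group(2), True))
        elif m := FAILED_RE.match(line):
            actions.append(Action(m.group(1), m.group(2), False))
        elif (m := STATUS_RE.match(line)) and actions and not actions[-1].ok:
            actions[-1].status = actions[-1].status or m.group(1)
    return actions

def registry_path_warning(target):
    """Return a note if an HKLM value path starts below a key that does not exist."""
    parts = target.split("\\")
    if parts[0].upper() == "HKLM" and len(parts) > 1 and parts[1].upper() not in HKLM_ROOTS:
        return f"HKLM has no top-level key '{parts[1]}' (expected one of {sorted(HKLM_ROOTS)})"
    return None

def unresolved(actions):
    """Entries the script could not remove, with the reason Avenger gave."""
    out = []
    for a in actions:
        if not a.ok:
            note = registry_path_warning(a.target) if a.kind == "registry value" else None
            out.append(f"{a.kind} {a.target}: {a.status or 'unknown'}" + (f" ({note})" if note else ""))
    return out
```

Running `unresolved(parse_avenger_log(SAMPLE_LOG))` lists the two failed entries; the file one is simply absent at scan time, while the registry one carries the root-key note.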

offline
  • Joined: 04 Jan 2009
  • Posts: 2168

Posted: 19 Dec 2009 20:15

You haven't answered this question...

ProCarp wrote: Did you use any USB storage device in the period between when I gave you the instructions to uninstall AVZ and ComboFix and the moment your anti-virus started reporting infections again?

Quote: Explanation: USB storage devices include all devices that are assigned their own drive letter when connected to the computer. This includes USB flash drives, external hard disks, memory cards, MP3 and MP4 players, some mobile phones, some GPS (navigation) devices, etc.

Update: 20 Dec 2009 1:31

You also need to upload the files listed below via the following link...

http://www.mycity.rs/ambulanta-upload.php



Files required for upload:

c:\windows\system32\drivers\athsgt.sys

c:\windows\system32\drivers\limsgt.sys

c:\windows\system32\drivers\glaide32.sys

offline
  • Joined: 29 Dec 2008
  • Posts: 42
  • Location: Kragujevac

Posted: 20 Dec 2009 11:28

I know what a storage device is, sorry, I forgot to answer! It's quite possible that my wife or even I did, but I somehow think that was before the scan; still, it's quite possible!

Update: 20 Dec 2009 11:29

Where do I upload these files from? From the C partition, or?

Update: 20 Dec 2009 11:57

I uploaded the first two files, but I can't find the third one at all!

offline
  • Joined: 04 Jan 2009
  • Posts: 2168

Yes, from the C partition.

Double-click My Computer, then C, then Windows > system32 and find the drivers folder... all three files needed for upload are in this folder named drivers.

athsgt.sys
limsgt.sys
glaide32.sys

offline
  • Joined: 29 Dec 2008
  • Posts: 42
  • Location: Kragujevac

Posted: 20 Dec 2009 12:06

As I said, I uploaded the first two, but the third one isn't there, or I can't see it! I'll look for it again now!

Update: 20 Dec 2009 12:11

My files are sorted alphabetically and there's nothing under g; I've also searched the whole folder up and down and it isn't there! How do I find it?

Update: 20 Dec 2009 13:36

It's definitely not among the drivers! I don't know what's going on!

offline
  • Joined: 04 Jan 2009
  • Posts: 2168

Now we'll find it. :)



We'll use The Avenger again.

Double-click avenger.exe to run it

Copy the text inside the Code box into the program's (white) window:

Drivers to delete:
glaide32

Files to delete:
c:\windows\system32\drivers\glaide32.sys


Tick the checkboxes in front of the following options:
Scan for rootkits
Automatically disable any rootkits found


Click Execute, then Yes in the next two windows that open

The computer will restart (in some cases twice) and the cleaning/scanning process will begin

When the process is finished, the logfile C:\avenger.txt will open in Notepad


Paste the contents of the resulting log into the forum thread.
