Log check

  • Joined: 01 May 2009
  • Posts: 11

Posted: 01 May 2009 20:24

There was an infection on this computer which Avira and SUPERAntiSpyware cleaned up, but the computer is still slow. Please look at the log and tell me what to do next if something is still there. Thanks in advance.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:20:08 PM, on 5/1/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\IVT Corporation\BlueSoleil\BlueSoleilCS.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Unlocker\UnlockerAssistant.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\IVT Corporation\BlueSoleil\BtTray.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\IVT Corporation\BlueSoleil\BsMobileCS.exe
C:\WINDOWS\system32\DVDRAMSV.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\IVT Corporation\BlueSoleil\BsHelpCS.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = start.icq.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = adobe.com/shockwave/download/triggerpages_mmcom/default.html
R3 - URLSearchHook: (no name) - - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Program Files\Unlocker\UnlockerAssistant.exe"
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [DeviceDiscovery] C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
O4 - HKLM\..\Run: [BtTray] "C:\Program Files\IVT Corporation\BlueSoleil\BtTray.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Send by Bluetooth - C:\Program Files\IVT Corporation\BlueSoleil\TransSend\IE\tsinfo.htm
O8 - Extra context menu item: Send via &Message... - C:\Program Files\IVT Corporation\BlueSoleil\TransSend\IE\tssms.htm
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe (file missing)
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {5D69485C-EAB1-42AE-93C1-B5A53F238C5A} (FileInterface Class) - online.bancaintesabeograd.com/RetailDLL/FSINT.dll
O16 - DPF: {76326493-E84F-4D4B-939C-1E07B50037F2} (ProxyModule Class) - online.bancaintesabeograd.com/RetailDLL/SGCMSCCD.DLL
O17 - HKLM\System\CCS\Services\Tcpip\..\{0B5CCDA0-80AA-4484-AF19-AD3F5D8B0A3A}: NameServer = 192.168.0.1
O17 - HKLM\System\CS1\Services\Tcpip\..\{0B5CCDA0-80AA-4484-AF19-AD3F5D8B0A3A}: NameServer = 192.168.0.1
O17 - HKLM\System\CS2\Services\Tcpip\..\{0B5CCDA0-80AA-4484-AF19-AD3F5D8B0A3A}: NameServer = 192.168.0.1
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\WINDOWS\system32\skype4com.dll
O20 - AppInit_DLLs: C:\WINDOWS\System32\csellang32.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: BlueSoleilCS - Unknown owner - C:\Program Files\IVT Corporation\BlueSoleil\BlueSoleilCS.exe
O23 - Service: BsHelpCS - Unknown owner - C:\Program Files\IVT Corporation\BlueSoleil\BsHelpCS.exe
O23 - Service: BsMobileCS - Unknown owner - C:\Program Files\IVT Corporation\BlueSoleil\BsMobileCS.exe
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\system32\DVDRAMSV.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

--
End of file - 7787 bytes

Update: 01 May 2009 20:33

Looking at the other topics, I downloaded USBNoRisk and scanned the flash drive; I'm sending the log right now. There is something there :)

USBNoRisk 2.1 by bobby

Started at 5/1/2009 8:28:43 PM

Scanning for connected USB Mass storage...
----------------------------------------
========================================

Scanning for other storage...
----------------------------------------
C: {fa0d2711-d397-11db-9f4e-806d6172696f}
========================================


Scanning fixed storage for autorun.inf files...
----------------------------------------

Blocked file found: C:\autorun.inf.blocked
----------------------------------------
Content of C:\autorun.inf.blocked
----------------------------------------
[AutoRun]
open=ej10fkdo.bat
shell\open\Command=ej10fkdo.bat
----------------------------------------

No Autorun.inf files found on C:
No mountpoint found for C:
No mountpoint found for fa0d2711-d397-11db-9f4e-806d6172696f
----------------------------------------

========================================
Initial scan finished!
========================================


New device connected at 5/1/2009 8:29:05 PM

Scanning for connected USB mass storage...
----------------------------------------
F: {744c7e28-7d00-11dd-91ed-001636dd4cfc}
Added F:
========================================

Scanning USB mass storage for files...
----------------------------------------
No blocked files found on F:
----------------------------------------
autorun.inf found on F:
----------------------------------------
File F:\autorun.inf renamed successfully

Content of F:\autorun.inf.blocked
----------------------------------------
[AutoRun]
open=ej10fkdo.bat
shell\open\Command=ej10fkdo.bat
----------------------------------------

Files referenced from F:\autorun.inf.blocked
----------------------------------------
F:\ej10fkdo.bat -r-hs 108855
----------------------------------------

Sanitized mountpoint for 744c7e28-7d00-11dd-91ed-001636dd4cfc
----------------------------------------

No Desktop.ini files found on F:
----------------------------------------

No mimics found on drive F:
========================================

  • dr_Bora
  • Anti Malware Fighter
    Rank 2
  • Joined: 24 Jul 2007
  • Posts: 12280
  • Location: Höganäs, SE

Hello...




Right-click the Avira icon in the bottom-right corner of the screen and untick AntiVir Guard Enable.

Note: don't forget to turn this option back on once the cleanup is finished.


Also close SUPERAntiSpyware (right-click its tray icon, choose Exit).


-------------------------------------------------------------------------------------



Download ComboFix to the Desktop from one of the following addresses:
http://download.bleepingcomputer.com/sUBs/ComboFix.exe
http://www.forospyware.com/sUBs/ComboFix.exe
http://subs.geekstogo.com/ComboFix.exe

Run it and don't touch the program window while it scans.
Follow the on-screen instructions. When it finishes, a log (C:\ComboFix.txt) will appear; copy it here for us.

  • Joined: 01 May 2009
  • Posts: 11

ComboFix 09-05-01.1 - Natasa 05/01/2009 20:54.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1250.381.1033.18.894.379 [GMT 2:00]
Running from: c:\documents and settings\Natasa\Desktop\ComboFix.exe
AV: AntiVir Desktop *On-access scanning disabled* (Outdated)
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((( Files Created from 2009-04-01 to 2009-05-01 )))))))))))))))))))))))))))))))
.

2009-05-01 18:19 . 2009-05-01 18:19 -------- d-----w c:\program files\Trend Micro
2009-04-30 15:34 . 2007-03-15 17:17 183808 ----a-w C:\WgaLogon.dll
2009-04-27 13:30 . 2009-04-27 13:30 -------- d-----w c:\program files\Avira
2009-04-27 13:30 . 2009-04-27 13:30 -------- d-----w c:\documents and settings\All Users\Application Data\Avira
2009-04-27 12:42 . 2009-05-01 18:33 -------- d-----w C:\USBNoRisk
2009-04-27 11:20 . 2009-04-27 11:20 -------- d-----w c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-04-27 11:20 . 2009-04-27 12:55 -------- d-----w c:\program files\SUPERAntiSpyware
2009-04-27 11:20 . 2009-04-27 11:20 -------- d-----w c:\documents and settings\Natasa\Application Data\SUPERAntiSpyware.com
2009-04-27 11:20 . 2009-04-27 11:20 -------- d-----w c:\program files\Common Files\Wise Installation Wizard

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-27 13:33 . 2009-03-23 16:57 55640 ----a-w c:\windows\system32\drivers\avgntflt.sys
2009-04-27 12:24 . 2007-06-23 18:45 -------- d-----w c:\program files\DAEMON Tools
2009-03-26 10:27 . 2009-03-26 10:28 410984 ----a-w c:\windows\system32\deploytk.dll
2009-03-26 10:27 . 2007-03-16 11:54 -------- d-----w c:\program files\Java
2009-03-22 19:57 . 2007-05-09 21:32 -------- d-----w c:\program files\LimeWire
2009-03-22 14:43 . 2008-01-13 16:52 -------- d-----w c:\program files\Soulseek
2009-03-21 11:59 . 2009-03-14 15:26 -------- d-----w c:\program files\Fish Tycoon
2009-03-19 23:11 . 2008-06-17 21:31 -------- d-----w c:\program files\MessengerDiscovery
2009-03-15 17:15 . 2009-03-15 17:15 -------- d-----w c:\program files\IVT Corporation
2009-03-15 14:49 . 2009-03-15 14:49 -------- d-----w c:\program files\GameInvest
2009-03-08 19:35 . 2009-03-07 17:22 -------- d-----w c:\program files\Garena
2009-03-07 12:05 . 2007-03-16 12:40 -------- d-----w c:\program files\ESET
2009-02-25 13:03 . 2009-02-25 13:03 82380 ----a-w c:\windows\system32\drivers\AFS2K.SYS
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-08-04 1667584]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-03-23 1830128]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-12-11 344064]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-04-07 761946]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2007-03-16 282624]
"UnlockerAssistant"="c:\program files\Unlocker\UnlockerAssistant.exe" [2008-05-02 15872]
"HP Software Update"="c:\program files\Hewlett-Packard\HP Software Update\HPWuSchd.exe" [2003-06-25 49152]
"HP Component Manager"="c:\program files\HP\hpcoretech\hpcmpmgr.exe" [2003-10-23 233472]
"HPDJ Taskbar Utility"="c:\windows\system32\spool\drivers\w32x86\3\hpztsb09.exe" [2003-07-28 188416]
"DeviceDiscovery"="c:\program files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe" [2003-05-21 229437]
"BtTray"="c:\program files\IVT Corporation\BlueSoleil\BtTray.exe" [2008-06-05 231424]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]
"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.exe [2006-06-28 16248320]
"BluetoothAuthenticationAgent"="bthprops.cpl" - c:\windows\system32\bthprops.cpl [2004-08-04 110592]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" - c:\windows\system32\narrator.exe [2004-08-04 53760]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 10:05 356352 ----a-w c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKLM\~\startupfolder\C:^Documents and Settings^Natasa^Start Menu^Programs^Startup^Adobe Gamma.lnk]
path=c:\documents and settings\Natasa\Start Menu\Programs\Startup\Adobe Gamma.lnk
backup=c:\windows\pss\Adobe Gamma.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Natasa^Start Menu^Programs^Startup^LimeWire On Startup.lnk]
path=c:\documents and settings\Natasa\Start Menu\Programs\Startup\LimeWire On Startup.lnk
backup=c:\windows\pss\LimeWire On Startup.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\IVT Corporation\\BlueSoleil\\BlueSoleilCS.exe"=

R3 GarenaPEngine;GarenaPEngine; [x]
R3 Unilocator;Unilocator;c:\windows\system32\locatrNT.exe [1996-09-29 120832]
S0 BtHidBus;Bluetooth HID Bus Service;c:\windows\System32\Drivers\BtHidBus.sys [2008-01-21 21512]
S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2009-03-23 9968]
S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.sys [2009-03-23 72944]
S2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [2009-04-27 108289]
S2 BsMobileCS;BsMobileCS;c:\program files\IVT Corporation\BlueSoleil\BsMobileCS.exe [2008-06-04 143467]
S2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [2006-11-03 13592]
S3 IvtBtBUs;IVT Bluetooth Bus Service;c:\windows\system32\Drivers\IvtBtBus.sys [2008-01-21 26248]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2009-03-23 7408]


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
\Shell\AutoRun\command - E:\setup.exe /autorun
\Shell\dxinst\command - e:\directx\dxsetup.exe
\Shell\mplayer\command - e:\goodies\mplayer\mpmin.exe
\Shell\setup\command - E:\setup.exe /autorun

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2a24cb85-124c-11de-93fa-101111111111}]
\Shell\AutoRun\command - G:\uxkl0apt.bat
\Shell\open\Command - G:\uxkl0apt.bat

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{51b69c23-7bda-11dc-8e3f-001636dd4cfc}]
\Shell\AutoRun\command - F:\u.com
\Shell\open\Command - F:\u.com

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{5f24401a-e5c3-11db-8c90-001636dd4cfc}]
\Shell\AutoRun\command - F:\ej10fkdo.bat
\Shell\open\Command - F:\ej10fkdo.bat

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ac51dc6e-259b-11dd-90a3-001636dd4cfc}]
\Shell\AutoRun\command - F:\ej10fkdo.bat
\Shell\open\Command - F:\ej10fkdo.bat

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{acd38de6-27df-11dd-90ac-001636dd4cfc}]
\Shell\AutoRun\command - gg.exe 0o
\Shell\explore\Command - gg.exe 0e
\Shell\open\Command - gg.exe 0o

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c9d51d79-966c-11dc-8e90-001636dd4cfc}]
\Shell\AutoRun\command - F:\i.com
\Shell\open\Command - F:\i.com

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ef80ae9d-1cf1-11dc-8d4f-000c7648812c}]
\Shell\AutoRun\command - F:\jm3cx96.bat
\Shell\open\Command - F:\jm3cx96.bat

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{eff081af-0b0f-11de-93dd-001cea6aa68d}]
\Shell\AutoRun\command - F:\2fiy.bat
\Shell\open\Command - F:\2fiy.bat
.
Contents of the 'Scheduled Tasks' folder

2009-05-01 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-03 17:20]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://start.icq.com/
uInternet Connection Wizard,ShellNext = hxxp://www.adobe.com/shockwave/download/triggerpages_mmcom/default.html
IE: &Search
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Send by Bluetooth - c:\program files\IVT Corporation\BlueSoleil\TransSend\IE\tsinfo.htm
IE: Send via &Message... - c:\program files\IVT Corporation\BlueSoleil\TransSend\IE\tssms.htm
TCP: {0B5CCDA0-80AA-4484-AF19-AD3F5D8B0A3A} = 192.168.0.1
Handler: ic32pp - {BBCA9F81-8F4F-11D2-90FF-0080C83D3571} - c:\windows\wc98pp.dll
DPF: {5D69485C-EAB1-42AE-93C1-B5A53F238C5A} - hxxps://online.bancaintesabeograd.com/RetailDLL/FSINT.dll
DPF: {76326493-E84F-4D4B-939C-1E07B50037F2} - hxxps://online.bancaintesabeograd.com/RetailDLL/SGCMSCCD.DLL
FF - ProfilePath - c:\documents and settings\Natasa\Application Data\Mozilla\Firefox\Profiles\g2s5elmj.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://en-US.start2.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official
FF - prefs.js: keyword.URL - hxxp://search.icq.com/search/afe_results.php?ch_id=afex&q=
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, gmer.net
Rootkit scan 2009-05-01 20:56
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(852)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(480)
c:\windows\system32\msi.dll
.
Completion time: 2009-05-01 20:58
ComboFix-quarantined-files.txt 2009-05-01 18:58
ComboFix2.txt 2009-04-27 12:51

Pre-Run: 8,243,580,928 bytes free
Post-Run: 8,304,533,504 bytes free


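A detection-side helper, added here as an example and not part of this thread, USBNoRisk or ComboFix: it parses autorun.inf content of the kind USBNoRisk quoted above and the MountPoints2 block from the ComboFix report, and flags launchers that look like the autorun worm entries in this thread. The two sample inputs are constructed from the logs above, and the two heuristics (script-type extensions, random-looking file names) are my assumptions.

```python
# Detection helper for autorun-worm launchers as seen in this thread's
# USBNoRisk and ComboFix logs (autorun.inf handlers and MountPoints2 commands).
import os
import re

# Script-type launchers; a legitimate CD/DVD autorun normally points at an .exe.
SCRIPT_EXT = (".bat", ".cmd", ".com", ".pif", ".scr", ".vbs", ".js")
# Assumed heuristic: short lower-case alphanumeric stems with a digit look generated.
RANDOM_NAME = re.compile(r"^(?=.*\d)[a-z0-9]{4,10}$")

# Constructed sample: the autorun.inf content quoted in the USBNoRisk log.
SAMPLE_AUTORUN_INF = r"""[AutoRun]
open=ej10fkdo.bat
shell\open\Command=ej10fkdo.bat
"""

# Constructed sample: three MountPoints2 entries in ComboFix's report layout.
SAMPLE_MOUNTPOINTS2 = r"""[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
\Shell\AutoRun\command - E:\setup.exe /autorun
\Shell\dxinst\command - e:\directx\dxsetup.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{5f24401a-e5c3-11db-8c90-001636dd4cfc}]
\Shell\AutoRun\command - F:\ej10fkdo.bat
\Shell\open\Command - F:\ej10fkdo.bat

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{acd38de6-27df-11dd-90ac-001636dd4cfc}]
\Shell\AutoRun\command - gg.exe 0o
\Shell\open\Command - gg.exe 0o
"""

MP2_HEADER = re.compile(r"^\[HKEY_CURRENT_USER\\.*\\mountpoints2\\([^\]]+)\]$", re.I)
MP2_VERB = re.compile(r"^\\Shell\\([^\\]+)\\command\s+-\s+(.+)$", re.I)


def parse_autorun_inf(text):
    """Return the [AutoRun] section as {lower-cased key: value}; other
    sections and ';' comments are ignored, a repeated key keeps its last value."""
    keys, in_autorun = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_autorun = line[1:-1].strip().lower() == "autorun"
            continue
        if in_autorun and "=" in line:
            key, value = line.split("=", 1)
            keys[key.strip().lower()] = value.strip()
    return keys


def autorun_launchers(text):
    """[(key, command)] for keys that make Explorer run something:
    open, shellexecute, and any shell\\<verb>\\command entry."""
    return [(k, v) for k, v in parse_autorun_inf(text).items()
            if k in ("open", "shellexecute")
            or (k.startswith("shell\\") and k.endswith("\\command"))]


def parse_mountpoints2(report):
    """[(volume, verb, command)] from ComboFix's MountPoints2 block."""
    entries, volume = [], None
    for raw in report.splitlines():
        line = raw.strip()
        header = MP2_HEADER.match(line)
        if header:
            volume = header.group(1)
            continue
        verb = MP2_VERB.match(line)
        if verb and volume:
            entries.append((volume, verb.group(1), verb.group(2).strip()))
    return entries


def assess_command(command):
    """Why a launcher looks like an autorun worm, or None if unremarkable."""
    parts = command.split()
    if not parts:
        return None
    base = parts[0].rsplit("\\", 1)[-1].lower()  # drop arguments, drive and path
    stem, ext = os.path.splitext(base)
    if ext in SCRIPT_EXT:
        return "script launcher (%s)" % ext
    if RANDOM_NAME.match(stem):
        return "random-looking file name"
    return None


def flag_launchers(autorun_inf_text, mountpoints2_text):
    """[(source, verb, command, reason)] for every suspicious launcher."""
    rows = [("autorun.inf", k, c) for k, c in autorun_launchers(autorun_inf_text)]
    rows += parse_mountpoints2(mountpoints2_text)
    assessed = ((src, verb, cmd, assess_command(cmd)) for src, verb, cmd in rows)
    return [row for row in assessed if row[3]]
```

On the samples, the CD-style `E:\setup.exe /autorun` entries pass while both `ej10fkdo.bat` handlers and both MountPoints2 commands for the infected volume are reported; `gg.exe 0o` is not caught by these two heuristics, which is why such a check complements, rather than replaces, reading the log.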
  • dr_Bora
  • Anti Malware Fighter
    Rank 2
  • Joined: 24 Jul 2007
  • Posts: 12280
  • Location: Höganäs, SE

Upload the following files:

c:\windows\system32\locatrNT.exe
C:\WgaLogon.dll


Upload link: http://www.mycity.rs/ambulanta-upload.php

  • Joined: 01 May 2009
  • Posts: 11

Done, waiting for further instructions.

  • dr_Bora
  • Anti Malware Fighter
    Rank 2
  • Joined: 24 Jul 2007
  • Posts: 12280
  • Location: Höganäs, SE

Run USBNoRisk, switch to the Script tab and paste there everything inside the code box:

{fa0d2711-d397-11db-9f4e-806d6172696f}
delete_blocked:

{744c7e28-7d00-11dd-91ed-001636dd4cfc}
delete: %DRIVE%ej10fkdo.bat
delete_blocked:



Plug in the flash drive. After about ten seconds save the new log (right-click, Save log) and paste it here.

  • Joined: 01 May 2009
  • Posts: 11

Posted: 01 May 2009 21:57

USBNoRisk 2.1 by bobby

Started at 5/1/2009 9:54:11 PM

Scanning for connected USB Mass storage...
----------------------------------------
========================================

Scanning for other storage...
----------------------------------------
C: {fa0d2711-d397-11db-9f4e-806d6172696f}
========================================


Scanning fixed storage for autorun.inf files...
----------------------------------------

Blocked file found: C:\autorun.inf.blocked
----------------------------------------
Content of C:\autorun.inf.blocked
----------------------------------------
[AutoRun]
open=ej10fkdo.bat
shell\open\Command=ej10fkdo.bat
----------------------------------------

No Autorun.inf files found on C:
No mountpoint found for C:
No mountpoint found for fa0d2711-d397-11db-9f4e-806d6172696f
----------------------------------------

========================================
Initial scan finished!
========================================

Processing script
----------------------------------------
fa0d2711-d397-11db-9f4e-806d6172696f
Drive letter for GUID: C:
SectionStart = 0
SectionEnd = 2
----------------------------------------
Deleting blocked files:
----------------------------------------


New device connected at 5/1/2009 9:55:45 PM

Scanning for connected USB mass storage...
----------------------------------------
F: {744c7e28-7d00-11dd-91ed-001636dd4cfc}
Added F:
========================================

Scanning USB mass storage for files...
----------------------------------------
Blocked file found: F:\autorun.inf.blocked
----------------------------------------
Content of F:\autorun.inf.blocked
----------------------------------------
[AutoRun]
open=ej10fkdo.bat
shell\open\Command=ej10fkdo.bat
----------------------------------------

Files referenced from F:\autorun.inf.blocked
----------------------------------------
F:\ej10fkdo.bat -r-hs 108855
----------------------------------------

----------------------------------------
No Autorun.inf files found on F:
No mountpoint found for 744c7e28-7d00-11dd-91ed-001636dd4cfc
----------------------------------------

No Desktop.ini files found on F:
----------------------------------------

No mimics found on drive F:
========================================

Processing script
----------------------------------------
744c7e28-7d00-11dd-91ed-001636dd4cfc
Drive letter for GUID: F:
SectionStart = 3
SectionEnd = 5
File lock detected:
USBNoRisk cannot find what locked the file
Delete: F:\ej10fkdo.bat > Error!
----------------------------------------
Deleting blocked files:
----------------------------------------
Delete: F:\autorun.inf.blocked > Done!
----------------------------------------

========================================
Scan finished!
========================================

Update: 01 May 2009 21:59

When the flash drive was plugged in the first time it didn't do anything, so I did "run script"; but when I plugged the flash drive in the second time, the script was executed.

  • dr_Bora
  • Anti Malware Fighter
    Rank 2
  • Joined: 24 Jul 2007
  • Posts: 12280
  • Location: Höganäs, SE

OK. Temporarily disable the antivirus and repeat the procedure with the following script:


{744c7e28-7d00-11dd-91ed-001636dd4cfc}
f_delete: %DRIVE%ej10fkdo.bat
delete: C:\autorun.inf.blocked



Post the new log.

  • Joined: 01 May 2009
  • Posts: 11

USBNoRisk 2.1 by bobby

Started at 5/1/2009 10:09:33 PM

Scanning for connected USB Mass storage...
----------------------------------------
========================================

Scanning for other storage...
----------------------------------------
C: {fa0d2711-d397-11db-9f4e-806d6172696f}
========================================


Scanning fixed storage for autorun.inf files...
----------------------------------------

Blocked file found: C:\autorun.inf.blocked
----------------------------------------
Content of C:\autorun.inf.blocked
----------------------------------------
[AutoRun]
open=ej10fkdo.bat
shell\open\Command=ej10fkdo.bat
----------------------------------------

No Autorun.inf files found on C:
No mountpoint found for C:
No mountpoint found for fa0d2711-d397-11db-9f4e-806d6172696f
----------------------------------------

========================================
Initial scan finished!
========================================


New device connected at 5/1/2009 10:10:20 PM

Scanning for connected USB mass storage...
----------------------------------------
F: {744c7e28-7d00-11dd-91ed-001636dd4cfc}
Added F:
========================================

Scanning USB mass storage for files...
----------------------------------------
No blocked files found on F:
----------------------------------------
No Autorun.inf files found on F:
No mountpoint found for 744c7e28-7d00-11dd-91ed-001636dd4cfc
----------------------------------------

No Desktop.ini files found on F:
----------------------------------------

No mimics found on drive F:
========================================

Processing script
----------------------------------------
744c7e28-7d00-11dd-91ed-001636dd4cfc
Drive letter for GUID: F:
SectionStart = 0
SectionEnd = 2
f_delete: delete file error: F:\ej10fkdo.bat, The handle is invalid.
Delete: C:\autorun.inf.blocked > Done!
----------------------------------------

========================================
Scan finished!
========================================

  • dr_Bora
  • Anti Malware Fighter
    Rank 2
  • Joined: 24 Jul 2007
  • Posts: 12280
  • Location: Höganäs, SE

Let's go once more. The script follows:


{744c7e28-7d00-11dd-91ed-001636dd4cfc}
folder_list: %DRIVE%
