What is infected on my machine?

RJ (SuperModerator):

In the Malwarebytes thread
http://www.mycity.rs/Antispyware-programi/Malwarebytes-Anti-Malware.html
Helen suggested that I have been rootkitted. What is this about?

Here is the log file from HijackThis:


Scan saved at 17:22:11, on 1.2.2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\RunDll32.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\CpuIdlePro\cpuidle.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Chameleon Clock\ChamClock.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\rundll32.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\svchost.exe
C:\totalcmd\TOTALCMD.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Gadwin Systems\PrintScreen\PrintScreen.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\system32\ping.exe
D:\Novo\Hijack_this\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :
O2 - BHO: (no name) - {16664845-0E00-11D2-8059-000000000000} - C:\Program Files\Common Files\ReGet Shared\Catcher.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: VirtualNetwork module - {6C517674-DE1C-4493-977C-34A1BFAB35BA} - C:\Program Files\VirtualNetwork\VirtualNetwork.dll (file missing)
O2 - BHO: (no name) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O3 - Toolbar: ReGet Bar - {17939A30-18E2-471E-9D3A-56DD725F1215} - C:\Program Files\ReGetDx\iebar.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [CpuIdle] C:\Program Files\CpuIdlePro\cpuidle.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [HomeAlarm] C:\Program Files\Chameleon Clock\ChamClock.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: PowerReg Scheduler V3.exe
O8 - Extra context menu item: Do&wnload by ReGet Deluxe - C:\PROGRA~1\COMMON~1\REGETS~1\CC_Link.htm
O8 - Extra context menu item: Download A&ll by ReGet Deluxe - C:\PROGRA~1\COMMON~1\REGETS~1\CC_All.htm
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{CD1A55E2-48A6-4477-8D50-05DED312E91C}: NameServer = 10.10.2.69,10.10.2.79

helen1 (Anti Malware Fighter):

You are not listening to me:

This is wrong:

Right-click the program's icon and choose Rename:

Give it some meaningless name, say GH5.EXE or TR3.EXE, or anything else, as long as HijackThis is not mentioned:

Then post me a new log.

RJ (SuperModerator):

Wait, if I understood you correctly: I unpacked HJ onto the desktop and named it drrr.

Here is the log:

Logfile of HijackThis v1.99.1
Scan saved at 18:07:23, on 1.2.2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\RunDll32.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\CpuIdlePro\cpuidle.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Chameleon Clock\ChamClock.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\rundll32.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Gadwin Systems\PrintScreen\PrintScreen.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\system32\ping.exe
C:\Documents and Settings\vule\Desktop\drrr.exe.exe
C:\Documents and Settings\vule\Desktop\drrr.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :
O2 - BHO: ClickCatcher MSIE handler - {16664845-0E00-11D2-8059-000000000000} - C:\Program Files\Common Files\ReGet Shared\Catcher.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: VirtualNetwork module - {6C517674-DE1C-4493-977C-34A1BFAB35BA} - C:\Program Files\VirtualNetwork\VirtualNetwork.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O3 - Toolbar: ReGet Bar - {17939A30-18E2-471E-9D3A-56DD725F1215} - C:\Program Files\ReGetDx\iebar.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [CpuIdle] C:\Program Files\CpuIdlePro\cpuidle.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [HomeAlarm] C:\Program Files\Chameleon Clock\ChamClock.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: PowerReg Scheduler V3.exe
O8 - Extra context menu item: Do&wnload by ReGet Deluxe - C:\PROGRA~1\COMMON~1\REGETS~1\CC_Link.htm
O8 - Extra context menu item: Download A&ll by ReGet Deluxe - C:\PROGRA~1\COMMON~1\REGETS~1\CC_All.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{CD1A55E2-48A6-4477-8D50-05DED312E91C}: NameServer = 10.10.2.69,10.10.2.79
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe

helen1 (Anti Malware Fighter):

* Right-click the AVG icon in the bottom right corner of the screen.
* When the AVG Control Center opens, double-click the AVG Resident Shield component.
* In the window that opens, untick the option Turn on AVG Resident Shield and click OK.

Note: Don't forget to turn this option back on once the cleaning is finished.

----------------------

Download ComboFix from one of the following addresses to the Desktop:
http://download.bleepingcomputer.com/sUBs/ComboFix.exe
http://www.forospyware.com/sUBs/ComboFix.exe
http://subs.geekstogo.com/ComboFix.exe

Run it and do not touch the program window while it scans.
Follow the on-screen instructions. When it finishes, a log (C:\ComboFix.txt) will appear, which you will paste here for us.

RJ (SuperModerator):

Here is the CF log...


ComboFix 09-02-01.01 - vule 2009-02-02 11:10:59.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1250.381.1033.18.511.256 [GMT 1:00]
Running from: d:\novo\DL2\ComboFix.exe
AV: AVG 7.5.552 *On-access scanning disabled* (Updated)

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\recycler\Ford Racing 2.lnk

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_MYWEBSEARCHSERVICE
-------\Service_TDSSserv.sys


((((((((((((((((((((((((( Files Created from 2009-01-02 to 2009-02-02 )))))))))))))))))))))))))))))))
.

2009-02-02 11:13 . 2009-02-02 11:13 <DIR> d-------- c:\program files\microsoft frontpage
2009-01-30 12:33 . 2009-02-02 11:14 98,668 --a------ c:\windows\system32\drivers\c27e4db6.sys
2009-01-25 23:12 . 2009-01-25 23:14 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2009-01-25 23:12 . 2009-01-25 23:12 <DIR> d-------- c:\documents and settings\vule\Application Data\Malwarebytes
2009-01-25 23:12 . 2009-01-25 23:12 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-01-25 23:12 . 2009-01-14 16:11 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2009-01-25 23:12 . 2009-01-14 16:11 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2009-01-23 15:05 . 2009-01-23 15:05 <DIR> d-------- c:\program files\Free PDF to Word Doc Converter
2009-01-16 23:43 . 2009-01-16 23:43 <DIR> d-------- c:\program files\C-Media
2009-01-14 17:24 . 2009-01-14 17:24 <DIR> d-------- c:\documents and settings\All Users\Application Data\NexonEU
2009-01-14 17:21 . 2004-07-26 19:00 86,085 --a------ c:\windows\system32\ImageDrive.cpl
2009-01-13 13:16 . 2009-01-13 13:16 <DIR> d-------- c:\program files\Hasbro
2009-01-11 19:08 . 2009-01-11 19:08 <DIR> d-------- C:\DepositFiles
2009-01-11 12:15 . 2009-01-11 12:15 <DIR> d-------- c:\documents and settings\vule\Application Data\KC Softwares
2009-01-10 22:03 . 2009-01-13 21:34 <DIR> d-------- c:\program files\MC2
2009-01-09 13:03 . 2009-01-09 14:46 <DIR> d-------- c:\program files\StarWraith
2009-01-09 13:03 . 2009-01-09 13:03 796,672 --a------ c:\windows\GPInstall.exe
2009-01-09 11:32 . 2009-01-09 11:32 <DIR> d-------- c:\program files\Cat Daddy Games

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-02-02 10:13 --------- d-----w c:\program files\Chameleon Clock
2009-02-01 17:58 --------- d-----w c:\documents and settings\vule\Application Data\AVG7
2009-02-01 17:44 --------- d-----w c:\program files\ReGetDx
2009-02-01 17:14 --------- d-----w c:\documents and settings\All Users\Application Data\avg7
2009-01-31 18:49 --------- d-----w c:\documents and settings\vule\Application Data\uTorrent
2009-01-30 16:30 --------- d-----w c:\documents and settings\vule\Application Data\skypePM
2009-01-30 16:30 --------- d-----w c:\documents and settings\vule\Application Data\Skype
2009-01-30 10:28 --------- d-----w c:\program files\SpeedFan
2009-01-29 13:37 --------- d-----w c:\program files\AIMP2
2009-01-15 15:30 138,280 ----a-w c:\windows\system32\drivers\PnkBstrK.sys
2009-01-13 12:28 --------- d-----w c:\program files\Risk II
2009-01-11 10:11 --------- d--h--w c:\program files\InstallShield Installation Information
2009-01-10 22:05 --------- d-----w c:\documents and settings\vule\Application Data\Lavasoft
2009-01-10 22:04 --------- d-----w c:\program files\Flash Strike
2009-01-09 20:52 --------- d-----w c:\program files\PopCap Games
2009-01-09 13:44 --------- d-----w c:\program files\Real Alternative
2009-01-09 13:44 --------- d-----w c:\program files\Common Files\InterVideo
2009-01-09 13:44 --------- d-----w c:\program files\Common Files\Adobe
2009-01-09 13:44 --------- d-----w c:\program files\32ujmo99032
2009-01-09 09:06 --------- d-----w c:\program files\»ĂĎëÓÎϷϵÁĐ
2008-12-28 17:39 --------- d-----w c:\program files\Empire Interactive
2008-12-16 14:58 --------- d-----w c:\program files\Bomberic 2
2008-12-16 14:40 --------- d-----w c:\documents and settings\All Users\Application Data\ABBYY
2008-12-16 12:17 --------- d-----w c:\documents and settings\vule\Application Data\ABBYY
2008-12-16 12:04 --------- d-----w c:\program files\Devastation Zone Troopers
2008-12-09 09:01 --------- d-----w c:\program files\Air Guard Full
2008-12-08 10:22 --------- d-----w c:\documents and settings\vule\Application Data\Daimler
2008-12-08 08:37 --------- d-----w c:\program files\Alcohol Soft
2008-12-05 18:00 --------- d-----w c:\documents and settings\vule\Application Data\Memonix
2008-12-05 15:49 --------- d-----w c:\program files\Buka
2008-12-05 14:33 --------- d-----w c:\documents and settings\vule\Application Data\Groove Games
2008-12-05 14:03 --------- d-----w c:\documents and settings\All Users\Application Data\Sandlot Games
2008-12-05 13:53 --------- d-----w c:\program files\ReflexiveArcade
2008-12-05 13:49 --------- d-----w c:\documents and settings\All Users\Application Data\ScreenSeven
2008-12-05 13:38 --------- d-----w c:\program files\Neoact
2008-11-08 16:12 45,056 ----a-w c:\windows\NCUNINST.EXE
2008-01-02 23:17 32 ----a-w c:\documents and settings\All Users\Application Data\ezsid.dat
2007-11-25 17:15 81,920 ----a-w c:\documents and settings\vule\Application Data\ezpinst.exe
2007-11-25 17:15 47,360 ----a-w c:\documents and settings\vule\Application Data\pcouffin.sys
.

------- Sigcheck -------

2006-09-09 02:02 2198144 ba08992ecfb4b23b9204add12ab385ea c:\windows\system32\ntkrnlpa.exe

2006-09-09 00:01 2321024 ef63859e4fd9cb3ec31a111481f4b1b6 c:\windows\system32\ntoskrnl.exe

2006-09-09 01:48 1616896 7f9583eff8102bce8bd6716744018f83 c:\windows\explorer.exe

2006-09-09 07:45 125720 b04b182a92c119511dd3cdbe18602db1 c:\windows\system32\wuauclt.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"HomeAlarm"="c:\program files\Chameleon Clock\ChamClock.exe" [2006-10-26 915456]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-08-04 1667584]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-10-22 7700480]
"AVG7_CC"="c:\progra~1\Grisoft\AVG7\avgcc.exe" [2008-10-20 590848]
"CpuIdle"="c:\program files\CpuIdlePro\cpuidle.exe" [2008-06-22 903168]
"nwiz"="nwiz.exe" [2006-10-22 c:\windows\system32\nwiz.exe]
"NvMediaCenter"="NvMCTray.dll" [2006-10-22 c:\windows\system32\nvmctray.dll]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-04 15360]
"AVG7_Run"="c:\progra~1\Grisoft\AVG7\avgw.exe" [2007-12-10 219136]
"Nokia.PCSync"="c:\program files\Nokia\Nokia PC Suite 6\PcSync2.exe" [2007-06-19 1241088]

c:\documents and settings\vule\Start Menu\Programs\Startup\
PowerReg Scheduler V3.exe [2008-09-24 225280]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoResolveTrack"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.l3acm"= l3codecp.acm
"VIDC.ACDV"= ACDV.dll
"msacm.divxa32"= msaud32_divx.acm

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Grisoft\\AVG7\\avginet.exe"=
"c:\\Program Files\\Grisoft\\AVG7\\avgemc.exe"=
"c:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"=
"c:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Documents and Settings\\All Users\\Application Data\\NexonEU\\NGM\\NGM.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

R0 sfsync03;StarForce Protection Synchronization Driver (version 3.x);c:\windows\system32\drivers\sfsync03.sys [2005-12-06 35328]
S3 CD-Lock;CD-Lock;\??\e:\cdm.sys --> e:\cdm.sys [?]
.
Contents of the 'Scheduled Tasks' folder

2009-01-30 c:\windows\Tasks\At1.job
- c:\windows\system32\318UADNI.exe []

2009-02-02 c:\windows\Tasks\At10.job
- c:\windows\system32\318UADNI.exe []

2009-02-02 c:\windows\Tasks\At11.job
- c:\windows\system32\318UADNI.exe []

2009-02-02 c:\windows\Tasks\At12.job
- c:\windows\system32\318UADNI.exe []

2009-01-30 c:\windows\Tasks\At13.job
- c:\windows\system32\318UADNI.exe []

2009-02-01 c:\windows\Tasks\At14.job
- c:\windows\system32\318UADNI.exe []

2009-02-01 c:\windows\Tasks\At15.job
- c:\windows\system32\318UADNI.exe []

2009-02-01 c:\windows\Tasks\At16.job
- c:\windows\system32\318UADNI.exe []

2009-02-01 c:\windows\Tasks\At17.job
- c:\windows\system32\318UADNI.exe []

2009-02-01 c:\windows\Tasks\At18.job
- c:\windows\system32\318UADNI.exe []

2009-02-01 c:\windows\Tasks\At19.job
- c:\windows\system32\318UADNI.exe []

2009-01-30 c:\windows\Tasks\At2.job
- c:\windows\system32\318UADNI.exe []

2009-01-31 c:\windows\Tasks\At20.job
- c:\windows\system32\318UADNI.exe []

2009-01-30 c:\windows\Tasks\At21.job
- c:\windows\system32\318UADNI.exe []

2009-01-30 c:\windows\Tasks\At22.job
- c:\windows\system32\318UADNI.exe []

2009-01-30 c:\windows\Tasks\At23.job
- c:\windows\system32\318UADNI.exe []

2009-01-30 c:\windows\Tasks\At24.job
- c:\windows\system32\318UADNI.exe []

2009-01-30 c:\windows\Tasks\At25.job
- c:\windows\system32\318UADNI.exe []

2009-01-30 c:\windows\Tasks\At26.job
- c:\windows\system32\318UADNI.exe []

2009-01-30 c:\windows\Tasks\At27.job
- c:\windows\system32\318UADNI.exe []

2009-01-30 c:\windows\Tasks\At28.job
- c:\windows\system32\318UADNI.exe []

2009-01-30 c:\windows\Tasks\At29.job
- c:\windows\system32\318UADNI.exe []

2009-01-30 c:\windows\Tasks\At3.job
- c:\windows\system32\318UADNI.exe []

2009-01-30 c:\windows\Tasks\At30.job
- c:\windows\system32\318UADNI.exe []

2009-01-30 c:\windows\Tasks\At31.job
- c:\windows\system32\318UADNI.exe []

2009-01-30 c:\windows\Tasks\At32.job
- c:\windows\system32\318UADNI.exe []

2009-01-31 c:\windows\Tasks\At33.job
- c:\windows\system32\318UADNI.exe []

2009-02-02 c:\windows\Tasks\At34.job
- c:\windows\system32\318UADNI.exe []

2009-02-02 c:\windows\Tasks\At35.job
- c:\windows\system32\318UADNI.exe []

2009-02-02 c:\windows\Tasks\At36.job
- c:\windows\system32\318UADNI.exe []

2009-01-30 c:\windows\Tasks\At37.job
- c:\windows\system32\318UADNI.exe []

2009-02-01 c:\windows\Tasks\At38.job
- c:\windows\system32\318UADNI.exe []

2009-02-01 c:\windows\Tasks\At39.job
- c:\windows\system32\318UADNI.exe []

2009-01-30 c:\windows\Tasks\At4.job
- c:\windows\system32\318UADNI.exe []

2009-02-01 c:\windows\Tasks\At40.job
- c:\windows\system32\318UADNI.exe []

2009-02-01 c:\windows\Tasks\At41.job
- c:\windows\system32\318UADNI.exe []

2009-02-01 c:\windows\Tasks\At42.job
- c:\windows\system32\318UADNI.exe []

2009-02-01 c:\windows\Tasks\At43.job
- c:\windows\system32\318UADNI.exe []

2009-01-31 c:\windows\Tasks\At44.job
- c:\windows\system32\318UADNI.exe []

2009-01-30 c:\windows\Tasks\At45.job
- c:\windows\system32\318UADNI.exe []

2009-01-30 c:\windows\Tasks\At46.job
- c:\windows\system32\318UADNI.exe []

2009-01-30 c:\windows\Tasks\At47.job
- c:\windows\system32\318UADNI.exe []

2009-01-30 c:\windows\Tasks\At48.job
- c:\windows\system32\318UADNI.exe []

2009-01-30 c:\windows\Tasks\At5.job
- c:\windows\system32\318UADNI.exe []

2009-01-30 c:\windows\Tasks\At6.job
- c:\windows\system32\318UADNI.exe []

2009-01-30 c:\windows\Tasks\At7.job
- c:\windows\system32\318UADNI.exe []

2009-01-30 c:\windows\Tasks\At8.job
- c:\windows\system32\318UADNI.exe []

2009-01-31 c:\windows\Tasks\At9.job
- c:\windows\system32\318UADNI.exe []
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-Cmaudio - cmicnfg.cpl


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Connection Wizard,ShellNext = iexplore
IE: &Search
IE: Do&wnload by ReGet Deluxe - c:\progra~1\COMMON~1\REGETS~1\CC_Link.htm
IE: Download A&ll by ReGet Deluxe - c:\progra~1\COMMON~1\REGETS~1\CC_All.htm
TCP: {CD1A55E2-48A6-4477-8D50-05DED312E91C} = 10.10.2.69,10.10.2.79
Handler: ic32pp - {BBCA9F81-8F4F-11D2-90FF-0080C83D3571} - c:\windows\wc98pp.dll
FF - ProfilePath - c:\documents and settings\vule\Application Data\Mozilla\Firefox\Profiles\dna8zdip.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://google.com
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?ei=utf-8&fr=megaup&p=
FF - plugin: c:\documents and settings\All Users\Application Data\NexonEU\NGM\npNxGameeu.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npdjvu.dll

---- FIREFOX POLICIES ----
FF - user.js: network.proxy.type - 0
FF - user.js: network.proxy.http -
user_pref(network.proxy.http_port,);
FF - user.js: network.proxy.no_proxies_on -
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-02-02 11:14:02
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\c27e4db6]
"ImagePath"="\SystemRoot\System32\drivers\c27e4db6.sys"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\s-1-5-21-583907252-602162358-839522115-1003\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)

[HKEY_USERS\s-1-5-21-583907252-602162358-839522115-1003\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:55,91,13,95,05,3c,92,de,4d,b4,d4,1b,24,22,47,ea,77,7f,38,47,7b,27,bf,
70,9c,f1,39,f4,19,f5,1c,18,c0,a6,8c,04,9d,c8,73,81,21,d1,5d,fd,08,2d,b6,31,\
"??"=hex:c5,21,56,08,6b,8a,47,f4,b1,d9,36,d0,61,40,df,7a
.
------------------------ Other Running Processes ------------------------
.
c:\progra~1\Grisoft\AVG7\avgamsvr.exe
c:\progra~1\Grisoft\AVG7\avgupsvc.exe
c:\progra~1\Grisoft\AVG7\avgemc.exe
c:\windows\system32\nvsvc32.exe
c:\windows\system32\PnkBstrA.exe
c:\windows\system32\WdfMgr.exe
c:\windows\system32\rundll32.exe
c:\windows\system32\rundll32.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2009-02-02 11:17:05 - machine was rebooted [vule]
ComboFix-quarantined-files.txt 2009-02-02 10:17:01

Pre-Run: 3,044,933,632 bytes free
Post-Run: 3,042,377,728 bytes free

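As an added example (not a tool from this thread, from ComboFix, or from its authors), the following Python script scans a ComboFix-style text log for three of the indicators visible in the log above: many At<N>.job scheduled tasks that all launch the same randomly named executable from system32, a driver or service whose name is a bare eight-character hex string, and Security Center or Windows Firewall values that have been overridden. The embedded log excerpt is constructed, modelled on the lines posted here; the regexes, the At-job threshold and the list of override value names are the example's own assumptions.

```python
"""Triage helper for ComboFix-style text logs (added example, not the thread's tool)."""
import re
from collections import Counter

# Constructed excerpt modelled on the ComboFix log posted in this thread.
# Only a few lines are reproduced; the real log listed 48 At*.job entries.
SAMPLE_LOG = r"""
2009-01-30 12:33 . 2009-02-02 11:14 98,668 --a------ c:\windows\system32\drivers\c27e4db6.sys
2009-01-25 23:12 . 2009-01-14 16:11 15,504 --a------ c:\windows\system32\drivers\mbam.sys

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)

Contents of the 'Scheduled Tasks' folder

2009-01-30 c:\windows\Tasks\At1.job
- c:\windows\system32\318UADNI.exe []

2009-02-02 c:\windows\Tasks\At10.job
- c:\windows\system32\318UADNI.exe []

2009-02-02 c:\windows\Tasks\At11.job
- c:\windows\system32\318UADNI.exe []

2009-01-30 c:\windows\Tasks\Backup.job
- c:\program files\backup\backup.exe []

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\c27e4db6]
"ImagePath"="\SystemRoot\System32\drivers\c27e4db6.sys"
"""

# A task entry is a dated "<path>.job" line followed by "- <command> []".
TASK_RE = re.compile(r"^\d{4}-\d{2}-\d{2} (?P<job>\S+\.job)\s*$", re.I)
TARGET_RE = re.compile(r"^- (?P<target>.+?) \[\]\s*$")
AT_JOB_RE = re.compile(r"\\At\d+\.job$", re.I)
# Driver files and service keys; the name is the part before ".sys" / the last key component.
DRIVER_RE = re.compile(r'\\drivers\\(?P<name>[^\\\s"]+)\.sys', re.I)
SERVICE_KEY_RE = re.compile(
    r"^\[HKEY_LOCAL_MACHINE\\System\\ControlSet\d+\\Services\\(?P<name>[^\\\]]+)\]", re.I)
HEX_NAME_RE = re.compile(r"^[0-9a-f]{8}$", re.I)
# Values that, when set, silence or override the XP Security Center and firewall (assumed list).
OVERRIDE_NAMES = {"AntiVirusOverride", "FirewallOverride",
                  "AntiVirusDisableNotify", "DisableNotifications"}
SET_TO_ONE_RE = re.compile(r'^"(?P<name>\w+)"=\s*(?:dword:0*1|1 \(0x1\))\s*$')
FIREWALL_OFF_RE = re.compile(r'^"EnableFirewall"=\s*0\b')


def parse_scheduled_tasks(log):
    """Map each *.job file in the 'Scheduled Tasks' section to the command it launches."""
    tasks, current = {}, None
    for line in log.splitlines():
        m = TASK_RE.match(line)
        if m:
            current = m.group("job")
            continue
        m = TARGET_RE.match(line)
        if m and current:
            tasks[current] = m.group("target")
            current = None
    return tasks


def mass_at_jobs(log, min_jobs=3):
    """Targets launched by at least min_jobs distinct At<N>.job tasks, as (target, count)."""
    counts = Counter(target for job, target in parse_scheduled_tasks(log).items()
                     if AT_JOB_RE.search(job))
    return [(t, n) for t, n in sorted(counts.items()) if n >= min_jobs]


def hex_named_drivers(log):
    """Driver files or service keys whose name is a bare 8-character hex string."""
    names = {m.group("name") for m in DRIVER_RE.finditer(log)}
    for line in log.splitlines():
        m = SERVICE_KEY_RE.match(line)
        if m:
            names.add(m.group("name"))
    return sorted(n for n in names if HEX_NAME_RE.match(n))


def security_overrides(log):
    """Security Center override values set to 1 and the firewall policy switched off."""
    found = []
    for line in log.splitlines():
        m = SET_TO_ONE_RE.match(line)
        if m and m.group("name") in OVERRIDE_NAMES:
            found.append(m.group("name"))
        elif FIREWALL_OFF_RE.match(line):
            found.append("EnableFirewall=0")
    return sorted(found)


def triage(log):
    """Collect all three indicator classes from one log text."""
    return {"mass_at_jobs": mass_at_jobs(log),
            "hex_named_drivers": hex_named_drivers(log),
            "security_overrides": security_overrides(log)}


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

To use it on a real report, read C:\ComboFix.txt into a string and pass it to triage(). The At-job threshold defaults to 3 so that the short excerpt trips it; on a full log like the one posted above, the same system32 executable appears as the target of 48 At*.job tasks, and the c27e4db6 service created on 2009-01-30 with a random hex name is the kind of entry worth checking first.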

helen1 (Anti Malware Fighter):

Open Notepad and copy the following text into it:

File::
c:\windows\system32\drivers\c27e4db6.sys

Folder::
c:\program files\»ĂĎëÓÎϷϵÁĐ
c:\program files\32ujmo99032

AtJob::

Driver::
c27e4db6


Save the file from Notepad to the Desktop as "CFScript".

Drag the saved script/text file onto the ComboFix icon as shown in the picture.
In your next message, post the log that is produced at the end of the cleaning/scanning.
