Možda tražite i:
Malwarebytes Anti-Malware VS MCShield
Jedan od losih dana Malwarebytes Anti-Malware-a

MyCity » Ambulanta -> Arhiva Ambulante » Uporni malware

Uporni malware

Napisano na dan: 3.1.2011

Strana:
1
2

Uporni malware

Sledeća strana

Pagination

Odgovori

Strana:
1
2

Blans Poslao: 03 Jan 2011 23:19 Idi na vrh
offline Blans Novi MyCity građanin Pridružio: 03 Jan 2011 Poruke: 8	0Niko još nije pohvalio poruku. Registruj se da bi pohvalio/la poruku! Uloguj se preko Facebooka da bi skinuo fajl: Pozdrav svima i srecni praznici! Pre otprilike nedelju dana naleteh na problem koji nikako da resim, ali srecom naleteh i na vas forum pa se mozda nadje neki dobri Samaricanin koji bi mogao da mi pomogne. Ovako stoje stvari: sta god da uradim (a sta sam sve probao da uradim opisacu dole), jos uvek mi se dogadja ista stvar - cesto kada pokusam da pratim neki (ne bas uvek i ne svaki) link, u sred ucitavanja strane krene prvo redirekcija na neki potpuno nepoznat sajt, da bi zatim izaslo ono odvratno upozorenje kako mi je eto PC pun virusa i kako treba da sledim taj i taj link itd.... Naravno, svaki put kada se to desi ja jednostavno prekinem rad browser-a (u mom slucaju Firefox), ali mi je vec dojadilo a i desava se sve cesce. Primetio sam: - da bez problema mogu da otvorim pocetnu stranu bilo kog sajta na pr. [Link mogu videti samo ulogovani korisnici] pa u okviru nje otvorim stranu sa receptima (jedan od mojih omiljenih sajtova). - ali ako pokusam da tu istu stranu sa receptima otvorim direktno preko linka u Google-u, [Link mogu videti samo ulogovani korisnici] eto ga redirekcija pa onda upozorenje da sam inficiran i bla, bla.... - Vidim da se nakon redirekcije pokrece Java, ukoliko ne dozvolim Java script u browser-u prozori sa porukama se ne pojavljuju, ali redirekcija i dalje ostaje. Mali istorijat: Sve je pocelo kada sam nepaznjom (eto, ni misa izgleda jos nisam savladao kako treba) dopustio instalaciju nekog laznog antivirus-a cijeg se imena tacno ne secam (mislim da je bilo Think-nesto) - secam se samo da mi je pri "skeniranju" sve vazne sistemske procese ukljucujuci cak i Task Manager proglasio "inficiranim". Sa tim sam nekako uspeo da se izborim u Safe modu, Stinger je nasao Confliker-a koji je verovatno i poceo celu stvar. Njega sam se resio (a mozda i nisam potpuno!) sledeci uputsva koja sam nasao na Internetu. Od tada sam instalirao Malwerbyte-ov Anti-Malware, najsveziju verziju ZoneAlarm i Jave. Taman mi se ucinilo da je sve proslo, neko vreme je sve radilo kao podmazano, a onda eto ga ponovo....Svaki put upozorenje dolazi sa nekog drugog sajta, jednom je to bio neki mcqoemin.co.cc, a poruke zastrasivanja su razlicite ali su jednom nudili Antivirus 2010 - mozda taj podatak nekome pomogne u identifikaciji. Sta sam preduzeo: Malwerbyte je pri prvom skeniranju nasao nekih 5 trojana i kojecega. Naravno sve sam nadjene viruse "dezinfikovao" i sada Malwerbyte u punom scan-u ne detektuje nista, Stinger takodje. Pokusao sam i sa HijackThis, izbrisao sam jedan sumnjiv URLSearch Hook sa "no name" fajlom, ali ni to nije pomoglo. Radim na XP SP2, saljem vam i potrebne log-ove, ima li leka? Puno pozdrava! DDS (Ver_10-12-12.02) - NTFSx86 Run by Joca at 20:31:55.23 on Mon 01/03/2011 Internet Explorer: 6.0.2900.2180 BrowserJavaVersion: 1.6.0_23 Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2047.1653 [GMT 1:00] FW: ZoneAlarm Firewall Enabled ============== Running Processes =============== C:\WINDOWS\system32\svchost -k DcomLaunch svchost.exe C:\WINDOWS\System32\svchost.exe -k netsvcs svchost.exe C:\WINDOWS\system32\ZoneLabs\vsmon.exe C:\WINDOWS\Explorer.EXE C:\Program Files\CheckPoint\ZAForceField\IswSvc.exe C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\system32\RUNDLL32.EXE C:\WINDOWS\system32\CTHELPER.EXE C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe C:\Program Files\EPSON\BSTM\PG\E_L20IC2.EXE C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe C:\Program Files\Common Files\Java\Java Update\jusched.exe C:\Program Files\Creative Professional\E-MU PatchMix DSP\EmuPMixDSP.exe C:\WINDOWS\system32\ctfmon.exe C:\Program Files\Messenger\msmsgs.exe C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe C:\Program Files\Java\jre6\bin\jqs.exe C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe C:\WINDOWS\system32\nvsvc32.exe C:\Program Files\PC Connectivity Solution\ServiceLayer.exe C:\Program Files\CheckPoint\ZAForceField\ForceField.exe C:\Documents and Settings\Joca\Desktop\dds.scr ============== Pseudo HJT Report =============== uStart Page = [Link mogu videti samo ulogovani korisnici] uURLSearchHooks: ZoneAlarm Security Toolbar: {91da5e8a-3318-4f8c-b67e-5964de3ab546} - c:\program files\zonealarm_security\tbZone.dll BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll BHO: ZoneAlarm Security Engine Registrar: {8a4a36c2-0535-4d2c-bd3d-496cb7eed6e3} - c:\program files\checkpoint\zaforcefield\trustchecker\bin\TrustCheckerIEPlugin.dll BHO: ZoneAlarm Security Toolbar: {91da5e8a-3318-4f8c-b67e-5964de3ab546} - c:\program files\zonealarm_security\tbZone.dll BHO: EpsonToolBandKicker Class: {e99421fb-68dd-40f0-b4ac-b7027cae2f1a} - c:\program files\epson\epson web-to-page\EPSON Web-To-Page.dll TB: EPSON Web-To-Page: {ee5d279f-081b-4404-994d-c6b60aaeba6d} - c:\program files\epson\epson web-to-page\EPSON Web-To-Page.dll TB: ZoneAlarm Security Toolbar: {91da5e8a-3318-4f8c-b67e-5964de3ab546} - c:\program files\zonealarm_security\tbZone.dll TB: ZoneAlarm Security Engine: {ee2ac4e5-b0b0-4ec6-88a9-bca1a32ab107} - c:\program files\checkpoint\zaforcefield\trustchecker\bin\TrustCheckerIEPlugin.dll TB: {2E6F4C13-49FB-4DF3-B601-030D1D470E32} - No File uRun: [SetDefaultMIDI] MIDIDef.exe uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background uRun: [DAEMON Tools Pro Agent] "c:\program files\daemon tools pro\DTProAgent.exe" uRun: [Translate.Net] c:\program files\sau kp\translate.net\Translate.Net.exe -skipsplash mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup mRun: [nwiz] nwiz.exe /install mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit mRun: [UpdReg] c:\windows\UpdReg.EXE mRun: [CTHelper] CTHELPER.EXE mRun: [CTxfiHlp] CTXFIHLP.EXE mRun: [PCSuiteTrayApplication] c:\program files\nokia\nokia pc suite 6\LaunchApplication.exe -startup mRun: [EPSON PageSTM TrayIcon01] c:\program files\epson\bstm\pg\E_L20IC2.EXE mRun: [ZoneAlarm Client] "c:\program files\zone labs\zonealarm\zlclient.exe" mRun: [ISW] "c:\program files\checkpoint\zaforcefield\ForceField.exe" /icon="hidden" mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe" mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe" dRun: [Nokia.PCSync] c:\program files\nokia\nokia pc suite 6\PcSync2.exe /NoDialog StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office10\EXCEL.EXE/3000 IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - [Link mogu videti samo ulogovani korisnici] DPF: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - [Link mogu videti samo ulogovani korisnici] DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - [Link mogu videti samo ulogovani korisnici] Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL ================= FIREFOX =================== FF - ProfilePath - c:\docume~1\joca\applic~1\mozilla\firefox\profiles\i5p9sa1q.default\ FF - prefs.js: browser.startup.homepage - [Link mogu videti samo ulogovani korisnici] FF - prefs.js: keyword.URL - [Link mogu videti samo ulogovani korisnici] FF - component: c:\documents and settings\joca\application data\mozilla\firefox\profiles\i5p9sa1q.default\extensions\{91da5e8a-3318-4f8c-b67e-5964de3ab546}\components\FFExternalAlert.dll FF - component: c:\documents and settings\joca\application data\mozilla\firefox\profiles\i5p9sa1q.default\extensions\{91da5e8a-3318-4f8c-b67e-5964de3ab546}\components\RadioWMPCore.dll FF - component: c:\program files\checkpoint\zaforcefield\trustchecker\components\TrustCheckerMozillaPlugin.dll FF - plugin: c:\program files\checkpoint\zaforcefield\trustchecker\bin\npFFApi.dll FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd} FF - Ext: Java Console: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} FF - Ext: ZoneAlarm Security Engine: {FFB96CC1-7EB3-449D-B827-DB661701C6BB} - c:\program files\checkpoint\zaforcefield\TrustChecker FF - Ext: ZoneAlarm Security Toolbar: {91da5e8a-3318-4f8c-b67e-5964de3ab546} - %profile%\extensions\{91da5e8a-3318-4f8c-b67e-5964de3ab546} ============= SERVICES / DRIVERS =============== R1 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2010-12-31 532224] R2 ISWKL;ZoneAlarm Toolbar ISWKL;c:\program files\checkpoint\zaforcefield\ISWKL.sys [2010-11-5 26872] R2 IswSvc;ZoneAlarm Toolbar IswSvc;c:\program files\checkpoint\zaforcefield\ISWSVC.exe [2010-11-5 488952] R2 vsmon;TrueVector Internet Monitor;c:\windows\system32\zonelabs\vsmon.exe -service --> c:\windows\system32\zonelabs\vsmon.exe -service [?] R3 COMMONFX.SYS;COMMONFX.SYS;c:\windows\system32\drivers\COMMONFX.sys [2008-3-20 98328] R3 CTEDSPFX.SYS;CTEDSPFX.SYS;c:\windows\system32\drivers\CTEDSPFX.sys [2008-3-20 259096] R3 CTEDSPIO.SYS;CTEDSPIO.SYS;c:\windows\system32\drivers\CTEDSPIO.sys [2008-3-20 134168] R3 CTEDSPSY.SYS;CTEDSPSY.SYS;c:\windows\system32\drivers\CTEDSPSY.sys [2008-3-20 309784] S2 jjctene;Time Helper;c:\windows\system32\svchost.exe -k netsvcs [2010-12-18 14336] S3 COMMONFX;COMMONFX;c:\windows\system32\drivers\COMMONFX.sys [2008-3-20 98328] S3 CT20XUT.SYS;CT20XUT.SYS;c:\windows\system32\drivers\CT20XUT.sys [2008-3-20 171032] S3 CT20XUT;CT20XUT;c:\windows\system32\drivers\CT20XUT.sys [2008-3-20 171032] S3 CTAUDFX.SYS;CTAUDFX.SYS;c:\windows\system32\drivers\CTAUDFX.sys [2008-3-20 528920] S3 CTAUDFX;CTAUDFX;c:\windows\system32\drivers\CTAUDFX.sys [2008-3-20 528920] S3 CTEAPSFX.SYS;CTEAPSFX.SYS;c:\windows\system32\drivers\CTEAPSFX.sys [2008-3-20 163352] S3 CTEAPSFX;CTEAPSFX;c:\windows\system32\drivers\CTEAPSFX.sys [2008-3-20 163352] S3 CTEDSPFX;CTEDSPFX;c:\windows\system32\drivers\CTEDSPFX.sys [2008-3-20 259096] S3 CTEDSPIO;CTEDSPIO;c:\windows\system32\drivers\CTEDSPIO.sys [2008-3-20 134168] S3 CTEDSPSY;CTEDSPSY;c:\windows\system32\drivers\CTEDSPSY.sys [2008-3-20 309784] S3 CTERFXFX.SYS;CTERFXFX.SYS;c:\windows\system32\drivers\CTERFXFX.sys [2008-3-20 99352] S3 CTERFXFX;CTERFXFX;c:\windows\system32\drivers\CTERFXFX.sys [2008-3-20 99352] S3 CTEXFIFX.SYS;CTEXFIFX.SYS;c:\windows\system32\drivers\CTEXFIFX.sys [2008-3-20 1324056] S3 CTEXFIFX;CTEXFIFX;c:\windows\system32\drivers\CTEXFIFX.sys [2008-3-20 1324056] S3 CTHWIUT.SYS;CTHWIUT.SYS;c:\windows\system32\drivers\CTHWIUT.sys [2008-3-20 72728] S3 CTHWIUT;CTHWIUT;c:\windows\system32\drivers\CTHWIUT.sys [2008-3-20 72728] S3 CTSBLFX.SYS;CTSBLFX.SYS;c:\windows\system32\drivers\CTSBLFX.sys [2008-3-20 534040] S3 CTSBLFX;CTSBLFX;c:\windows\system32\drivers\CTSBLFX.sys [2008-3-20 534040] S3 FirebirdServerMAGIXInstance;Firebird Server - MAGIX Instance;c:\program files\magix\common\database\bin\fbserver.exe [2003-6-6 1527900] =============== Created Last 30 ================ 2011-01-02 14:03:55 472808 ----a-w- c:\windows\system32\deployJava1.dll 2011-01-02 14:03:55 472808 ----a-w- c:\program files\mozilla firefox\plugins\npdeployJava1.dll 2011-01-01 13:54:05 -------- d-----w- C:\SECURITY 2010-12-31 16:56:56 -------- d-----w- c:\docume~1\joca\applic~1\CheckPoint 2010-12-31 16:56:33 -------- d-----w- c:\program files\ZoneAlarm_Security 2010-12-31 16:56:33 -------- d-----w- c:\program files\Conduit 2010-12-31 16:56:33 -------- d-----w- c:\docume~1\joca\locals~1\applic~1\ZoneAlarm_Security 2010-12-31 16:56:33 -------- d-----w- c:\docume~1\joca\locals~1\applic~1\Conduit 2010-12-31 16:55:40 -------- d-----w- c:\program files\CheckPoint 2010-12-31 16:55:33 1238528 ----a-w- c:\windows\system32\zpeng25.dll 2010-12-31 16:55:32 -------- d-----w- c:\windows\system32\ZoneLabs 2010-12-31 12:53:45 -------- d-----w- c:\docume~1\joca\applic~1\Malwarebytes 2010-12-31 12:52:38 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys 2010-12-31 12:52:38 -------- d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes 2010-12-31 12:52:35 20952 ----a-w- c:\windows\system32\drivers\mbam.sys 2010-12-31 12:52:35 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware 2010-12-18 15:39:21 14336 ----a-w- c:\windows\system32\svchost.exe 2010-12-18 15:39:21 12800 ----a-w- c:\windows\system32\svchost_old.exe ==================== Find3M ==================== 2011-01-02 14:03:44 73728 ----a-w- c:\windows\system32\javacpl.cpl ============= FINISH: 20:32:21.96 =============== [Link mogu videti samo ulogovani korisnici] [Link mogu videti samo ulogovani korisnici] [Link mogu videti samo ulogovani korisnici] [Link mogu videti samo ulogovani korisnici]

Profil

1l padr1n0 Poslao: 04 Jan 2011 15:02 Idi na vrh
offline 1l padr1n0 Anti Malware Fighter Rank 2 Pridružio: 02 Feb 2008 Poruke: 14018 Gde živiš: Nish	0Niko još nije pohvalio poruku. Registruj se da bi pohvalio/la poruku! Pozdrav Blans! U toku resavanja slucaja, zamolio bih te da se pridrzavas sledeceg: Detaljno citati moja uputstva (ili uputstva kolega koji ce me zamenjivati) i raditi iskljucivo po njima; Ne traziti istovremeno pomoc na drugom mestu; Nemoj koristiti druge programe za uklanjanje malware-a, osim onih za koje budes dobio uputstvo; U toku intervencije ne koristiti USB memorijske uredjaje, dok to ne budem zatrazio; Ukoliko ne odgovorim u roku od 48h, osvezi temu novim post-om; Ukoliko se ne javis u roku od 5 dana, zatvoricemo slucaj. Za vise informacija o pravilima Ambulante MyCity foruma: LINK ------------------------------------------------------------------------------------- Preuzmi sUBs-ov ComboFix sa sledeće adrese na Desktop: Bleeping Computer Klikni desnim tasterom na link i odaberi opciju Save Target As... (Save Link As..., Save Linked Content As... ili sličnu); Kada se otvori dijalog za izbor lokacije na kojoj treba sačuvati file, odaberi Desktop i klikni Save. Kada preuzimanje programa bude završeno: deaktiviraj zaštitni softver (uputstvo); zatvori pokrenute programe; dvoklikom pokreni program ComboFix. U toku rada, ComboFix će:proveriti postoji li novija verzija programa: klikni Yes ako bude ponuđeno preuzimanje iste. prikazati DISCLAIMER OF WARRANTY ON SOFTWARE: klikni Yes kako bi proces bio nastavljen.ako Recovery Console nije instalirana, ponuditi instalaciju: obavezno prihvati klikom na Yes i isprati postupak.postaviti/dati određeni broj upita/obaveštenja: prihvati klikom na Yes ili OK.po potrebi, restartovati Windows (više puta); na kraju rada, otvoriti Notepad sa izveštajem o skeniranju. Iskopiraj izveštaj koji je ComboFix napravio u temu na forumu: klikni desnim tasterom miša u prozor Notepad-a i izaberi Select All; klikni desnim tasterom miša na obeleženi tekst i izaberi Copy; klikni desnim tasterom miša u polje za pisanje poruke i izaberi Paste. Napomena:Izveštaj će biti sačuvan pod nazivom ComboFix.txt na sistemskoj particiji (tipična lokacija: C:\ComboFix.txt); Ukoliko nakon slanja poruke primetiš da izveštaj nije kompletan, iskoristi opciju Prikači fajl za prilaganje file-a C:\ComboFix.txt uz poruku. goran9888 (AMF Tim)

Profil

Blans Poslao: 04 Jan 2011 20:57 Idi na vrh
offline Blans Novi MyCity građanin Pridružio: 03 Jan 2011 Poruke: 8	0Niko još nije pohvalio poruku. Registruj se da bi pohvalio/la poruku! Zdravo Gorane, puno ti hvala na utrosenom vremenu, uopste nisam ocekivao da ce se neko tako brzo javiti. Uradio sam kako si rekao sa ComboFix-om, proslo je bez problema i Log je kreiran, samo mi se comp zaglavio odmah nakon sto sam probao da iskopiram tekst u clipboard. Morao sam da ga restartujem "na silu" jer ni Task Manager nije radio pa nije pomagalo ni ono alt+ctrl+del. Nadam se da to ne komplikuje situaciju. Nakon ovog restarta Firefox je poslao upit da li zelim da bude default browser (ranije je bio). Ne znam da li to ima nekog znacaja ali mozda je bolje da znas. OK probacu da iskopiram Log u ovu poruku mada ovde ne vidim opciju uvida u poruku kao kod prvog mail-a, ako ne bude islo prikaci cu je. Veliki pozdrav i hvala. ComboFix 11-01-04.01 - Joca 01/04/2011 20:20:00.1.2 - x86 Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2047.1668 [GMT 1:00] Running from: c:\documents and settings\Joca\Desktop\ComboFix.exe FW: ZoneAlarm Firewall Disabled {829BDA32-94B3-44F4-8446-F8FCFF809F8B} . ((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) . c:\windows\system32\winlogon.exe . . . is infected!! c:\windows\explorer.exe . . . is infected!! . ((((((((((((((((((((((((( Files Created from 2010-12-04 to 2011-01-04 ))))))))))))))))))))))))))))))) . 2011-01-02 18:48 . 2011-01-02 18:48 -------- d-----w- c:\program files\Common Files\Adobe 2011-01-02 14:05 . 2011-01-02 14:05 -------- d-----w- c:\program files\Common Files\Java 2011-01-02 14:03 . 2011-01-02 14:03 472808 ----a-w- c:\windows\system32\deployJava1.dll 2011-01-02 14:03 . 2011-01-02 14:03 472808 ----a-w- c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll 2011-01-01 13:54 . 2011-01-04 11:40 -------- d-----w- C:\SECURITY 2010-12-31 12:53 . 2010-12-31 12:53 -------- d-----w- c:\documents and settings\Joca\Application Data\Malwarebytes 2010-12-31 12:52 . 2010-12-31 12:52 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes 2010-12-31 12:52 . 2010-12-20 17:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys 2010-12-31 12:52 . 2011-01-01 10:51 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware 2010-12-31 12:52 . 2010-12-20 17:08 20952 ----a-w- c:\windows\system32\drivers\mbam.sys 2010-12-18 15:39 . 2004-08-04 12:00 14336 ----a-w- c:\windows\system32\svchost.exe 2010-12-18 15:39 . 2001-08-23 10:00 12800 ----a-w- c:\windows\system32\svchost_old.exe 2010-12-17 21:56 . 2010-12-17 21:56 -------- d-----w- c:\documents and settings\Administrator . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2011-01-02 14:03 . 2009-12-27 12:34 73728 ----a-w- c:\windows\system32\javacpl.cpl . ------- Sigcheck ------- [-] 2004-08-03 . 328204B85FF2B3AE020454CA860F5719 . 502272 . . [5.1.2600.2180] . . c:\windows\system32\winlogon.exe [-] 2004-08-03 . 857BF7E41E312756C32B44E8C4446A96 . 1032192 . . [6.00.2900.2180] . . c:\windows\explorer.exe . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . Note empty entries & legit default entries are not shown REGEDIT4 [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks] "{91da5e8a-3318-4f8c-b67e-5964de3ab546}"= "c:\program files\ZoneAlarm_Security\tbZone.dll" [2010-12-01 2735200] [HKEY_CLASSES_ROOT\clsid\{91da5e8a-3318-4f8c-b67e-5964de3ab546}] [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{91da5e8a-3318-4f8c-b67e-5964de3ab546}] 2010-12-01 10:27 2735200 ----a-w- c:\program files\ZoneAlarm_Security\tbZone.dll [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar] "{91da5e8a-3318-4f8c-b67e-5964de3ab546}"= "c:\program files\ZoneAlarm_Security\tbZone.dll" [2010-12-01 2735200] [HKEY_CLASSES_ROOT\clsid\{91da5e8a-3318-4f8c-b67e-5964de3ab546}] [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "SetDefaultMIDI"="MIDIDef.exe" [2008-03-20 31232] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-05-10 8429568] "nwiz"="nwiz.exe" [2007-05-10 1626112] "NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-05-10 81920] "UpdReg"="c:\windows\UpdReg.EXE" [2000-05-11 90112] "CTHelper"="CTHELPER.EXE" [2008-03-20 23040] "CTxfiHlp"="CTXFIHLP.EXE" [2008-03-20 23552] "PCSuiteTrayApplication"="c:\program files\Nokia\Nokia PC Suite 6\LaunchApplication.exe" [2007-03-23 227328] "EPSON PageSTM TrayIcon01"="c:\program files\EPSON\BSTM\PG\E_L20IC2.EXE" [2007-12-11 151552] "ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2010-11-16 1043968] "ISW"="c:\program files\CheckPoint\ZAForceField\ForceField.exe" [2010-11-05 738808] "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-09-23 35760] "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-20 932288] [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run] "Nokia.PCSync"="c:\program files\Nokia\Nokia PC Suite 6\PcSync2.exe" [2007-03-27 1744896] c:\documents and settings\All Users\Start Menu\Programs\Startup\ Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360] [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall] "DisableMonitoring"=dword:00000001 [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List] "c:\\WINDOWS\\system32\\sessmgr.exe"= "c:\\WINDOWS\\system32\\ZoneLabs\\vsmon.exe"= [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List] "3561:TCP"= 3561:TCP:vyttdh R0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [6/19/2003 6:11 PM 685816] R2 ISWKL;ZoneAlarm Toolbar ISWKL;c:\program files\CheckPoint\ZAForceField\ISWKL.sys [11/5/2010 12:41 PM 26872] R2 IswSvc;ZoneAlarm Toolbar IswSvc;c:\program files\CheckPoint\ZAForceField\ISWSVC.exe [11/5/2010 12:41 PM 488952] R3 COMMONFX.SYS;COMMONFX.SYS;c:\windows\system32\drivers\COMMONFX.sys [3/20/2008 5:23 PM 98328] R3 CTEDSPFX.SYS;CTEDSPFX.SYS;c:\windows\system32\drivers\CTEDSPFX.sys [3/20/2008 5:32 PM 259096] R3 CTEDSPIO.SYS;CTEDSPIO.SYS;c:\windows\system32\drivers\CTEDSPIO.sys [3/20/2008 5:38 PM 134168] R3 CTEDSPSY.SYS;CTEDSPSY.SYS;c:\windows\system32\drivers\CTEDSPSY.sys [3/20/2008 5:37 PM 309784] S2 jjctene;Time Helper;c:\windows\system32\svchost.exe -k netsvcs [12/18/2010 4:39 PM 14336] S3 COMMONFX;COMMONFX;c:\windows\system32\drivers\COMMONFX.sys [3/20/2008 5:23 PM 98328] S3 CT20XUT.SYS;CT20XUT.SYS;c:\windows\system32\drivers\CT20XUT.sys [3/20/2008 5:36 PM 171032] S3 CT20XUT;CT20XUT;c:\windows\system32\drivers\CT20XUT.sys [3/20/2008 5:36 PM 171032] S3 CTAUDFX.SYS;CTAUDFX.SYS;c:\windows\system32\drivers\CTAUDFX.sys [3/20/2008 5:23 PM 528920] S3 CTAUDFX;CTAUDFX;c:\windows\system32\drivers\CTAUDFX.sys [3/20/2008 5:23 PM 528920] S3 CTEAPSFX.SYS;CTEAPSFX.SYS;c:\windows\system32\drivers\CTEAPSFX.sys [3/20/2008 5:26 PM 163352] S3 CTEAPSFX;CTEAPSFX;c:\windows\system32\drivers\CTEAPSFX.sys [3/20/2008 5:26 PM 163352] S3 CTEDSPFX;CTEDSPFX;c:\windows\system32\drivers\CTEDSPFX.sys [3/20/2008 5:32 PM 259096] S3 CTEDSPIO;CTEDSPIO;c:\windows\system32\drivers\CTEDSPIO.sys [3/20/2008 5:38 PM 134168] S3 CTEDSPSY;CTEDSPSY;c:\windows\system32\drivers\CTEDSPSY.sys [3/20/2008 5:37 PM 309784] S3 CTERFXFX.SYS;CTERFXFX.SYS;c:\windows\system32\drivers\CTERFXFX.sys [3/20/2008 5:36 PM 99352] S3 CTERFXFX;CTERFXFX;c:\windows\system32\drivers\CTERFXFX.sys [3/20/2008 5:36 PM 99352] S3 CTEXFIFX.SYS;CTEXFIFX.SYS;c:\windows\system32\drivers\CTEXFIFX.sys [3/20/2008 5:40 PM 1324056] S3 CTEXFIFX;CTEXFIFX;c:\windows\system32\drivers\CTEXFIFX.sys [3/20/2008 5:40 PM 1324056] S3 CTHWIUT.SYS;CTHWIUT.SYS;c:\windows\system32\drivers\CTHWIUT.sys [3/20/2008 5:37 PM 72728] S3 CTHWIUT;CTHWIUT;c:\windows\system32\drivers\CTHWIUT.sys [3/20/2008 5:37 PM 72728] S3 CTSBLFX.SYS;CTSBLFX.SYS;c:\windows\system32\drivers\CTSBLFX.sys [3/20/2008 5:25 PM 534040] S3 CTSBLFX;CTSBLFX;c:\windows\system32\drivers\CTSBLFX.sys [3/20/2008 5:25 PM 534040] S3 FirebirdServerMAGIXInstance;Firebird Server - MAGIX Instance;c:\program files\MAGIX\Common\Database\bin\fbserver.exe [6/6/2003 6:43 PM 1527900] HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs jjctene . . ------- Supplementary Scan ------- . uStart Page = [Link mogu videti samo ulogovani korisnici] IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000 FF - ProfilePath - c:\documents and settings\Joca\Application Data\Mozilla\Firefox\Profiles\i5p9sa1q.default\ FF - prefs.js: browser.startup.homepage - [Link mogu videti samo ulogovani korisnici] FF - prefs.js: keyword.URL - [Link mogu videti samo ulogovani korisnici] FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd} FF - Ext: Java Console: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} FF - Ext: ZoneAlarm Security Engine: {FFB96CC1-7EB3-449D-B827-DB661701C6BB} - c:\program files\CheckPoint\ZAForceField\TrustChecker FF - Ext: ZoneAlarm Security Toolbar: {91da5e8a-3318-4f8c-b67e-5964de3ab546} - %profile%\extensions\{91da5e8a-3318-4f8c-b67e-5964de3ab546} . - - - - ORPHANS REMOVED - - - - HKCU-Run-DAEMON Tools Pro Agent - c:\program files\DAEMON Tools Pro\DTProAgent.exe HKCU-Run-Translate.Net - c:\program files\SAU KP\Translate.Net\Translate.Net.exe ************************************************************************ catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [Link mogu videti samo ulogovani korisnici] Rootkit scan 2011-01-04 20:23 Windows 5.1.2600 Service Pack 2 NTFS scanning hidden processes ... scanning hidden autostart entries ... scanning hidden files ... scan completed successfully hidden files: 0 ************************************************************************ [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Dnscache] "ServiceDll"="%CommonProgramFiles%\dns.cert" . --------------------- DLLs Loaded Under Running Processes --------------------- - - - - - - - > 'winlogon.exe'(736) c:\program files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll - - - - - - - > 'lsass.exe'(804) c:\program files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll . Completion time: 2011-01-04 20:24:27 ComboFix-quarantined-files.txt 2011-01-04 19:24 Pre-Run: 150,336,720,896 bytes free Post-Run: 151,056,162,816 bytes free WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe [boot loader] timeout=2 default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS [operating systems] c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons UnsupportedDebug="do not select this" /debug multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect - - End Of File - - 8037283FEED728A5A305EA5381055EBE

Profil

1l padr1n0 Poslao: 05 Jan 2011 14:20 Idi na vrh
offline 1l padr1n0 Anti Malware Fighter Rank 2 Pridružio: 02 Feb 2008 Poruke: 14018 Gde živiš: Nish	0Niko još nije pohvalio poruku. Registruj se da bi pohvalio/la poruku! Otvoriti Notepad i iskopirati sledeci tekst: `File:: c:\program files\common files\dns.cert DirLook:: C:\SECURITY FileLook:: c:\windows\system32\svchost_old.exe c:\windows\system32\svchost.exe Registry:: [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List] "3561:TCP"=- [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Dnscache] "ServiceDll"=- Driver:: jjctene NetSvc:: jjctene` Snimiti na Desktop fajl iz Notepada kao "CFScript" Prevuci snimljeni skript/tekst na ComboFix ikonicu kao na slici. Postaviti u sledecoj poruci log koji bude bio napravljen na kraju ciscenja/skeniranja. goran9888 (AMF Tim)

Profil

Blans Poslao: 05 Jan 2011 18:52 Idi na vrh
offline Blans Novi MyCity građanin Pridružio: 03 Jan 2011 Poruke: 8	0Niko još nije pohvalio poruku. Registruj se da bi pohvalio/la poruku! Cao, izvini sto malo kasnim ComboFix 11-01-04.06 - Joca 01/05/2011 18:39:09.3.2 - x86 Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2047.1674 [GMT 1:00] Running from: c:\documents and settings\Joca\Desktop\ComboFix.exe Command switches used :: c:\documents and settings\Joca\Desktop\CFScript.txt FW: ZoneAlarm Firewall Disabled {829BDA32-94B3-44F4-8446-F8FCFF809F8B} FILE :: "c:\program files\common files\dns.cert" . ((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) . c:\windows\system32\winlogon.exe . . . is infected!! c:\windows\explorer.exe . . . is infected!! . ((((((((((((((((((((((((( Files Created from 2010-12-05 to 2011-01-05 ))))))))))))))))))))))))))))))) . 2011-01-02 18:48 . 2011-01-02 18:48 -------- d-----w- c:\program files\Common Files\Adobe 2011-01-02 14:05 . 2011-01-02 14:05 -------- d-----w- c:\program files\Common Files\Java 2011-01-02 14:03 . 2011-01-02 14:03 472808 ----a-w- c:\windows\system32\deployJava1.dll 2011-01-02 14:03 . 2011-01-02 14:03 472808 ----a-w- c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll 2011-01-01 13:54 . 2011-01-04 11:40 -------- d-----w- C:\SECURITY 2010-12-31 12:53 . 2010-12-31 12:53 -------- d-----w- c:\documents and settings\Joca\Application Data\Malwarebytes 2010-12-31 12:52 . 2010-12-31 12:52 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes 2010-12-31 12:52 . 2010-12-20 17:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys 2010-12-31 12:52 . 2011-01-01 10:51 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware 2010-12-31 12:52 . 2010-12-20 17:08 20952 ----a-w- c:\windows\system32\drivers\mbam.sys 2010-12-18 15:39 . 2004-08-04 12:00 14336 ----a-w- c:\windows\system32\svchost.exe 2010-12-18 15:39 . 2001-08-23 10:00 12800 ----a-w- c:\windows\system32\svchost_old.exe 2010-12-17 21:56 . 2010-12-17 21:56 -------- d-----w- c:\documents and settings\Administrator . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2011-01-02 14:03 . 2009-12-27 12:34 73728 ----a-w- c:\windows\system32\javacpl.cpl . (((((((((((((((((((((((((((((((((((((((((((( Look ))))))))))))))))))))))))))))))))))))))))))))))))))))))))) . --- c:\windows\system32\svchost.exe --- Company: Microsoft Corporation File Description: Generic Host Process for Win32 Services File Version: 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158-) Product Name: Microsoft® Windows® Operating System Copyright: © Microsoft Corporation. All rights reserved. Original Filename: svchost.exe File size: 14336 Created time: 2010-12-18 15:39 Modified time: 2004-08-04 12:00 MD5: 8F078AE4ED187AAABC0A305146DE6716 SHA1: DA0FF4006859A7580ABA81F486F692DEAD2014FE --- c:\windows\system32\svchost_old.exe --- Company: Microsoft Corporation File Description: Generic Host Process for Win32 Services File Version: 5.1.2600.0 (xpclient.010817-1148-) Product Name: Microsoft® Windows® Operating System Copyright: © Microsoft Corporation. All rights reserved. Original Filename: svchost.exe File size: 12800 Created time: 2010-12-18 15:39 Modified time: 2001-08-23 10:00 MD5: 0F7D9C87B0CE1FA520473119752C6F79 SHA1: 1E1DE0781B4D84120AD0F48599F89DA95F26AD7A ---- Directory of C:\SECURITY ---- 2011-01-04 11:40 . 2011-01-04 11:40 353485 ----a-w- c:\security\HostsXpert.zip 2011-01-03 17:34 . 2011-01-03 17:34 137 ----a-w- c:\security\backups\backup-20110103-183434-856 2011-01-02 14:03 . 2011-01-02 14:03 79648 ----a-w- c:\security\backups\backup-20110103-183434-856.dll 2011-01-02 14:00 . 2011-01-02 14:01 16561952 ----a-w- c:\security\JAVA\jre-6u23-windows-i586.exe 2011-01-02 13:46 . 2010-08-08 13:07 3127 ----a-w- c:\security\JAVA\Nederlands.lng 2011-01-02 13:46 . 2010-08-08 13:08 2553 ----a-w- c:\security\JAVA\Suomi.lng 2011-01-02 13:46 . 2010-12-28 12:38 2758 ----a-w- c:\security\JAVA\Deutsch.lng 2011-01-02 13:46 . 2010-08-08 13:08 2946 ----a-w- c:\security\JAVA\Español.lng 2011-01-02 13:46 . 2010-08-08 13:08 3027 ----a-w- c:\security\JAVA\Français.lng 2011-01-02 13:46 . 2010-08-08 13:08 2920 ----a-w- c:\security\JAVA\Italiano.lng 2011-01-02 13:46 . 2010-12-27 18:17 299233 ----a-w- c:\security\JAVA\JavaRa.def 2011-01-02 13:46 . 2010-12-27 18:23 400384 ----a-w- c:\security\JAVA\JavaRa.exe 2011-01-02 13:45 . 2011-01-02 13:44 159757 ----a-w- c:\security\JAVA\JavaRa.zip 2011-01-02 10:24 . 2011-01-02 10:24 2206 ----a-w- c:\security\processlist.txt 2011-01-01 20:17 . 2011-01-01 20:17 97 ----a-w- c:\security\backups\backup-20110101-211728-268 2011-01-01 19:45 . 2011-01-01 19:45 84 ----a-w- c:\security\backups\backup-20110101-204505-475 2011-01-01 13:58 . 2011-01-01 13:58 6541 ----a-w- c:\security\hijackthis.log 2011-01-01 13:54 . 2011-01-01 13:41 388608 ----a-w- c:\security\HijackThis.exe ------- Sigcheck ------- [-] 2004-08-03 . 328204B85FF2B3AE020454CA860F5719 . 502272 . . [5.1.2600.2180] . . c:\windows\system32\winlogon.exe [-] 2004-08-03 . 857BF7E41E312756C32B44E8C4446A96 . 1032192 . . [6.00.2900.2180] . . c:\windows\explorer.exe . ((((((((((((((((((((((((((((( [Link mogu videti samo ulogovani korisnici] ))))))))))))))))))))))))))))))))))))))))) . + 2011-01-05 17:29 . 2011-01-05 17:29 16384 c:\windows\Temp\Perflib_Perfdata_1fc.dat + 2001-08-23 13:00 . 2011-01-05 17:33 59780 c:\windows\system32\perfc009.dat - 2001-08-23 13:00 . 2011-01-04 18:59 59780 c:\windows\system32\perfc009.dat + 2001-08-23 13:00 . 2011-01-05 17:33 397560 c:\windows\system32\perfh009.dat - 2001-08-23 13:00 . 2011-01-04 18:59 397560 c:\windows\system32\perfh009.dat . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . Note empty entries & legit default entries are not shown REGEDIT4 [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks] "{91da5e8a-3318-4f8c-b67e-5964de3ab546}"= "c:\program files\ZoneAlarm_Security\tbZone.dll" [2010-12-01 2735200] [HKEY_CLASSES_ROOT\clsid\{91da5e8a-3318-4f8c-b67e-5964de3ab546}] [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{91da5e8a-3318-4f8c-b67e-5964de3ab546}] 2010-12-01 10:27 2735200 ----a-w- c:\program files\ZoneAlarm_Security\tbZone.dll [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar] "{91da5e8a-3318-4f8c-b67e-5964de3ab546}"= "c:\program files\ZoneAlarm_Security\tbZone.dll" [2010-12-01 2735200] [HKEY_CLASSES_ROOT\clsid\{91da5e8a-3318-4f8c-b67e-5964de3ab546}] [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "SetDefaultMIDI"="MIDIDef.exe" [2008-03-20 31232] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-05-10 8429568] "nwiz"="nwiz.exe" [2007-05-10 1626112] "NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-05-10 81920] "UpdReg"="c:\windows\UpdReg.EXE" [2000-05-11 90112] "CTHelper"="CTHELPER.EXE" [2008-03-20 23040] "CTxfiHlp"="CTXFIHLP.EXE" [2008-03-20 23552] "PCSuiteTrayApplication"="c:\program files\Nokia\Nokia PC Suite 6\LaunchApplication.exe" [2007-03-23 227328] "EPSON PageSTM TrayIcon01"="c:\program files\EPSON\BSTM\PG\E_L20IC2.EXE" [2007-12-11 151552] "ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2010-11-16 1043968] "ISW"="c:\program files\CheckPoint\ZAForceField\ForceField.exe" [2010-11-05 738808] "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-09-23 35760] "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-20 932288] [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run] "Nokia.PCSync"="c:\program files\Nokia\Nokia PC Suite 6\PcSync2.exe" [2007-03-27 1744896] c:\documents and settings\All Users\Start Menu\Programs\Startup\ Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360] [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall] "DisableMonitoring"=dword:00000001 [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List] "c:\\WINDOWS\\system32\\sessmgr.exe"= "c:\\WINDOWS\\system32\\ZoneLabs\\vsmon.exe"= R0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [6/19/2003 6:11 PM 685816] R2 ISWKL;ZoneAlarm Toolbar ISWKL;c:\program files\CheckPoint\ZAForceField\ISWKL.sys [11/5/2010 12:41 PM 26872] R2 IswSvc;ZoneAlarm Toolbar IswSvc;c:\program files\CheckPoint\ZAForceField\ISWSVC.exe [11/5/2010 12:41 PM 488952] R3 COMMONFX.SYS;COMMONFX.SYS;c:\windows\system32\drivers\COMMONFX.sys [3/20/2008 5:23 PM 98328] R3 CTEDSPFX.SYS;CTEDSPFX.SYS;c:\windows\system32\drivers\CTEDSPFX.sys [3/20/2008 5:32 PM 259096] R3 CTEDSPIO.SYS;CTEDSPIO.SYS;c:\windows\system32\drivers\CTEDSPIO.sys [3/20/2008 5:38 PM 134168] R3 CTEDSPSY.SYS;CTEDSPSY.SYS;c:\windows\system32\drivers\CTEDSPSY.sys [3/20/2008 5:37 PM 309784] S3 COMMONFX;COMMONFX;c:\windows\system32\drivers\COMMONFX.sys [3/20/2008 5:23 PM 98328] S3 CT20XUT.SYS;CT20XUT.SYS;c:\windows\system32\drivers\CT20XUT.sys [3/20/2008 5:36 PM 171032] S3 CT20XUT;CT20XUT;c:\windows\system32\drivers\CT20XUT.sys [3/20/2008 5:36 PM 171032] S3 CTAUDFX.SYS;CTAUDFX.SYS;c:\windows\system32\drivers\CTAUDFX.sys [3/20/2008 5:23 PM 528920] S3 CTAUDFX;CTAUDFX;c:\windows\system32\drivers\CTAUDFX.sys [3/20/2008 5:23 PM 528920] S3 CTEAPSFX.SYS;CTEAPSFX.SYS;c:\windows\system32\drivers\CTEAPSFX.sys [3/20/2008 5:26 PM 163352] S3 CTEAPSFX;CTEAPSFX;c:\windows\system32\drivers\CTEAPSFX.sys [3/20/2008 5:26 PM 163352] S3 CTEDSPFX;CTEDSPFX;c:\windows\system32\drivers\CTEDSPFX.sys [3/20/2008 5:32 PM 259096] S3 CTEDSPIO;CTEDSPIO;c:\windows\system32\drivers\CTEDSPIO.sys [3/20/2008 5:38 PM 134168] S3 CTEDSPSY;CTEDSPSY;c:\windows\system32\drivers\CTEDSPSY.sys [3/20/2008 5:37 PM 309784] S3 CTERFXFX.SYS;CTERFXFX.SYS;c:\windows\system32\drivers\CTERFXFX.sys [3/20/2008 5:36 PM 99352] S3 CTERFXFX;CTERFXFX;c:\windows\system32\drivers\CTERFXFX.sys [3/20/2008 5:36 PM 99352] S3 CTEXFIFX.SYS;CTEXFIFX.SYS;c:\windows\system32\drivers\CTEXFIFX.sys [3/20/2008 5:40 PM 1324056] S3 CTEXFIFX;CTEXFIFX;c:\windows\system32\drivers\CTEXFIFX.sys [3/20/2008 5:40 PM 1324056] S3 CTHWIUT.SYS;CTHWIUT.SYS;c:\windows\system32\drivers\CTHWIUT.sys [3/20/2008 5:37 PM 72728] S3 CTHWIUT;CTHWIUT;c:\windows\system32\drivers\CTHWIUT.sys [3/20/2008 5:37 PM 72728] S3 CTSBLFX.SYS;CTSBLFX.SYS;c:\windows\system32\drivers\CTSBLFX.sys [3/20/2008 5:25 PM 534040] S3 CTSBLFX;CTSBLFX;c:\windows\system32\drivers\CTSBLFX.sys [3/20/2008 5:25 PM 534040] S3 FirebirdServerMAGIXInstance;Firebird Server - MAGIX Instance;c:\program files\MAGIX\Common\Database\bin\fbserver.exe [6/6/2003 6:43 PM 1527900] . . ------- Supplementary Scan ------- . uStart Page = [Link mogu videti samo ulogovani korisnici] IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000 FF - ProfilePath - c:\documents and settings\Joca\Application Data\Mozilla\Firefox\Profiles\i5p9sa1q.default\ FF - prefs.js: browser.startup.homepage - [Link mogu videti samo ulogovani korisnici] FF - prefs.js: keyword.URL - [Link mogu videti samo ulogovani korisnici] FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd} FF - Ext: Java Console: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} FF - Ext: ZoneAlarm Security Engine: {FFB96CC1-7EB3-449D-B827-DB661701C6BB} - c:\program files\CheckPoint\ZAForceField\TrustChecker FF - Ext: ZoneAlarm Security Toolbar: {91da5e8a-3318-4f8c-b67e-5964de3ab546} - %profile%\extensions\{91da5e8a-3318-4f8c-b67e-5964de3ab546} . ************************************************************************ catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [Link mogu videti samo ulogovani korisnici] Rootkit scan 2011-01-05 18:42 Windows 5.1.2600 Service Pack 2 NTFS scanning hidden processes ... scanning hidden autostart entries ... scanning hidden files ... scan completed successfully hidden files: 0 ************************************************************************ [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Dnscache] "ServiceDll"="%CommonProgramFiles%\dns.cert" . --------------------- DLLs Loaded Under Running Processes --------------------- - - - - - - - > 'winlogon.exe'(736) c:\program files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll - - - - - - - > 'lsass.exe'(804) c:\program files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll . Completion time: 2011-01-05 18:43:27 ComboFix-quarantined-files.txt 2011-01-05 17:43 ComboFix2.txt 2011-01-05 17:31 Pre-Run: 150,843,019,264 bytes free Post-Run: 150,817,730,560 bytes free - - End Of File - - 3BB6A062D747882337BED0747C8E9A8D

Profil

1l padr1n0 Poslao: 06 Jan 2011 11:53 Idi na vrh
offline 1l padr1n0 Anti Malware Fighter Rank 2 Pridružio: 02 Feb 2008 Poruke: 14018 Gde živiš: Nish	0Niko još nije pohvalio poruku. Registruj se da bi pohvalio/la poruku! Korak 1 Preuzmi BlitzBlank sa sledeće adrese na Desktop: [Link mogu videti samo ulogovani korisnici] Pokreni BlitzBlank (dvoklikom na ikonicu); Kliknuti na karticu Script; U beli okvir prozora iskopirati sledeći tekst: `DeleteFile: c:\windows\system32\winlogon.exe c:\windows\explorer.exe MoveFile: c:\winlogon.exe c:\windows\system32\winlogon.exe c:\explorer.exe c:\windows\explorer.exe` Izvršiti komandu klikom na taster Execute Now; Na oba upita kliknuti OK. Napomena: Nakon restarta računara izveštaj će biti sačuvan pod nazivom blitzblank.log na sistemskoj particiji (tipična lokacija: C:\blitzblank.log); Sadržaj izveštaja blitzblank.log je potrebno iskopirati ovde u poruci. Korak 2 Pokreni ponovo Combo Fix i postavi mi sadrzaj svezeg log-a u sledecoj poruci. goran9888 (AMF Tim)

Profil

Blans Poslao: 06 Jan 2011 12:19 Idi na vrh
offline Blans Novi MyCity građanin Pridružio: 03 Jan 2011 Poruke: 8	0Niko još nije pohvalio poruku. Registruj se da bi pohvalio/la poruku! ComboFix 11-01-05.05 - Joca 01/06/2011 12:10:14.4.2 - x86 Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2047.1697 [GMT 1:00] Running from: c:\documents and settings\Joca\Desktop\ComboFix.exe FW: ZoneAlarm Firewall Disabled {829BDA32-94B3-44F4-8446-F8FCFF809F8B} . ((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) . c:\windows\system32\kb.dll . ((((((((((((((((((((((((( Files Created from 2010-12-06 to 2011-01-06 ))))))))))))))))))))))))))))))) . 2011-01-02 18:48 . 2011-01-02 18:48 -------- d-----w- c:\program files\Common Files\Adobe 2011-01-02 14:05 . 2011-01-02 14:05 -------- d-----w- c:\program files\Common Files\Java 2011-01-02 14:03 . 2011-01-02 14:03 472808 ----a-w- c:\windows\system32\deployJava1.dll 2011-01-02 14:03 . 2011-01-02 14:03 472808 ----a-w- c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll 2011-01-01 13:54 . 2011-01-04 11:40 -------- d-----w- C:\SECURITY 2010-12-31 12:53 . 2010-12-31 12:53 -------- d-----w- c:\documents and settings\Joca\Application Data\Malwarebytes 2010-12-31 12:52 . 2010-12-31 12:52 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes 2010-12-31 12:52 . 2010-12-20 17:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys 2010-12-31 12:52 . 2011-01-01 10:51 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware 2010-12-31 12:52 . 2010-12-20 17:08 20952 ----a-w- c:\windows\system32\drivers\mbam.sys 2010-12-18 15:39 . 2004-08-04 12:00 14336 ----a-w- c:\windows\system32\svchost.exe 2010-12-18 15:39 . 2001-08-23 10:00 12800 ----a-w- c:\windows\system32\svchost_old.exe 2010-12-17 21:56 . 2010-12-17 21:56 -------- d-----w- c:\documents and settings\Administrator . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2011-01-06 11:06 . 2004-08-03 22:56 1032192 ----a-w- c:\windows\explorer.exe 2011-01-06 11:06 . 2004-08-03 22:56 502272 ----a-w- c:\windows\system32\winlogon.exe 2011-01-02 14:03 . 2009-12-27 12:34 73728 ----a-w- c:\windows\system32\javacpl.cpl . ((((((((((((((((((((((((((((( [Link mogu videti samo ulogovani korisnici] ))))))))))))))))))))))))))))))))))))))))) . + 2011-01-06 11:07 . 2011-01-06 11:07 16384 c:\windows\Temp\Perflib_Perfdata_204.dat + 2001-08-23 13:00 . 2011-01-06 11:11 59780 c:\windows\system32\perfc009.dat - 2001-08-23 13:00 . 2011-01-04 18:59 59780 c:\windows\system32\perfc009.dat + 2001-08-23 13:00 . 2011-01-06 11:11 397560 c:\windows\system32\perfh009.dat - 2001-08-23 13:00 . 2011-01-04 18:59 397560 c:\windows\system32\perfh009.dat . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . Note empty entries & legit default entries are not shown REGEDIT4 [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks] "{91da5e8a-3318-4f8c-b67e-5964de3ab546}"= "c:\program files\ZoneAlarm_Security\tbZone.dll" [2010-12-01 2735200] [HKEY_CLASSES_ROOT\clsid\{91da5e8a-3318-4f8c-b67e-5964de3ab546}] [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{91da5e8a-3318-4f8c-b67e-5964de3ab546}] 2010-12-01 10:27 2735200 ----a-w- c:\program files\ZoneAlarm_Security\tbZone.dll [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar] "{91da5e8a-3318-4f8c-b67e-5964de3ab546}"= "c:\program files\ZoneAlarm_Security\tbZone.dll" [2010-12-01 2735200] [HKEY_CLASSES_ROOT\clsid\{91da5e8a-3318-4f8c-b67e-5964de3ab546}] [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "SetDefaultMIDI"="MIDIDef.exe" [2008-03-20 31232] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-05-10 8429568] "nwiz"="nwiz.exe" [2007-05-10 1626112] "NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-05-10 81920] "UpdReg"="c:\windows\UpdReg.EXE" [2000-05-11 90112] "CTHelper"="CTHELPER.EXE" [2008-03-20 23040] "CTxfiHlp"="CTXFIHLP.EXE" [2008-03-20 23552] "PCSuiteTrayApplication"="c:\program files\Nokia\Nokia PC Suite 6\LaunchApplication.exe" [2007-03-23 227328] "EPSON PageSTM TrayIcon01"="c:\program files\EPSON\BSTM\PG\E_L20IC2.EXE" [2007-12-11 151552] "ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2010-11-16 1043968] "ISW"="c:\program files\CheckPoint\ZAForceField\ForceField.exe" [2010-11-05 738808] "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-09-23 35760] "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-20 932288] [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run] "Nokia.PCSync"="c:\program files\Nokia\Nokia PC Suite 6\PcSync2.exe" [2007-03-27 1744896] c:\documents and settings\All Users\Start Menu\Programs\Startup\ Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360] [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall] "DisableMonitoring"=dword:00000001 [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List] "c:\\WINDOWS\\system32\\sessmgr.exe"= "c:\\WINDOWS\\system32\\ZoneLabs\\vsmon.exe"= R0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [6/19/2003 6:11 PM 685816] R2 ISWKL;ZoneAlarm Toolbar ISWKL;c:\program files\CheckPoint\ZAForceField\ISWKL.sys [11/5/2010 12:41 PM 26872] R2 IswSvc;ZoneAlarm Toolbar IswSvc;c:\program files\CheckPoint\ZAForceField\ISWSVC.exe [11/5/2010 12:41 PM 488952] R3 COMMONFX.SYS;COMMONFX.SYS;c:\windows\system32\drivers\COMMONFX.sys [3/20/2008 5:23 PM 98328] R3 CTEDSPFX.SYS;CTEDSPFX.SYS;c:\windows\system32\drivers\CTEDSPFX.sys [3/20/2008 5:32 PM 259096] R3 CTEDSPIO.SYS;CTEDSPIO.SYS;c:\windows\system32\drivers\CTEDSPIO.sys [3/20/2008 5:38 PM 134168] R3 CTEDSPSY.SYS;CTEDSPSY.SYS;c:\windows\system32\drivers\CTEDSPSY.sys [3/20/2008 5:37 PM 309784] S3 COMMONFX;COMMONFX;c:\windows\system32\drivers\COMMONFX.sys [3/20/2008 5:23 PM 98328] S3 CT20XUT.SYS;CT20XUT.SYS;c:\windows\system32\drivers\CT20XUT.sys [3/20/2008 5:36 PM 171032] S3 CT20XUT;CT20XUT;c:\windows\system32\drivers\CT20XUT.sys [3/20/2008 5:36 PM 171032] S3 CTAUDFX.SYS;CTAUDFX.SYS;c:\windows\system32\drivers\CTAUDFX.sys [3/20/2008 5:23 PM 528920] S3 CTAUDFX;CTAUDFX;c:\windows\system32\drivers\CTAUDFX.sys [3/20/2008 5:23 PM 528920] S3 CTEAPSFX.SYS;CTEAPSFX.SYS;c:\windows\system32\drivers\CTEAPSFX.sys [3/20/2008 5:26 PM 163352] S3 CTEAPSFX;CTEAPSFX;c:\windows\system32\drivers\CTEAPSFX.sys [3/20/2008 5:26 PM 163352] S3 CTEDSPFX;CTEDSPFX;c:\windows\system32\drivers\CTEDSPFX.sys [3/20/2008 5:32 PM 259096] S3 CTEDSPIO;CTEDSPIO;c:\windows\system32\drivers\CTEDSPIO.sys [3/20/2008 5:38 PM 134168] S3 CTEDSPSY;CTEDSPSY;c:\windows\system32\drivers\CTEDSPSY.sys [3/20/2008 5:37 PM 309784] S3 CTERFXFX.SYS;CTERFXFX.SYS;c:\windows\system32\drivers\CTERFXFX.sys [3/20/2008 5:36 PM 99352] S3 CTERFXFX;CTERFXFX;c:\windows\system32\drivers\CTERFXFX.sys [3/20/2008 5:36 PM 99352] S3 CTEXFIFX.SYS;CTEXFIFX.SYS;c:\windows\system32\drivers\CTEXFIFX.sys [3/20/2008 5:40 PM 1324056] S3 CTEXFIFX;CTEXFIFX;c:\windows\system32\drivers\CTEXFIFX.sys [3/20/2008 5:40 PM 1324056] S3 CTHWIUT.SYS;CTHWIUT.SYS;c:\windows\system32\drivers\CTHWIUT.sys [3/20/2008 5:37 PM 72728] S3 CTHWIUT;CTHWIUT;c:\windows\system32\drivers\CTHWIUT.sys [3/20/2008 5:37 PM 72728] S3 CTSBLFX.SYS;CTSBLFX.SYS;c:\windows\system32\drivers\CTSBLFX.sys [3/20/2008 5:25 PM 534040] S3 CTSBLFX;CTSBLFX;c:\windows\system32\drivers\CTSBLFX.sys [3/20/2008 5:25 PM 534040] S3 FirebirdServerMAGIXInstance;Firebird Server - MAGIX Instance;c:\program files\MAGIX\Common\Database\bin\fbserver.exe [6/6/2003 6:43 PM 1527900] . . ------- Supplementary Scan ------- . uStart Page = [Link mogu videti samo ulogovani korisnici] IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000 FF - ProfilePath - c:\documents and settings\Joca\Application Data\Mozilla\Firefox\Profiles\i5p9sa1q.default\ FF - prefs.js: browser.startup.homepage - [Link mogu videti samo ulogovani korisnici] FF - prefs.js: keyword.URL - [Link mogu videti samo ulogovani korisnici] FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd} FF - Ext: Java Console: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} FF - Ext: ZoneAlarm Security Engine: {FFB96CC1-7EB3-449D-B827-DB661701C6BB} - c:\program files\CheckPoint\ZAForceField\TrustChecker FF - Ext: ZoneAlarm Security Toolbar: {91da5e8a-3318-4f8c-b67e-5964de3ab546} - %profile%\extensions\{91da5e8a-3318-4f8c-b67e-5964de3ab546} . ************************************************************************ catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [Link mogu videti samo ulogovani korisnici] Rootkit scan 2011-01-06 12:13 Windows 5.1.2600 Service Pack 2 NTFS scanning hidden processes ... scanning hidden autostart entries ... scanning hidden files ... scan completed successfully hidden files: 0 ************************************************************************ [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Dnscache] "ServiceDll"="%CommonProgramFiles%\dns.cert" . --------------------- DLLs Loaded Under Running Processes --------------------- - - - - - - - > 'winlogon.exe'(748-) c:\program files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll - - - - - - - > 'lsass.exe'(804) c:\program files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll . Completion time: 2011-01-06 12:15:05 ComboFix-quarantined-files.txt 2011-01-06 11:15 ComboFix2.txt 2011-01-05 17:43 ComboFix3.txt 2011-01-05 17:31 Pre-Run: 150,927,110,144 bytes free Post-Run: 150,902,583,296 bytes free - - End Of File - - 9325B0683EEFDFA01C5543B164831F64 BlitzBlank 1.0.0.32 File/Registry Modification Engine native application MoveFileOnReboot: sourceFile = "\??\c:\windows\system32\winlogon.exe", destinationFile = "(null)", replaceWithDummy = 0 MoveFileOnReboot: sourceFile = "\??\c:\windows\explorer.exe", destinationFile = "(null)", replaceWithDummy = 0 MoveFileOnReboot: sourceFile = "\??\c:\winlogon.exe", destinationFile = "\??\c:\windows\system32\winlogon.exe", replaceWithDummy = 0 MoveFileOnReboot: sourceFile = "\??\c:\explorer.exe", destinationFile = "\??\c:\windows\explorer.exe", replaceWithDummy = 0

Profil

1l padr1n0 Poslao: 07 Jan 2011 02:26 Idi na vrh
offline 1l padr1n0 Anti Malware Fighter Rank 2 Pridružio: 02 Feb 2008 Poruke: 14018 Gde živiš: Nish	0Niko još nije pohvalio poruku. Registruj se da bi pohvalio/la poruku! Kakvo je sada stanje racunara? ----------------------------------- Korak 1 Start -> Run `regedit.exe /e c:\dnscache.txt "HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Dnscache"` Pritisni Enter Sada mi upload-uj fajl opcijom Prikaci fajl, uz sledecu poruku: C:\dnscache.txt Korak 2 - Preuzmi USBNoRisk na Desktop i pokreni ga duplim klikom na ikonicu programa. - Sacekaj koji sekund dok program izvrsi inicijalno skeniranje. - Ubacuj sve USB memorijske uredjaje redom u USB slot i svaki zadrzi u slotu po 10 sekundi. - Ukoliko imas vise uredjaja za proveru, onda na parcetu papira zapisi kojim redom su ubacivani jer ce nam kasnije trebati taj podatak - Kada zavrsis sa svim uredjajima, klikni desno dugme misa na sred prozora programa i odaberi opciju Save scrambled log. To ce automatski otvoriti log u Notepadu. Iskopiraj nam taj log iz Notepada na forum. Objasnjenje: U USB memorijske uredjaje spadaju svi oni uredjaji koji po prikljucivanju na kompjuter dobijaju svoju oznaku particije. Tu spadaju USB flash drajvovi, eksterni hard-diskovi, memorijske kartice, MP3 i MP4 plejeri, neki mobilni telefoni, neki GPS (navigacioni) uredjaji itd. goran9888 (AMF Tim)

Profil

Blans Poslao: 07 Jan 2011 10:41 Idi na vrh
offline Blans Novi MyCity građanin Pridružio: 03 Jan 2011 Poruke: 8	0Niko još nije pohvalio poruku. Registruj se da bi pohvalio/la poruku! Uloguj se preko Facebooka da bi skinuo fajl: Sada sve izgleda OK, ne primecujem nikakve redirekcije. Svaka cast i veliko hvala na pomoci! USB redom: 1. Kingston flash 2. Canyon flash (kreira dve particije, jednu zasticenu) 3. WD passport disk USBNoRisk 2.7 (28 December 2010) by bobby Started at 1/7/2011 10:37:54 AM Searching for connected USB Mass storage... ---------------------------------------- ======================================== Searching for other storage... ---------------------------------------- C: {6f561263-a16a-11dd-8919-806d6172696f} E: {6f561265-a16a-11dd-8919-806d6172696f} ======================================== Scanning fixed storage... ---------------------------------------- No blocked files found on C: No autorun.inf files found on C: No mountpoint found for C: No mountpoint found for 6f561263-a16a-11dd-8919-806d6172696f No Desktop.ini files found on C: ---------------------------------------- No blocked files found on E: No autorun.inf files found on E: No mountpoint found for E: No mountpoint found for 6f561265-a16a-11dd-8919-806d6172696f No Desktop.ini files found on E: ---------------------------------------- ======================================== Initial scan finished! ======================================== New device connected at 1/7/2011 10:38:06 AM Scanning for connected USB mass storage... ---------------------------------------- F: {fde23282-a135-11dd-90b4-0022158834b5} Added F: ======================================== Scanning USB mass storage for files... ---------------------------------------- No blocked files found on F: ---------------------------------------- No autorun.inf files found on F: No mountpoint found for fde23282-a135-11dd-90b4-0022158834b5 ---------------------------------------- ---------------------------------------- Desktop.ini found at F:\RECYCLER\ contains interesting CLSID string ---------------------------------------- [.ShellClassInfo] CLSID={645FF040-5081-101B-9F08-00AA002F954E} ---------------------------------------- HKCR\CLSID\{645FF040-5081-101B-9F08-00AA002F954E},InfoTip = @%SystemRoot%\system32\SHELL32.dll,-22915 HKCR\CLSID\{645FF040-5081-101B-9F08-00AA002F954E},IntroText = @%SystemRoot%\system32\SHELL32.dll,-31748 HKCR\CLSID\{645FF040-5081-101B-9F08-00AA002F954E},LocalizedString = @%SystemRoot%\system32\SHELL32.dll,-8964 HKCR\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\DefaultIcon,@ = %SystemRoot%\System32\shell32.dll,31 HKCR\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\DefaultIcon,Empty = %SystemRoot%\System32\shell32.dll,31 HKCR\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\DefaultIcon,Full = %SystemRoot%\System32\shell32.dll,32 HKCR\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\InProcServer32,@ = shell32.dll HKLM\Software\Classes\CLSID\{645FF040-5081-101B-9F08-00AA002F954E},InfoTip = @%SystemRoot%\system32\SHELL32.dll,-22915 HKLM\Software\Classes\CLSID\{645FF040-5081-101B-9F08-00AA002F954E},IntroText = @%SystemRoot%\system32\SHELL32.dll,-31748 HKLM\Software\Classes\CLSID\{645FF040-5081-101B-9F08-00AA002F954E},LocalizedString = @%SystemRoot%\system32\SHELL32.dll,-8964 HKLM\Software\Classes\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\DefaultIcon,@ = %SystemRoot%\System32\shell32.dll,31 HKLM\Software\Classes\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\DefaultIcon,Empty = %SystemRoot%\System32\shell32.dll,31 HKLM\Software\Classes\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\DefaultIcon,Full = %SystemRoot%\System32\shell32.dll,32 HKLM\Software\Classes\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\InProcServer32,@ = shell32.dll ---------------------------------------- No mimics found on drive F: ---------------------------------------- .lnk/.pif/.com/.scr files found on drive F: ======================================== ======================================== Removed F: ======================================== New device connected at 1/7/2011 10:38:27 AM Scanning for connected USB mass storage... ---------------------------------------- F: {5de7882c-b873-11dd-90cd-0022158834b5} Added F: ======================================== Scanning USB mass storage for files... ---------------------------------------- No blocked files found on F: ---------------------------------------- No autorun.inf files found on F: No mountpoint found for 5de7882c-b873-11dd-90cd-0022158834b5 ---------------------------------------- No Desktop.ini files found on F: ---------------------------------------- No mimics found on drive F: ---------------------------------------- No .lnk/.pif/.com/.scr files found on drive F: ======================================== New device connected at 1/7/2011 10:38:33 AM Scanning for connected USB mass storage... ---------------------------------------- G: {5de7882d-b873-11dd-90cd-0022158834b5} Added G: ======================================== Scanning USB mass storage for files... ---------------------------------------- Blocked file found: G:\autorun.inf.blocked ---------------------------------------- Content of G:\autorun.inf.blocked ---------------------------------------- [autorun] kfËÀÝÔÛÄLëàäÔÛÆÀËÆÖÉëîàÖÇÝÉÄÀÖÉòîàýùÀÝÖÐÎÀÙÔÝËÆÀö shell\\\Install\\\command=ZELJKA\\\stojanovic.exe shell\\\open\\\command=ZELJKA\\\stojanovic.exe shell\\\explore\\\command=ZELJKA\\\stojanovic.exe shell\\\open\\\command=ZELJKA\\\stojanovic.exe shellexecute=ZELJKA\\\stojanovic.exe open=ZELJKA\\\stojanovic.exe action=open folder to view files using Windovs Explorer USEAUTOPLAY=1 Icon=ZELJKA\\\stojanovic.exe ---------------------------------------- Files referenced from G:\autorun.inf.blocked ---------------------------------------- None ---------------------------------------- ---------------------------------------- No autorun.inf files found on G: No mountpoint found for 5de7882d-b873-11dd-90cd-0022158834b5 ---------------------------------------- No Desktop.ini files found on G: ---------------------------------------- No mimics found on drive G: ---------------------------------------- No .lnk/.pif/.com/.scr files found on drive G: ======================================== ======================================== Removed G: ======================================== New device connected at 1/7/2011 10:39:05 AM Scanning for connected USB mass storage... ---------------------------------------- F: {38c8f430-a1d6-11dd-90bc-0022158834b5} Added F: ======================================== Scanning USB mass storage for files... ---------------------------------------- No blocked files found on F: ---------------------------------------- No autorun.inf files found on F: No mountpoint found for F: No mountpoint found for 38c8f430-a1d6-11dd-90bc-0022158834b5 ---------------------------------------- ---------------------------------------- Desktop.ini found at F:\Recycled\ contains interesting CLSID string ---------------------------------------- [.ShellClassInfo] CLSID={645FF040-5081-101B-9F08-00AA002F954E} ---------------------------------------- HKCR\CLSID\{645FF040-5081-101B-9F08-00AA002F954E},InfoTip = @%SystemRoot%\system32\SHELL32.dll,-22915 HKCR\CLSID\{645FF040-5081-101B-9F08-00AA002F954E},IntroText = @%SystemRoot%\system32\SHELL32.dll,-31748 HKCR\CLSID\{645FF040-5081-101B-9F08-00AA002F954E},LocalizedString = @%SystemRoot%\system32\SHELL32.dll,-8964 HKCR\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\DefaultIcon,@ = %SystemRoot%\System32\shell32.dll,31 HKCR\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\DefaultIcon,Empty = %SystemRoot%\System32\shell32.dll,31 HKCR\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\DefaultIcon,Full = %SystemRoot%\System32\shell32.dll,32 HKCR\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\InProcServer32,@ = shell32.dll HKLM\Software\Classes\CLSID\{645FF040-5081-101B-9F08-00AA002F954E},InfoTip = @%SystemRoot%\system32\SHELL32.dll,-22915 HKLM\Software\Classes\CLSID\{645FF040-5081-101B-9F08-00AA002F954E},IntroText = @%SystemRoot%\system32\SHELL32.dll,-31748 HKLM\Software\Classes\CLSID\{645FF040-5081-101B-9F08-00AA002F954E},LocalizedString = @%SystemRoot%\system32\SHELL32.dll,-8964 HKLM\Software\Classes\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\DefaultIcon,@ = %SystemRoot%\System32\shell32.dll,31 HKLM\Software\Classes\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\DefaultIcon,Empty = %SystemRoot%\System32\shell32.dll,31 HKLM\Software\Classes\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\DefaultIcon,Full = %SystemRoot%\System32\shell32.dll,32 HKLM\Software\Classes\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\InProcServer32,@ = shell32.dll ---------------------------------------- No mimics found on drive F: ---------------------------------------- .lnk/.pif/.com/.scr files found on drive F: ======================================== [Link mogu videti samo ulogovani korisnici]*

Profil

1l padr1n0 Poslao: 07 Jan 2011 14:15 Idi na vrh
offline 1l padr1n0 Anti Malware Fighter Rank 2 Pridružio: 02 Feb 2008 Poruke: 14018 Gde živiš: Nish	0Niko još nije pohvalio poruku. Registruj se da bi pohvalio/la poruku! Nema na cemu. Idemo dalje ... Korak 1 Otvoriti Notepad i iskopirati sledeci tekst: `Registry:: [HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Dnscache\Parameters] "ServiceDll"=hex(2):25,53,79,73,74,65,6d,52,6f,6f,74,25,5c,53,79,73,74,65,6d,33,32,5c,64,\ 6e,73,72,73,6c,76,72,2e,64,6c,6c,00` Snimiti na Desktop fajl iz Notepada kao "CFScript" Prevuci snimljeni skript/tekst na ComboFix ikonicu kao na slici. Postaviti u sledecoj poruci log koji bude bio napravljen na kraju ciscenja/skeniranja. -------------- Korak 2 ---> Ponoviti za svaki USB memorijski uredjaj ponaosob - Pokrenuti USBNoRisk i sačekati da izvrši inicijalno skeniranje. - Po završetku inicijalnog skeniranja priključiti USB memorijski uređaj. - Kliknuti na karticu Script; U beli okvir prozora iskopirati sledeći tekst: `{fde23282-a135-11dd-90b4-0022158834b5} folder_list:%DRIVE% no_sh: {5de7882c-b873-11dd-90cd-0022158834b5} folder_list:%DRIVE% no_sh: {5de7882d-b873-11dd-90cd-0022158834b5} folder_list:%DRIVE% no_sh: {38c8f430-a1d6-11dd-90bc-0022158834b5} folder_list:%DRIVE% no_sh:` - Izvršiti komandu klikom na taster Run Script; Po izvršenju komande USBNoRisk će se automatski vratiti na karticu Monitor; - Uraditi desni klik unutar belog okvira prozora i odabrati opciju Save Scrambled Log; Otvoriće se prozor Notepad_a sa tekstom koji je potrebno iskopirati ovde u poruci. goran9888 (AMF Tim)

Profil

MyCity » Ambulanta -> Arhiva Ambulante » Uporni malware

Ko je trenutno na forumu

Ukupno su 1462 korisnika na forumu :: 28 registrovanih, 1 sakriven i 1433 gosta :: [ Administrator ] [ Supermoderator ] [ Moderator ] :: Detaljnije

Najviše korisnika na forumu ikad bilo je 15694 - dana 01 Feb 2026 12:23

Korisnici koji su trenutno na forumu:: Korisnici trenutno na forumu: -[CoA]-, 1MAP, Asteker, Boris90, Burovnyak, Butcher, cikadeda, Crazzer, darkkran, DonRumataEstorski, draganl, eagle.rs, goran.vvv, grunff2, Haris, kybonacci, Leonov, Magarac, Muki 123, Mzee, Nepopravljivi, Pero Petković, Robin, Timočka Divizija, vidra boy, vidra1, Zastava, šumar bk2

Svaki korisnik ovog sajta je odgovoran za sadržaj svoje poruke koju objavi na sajtu. Sajt se odriče svake odgovornosti za sadržaj tih poruka.
Postavljanjem vaše poruke ili vašeg autorskog dela na ovaj sajt, saglasni ste da ovaj sajt postaje distributer vašeg dela, i odričete se mogućnosti njegovog povlačenja ili brisanja, bez saglasnosti uprave sajta.
Distribucija sadržaja sa ovog sajta je dozvoljena samo u nekomercijalne svrhe, uz obaveznu napomenu da je sadržaj preuzet sa ovog sajta, i uz obavezno navođenje adrese MyCity sajta. Za sve ostale vidove distribucije obavezni ste da prethodno zatražite odobrenje od vlasnika MyCity sajta.
MyCity pokrenuo, administrira i razvija Predrag Damnjanović, a o uređenju sajta se brine MyCity Tim.
Ukoliko želite da nas kontaktirate kliknite ovde.
Naši sajtovi:
Vesti, Vojni forum, Zaštita od virusa, TekstPesme.rs

This content is licensed under a Creative Commons License.
Based on phpBB 2, translated by Simke, designed by