Virus pomoć

Virus pomoć

offline
  • mita08 
  • Novi MyCity građanin
  • Pridružio: 29 Nov 2008
  • Poruke: 5

Evo i putanje do virusa, ima ih više (kopirao sam log fajl iz NOD32)

29.11.2008 14:35:44 Real-time file system protection file C:\WINDOWS\system32\dse235rgd0.dll probably a variant of Win32/Spy.Banker trojan cleaned by deleting - quarantined NT AUTHORITY\SYSTEM Event occurred on a new file created by the application: C:\WINDOWS\system32\kxvo.exe.
29.11.2008 14:34:17 Real-time file system protection file C:\WINDOWS\system32\wedasgads0.dll probably a variant of Win32/PSW.OnLineGames trojan cleaned by deleting (after the next restart) - quarantined NT AUTHORITY\SYSTEM Event occurred during an attempt to run the file by the application: C:\WINDOWS\system32\taskmgr.exe.
29.11.2008 14:34:13 Real-time file system protection file D:\dwg3gngs.exe a variant of Win32/Pacex.Gen virus unable to clean NT AUTHORITY\SYSTEM Event occurred on a new file created by the application: C:\WINDOWS\Explorer.EXE.
29.11.2008 14:34:06 Real-time file system protection file C:\dwg3gngs.exe a variant of Win32/Pacex.Gen virus unable to clean NT AUTHORITY\SYSTEM Event occurred on a new file created by the application: C:\WINDOWS\Explorer.EXE.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 14:39:21, on 29.11.2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.20815)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\Program Files\CA\SharedComponents\CA_LIC\LogWatNT.exe
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\CyberLink\PowerDVD8\PDVD8Serv.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Cyberlink\Shared Files\brs.exe
C:\Program Files\File Seeker\FSeekerDBUpdater.exe
C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe
C:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.EXE
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\PROGRA~1\COMMON~1\PCSuite\Services\SERVIC~1.EXE
C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Dijuf\Desktop\New Folder\TR3.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~3\Office12\GRA8E1~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: IEHlprObj Class - {CE7C3CF0-4B15-11D1-ABED-709549C10000} - (no file)
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [NBKeyScan] "C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"
O4 - HKLM\..\Run: [RemoteControl8] "C:\Program Files\CyberLink\PowerDVD8\PDVD8Serv.exe"
O4 - HKLM\..\Run: [PDVD8LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD8\Language\Language.exe"
O4 - HKLM\..\Run: [BDRegion] C:\Program Files\Cyberlink\Shared Files\brs.exe
O4 - HKLM\..\Run: [FileSeekerUpdater] "C:\Program Files\File Seeker\FSeekerDBUpdater.exe" -start
O4 - HKLM\..\Run: [Sony Ericsson PC Suite] "C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.EXE -onlytray
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKCU\..\Run: [kxva] C:\WINDOWS\system32\kxvo.exe
O4 - Global Startup: AutoCAD Startup Accelerator.lnk = C:\Program Files\Common Files\Autodesk Shared\acstart17.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MIC273~1\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O13 - Gopher Prefix:
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~3\Office12\GR99D3~1.DLL
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: Event Log Watch (LogWatch) - Computer Associates - C:\Program Files\CA\SharedComponents\CA_LIC\LogWatNT.exe
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: TuneUp Drive Defrag Service (TuneUp.Defrag) - TuneUp Software GmbH - C:\WINDOWS\System32\TuneUpDefragService.exe

--
End of file - 7272 bytes

offline
  • diarno  Male
  • Anti Malware Fighter
    Rank 2
  • Pridružio: 15 Jun 2007
  • Poruke: 5572

Pozdrav ...

Uradi sledece :

Arrow Privremeno iskljuci NOD32:

Ukoliko je verzija 2.xx

* Otvori Nod32 Control Center (Klik na njegovu tray ikonicu ( ) u donjem desnom uglu ekrana).
* Izaberi AMON iz Threat Protection grupe opcija.
* Na desnom panelu deštikliraj opciju File system monitor (AMON) enabled.
* Gašenje ove opcije pokazaće se kroz promenu boje Control Center-a iz zelene u crvenu.

Napomena: Ne zaboravi da uključiš ovu opciju po završetku čišćenja.

Ukoliko je verzija 3.xx





Arrow Skini ComboFix sa jedne od sledecih adresa na Desktop:
http://download.bleepingcomputer.com/sUBs/ComboFix.exe
http://www.forospyware.com/sUBs/ComboFix.exe
http://subs.geekstogo.com/ComboFix.exe

Startuj ga i ne diraj prozor programa dok skenira.
Sledi uputstva na ekranu. Kada zavrsi pojavice se log (C:\ComboFix.txt) koji ces nam ovde iskopirati.

offline
  • mita08 
  • Novi MyCity građanin
  • Pridružio: 29 Nov 2008
  • Poruke: 5

Evo log fajl:

ComboFix 08-11-29.02 - Dijuf 2008-11-29 21:11:04.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1250.381.1033.18.389 [GMT 1:00]
Running from: c:\documents and settings\Dijuf\Desktop\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\autorun.inf
c:\documents and settings\Dijuf\Application Data\google\runhh6110411.exe
c:\windows\system32\kxvo.exe
c:\windows\system32\x64
D:\Autorun.inf

.
((((((((((((((((((((((((( Files Created from 2008-10-28 to 2008-11-29 )))))))))))))))))))))))))))))))
.

2008-11-29 09:27 . 2005-10-05 15:44 170,220 -r-hs---- C:\dwg3gngs.exe
2008-11-28 21:44 . 2008-01-07 14:29 352 --ah----- c:\windows\nod32fixtemdono.reg
2008-11-28 21:28 . 2008-11-28 21:28 <DIR> d-------- c:\program files\ESET
2008-11-28 21:28 . 2008-11-28 21:28 <DIR> d-------- c:\documents and settings\All Users\Application Data\ESET
2008-11-28 21:26 . 2008-11-28 21:26 <DIR> d-------- c:\program files\Dobar nod

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-11-29 13:46 --------- d-----w c:\program files\File Seeker
2008-11-28 20:56 --------- d-----w c:\documents and settings\All Users\Application Data\Kaspersky Lab
2008-10-27 12:30 --------- d-----w c:\documents and settings\Dijuf\Application Data\Sports Interactive
2008-10-27 12:28 --------- d--h--w c:\program files\Zero G Registry
2008-10-22 18:57 --------- d-----w c:\program files\MathType5_2a
2008-10-22 18:56 --------- d-----w c:\program files\MathType
2008-10-22 18:56 --------- d-----w c:\documents and settings\Dijuf\Application Data\Design Science
2008-10-12 15:01 --------- d-----w c:\program files\Java
2008-10-12 14:58 --------- d-----w c:\program files\Common Files\Java
2008-10-09 17:52 --------- d-----w c:\documents and settings\Dijuf\Application Data\Winamp
2008-10-02 21:15 --------- d-----w c:\documents and settings\Dijuf\Application Data\BSplayer Pro
2008-09-29 21:20 --------- d-----w c:\documents and settings\All Users\Application Data\Microsoft Help
2008-09-13 18:04 98,304 ----a-w c:\windows\system32\CmdLineExt.dll
2008-09-04 22:36 155,995 ----a-w c:\windows\java\Packages\9R9RDRTB.ZIP
2008-09-02 22:09 307,968 ----a-w c:\windows\system32\TuneUpDefragService.exe
2008-09-02 21:57 505,128 ----a-w c:\windows\system32\msvcp71.dll
2008-09-02 21:57 353,576 ----a-w c:\windows\system32\msvcr71.dll
2008-09-02 21:57 29,480 ----a-w c:\windows\system32\msxml3a.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Nero\Lib\NMBgMonitor.exe" [2007-10-23 202024]
"DAEMON Tools"="c:\program files\DAEMON Tools\daemon.exe" [2007-04-03 165784]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-12-19 135168]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-12-19 159744]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-12-19 131072]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-27 31016]
"NeroFilterCheck"="c:\program files\Common Files\Nero\Lib\NeroCheck.exe" [2007-03-01 153136]
"NBKeyScan"="c:\program files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe" [2007-09-20 1836328]
"RemoteControl8"="c:\program files\CyberLink\PowerDVD8\PDVD8Serv.exe" [2008-03-20 83240]
"PDVD8LanguageShortcut"="c:\program files\CyberLink\PowerDVD8\Language\Language.exe" [2007-12-14 50472]
"BDRegion"="c:\program files\Cyberlink\Shared Files\brs.exe" [2008-04-21 91432]
"FileSeekerUpdater"="c:\program files\File Seeker\FSeekerDBUpdater.exe" [2007-01-12 603648]
"Sony Ericsson PC Suite"="c:\program files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" [2006-11-24 487424]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
"PCSuiteTrayApplication"="c:\progra~1\Nokia\NOKIAP~1\LAUNCH~1.EXE" [2005-12-13 217088]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"egui"="c:\program files\ESET\ESET NOD32 Antivirus\egui.exe" [2007-12-21 1443072]
"RTHDCPL"="RTHDCPL.EXE" [2008-04-10 c:\windows\RTHDCPL.EXE]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
AutoCAD Startup Accelerator.lnk - c:\program files\Common Files\Autodesk Shared\acstart17.exe [2006-03-05 11000]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.I420"= i420vfw.dll
"msacm.divxa32"= divxa32.acm
"msacm.l3fhg"= mp3fhg.acm
"VIDC.X264"= x264vfw.dll
"VIDC.HFYU"= huffyuv.dll
"vidc.i263"= i263_32.drv
"msacm.ac3filter"= ac3filter.acm

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=

R0 iastor78;iastor78;c:\windows\system32\drivers\iastor78.sys [2008-08-24 308248]
R1 epfwtdir;epfwtdir;c:\windows\system32\DRIVERS\epfwtdir.sys [2007-12-21 33800]
R2 {FE4C91E7-22C2-4D0C-9F6B-82F1B7742054};{FE4C91E7-22C2-4D0C-9F6B-82F1B7742054};\??\c:\program files\CyberLink\PowerDVD8\000.fcl [2008-02-01 16:24:04 41456]
R2 LogWatch;Event Log Watch;"c:\program files\CA\SharedComponents\CA_LIC\LogWatNT.exe" [2005-02-23 53248]
S3 AVPsys;AVPsys;\??\c:\windows\system32\drivers\cdaudio.sys [2001-08-17 18688]
S3 k510bus;Sony Ericsson K510 Driver driver (WDM);c:\windows\system32\DRIVERS\k510bus.sys [2008-09-09 58288]
S3 k510mdfl;Sony Ericsson K510 USB WMC Modem Filter;c:\windows\system32\DRIVERS\k510mdfl.sys [2008-09-09 8336]
S3 k510mdm;Sony Ericsson K510 USB WMC Modem Driver;c:\windows\system32\DRIVERS\k510mdm.sys [2008-09-09 94064]
S3 k510mgmt;Sony Ericsson K510 USB WMC Device Management Drivers (WDM);c:\windows\system32\DRIVERS\k510mgmt.sys [2008-09-09 85408]
S3 k510obex;Sony Ericsson K510 USB WMC OBEX Interface;c:\windows\system32\DRIVERS\k510obex.sys [2008-09-09 83344]
S3 usnjsvc;Messenger Sharing Folders USN Journal Reader service;"c:\program files\Windows Live\Messenger\usnsvc.exe" [2007-10-18 98328]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{24901661-7aa8-11dd-80d0-f970e432be62}]
\Shell\AutoRun\command - G:\dwg3gngs.exe
\Shell\explore\Command - G:\dwg3gngs.exe
\Shell\open\Command - G:\dwg3gngs.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{351134bf-b67e-11dd-81a8-001eec4adabb}]
\Shell\AutoRun\command - G:\xih9.cmd
\Shell\explore\Command - G:\xih9.cmd
\Shell\open\Command - G:\xih9.cmd

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{aba19362-899f-11dd-810c-cc84c17d8c6c}]
\Shell\AutoRun\command - G:\dwg3gngs.exe
\Shell\explore\Command - G:\dwg3gngs.exe
\Shell\open\Command - G:\dwg3gngs.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c3715c47-7d99-11dd-80de-001eec4adabb}]
\Shell\AutoRun\command - G:\dwg3gngs.exe
\Shell\explore\Command - G:\dwg3gngs.exe
\Shell\open\Command - G:\dwg3gngs.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{cdf8178c-9536-11dd-8133-94edc1dc7b6c}]
\Shell\AutoRun\command - G:\dwg3gngs.exe
\Shell\explore\Command - G:\dwg3gngs.exe
\Shell\open\Command - G:\dwg3gngs.exe
.
Contents of the 'Scheduled Tasks' folder

2008-11-29 c:\windows\Tasks\1-Click Maintenance.job
- c:\program files\TuneUp Utilities 2008\OneClickStarter.exe [2008-02-29 13:24]
.
.
------- Supplementary Scan -------
.
FireFox -: Profile - c:\documents and settings\Dijuf\Application Data\Mozilla\Firefox\Profiles\y6pyp6l9.default\
FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://www.google.com
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, gmer.net
Rootkit scan 2008-11-29 21:13:17
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\{FE4C91E7-22C2-4D0C-9F6B-82F1B7742054}]
"ImagePath"="\??\c:\program files\CyberLink\PowerDVD8\000.fcl"
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\igfxsrvc.exe
c:\program files\ESET\ESET NOD32 Antivirus\ekrn.exe
c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
c:\progra~1\COMMON~1\PCSuite\Services\SERVIC~1.EXE
c:\program files\Nero\Nero8\Nero BackItUp\NBService.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlwriter.exe
c:\program files\Common Files\Nero\Lib\NMIndexingService.exe
c:\program files\Common Files\Nero\Lib\NMIndexStoreSvr.exe
.
**************************************************************************
.
Completion time: 2008-11-29 21:14:36 - machine was rebooted
ComboFix-quarantined-files.txt 2008-11-29 20:14:34

Pre-Run: 36,091,006,976 bytes free
Post-Run: 36,093,210,624 bytes free

165

offline
  • diarno  Male
  • Anti Malware Fighter
    Rank 2
  • Pridružio: 15 Jun 2007
  • Poruke: 5572

Arrow Otvoriti Notepad i iskopirati sledeci tekst:

File::
C:\dwg3gngs.exe


Snimiti na Desktop fajl iz Notepada kao "CFScript"




Prevuci snimljeni skript/tekst na ComboFix ikonicu kao na slici.
Postaviti u sledecoj poruci log koji bude bio napravljen na kraju ciscenja/skeniranja.


Arrow Skini sledeci program - http://amf.mycity.rs/personal/bobby/USB_blocker/usb_blocker.exe
- startuj ga i odaberi opciju Auto block
- ubaci USB stick u komp i sacekaj koji sekund (recimo 5-10 sekundi)
- program je sada uradio analizu sticka (vidi se u donjem delu programa, u logu)
- gore levo klikni duplo na slovo koje oznacava particiju, tj. tvoj USB stick
- dole kraj sata ce se pojaviti poruka da smes da izvadis USB stick iz kompa
- ne gasi program, vec ubaci sledeci USB stick i za njega isto sacekaj par sekundi, i tako redom za sve stickove, MP3 plejere, mobilni
- zapamti kojim redom su ubacivani stickovi

Kada sve to zavrsis, log u donjem delu programa ce sadrzati sve podatke koji su meni potrebni da bih video koji stick je zarazen.
Klikni desnim dugmetom misa na log/izvestaj i odaberi Save log.
Automatski ce se otvoriti Notepad i u njemu izvestaj.
Iskopiraj mi taj izvestaj ovde na forum.

offline
  • mita08 
  • Novi MyCity građanin
  • Pridružio: 29 Nov 2008
  • Poruke: 5

ComboFix 08-11-29.03 - Dijuf 2008-11-30 15:43:36.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1250.381.1033.18.482 [GMT 1:00]
Running from: c:\documents and settings\Dijuf\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Dijuf\Desktop\CFScript.txt
* Created a new restore point
* Resident AV is active


WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\dwg3gngs.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\dwg3gngs.exe

.
((((((((((((((((((((((((( Files Created from 2008-10-28 to 2008-11-30 )))))))))))))))))))))))))))))))
.

2008-11-30 14:47 . 2008-11-30 14:47 <DIR> d-------- c:\documents and settings\Dijuf\LocalLow
2008-11-30 14:47 . 2008-11-30 14:47 <DIR> d-------- c:\documents and settings\All Users\Application Data\TVU Networks
2008-11-28 21:44 . 2008-01-07 14:29 352 --ah----- c:\windows\nod32fixtemdono.reg
2008-11-28 21:28 . 2008-11-28 21:28 <DIR> d-------- c:\program files\ESET
2008-11-28 21:28 . 2008-11-28 21:28 <DIR> d-------- c:\documents and settings\All Users\Application Data\ESET
2008-11-28 21:26 . 2008-11-28 21:26 <DIR> d-------- c:\program files\Dobar nod
2008-10-27 13:30 . 2008-10-27 13:30 <DIR> d-------- c:\documents and settings\Dijuf\Application Data\Sports Interactive
2008-10-27 13:28 . 2008-10-27 13:28 <DIR> d--h----- c:\program files\Zero G Registry
2008-10-27 13:28 . 2008-10-27 13:28 <DIR> d--h----- c:\documents and settings\Dijuf\InstallAnywhere
2008-10-22 19:57 . 2008-10-22 19:57 <DIR> d-------- c:\program files\MathType5_2a
2008-10-22 19:56 . 2008-10-22 19:56 <DIR> d-------- c:\program files\MathType
2008-10-22 19:56 . 2008-10-22 19:56 <DIR> d-------- c:\documents and settings\Dijuf\Application Data\Design Science
2008-10-20 18:47 . 2008-10-26 21:15 <DIR> d-------- C:\Proba
2008-10-19 22:17 . 2008-10-19 22:18 3,025 --a------ c:\windows\ST5UNST.000
2008-10-19 22:12 . 2000-12-06 00:00 209,608 --a------ c:\windows\system32\TABCTL32.OCX
2008-10-19 22:12 . 1995-07-26 00:00 200,704 --a------ c:\windows\system32\THREED32.OCX
2008-10-19 22:10 . 1996-12-09 00:00 71,680 --a------ c:\windows\ST5UNST.EXE
2008-10-19 22:10 . 1996-12-09 00:00 29,696 --a------ c:\windows\system32\VB5StKit.dll
2008-10-12 16:02 . 2008-10-12 16:02 <DIR> d-------- c:\windows\Sun
2008-10-12 16:01 . 2008-10-12 16:01 <DIR> d-------- c:\program files\Java
2008-10-12 16:01 . 2008-06-10 01:32 73,728 --a------ c:\windows\system32\javacpl.cpl
2008-10-12 15:58 . 2008-10-12 15:58 <DIR> d-------- c:\program files\Common Files\Java
2008-10-10 21:55 . 2008-10-13 15:05 172 --a------ c:\windows\wcx_ftp.ini
2008-10-10 21:54 . 2008-11-07 23:44 <DIR> d-------- C:\totalcmd
2008-10-10 21:54 . 2008-11-29 14:32 1,119 --a------ c:\windows\wincmd.ini
2008-10-10 21:54 . 2007-09-05 06:02 545 --a------ c:\windows\UC.PIF
2008-10-10 21:54 . 2007-09-05 06:02 545 --a------ c:\windows\RAR.PIF
2008-10-10 21:54 . 2007-09-05 06:02 545 --a------ c:\windows\PKZIP.PIF
2008-10-10 21:54 . 2007-09-05 06:02 545 --a------ c:\windows\PKUNZIP.PIF
2008-10-10 21:54 . 2007-09-05 06:02 545 --a------ c:\windows\NOCLOSE.PIF
2008-10-10 21:54 . 2007-09-05 06:02 545 --a------ c:\windows\LHA.PIF
2008-10-10 21:54 . 2007-09-05 06:02 545 --a------ c:\windows\ARJ.PIF

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-11-29 13:46 --------- d-----w c:\program files\File Seeker
2008-11-28 20:56 --------- d-----w c:\documents and settings\All Users\Application Data\Kaspersky Lab
2008-10-09 17:52 --------- d-----w c:\documents and settings\Dijuf\Application Data\Winamp
2008-10-02 21:15 --------- d-----w c:\documents and settings\Dijuf\Application Data\BSplayer Pro
2008-09-29 21:20 --------- d-----w c:\documents and settings\All Users\Application Data\Microsoft Help
2008-09-13 18:04 98,304 ----a-w c:\windows\system32\CmdLineExt.dll
2008-09-04 22:36 155,995 ----a-w c:\windows\java\Packages\9R9RDRTB.ZIP
2008-09-02 22:09 307,968 ----a-w c:\windows\system32\TuneUpDefragService.exe
2008-09-02 21:57 505,128 ----a-w c:\windows\system32\msvcp71.dll
2008-09-02 21:57 353,576 ----a-w c:\windows\system32\msvcr71.dll
2008-09-02 21:57 29,480 ----a-w c:\windows\system32\msxml3a.dll
2008-08-24 02:33 3,127 ----a-w c:\windows\system32\presetup.cmd
2008-08-24 02:33 28,672 ----a-w c:\windows\system32\setupold.exe
2008-08-24 01:23 96,792 ----a-w c:\windows\system32\basecsp.dll
.

((((((((((((((((((((((((((((( snapshot@2008-11-29_21.14.16.29 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-11-29 13:39:34 76,572 ----a-w c:\windows\system32\perfc009.dat
+ 2008-11-30 12:25:17 76,572 ----a-w c:\windows\system32\perfc009.dat
- 2008-11-29 13:39:34 439,338 ----a-w c:\windows\system32\perfh009.dat
+ 2008-11-30 12:25:17 439,338 ----a-w c:\windows\system32\perfh009.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Nero\Lib\NMBgMonitor.exe" [2007-10-23 202024]
"DAEMON Tools"="c:\program files\DAEMON Tools\daemon.exe" [2007-04-03 165784]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-12-19 135168]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-12-19 159744]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-12-19 131072]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-27 31016]
"NeroFilterCheck"="c:\program files\Common Files\Nero\Lib\NeroCheck.exe" [2007-03-01 153136]
"NBKeyScan"="c:\program files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe" [2007-09-20 1836328]
"RemoteControl8"="c:\program files\CyberLink\PowerDVD8\PDVD8Serv.exe" [2008-03-20 83240]
"PDVD8LanguageShortcut"="c:\program files\CyberLink\PowerDVD8\Language\Language.exe" [2007-12-14 50472]
"BDRegion"="c:\program files\Cyberlink\Shared Files\brs.exe" [2008-04-21 91432]
"FileSeekerUpdater"="c:\program files\File Seeker\FSeekerDBUpdater.exe" [2007-01-12 603648]
"Sony Ericsson PC Suite"="c:\program files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" [2006-11-24 487424]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
"PCSuiteTrayApplication"="c:\progra~1\Nokia\NOKIAP~1\LAUNCH~1.EXE" [2005-12-13 217088]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"egui"="c:\program files\ESET\ESET NOD32 Antivirus\egui.exe" [2007-12-21 1443072]
"RTHDCPL"="RTHDCPL.EXE" [2008-04-10 c:\windows\RTHDCPL.EXE]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
AutoCAD Startup Accelerator.lnk - c:\program files\Common Files\Autodesk Shared\acstart17.exe [2006-03-05 11000]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.I420"= i420vfw.dll
"msacm.divxa32"= divxa32.acm
"msacm.l3fhg"= mp3fhg.acm
"VIDC.X264"= x264vfw.dll
"VIDC.HFYU"= huffyuv.dll
"vidc.i263"= i263_32.drv
"msacm.ac3filter"= ac3filter.acm

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=

R0 iastor78;iastor78;c:\windows\system32\drivers\iastor78.sys [2008-08-24 308248]
R1 epfwtdir;epfwtdir;c:\windows\system32\DRIVERS\epfwtdir.sys [2007-12-21 33800]
R2 {FE4C91E7-22C2-4D0C-9F6B-82F1B7742054};{FE4C91E7-22C2-4D0C-9F6B-82F1B7742054};\??\c:\program files\CyberLink\PowerDVD8\000.fcl [2008-02-01 16:24:04 41456]
R2 LogWatch;Event Log Watch;"c:\program files\CA\SharedComponents\CA_LIC\LogWatNT.exe" [2005-02-23 53248]
S3 AVPsys;AVPsys;\??\c:\windows\system32\drivers\cdaudio.sys [2001-08-17 18688]
S3 k510bus;Sony Ericsson K510 Driver driver (WDM);c:\windows\system32\DRIVERS\k510bus.sys [2008-09-09 58288]
S3 k510mdfl;Sony Ericsson K510 USB WMC Modem Filter;c:\windows\system32\DRIVERS\k510mdfl.sys [2008-09-09 8336]
S3 k510mdm;Sony Ericsson K510 USB WMC Modem Driver;c:\windows\system32\DRIVERS\k510mdm.sys [2008-09-09 94064]
S3 k510mgmt;Sony Ericsson K510 USB WMC Device Management Drivers (WDM);c:\windows\system32\DRIVERS\k510mgmt.sys [2008-09-09 85408]
S3 k510obex;Sony Ericsson K510 USB WMC OBEX Interface;c:\windows\system32\DRIVERS\k510obex.sys [2008-09-09 83344]
S3 usnjsvc;Messenger Sharing Folders USN Journal Reader service;"c:\program files\Windows Live\Messenger\usnsvc.exe" [2007-10-18 98328]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{24901661-7aa8-11dd-80d0-f970e432be62}]
\Shell\AutoRun\command - G:\dwg3gngs.exe
\Shell\explore\Command - G:\dwg3gngs.exe
\Shell\open\Command - G:\dwg3gngs.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{351134bf-b67e-11dd-81a8-001eec4adabb}]
\Shell\AutoRun\command - G:\xih9.cmd
\Shell\explore\Command - G:\xih9.cmd
\Shell\open\Command - G:\xih9.cmd

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{aba19362-899f-11dd-810c-cc84c17d8c6c}]
\Shell\AutoRun\command - G:\dwg3gngs.exe
\Shell\explore\Command - G:\dwg3gngs.exe
\Shell\open\Command - G:\dwg3gngs.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c3715c47-7d99-11dd-80de-001eec4adabb}]
\Shell\AutoRun\command - G:\dwg3gngs.exe
\Shell\explore\Command - G:\dwg3gngs.exe
\Shell\open\Command - G:\dwg3gngs.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{cdf8178c-9536-11dd-8133-94edc1dc7b6c}]
\Shell\AutoRun\command - G:\dwg3gngs.exe
\Shell\explore\Command - G:\dwg3gngs.exe
\Shell\open\Command - G:\dwg3gngs.exe
.
Contents of the 'Scheduled Tasks' folder

2008-11-30 c:\windows\Tasks\1-Click Maintenance.job
- c:\program files\TuneUp Utilities 2008\OneClickStarter.exe [2008-02-29 13:24]
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, gmer.net
Rootkit scan 2008-11-30 15:44:37
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\{FE4C91E7-22C2-4D0C-9F6B-82F1B7742054}]
"ImagePath"="\??\c:\program files\CyberLink\PowerDVD8\000.fcl"
.
Completion time: 2008-11-30 15:45:14
ComboFix-quarantined-files.txt 2008-11-30 14:44:57
ComboFix2.txt 2008-11-29 20:14:38

Pre-Run: 34,637,574,144 bytes free
Post-Run: 34,626,772,992 bytes free

178

_____________________________________________________________

Evo log i od USB_blockera:
USB_blocker by bobby

Started at 30.11.2008 15:46:35

Scanning for connected USB Mass storage...
========================================
========================================
Scanning for other storage...
========================================
D: d051bcb4-78d0-11dd-b452-806d6172696f
C: d051bcb6-78d0-11dd-b452-806d6172696f
========================================

Scanning fixed storage for autorun.inf files...
========================================
========================================



New device connected at 30.11.2008 15:46:58

Scanning for connected USB Mass storage...
========================================
G: 7b0f4119-816c-11dd-80ec-f4ca18b0cc63
========================================

Scanning USB mass storage for autorun.inf and desktop.ini files...
========================================
Sanitizing Shell Menu...
Sanitized 7b0f4119-816c-11dd-80ec-f4ca18b0cc63
========================================


New device connected at 30.11.2008 15:48:06

Scanning for connected USB Mass storage...
========================================
G: c3715c47-7d99-11dd-80de-001eec4adabb
========================================

Scanning USB mass storage for autorun.inf and desktop.ini files...
========================================

autorun.inf found on G:
File G:\autorun.inf renamed successfully
Sanitizing Shell Menu...
No key for GUID: c3715c47-7d99-11dd-80de-001eec4adabb
========================================


New device connected at 30.11.2008 15:49:09

Scanning for connected USB Mass storage...
========================================
G: 7b0f4117-816c-11dd-80ec-f4ca18b0cc63
========================================

Scanning USB mass storage for autorun.inf and desktop.ini files...
========================================
Sanitizing Shell Menu...
No key for GUID: 7b0f4117-816c-11dd-80ec-f4ca18b0cc63
========================================


New device connected at 30.11.2008 15:49:11

Scanning for connected USB Mass storage...
========================================
G: 7b0f4117-816c-11dd-80ec-f4ca18b0cc63
========================================

Scanning USB mass storage for autorun.inf and desktop.ini files...
========================================
Sanitizing Shell Menu...
No key for GUID: 7b0f4117-816c-11dd-80ec-f4ca18b0cc63
========================================


New device connected at 30.11.2008 15:50:00

Scanning for connected USB Mass storage...
========================================
G: cdf8178c-9536-11dd-8133-94edc1dc7b6c
========================================

Scanning USB mass storage for autorun.inf and desktop.ini files...
========================================
Sanitizing Shell Menu...
No key for GUID: cdf8178c-9536-11dd-8133-94edc1dc7b6c
========================================

offline
  • diarno  Male
  • Anti Malware Fighter
    Rank 2
  • Pridružio: 15 Jun 2007
  • Poruke: 5572

Pokreni ponovo Combofix i postavi mi svez log.

offline
  • mita08 
  • Novi MyCity građanin
  • Pridružio: 29 Nov 2008
  • Poruke: 5

Evo ga:

ComboFix 08-11-29.03 - Dijuf 2008-11-30 20:34:20.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1250.381.1033.18.386 [GMT 1:00]
Running from: c:\documents and settings\Dijuf\Desktop\ComboFix.exe
* Resident AV is active


WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((( Files Created from 2008-10-28 to 2008-11-30 )))))))))))))))))))))))))))))))
.

2008-11-30 14:47 . 2008-11-30 14:47 <DIR> d-------- c:\documents and settings\Dijuf\LocalLow
2008-11-30 14:47 . 2008-11-30 14:47 <DIR> d-------- c:\documents and settings\All Users\Application Data\TVU Networks
2008-11-28 21:44 . 2008-01-07 14:29 352 --ah----- c:\windows\nod32fixtemdono.reg
2008-11-28 21:28 . 2008-11-28 21:28 <DIR> d-------- c:\program files\ESET
2008-11-28 21:28 . 2008-11-28 21:28 <DIR> d-------- c:\documents and settings\All Users\Application Data\ESET
2008-11-28 21:26 . 2008-11-28 21:26 <DIR> d-------- c:\program files\Dobar nod
2008-10-27 13:30 . 2008-10-27 13:30 <DIR> d-------- c:\documents and settings\Dijuf\Application Data\Sports Interactive
2008-10-27 13:28 . 2008-10-27 13:28 <DIR> d--h----- c:\program files\Zero G Registry
2008-10-27 13:28 . 2008-10-27 13:28 <DIR> d--h----- c:\documents and settings\Dijuf\InstallAnywhere
2008-10-22 19:57 . 2008-10-22 19:57 <DIR> d-------- c:\program files\MathType5_2a
2008-10-22 19:56 . 2008-10-22 19:56 <DIR> d-------- c:\program files\MathType
2008-10-22 19:56 . 2008-10-22 19:56 <DIR> d-------- c:\documents and settings\Dijuf\Application Data\Design Science
2008-10-20 18:47 . 2008-10-26 21:15 <DIR> d-------- C:\Proba
2008-10-19 22:17 . 2008-10-19 22:18 3,025 --a------ c:\windows\ST5UNST.000
2008-10-19 22:12 . 2000-12-06 00:00 209,608 --a------ c:\windows\system32\TABCTL32.OCX
2008-10-19 22:12 . 1995-07-26 00:00 200,704 --a------ c:\windows\system32\THREED32.OCX
2008-10-19 22:10 . 1996-12-09 00:00 71,680 --a------ c:\windows\ST5UNST.EXE
2008-10-19 22:10 . 1996-12-09 00:00 29,696 --a------ c:\windows\system32\VB5StKit.dll
2008-10-12 16:02 . 2008-10-12 16:02 <DIR> d-------- c:\windows\Sun
2008-10-12 16:01 . 2008-10-12 16:01 <DIR> d-------- c:\program files\Java
2008-10-12 16:01 . 2008-06-10 01:32 73,728 --a------ c:\windows\system32\javacpl.cpl
2008-10-12 15:58 . 2008-10-12 15:58 <DIR> d-------- c:\program files\Common Files\Java
2008-10-10 21:55 . 2008-10-13 15:05 172 --a------ c:\windows\wcx_ftp.ini
2008-10-10 21:54 . 2008-11-07 23:44 <DIR> d-------- C:\totalcmd
2008-10-10 21:54 . 2008-11-29 14:32 1,119 --a------ c:\windows\wincmd.ini
2008-10-10 21:54 . 2007-09-05 06:02 545 --a------ c:\windows\UC.PIF
2008-10-10 21:54 . 2007-09-05 06:02 545 --a------ c:\windows\RAR.PIF
2008-10-10 21:54 . 2007-09-05 06:02 545 --a------ c:\windows\PKZIP.PIF
2008-10-10 21:54 . 2007-09-05 06:02 545 --a------ c:\windows\PKUNZIP.PIF
2008-10-10 21:54 . 2007-09-05 06:02 545 --a------ c:\windows\NOCLOSE.PIF
2008-10-10 21:54 . 2007-09-05 06:02 545 --a------ c:\windows\LHA.PIF
2008-10-10 21:54 . 2007-09-05 06:02 545 --a------ c:\windows\ARJ.PIF

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-11-29 13:46 --------- d-----w c:\program files\File Seeker
2008-11-28 20:56 --------- d-----w c:\documents and settings\All Users\Application Data\Kaspersky Lab
2008-10-09 17:52 --------- d-----w c:\documents and settings\Dijuf\Application Data\Winamp
2008-10-02 21:15 --------- d-----w c:\documents and settings\Dijuf\Application Data\BSplayer Pro
2008-09-29 21:20 --------- d-----w c:\documents and settings\All Users\Application Data\Microsoft Help
2008-09-13 18:04 98,304 ----a-w c:\windows\system32\CmdLineExt.dll
2008-09-04 22:36 155,995 ----a-w c:\windows\java\Packages\9R9RDRTB.ZIP
2008-09-02 22:09 307,968 ----a-w c:\windows\system32\TuneUpDefragService.exe
2008-09-02 21:57 505,128 ----a-w c:\windows\system32\msvcp71.dll
2008-09-02 21:57 353,576 ----a-w c:\windows\system32\msvcr71.dll
2008-09-02 21:57 29,480 ----a-w c:\windows\system32\msxml3a.dll
2008-08-24 02:33 3,127 ----a-w c:\windows\system32\presetup.cmd
2008-08-24 02:33 28,672 ----a-w c:\windows\system32\setupold.exe
2008-08-24 01:23 96,792 ----a-w c:\windows\system32\basecsp.dll
.

((((((((((((((((((((((((((((( snapshot@2008-11-29_21.14.16.29 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-11-29 13:39:34 76,572 ----a-w c:\windows\system32\perfc009.dat
+ 2008-11-30 12:25:17 76,572 ----a-w c:\windows\system32\perfc009.dat
- 2008-11-29 13:39:34 439,338 ----a-w c:\windows\system32\perfh009.dat
+ 2008-11-30 12:25:17 439,338 ----a-w c:\windows\system32\perfh009.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Nero\Lib\NMBgMonitor.exe" [2007-10-23 202024]
"DAEMON Tools"="c:\program files\DAEMON Tools\daemon.exe" [2007-04-03 165784]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-12-19 135168]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-12-19 159744]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-12-19 131072]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-27 31016]
"NeroFilterCheck"="c:\program files\Common Files\Nero\Lib\NeroCheck.exe" [2007-03-01 153136]
"NBKeyScan"="c:\program files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe" [2007-09-20 1836328]
"RemoteControl8"="c:\program files\CyberLink\PowerDVD8\PDVD8Serv.exe" [2008-03-20 83240]
"PDVD8LanguageShortcut"="c:\program files\CyberLink\PowerDVD8\Language\Language.exe" [2007-12-14 50472]
"BDRegion"="c:\program files\Cyberlink\Shared Files\brs.exe" [2008-04-21 91432]
"FileSeekerUpdater"="c:\program files\File Seeker\FSeekerDBUpdater.exe" [2007-01-12 603648]
"Sony Ericsson PC Suite"="c:\program files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" [2006-11-24 487424]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
"PCSuiteTrayApplication"="c:\progra~1\Nokia\NOKIAP~1\LAUNCH~1.EXE" [2005-12-13 217088]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"egui"="c:\program files\ESET\ESET NOD32 Antivirus\egui.exe" [2007-12-21 1443072]
"RTHDCPL"="RTHDCPL.EXE" [2008-04-10 c:\windows\RTHDCPL.EXE]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
AutoCAD Startup Accelerator.lnk - c:\program files\Common Files\Autodesk Shared\acstart17.exe [2006-03-05 11000]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.I420"= i420vfw.dll
"msacm.divxa32"= divxa32.acm
"msacm.l3fhg"= mp3fhg.acm
"VIDC.X264"= x264vfw.dll
"VIDC.HFYU"= huffyuv.dll
"vidc.i263"= i263_32.drv
"msacm.ac3filter"= ac3filter.acm

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=

R0 iastor78;iastor78;c:\windows\system32\drivers\iastor78.sys [2008-08-24 308248]
R1 epfwtdir;epfwtdir;c:\windows\system32\DRIVERS\epfwtdir.sys [2007-12-21 33800]
R2 {FE4C91E7-22C2-4D0C-9F6B-82F1B7742054};{FE4C91E7-22C2-4D0C-9F6B-82F1B7742054};\??\c:\program files\CyberLink\PowerDVD8\000.fcl [2008-02-01 16:24:04 41456]
R2 LogWatch;Event Log Watch;"c:\program files\CA\SharedComponents\CA_LIC\LogWatNT.exe" [2005-02-23 53248]
S3 AVPsys;AVPsys;\??\c:\windows\system32\drivers\cdaudio.sys [2001-08-17 18688]
S3 k510bus;Sony Ericsson K510 Driver driver (WDM);c:\windows\system32\DRIVERS\k510bus.sys [2008-09-09 58288]
S3 k510mdfl;Sony Ericsson K510 USB WMC Modem Filter;c:\windows\system32\DRIVERS\k510mdfl.sys [2008-09-09 8336]
S3 k510mdm;Sony Ericsson K510 USB WMC Modem Driver;c:\windows\system32\DRIVERS\k510mdm.sys [2008-09-09 94064]
S3 k510mgmt;Sony Ericsson K510 USB WMC Device Management Drivers (WDM);c:\windows\system32\DRIVERS\k510mgmt.sys [2008-09-09 85408]
S3 k510obex;Sony Ericsson K510 USB WMC OBEX Interface;c:\windows\system32\DRIVERS\k510obex.sys [2008-09-09 83344]
S3 usnjsvc;Messenger Sharing Folders USN Journal Reader service;"c:\program files\Windows Live\Messenger\usnsvc.exe" [2007-10-18 98328]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{24901661-7aa8-11dd-80d0-f970e432be62}]
\Shell\AutoRun\command - G:\dwg3gngs.exe
\Shell\explore\Command - G:\dwg3gngs.exe
\Shell\open\Command - G:\dwg3gngs.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{351134bf-b67e-11dd-81a8-001eec4adabb}]
\Shell\AutoRun\command - G:\xih9.cmd
\Shell\explore\Command - G:\xih9.cmd
\Shell\open\Command - G:\xih9.cmd

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{aba19362-899f-11dd-810c-cc84c17d8c6c}]
\Shell\AutoRun\command - G:\dwg3gngs.exe
\Shell\explore\Command - G:\dwg3gngs.exe
\Shell\open\Command - G:\dwg3gngs.exe

*Newly Created Service* - CATCHME
.
Contents of the 'Scheduled Tasks' folder

2008-11-30 c:\windows\Tasks\1-Click Maintenance.job
- c:\program files\TuneUp Utilities 2008\OneClickStarter.exe [2008-02-29 13:24]
.
.
------- Supplementary Scan -------
.
FireFox -: Profile - c:\documents and settings\Dijuf\Application Data\Mozilla\Firefox\Profiles\y6pyp6l9.default\
FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://www.google.com
FF -: plugin - c:\documents and settings\Dijuf\Application Data\Mozilla\Firefox\Profiles\y6pyp6l9.default\extensions\firefox@tvunetworks.com\plugins\npTVUAx.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, gmer.net
Rootkit scan 2008-11-30 20:35:20
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\{FE4C91E7-22C2-4D0C-9F6B-82F1B7742054}]
"ImagePath"="\??\c:\program files\CyberLink\PowerDVD8\000.fcl"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(784)
c:\windows\system32\igfxdev.dll
.
Completion time: 2008-11-30 20:35:56
ComboFix-quarantined-files.txt 2008-11-30 19:35:43
ComboFix2.txt 2008-11-30 14:45:15
ComboFix3.txt 2008-11-29 20:14:38

Pre-Run: 33,158,008,832 bytes free
Post-Run: 33,147,142,144 bytes free

175

offline
  • diarno  Male
  • Anti Malware Fighter
    Rank 2
  • Pridružio: 15 Jun 2007
  • Poruke: 5572

Uradi sledece :

Arrow Skini [url=https://www.mycity.rs/must-login.png fajl[/url] i pokreni ga dvoklikom.Na sledece upit klikni Yes .

I zavrsili smo...

Jos samo da deinstaliramo Combofix :


Arrow Klikni START a zatim RUN
U liniju za unos teksta ukucaj Combofix /u i klikni OK





Sačekaj da se proces deinstalacije završi

Gornja procedura će:
Obrisati sledeće:
ComboFix i njegove file-ove i foldere
VundoFix Backups folder, ako postoji
C:\Deckard folder, ako postoji
C:\OtMoveIt folder, ako postoji

Resetovati podešavanja sata na kompjuteru
Sakriti ekstenzije file-ova, ako je potrebno
Sakriti sistemske/skrivene file-ove/foldere, ako je potrebno
Resetovati System Restore


To je sve...

offline
  • mita08 
  • Novi MyCity građanin
  • Pridružio: 29 Nov 2008
  • Poruke: 5

Hvala puno i nadam se da se necemo vise cuti Wink

Ko je trenutno na forumu
 

Ukupno su 696 korisnika na forumu :: 49 registrovanih, 9 sakrivenih i 638 gosta   ::   [ Administrator ] [ Supermoderator ] [ Moderator ] :: Detaljnije

Najviše korisnika na forumu ikad bilo je 3466 - dana 01 Jun 2021 17:07

Korisnici koji su trenutno na forumu:
Korisnici trenutno na forumu: A.R.Chafee.Jr., aleksmajstor, amaterSRB, Andrija357, Arhiv, ArmyBoss, bato, cenejac111, djordje92sm, draganca, draggan, dragon986, Duško, Georgius, goran.vvv, goxin, Hoegaarden, hyla, ikan, ivan979, Jovan Nenad, Konda, Krusarac, KUZMAR, ladro, MarKhan, MB120mm, Mercury, Mihajlo, misa1xx, Mitogna, mushroom, nemkea71, neutralal.com, pein, prekodrinski, raketaš, rovac, sakota79, SD, ssekir75, Toni, vasa.93, vathra, Vlad000, vlvl, vranjanac29, W123, wolverined4