Infected computer, HijackThis won't start...

  • Joined: 18 Apr 2003
  • Posts: 8134
  • Location: In a bag of gummy bears...

A friend called me.
His computer shows a balloon tooltip next to the clock telling him the computer is infected, and when he clicks on that tooltip it downloads some program from the Internet.

Anyway, I went over there and brought HijackThis; the installation went through, but unfortunately I couldn't run it.

Is there any way to run HijackThis, or maybe some other program I could use to clean the computer?

  • Joined: 04 Sep 2003
  • Posts: 24135
  • Location: Wien

Rename the HijackThis exe file, as well as the folder you installed it in.
Change them to something that doesn't suggest HijackThis.

Addendum: 30 Nov 2008 1:29

So you don't have to go back and forth too much, do the following right away as well:
Download ComboFix from one of the following addresses to the Desktop:
http://download.bleepingcomputer.com/sUBs/ComboFix.exe
http://www.forospyware.com/sUBs/ComboFix.exe
http://subs.geekstogo.com/ComboFix.exe

Run it and don't touch the program window while it scans.
Follow the on-screen instructions. When it finishes, a log (C:\ComboFix.txt) will appear, which you will paste here for us.

Likewise, if it won't run, rename the exe file.
It's probably best to rename it already in the Save dialog when you download it.

  • Joined: 18 Apr 2003
  • Posts: 8134
  • Location: In a bag of gummy bears...

I renamed it (the file; I didn't touch the folder name), but it still wouldn't start.

I'll try renaming it in the Save dialog.

Addendum: 30 Nov 2008 20:02

Here I am with the HJT and ComboFix logs.

I brought both programs over from my place with changed names, and they ran.

That balloon tooltip isn't shown anymore.

Here are the logs:

HijackThis:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 18:37:27, on 30.11.2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\urmyhero\hero.exe

O3 - Toolbar: DAP Bar - {62999427-33FC-4baf-9C9C-BCE6BD127F08} - C:\Program Files\DAP\DAPIEBar.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - C:\PROGRA~1\DAP\dapextie2.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\SCIEPlgn.dll
O9 - Extra button: Run DAP - {669695BC-A811-4A9D-8CDF-BA8C795F261C} - C:\PROGRA~1\DAP\DAP.EXE
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/MediaAccessVerisign/ie/bridge-c5.cab
O16 - DPF: {24311111-1111-1121-1111-111191113457} - file://c:\eied_s7.cab
O16 - DPF: {33331111-1111-1111-1111-611111193457} - file://c:\ex.cab
O16 - DPF: {33331111-1111-1111-1111-611111193458} - file://c:\ex.cab
O16 - DPF: {33331111-1111-1111-1111-622221193458} - file://c:\ex.cab
O16 - DPF: {64311111-1111-1121-1111-111191113457} - file://c:\eied_s7.cab
O16 - DPF: {DECEAAA2-370A-49BB-9362-68C3A58DDC62} (SAIX) - http://static.zangocash.com/cab/Zango/ie/bridge-c8.....c06cc46aff
O20 - AppInit_DLLs: karna.dat
O20 - Winlogon Notify: WinCtrl32 - C:\WINDOWS\SYSTEM32\WinCtrl32.dll
O21 - SSODL: SystemCheck2 - {54645654-2225-4455-44A1-9F4543D34545} - C:\WINDOWS\System32\vbsys2.dll (file missing)
O21 - SSODL: WebProxy - {A744F16C-B2D5-4138-81A2-085CDFCDE83A} - ckds16.dll (file missing)
O23 - Service: Kaspersky Internet Security 7.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

--
End of file - 3726 bytes

ComboFix:

ComboFix 08-11-29.03 - Administrator 2008-11-30 18:43:11.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.1.1252.1.1033.18.97 [GMT 1:00]
Running from: c:\documents and settings\Administrator\Desktop\h.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
ADS - svchost.exe: deleted 68 bytes in 1 streams.
ADS - ntoskrnl.exe: deleted 68 bytes in 1 streams.
ADS - explorer.exe: deleted 132 bytes in 1 streams.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Administrator\Administrator.exe
c:\documents and settings\Administrator\Local Settings\Temporary Internet Files\exybades._sy
c:\documents and settings\Administrator\Local Settings\Temporary Internet Files\itanom.pif
c:\documents and settings\Administrator\My Documents\Veterina\Sudska vet.med\sudska 4\Desktop_.ini
c:\documents and settings\Administrator\My Documents\Veterina\Sudska vet.med\sudska 5\Desktop_.ini
c:\program files\AntiSpywareXP2009
c:\program files\AntiSpywareXP2009\Uninstall.exe
c:\program files\Microsoft Common
c:\program files\Microsoft Common\wuauclt.exe
c:\windows\brastk.exe
c:\windows\karna.dat
c:\windows\system32\_scui.cpl
c:\windows\system32\brastk.exe
c:\windows\system32\DelSelf.bat
c:\windows\system32\dllcache\beep.sys
c:\windows\system32\drivers\Winim15.sys
c:\windows\system32\drivers\Winuy26.sys
c:\windows\system32\karna.dat
c:\windows\system32\rs32net.exe
c:\windows\system32\sft.res
c:\windows\system32\sn.txt
c:\windows\system32\sxmg4.dll
c:\windows\system32\WinCtrl32.dll
c:\windows\system32\wini10603.exe
F:\autorun.inf


.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_WINUY26
-------\Service_Winim15
-------\Service_Winuy26


((((((((((((((((((((((((( Files Created from 2008-10-28 to 2008-11-30 )))))))))))))))))))))))))))))))
.

2008-11-30 18:36 . 2008-11-30 18:37 <DIR> d-------- c:\program files\urmyhero
2008-11-29 19:42 . 2008-11-29 19:42 33,792 --a------ c:\windows\system32\ckds16.dll
2008-11-07 14:32 . 2008-11-07 14:32 91,492 --a------ c:\windows\system32\drivers\klin.dat
2008-11-07 14:32 . 2008-11-07 14:32 85,860 --a------ c:\windows\system32\drivers\klick.dat
2008-11-07 14:31 . 2008-11-07 14:31 <DIR> d-------- c:\program files\Kaspersky Lab
2008-11-07 14:31 . 2008-11-07 14:31 <DIR> d-------- c:\documents and settings\All Users\Application Data\Kaspersky Lab
2008-11-07 14:31 . 2008-11-30 18:57 1,636,384 --ahs---- c:\windows\system32\drivers\fidbox.dat
2008-11-07 14:31 . 2008-11-30 18:55 20,204 --ahs---- c:\windows\system32\drivers\fidbox.idx
2008-11-07 14:31 . 2008-11-30 18:56 12,064 --ahs---- c:\windows\system32\drivers\fidbox2.dat
2008-11-07 14:31 . 2008-11-30 18:55 2,132 --ahs---- c:\windows\system32\drivers\fidbox2.idx
2008-11-07 14:30 . 2008-11-07 14:30 <DIR> d-------- C:\kav
2008-11-07 14:29 . 2008-11-07 14:30 <DIR> d-------- c:\program files\Kasperski
2008-10-30 20:53 . 2008-10-30 20:53 19,344 --a------ c:\windows\acyjujox.vbs
2008-10-30 20:53 . 2008-10-30 20:53 17,988 --a------ c:\windows\system32\zusivy.pif
2008-10-30 20:53 . 2008-10-30 20:53 17,975 --a------ c:\program files\Common Files\fesisoril.sys
2008-10-30 20:53 . 2008-10-30 20:53 17,739 --a------ c:\windows\akyfujecoh.ban
2008-10-30 20:53 . 2008-10-30 20:53 16,549 --a------ c:\documents and settings\All Users\Application Data\eguwywilo.dat
2008-10-30 20:53 . 2008-10-30 20:53 15,546 --a------ c:\windows\moby.db
2008-10-30 20:53 . 2008-10-30 20:53 15,296 --a------ c:\documents and settings\All Users\Application Data\ynobam.bin
2008-10-30 20:53 . 2008-10-30 20:53 14,785 --a------ c:\program files\Common Files\ugyg.dll
2008-10-30 20:53 . 2008-10-30 20:53 14,560 --a------ c:\documents and settings\All Users\Application Data\vizoloxyv.bin
2008-10-30 20:53 . 2008-10-30 20:53 13,569 --a------ c:\program files\Common Files\seweq.vbs
2008-10-30 20:53 . 2008-10-30 20:53 13,455 --a------ c:\windows\system32\olyrejusyk._sy
2008-10-30 20:53 . 2008-10-30 20:53 12,330 --a------ c:\documents and settings\Administrator\Application Data\ytici.dll
2008-10-30 20:53 . 2008-10-30 20:53 11,896 --a------ c:\windows\enifyhon.com
2008-10-30 20:53 . 2008-10-30 20:53 11,654 --a------ c:\windows\omokerify.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-11-29 18:27 --------- d-----w c:\program files\Andrex Puppy
2008-11-29 18:27 --------- d-----w c:\documents and settings\Administrator\Application Data\Andrex Puppy
2008-11-29 18:21 --------- d-----w c:\program files\Trend Micro
2008-10-30 19:53 16,550 ----a-w c:\program files\Common Files\asel._dl
2006-03-24 21:49 134,448 ----a-w c:\documents and settings\Administrator\Application Data\GDIPFONTCACHEV1.DAT
2006-02-13 16:42 2,777,088 ----a-w c:\program files\FoxitReader.exe
1998-04-26 23:00 570,128 ----a-w c:\program files\DAO350.DLL
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\System32\ctfmon.exe" [2002-08-29 13312]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\System32\CTFMON.EXE" [2002-08-29 13312]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"ForceClassicControlPanel"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{93994DE8-8239-4655-B1D1-5F4E91300429}"= "c:\program files\DVD Region-Free\DVDShell.dll" [2002-10-29 40960]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.iv41"= ir41_32.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
backup=c:\windows\pss\Adobe Gamma Loader.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^GStartup.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\GStartup.lnk
backup=c:\windows\pss\GStartup.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Andrex Puppy]
--a------ 2003-01-08 13:35 771264 c:\program files\Andrex Puppy\Andrex Puppy.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVP]
--a------ 2007-12-18 00:43 227856 c:\program files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CloneCDElbyCDFL]
--a------ 2002-11-02 07:33 45056 c:\program files\Elaborate Bytes\CloneCD\ElbyCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CMESys]
--a------ 2004-06-29 23:24 90112 c:\program files\Common Files\CMEII\CMESys.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTFMON.EXE]
--a------ 2002-08-29 03:41 13312 c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DeviceDiscovery]
--a------ 2003-05-21 17:37 229437 c:\program files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Component Manager]
--a------ 2003-10-23 18:51 233472 c:\program files\HP\hpcoretech\hpcmpmgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
--a------ 2003-06-25 10:24 49152 c:\program files\Hewlett-Packard\HP Software Update\hpwuSchd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPDJ Taskbar Utility]
--a------ 2003-09-01 12:42 176128 c:\windows\system32\spool\drivers\w32x86\3\hpztsb09.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2001-07-09 10:50 155648 c:\windows\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
-ra------ 2003-07-28 08:19 4841472 c:\windows\system32\nvcpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2005-05-16 18:56 77824 c:\program files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\REGSHAVE]
--------- 2002-02-04 22:32 53248 c:\program files\REGSHAVE\REGSHAVE.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Smapp]
--a------ 2002-10-11 17:26 98304 c:\program files\Analog Devices\SoundMAX\SMTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
-ra------ 2003-07-28 08:19 323584 c:\windows\system32\nwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
-ra------ 2003-08-15 08:34 57344 c:\windows\SOUNDMAN.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001

R3 ham50;Intel V92 HaM Data Fax Voice;c:\windows\System32\DRIVERS\IntelH51.sys [2007-08-07 469935]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\windows\System32\DRIVERS\klim5.sys [2007-12-13 24592]
R3 msloop;Microsoft Loopback Adapter Driver;c:\windows\System32\DRIVERS\loop.sys [2005-07-25 4992]
S4 hpt3xx;hpt3xx; []

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{A744F16C-B2D5-4138-81A2-085CDFCDE83A}]
rundll32 ckds16.dll,InitModule
.
- - - - ORPHANS REMOVED - - - -

MSConfigStartUp-Administrator - c:\documents and settings\Administrator\Administrator.exe
MSConfigStartUp-AMP Agent - c:\program files\Common Files\ARS Company\Agent\Agent.exe
MSConfigStartUp-AntiSpywareXP 2009 - c:\program files\AntiSpywareXP2009\AntiSpywareXP2009.exe
MSConfigStartUp-rs32net - c:\windows\System32\rs32net.exe
MSConfigStartUp-usbn - c:\windows\system32\usbn.exe
MSConfigStartUp-brastk - brastk.exe


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com
mStart Page = hxxp://www.google.com
uInternet Connection Wizard,ShellNext = iexplore
IE: &Download with &DAP - c:\progra~1\DAP\dapextie.htm
IE: Download &all with DAP - c:\progra~1\DAP\dapextie2.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
IE: {c95fe080-8f5d-11d2-a20b-00aa003c157a} - %SystemRoot%\web\related.htm
IE: {c95fe080-8f5d-11d2-a20b-00aa003c157a} - %SystemRoot%\web\related.htm -
Name-Space Handler: ftp\ZDA - {5BFA1DAF-5EDC-11D2-959E-00C00C02DA5E} - c:\progra~1\DAP\dapie.dll
Name-Space Handler: http\ZDA - {5BFA1DAF-5EDC-11D2-959E-00C00C02DA5E} - c:\progra~1\DAP\dapie.dll
Name-Space Handler: HTTPS\ZDA - {5BFA1DAF-5EDC-11D2-959E-00C00C02DA5E} - c:\progra~1\DAP\dapie.dll

O16 -: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
c:\windows\Downloaded Program Files\Microsoft XML Parser for Java.osd

O16 -: {33331111-1111-1111-1111-622221193458} - file://c:\ex.cab
c:\windows\Downloaded Program Files\start.INF

O16 -: {64311111-1111-1121-1111-111191113457} - file://c:\eied_s7.cab
c:\windows\Downloaded Program Files\eied.inf
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-11-30 18:56:45
Windows 5.1.2600 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(832)
c:\windows\System32\ODBC32.dll
c:\program files\Kaspersky Lab\Kaspersky Internet Security 7.0\miscr3.dll
c:\windows\System32\klogon.dll

- - - - - - - > 'lsass.exe'(888-)
c:\program files\Kaspersky Lab\Kaspersky Internet Security 7.0\dnsq.dll
c:\program files\Kaspersky Lab\Kaspersky Internet Security 7.0\miscr3.dll
c:\program files\Kaspersky Lab\Kaspersky Internet Security 7.0\fssync.dll
c:\windows\System32\dssenh.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
c:\windows\system32\nvsvc32.exe
c:\program files\Analog Devices\SoundMAX\SMAgent.exe
.
**************************************************************************
.
Completion time: 2008-11-30 19:01:29 - machine was rebooted
ComboFix-quarantined-files.txt 2008-11-30 18:01:25

Pre-Run: 26.701.520.896 bytes free
Post-Run: 27,002,081,280 bytes free


Addendum: 30 Nov 2008 20:20

I forgot to mention.

I saw that it has SP1, so I told him not to go online until I install SP2 for him, which should be tomorrow.
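As an added example (not part of this thread, and not HijackThis or ComboFix code), the Python below parses HijackThis-style "Onn - body" lines and flags the kinds of entries a helper would act on in a log like the one above: an O16 ActiveX CAB registered from a local file:// path, a non-empty O20 AppInit_DLLs value, an O20 Winlogon Notify DLL, and an O21 SSODL load point whose DLL is missing. The sample lines are constructed from the posted log; the severity labels are the example's own convention.

```python
import re
from typing import List, Optional, Tuple

# Constructed sample in HijackThis v2 "Onn - body" format, modelled on the
# entries posted above (a handful of lines, not the full log).
SAMPLE_LOG = r"""
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O16 - DPF: {33331111-1111-1111-1111-611111193457} - file://c:\ex.cab
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/MediaAccessVerisign/ie/bridge-c5.cab
O20 - AppInit_DLLs: karna.dat
O20 - Winlogon Notify: WinCtrl32 - C:\WINDOWS\SYSTEM32\WinCtrl32.dll
O21 - SSODL: WebProxy - {A744F16C-B2D5-4138-81A2-085CDFCDE83A} - ckds16.dll (file missing)
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
"""

HJT_LINE = re.compile(r"^(O\d+) - (.*)$")


def parse_hjt_line(line: str) -> Optional[Tuple[str, str]]:
    """Split one 'Onn - body' line into (section, body); None for other lines."""
    m = HJT_LINE.match(line.strip())
    return (m.group(1), m.group(2)) if m else None


def triage(line: str) -> Optional[Tuple[str, str]]:
    """Return (severity, reason) for an entry worth a closer look, else None."""
    parsed = parse_hjt_line(line)
    if parsed is None:
        return None
    section, body = parsed
    if section == "O16" and "file://" in body.lower():
        # A Downloaded Program Files CAB registered from a local path, not a
        # web download, is not how legitimate ActiveX installs arrive.
        return ("high", "O16 ActiveX CAB registered from a local file:// path")
    if section == "O20" and body.startswith("AppInit_DLLs:"):
        value = body[len("AppInit_DLLs:"):].strip()
        if value:
            # AppInit_DLLs is normally empty on XP; anything listed here is
            # loaded into every process that links user32.dll.
            return ("high", f"O20 AppInit_DLLs is set to '{value}'")
    if section == "O20" and body.startswith("Winlogon Notify:"):
        # Notify DLLs run inside winlogon.exe; verify the DLL's publisher.
        return ("review", "O20 Winlogon Notify DLL loads into winlogon.exe")
    if section == "O21":
        if "(file missing)" in body:
            # The DLL is gone but its load point remains: an orphan to clean up.
            return ("orphan", "O21 SSODL load point whose DLL no longer exists")
        return ("review", "O21 SSODL entry loads a DLL into explorer.exe")
    return None


def triage_log(text: str) -> List[Tuple[str, str, str]]:
    """Run triage over a whole log; returns (severity, reason, line) per hit."""
    hits = []
    for line in text.splitlines():
        verdict = triage(line)
        if verdict is not None:
            hits.append((verdict[0], verdict[1], line.strip()))
    return hits


if __name__ == "__main__":
    for severity, reason, line in triage_log(SAMPLE_LOG):
        print(f"[{severity:6}] {reason}\n         {line}")
```

Entries the rules do not recognise (O4, O23, ...) are left for manual review rather than silently accepted; the script only narrows where to look first.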

  • Joined: 04 Sep 2003
  • Posts: 24135
  • Location: Wien

Open Notepad and copy the following text:

File::
c:\windows\system32\ckds16.dll
c:\program files\Common Files\asel._dl
c:\windows\acyjujox.vbs
c:\windows\system32\zusivy.pif
c:\program files\Common Files\fesisoril.sys
c:\windows\akyfujecoh.ban
c:\documents and settings\All Users\Application Data\eguwywilo.dat
c:\windows\moby.db
c:\documents and settings\All Users\Application Data\ynobam.bin
c:\program files\Common Files\ugyg.dll
c:\documents and settings\All Users\Application Data\vizoloxyv.bin
c:\program files\Common Files\seweq.vbs
c:\windows\system32\olyrejusyk._sy
c:\documents and settings\Administrator\Application Data\ytici.dll
c:\windows\enifyhon.com
c:\windows\omokerify.exe
c:\eied_s7.cab
c:\ex.cab
c:\windows\Downloaded Program Files\eied.inf
c:\windows\Downloaded Program Files\start.INF
c:\program files\Common Files\CMEII\CMESys.exe

Folder::
c:\program files\Common Files\CMEII

Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{A744F16C-B2D5-4138-81A2-085CDFCDE83A}]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CMESys]


Save the file from Notepad to the Desktop as "CFScript"

Drag the saved script/text onto the ComboFix icon as in the picture.
Post the log that gets created at the end of the cleaning/scanning in the next message.

I'm interested in what the following program is:
c:\program files\Andrex Puppy
Go to www.virustotal.com and upload Andrex Puppy.exe there, then see whether it's malware or not.

Addendum: 30 Nov 2008 20:51

People usually get stuck with Vundo because of an old version of Java. I don't see Java in his logs.
He also had Gator, which is old malware that comes with the installers of certain programs (Kazaa, for example).

  • Joined: 18 Apr 2003
  • Posts: 8134
  • Location: In a bag of gummy bears...

I should go over to his place tomorrow, so we'll do this part then.

And Andrex Puppy is an application that walks a dog around his screen, so that's clean.
