Posted: 03 Jun 2008 00:10
- nirre
- Super citizen
- Joined: 26 Mar 2005
- Posts: 1489
- Location: Podgorica
Now you're going to go crazy. Here's how it went: after pressing Enter, for the items numbered 1, 4, 5, 6 and 7 it said "no maching file were found", and for items 2 and 3 it said nothing.
Update: 03 Jun 2008 0:10
Posted: 03 Jun 2008 00:15
- bobby
- Administrator
- Joined: 04 Sep 2003
- Posts: 24135
- Location: Wien
That means it deleted 2 and 3.
I could cry... This rootkit is driving me up the wall.
It looks like it makes a copy of itself and modifies the registry just before the system shuts down.
Then, when the system starts up, it changes the registry and the files back again. That's why we see one thing in the logs, while on the shut-down Windows there is something else.
I have to think about how we get rid of it. It's late now, so I'll have to leave this for tomorrow.
Update: 03 Jun 2008 0:15
We were writing at the same time. This last GMER log is clean.
What does ComboFix say?
Posted: 03 Jun 2008 00:17
- nirre
- Super citizen
- Joined: 26 Mar 2005
- Posts: 1489
- Location: Podgorica
ComboFix 08-06-01.3 - erin 2008-06-03 0:11:40.7 - NTFSx86
Running from: C:\Documents and Settings\erin\Desktop\ComboFix.exe
* Resident AV is active
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((( Files Created from 2008-05-02 to 2008-06-02 )))))))))))))))))))))))))))))))
.
2008-06-02 14:54 . 2008-06-03 00:09 250 --a------ C:\WINDOWS\gmer.ini
2008-05-30 06:55 . 2008-05-30 06:55 6,144 --ahs---- C:\WINDOWS\Thumbs.db
2008-05-25 22:44 . 2008-05-25 22:44 <DIR> d-------- C:\Documents and Settings\erin\Application Data\ABBYY
2008-05-25 22:43 . 2008-05-25 22:43 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\ABBYY
2008-05-25 22:40 . 2008-05-25 22:46 <DIR> d-------- C:\Program Files\ABBYY FineReader 7.0 Professional Edition
2008-05-22 22:36 . 2004-05-14 16:53 462,848 --a------ C:\WINDOWS\system32\ltkrn13n.dll
2008-05-22 22:36 . 2004-05-14 16:53 450,560 --a------ C:\WINDOWS\system32\ltimg13n.dll
2008-05-22 22:36 . 2004-05-14 16:53 401,408 --a------ C:\WINDOWS\system32\lfcmp13n.dll
2008-05-22 22:36 . 2004-05-14 16:53 299,008 --a------ C:\WINDOWS\system32\ltdis13n.dll
2008-05-22 22:36 . 2004-01-12 02:09 206,336 --a------ C:\WINDOWS\system32\ltefx13n.dll
2008-05-22 22:36 . 2004-05-14 16:53 163,840 --a------ C:\WINDOWS\system32\ltfil13n.dll
2008-05-22 22:36 . 2003-11-04 15:10 69,632 --a------ C:\WINDOWS\system32\lfgif13n.dll
2008-05-22 22:36 . 2004-05-14 16:53 57,344 --a------ C:\WINDOWS\system32\lfbmp13n.dll
2008-05-21 12:27 . 2008-05-21 12:27 <DIR> d-------- C:\Program Files\Common Files\Skype
2008-05-21 12:27 . 2008-05-21 12:28 <DIR> d-------- C:\Documents and Settings\erin\Application Data\Skype
2008-05-21 12:27 . 2008-05-21 12:27 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Skype
2008-05-21 12:26 . 2008-05-21 12:27 <DIR> d-------- C:\Program Files\Skype
2008-05-20 14:09 . 2008-06-01 20:59 <DIR> d-------- C:\Program Files\Sony Ericsson
2008-05-20 13:55 . 2008-05-20 14:00 <DIR> d-------- C:\Program Files\Fma
2008-05-14 00:11 . 2004-08-04 00:56 221,184 --a------ C:\WINDOWS\system32\wmpns.dll
2008-05-13 10:57 . 2007-07-30 19:19 271,224 --a------ C:\WINDOWS\system32\mucltui.dll
2008-05-13 10:57 . 2007-07-30 19:19 207,736 --a------ C:\WINDOWS\system32\muweb.dll
2008-05-13 10:57 . 2007-07-30 19:19 30,072 --a------ C:\WINDOWS\system32\mucltui.dll.mui
2008-05-12 16:08 . 2008-05-12 16:08 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-05-12 16:08 . 2008-05-25 12:43 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-05-12 16:03 . 2008-05-12 16:04 <DIR> d-------- C:\Program Files\Winamp
2008-05-05 19:38 . 2008-05-27 16:52 316 --a------ C:\WINDOWS\win.ini
2008-05-05 19:23 . 2006-10-18 23:47 8,231,936 --a------ C:\WINDOWS\system32\wmploc.backup
2008-05-05 19:23 . 2006-10-17 13:05 105,984 --a------ C:\WINDOWS\system32\url.backup
2008-05-05 19:21 . 2004-08-04 00:56 8,384,000 --a------ C:\WINDOWS\system32\shell32.backup
2008-05-05 19:20 . 2004-08-04 00:56 983,552 --a------ C:\WINDOWS\system32\setupapi.backup
2008-05-05 19:20 . 2004-08-04 00:56 657,920 --a------ C:\WINDOWS\system32\rasdlg.backup
2008-05-05 19:20 . 2004-08-04 00:56 343,040 --a------ C:\WINDOWS\system32\cmdial32.backup
2008-05-05 19:20 . 2004-08-04 00:56 298,496 --a------ C:\WINDOWS\system32\sysdm.backup
2008-05-05 19:20 . 2004-08-04 00:56 163,840 --a------ C:\WINDOWS\system32\credui.backup
2008-05-05 19:20 . 2004-08-04 00:56 10,752 --a------ C:\WINDOWS\hh.backup
2008-05-05 19:17 . 2008-05-10 18:11 <DIR> d-------- C:\WINDOWS\VIPv3
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-02 22:05 --------- d-----w C:\Program Files\Mozilla Thunderbird
2008-06-01 19:01 --------- d-----w C:\Documents and Settings\All Users\Application Data\RFA_Backups
2008-06-01 12:43 --------- d-----w C:\Documents and Settings\erin\Application Data\LimeWire
2008-06-01 11:39 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-06-01 11:39 --------- d-----w C:\Program Files\Common Files\Teleca Shared
2008-05-17 17:25 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-04-28 23:10 --------- d-----w C:\Program Files\Common Files\NSV
2008-04-28 18:36 --------- d-----w C:\Documents and Settings\erin\Application Data\ESET
2008-04-28 18:33 --------- d-----w C:\Program Files\ESET
2008-04-28 18:33 --------- d-----w C:\Documents and Settings\All Users\Application Data\ESET
2008-04-28 11:47 --------- d-----w C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-04-28 11:46 12,632 ----a-w C:\WINDOWS\system32\lsdelete.exe
2008-04-26 11:50 --------- d-----w C:\Program Files\Opera
2008-04-20 16:36 --------- d-----w C:\Documents and Settings\erin\Application Data\Teleca
2008-04-16 18:11 --------- d-----w C:\Program Files\Audacity 1.3 Beta
2008-03-27 08:12 151,583 ----a-w C:\WINDOWS\system32\msjint40.dll
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys
.
------- Sigcheck -------
2004-08-04 00:56 14336 8f078ae4ed187aaabc0a305146de6716 C:\WINDOWS\system32\svchost.exe
2004-08-04 00:56 14336 8f078ae4ed187aaabc0a305146de6716 C:\WINDOWS\system32\dllcache\svchost.exe
2004-08-04 00:56 82944 2ed0b7f12a60f90092081c50fa0ec2b2 C:\WINDOWS\system32\ws2_32.dll
2004-08-04 00:56 82944 2ed0b7f12a60f90092081c50fa0ec2b2 C:\WINDOWS\system32\dllcache\ws2_32.dll
2004-08-04 00:56 502272 01c3346c241652f43aed8e2149881bfe C:\WINDOWS\system32\winlogon.exe
2004-08-04 00:56 502272 01c3346c241652f43aed8e2149881bfe C:\WINDOWS\system32\dllcache\winlogon.exe
2004-08-03 23:14 182912 558635d3af1c7546d26067d5d9b6959e C:\WINDOWS\system32\dllcache\ndis.sys
2004-08-03 23:14 182912 558635d3af1c7546d26067d5d9b6959e C:\WINDOWS\system32\drivers\ndis.sys
2004-08-03 23:00 29056 4448006b6bc60e6c027932cfc38d6855 C:\WINDOWS\system32\dllcache\ip6fw.sys
2004-08-03 23:00 29056 4448006b6bc60e6c027932cfc38d6855 C:\WINDOWS\system32\drivers\ip6fw.sys
2004-08-04 00:56 108032 c6ce6eec82f187615d1002bb3bb50ed4 C:\WINDOWS\system32\services.exe
2004-08-04 00:56 108032 c6ce6eec82f187615d1002bb3bb50ed4 C:\WINDOWS\system32\dllcache\services.exe
2004-08-04 00:56 13312 84885f9b82f4d55c6146ebf6065d75d2 C:\WINDOWS\system32\lsass.exe
2004-08-04 00:56 13312 84885f9b82f4d55c6146ebf6065d75d2 C:\WINDOWS\system32\dllcache\lsass.exe
2004-08-04 00:56 15360 24232996a38c0b0cf151c2140ae29fc8 C:\WINDOWS\system32\ctfmon.exe
2004-08-04 00:56 15360 24232996a38c0b0cf151c2140ae29fc8 C:\WINDOWS\system32\dllcache\ctfmon.exe
.
((((((((((((((((((((((((((((( snapshot@2008-06-01_21.55.41.28 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-06-01 19:49:34 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-06-02 22:04:54 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-06-02 12:54:31 884,736 ----a-w C:\WINDOWS\gmer.dll
+ 2008-04-17 19:13:02 811,008 ----a-w C:\WINDOWS\gmer.exe
+ 2008-06-02 12:54:31 85,969 ----a-w C:\WINDOWS\system32\drivers\gmer.sys
+ 2008-06-02 22:05:08 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_244.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56 15360]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"egui"="C:\Program Files\ESET\ESET Smart Security\egui.exe" [2007-12-21 08:21 1443072]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.YV12"= yv12vfw.dll
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=
R3 SNPHV71;PC Camera (602a VGA);C:\WINDOWS\system32\DRIVERS\snphv71.sys [2002-11-08 18:24]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1372b9e0-eaf0-11dc-9820-000ea667e277}]
\Shell\AutoRun\command - F:\2ifetri.cmd
\Shell\explore\Command - F:\2ifetri.cmd
\Shell\open\Command - F:\2ifetri.cmd
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{15a05d2b-be2f-11dc-97af-d2a421fdc9d1}]
\Shell\AutoRun\command - F:\2ifetri.cmd
\Shell\explore\Command - F:\2ifetri.cmd
\Shell\open\Command - F:\2ifetri.cmd
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{cecfcedf-c68c-11dc-97c8-f84ff3382347}]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Autorun.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e8209fca-c107-11dc-97b6-a28a6003ab52}]
\Shell\AutoRun\command - F:\2ifetri.cmd
\Shell\explore\Command - F:\2ifetri.cmd
\Shell\open\Command - F:\2ifetri.cmd
.
**************************************************************************
catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-03 00:14:07
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2008-06-03 0:16:21
ComboFix-quarantined-files.txt 2008-06-02 22:15:54
ComboFix2.txt 2008-06-02 21:05:42
ComboFix3.txt 2008-06-02 14:07:31
ComboFix4.txt 2008-06-01 19:56:10
Pre-Run: 16,210,444,288 bytes free
Post-Run: 16,200,040,448 bytes free
148 --- E O F --- 2008-06-01 11:45:49
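The parts of the ComboFix log above that a helper reads first are the MountPoints2 handlers pointing at F:\2ifetri.cmd (an autorun worm registering itself for every removable volume it has seen), the two Security Center "DisableNotify" values and the firewall switched off. The following Python script is an added example, not part of the original thread and not ComboFix's own code: it parses the "Reg Loading Points" block and flags exactly those indicators. The sample text is a constructed, trimmed copy of the posted log, and the "D: to Z: means non-system drive" rule is a heuristic assumed by the example.

```python
import re

# Constructed sample: a trimmed copy of the "Reg Loading Points" block from the
# ComboFix log posted above (only the entries the example looks at).
SAMPLE_LOG = r"""
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1372b9e0-eaf0-11dc-9820-000ea667e277}]
\Shell\AutoRun\command - F:\2ifetri.cmd
\Shell\explore\Command - F:\2ifetri.cmd
\Shell\open\Command - F:\2ifetri.cmd
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{cecfcedf-c68c-11dc-97c8-f84ff3382347}]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Autorun.exe
"""

KEY_RE = re.compile(r"^\[(.+)\]$")                      # [HKEY_...\path]
HANDLER_RE = re.compile(r"^\\Shell\\(\w+)\\command\s+-\s+(.+)$", re.IGNORECASE)
VALUE_RE = re.compile(r'^"([^"]+)"\s*=\s*(.*)$')        # "Name"=value
NON_SYSTEM_DRIVE_RE = re.compile(r"^[d-z]:\\", re.IGNORECASE)  # heuristic, see lead-in


def parse_loading_points(text):
    """Return {registry key: [(name_or_verb, value), ...]} for a REGEDIT4-style block."""
    entries = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            current = m.group(1)
            entries.setdefault(current, [])
            continue
        if current is None:          # header lines before the first key
            continue
        m = HANDLER_RE.match(line)   # MountPoints2 shell verb handlers
        if m:
            entries[current].append((m.group(1).lower(), m.group(2).strip()))
            continue
        m = VALUE_RE.match(line)     # ordinary "Name"=value lines
        if m:
            entries[current].append((m.group(1), m.group(2).strip()))
    return entries


def dword_value(val):
    """Parse 'dword:00000001' -> 1; return None for anything that is not a dword."""
    if val.lower().startswith("dword:"):
        return int(val.split(":", 1)[1], 16)
    return None


def find_indicators(entries):
    """Turn parsed entries into (kind, where, what, value) findings."""
    findings = []
    for key, values in entries.items():
        lk = key.lower()
        if "mountpoints2" in lk:
            guid = key.rsplit("\\", 1)[-1]
            for verb, cmd in values:
                if "shellexec_rundll" in cmd.lower():
                    # RunDLL32 + ShellExec_RunDLL used to launch a file from the volume
                    findings.append(("mountpoints2_rundll_autorun", guid, verb, cmd))
                elif NON_SYSTEM_DRIVE_RE.match(cmd):
                    # Handler runs a file straight off a non-system drive letter
                    findings.append(("mountpoints2_drive_handler", guid, verb, cmd))
        elif lk.endswith("security center"):
            for name, val in values:
                if name.endswith("DisableNotify") and dword_value(val) == 1:
                    findings.append(("security_center_notify_disabled", key, name, val))
        elif lk.endswith("firewallpolicy\\standardprofile"):
            for name, val in values:
                if name == "EnableFirewall" and val.split()[0] == "0":
                    findings.append(("firewall_disabled", key, name, val))
    return findings


def scan(text):
    """Parse a Reg Loading Points block and return its findings."""
    return find_indicators(parse_loading_points(text))


if __name__ == "__main__":
    for kind, where, what, value in scan(SAMPLE_LOG):
        print(f"{kind:34} {where}  {what} = {value}")
```

The MountPoints2 entries are per-volume and live under HKEY_CURRENT_USER, which is why they survive a clean of the stick itself: the handler stays registered until the key is removed or the volume is cleaned and re-inserted, and a helper cross-checks each flagged GUID against the drive letters the user actually plugs in.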
Posted: 03 Jun 2008 22:57
- nirre
- Super citizen
- Joined: 26 Mar 2005
- Posts: 1489
- Location: Podgorica
bobby :: I'm begging you, don't plug them into your computer any more.
No amount of money could make me do that now; just the number of times I started GMER and ComboFix today is not normal.
I'll do this now.
Update: 03 Jun 2008 0:43
ComboFix 08-06-01.3 - erin 2008-06-03 0:37:06.8 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.66 [GMT 2:00]
Running from: C:\Documents and Settings\erin\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\erin\Desktop\CFScript.txt
* Created a new restore point
* Resident AV is active
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((( Files Created from 2008-05-02 to 2008-06-02 )))))))))))))))))))))))))))))))
.
2008-06-02 14:54 . 2008-06-03 00:09 250 --a------ C:\WINDOWS\gmer.ini
2008-05-30 06:55 . 2008-05-30 06:55 6,144 --ahs---- C:\WINDOWS\Thumbs.db
2008-05-25 22:44 . 2008-05-25 22:44 <DIR> d-------- C:\Documents and Settings\erin\Application Data\ABBYY
2008-05-25 22:43 . 2008-05-25 22:43 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\ABBYY
2008-05-25 22:40 . 2008-05-25 22:46 <DIR> d-------- C:\Program Files\ABBYY FineReader 7.0 Professional Edition
2008-05-22 22:36 . 2004-05-14 16:53 462,848 --a------ C:\WINDOWS\system32\ltkrn13n.dll
2008-05-22 22:36 . 2004-05-14 16:53 450,560 --a------ C:\WINDOWS\system32\ltimg13n.dll
2008-05-22 22:36 . 2004-05-14 16:53 401,408 --a------ C:\WINDOWS\system32\lfcmp13n.dll
2008-05-22 22:36 . 2004-05-14 16:53 299,008 --a------ C:\WINDOWS\system32\ltdis13n.dll
2008-05-22 22:36 . 2004-01-12 02:09 206,336 --a------ C:\WINDOWS\system32\ltefx13n.dll
2008-05-22 22:36 . 2004-05-14 16:53 163,840 --a------ C:\WINDOWS\system32\ltfil13n.dll
2008-05-22 22:36 . 2003-11-04 15:10 69,632 --a------ C:\WINDOWS\system32\lfgif13n.dll
2008-05-22 22:36 . 2004-05-14 16:53 57,344 --a------ C:\WINDOWS\system32\lfbmp13n.dll
2008-05-21 12:27 . 2008-05-21 12:27 <DIR> d-------- C:\Program Files\Common Files\Skype
2008-05-21 12:27 . 2008-05-21 12:28 <DIR> d-------- C:\Documents and Settings\erin\Application Data\Skype
2008-05-21 12:27 . 2008-05-21 12:27 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Skype
2008-05-21 12:26 . 2008-05-21 12:27 <DIR> d-------- C:\Program Files\Skype
2008-05-20 14:09 . 2008-06-01 20:59 <DIR> d-------- C:\Program Files\Sony Ericsson
2008-05-20 13:55 . 2008-05-20 14:00 <DIR> d-------- C:\Program Files\Fma
2008-05-14 00:11 . 2004-08-04 00:56 221,184 --a------ C:\WINDOWS\system32\wmpns.dll
2008-05-13 10:57 . 2007-07-30 19:19 271,224 --a------ C:\WINDOWS\system32\mucltui.dll
2008-05-13 10:57 . 2007-07-30 19:19 207,736 --a------ C:\WINDOWS\system32\muweb.dll
2008-05-13 10:57 . 2007-07-30 19:19 30,072 --a------ C:\WINDOWS\system32\mucltui.dll.mui
2008-05-12 16:08 . 2008-05-12 16:08 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-05-12 16:08 . 2008-05-25 12:43 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-05-12 16:03 . 2008-05-12 16:04 <DIR> d-------- C:\Program Files\Winamp
2008-05-05 19:38 . 2008-05-27 16:52 316 --a------ C:\WINDOWS\win.ini
2008-05-05 19:23 . 2006-10-18 23:47 8,231,936 --a------ C:\WINDOWS\system32\wmploc.backup
2008-05-05 19:23 . 2006-10-17 13:05 105,984 --a------ C:\WINDOWS\system32\url.backup
2008-05-05 19:21 . 2004-08-04 00:56 8,384,000 --a------ C:\WINDOWS\system32\shell32.backup
2008-05-05 19:20 . 2004-08-04 00:56 983,552 --a------ C:\WINDOWS\system32\setupapi.backup
2008-05-05 19:20 . 2004-08-04 00:56 657,920 --a------ C:\WINDOWS\system32\rasdlg.backup
2008-05-05 19:20 . 2004-08-04 00:56 343,040 --a------ C:\WINDOWS\system32\cmdial32.backup
2008-05-05 19:20 . 2004-08-04 00:56 298,496 --a------ C:\WINDOWS\system32\sysdm.backup
2008-05-05 19:20 . 2004-08-04 00:56 163,840 --a------ C:\WINDOWS\system32\credui.backup
2008-05-05 19:20 . 2004-08-04 00:56 10,752 --a------ C:\WINDOWS\hh.backup
2008-05-05 19:17 . 2008-05-10 18:11 <DIR> d-------- C:\WINDOWS\VIPv3
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-02 22:05 --------- d-----w C:\Program Files\Mozilla Thunderbird
2008-06-01 19:01 --------- d-----w C:\Documents and Settings\All Users\Application Data\RFA_Backups
2008-06-01 12:43 --------- d-----w C:\Documents and Settings\erin\Application Data\LimeWire
2008-06-01 11:39 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-06-01 11:39 --------- d-----w C:\Program Files\Common Files\Teleca Shared
2008-05-17 17:25 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-04-28 23:10 --------- d-----w C:\Program Files\Common Files\NSV
2008-04-28 18:36 --------- d-----w C:\Documents and Settings\erin\Application Data\ESET
2008-04-28 18:33 --------- d-----w C:\Program Files\ESET
2008-04-28 18:33 --------- d-----w C:\Documents and Settings\All Users\Application Data\ESET
2008-04-28 11:47 --------- d-----w C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-04-28 11:46 12,632 ----a-w C:\WINDOWS\system32\lsdelete.exe
2008-04-26 11:50 --------- d-----w C:\Program Files\Opera
2008-04-20 16:36 --------- d-----w C:\Documents and Settings\erin\Application Data\Teleca
2008-04-16 18:11 --------- d-----w C:\Program Files\Audacity 1.3 Beta
2008-03-27 08:12 151,583 ----a-w C:\WINDOWS\system32\msjint40.dll
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys
.
------- Sigcheck -------
2004-08-04 00:56 14336 8f078ae4ed187aaabc0a305146de6716 C:\WINDOWS\system32\svchost.exe
2004-08-04 00:56 14336 8f078ae4ed187aaabc0a305146de6716 C:\WINDOWS\system32\dllcache\svchost.exe
2004-08-04 00:56 82944 2ed0b7f12a60f90092081c50fa0ec2b2 C:\WINDOWS\system32\ws2_32.dll
2004-08-04 00:56 82944 2ed0b7f12a60f90092081c50fa0ec2b2 C:\WINDOWS\system32\dllcache\ws2_32.dll
2004-08-04 00:56 502272 01c3346c241652f43aed8e2149881bfe C:\WINDOWS\system32\winlogon.exe
2004-08-04 00:56 502272 01c3346c241652f43aed8e2149881bfe C:\WINDOWS\system32\dllcache\winlogon.exe
2004-08-03 23:14 182912 558635d3af1c7546d26067d5d9b6959e C:\WINDOWS\system32\dllcache\ndis.sys
2004-08-03 23:14 182912 558635d3af1c7546d26067d5d9b6959e C:\WINDOWS\system32\drivers\ndis.sys
2004-08-03 23:00 29056 4448006b6bc60e6c027932cfc38d6855 C:\WINDOWS\system32\dllcache\ip6fw.sys
2004-08-03 23:00 29056 4448006b6bc60e6c027932cfc38d6855 C:\WINDOWS\system32\drivers\ip6fw.sys
2004-08-04 00:56 108032 c6ce6eec82f187615d1002bb3bb50ed4 C:\WINDOWS\system32\services.exe
2004-08-04 00:56 108032 c6ce6eec82f187615d1002bb3bb50ed4 C:\WINDOWS\system32\dllcache\services.exe
2004-08-04 00:56 13312 84885f9b82f4d55c6146ebf6065d75d2 C:\WINDOWS\system32\lsass.exe
2004-08-04 00:56 13312 84885f9b82f4d55c6146ebf6065d75d2 C:\WINDOWS\system32\dllcache\lsass.exe
2004-08-04 00:56 15360 24232996a38c0b0cf151c2140ae29fc8 C:\WINDOWS\system32\ctfmon.exe
2004-08-04 00:56 15360 24232996a38c0b0cf151c2140ae29fc8 C:\WINDOWS\system32\dllcache\ctfmon.exe
.
((((((((((((((((((((((((((((( snapshot@2008-06-01_21.55.41.28 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-06-01 19:49:34 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-06-02 22:04:54 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-06-02 12:54:31 884,736 ----a-w C:\WINDOWS\gmer.dll
+ 2008-04-17 19:13:02 811,008 ----a-w C:\WINDOWS\gmer.exe
+ 2008-06-02 12:54:31 85,969 ----a-w C:\WINDOWS\system32\drivers\gmer.sys
+ 2008-06-02 22:05:08 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_244.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56 15360]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"egui"="C:\Program Files\ESET\ESET Smart Security\egui.exe" [2007-12-21 08:21 1443072]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.YV12"= yv12vfw.dll
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=
.
**************************************************************************
catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-03 00:39:53
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2008-06-03 0:42:42
ComboFix-quarantined-files.txt 2008-06-02 22:42:00
ComboFix2.txt 2008-06-02 22:16:23
ComboFix3.txt 2008-06-02 21:05:42
ComboFix4.txt 2008-06-02 14:07:31
ComboFix5.txt 2008-06-01 19:56:10
Pre-Run: 16,185,139,200 bytes free
Post-Run: 16,176,984,064 bytes free
136 --- E O F --- 2008-06-01 11:45:49
Update: 03 Jun 2008 22:57
bobby, one question.
Since I have no experience with Linux: I just saw that on one of Micro's DVDs I have Knoppix (and that it boots from the CD). Could I use it to delete, i.e. clean, the USB??
Posted: 03 Jun 2008 22:59
- bobby
- Administrator
- Joined: 04 Sep 2003
- Posts: 24135
- Location: Wien
You can do it from Knoppix, why not.
Delete all the autorun.inf files, as well as that 2ifteri.cmd.
Actually, if the data on the USB sticks doesn't mean much to you, the best thing is to delete the entire contents of the USB sticks.
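One way to do from Knoppix what the post above suggests, for the case where the data on the stick does matter: walk the mounted stick, read every autorun.inf, and remove it together with the file it would launch, leaving the user's files in place. This Python script is an added example, not code from the thread; the stick contents it builds are constructed for the demo (a one-line placeholder named 2ifetri.cmd, not the real file), the mount point is whatever path you pass in, and `dry_run=True` only reports what would be deleted.

```python
import os
import re
import tempfile

# autorun.inf keys that name the program Windows would launch
TARGET_KEYS = (
    "open", "shellexecute",
    "shell\\open\\command", "shell\\explore\\command", "shell\\autorun\\command",
)


def autorun_targets(inf_text):
    """Return the program names an autorun.inf would launch, in file order."""
    targets = []
    for line in inf_text.splitlines():
        line = line.strip()
        if "=" not in line or line.startswith((";", "[")):
            continue
        key, _, value = line.partition("=")
        if key.strip().lower() not in TARGET_KEYS:
            continue
        value = value.strip()
        if value.startswith('"'):                 # "quoted name.exe" /args
            prog = value[1:].split('"', 1)[0]
        else:                                      # name.exe /args
            prog = value.split()[0] if value else ""
        if prog:
            targets.append(prog)
    return targets


def clean_removable(mount_point, dry_run=True):
    """List (and unless dry_run, delete) every autorun.inf under mount_point and its launch target."""
    removed = []
    for root, _dirs, files in os.walk(mount_point):
        for name in files:
            if name.lower() != "autorun.inf":
                continue
            inf_path = os.path.join(root, name)
            with open(inf_path, "r", errors="replace") as fh:
                targets = autorun_targets(fh.read())
            for target in targets:
                # Targets are relative to the directory holding autorun.inf; drop any
                # drive-letter prefix and convert Windows separators for Linux.
                rel = re.sub(r"^[A-Za-z]:\\", "", target).replace("\\", os.sep)
                candidate = os.path.join(root, rel)
                if os.path.isfile(candidate):
                    removed.append(candidate)
                    if not dry_run:
                        os.remove(candidate)
            removed.append(inf_path)
            if not dry_run:
                os.remove(inf_path)
    return removed


def build_demo_stick():
    """Constructed sample tree standing in for a mounted USB stick (no real malware)."""
    stick = tempfile.mkdtemp(prefix="stick-")
    with open(os.path.join(stick, "autorun.inf"), "w") as fh:
        fh.write("[autorun]\nopen=2ifetri.cmd\nshellexecute=2ifetri.cmd\n"
                 "shell\\open\\command=2ifetri.cmd\n")
    with open(os.path.join(stick, "2ifetri.cmd"), "w") as fh:
        fh.write(":: constructed placeholder for the demo, not the worm\n")
    with open(os.path.join(stick, "photo.jpg"), "wb") as fh:
        fh.write(b"\xff\xd8\xff")                  # the user's data, must survive
    return stick


def demo():
    """Dry-run, then clean the constructed stick; return what each step saw."""
    stick = build_demo_stick()
    planned = sorted({os.path.basename(p) for p in clean_removable(stick, dry_run=True)})
    untouched = os.path.isfile(os.path.join(stick, "2ifetri.cmd"))
    clean_removable(stick, dry_run=False)
    return {"planned": planned, "untouched_by_dry_run": untouched,
            "left": sorted(os.listdir(stick))}


if __name__ == "__main__":
    print(demo())
```

On a live Knoppix session the stick is typically mounted somewhere under /media; call `clean_removable("/media/<stick>", dry_run=True)` first and read the list before running it with `dry_run=False`. The script deliberately ignores the hidden and system attributes the worm sets, since those are Windows-side metadata that do not affect what Linux can read or delete.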
Posted: 03 Jun 2008 23:56
- nirre
- Super citizen
- Joined: 26 Mar 2005
- Posts: 1489
- Location: Podgorica
There's nothing on the USB (except those nasty files, autorun and that other one), but I delete them and after that the virus shows up again.
Posted: 04 Jun 2008 00:01
- bobby
- Administrator
- Joined: 04 Sep 2003
- Posts: 24135
- Location: Wien
It showed up again?
You deleted autorun.inf and 2ifteri.cmd from Knoppix, and they showed up again after deleting?
Posted: 10 Jun 2008 01:01
- nirre
- Super citizen
- Joined: 26 Mar 2005
- Posts: 1489
- Location: Podgorica
bobby :: It showed up again?
You deleted autorun.inf and 2ifteri.cmd from Knoppix, and they showed up again after deleting?
No, no, I haven't done anything with Knoppix yet; I'm just telling you what the situation is when I delete from Windows.
Update: 10 Jun 2008 0:42
bobby, let me tell you everything that happened with amvo in the meantime.
Namely, I started Linux to clean the flash drives, but while Linux was running from the CD only 1 USB port on the computer worked (and I used it for the mouse), and the keyboard didn't work. I tried plugging the flash drive in there, but it wouldn't work; it didn't recognise at all that it was connected to the computer, so I gave up on that and gave up on the cleaning altogether (I didn't plug the flash drives into the computer at all, because I couldn't be bothered to go through everything with ComboFix again afterwards).
In the meantime I saw on the forum that KIS 2009 had come out and decided to try it; it was also about time I changed NOD32 for a while, I'd had it long enough. I did an update and a full scan and it found some trojans (all the same) in System Volume Information (*see picture) and deleted them, which seemed really strange to me; it found about 11 of them. Then I was forced to connect the phone to the computer even though I didn't want to, because I knew it would infect the computer right away, so I held Shift and plugged the cable into the computer, and what do you know, KIS pops up and deletes 2ifetri, or whatever it's called, and autorun. Then I rescanned the phone with KIS and it found something again (the same trojan KIS had found before), and after that the phone didn't infect my computer. I decided to do the same with every flash drive, and on all 3 it found the same thing (the same trojan) and deleted it, and now I plug the flash drives in without Shift and they don't infect my computer (for now, and I hope they won't later either), which to me means the problem may be solved (because it shows me the hidden files, that's how I know), but I'll still send you the ComboFix log now.
Update: 10 Jun 2008 0:43
I forgot to attach the picture for you.
Update: 10 Jun 2008 1:01
I did the log, but Kaspersky threw up a huge number of those notifications during the scan, and for the first time ComboFix restarted my computer. Anyway, here's the log:
ComboFix 08-06-01.3 - erin 2008-06-10 0:45:32.10 - NTFSx86
Running from: C:\Documents and Settings\erin\Desktop\ComboFix.exe
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((( Files Created from 2008-05-09 to 2008-06-09 )))))))))))))))))))))))))))))))
.
2008-06-09 19:49 . 2008-06-09 19:58 96,966 --a------ C:\WINDOWS\system32\drivers\klin.dat
2008-06-09 19:49 . 2008-06-09 19:58 88,774 --a------ C:\WINDOWS\system32\drivers\klick.dat
2008-06-09 19:48 . 2008-06-09 19:48 <DIR> d-------- C:\Program Files\Kaspersky Lab
2008-06-09 19:48 . 2008-06-09 20:01 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-06-09 19:48 . 2008-06-10 00:49 1,989,152 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2008-06-09 19:48 . 2008-06-10 00:49 229,408 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.dat
2008-06-09 19:48 . 2008-06-10 00:49 17,668 --ahs---- C:\WINDOWS\system32\drivers\fidbox.idx
2008-06-09 19:48 . 2008-06-10 00:49 2,912 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.idx
2008-06-09 19:46 . 2008-06-09 19:46 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab Setup Files
2008-06-08 23:34 . 2008-06-08 23:34 <DIR> d-------- C:\Program Files\Xara
2008-06-08 23:23 . 2008-06-08 23:23 32 --a------ C:\WINDOWS\tdlp32.ini
2008-06-08 19:31 . 2004-08-04 00:56 294,912 --a------ C:\WINDOWS\system32\msh263.drv
2008-06-06 22:22 . 2008-06-06 22:22 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Adobe Systems
2008-06-06 22:21 . 2008-06-06 22:21 <DIR> d-------- C:\Program Files\Common Files\Adobe Systems Shared
2008-06-06 22:20 . 2008-06-06 22:24 <DIR> d-------- C:\Program Files\Common Files\Adobe
2008-06-02 14:54 . 2008-06-03 00:09 250 --a------ C:\WINDOWS\gmer.ini
2008-05-30 06:55 . 2008-05-30 06:55 6,144 --ahs---- C:\WINDOWS\Thumbs.db
2008-05-25 22:44 . 2008-05-25 22:44 <DIR> d-------- C:\Documents and Settings\erin\Application Data\ABBYY
2008-05-25 22:43 . 2008-05-25 22:43 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\ABBYY
2008-05-25 22:40 . 2008-05-25 22:46 <DIR> d-------- C:\Program Files\ABBYY FineReader 7.0 Professional Edition
2008-05-22 22:36 . 2004-05-14 16:53 462,848 --a------ C:\WINDOWS\system32\ltkrn13n.dll
2008-05-22 22:36 . 2004-05-14 16:53 450,560 --a------ C:\WINDOWS\system32\ltimg13n.dll
2008-05-22 22:36 . 2004-05-14 16:53 401,408 --a------ C:\WINDOWS\system32\lfcmp13n.dll
2008-05-22 22:36 . 2004-05-14 16:53 299,008 --a------ C:\WINDOWS\system32\ltdis13n.dll
2008-05-22 22:36 . 2004-01-12 02:09 206,336 --a------ C:\WINDOWS\system32\ltefx13n.dll
2008-05-22 22:36 . 2004-05-14 16:53 163,840 --a------ C:\WINDOWS\system32\ltfil13n.dll
2008-05-22 22:36 . 2003-11-04 15:10 69,632 --a------ C:\WINDOWS\system32\lfgif13n.dll
2008-05-22 22:36 . 2004-05-14 16:53 57,344 --a------ C:\WINDOWS\system32\lfbmp13n.dll
2008-05-21 12:27 . 2008-05-21 12:27 <DIR> d-------- C:\Program Files\Common Files\Skype
2008-05-21 12:27 . 2008-05-21 12:28 <DIR> d-------- C:\Documents and Settings\erin\Application Data\Skype
2008-05-21 12:27 . 2008-05-21 12:27 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Skype
2008-05-21 12:26 . 2008-05-21 12:27 <DIR> d-------- C:\Program Files\Skype
2008-05-20 14:09 . 2008-06-09 19:40 <DIR> d-------- C:\Program Files\Sony Ericsson
2008-05-14 00:11 . 2004-08-04 00:56 221,184 --a------ C:\WINDOWS\system32\wmpns.dll
2008-05-13 10:57 . 2007-07-30 19:19 271,224 --a------ C:\WINDOWS\system32\mucltui.dll
2008-05-13 10:57 . 2007-07-30 19:19 207,736 --a------ C:\WINDOWS\system32\muweb.dll
2008-05-13 10:57 . 2007-07-30 19:19 30,072 --a------ C:\WINDOWS\system32\mucltui.dll.mui
2008-05-12 16:08 . 2008-05-12 16:08 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-05-12 16:08 . 2008-05-25 12:43 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-05-12 16:03 . 2008-05-12 16:04 <DIR> d-------- C:\Program Files\Winamp
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-09 22:02 --------- d-----w C:\Program Files\Mozilla Thunderbird
2008-06-09 20:24 --------- d-----w C:\Documents and Settings\erin\Application Data\LimeWire
2008-06-09 17:41 --------- d-----w C:\Documents and Settings\All Users\Application Data\RFA_Backups
2008-06-08 21:21 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-06-01 11:39 --------- d-----w C:\Program Files\Common Files\Teleca Shared
2008-05-17 17:25 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-04-28 23:10 --------- d-----w C:\Program Files\Common Files\NSV
2008-04-26 11:50 --------- d-----w C:\Program Files\Opera
2008-04-25 16:21 26,964 ----a-w C:\WINDOWS\system32\drivers\klopp.dat
2008-04-20 16:36 --------- d-----w C:\Documents and Settings\erin\Application Data\Teleca
2008-04-16 18:11 --------- d-----w C:\Program Files\Audacity 1.3 Beta
2008-04-16 12:23 112,144 ----a-w C:\WINDOWS\system32\drivers\kl1.sys
.
------- Sigcheck -------
2004-08-04 00:56 14336 8f078ae4ed187aaabc0a305146de6716 C:\WINDOWS\system32\svchost.exe
2004-08-04 00:56 14336 8f078ae4ed187aaabc0a305146de6716 C:\WINDOWS\system32\dllcache\svchost.exe
2004-08-04 00:56 82944 2ed0b7f12a60f90092081c50fa0ec2b2 C:\WINDOWS\system32\ws2_32.dll
2004-08-04 00:56 82944 2ed0b7f12a60f90092081c50fa0ec2b2 C:\WINDOWS\system32\dllcache\ws2_32.dll
2004-08-04 00:56 502272 01c3346c241652f43aed8e2149881bfe C:\WINDOWS\system32\winlogon.exe
2004-08-04 00:56 502272 01c3346c241652f43aed8e2149881bfe C:\WINDOWS\system32\dllcache\winlogon.exe
2004-08-03 23:14 182912 558635d3af1c7546d26067d5d9b6959e C:\WINDOWS\system32\dllcache\ndis.sys
2004-08-03 23:14 182912 558635d3af1c7546d26067d5d9b6959e C:\WINDOWS\system32\drivers\ndis.sys
2004-08-03 23:00 29056 4448006b6bc60e6c027932cfc38d6855 C:\WINDOWS\system32\dllcache\ip6fw.sys
2004-08-03 23:00 29056 4448006b6bc60e6c027932cfc38d6855 C:\WINDOWS\system32\drivers\ip6fw.sys
2004-08-04 00:56 108032 c6ce6eec82f187615d1002bb3bb50ed4 C:\WINDOWS\system32\services.exe
2004-08-04 00:56 108032 c6ce6eec82f187615d1002bb3bb50ed4 C:\WINDOWS\system32\dllcache\services.exe
2004-08-04 00:56 13312 84885f9b82f4d55c6146ebf6065d75d2 C:\WINDOWS\system32\lsass.exe
2004-08-04 00:56 13312 84885f9b82f4d55c6146ebf6065d75d2 C:\WINDOWS\system32\dllcache\lsass.exe
2004-08-04 00:56 15360 24232996a38c0b0cf151c2140ae29fc8 C:\WINDOWS\system32\ctfmon.exe
2004-08-04 00:56 15360 24232996a38c0b0cf151c2140ae29fc8 C:\WINDOWS\system32\dllcache\ctfmon.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{59273AB4-E7D3-40F9-A1A8-6FA9CCA1862C}]
2008-04-25 18:22 62728 --a------ C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\ievkbd.dll
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56 15360]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVP"="C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe" [2008-04-25 18:21 201992]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.YV12"= yv12vfw.dll
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=
"C:\\Documents and Settings\\All Users\\Application Data\\Kaspersky Lab Setup Files\\Kaspersky Internet Security 2009\\english\\setup.exe"=
R0 klbg;Kaspersky Lab Boot Guard Driver;C:\WINDOWS\system32\drivers\klbg.sys [2008-01-29 18:29]
R3 KLFLTDEV;Kaspersky Lab KLFltDev;C:\WINDOWS\system32\DRIVERS\klfltdev.sys [2008-03-13 19:02]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;C:\WINDOWS\system32\DRIVERS\klim5.sys [2008-03-25 20:07]
R3 SNPHV71;PC Camera (602a VGA);C:\WINDOWS\system32\DRIVERS\snphv71.sys [2002-11-08 18:24]
.
**************************************************************************
catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-10 00:51:15
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
.
**************************************************************************
.
Completion time: 2008-06-10 0:58:32 - machine was rebooted
ComboFix-quarantined-files.txt 2008-06-09 22:58:25
Pre-Run: 15,472,021,504 bytes free
Post-Run: 15,407,239,168 bytes free
134 --- E O F --- 2008-06-01 11:45:49