[bobby] Help, I think I've got VIRUSES!


offline
  • Joined: 28 Jun 2008
  • Posts: 61

Here, I somehow managed to pack it and upload it!

offline
  • Joined: 04 Sep 2003
  • Posts: 24135
  • Location: Wien

Then hold off on the script until I've looked at the file.

Addendum: 18 Oct 2008 23:17

Do as I wrote in the previous message (run that script). The file you uploaded is adware.

offline
  • Joined: 28 Jun 2008
  • Posts: 61

ComboFix 08-10-17.01 - Hum 2008-10-18 23:16:10.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1250.1.1033.18.2016 [GMT 2:00]
Running from: C:\Documents and Settings\Hum\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Hum\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\WINDOWS\system32\algg.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\algg.exe

.
((((((((((((((((((((((((( Files Created from 2008-09-18 to 2008-10-18 )))))))))))))))))))))))))))))))
.

2008-10-18 10:16 . 2008-10-18 10:19 <DIR> d-------- C:\WINDOWS\system32\675873
2008-10-18 02:34 . 2008-10-18 02:49 <DIR> d-------- C:\Program Files\WAV
2008-10-18 02:28 . 2008-10-18 09:20 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-10-18 02:23 . 2008-10-18 10:19 <DIR> d-------- C:\Program Files\Applications
2008-10-15 16:30 . 2008-08-14 12:11 2,189,184 -----c--- C:\WINDOWS\system32\dllcache\ntoskrnl.exe
2008-10-15 16:30 . 2008-08-14 12:09 2,145,280 -----c--- C:\WINDOWS\system32\dllcache\ntkrnlmp.exe
2008-10-15 16:30 . 2008-08-14 11:33 2,066,048 -----c--- C:\WINDOWS\system32\dllcache\ntkrnlpa.exe
2008-10-15 16:30 . 2008-08-14 11:33 2,023,936 -----c--- C:\WINDOWS\system32\dllcache\ntkrpamp.exe
2008-09-25 09:16 . 2008-09-25 09:16 <DIR> d-------- C:\Documents and Settings\Hum\Application Data\BitDefender
2008-09-25 09:15 . 2008-09-25 09:16 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\BitDefender
2008-09-25 09:12 . 2008-09-25 09:14 <DIR> d-------- C:\WINDOWS\SxsCaPendDel
2008-09-24 20:58 . 2008-09-24 20:58 <DIR> d-------- C:\Program Files\Alwil Software

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-10-18 21:18 81,984 ----a-w C:\WINDOWS\system32\bdod.bin
2008-10-18 06:58 --------- d-----w C:\Documents and Settings\Hum\Application Data\Skype
2008-10-18 06:57 --------- d-----w C:\Documents and Settings\Hum\Application Data\skypePM
2008-10-09 11:08 --------- d-----w C:\Documents and Settings\Hum\Application Data\BSplayer PRO
2008-09-25 07:15 --------- d-----w C:\Program Files\BitDefender
2008-09-19 15:34 --------- d-----w C:\Program Files\Google
2008-09-17 22:29 --------- d-----w C:\Documents and Settings\Hum\Application Data\Ahead
2008-09-15 12:12 1,846,400 ----a-w C:\WINDOWS\system32\win32k.sys
2008-09-08 10:41 333,824 ----a-w C:\WINDOWS\system32\drivers\srv.sys
2008-08-31 23:03 --------- d-----w C:\Program Files\Ares
2008-08-31 23:00 --------- d-----w C:\Program Files\Ares Vista
2008-08-29 08:58 --------- d-----w C:\Program Files\Virtual Earth 3D
2008-08-23 10:31 --------- d-----w C:\Program Files\EA SPORTS
2008-08-20 05:30 666,112 ----a-w C:\WINDOWS\system32\wininet.dll
2008-08-14 10:09 2,145,280 ----a-w C:\WINDOWS\system32\ntoskrnl.exe
2008-08-14 09:33 2,023,936 ----a-w C:\WINDOWS\system32\ntkrnlpa.exe
2008-07-25 08:00 32 ----a-w C:\Documents and Settings\All Users\Application Data\ezsid.dat
2008-07-19 12:07 107,888 ----a-w C:\WINDOWS\system32\CmdLineExt.dll
2008-07-18 20:10 94,920 ----a-w C:\WINDOWS\system32\cdm.dll
2008-07-18 20:10 53,448 ----a-w C:\WINDOWS\system32\wuauclt.exe
2008-07-18 20:10 45,768 ----a-w C:\WINDOWS\system32\wups2.dll
2008-07-18 20:10 36,552 ----a-w C:\WINDOWS\system32\wups.dll
2008-07-18 20:09 563,912 ----a-w C:\WINDOWS\system32\wuapi.dll
2008-07-18 20:09 325,832 ----a-w C:\WINDOWS\system32\wucltui.dll
2008-07-18 20:09 205,000 ----a-w C:\WINDOWS\system32\wuweb.dll
2008-07-18 20:09 1,811,656 ----a-w C:\WINDOWS\system32\wuaueng.dll
2008-07-18 20:07 270,880 ----a-w C:\WINDOWS\system32\mucltui.dll
2008-07-18 20:07 210,976 ----a-w C:\WINDOWS\system32\muweb.dll
.

((((((((((((((((((((((((((((( snapshot_2008-10-18_10.23.33.98 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-10-18 07:01:33 66,710 ----a-w C:\WINDOWS\system32\perfc009.dat
+ 2008-10-18 13:31:16 66,710 ----a-w C:\WINDOWS\system32\perfc009.dat
- 2008-10-18 07:01:33 427,926 ----a-w C:\WINDOWS\system32\perfh009.dat
+ 2008-10-18 13:31:16 427,926 ----a-w C:\WINDOWS\system32\perfh009.dat
- 2008-10-18 08:19:35 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_354.dat
+ 2008-10-18 21:19:23 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_354.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" [2007-10-18 5724184]
"AdobeUpdater"="C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe" [2008-07-26 2321600]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2008-04-14 15360]

C:\Documents and Settings\Hum\Start Menu\Programs\Startup\
Adobe Gamma.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-03-16 113664]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe [2006-10-23 40048]
Adobe Reader Synchronizer.lnk - C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe [2006-10-23 734872]
Bluetooth.lnk - C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe [2007-04-01 568176]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.l3fhg"= mp3fhg.acm
"msacm.divxa32"= divxa32.acm
"VIDC.X264"= x264vfw.dll
"VIDC.HFYU"= huffyuv.dll
"vidc.i263"= i263_32.drv

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 nwprovau

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Sports Interactive\\Football Manager 2008\\fm.exe"=
"C:\\Program Files\\VoipCheapCom\\VoipCheapCom.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"C:\\Program Files\\KONAMI\\Pro Evolution Soccer 2008\\BIHPL.exe"=
"C:\\Program Files\\KONAMI\\Pro Evolution Soccer 2008\\PES2008.exe"=
"C:\\Program Files\\Ares Vista\\Ares.exe"=
"C:\\Program Files\\Ares\\Ares.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=

R0 iastor78;iastor78;C:\WINDOWS\system32\drivers\iastor78.sys [2008-06-08 308248]
R1 aswSP;avast! Self Protection;C:\WINDOWS\system32\drivers\aswSP.sys [2008-07-19 78416]
R2 aswFsBlk;aswFsBlk;C:\WINDOWS\system32\DRIVERS\aswFsBlk.sys [2008-07-19 20560]
R3 Bdfndisf;BitDefender Firewall NDIS Filter Service;C:\WINDOWS\system32\DRIVERS\bdfndisf.sys [2008-06-02 86792]
S3 usnjsvc;Messenger Sharing Folders USN Journal Reader service;C:\Program Files\Windows Live\Messenger\usnsvc.exe [2007-10-18 98328]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bdx REG_MULTI_SZ scan
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, gmer.net
Rootkit scan 2008-10-18 23:19:41
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\savedump.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Common Files\BitDefender\BitDefender Communicator\xcommsvr.exe
C:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe
C:\Program Files\BitDefender\BitDefender 2008\vsserv.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\verclsid.exe
.
**************************************************************************
.
Completion time: 2008-10-18 23:24:05 - machine was rebooted
ComboFix-quarantined-files.txt 2008-10-18 21:24:01
ComboFix2.txt 2008-10-18 09:26:22
ComboFix3.txt 2008-10-18 08:24:01

Pre-Run: 16.594.989.056 bytes free
Post-Run: 16,581,480,448 bytes free

144 --- E O F --- 2008-10-18 07:02:44

Addendum: 18 Oct 2008 23:28

Done! ;)

offline
  • Joined: 04 Sep 2003
  • Posts: 24135
  • Location: Wien

Open Notepad and copy in the following text:
dir "C:\Program Files\WAV\" /S > c:\log.txt
notepad c:\log.txt
del c:\log.txt


Save the file to disk under the name look.bat and start it with a double-click.
Post here the log that appears on the screen.

offline
  • Joined: 28 Jun 2008
  • Posts: 61

Here's the log:

Volume in drive C has no label.
Volume Serial Number is 5494-0D2D

Directory of C:\Program Files\WAV

18.10.2008 02:49 <DIR> .
18.10.2008 02:49 <DIR> ..
17.10.2008 17:39 117.248 wav.cpl
05.06.2008 11:25 3 wav.ooo
10.09.2008 17:04 33.868 wav1.dat
3 File(s) 151.119 bytes

Total Files Listed:
3 File(s) 151.119 bytes
2 Dir(s) 16.592.121.856 bytes free

offline
  • Joined: 04 Sep 2003
  • Posts: 24135
  • Location: Wien

Delete the following folders:
C:\Program Files\WAV
C:\WINDOWS\system32\675873

Are there any visible symptoms left?

offline
  • Joined: 28 Jun 2008
  • Posts: 61

No symptoms! Thanks a lot!

Addendum: 19 Oct 2008 0:33

Deleted! If anything else is needed, I'm listening...

offline
  • Joined: 04 Sep 2003
  • Posts: 24135
  • Location: Wien

Let's uninstall ComboFix, since we won't need it anymore:

Click START, then RUN
In the text box type Combofix /u and click OK

Wait for the uninstall process to finish

The above procedure will:
Delete the following:
ComboFix and its files and folders
VundoFix Backups folder, if it exists
C:\Deckard folder, if it exists
C:\OtMoveIt folder, if it exists

Reset the computer's clock settings
Hide file extensions, if needed
Hide system/hidden files/folders, if needed
Reset System Restore

You can uninstall HijackThis from Add/Remove Programs (Control Panel)
