[bobby]IE problem

• 0Niko još nije pohvalio poruku.
  Registruj se da bi pohvalio/la poruku!

Sad mi tek ništa nije jasno. Čuvam zadnji sken ComboFix-a. i kad izbacim notepad na desk. ne mogu u njemu da otvorim CFSript.txt . Jedino da opet tražim sve što si mi u prethodnoj poruci rekao pa da opet skeniram?

• 0Niko još nije pohvalio poruku.
  Registruj se da bi pohvalio/la poruku!

Sumnjam da je mozda ovaj malware napravljen da sabotira ComboFix.
Probacemo jedan drugi program slicne namene:

Preuzmi The Avenger na Desktop.
Raspakuj arhivu u neki folder


Dvoklikom pokreni avenger.exe

Iskopiraj tekst koji se nalazi unutar Kod polja u (beli) prozor programa:

Files to delete:
c:\windows\system32\dk\calling.com

Folders to delete:
c:\documents and settings\MAHA\Application Data\VirusRemover2008
c:\program files\WebMediaViewer

Registry keys to delete:
HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{64466B8E-20A7-4A4A-AFF4-AAD9CA68B52C}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar\{2EEF94DF-75F6-42E9-B7FB-AF5A170A6E2E}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WinReg
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\msennger
HKEY_LOCAL_MACHINE\software\microsoft\windows\Currentversion\policies\explorer\Run\QuickTime Task
HKEY_LOCAL_MACHINE\software\microsoft\windows\Currentversion\policies\explorer\Run\VMware hptray

Klikni Execute, a zatim Yes u sledeća dva prozora koji će se otvoriti

Kompjuter će se restartovati (u određenim slučajevima: dva puta) i započeti će proces čišćenja/skeniranja

Kada proces bude završen, logfile C:\avenger.txt će se otvoriti u Notepad-u
Iskopiraj sadržaj dobijenog loga u temu na forumu.

• 0Niko još nije pohvalio poruku.
  Registruj se da bi pohvalio/la poruku!

Kad iskopiram tekst koji se nalazi unutar Kod polja i prebacim u avenger pa kliknem execute pojavi se Error: Invalid Script!!!

• 0Niko još nije pohvalio poruku.
  Registruj se da bi pohvalio/la poruku!

Probaj ovako:
Files to delete:
c:\windows\system32\dk\calling.com

Folders to delete:
c:\documents and settings\MAHA\Application Data\VirusRemover2008
c:\program files\WebMediaViewer

Registry keys to delete:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{64466B8E-20A7-4A4A-AFF4-AAD9CA68B52C}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar\{2EEF94DF-75F6-42E9-B7FB-AF5A170A6E2E}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WinReg
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\msennger
HKEY_LOCAL_MACHINE\software\microsoft\windows\Currentversion\policies\explorer\Run\QuickTime Task
HKEY_LOCAL_MACHINE\software\microsoft\windows\Currentversion\policies\explorer\Run\VMware hptray

• 0Niko još nije pohvalio poruku.
  Registruj se da bi pohvalio/la poruku!

Opet isto??

• 0Niko još nije pohvalio poruku.
  Registruj se da bi pohvalio/la poruku!

Probaj onda samo ovo:
Files to delete:
c:\windows\system32\dk\calling.com

Folders to delete:
c:\documents and settings\MAHA\Application Data\VirusRemover2008
c:\program files\WebMediaViewer

Dopuna: 17 Nov 2008 21:11

Maha, kazi mi koji si program koristio za pisanje CFScripta?
Da nisi kojim slucajem snimao fajl u Unicode/UTF formatu, ili da si koristio neku ne-englesku kodnu stranicu?

• 0Niko još nije pohvalio poruku.
  Registruj se da bi pohvalio/la poruku!

Isto...ništa! jbg zar sam toliki maler!

• 0Niko još nije pohvalio poruku.
  Registruj se da bi pohvalio/la poruku!

Uloguj se preko Facebooka da bi skinuo fajl:

Neka moja teorija je da taj malware brani pisanje skriptova.
Probaj da skines skript odavde i da ga prevuces na ComboFix, mozda uspemo tako:
[Link mogu videti samo ulogovani korisnici]

• 0Niko još nije pohvalio poruku.
  Registruj se da bi pohvalio/la poruku!

Evo sken-a. ComboFix 08-11-16.01 - MAHA 2008-11-17 21:20:13.5 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1482 [GMT 1:00]
Running from: c:\documents and settings\MAHA\Desktop\C-F.exe
Command switches used :: c:\documents and settings\MAHA\Desktop\CFScript.txt
* Created a new restore point

FILE ::
c:\windows\system32\dk\calling.com
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\MAHA\Application Data\VirusRemover2008
c:\program files\WebMediaViewer
c:\program files\WebMediaViewer\browseu.exe
c:\program files\WebMediaViewer\browseul.dll
c:\program files\WebMediaViewer\hpmom.exe
c:\program files\WebMediaViewer\hpmon.exe
c:\program files\WebMediaViewer\hpmun.dll
c:\program files\WebMediaViewer\hpmun.exe
c:\program files\WebMediaViewer\myd.ico
c:\program files\WebMediaViewer\mym.ico
c:\program files\WebMediaViewer\myp.ico
c:\program files\WebMediaViewer\myv.ico
c:\program files\WebMediaViewer\ot.ico
c:\program files\WebMediaViewer\qttask.exe
c:\program files\WebMediaViewer\qttaskm.exe
c:\program files\WebMediaViewer\qttasku.exe
c:\program files\WebMediaViewer\ts.ico
c:\windows\system32\dk\calling.com

.
((((((((((((((((((((((((( Files Created from 2008-10-17 to 2008-11-17 )))))))))))))))))))))))))))))))
.

2008-11-16 08:55 . 2008-11-16 22:29 <DIR> d-------- c:\documents and settings\All Users\Application Data\Digsby
2008-11-16 08:52 . 2008-11-16 22:29 <DIR> d-------- c:\documents and settings\MAHA\Application Data\Digsby
2008-11-15 21:45 . 2008-11-15 21:45 165 --a------ c:\documents and settings\All Users\Application Data\service.dat
2008-11-15 12:55 . 2008-11-15 12:55 <DIR> d-------- c:\documents and settings\All Users\Application Data\Yahoo! Companion
2008-11-14 13:28 . 2008-11-14 13:28 <DIR> d-------- c:\documents and settings\All Users\Application Data\LogiShrd
2008-11-14 13:25 . 2008-05-02 02:38 301,656 --a------ c:\windows\system32\BtCoreIf.dll
2008-11-14 13:24 . 2008-11-14 13:25 <DIR> d-------- c:\program files\Common Files\Logishrd
2008-11-14 13:24 . 2008-11-14 13:24 <DIR> d-------- c:\documents and settings\MAHA\Application Data\InstallShield
2008-11-14 12:42 . 2008-11-14 12:42 <DIR> d-------- c:\program files\MyRealGames.com
2008-11-14 08:11 . 2008-11-14 08:11 <DIR> d-------- C:\Games
2008-11-14 08:01 . 2008-11-14 08:01 <DIR> d-------- c:\program files\FormatFactory
2008-11-14 07:36 . 2008-11-14 07:36 <DIR> d-------- c:\program files\Universal Extractor
2008-11-13 21:04 . 2008-11-13 21:04 <DIR> d-------- c:\program files\Stereoscopic Player
2008-11-13 21:04 . 2008-11-13 21:04 <DIR> d-------- c:\documents and settings\MAHA\Application Data\Stereoscopic Player
2008-11-10 07:29 . 2008-11-10 07:29 <DIR> d-------- c:\documents and settings\MAHA\Application Data\Ashampoo
2008-11-10 07:28 . 2008-11-10 07:28 <DIR> d-------- c:\program files\Ashampoo
2008-11-10 07:28 . 2008-11-10 07:28 <DIR> d-------- c:\documents and settings\All Users\Application Data\ashampoo
2008-10-27 21:14 . 2008-10-27 21:15 <DIR> d-------- c:\program files\CCleaner
2008-10-27 20:50 . 2008-11-11 13:51 <DIR> d-------- c:\program files\Readon Technology

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-11-17 20:20 --------- d-----w c:\documents and settings\MAHA\Application Data\uTorrent
2008-11-17 16:58 --------- d-----w c:\program files\FreeGamePick.com
2008-11-16 20:15 --------- d-----w c:\documents and settings\MAHA\Application Data\Free Download Manager
2008-11-15 18:00 --------- d-----w c:\documents and settings\All Users\Application Data\Avg8
2008-11-15 12:06 --------- d-----w c:\program files\AskTBar
2008-11-14 12:25 --------- d-----w c:\program files\Common Files\Logitech
2008-11-14 12:24 --------- d--h--w c:\program files\InstallShield Installation Information
2008-11-14 06:42 --------- d-----w c:\program files\Google
2008-10-27 20:15 --------- d-----w c:\program files\Yahoo!
2008-03-24 06:14 3,140 --sha-w c:\documents and settings\All Users\Application Data\KGyGaAvL.sys
2008-03-24 06:10 88 --sh--r c:\documents and settings\All Users\Application Data\45B6F09A85.sys
2008-01-18 21:18 47,360 ----a-w c:\documents and settings\MAHA\Application Data\pcouffin.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{9CB65206-89C4-402c-BA80-02D8C59F9B1D}"= "c:\program files\AskTBar\SrchAstt\1.bin\A5SRCHAS.DLL" [2008-01-29 57344]

[HKEY_CLASSES_ROOT\clsid\{9cb65206-89c4-402c-ba80-02d8c59f9b1d}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Free Download Manager"="c:\program files\Free Download Manager\fdm.exe" [2007-10-08 2445359]
"Free Upload Manager"="c:\program files\Free Download Manager\fum\fum.exe" [2007-07-30 253952]
"Free Uploader Oe Integration"="c:\program files\Free Download Manager\FUM\fumoei.exe" [2007-06-11 40960]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"DAEMON Tools Pro Agent"="c:\program files\DAEMON Tools Pro\DTProAgent.exe" [2007-09-06 136136]
"AlcoholAutomount"="c:\program files\Alcohol Soft\Alcohol 120\axcmd.exe" [2008-01-22 4608]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-08-04 1667584]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2007-02-08 71216]
"LanguageShortcut"="c:\program files\CyberLink\PowerDVD\Language\Language.exe" [2007-02-08 54832]
"Gainward"="c:\windows\TBPanel.exe" [2007-06-26 2173480]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-05-10 8429568]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-05-10 81920]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-11 39792]
"flockbox"="c:\program files\My Lockbox\flockbox.exe" [2007-12-15 1071472]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"{0228e555-4f9c-4e35-a3ec-b109a192b4c2}"="c:\program files\Google\Gmail Notifier\gnotify.exe" [2005-07-15 479232]
"VirtualCloneDrive"="c:\program files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe" [2006-04-29 94208]
"D-Link AirPlus G"="c:\program files\D-Link\AirPlus G\AirGCFG.exe" [2005-11-23 1544192]
"ANIWZCS2Service"="c:\program files\ANI\ANIWZCS2 Service\WZCSLDR2.exe" [2005-10-19 49152]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2008-10-25 1234712]
"nwiz"="nwiz.exe" [2007-05-10 c:\windows\system32\nwiz.exe]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2008-02-29 c:\windows\KHALMNPR.Exe]
"CTHelper"="CTHELPER.EXE" [2006-08-17 c:\windows\CTHELPER.EXE]
"CTxfiHlp"="CTXFIHLP.EXE" [2006-08-17 c:\windows\system32\CTXFIHLP.EXE]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Logitech Desktop Messenger.lnk - c:\program files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe [2008-02-27 67128]
Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\SetPoint.exe [2008-11-14 805392]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
2008-05-02 02:42 72208 c:\program files\Common Files\Logitech\Bluetooth\LBTWLgn.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.ACDV"= ACDV.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\CyberLink\\PowerDVD\\PowerDVD.exe"=
"c:\\Program Files\\uTorrent\\utorrent.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=

R0 MPRIFL;MPRIFL;c:\windows\system32\DRIVERS\MPRIFL.SYS [2008-01-27 17264]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\Drivers\avgldx86.sys [2008-08-11 97928]
R2 {95808DC4-FA4A-4c74-92FE-5B863F82066B};{95808DC4-FA4A-4c74-92FE-5B863F82066B};\??\c:\program files\CyberLink\PowerDVD\000.fcl [2006-11-03 01:51:58 13560]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2008-08-11 231704]
R3 ha20x2k;Creative 20X HAL Driver;c:\windows\system32\drivers\ha20x2k.sys [2006-08-17 1110528]
S3 SkLaggProtocol;Marvell Link Aggregation Protocol (LAGG) Support;c:\windows\system32\DRIVERS\yk51lagg.sys []
S3 SkVlanProtocol;Marvell Virtual LAN (VLAN) Support;c:\windows\system32\DRIVERS\skvlan.sys [2006-05-17 19328]

*Newly Created Service* - CATCHME
*Newly Created Service* - PROCEXP90
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [Link mogu videti samo ulogovani korisnici]
Rootkit scan 2008-11-17 21:20:53
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\{95808DC4-FA4A-4c74-92FE-5B863F82066B}]
"ImagePath"="\??\c:\program files\CyberLink\PowerDVD\000.fcl"
.
Completion time: 2008-11-17 21:21:23
ComboFix-quarantined-files.txt 2008-11-17 20:21:19
ComboFix2.txt 2008-11-17 18:55:05
ComboFix3.txt 2008-11-16 21:53:21
ComboFix4.txt 2008-11-16 21:14:07
ComboFix5.txt 2008-11-17 20:19:59

Pre-Run: 96,902,098,944 bytes free
Post-Run: 96,889,376,768 bytes free

153

• 0Niko još nije pohvalio poruku.
  Registruj se da bi pohvalio/la poruku!

Aleluja
konacno je odradio posao.

Nisi mi gore odgovorio na pitanje - koji si program koristio za pisanje CFScripta?