MSN is sending messages on its own?

  • Joined: 04 Sep 2003
  • Posts: 24135
  • Location: Wien

Download the program Flash_Disinfector.

The program is started by double-clicking Flash_Disinfector.exe.
When the notification message appears, plug in the infected USB flash drives (hold the Shift key down while doing so, to prevent autoplay).
Click OK and wait for the process to finish.
When the message Done !! appears, click OK.


======================================

Open Notepad and copy the following text into it:

File::
C:\WINDOWS\system32\nqlsapi.dll
C:\WINDOWS\system32\wmiwrop.dll
C:\WINDOWS\system32\ajoy.dll

Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows MSN Live Messanger"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"UpdateCheck"=-
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{85b83b2c-e861-11dc-a9e0-001d6015f2c4}]



Save the file from Notepad to the Desktop as "CFScript"




Drag the saved script/text file onto the ComboFix icon as shown in the picture.
In your next message, post the log that is produced at the end of the cleaning/scanning.
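The reason the post says to hold Shift while inserting the infected sticks is that autoplay reads the drive's autorun.inf and runs whatever its launch entries point to. The script below is an added example, not code from the thread and not Flash_Disinfector's own logic (the post does not describe the tool's internals); it lists those launch entries for a drive root. The drive root is passed as a path, so it also runs offline against an ordinary directory, and the autorun.inf it writes for the demonstration is constructed, with the junk line and mixed-case keys that worm-written files often carry to trip strict INI parsers.

```python
"""List the launch entries in a drive's autorun.inf (added example, see lead-in)."""
import os
import tempfile

# Keys in [autorun] that make autoplay, or a double-click on the drive, execute something.
LAUNCH_KEYS = {"open", "shellexecute", "shell",
               "shell\\open\\command", "shell\\explore\\command", "shell\\auto\\command"}

# Constructed sample: target path and junk line are made up for this example.
SAMPLE_AUTORUN = (b"[AutoRun]\r\n"
                  b"\xff\x00\xfe junk line without an equals sign\r\n"
                  b"Open=RECYCLER\\setup.exe\r\n"
                  b"ShellExecute=RECYCLER\\setup.exe\r\n"
                  b"shell\\Open\\Command=RECYCLER\\setup.exe\r\n"
                  b"icon=%SystemRoot%\\system32\\SHELL32.dll,4\r\n"
                  b"UseAutoPlay=1\r\n")


def parse_autorun(data):
    """Tolerant parser for the [autorun] section: skips junk lines, lower-cases keys."""
    entries, in_autorun = {}, False
    for raw in data.decode("latin-1").splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_autorun = line[1:-1].strip().lower() == "autorun"
        elif in_autorun and "=" in line:
            key, value = line.split("=", 1)
            entries[key.strip().lower()] = value.strip()
    return entries


def launch_targets(entries):
    """Keep only the entries that cause code to run; icon/label/UseAutoPlay are dropped."""
    return {k: v for k, v in entries.items() if k in LAUNCH_KEYS}


def scan_drive(root):
    """Return launch targets from <root>/autorun.inf ({} if it has none), or None if absent.

    The file name is matched case-insensitively, since FAT sticks mounted on
    non-Windows hosts may present it as AUTORUN.INF."""
    names = {n.lower(): n for n in os.listdir(root)}
    if "autorun.inf" not in names:
        return None
    with open(os.path.join(root, names["autorun.inf"]), "rb") as fh:
        return launch_targets(parse_autorun(fh.read()))


def demo():
    """Write the constructed sample into a temporary 'drive' and scan it."""
    with tempfile.TemporaryDirectory() as root:
        with open(os.path.join(root, "autorun.inf"), "wb") as fh:
            fh.write(SAMPLE_AUTORUN)
        return scan_drive(root)


if __name__ == "__main__":
    for key, target in sorted(demo().items()):
        print(f"{key} -> {target}")
```

For a real stick, call scan_drive("E:\\") (or the mount point on another OS) before opening the drive; any non-empty result is the file the disinfection step removes, and the target it names is the sample to keep for analysis.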

  • Joined: 10 Jan 2008
  • Posts: 24
  • Location: Beograd

ComboFix 08-06-16.5 - jelena 2008-06-20 21:09:41.4 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.66 [GMT 2:00]
Running from: C:\Documents and Settings\jelena\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\jelena\Desktop\CFScript.txt

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\WINDOWS\system32\ajoy.dll
C:\WINDOWS\system32\nqlsapi.dll
C:\WINDOWS\system32\wmiwrop.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\ajoy.dll
C:\WINDOWS\system32\drivers\npf.sys
C:\WINDOWS\system32\nqlsapi.dll
C:\WINDOWS\system32\packet.dll
C:\WINDOWS\system32\pthreadVC.dll
C:\WINDOWS\system32\wanpacket.dll
C:\WINDOWS\system32\wmiwrop.dll
C:\WINDOWS\system32\wpcap.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_NPF
-------\Service_NPF


((((((((((((((((((((((((( Files Created from 2008-05-20 to 2008-06-20 )))))))))))))))))))))))))))))))
.

2008-06-20 21:01 . 2008-06-20 21:01 386 --a------ C:\6D73776D706461742E746C62FA.tmp
2008-06-20 19:49 . 2008-06-20 19:49 <DIR> d-------- C:\Program Files\WinPcap
2008-06-17 22:11 . 2008-06-17 22:11 <DIR> d-------- C:\deljob
2008-06-17 21:25 . 2008-06-17 21:25 <DIR> d-------- C:\WINDOWS\system32\xircom
2008-06-17 21:25 . 2008-06-17 21:25 <DIR> d-------- C:\WINDOWS\system32\restore
2008-06-17 21:25 . 2008-06-17 21:25 <DIR> d-------- C:\WINDOWS\srchasst
2008-06-17 21:25 . 2008-06-17 21:25 <DIR> d-------- C:\Program Files\microsoft frontpage
2008-06-17 18:52 . 2008-06-17 18:52 <DIR> d-------- C:\Program Files\Real
2008-06-12 23:43 . 2008-06-13 20:14 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-06-12 23:43 . 2008-06-12 23:43 1,409 --a------ C:\WINDOWS\QTFont.for
2008-06-11 14:59 . 2008-04-14 13:01 272,128 --------- C:\WINDOWS\system32\drivers\bthport.sys
2008-06-11 14:59 . 2008-04-14 13:01 272,128 --------- C:\WINDOWS\system32\DllCache\bthport.sys
2008-05-27 19:51 . 2008-05-27 19:55 <DIR> d-------- C:\Program Files\LimeWire
2008-05-27 19:51 . 2008-05-27 20:01 <DIR> d-------- C:\Documents and Settings\jelena\Application Data\LimeWire
2008-05-24 23:09 . 2008-05-24 23:09 <DIR> d-------- C:\Program Files\Octoshape Streaming Services
2008-05-20 23:48 . 2008-06-15 17:38 <DIR> d-------- C:\Documents and Settings\jelena\Application Data\BearShare
2008-05-20 23:47 . 2008-05-20 23:48 <DIR> d-------- C:\Program Files\BearShare Applications

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-20 19:02 --------- d-----w C:\Documents and Settings\jelena\Application Data\OpenOffice.org2
2008-06-17 17:01 --------- d-----w C:\Program Files\MSN Messenger
2008-06-17 17:00 --------- d-----w C:\Documents and Settings\All Users\Application Data\WLInstaller
2008-06-10 20:31 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-06-02 16:01 --------- d-----w C:\Program Files\Java
2008-05-30 15:43 --------- d-----w C:\Documents and Settings\jelena\Application Data\Ahead
2008-05-27 18:00 --------- d-----w C:\Program Files\Internet Download Manager
2008-05-08 12:28 202,752 ----a-w C:\WINDOWS\system32\drivers\rmcast.sys
2008-05-08 12:28 202,752 ------w C:\WINDOWS\system32\DllCache\rmcast.sys
2008-05-07 21:16 --------- d-----w C:\Program Files\Windows Media Connect 2
2008-05-07 04:55 1,288,192 ----a-w C:\WINDOWS\system32\quartz.dll
2008-05-07 04:55 1,288,192 ------w C:\WINDOWS\system32\DllCache\quartz.dll
2008-05-05 13:43 --------- d-----w C:\Documents and Settings\All Users\Application Data\Bluetooth
2008-04-17 10:46 18,432 ------w C:\WINDOWS\system32\DllCache\iedw.exe
2008-03-27 08:12 151,583 ----a-w C:\WINDOWS\system32\msjint40.dll
2008-03-27 08:12 151,583 ------w C:\WINDOWS\system32\DllCache\msjint40.dll
.

------- Sigcheck -------

2006-08-25 16:19 502272 6225f14b8ce08ccba8b25ad27843c674 C:\WINDOWS\system32\winlogon.exe
.
((((((((((((((((((((((((((((( snapshot@2008-06-17_21.22.56.42 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-06-17 17:05:00 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-06-20 19:13:36 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2005-10-20 18:02:28 163,328 ----a-w C:\WINDOWS\erdnt\subs\ERDNT.EXE
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"StartCCC"="C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2006-11-10 13:35 90112]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2006-10-09 12:28 139264]
"msnmsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.exe" [2007-10-18 11:34 5724184]
"IncrediMail"="C:\Program Files\IncrediMail\bin\IncMail.exe" [2008-02-25 14:07 243072]
"Picasa Media Detector"="C:\Program Files\Picasa2\PicasaMediaDetector.exe" [2007-10-23 23:18 443968]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 06:56 15360]
"Octoshape Streaming Services"="C:\Program Files\Octoshape Streaming Services\jelena\OctoshapeClient.exe" [2006-02-13 18:33 214648]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LClock"="C:\Program Files\LClock\LClock.exe" [2004-09-19 13:27 65536]
"Vistadrv"="C:\WINDOWS\system32\vsdrv.exe" [2006-07-30 04:37 121089]
"HControl"="C:\WINDOWS\ATK0100\HControl.exe" [2006-10-14 11:37 110592]
"RTHDCPL"="RTHDCPL.EXE" [2006-10-30 13:49 16269312 C:\WINDOWS\RTHDCPL.EXE]
"SkyTel"="SkyTel.EXE" [2006-05-16 12:04 2879488 C:\WINDOWS\SkyTel.exe]
"SMSERIAL"="C:\WINDOWS\sm56hlpr.exe" [2006-03-21 16:54 544768]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2006-05-25 14:02 786521]
"NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 17:40 155648]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]

C:\Documents and Settings\jelena\Start Menu\Programs\Startup\
CCC.lnk - C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe [2006-09-29 10:57:36 49152]
OpenOffice.org 2.3.lnk - C:\Program Files\OpenOffice.org 2.3\program\quickstart.exe [2007-08-17 23:57:56 393216]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoSMHelp"= 1 (0x1)
"NoResolveTrack"= 1 (0x1)
"NoResolveSearch"= 1 (0x1)
"NoSMMyDocs"= 1 (0x1)
"NoSMMyPictures"= 1 (0x1)
"NoSMConfigurePrograms"= 1 (0x1)

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSMHelp"= 1 (0x1)
"NoResolveTrack"= 1 (0x1)
"NoResolveSearch"= 1 (0x1)
"NoSMMyDocs"= 1 (0x1)
"NoSMMyPictures"= 1 (0x1)
"NoSMConfigurePrograms"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avldr]
avldr.dll 2007-02-15 21:02 50736 C:\WINDOWS\system32\avldr.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.X264"= x264vfw.dll
"VIDC.FFDS"= C:\PROGRA~1\COMBIN~1\Filters\ff_vfw.dll
"VIDC.wmv3"= C:\PROGRA~1\COMBIN~1\Filters\wmv9vcm.dll
"VIDC.ACDV"= ACDV.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\IncrediMail\\bin\\IncMail.exe"=
"C:\\Program Files\\IncrediMail\\bin\\ImApp.exe"=
"C:\\Program Files\\IncrediMail\\bin\\ImpCnt.exe"=
"C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"C:\\Program Files\\BearShare Applications\\BearShare\\BearShare.exe"=
"C:\\Program Files\\Octoshape Streaming Services\\jelena\\OctoshapeClient.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=

R1 ShldDrv;Panda File Shield Driver;C:\WINDOWS\system32\DRIVERS\ShlDrv51.sys [2008-03-09 22:47]
R2 PavProc;Panda Process Protection Driver;C:\WINDOWS\system32\DRIVERS\PavProc.sys [2008-03-09 22:47]
R3 AtcL002;NDIS Miniport Driver for Attansic L2 Fast Ethernet Adapter;C:\WINDOWS\system32\DRIVERS\atl02_xp.sys [2006-08-14 05:40]
R3 RTSTOR;USB Mass Stroage Device;C:\WINDOWS\system32\drivers\RTSTOR.SYS [2006-06-10 01:07]
R3 SynMini;USB2.0 1.3M WebCam;C:\WINDOWS\system32\Drivers\SynMini.sys [2006-08-09 08:15]
R3 SynScan;USB2.0 1.3M WebCam Still Image;C:\WINDOWS\system32\Drivers\SynScan.sys [2006-08-09 08:15]
S3 ss_bus;Samsung Mobile USB Device 1.0 driver (WDM);C:\WINDOWS\system32\DRIVERS\ss_bus.sys [2005-01-24 16:38]
S3 ss_mdfl;SAMSUNG Mobile USB Modem 1.0 Filter;C:\WINDOWS\system32\DRIVERS\ss_mdfl.sys [2005-01-24 16:38]
S3 ss_mdm;SAMSUNG Mobile USB Modem 1.0 Drivers;C:\WINDOWS\system32\DRIVERS\ss_mdm.sys [2005-01-24 16:38]


[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\ccc-core-static]
msiexec /fums {857D4360-762B-978B-76AD-491AA719E47A} /qb
.
Contents of the 'Scheduled Tasks' folder
"2008-06-20 18:00:01 C:\WINDOWS\Tasks\Check Updates for Windows Live Toolbar.job"
- C:\Program Files\Windows Live Toolbar\MSNTBUP.EXE
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, gmer.net
Rootkit scan 2008-06-20 21:13:59
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\ati2evxx.exe
C:\Program Files\Panda Security\Panda Antivirus 2008\PAVSRV51.EXE
C:\Program Files\Panda Security\Panda Antivirus 2008\AVENGINE.EXE
C:\WINDOWS\system32\ati2evxx.exe
C:\Program Files\Common Files\Panda Software\PavShld\PavPrSrv.exe
C:\Program Files\Panda Security\Panda Antivirus 2008\PsImSvc.exe
C:\Program Files\Panda Security\Panda Antivirus 2008\PsCtrlS.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\WINDOWS\ATK0100\ATKOSD.exe
C:\Program Files\Panda Security\Panda Antivirus 2008\ApVxdWin.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Program Files\OpenOffice.org 2.3\program\soffice.exe
C:\Program Files\OpenOffice.org 2.3\program\soffice.bin
C:\Program Files\IncrediMail\bin\ImApp.exe
C:\Program Files\Panda Security\Panda Antivirus 2008\WebProxy.exe
C:\Program Files\Panda Security\Panda Antivirus 2008\AVTASK.EXE
C:\Program Files\Panda Security\Panda Antivirus 2008\Avciman.exe
.
**************************************************************************
.
Completion time: 2008-06-20 21:20:24 - machine was rebooted
ComboFix-quarantined-files.txt 2008-06-20 19:20:15
ComboFix2.txt 2008-06-20 17:09:50
ComboFix3.txt 2008-06-18 20:57:25
ComboFix4.txt 2008-06-17 19:23:15

Pre-Run: 20,055,404,544 bytes free
Post-Run: 19,975,114,752 bytes free

186 --- E O F --- 2008-06-12 20:46:43
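The CFScript from the earlier post and the ComboFix log above can be checked against each other mechanically instead of by eye. The script below is an added example, not code from the thread, from ComboFix or from its author. It parses the three CFScript directives the helper used (paths under File::, a value written as "name"=- under a [key] in Registry::, and a key written as [-key]), splits the log on its (((( banner )))) headers, and reports any requested file deletion that the "Other Deletions" section does not confirm, plus any requested autostart value or key that still shows up under "Reg Loading Points". The embedded CFScript and log excerpt are constructed from this thread's own posts.

```python
"""Cross-check a ComboFix CFScript against the log it produced (added example, see lead-in)."""
import re

# Constructed sample: the CFScript as posted in the thread.
CFSCRIPT = """\
File::
C:\\WINDOWS\\system32\\nqlsapi.dll
C:\\WINDOWS\\system32\\wmiwrop.dll
C:\\WINDOWS\\system32\\ajoy.dll

Registry::
[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run]
"Windows MSN Live Messanger"=-
[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\ShellServiceObjectDelayLoad]
"UpdateCheck"=-
[-HKEY_CURRENT_USER\\software\\microsoft\\windows\\currentversion\\explorer\\mountpoints2\\{85b83b2c-e861-11dc-a9e0-001d6015f2c4}]
"""

# Constructed sample: a trimmed excerpt of the log posted after the run.
LOG_EXCERPT = """\
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\\WINDOWS\\system32\\ajoy.dll
C:\\WINDOWS\\system32\\drivers\\npf.sys
C:\\WINDOWS\\system32\\nqlsapi.dll
C:\\WINDOWS\\system32\\wmiwrop.dll

.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
REGEDIT4

[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run]
"LClock"="C:\\Program Files\\LClock\\LClock.exe" [2004-09-19 13:27 65536]
"SunJavaUpdateSched"="C:\\Program Files\\Java\\jre1.6.0_05\\bin\\jusched.exe" [2008-02-22 04:25 144784]

[HKEY_LOCAL_MACHINE\\software\\microsoft\\windows nt\\currentversion\\winlogon\\notify\\avldr]
avldr.dll 2007-02-15 21:02 50736 C:\\WINDOWS\\system32\\avldr.dll
.
Contents of the 'Scheduled Tasks' folder
"""


def parse_cfscript(text):
    """Return (files to delete, (key, value) pairs to delete, keys to delete)."""
    files, values, keys = [], [], []
    section, current_key = None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.endswith("::"):              # section header such as File:: or Registry::
            section, current_key = line[:-2].lower(), None
        elif section == "file":
            files.append(line)
        elif section == "registry":
            if line.startswith("[-") and line.endswith("]"):
                keys.append(line[2:-1])      # [-key] deletes the whole key
            elif line.startswith("[") and line.endswith("]"):
                current_key = line[1:-1]     # [key] selects the key for the lines below
            else:
                m = re.match(r'^"(.+)"=-$', line)
                if m and current_key:        # "name"=- deletes that value
                    values.append((current_key, m.group(1)))
    return files, values, keys


def log_sections(text):
    """Split a ComboFix log into {section name: [lines]} by its (((( name )))) banners."""
    sections, current = {}, None
    for raw in text.splitlines():
        m = re.match(r"^\(+\s*(.+?)\s*\)+$", raw.strip())
        if m:
            current = m.group(1)
            sections[current] = []
        elif current is not None and raw.strip() not in ("", "."):
            sections[current].append(raw.rstrip())
    return sections


def parse_loading_points(lines):
    """Map each key listed under 'Reg Loading Points' (lower-cased) to its value names."""
    points, key = {}, None
    for line in lines:
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1].lower()
            points.setdefault(key, [])
        elif key is not None and line.startswith('"'):
            m = re.match(r'^"([^"]+)"', line)
            if m:
                points[key].append(m.group(1))
    return points


def verify(cfscript, log):
    """Report everything the script asked for that the log does not confirm as gone."""
    files, values, keys = parse_cfscript(cfscript)
    sections = log_sections(log)
    deleted = {l.lower() for l in sections.get("Other Deletions", [])}
    points = parse_loading_points(sections.get("Reg Loading Points", []))
    report = {
        "files_not_deleted": [f for f in files if f.lower() not in deleted],
        "values_still_loaded": [(k, v) for k, v in values if v in points.get(k.lower(), [])],
        "keys_still_loaded": [k for k in keys if k.lower() in points],
    }
    report["clean"] = not (report["files_not_deleted"] or report["values_still_loaded"]
                           or report["keys_still_loaded"])
    return report


if __name__ == "__main__":
    for name, result in verify(CFSCRIPT, LOG_EXCERPT).items():
        print(f"{name}: {result}")
```

For the log above every list comes back empty and clean is True, which matches the helper's reading. A path left in files_not_deleted, or a value name reappearing under its Run key, is the cue to ask for another run rather than to close the thread.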

  • Joined: 04 Sep 2003
  • Posts: 24135
  • Location: Wien

Is everything working properly now?
The logs say the infection has been removed.

  • Joined: 10 Jan 2008
  • Posts: 24
  • Location: Beograd

It works, it works, thanks a lot, I don't know how to thank you for going to so much trouble

  • Joined: 04 Sep 2003
  • Posts: 24135
  • Location: Wien

  • Joined: 10 Jan 2008
  • Posts: 24
  • Location: Beograd

Upload done!

  • Joined: 04 Sep 2003
  • Posts: 24135
  • Location: Wien

Thanks a lot. I have sent the files to the AV companies for analysis, since most of them don't detect them.

I'll leave the thread open for another ten days or so. Let me know in the meantime if anything isn't right.
