MSN is sending messages by itself?

offline
  • Joined: 04 Sep 2003
  • Posts: 24135
  • Location: Wien

Download the program Flash_Disinfector.

The program is started by double-clicking Flash_Disinfector.exe.
When the notification message appears, plug in the infected USB flash drives (hold down the Shift key while doing so to avoid autoplay).
Click OK and wait for the process to finish.
When the message Done !! appears, click OK.


======================================

Open Notepad and copy in the following text:

File::
C:\WINDOWS\system32\nqlsapi.dll
C:\WINDOWS\system32\wmiwrop.dll
C:\WINDOWS\system32\ajoy.dll

Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows MSN Live Messanger"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"UpdateCheck"=-
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{85b83b2c-e861-11dc-a9e0-001d6015f2c4}]



Save the file from Notepad to the Desktop as "CFScript"




Drag the saved script/text onto the ComboFix icon as shown in the picture.
In your next reply, post the log that is produced at the end of the cleaning/scanning.
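As an added example (not part of the original post), here is a small Python parser for the CFScript directive format used above: it turns the File:: and Registry:: sections into a list of the deletions ComboFix will carry out, so a reader can review exactly what a script touches before running it. The script text is the one from the post, embedded inline; the names Action and parse_cfscript are chosen here.

```python
import re
from typing import List, NamedTuple

# The CFScript from the post, embedded as a raw string so the parser runs offline.
CFSCRIPT = r"""File::
C:\WINDOWS\system32\nqlsapi.dll
C:\WINDOWS\system32\wmiwrop.dll
C:\WINDOWS\system32\ajoy.dll

Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows MSN Live Messanger"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"UpdateCheck"=-
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{85b83b2c-e861-11dc-a9e0-001d6015f2c4}]
"""

class Action(NamedTuple):
    kind: str          # delete_file | delete_value | delete_key | set_value
    target: str        # file path or registry key
    value: str = ""    # registry value name (delete_value / set_value only)

def parse_cfscript(text: str) -> List[Action]:
    """Parse CFScript sections. The Registry:: section uses regedit syntax:
    [KEY] selects a key, [-KEY] deletes it, "name"=- deletes a value."""
    actions, section, key = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.endswith("::"):                 # section header, e.g. File::
            section, key = line[:-2].lower(), None
            continue
        if section == "file":
            actions.append(Action("delete_file", line))
        elif section == "registry":
            m = re.fullmatch(r"\[(-?)(.+)\]", line)
            if m:                               # key line; leading '-' means delete the key
                key = m.group(2)
                if m.group(1) == "-":
                    actions.append(Action("delete_key", key))
                continue
            m = re.fullmatch(r'"(.+)"=(.*)', line)
            if m and key:
                kind = "delete_value" if m.group(2) == "-" else "set_value"
                actions.append(Action(kind, key, m.group(1)))
        else:
            raise ValueError(f"line outside a known section: {line!r}")
    return actions

if __name__ == "__main__":
    for a in parse_cfscript(CFSCRIPT):
        print(a.kind, a.target, a.value)
```

Note that the [-...\mountpoints2\{GUID}] line removes the per-volume record Windows keeps for a mounted (here USB) drive, which is why it accompanies the Flash_Disinfector step.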



offline
  • Joined: 10 Jan 2008
  • Posts: 24
  • Location: Beograd

ComboFix 08-06-16.5 - jelena 2008-06-20 21:09:41.4 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.66 [GMT 2:00]
Running from: C:\Documents and Settings\jelena\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\jelena\Desktop\CFScript.txt

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\WINDOWS\system32\ajoy.dll
C:\WINDOWS\system32\nqlsapi.dll
C:\WINDOWS\system32\wmiwrop.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\ajoy.dll
C:\WINDOWS\system32\drivers\npf.sys
C:\WINDOWS\system32\nqlsapi.dll
C:\WINDOWS\system32\packet.dll
C:\WINDOWS\system32\pthreadVC.dll
C:\WINDOWS\system32\wanpacket.dll
C:\WINDOWS\system32\wmiwrop.dll
C:\WINDOWS\system32\wpcap.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_NPF
-------\Service_NPF


((((((((((((((((((((((((( Files Created from 2008-05-20 to 2008-06-20 )))))))))))))))))))))))))))))))
.

2008-06-20 21:01 . 2008-06-20 21:01 386 --a------ C:\6D73776D706461742E746C62FA.tmp
2008-06-20 19:49 . 2008-06-20 19:49 <DIR> d-------- C:\Program Files\WinPcap
2008-06-17 22:11 . 2008-06-17 22:11 <DIR> d-------- C:\deljob
2008-06-17 21:25 . 2008-06-17 21:25 <DIR> d-------- C:\WINDOWS\system32\xircom
2008-06-17 21:25 . 2008-06-17 21:25 <DIR> d-------- C:\WINDOWS\system32\restore
2008-06-17 21:25 . 2008-06-17 21:25 <DIR> d-------- C:\WINDOWS\srchasst
2008-06-17 21:25 . 2008-06-17 21:25 <DIR> d-------- C:\Program Files\microsoft frontpage
2008-06-17 18:52 . 2008-06-17 18:52 <DIR> d-------- C:\Program Files\Real
2008-06-12 23:43 . 2008-06-13 20:14 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-06-12 23:43 . 2008-06-12 23:43 1,409 --a------ C:\WINDOWS\QTFont.for
2008-06-11 14:59 . 2008-04-14 13:01 272,128 --------- C:\WINDOWS\system32\drivers\bthport.sys
2008-06-11 14:59 . 2008-04-14 13:01 272,128 --------- C:\WINDOWS\system32\DllCache\bthport.sys
2008-05-27 19:51 . 2008-05-27 19:55 <DIR> d-------- C:\Program Files\LimeWire
2008-05-27 19:51 . 2008-05-27 20:01 <DIR> d-------- C:\Documents and Settings\jelena\Application Data\LimeWire
2008-05-24 23:09 . 2008-05-24 23:09 <DIR> d-------- C:\Program Files\Octoshape Streaming Services
2008-05-20 23:48 . 2008-06-15 17:38 <DIR> d-------- C:\Documents and Settings\jelena\Application Data\BearShare
2008-05-20 23:47 . 2008-05-20 23:48 <DIR> d-------- C:\Program Files\BearShare Applications

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-20 19:02 --------- d-----w C:\Documents and Settings\jelena\Application Data\OpenOffice.org2
2008-06-17 17:01 --------- d-----w C:\Program Files\MSN Messenger
2008-06-17 17:00 --------- d-----w C:\Documents and Settings\All Users\Application Data\WLInstaller
2008-06-10 20:31 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-06-02 16:01 --------- d-----w C:\Program Files\Java
2008-05-30 15:43 --------- d-----w C:\Documents and Settings\jelena\Application Data\Ahead
2008-05-27 18:00 --------- d-----w C:\Program Files\Internet Download Manager
2008-05-08 12:28 202,752 ----a-w C:\WINDOWS\system32\drivers\rmcast.sys
2008-05-08 12:28 202,752 ------w C:\WINDOWS\system32\DllCache\rmcast.sys
2008-05-07 21:16 --------- d-----w C:\Program Files\Windows Media Connect 2
2008-05-07 04:55 1,288,192 ----a-w C:\WINDOWS\system32\quartz.dll
2008-05-07 04:55 1,288,192 ------w C:\WINDOWS\system32\DllCache\quartz.dll
2008-05-05 13:43 --------- d-----w C:\Documents and Settings\All Users\Application Data\Bluetooth
2008-04-17 10:46 18,432 ------w C:\WINDOWS\system32\DllCache\iedw.exe
2008-03-27 08:12 151,583 ----a-w C:\WINDOWS\system32\msjint40.dll
2008-03-27 08:12 151,583 ------w C:\WINDOWS\system32\DllCache\msjint40.dll
.

------- Sigcheck -------

2006-08-25 16:19 502272 6225f14b8ce08ccba8b25ad27843c674 C:\WINDOWS\system32\winlogon.exe
.
((((((((((((((((((((((((((((( [Link visible only to logged-in users] )))))))))))))))))))))))))))))))))))))))))
.
- 2008-06-17 17:05:00 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-06-20 19:13:36 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2005-10-20 18:02:28 163,328 ----a-w C:\WINDOWS\erdnt\subs\ERDNT.EXE
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"StartCCC"="C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2006-11-10 13:35 90112]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2006-10-09 12:28 139264]
"msnmsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.exe" [2007-10-18 11:34 5724184]
"IncrediMail"="C:\Program Files\IncrediMail\bin\IncMail.exe" [2008-02-25 14:07 243072]
"Picasa Media Detector"="C:\Program Files\Picasa2\PicasaMediaDetector.exe" [2007-10-23 23:18 443968]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 06:56 15360]
"Octoshape Streaming Services"="C:\Program Files\Octoshape Streaming Services\jelena\OctoshapeClient.exe" [2006-02-13 18:33 214648]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LClock"="C:\Program Files\LClock\LClock.exe" [2004-09-19 13:27 65536]
"Vistadrv"="C:\WINDOWS\system32\vsdrv.exe" [2006-07-30 04:37 121089]
"HControl"="C:\WINDOWS\ATK0100\HControl.exe" [2006-10-14 11:37 110592]
"RTHDCPL"="RTHDCPL.EXE" [2006-10-30 13:49 16269312 C:\WINDOWS\RTHDCPL.EXE]
"SkyTel"="SkyTel.EXE" [2006-05-16 12:04 2879488 C:\WINDOWS\SkyTel.exe]
"SMSERIAL"="C:\WINDOWS\sm56hlpr.exe" [2006-03-21 16:54 544768]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2006-05-25 14:02 786521]
"NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 17:40 155648]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]

C:\Documents and Settings\jelena\Start Menu\Programs\Startup\
CCC.lnk - C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe [2006-09-29 10:57:36 49152]
OpenOffice.org 2.3.lnk - C:\Program Files\OpenOffice.org 2.3\program\quickstart.exe [2007-08-17 23:57:56 393216]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoSMHelp"= 1 (0x1)
"NoResolveTrack"= 1 (0x1)
"NoResolveSearch"= 1 (0x1)
"NoSMMyDocs"= 1 (0x1)
"NoSMMyPictures"= 1 (0x1)
"NoSMConfigurePrograms"= 1 (0x1)

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSMHelp"= 1 (0x1)
"NoResolveTrack"= 1 (0x1)
"NoResolveSearch"= 1 (0x1)
"NoSMMyDocs"= 1 (0x1)
"NoSMMyPictures"= 1 (0x1)
"NoSMConfigurePrograms"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avldr]
avldr.dll 2007-02-15 21:02 50736 C:\WINDOWS\system32\avldr.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.X264"= x264vfw.dll
"VIDC.FFDS"= C:\PROGRA~1\COMBIN~1\Filters\ff_vfw.dll
"VIDC.wmv3"= C:\PROGRA~1\COMBIN~1\Filters\wmv9vcm.dll
"VIDC.ACDV"= ACDV.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\IncrediMail\\bin\\IncMail.exe"=
"C:\\Program Files\\IncrediMail\\bin\\ImApp.exe"=
"C:\\Program Files\\IncrediMail\\bin\\ImpCnt.exe"=
"C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"C:\\Program Files\\BearShare Applications\\BearShare\\BearShare.exe"=
"C:\\Program Files\\Octoshape Streaming Services\\jelena\\OctoshapeClient.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=

R1 ShldDrv;Panda File Shield Driver;C:\WINDOWS\system32\DRIVERS\ShlDrv51.sys [2008-03-09 22:47]
R2 PavProc;Panda Process Protection Driver;C:\WINDOWS\system32\DRIVERS\PavProc.sys [2008-03-09 22:47]
R3 AtcL002;NDIS Miniport Driver for Attansic L2 Fast Ethernet Adapter;C:\WINDOWS\system32\DRIVERS\atl02_xp.sys [2006-08-14 05:40]
R3 RTSTOR;USB Mass Stroage Device;C:\WINDOWS\system32\drivers\RTSTOR.SYS [2006-06-10 01:07]
R3 SynMini;USB2.0 1.3M WebCam;C:\WINDOWS\system32\Drivers\SynMini.sys [2006-08-09 08:15]
R3 SynScan;USB2.0 1.3M WebCam Still Image;C:\WINDOWS\system32\Drivers\SynScan.sys [2006-08-09 08:15]
S3 ss_bus;Samsung Mobile USB Device 1.0 driver (WDM);C:\WINDOWS\system32\DRIVERS\ss_bus.sys [2005-01-24 16:38]
S3 ss_mdfl;SAMSUNG Mobile USB Modem 1.0 Filter;C:\WINDOWS\system32\DRIVERS\ss_mdfl.sys [2005-01-24 16:38]
S3 ss_mdm;SAMSUNG Mobile USB Modem 1.0 Drivers;C:\WINDOWS\system32\DRIVERS\ss_mdm.sys [2005-01-24 16:38]


[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\ccc-core-static]
msiexec /fums {857D4360-762B-978B-76AD-491AA719E47A} /qb
.
Contents of the 'Scheduled Tasks' folder
"2008-06-20 18:00:01 C:\WINDOWS\Tasks\Check Updates for Windows Live Toolbar.job"
- C:\Program Files\Windows Live Toolbar\MSNTBUP.EXE
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [Link visible only to logged-in users]
Rootkit scan 2008-06-20 21:13:59
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\ati2evxx.exe
C:\Program Files\Panda Security\Panda Antivirus 2008\PAVSRV51.EXE
C:\Program Files\Panda Security\Panda Antivirus 2008\AVENGINE.EXE
C:\WINDOWS\system32\ati2evxx.exe
C:\Program Files\Common Files\Panda Software\PavShld\PavPrSrv.exe
C:\Program Files\Panda Security\Panda Antivirus 2008\PsImSvc.exe
C:\Program Files\Panda Security\Panda Antivirus 2008\PsCtrlS.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\WINDOWS\ATK0100\ATKOSD.exe
C:\Program Files\Panda Security\Panda Antivirus 2008\ApVxdWin.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Program Files\OpenOffice.org 2.3\program\soffice.exe
C:\Program Files\OpenOffice.org 2.3\program\soffice.bin
C:\Program Files\IncrediMail\bin\ImApp.exe
C:\Program Files\Panda Security\Panda Antivirus 2008\WebProxy.exe
C:\Program Files\Panda Security\Panda Antivirus 2008\AVTASK.EXE
C:\Program Files\Panda Security\Panda Antivirus 2008\Avciman.exe
.
**************************************************************************
.
Completion time: 2008-06-20 21:20:24 - machine was rebooted
ComboFix-quarantined-files.txt 2008-06-20 19:20:15
ComboFix2.txt 2008-06-20 17:09:50
ComboFix3.txt 2008-06-18 20:57:25
ComboFix4.txt 2008-06-17 19:23:15

Pre-Run: 20,055,404,544 bytes free
Post-Run: 19,975,114,752 bytes free

186 --- E O F --- 2008-06-12 20:46:43



offline
  • Joined: 04 Sep 2003
  • Posts: 24135
  • Location: Wien

Is everything working as it should now?
The logs say the infection has been removed.

offline
  • Joined: 10 Jan 2008
  • Posts: 24
  • Location: Beograd

It works, it works. Thanks a lot, I don't know how to thank you for all this trouble.

offline
  • Joined: 04 Sep 2003
  • Posts: 24135
  • Location: Wien

offline
  • Joined: 10 Jan 2008
  • Posts: 24
  • Location: Beograd

Upload done!

offline
  • Joined: 04 Sep 2003
  • Posts: 24135
  • Location: Wien

Thanks a lot. I have sent the files to the AV companies for analysis, since most of them don't detect them.

I'll leave the thread open for another ten days or so. Let me know in the meantime if anything isn't right.
