Help needed


  • Joined: 01 Jul 2008
  • Posts: 33
  • Location: Pančevo

For some time now our computer has been really, really slow, and every now and then various popup programs activate, which slow it down even more. We have also discovered that over the course of a day the folder C:\Documents and Settings\Windows Xp\Local Settings\Temp fills up with all sorts of junk that we have no idea where it comes from or what it is. We have always used NOD32, but because of these problems I decided to try a different program and installed Spyware Terminator, which found Backdoor.Agent.kwf and Net Tool.Delf.sd, and the infected files are exactly the ones filling up my Temp. I asked around and here I am. I hope you will be able to help me.


I did as you asked and here is the report

Logfile of HijackThis v1.99.1
Scan saved at 8:38:48, on 1.7.2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\SYSTEM32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\system32\PSIService.exe
C:\Program Files\Spyware Terminator\sp_rsser.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Eset\nod32kui.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\stickies\stickies.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\PROGRA~1\Crawler\Toolbar\CToolbar.exe
C:\Documents and Settings\Windows Xp\Desktop\New Folder\TR3.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = crawler.com/search/ie.aspx?tb_id=60327
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = dnl.crawler.com/support/sa_customize.aspx?TbId=60327
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = crawler.com/search/ie.aspx?tb_id=60327
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = dnl.crawler.com/support/sa_customize.aspx?TbId=60327
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = wmplayer.exe //ICWLaunch
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: (no name) - {1CB20BF0-BBAE-40A7-93F4-6435FF3D0411} - C:\PROGRA~1\Crawler\Toolbar\ctbr.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {1CB20BF0-BBAE-40A7-93F4-6435FF3D0411} - C:\PROGRA~1\Crawler\Toolbar\ctbr.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: CInterceptor Object - {38D3FE60-3D53-4F37-BB0E-C7A97A26A156} - C:\Program Files\Pando Networks\Pando\PandoIEPlugin.dll
O2 - BHO: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MI69DF~1\Office12\GRA8E1~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: (no name) - {bac99536-b4b6-45be-bd1e-6eff5d381a7c} - C:\WINDOWS\SYSTEM32\kerest.dll (file missing)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL
O3 - Toolbar: &Crawler Toolbar - {4B3803EA-5230-4DC3-A7FC-33638F3D3542} - C:\PROGRA~1\Crawler\Toolbar\ctbr.dll
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [.nvsvc] C:\WINDOWS\system\smss.exe /w
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [devenv] C:\WINDOWS\system\smvss.exe /w
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [SpywareTerminator] "C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [iolo Utility Bar] "C:\Program Files\iolo\System Mechanic 5 Professional\SMUtilityBar.exe"
O4 - Startup: Stickies.lnk = C:\Program Files\stickies\stickies.exe
O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\PROGRA~1\INCRED~1\bin\resources\WebMenuImg.htm
O8 - Extra context menu item: Crawler Search - tbr:iemenu
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI69DF~1\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MI69DF~1\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MI69DF~1\Office12\ONBttnIE.dll
O9 - Extra button: Panda ActiveScan - {653D93AF-C741-4e5e-8C1B-59BA43F93E16} - pandasoftware.com/activescan (file missing)
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI69DF~1\Office12\REFIEBAR.DLL
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - acs.pandasoftware.com/activescan/as5free/asinst.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MI69DF~1\Office12\GR99D3~1.DLL
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O18 - Protocol: tbr - {4D25FB7A-8902-4291-960E-9ADA051CFBBF} - C:\PROGRA~1\Crawler\Toolbar\ctbr.dll
O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL
O20 - AppInit_DLLs: c:\windows\system32\gebccab.dll
O20 - Winlogon Notify: kerest - kerest.dll (file missing)
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: ProtexisLicensing - Unknown owner - C:\WINDOWS\system32\PSIService.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: Spyware Terminator Realtime Shield Service (sp_rssrv) - Crawler.com - C:\Program Files\Spyware Terminator\sp_rsser.exe

By the way, we have ADSL through PTT.

Regards
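The log in this post is the kind a helper triages by eye. The Python below is an added example, not HijackThis's own code and not part of the thread; it encodes the red flags visible in this log (a core Windows binary name launched from C:\WINDOWS\system instead of system32, a Run value name starting with a dot, a populated AppInit_DLLs, and BHO / Winlogon Notify hooks whose DLL is missing). The function names, the CORE_BINARIES set and the rule set are my own choices; the sample lines are copied from the log above.

```python
r"""Heuristic triage of HijackThis log lines.

Added example, not HijackThis's own code and not part of the thread. The rules
encode what a log reader looks for in a report like the one above: core Windows
binaries running from the wrong directory, Run entries launching from
C:\WINDOWS\system instead of system32, a populated AppInit_DLLs value, and
BHO / Winlogon Notify hooks whose DLL no longer exists.
"""
import re
from typing import Dict, List

# Core XP binaries that legitimately live only in %SystemRoot%\system32.
CORE_BINARIES = {"smss.exe", "csrss.exe", "winlogon.exe", "services.exe",
                 "lsass.exe", "svchost.exe"}
SYSTEM32 = r"c:\windows\system32"
LEGACY_SYSTEM = r"c:\windows\system"   # 16-bit leftover; rarely a Run target

# O4 line: "O4 - HKLM\..\Run: [value name] <target command line>"
_O4_RE = re.compile(r"^O4 - (HK\w+)\\\.\.\\Run: \[(.*?)\] (.*)$")
# Quoted or unquoted executable path at the start of a command line.
_EXE_RE = re.compile(r'^"?([a-z]:\\[^"]*?\.exe)"?', re.IGNORECASE)


def split_path(path: str):
    """Return (directory, filename) of a Windows path, both lower-cased."""
    directory, _, name = path.lower().strip().rpartition("\\")
    return directory, name


def check_running_process(line: str) -> List[str]:
    """'Running processes' line: flag a core binary outside system32."""
    directory, name = split_path(line)
    if name in CORE_BINARIES and directory != SYSTEM32:
        return [f"core binary {name} running from {directory or '<unknown>'}"]
    return []


def check_o4(line: str) -> List[str]:
    """O4 autostart entry: odd value names or targets in the legacy dir."""
    m = _O4_RE.match(line)
    if not m:
        return []
    reasons = []
    value_name, target = m.group(2), m.group(3)
    if value_name.startswith("."):
        reasons.append(f"Run value name '{value_name}' starts with a dot")
    exe = _EXE_RE.match(target)
    if exe:
        directory, name = split_path(exe.group(1))
        if directory == LEGACY_SYSTEM:
            reasons.append(f"{name} launched from C:\\WINDOWS\\system, not system32")
        elif name in CORE_BINARIES and directory != SYSTEM32:
            reasons.append(f"core binary {name} launched from {directory}")
    return reasons


def check_hooks(line: str) -> List[str]:
    """O2 BHO, O20 AppInit_DLLs and O20 Winlogon Notify entries."""
    reasons = []
    if line.startswith("O20 - AppInit_DLLs:") and line.split(":", 1)[1].strip():
        reasons.append("AppInit_DLLs is populated (loaded into every process that maps user32.dll)")
    if line.startswith(("O2 -", "O20 -")) and "(file missing)" in line:
        reasons.append("hook points at a DLL that no longer exists (orphaned loader)")
    return reasons


def triage(log_lines: List[str]) -> Dict[int, List[str]]:
    """Map 0-based index -> reasons for every line that trips a rule."""
    findings: Dict[int, List[str]] = {}
    for idx, raw in enumerate(log_lines):
        line = raw.strip()
        if re.match(r"^[a-zA-Z]:\\", line):
            reasons = check_running_process(line)
        elif line.startswith("O4 -"):
            reasons = check_o4(line)
        else:
            reasons = check_hooks(line)
        if reasons:
            findings[idx] = reasons
    return findings


# Sample input: lines copied from the HijackThis log posted in this thread.
SAMPLE_LOG = [
    r"C:\WINDOWS\System32\smss.exe",
    r"C:\WINDOWS\system32\svchost.exe",
    r"O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll",
    r"O2 - BHO: (no name) - {bac99536-b4b6-45be-bd1e-6eff5d381a7c} - C:\WINDOWS\SYSTEM32\kerest.dll (file missing)",
    r'O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE',
    r"O4 - HKLM\..\Run: [.nvsvc] C:\WINDOWS\system\smss.exe /w",
    r"O4 - HKLM\..\Run: [devenv] C:\WINDOWS\system\smvss.exe /w",
    r"O20 - AppInit_DLLs: c:\windows\system32\gebccab.dll",
    r"O20 - Winlogon Notify: kerest - kerest.dll (file missing)",
]

if __name__ == "__main__":
    for idx, reasons in sorted(triage(SAMPLE_LOG).items()):
        print(f"line {idx}: {SAMPLE_LOG[idx]}")
        for reason in reasons:
            print(f"    -> {reason}")
```

Run against the full log, the same rules flag exactly the entries that ComboFix later deleted (C:\WINDOWS\system\smss.exe and smvss.exe) and the kerest / gebccab hooks that survived the first pass.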

  • Joined: 07 Aug 2006
  • Posts: 1182
  • Location: Fili Davydkovo, Moscow, Russia

Download ComboFix from one of the following addresses to your Desktop:
http://download.bleepingcomputer.com/sUBs/ComboFix.exe
http://www.forospyware.com/sUBs/ComboFix.exe
http://subs.geekstogo.com/ComboFix.exe

Run it and do not touch the program window while it scans.
Follow the on-screen instructions. When it finishes, a log (C:\ComboFix.txt) will appear; copy it here for us.

  • Joined: 01 Jul 2008
  • Posts: 33
  • Location: Pančevo

ComboFix 08-06-20.4 - Windows Xp 2008-07-01 10:51:41.1 - NTFSx86
Running from: D:\DOWNLOAD\ComboFix.exe
* Created a new restore point
* Resident AV is active


WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\cookies.ini
C:\WINDOWS\system\smss.exe
C:\WINDOWS\system\smvss.exe
C:\WINDOWS\system32\dnf8cc82c4.dat

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_DOMAINSERVICE


((((((((((((((((((((((((( Files Created from 2008-06-01 to 2008-07-01 )))))))))))))))))))))))))))))))
.

2008-06-23 16:53 . 2008-06-23 16:53 244 --ah----- C:\sqmnoopt19.sqm
2008-06-23 16:53 . 2008-06-23 16:53 232 --ah----- C:\sqmdata19.sqm
2008-06-23 14:09 . 2008-06-23 14:09 244 --ah----- C:\sqmnoopt18.sqm
2008-06-23 14:09 . 2008-06-23 14:09 232 --ah----- C:\sqmdata18.sqm
2008-06-23 10:14 . 2008-06-23 10:14 244 --ah----- C:\sqmnoopt17.sqm
2008-06-23 10:14 . 2008-06-23 10:14 232 --ah----- C:\sqmdata17.sqm
2008-06-23 08:53 . 2008-06-23 08:53 244 --ah----- C:\sqmnoopt16.sqm
2008-06-23 08:53 . 2008-06-23 08:53 232 --ah----- C:\sqmdata16.sqm
2008-06-20 08:34 . 2008-06-30 21:53 <DIR> d-------- C:\Program Files\WinClamAVShield
2008-06-20 08:01 . 2008-06-20 08:01 <DIR> d-------- C:\Program Files\Crawler
2008-06-20 08:00 . 2008-07-01 08:49 <DIR> d-------- C:\Program Files\Spyware Terminator
2008-06-20 08:00 . 2008-07-01 08:49 <DIR> d-------- C:\Documents and Settings\Windows Xp\Application Data\Spyware Terminator
2008-06-20 08:00 . 2008-07-01 02:19 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spyware Terminator
2008-06-20 08:00 . 2008-06-20 08:00 141,312 --a------ C:\WINDOWS\system32\drivers\sp_rsdrv2.sys
2008-06-14 14:36 . 2008-06-14 14:37 <DIR> d-------- C:\Program Files\Acme CAD Converter
2008-06-02 15:19 . 2008-06-02 15:19 <DIR> dr------- C:\Program Files\Vizros
2008-06-02 10:58 . 1999-12-17 09:13 86,016 --a------ C:\WINDOWS\unvise32.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-07-01 08:48 --------- d-----w C:\Documents and Settings\Windows Xp\Application Data\stickies
2008-07-01 07:10 --------- d-----w C:\Documents and Settings\Windows Xp\Application Data\MegauploadToolbar
2008-06-30 14:15 --------- d-----w C:\Documents and Settings\Windows Xp\Application Data\Corel
2008-06-30 06:45 10,332 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys
2008-06-26 16:52 --------- d-----w C:\Documents and Settings\Windows Xp\Application Data\uTorrent
2008-06-20 09:34 --------- d-----w C:\Program Files\uTorrent
2008-05-31 19:04 --------- d-----w C:\Program Files\CDisplay
2008-05-25 17:10 --------- d-----w C:\Documents and Settings\Windows Xp\Application Data\Skype
2008-05-21 10:13 --------- d-----w C:\Program Files\Corel
2008-05-21 10:13 --------- d-----w C:\Program Files\Common Files\Corel
2008-05-03 21:44 96,864 ----a-w C:\WINDOWS\~GLC0001.TMP
2008-05-03 21:41 96,864 ----a-w C:\WINDOWS\~GLC0000.TMP
2008-04-14 15:34 21,840 ----a-w C:\WINDOWS\system32\SIntfNT.dll
2008-04-14 15:34 17,212 ----a-w C:\WINDOWS\system32\SIntf32.dll
2008-04-14 15:34 12,067 ----a-w C:\WINDOWS\system32\SIntf16.dll
2007-04-19 01:47 88 --sh--r C:\WINDOWS\system32\7BABFE60C1.sys
2007-11-17 12:34 88 --sh--r C:\WINDOWS\system32\D9C8DBE01D.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{bac99536-b4b6-45be-bd1e-6eff5d381a7c}]
C:\WINDOWS\SYSTEM32\kerest.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 03:07 15360]
"iolo Utility Bar"="C:\Program Files\iolo\System Mechanic 5 Professional\SMUtilityBar.exe" [2005-01-31 12:58 735232]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-10-28 22:05 344064]
"BluetoothAuthenticationAgent"="bthprops.cpl,,BluetoothAuthenticationAgent" []
"nod32kui"="C:\Program Files\Eset\nod32kui.exe" [2007-09-29 18:55 949376]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 02:11 132496]
"MSConfig"="C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe" [2004-08-04 03:07 158208]
"ISUSPM Startup"="C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-08-11 16:30 249856]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2005-08-11 16:30 81920]
"SpywareTerminator"="C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe" [2008-06-20 08:00 1817600]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 03:07 15360]

C:\Documents and Settings\Windows Xp\Start Menu\Programs\Startup\
Stickies.lnk - C:\Program Files\stickies\stickies.exe [2007-03-08 23:28:19 700416]

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\2]
Source= C:\Documents and Settings\Windows Xp\Desktop\html Ivana\baby_desktop.html
FriendlyName=

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\kerest]
kerest.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\system32\gebccab.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.3iv2"= 3ivxVfWCodec.dll
"VIDC.HFYU"= huffyuv.dll
"VIDC.VP31"= vp31vfw.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Acrobat Assistant.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Acrobat Assistant.lnk
backup=C:\WINDOWS\pss\Acrobat Assistant.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^AutoCAD Startup Accelerator.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\AutoCAD Startup Accelerator.lnk
backup=C:\WINDOWS\pss\AutoCAD Startup Accelerator.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
--a------ 2006-10-27 01:47 31016 C:\Program Files\Microsoft Office 2007\Office12\GrooveMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
--a------ 2007-01-19 13:54 5674352 C:\Program Files\MSN Messenger\msnmsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2006-09-01 16:57 282624 C:\Program Files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
--a------ 2004-11-02 20:24 32768 C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
--a------ 2004-12-22 11:09 77824 C:\WINDOWS\SOUNDMAN.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\eMule\\emule.exe"=
"C:\\Program Files\\PopCap Games\\Bejeweled Deluxe\\WinBej.exe"=
"C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE"=
"C:\\WINDOWS\\system32\\svchost.exe"=
"C:\\Program Files\\eMule2\\eMule.exe"=
"C:\\Program Files\\uTorrent\\utorrent.exe"=
"C:\\Program Files\\Shareaza\\Shareaza.exe"=
"C:\\Program Files\\Custom Content Manager\\CCM.exe"=
"C:\\Program Files\\Opera\\Opera.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\Pando Networks\\Pando\\pando.exe"=
"C:\\Program Files\\Microsoft Office 2007\\Office12\\OUTLOOK.EXE"=
"C:\\Program Files\\Microsoft Office 2007\\Office12\\GROOVE.EXE"=
"C:\\Program Files\\Microsoft Office 2007\\Office12\\ONENOTE.EXE"=
"C:\\Program Files\\DC++\\DCPlusPlus.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\MSN Messenger\\livecall.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=
"C:\\Program Files\\Windows Media Player\\wmplayer.exe"=

R1 sp_rsdrv2;Spyware Terminator Driver 2;C:\WINDOWS\system32\drivers\sp_rsdrv2.sys [2008-06-20 08:00]
S3 PIXMCV;JVC Communication PIX-MCV Driver;C:\WINDOWS\system32\Drivers\pixmcvc.sys [2002-09-28 07:08]
S3 PIXMCVA;JVC PIX-MCV Audio Capture;C:\WINDOWS\system32\Drivers\pixmcva.sys [2002-10-04 03:53]
S3 PIXMCVV;JVC PIX-MCV Video Capture;C:\WINDOWS\system32\Drivers\pixmcvv.sys [2002-11-28 09:16]
S3 usnjsvc;Messenger Sharing Folders USN Journal Reader service;"C:\Program Files\MSN Messenger\usnsvc.exe" [2007-01-19 13:54]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{523ecbfa-438c-11dd-b4ab-00148586ce49}]
\Shell\Auto\command - G:\Config.exe
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Config.exe

.
Contents of the 'Scheduled Tasks' folder
"2008-06-19 05:47:01 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-07-01 07:00:00 C:\WINDOWS\Tasks\At10.job"
- C:\WINDOWS\system32\OBeamuo7.exe
"2008-07-01 08:00:01 C:\WINDOWS\Tasks\At11.job"
- C:\WINDOWS\system32\OBeamuo7.exe
"2008-07-01 09:00:02 C:\WINDOWS\Tasks\At12.job"
- C:\WINDOWS\system32\OBeamuo7.exe
"2008-06-30 10:00:00 C:\WINDOWS\Tasks\At13.job"
- C:\WINDOWS\system32\OBeamuo7.exe
"2008-06-30 11:00:08 C:\WINDOWS\Tasks\At14.job"
- C:\WINDOWS\system32\OBeamuo7.exe
"2008-06-30 12:00:00 C:\WINDOWS\Tasks\At15.job"
- C:\WINDOWS\system32\OBeamuo7.exe
"2008-06-30 13:00:01 C:\WINDOWS\Tasks\At16.job"
- C:\WINDOWS\system32\OBeamuo7.exe
"2008-06-30 14:00:01 C:\WINDOWS\Tasks\At17.job"
- C:\WINDOWS\system32\OBeamuo7.exe
"2008-06-30 15:00:00 C:\WINDOWS\Tasks\At18.job"
- C:\WINDOWS\system32\OBeamuo7.exe
"2008-06-30 16:00:00 C:\WINDOWS\Tasks\At19.job"
- C:\WINDOWS\system32\OBeamuo7.exe
"2008-06-30 23:00:01 C:\WINDOWS\Tasks\At2.job"
- C:\WINDOWS\system32\OBeamuo7.exe
"2008-06-30 17:00:00 C:\WINDOWS\Tasks\At20.job"
- C:\WINDOWS\system32\OBeamuo7.exe
"2008-06-30 18:00:00 C:\WINDOWS\Tasks\At21.job"
- C:\WINDOWS\system32\OBeamuo7.exe
"2008-06-30 19:00:00 C:\WINDOWS\Tasks\At22.job"
- C:\WINDOWS\system32\OBeamuo7.exe
"2008-06-30 20:00:00 C:\WINDOWS\Tasks\At23.job"
- C:\WINDOWS\system32\OBeamuo7.exe
"2008-06-30 21:00:00 C:\WINDOWS\Tasks\At24.job"
- C:\WINDOWS\system32\OBeamuo7.exe
"2008-07-01 00:00:00 C:\WINDOWS\Tasks\At3.job"
- C:\WINDOWS\system32\OBeamuo7.exe
"2008-06-30 01:00:00 C:\WINDOWS\Tasks\At4.job"
- C:\WINDOWS\system32\OBeamuo7.exe
"2008-06-24 02:00:00 C:\WINDOWS\Tasks\At5.job"
- C:\WINDOWS\system32\OBeamuo7.exe
"2008-06-05 03:00:00 C:\WINDOWS\Tasks\At6.job"
- C:\WINDOWS\system32\OBeamuo7.exe
"2008-06-05 04:00:00 C:\WINDOWS\Tasks\At7.job"
- C:\WINDOWS\system32\OBeamuo7.exe
"2008-06-05 05:00:00 C:\WINDOWS\Tasks\At8.job"
- C:\WINDOWS\system32\OBeamuo7.exe
"2008-07-01 06:00:00 C:\WINDOWS\Tasks\At9.job"
- C:\WINDOWS\system32\OBeamuo7.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, gmer.net
Rootkit scan 2008-07-01 11:09:04
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\ati2evxx.exe
C:\WINDOWS\system32\ati2evxx.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\ESET\nod32krn.exe
C:\WINDOWS\system32\PSIService.exe
C:\Program Files\Spyware Terminator\sp_rsser.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\system32\rundll32.exe
.
**************************************************************************
.
Completion time: 2008-07-01 11:22:48 - machine was rebooted
ComboFix-quarantined-files.txt 2008-07-01 09:22:20

Pre-Run: 3,472,666,624 bytes free
Post-Run: 3,836,903,424 bytes free
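The 'Scheduled Tasks' and mountpoints2 sections of the ComboFix log above show two persistence patterns worth recognising: a series of At<N>.job tasks, one per hour, all launching the same oddly named binary in system32, and a removable-drive mountpoints2 key whose autorun verbs run an executable from the drive root. The Python below is an added example, not ComboFix's own code and not part of the thread; the function names and the `min_at_jobs` threshold are my own choices, and the sample lines are copied from the log above.

```python
r"""Triage of the 'Scheduled Tasks' and mountpoints2 sections of a ComboFix log.

Added example, not ComboFix's own code. Two patterns taken from the log above:
a run of At<N>.job tasks (the naming at.exe uses) all launching the same binary,
and a mountpoints2 key whose \Shell\<verb>\command lines execute a program.
"""
import re
from collections import defaultdict
from typing import Dict, List

# '"<YYYY-MM-DD hh:mm:ss> <path>.job"' lines, each followed by '- <target>'.
_TASK_RE = re.compile(r'^"(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (.+\.job)"$')
_AT_JOB_RE = re.compile(r"\\At\d+\.job$", re.IGNORECASE)
# '\Shell\<verb>\command - <command line>' lines under a mountpoints2 key.
_SHELL_CMD_RE = re.compile(r"^\\Shell\\(\w+)\\command - (.+)$")


def parse_tasks(lines: List[str]) -> Dict[str, List[str]]:
    """Map each task target -> the .job files that launch it."""
    targets: Dict[str, List[str]] = defaultdict(list)
    pending_job = None
    for raw in lines:
        line = raw.strip()
        m = _TASK_RE.match(line)
        if m:
            pending_job = m.group(2)
        elif line.startswith("- ") and pending_job:
            targets[line[2:].strip()].append(pending_job)
            pending_job = None
    return dict(targets)


def flag_task_targets(targets: Dict[str, List[str]], min_at_jobs: int = 3) -> List[str]:
    """Report binaries launched by several At<N>.job tasks: a legitimate
    updater has one named job, an hourly beacon has a dozen or more."""
    reasons = []
    for target, jobs in sorted(targets.items()):
        at_jobs = [j for j in jobs if _AT_JOB_RE.search(j)]
        if len(at_jobs) >= min_at_jobs:
            reasons.append(f"{target}: launched by {len(at_jobs)} At*.job tasks")
    return reasons


def flag_autorun(lines: List[str]) -> List[str]:
    """Report mountpoints2 autorun verbs whose command executes a program."""
    reasons = []
    for raw in lines:
        m = _SHELL_CMD_RE.match(raw.strip())
        if m and ".exe" in m.group(2).lower():
            reasons.append(f"autorun verb '{m.group(1)}' runs: {m.group(2)}")
    return reasons


# Sample input: lines copied from the ComboFix log posted in this thread.
SAMPLE_TASKS = [
    r'"2008-06-19 05:47:01 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"',
    r"- C:\Program Files\Apple Software Update\SoftwareUpdate.exe",
    r'"2008-07-01 07:00:00 C:\WINDOWS\Tasks\At10.job"',
    r"- C:\WINDOWS\system32\OBeamuo7.exe",
    r'"2008-07-01 08:00:01 C:\WINDOWS\Tasks\At11.job"',
    r"- C:\WINDOWS\system32\OBeamuo7.exe",
    r'"2008-07-01 09:00:02 C:\WINDOWS\Tasks\At12.job"',
    r"- C:\WINDOWS\system32\OBeamuo7.exe",
    r'"2008-06-30 23:00:01 C:\WINDOWS\Tasks\At2.job"',
    r"- C:\WINDOWS\system32\OBeamuo7.exe",
]
SAMPLE_MOUNTPOINTS = [
    r"\Shell\Auto\command - G:\Config.exe",
    r"\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Config.exe",
]

if __name__ == "__main__":
    for reason in flag_task_targets(parse_tasks(SAMPLE_TASKS)) + flag_autorun(SAMPLE_MOUNTPOINTS):
        print(reason)
```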


  • Joined: 07 Aug 2006
  • Posts: 1182
  • Location: Fili Davydkovo, Moscow, Russia

Do you have any USB sticks or memory cards that might also be infected?

  • Joined: 01 Jul 2008
  • Posts: 33
  • Location: Pančevo

We have one USB stick that my husband uses, but I don't know whether it is infected...

  • Joined: 07 Aug 2006
  • Posts: 1182
  • Location: Fili Davydkovo, Moscow, Russia

Download the Flash_Disinfector program.

The program is started by double-clicking Flash_Disinfector.exe
When the notification message appears, plug in the infected USB flash drives (hold down the Shift key while doing so to avoid autoplay)
Click OK and wait for the process to finish
When the Done !! message appears, click OK.

Afterwards run one more ComboFix scan and post the new log.

  • Joined: 01 Jul 2008
  • Posts: 33
  • Location: Pančevo

Today something new appeared. The computer slowed down terribly and IE opened on its own several times, even though we don't normally use it at all, only Firefox and Opera. Hopefully it is nothing irreparable. That was before this scan; since then it hasn't happened again, everything is ok...

Here is the new log:

ComboFix 08-06-20.4 - Windows Xp 2008-07-01 17:33:08.3 - NTFSx86
Running from: D:\DOWNLOAD\ComboFix.exe
* Resident AV is active


WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((( Files Created from 2008-06-01 to 2008-07-01 )))))))))))))))))))))))))))))))
.

2008-07-01 14:51 . 2008-07-01 14:51 26,624 --a------ C:\WINDOWS\system32\oggview.dll
2008-07-01 14:51 . 2008-07-01 14:51 26,624 --a------ C:\WINDOWS\system32\domsys.dll
2008-06-23 16:53 . 2008-06-23 16:53 244 --ah----- C:\sqmnoopt19.sqm
2008-06-23 16:53 . 2008-06-23 16:53 232 --ah----- C:\sqmdata19.sqm
2008-06-23 14:09 . 2008-06-23 14:09 244 --ah----- C:\sqmnoopt18.sqm
2008-06-23 14:09 . 2008-06-23 14:09 232 --ah----- C:\sqmdata18.sqm
2008-06-23 10:14 . 2008-06-23 10:14 244 --ah----- C:\sqmnoopt17.sqm
2008-06-23 10:14 . 2008-06-23 10:14 232 --ah----- C:\sqmdata17.sqm
2008-06-23 08:53 . 2008-06-23 08:53 244 --ah----- C:\sqmnoopt16.sqm
2008-06-23 08:53 . 2008-06-23 08:53 232 --ah----- C:\sqmdata16.sqm
2008-06-20 08:34 . 2008-07-01 15:10 <DIR> d-------- C:\Program Files\WinClamAVShield
2008-06-20 08:01 . 2008-06-20 08:01 <DIR> d-------- C:\Program Files\Crawler
2008-06-20 08:00 . 2008-07-01 15:10 <DIR> d-------- C:\Program Files\Spyware Terminator
2008-06-20 08:00 . 2008-07-01 14:56 <DIR> d-------- C:\Documents and Settings\Windows Xp\Application Data\Spyware Terminator
2008-06-20 08:00 . 2008-07-01 02:19 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spyware Terminator
2008-06-20 08:00 . 2008-06-20 08:00 141,312 --a------ C:\WINDOWS\system32\drivers\sp_rsdrv2.sys
2008-06-14 14:36 . 2008-06-14 14:37 <DIR> d-------- C:\Program Files\Acme CAD Converter
2008-06-02 15:19 . 2008-06-02 15:19 <DIR> dr------- C:\Program Files\Vizros
2008-06-02 10:58 . 1999-12-17 09:13 86,016 --a------ C:\WINDOWS\unvise32.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-07-01 15:27 --------- d-----w C:\Documents and Settings\Windows Xp\Application Data\stickies
2008-07-01 15:22 --------- d-----w C:\Documents and Settings\Windows Xp\Application Data\uTorrent
2008-07-01 14:37 --------- d-----w C:\Documents and Settings\Windows Xp\Application Data\MegauploadToolbar
2008-06-30 14:15 --------- d-----w C:\Documents and Settings\Windows Xp\Application Data\Corel
2008-06-20 09:34 --------- d-----w C:\Program Files\uTorrent
2008-05-31 19:04 --------- d-----w C:\Program Files\CDisplay
2008-05-25 17:10 --------- d-----w C:\Documents and Settings\Windows Xp\Application Data\Skype
2008-05-21 10:13 --------- d-----w C:\Program Files\Corel
2008-05-21 10:13 --------- d-----w C:\Program Files\Common Files\Corel
2008-05-03 21:44 96,864 ----a-w C:\WINDOWS\~GLC0001.TMP
2008-05-03 21:41 96,864 ----a-w C:\WINDOWS\~GLC0000.TMP
2007-04-19 01:47 88 --sh--r C:\WINDOWS\system32\7BABFE60C1.sys
2007-11-17 12:34 88 --sh--r C:\WINDOWS\system32\D9C8DBE01D.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B1892F58-1116-4DEC-92AA-577872EC3D3D}]
2008-07-01 14:51 26624 --a------ C:\WINDOWS\system32\domsys.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{bac99536-b4b6-45be-bd1e-6eff5d381a7c}]
C:\WINDOWS\SYSTEM32\kerest.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 03:07 15360]
"iolo Utility Bar"="C:\Program Files\iolo\System Mechanic 5 Professional\SMUtilityBar.exe" [2005-01-31 12:58 735232]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-10-28 22:05 344064]
"BluetoothAuthenticationAgent"="bthprops.cpl,,BluetoothAuthenticationAgent" []
"nod32kui"="C:\Program Files\Eset\nod32kui.exe" [2007-09-29 18:55 949376]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 02:11 132496]
"MSConfig"="C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe" [2004-08-04 03:07 158208]
"ISUSPM Startup"="C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-08-11 16:30 249856]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2005-08-11 16:30 81920]
"SpywareTerminator"="C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe" [2008-06-20 08:00 1817600]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 03:07 15360]

C:\Documents and Settings\Windows Xp\Start Menu\Programs\Startup\
Stickies.lnk - C:\Program Files\stickies\stickies.exe [2007-03-08 23:28:19 700416]

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\2]
Source= C:\Documents and Settings\Windows Xp\Desktop\html Ivana\baby_desktop.html
FriendlyName=

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\kerest]
kerest.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\system32\gebccab.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.3iv2"= 3ivxVfWCodec.dll
"VIDC.HFYU"= huffyuv.dll
"VIDC.VP31"= vp31vfw.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Acrobat Assistant.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Acrobat Assistant.lnk
backup=C:\WINDOWS\pss\Acrobat Assistant.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^AutoCAD Startup Accelerator.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\AutoCAD Startup Accelerator.lnk
backup=C:\WINDOWS\pss\AutoCAD Startup Accelerator.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
--a------ 2006-10-27 01:47 31016 C:\Program Files\Microsoft Office 2007\Office12\GrooveMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
--a------ 2007-01-19 13:54 5674352 C:\Program Files\MSN Messenger\msnmsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2006-09-01 16:57 282624 C:\Program Files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
--a------ 2004-11-02 20:24 32768 C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
--a------ 2004-12-22 11:09 77824 C:\WINDOWS\SOUNDMAN.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\eMule\\emule.exe"=
"C:\\Program Files\\PopCap Games\\Bejeweled Deluxe\\WinBej.exe"=
"C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE"=
"C:\\WINDOWS\\system32\\svchost.exe"=
"C:\\Program Files\\eMule2\\eMule.exe"=
"C:\\Program Files\\uTorrent\\utorrent.exe"=
"C:\\Program Files\\Shareaza\\Shareaza.exe"=
"C:\\Program Files\\Custom Content Manager\\CCM.exe"=
"C:\\Program Files\\Opera\\Opera.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\Pando Networks\\Pando\\pando.exe"=
"C:\\Program Files\\Microsoft Office 2007\\Office12\\OUTLOOK.EXE"=
"C:\\Program Files\\Microsoft Office 2007\\Office12\\GROOVE.EXE"=
"C:\\Program Files\\Microsoft Office 2007\\Office12\\ONENOTE.EXE"=
"C:\\Program Files\\DC++\\DCPlusPlus.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\MSN Messenger\\livecall.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=
"C:\\Program Files\\Windows Media Player\\wmplayer.exe"=

R1 sp_rsdrv2;Spyware Terminator Driver 2;C:\WINDOWS\system32\drivers\sp_rsdrv2.sys [2008-06-20 08:00]
S3 PIXMCV;JVC Communication PIX-MCV Driver;C:\WINDOWS\system32\Drivers\pixmcvc.sys [2002-09-28 07:08]
S3 PIXMCVA;JVC PIX-MCV Audio Capture;C:\WINDOWS\system32\Drivers\pixmcva.sys [2002-10-04 03:53]
S3 PIXMCVV;JVC PIX-MCV Video Capture;C:\WINDOWS\system32\Drivers\pixmcvv.sys [2002-11-28 09:16]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{523ecbfa-438c-11dd-b4ab-00148586ce49}]
\Shell\Auto\command - G:\Config.exe
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Config.exe

.
Contents of the 'Scheduled Tasks' folder
"2008-06-19 05:47:01 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-07-01 07:00:00 C:\WINDOWS\Tasks\At10.job"
- C:\WINDOWS\system32\OBeamuo7.exe
"2008-07-01 08:00:01 C:\WINDOWS\Tasks\At11.job"
- C:\WINDOWS\system32\OBeamuo7.exe
"2008-07-01 09:00:02 C:\WINDOWS\Tasks\At12.job"
- C:\WINDOWS\system32\OBeamuo7.exe
"2008-07-01 10:00:02 C:\WINDOWS\Tasks\At13.job"
- C:\WINDOWS\system32\OBeamuo7.exe
"2008-07-01 11:00:01 C:\WINDOWS\Tasks\At14.job"
- C:\WINDOWS\system32\OBeamuo7.exe
"2008-07-01 12:00:01 C:\WINDOWS\Tasks\At15.job"
- C:\WINDOWS\system32\OBeamuo7.exe
"2008-07-01 13:00:04 C:\WINDOWS\Tasks\At16.job"
- C:\WINDOWS\system32\OBeamuo7.exe
"2008-07-01 14:00:04 C:\WINDOWS\Tasks\At17.job"
- C:\WINDOWS\system32\OBeamuo7.exe
"2008-07-01 15:00:04 C:\WINDOWS\Tasks\At18.job"
- C:\WINDOWS\system32\OBeamuo7.exe
"2008-06-30 16:00:00 C:\WINDOWS\Tasks\At19.job"
- C:\WINDOWS\system32\OBeamuo7.exe
"2008-06-30 23:00:01 C:\WINDOWS\Tasks\At2.job"
- C:\WINDOWS\system32\OBeamuo7.exe
"2008-06-30 17:00:00 C:\WINDOWS\Tasks\At20.job"
- C:\WINDOWS\system32\OBeamuo7.exe
"2008-06-30 18:00:00 C:\WINDOWS\Tasks\At21.job"
- C:\WINDOWS\system32\OBeamuo7.exe
"2008-06-30 19:00:00 C:\WINDOWS\Tasks\At22.job"
- C:\WINDOWS\system32\OBeamuo7.exe
"2008-06-30 20:00:00 C:\WINDOWS\Tasks\At23.job"
- C:\WINDOWS\system32\OBeamuo7.exe
"2008-06-30 21:00:00 C:\WINDOWS\Tasks\At24.job"
- C:\WINDOWS\system32\OBeamuo7.exe
"2008-07-01 00:00:00 C:\WINDOWS\Tasks\At3.job"
- C:\WINDOWS\system32\OBeamuo7.exe
"2008-06-30 01:00:00 C:\WINDOWS\Tasks\At4.job"
- C:\WINDOWS\system32\OBeamuo7.exe
"2008-06-24 02:00:00 C:\WINDOWS\Tasks\At5.job"
- C:\WINDOWS\system32\OBeamuo7.exe
"2008-06-05 03:00:00 C:\WINDOWS\Tasks\At6.job"
- C:\WINDOWS\system32\OBeamuo7.exe
"2008-06-05 04:00:00 C:\WINDOWS\Tasks\At7.job"
- C:\WINDOWS\system32\OBeamuo7.exe
"2008-06-05 05:00:00 C:\WINDOWS\Tasks\At8.job"
- C:\WINDOWS\system32\OBeamuo7.exe
"2008-07-01 06:00:00 C:\WINDOWS\Tasks\At9.job"
- C:\WINDOWS\system32\OBeamuo7.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, gmer.net
Rootkit scan 2008-07-01 17:39:28
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

C:\WINDOWS\explorer.exe [2452] 0xFD3C1828

scanning hidden autostart entries ...

scanning hidden files ...


**************************************************************************
.
Completion time: 2008-07-01 17:51:40
ComboFix-quarantined-files.txt 2008-07-01 15:50:36
ComboFix2.txt 2008-07-01 09:22:49

Pre-Run: 3,746,426,880 bytes free
Post-Run: 3,793,956,864 bytes free


Update: 01 Jul 2008 19:24

I forgot to say that I also cleaned the flash drive as you told me; I did everything according to the instructions before this scan.

offline
  • Joined: 07 Aug 2006
  • Posts: 1182
  • Where you live: Fili Davydkovo, Moscow, Russia

It is quite possible that you got infected through someone else's USB stick (from a friend, or similar). As for what comes next, further instructions will follow during the day.

offline
  • Joined: 01 Jul 2008
  • Posts: 33
  • Where you live: in Pančevo

Thanks.
By the way, how does one protect against infected USB sticks, apart from the obvious solution of not using them? Can the program mentioned above be used to scan someone else's stick before using it?

offline
  • Joined: 07 Aug 2006
  • Posts: 1182
  • Where you live: Fili Davydkovo, Moscow, Russia

Open Notepad and copy the following text into it:

File::
c:\windows\system32\gebccab.dll
C:\WINDOWS\system32\OBeamuo7.exe
C:\WINDOWS\SYSTEM32\kerest.dll
C:\WINDOWS\system32\Config.exe
C:\WINDOWS\Tasks\At2.job
C:\WINDOWS\Tasks\At3.job
C:\WINDOWS\Tasks\At4.job
C:\WINDOWS\Tasks\At5.job
C:\WINDOWS\Tasks\At6.job
C:\WINDOWS\Tasks\At7.job
C:\WINDOWS\Tasks\At8.job
C:\WINDOWS\Tasks\At9.job
C:\WINDOWS\Tasks\At10.job
C:\WINDOWS\Tasks\At11.job
C:\WINDOWS\Tasks\At12.job
C:\WINDOWS\Tasks\At13.job
C:\WINDOWS\Tasks\At14.job
C:\WINDOWS\Tasks\At15.job
C:\WINDOWS\Tasks\At16.job
C:\WINDOWS\Tasks\At17.job
C:\WINDOWS\Tasks\At18.job
C:\WINDOWS\Tasks\At19.job
C:\WINDOWS\Tasks\At20.job
C:\WINDOWS\Tasks\At21.job
C:\WINDOWS\Tasks\At22.job
C:\WINDOWS\Tasks\At23.job
C:\WINDOWS\Tasks\At24.job

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{bac99536-b4b6-45be-bd1e-6eff5d381a7c}]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\kerest]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{523ecbfa-438c-11dd-b4ab-00148586ce49}]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=""


Save the file from Notepad to the Desktop as "CFScript"

Drag the saved script/text onto the ComboFix icon as in the picture.
Post the log that is produced at the end of the cleaning/scanning in your next message.
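An added example (not part of the thread and not ComboFix's own code): a small Python parser that reads the 'Scheduled Tasks' section of a ComboFix log in the format shown above, groups the AtN.job entries by the binary they run, flags a binary that several hourly jobs point to (the OBeamuo7.exe pattern in the log), and renders the matching File:: lines for a CFScript like the one in this post. The log excerpt is constructed from that format, and all function names are this example's own.

```python
import re
from collections import defaultdict
# Constructed excerpt in ComboFix's log format: quoted "<timestamp> <job>" line, then "- <target>".
SAMPLE_LOG = """\
Contents of the 'Scheduled Tasks' folder
"2008-06-19 05:47:01 C:\\WINDOWS\\Tasks\\AppleSoftwareUpdate.job"
- C:\\Program Files\\Apple Software Update\\SoftwareUpdate.exe
"2008-07-01 07:00:00 C:\\WINDOWS\\Tasks\\At10.job"
- C:\\WINDOWS\\system32\\OBeamuo7.exe
"2008-07-01 08:00:01 C:\\WINDOWS\\Tasks\\At11.job"
- C:\\WINDOWS\\system32\\OBeamuo7.exe
"2008-06-30 23:00:01 C:\\WINDOWS\\Tasks\\At2.job"
- C:\\WINDOWS\\system32\\OBeamuo7.exe
."""
TASK_RE = re.compile(r'^"(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (.+\.job)"$')
AT_JOB_RE = re.compile(r'\\At(\d+)\.job$')

def parse_tasks(log_text):
    """Return [(job_path, target_path)] from the 'Scheduled Tasks' section."""
    lines = log_text.splitlines()
    tasks, in_section = [], False
    for i, line in enumerate(lines):
        if line.startswith("Contents of the 'Scheduled Tasks' folder"):
            in_section = True
            continue
        if in_section and line.strip() == '.':   # ComboFix section separator
            break
        m = TASK_RE.match(line) if in_section else None
        if m and i + 1 < len(lines) and lines[i + 1].startswith('- '):
            tasks.append((m.group(2), lines[i + 1][2:].strip()))
    return tasks

def suspicious_targets(tasks, min_jobs=2):
    """Group AtN.job tasks by target; flag binaries that min_jobs or more of them run."""
    # Many AtN.job files running one binary is the hourly at.exe persistence seen above.
    by_target = defaultdict(list)
    for job, target in tasks:
        if AT_JOB_RE.search(job):
            by_target[target].append(job)
    num = lambda j: int(AT_JOB_RE.search(j).group(1))   # At2 sorts before At10
    return {t: sorted(j, key=num) for t, j in by_target.items() if len(j) >= min_jobs}

def cfscript_file_section(flagged):
    """Render a ComboFix 'File::' section: each flagged binary, then its job files."""
    out = ['File::']
    for target, jobs in flagged.items():
        out.append(target)
        out.extend(jobs)
    return '\n'.join(out)
```

The rendered File:: block is what the helper wrote by hand above; the registry entries (mountpoints2, Winlogon notify, AppInit_DLLs) still have to be added from the log separately.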
