Internet dropouts caused by the msodesnv7 application and cfdrive32.exe


offline
  • Joined: 29 Nov 2009
  • Posts: 77

Posted: 17 Sep 2010 12:43

Hello, since yesterday my internet connection keeps dropping; Malwarebytes' Anti-Malware shows me
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\msodesnv7 (Trojan.FakeAlert.H) -> Quarantined and deleted successfully.

Inficirani podaci u registru:
(Maliciozne stavke nisu pronađene)

Inficirane fascikle:
(Maliciozne stavke nisu pronađene)

Inficirane datoteke:
C:\WINDOWS\system32\msvmiode.exe (Trojan.FakeAlert.H) -> Delete on reboot.
C:\RECYCLER\S-1-5-21-4456262612-4903033749-606910049-5773\syscr.exe

---------------------------------------------------------------------
I go into safe mode and delete it, but it comes back later!
I also analyzed with HijackThis,

O4 - HKLM\..\Policies\Explorer\Run: [Microsoft Driver Setup] C:\WINDOWS\cfdrive32.exe
O4 - HKLM\..\Run: [Microsoft Driver Setup] C:\WINDOWS\cfdrive32.exe

I tick cfdrive32.exe in both places and they show up again after shutting the computer down!
I use 32-bit Windows and cable internet.
I downloaded DDS, but it only opens briefly and closes.
With Gmer I did everything as the instructions say, I hope.

Thanks in advance!


Update: 17 Sep 2010 12:46

Gmer text file

I can't attach Gmer1 at all, I get a reply that the file is too big?????

offline
  • diarno  Male
  • Anti Malware Fighter
    Rank 2
  • Joined: 15 Jun 2007
  • Posts: 5572

OK, since you're inclined to use AM tools, keep the following in mind:

While the case is being resolved, I would ask you to stick to the following:
Read my instructions (or the instructions of colleagues who stand in for me) carefully and work only by them;
Do not seek help elsewhere at the same time;
Do not use other malware-removal programs besides the ones you get instructions for;
Do not use USB storage devices during the intervention until I ask for it;
If I do not reply within 48h, bump the topic with a new post;
If you do not reply within 5 days, we will close the case.

For more information about the rules of the MyCity forum Ambulanta: LINK


Read it? OK, let's move on:

Download sUBs' ComboFix from the following address to your Desktop:

Bleeping Computer
Right-click the link and choose Save Target As... (Save Link As..., Save Linked Content As... or similar);
When the dialog for choosing where to save the file opens, pick Desktop and click Save.

Once the download is finished:
disable your protection software (instructions);
close running programs;
double-click to start ComboFix.

While running, ComboFix will:
check whether a newer version of the program exists:
  click Yes if offered to download it.
display the DISCLAIMER OF WARRANTY ON SOFTWARE:
  click Yes so the process continues.
if the Recovery Console is not installed, offer to install it:
  be sure to accept by clicking Yes and follow the procedure.
ask a number of questions / show notifications:
  accept by clicking Yes or OK.
restart Windows if needed (several times);
at the end, open Notepad with the scan report.

Copy the report ComboFix created into the topic on the forum:
right-click in the Notepad window and choose Select All;
right-click the selected text and choose Copy;
right-click in the message box and choose Paste.

Note: The report will be saved under the name ComboFix.txt on the system partition (typical location: C:\ComboFix.txt);
If after posting you notice the report is not complete, use the Attach file option to attach C:\ComboFix.txt to your message.

offline
  • Joined: 29 Nov 2009
  • Posts: 77

Posted: 17 Sep 2010 13:28

Here's ComboFix

Update: 17 Sep 2010 13:31

ComboFix 10-09-16.05 - KOKI 17.09.2010 13:16:22.1.1 - x86
Microsoft Windows XP Professional 5.1.2600.2.1250.381.1033.18.511.153 [GMT 2:00]
Running from: d:\my documents\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\KOKI\Application Data\ltzqai.exe
c:\windows\cfdrive32.exe
c:\windows\system32\84.exe

.
((((((((((((((((((((((((( Files Created from 2010-08-17 to 2010-09-17 )))))))))))))))))))))))))))))))
.

2010-09-04 12:22 . 2010-09-04 12:22 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-08-31 12:52 . 2010-08-31 12:52 -------- d-----w- c:\documents and settings\Administrator.KOKI-1CCE0A537D\Application Data\Malwarebytes
2010-08-19 17:57 . 2010-08-19 17:57 -------- d-----w- c:\documents and settings\KOKI\Local Settings\Application Data\Help
2010-08-19 16:14 . 2010-08-19 17:52 -------- d-----w- c:\documents and settings\KOKI\Local Settings\Application Data\CyberDefender
2010-08-19 16:14 . 2010-08-19 16:12 96200 ----a-w- c:\windows\system32\drivers\CDAVFS.sys
2010-08-19 16:13 . 2010-08-19 16:13 -------- d-----w- c:\program files\Common Files\Authentium
2010-08-19 16:03 . 2010-08-19 16:03 -------- d--h--w- c:\windows\system32\GroupPolicy
2010-08-19 12:07 . 2008-09-10 17:58 270336 ----a-w- c:\windows\system32\CMRMDRV3.exe
2010-08-19 11:54 . 2008-09-11 10:10 278528 ----a-w- c:\windows\CmiPCIUninstall.exe
2010-08-19 11:54 . 2010-08-19 12:06 -------- d-----w- c:\program files\C-Media PCI Audio Device
2010-08-19 11:54 . 2009-03-18 10:34 1512960 ----a-w- c:\windows\system32\drivers\cmudax3.sys
2010-08-19 11:39 . 2010-08-19 11:39 -------- d-----w- c:\program files\Common Files\Java
2010-08-19 11:31 . 2010-08-19 11:31 -------- d-----w- c:\windows\system32\wbem\Repository
2010-08-18 11:37 . 2010-08-19 11:29 -------- d-----w- c:\program files\TextEdit

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-09-16 21:21 . 2010-03-27 12:36 -------- d-----w- c:\documents and settings\KOKI\Application Data\Skype
2010-09-16 15:25 . 2010-03-27 12:42 -------- d-----w- c:\documents and settings\KOKI\Application Data\skypePM
2010-08-19 11:53 . 2010-03-27 16:57 -------- d-----w- c:\program files\Common Files\InstallShield
2010-08-19 11:39 . 2010-05-30 22:56 -------- d-----w- c:\program files\Java
2010-08-19 11:31 . 2010-08-06 11:35 -------- d-----w- c:\documents and settings\KOKI\Application Data\vlc
2010-08-02 11:28 . 2010-03-28 12:28 -------- d-----w- c:\documents and settings\All Users\Application Data\Bluetooth
2010-07-17 03:00 . 2010-05-30 22:56 423656 ----a-w- c:\windows\system32\deployJava1.dll
.

------- Sigcheck -------

[-] 2006-02-25 . 6E266AAF4168B3569A330C61AB01F6B4 . 1580544 . . [5.1.2600.2180] . . c:\windows\system32\sfcfiles.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2010-03-02 282792]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2004-08-03 110592]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\CTFMON.EXE" [2004-08-03 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2010-06-09 08:06 976832 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2009-10-03 03:08 35696 ----a-w- d:\program files\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroCheck]
1999-12-31 22:00 155648 ----a-r- c:\windows\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
2010-04-06 00:27 26102056 ----a-r- c:\program files\Skype\Phone\Skype.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableUnicastResponsesToMulticastBroadcast"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"d:\\Program Files\\Blutut\\BlueSoleil.exe"=
"d:\\Program Files\\totalcmd\\TOTALCMD.EXE"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [27.3.2010 20:08 135336]
R2 vseamps;vseamps;c:\program files\Common Files\Authentium\AntiVirus5\vseamps.exe [8.4.2010 16:46 117288]
R2 vsedsps;vsedsps;c:\program files\Common Files\Authentium\AntiVirus5\vsedsps.exe [8.4.2010 16:46 117288]
R2 vseqrts;vseqrts;c:\program files\Common Files\Authentium\AntiVirus5\vseqrts.exe [8.4.2010 16:46 154152]
S3 Asfsdirv;Asfsdirv; [x]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - KGLOYFOD
*Deregistered* - kgloyfod
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\KOKI\Application Data\Mozilla\Firefox\Profiles\x3kgijhn.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll
FF - plugin: d:\program files\Reader\browser\nppdf32.dll

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
.
- - - - ORPHANS REMOVED - - - -

WebBrowser-{DD662A0C-12FE-4B38-BA53-247F7EC82F46} - (no file)
HKLM-Run-CmPCIaudio - CMICNFG3.cpl
MSConfigStartUp-CyberDefender Early Detection Center - c:\program files\CyberDefender\AntiSpyware\_cdasd1.exe
MSConfigStartUp-Microsoft Driver Setup - c:\windows\system32\xfgnl.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, gmer.net
Rootkit scan 2010-09-17 13:20
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2010-09-17 13:21:58
ComboFix-quarantined-files.txt 2010-09-17 11:21

Pre-Run: 16.231.170.048 bytes free
Post-Run: 16.335.978.496 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

- - End Of File - - BE395C421E4A4E4DE9F3853FD984C4A7
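The thread above shows the persistence point at work: a Run value (msodesnv7 in the Malwarebytes report, "Microsoft Driver Setup" pointing at cfdrive32.exe in the HijackThis O4 lines) whose binary sits in the Windows root, a user's Application Data or RECYCLER, and which is re-created after each manual deletion. As an added example, not part of the thread and not code from HijackThis, ComboFix or Malwarebytes, the Python script below parses both the HijackThis O4 format and the REGEDIT4-style "Reg Loading Points" section of a ComboFix log and flags autostart entries whose binary lives where legitimate software rarely puts its startup items. The sample lines are constructed from the shapes seen in this thread; the pairing of msodesnv7 with ltzqai.exe and its date/size stamp are assumptions, not taken from the log.

```python
"""Triage autostart entries from HijackThis O4 lines and ComboFix
"Reg Loading Points" output, flagging binaries in locations that legitimate
software rarely uses for persistence (Windows root, user profile dirs,
RECYCLER) plus a few other cheap signals.  Added example, not tool code."""
import re
from dataclasses import dataclass, field
from typing import List

# Constructed sample input modelled on the lines seen in the thread.  The
# msodesnv7 -> ltzqai.exe pairing and its date/size stamp are assumptions.
SAMPLE_HIJACKTHIS = r"""
O4 - HKLM\..\Policies\Explorer\Run: [Microsoft Driver Setup] C:\WINDOWS\cfdrive32.exe
O4 - HKLM\..\Run: [Microsoft Driver Setup] C:\WINDOWS\cfdrive32.exe
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
""".strip().splitlines()

SAMPLE_COMBOFIX = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2010-03-02 282792]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2004-08-03 110592]
"msodesnv7"="c:\documents and settings\KOKI\Application Data\ltzqai.exe" [2010-09-16 61440]
""".strip().splitlines()

O4_RE = re.compile(r'^O4 - (?P<key>.+?): \[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$')
REG_SECTION_RE = re.compile(r'^\[(?P<key>[^\]]+)\]$')
REG_VALUE_RE = re.compile(r'^"(?P<name>[^"]*)"="(?P<cmd>[^"]*)"')
# Leading token of the command that looks like a launchable file.
BINARY_RE = re.compile(r'^"?(?P<path>[^"]*?\.(?:exe|dll|cpl|scr|com|bat|cmd|vbs|js))', re.I)


@dataclass
class AutostartEntry:
    key: str
    name: str
    command: str
    path: str = ""
    reasons: List[str] = field(default_factory=list)


def binary_path(command: str) -> str:
    """Extract the executable path from a Run-value command line."""
    m = BINARY_RE.match(command.strip())
    return m.group("path") if m else ""


def parse_hijackthis(lines) -> List[AutostartEntry]:
    """Parse 'O4 - <key>: [<name>] <command>' lines."""
    entries = []
    for line in lines:
        m = O4_RE.match(line.strip())
        if m:
            entries.append(AutostartEntry(m["key"], m["name"], m["cmd"], binary_path(m["cmd"])))
    return entries


def parse_combofix(lines) -> List[AutostartEntry]:
    """Parse REGEDIT4-style sections; only values under a ...\\Run key count."""
    entries, key = [], ""
    for line in lines:
        line = line.strip()
        s = REG_SECTION_RE.match(line)
        if s:
            key = s["key"]
            continue
        v = REG_VALUE_RE.match(line)
        if v and key.lower().endswith("\\run"):
            entries.append(AutostartEntry(key, v["name"], v["cmd"], binary_path(v["cmd"])))
    return entries


def assess(entry: AutostartEntry) -> List[str]:
    """Return the list of heuristic reasons an entry deserves a closer look."""
    p = entry.path.lower()
    reasons: List[str] = []
    if not p:
        return reasons
    if re.match(r'^[a-z]:\\windows\\[^\\]+$', p):
        reasons.append("binary directly in the Windows root directory")
    if any(x in p for x in ("\\application data\\", "\\local settings\\", "\\temp\\")):
        reasons.append("binary in a user-writable profile directory")
    if "\\recycler\\" in p:
        reasons.append("binary under RECYCLER")
    stem = p.rsplit("\\", 1)[-1].rsplit(".", 1)[0]
    if stem.isdigit():
        reasons.append("purely numeric file name")
    if "policies\\explorer\\run" in entry.key.lower():
        reasons.append("Policies\\Explorer\\Run key, rarely used by legitimate software")
    trusted = "\\windows\\system32\\" in p or "\\program files\\" in p
    if "microsoft" in entry.name.lower() and not trusted:
        reasons.append("Microsoft-sounding value name outside system32 / Program Files")
    return reasons


def triage(hijackthis_lines, combofix_lines) -> List[AutostartEntry]:
    entries = parse_hijackthis(hijackthis_lines) + parse_combofix(combofix_lines)
    for e in entries:
        e.reasons = assess(e)
    return entries


def flagged(entries) -> List[AutostartEntry]:
    return [e for e in entries if e.reasons]


if __name__ == "__main__":
    for e in flagged(triage(SAMPLE_HIJACKTHIS, SAMPLE_COMBOFIX)):
        print(f"[{e.key}] {e.name} -> {e.path}")
        for r in e.reasons:
            print("    -", r)
```

The heuristics are deliberately cheap and location-based: none of them identifies malware on its own, but together they separate the avgnt and bthprops.cpl entries from the two cfdrive32.exe entries and the Application Data binary, which is exactly the shortlist a helper would ask about first. Entries whose command holds no recognisable file (or a plain .cpl name with no path) are left unflagged rather than guessed at.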

offline
  • diarno  Male
  • Anti Malware Fighter
    Rank 2
  • Joined: 15 Jun 2007
  • Posts: 5572

Uninstall Authentium AntiVirus5.

offline
  • Joined: 29 Nov 2009
  • Posts: 77

Posted: 17 Sep 2010 14:57

Once I uninstall it, what should I do then?

Update: 17 Sep 2010 15:08

I've uninstalled it!

offline
  • diarno  Male
  • Anti Malware Fighter
    Rank 2
  • Joined: 15 Jun 2007
  • Posts: 5572

Open Notepad and copy the following text:

File::
c:\windows\system32\drivers\CDAVFS.sys

Folder::
c:\documents and settings\KOKI\Local Settings\Application Data\CyberDefender

Driver::
Asfsdirv


Save the file from Notepad to the Desktop as "CFScript"

Drag the saved script/text onto the ComboFix icon as shown in the picture.
Post the log created at the end of the cleaning/scanning in your next message.

offline
  • Joined: 29 Nov 2009
  • Posts: 77

ComboFix 10-09-16.06 - KOKI 17.09.2010 15:37:45.2.1 - x86
Microsoft Windows XP Professional 5.1.2600.2.1250.381.1033.18.511.317 [GMT 2:00]
Running from: c:\documents and settings\KOKI\Desktop\ComboFix.exe
AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
.

((((((((((((((((((((((((( Files Created from 2010-08-17 to 2010-09-17 )))))))))))))))))))))))))))))))
.

2010-09-04 12:22 . 2010-09-04 12:22 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-08-31 12:52 . 2010-08-31 12:52 -------- d-----w- c:\documents and settings\Administrator.KOKI-1CCE0A537D\Application Data\Malwarebytes
2010-08-19 17:57 . 2010-08-19 17:57 -------- d-----w- c:\documents and settings\KOKI\Local Settings\Application Data\Help
2010-08-19 16:14 . 2010-08-19 17:52 -------- d-----w- c:\documents and settings\KOKI\Local Settings\Application Data\CyberDefender
2010-08-19 16:14 . 2010-08-19 16:12 96200 ----a-w- c:\windows\system32\drivers\CDAVFS.sys
2010-08-19 16:13 . 2010-09-17 13:05 -------- d-----w- c:\program files\Common Files\Authentium
2010-08-19 16:03 . 2010-08-19 16:03 -------- d--h--w- c:\windows\system32\GroupPolicy
2010-08-19 12:07 . 2008-09-10 17:58 270336 ----a-w- c:\windows\system32\CMRMDRV3.exe
2010-08-19 11:54 . 2008-09-11 10:10 278528 ----a-w- c:\windows\CmiPCIUninstall.exe
2010-08-19 11:54 . 2010-08-19 12:06 -------- d-----w- c:\program files\C-Media PCI Audio Device
2010-08-19 11:54 . 2009-03-18 10:34 1512960 ----a-w- c:\windows\system32\drivers\cmudax3.sys
2010-08-19 11:39 . 2010-08-19 11:39 -------- d-----w- c:\program files\Common Files\Java
2010-08-19 11:31 . 2010-08-19 11:31 -------- d-----w- c:\windows\system32\wbem\Repository

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-09-16 21:21 . 2010-03-27 12:36 -------- d-----w- c:\documents and settings\KOKI\Application Data\Skype
2010-09-16 15:25 . 2010-03-27 12:42 -------- d-----w- c:\documents and settings\KOKI\Application Data\skypePM
2010-08-19 11:53 . 2010-03-27 16:57 -------- d-----w- c:\program files\Common Files\InstallShield
2010-08-19 11:39 . 2010-05-30 22:56 -------- d-----w- c:\program files\Java
2010-08-19 11:31 . 2010-08-06 11:35 -------- d-----w- c:\documents and settings\KOKI\Application Data\vlc
2010-08-19 11:29 . 2010-08-18 11:37 -------- d-----w- c:\program files\TextEdit
2010-08-02 11:28 . 2010-03-28 12:28 -------- d-----w- c:\documents and settings\All Users\Application Data\Bluetooth
2010-07-17 03:00 . 2010-05-30 22:56 423656 ----a-w- c:\windows\system32\deployJava1.dll
.

------- Sigcheck -------

[-] 2006-02-25 . 6E266AAF4168B3569A330C61AB01F6B4 . 1580544 . . [5.1.2600.2180] . . c:\windows\system32\sfcfiles.dll
.
((((((((((((((((((((((((((((( SnapShot@2010-09-17_11.20.18 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-09-17 13:07 . 2010-09-17 13:07 16384 c:\windows\Temp\Perflib_Perfdata_704.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2010-03-02 282792]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2004-08-03 110592]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\CTFMON.EXE" [2004-08-03 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2010-06-09 08:06 976832 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2009-10-03 03:08 35696 ----a-w- d:\program files\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroCheck]
1999-12-31 22:00 155648 ----a-r- c:\windows\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
2010-04-06 00:27 26102056 ----a-r- c:\program files\Skype\Phone\Skype.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableUnicastResponsesToMulticastBroadcast"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"d:\\Program Files\\Blutut\\BlueSoleil.exe"=
"d:\\Program Files\\totalcmd\\TOTALCMD.EXE"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [27.3.2010 20:08 135336]
S2 vseamps;vseamps;"c:\program files\Common Files\Authentium\AntiVirus5\vseamps.exe" --> c:\program files\Common Files\Authentium\AntiVirus5\vseamps.exe [?]
S2 vsedsps;vsedsps;"c:\program files\Common Files\Authentium\AntiVirus5\vsedsps.exe" --> c:\program files\Common Files\Authentium\AntiVirus5\vsedsps.exe [?]
S2 vseqrts;vseqrts;"c:\program files\Common Files\Authentium\AntiVirus5\vseqrts.exe" --> c:\program files\Common Files\Authentium\AntiVirus5\vseqrts.exe [?]
S3 Asfsdirv;Asfsdirv; [x]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\KOKI\Application Data\Mozilla\Firefox\Profiles\x3kgijhn.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll
FF - plugin: d:\program files\Reader\browser\nppdf32.dll

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, gmer.net
Rootkit scan 2010-09-17 15:41
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(2152)
c:\windows\system32\shdoclc.dll
c:\program files\Microsoft Office\OFFICE11\msohev.dll
c:\windows\system32\browselc.dll
c:\program files\Common Files\Adobe\Acrobat\ActiveX\PDFShell.dll
.
Completion time: 2010-09-17 15:43:08
ComboFix-quarantined-files.txt 2010-09-17 13:43
ComboFix2.txt 2010-09-17 11:21

Pre-Run: 16.361.943.040 bytes free
Post-Run: 16.354.861.056 bytes free

- - End Of File - - DBC58B3A4AEFD6CBB794338FF874889A

offline
  • diarno  Male
  • Anti Malware Fighter
    Rank 2
  • Joined: 15 Jun 2007
  • Posts: 5572

Do what I wrote here.


diarno :: Open Notepad and copy the following text:

File::
c:\windows\system32\drivers\CDAVFS.sys

Folder::
c:\documents and settings\KOKI\Local Settings\Application Data\CyberDefender

Driver::
Asfsdirv


Save the file from Notepad to the Desktop as "CFScript"

Drag the saved script/text onto the ComboFix icon as shown in the picture.
Post the log created at the end of the cleaning/scanning in your next message.

offline
  • Joined: 29 Nov 2009
  • Posts: 77

ComboFix 10-09-16.06 - KOKI 17.09.2010 16:21:24.3.1 - x86
Microsoft Windows XP Professional 5.1.2600.2.1250.381.1033.18.511.297 [GMT 2:00]
Running from: c:\documents and settings\KOKI\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\KOKI\Desktop\CFScript.txt
AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}

FILE ::
"c:\windows\system32\drivers\CDAVFS.sys"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\KOKI\Local Settings\Application Data\CyberDefender
c:\documents and settings\KOKI\Local Settings\Application Data\CyberDefender\AWSDLL.DLL
c:\documents and settings\KOKI\Local Settings\Application Data\CyberDefender\cdinstx.exe
c:\documents and settings\KOKI\Local Settings\Application Data\CyberDefender\cdinstx.log
c:\documents and settings\KOKI\Local Settings\Application Data\CyberDefender\gacutil.exe
c:\documents and settings\KOKI\Local Settings\Application Data\CyberDefender\Includes\Loading.htm
c:\documents and settings\KOKI\Local Settings\Application Data\CyberDefender\Includes\NoItems Index.htm
c:\documents and settings\KOKI\Local Settings\Application Data\CyberDefender\Includes\Password Cookie.htm
c:\documents and settings\KOKI\Local Settings\Application Data\CyberDefender\Includes\Passwords Index.htm
c:\documents and settings\KOKI\Local Settings\Application Data\CyberDefender\Includes\Privacy Index.htm
c:\documents and settings\KOKI\Local Settings\Application Data\CyberDefender\Scam Alert\charset.html
c:\documents and settings\KOKI\Local Settings\Application Data\CyberDefender\Scam Alert\cookie.html
c:\documents and settings\KOKI\Local Settings\Application Data\CyberDefender\Scam Alert\css\intercept_master.css
c:\documents and settings\KOKI\Local Settings\Application Data\CyberDefender\Scam Alert\defaultCharset.html
c:\documents and settings\KOKI\Local Settings\Application Data\CyberDefender\Scam Alert\form.html
c:\documents and settings\KOKI\Local Settings\Application Data\CyberDefender\Scam Alert\frame.html
c:\documents and settings\KOKI\Local Settings\Application Data\CyberDefender\Scam Alert\gray.htm
c:\documents and settings\KOKI\Local Settings\Application Data\CyberDefender\Scam Alert\green.htm
c:\documents and settings\KOKI\Local Settings\Application Data\CyberDefender\Scam Alert\images\bt_go.gif
c:\documents and settings\KOKI\Local Settings\Application Data\CyberDefender\Scam Alert\images\bt_go_down.gif
c:\documents and settings\KOKI\Local Settings\Application Data\CyberDefender\Scam Alert\images\bt_go_over.gif
c:\documents and settings\KOKI\Local Settings\Application Data\CyberDefender\Scam Alert\images\bt_grey.gif
c:\documents and settings\KOKI\Local Settings\Application Data\CyberDefender\Scam Alert\images\bt_red.gif
c:\documents and settings\KOKI\Local Settings\Application Data\CyberDefender\Scam Alert\images\bt_red_down.gif
c:\documents and settings\KOKI\Local Settings\Application Data\CyberDefender\Scam Alert\images\bt_red_over.gif
c:\documents and settings\KOKI\Local Settings\Application Data\CyberDefender\Scam Alert\images\bttn_grey.gif
c:\documents and settings\KOKI\Local Settings\Application Data\CyberDefender\Scam Alert\images\caution.gif
c:\documents and settings\KOKI\Local Settings\Application Data\CyberDefender\Scam Alert\images\frame.gif
c:\documents and settings\KOKI\Local Settings\Application Data\CyberDefender\Scam Alert\images\intercept_header.jpg
c:\documents and settings\KOKI\Local Settings\Application Data\CyberDefender\Scam Alert\images\logo.gif
c:\documents and settings\KOKI\Local Settings\Application Data\CyberDefender\Scam Alert\images\logo.jpg
c:\documents and settings\KOKI\Local Settings\Application Data\CyberDefender\Scam Alert\images\logo_orange.gif
c:\documents and settings\KOKI\Local Settings\Application Data\CyberDefender\Scam Alert\images\red_bttn.gif
c:\documents and settings\KOKI\Local Settings\Application Data\CyberDefender\Scam Alert\images\red_bttn_down.gif
c:\documents and settings\KOKI\Local Settings\Application Data\CyberDefender\Scam Alert\images\red_bttn_over.gif
c:\documents and settings\KOKI\Local Settings\Application Data\CyberDefender\Scam Alert\images\topbar.gif
c:\documents and settings\KOKI\Local Settings\Application Data\CyberDefender\Scam Alert\images\topbar_orange.gif
c:\documents and settings\KOKI\Local Settings\Application Data\CyberDefender\Scam Alert\images\warning.gif
c:\documents and settings\KOKI\Local Settings\Application Data\CyberDefender\Scam Alert\popup.html
c:\documents and settings\KOKI\Local Settings\Application Data\CyberDefender\Scam Alert\port.html
c:\documents and settings\KOKI\Local Settings\Application Data\CyberDefender\Scam Alert\protocol.html
c:\documents and settings\KOKI\Local Settings\Application Data\CyberDefender\Scam Alert\red.htm
c:\documents and settings\KOKI\Local Settings\Application Data\CyberDefender\Scam Alert\scamalert.htm
c:\documents and settings\KOKI\Local Settings\Application Data\CyberDefender\Scam Alert\scamalert.htm1
c:\documents and settings\KOKI\Local Settings\Application Data\CyberDefender\Scam Alert\scamalert.htm3
c:\documents and settings\KOKI\Local Settings\Application Data\CyberDefender\Scam Alert\scamalert.html
c:\documents and settings\KOKI\Local Settings\Application Data\CyberDefender\Scam Alert\security.html
c:\documents and settings\KOKI\Local Settings\Application Data\CyberDefender\Scam Alert\style.css
c:\documents and settings\KOKI\Local Settings\Application Data\CyberDefender\Scam Alert\yellow.htm
c:\documents and settings\KOKI\Local Settings\Application Data\CyberDefender\ssstbar.ini
c:\documents and settings\KOKI\Local Settings\Application Data\CyberDefender\sssTbarcfg.ini
c:\documents and settings\KOKI\Local Settings\Application Data\CyberDefender\sssTbarSettings.ini
c:\documents and settings\KOKI\Local Settings\Application Data\CyberDefender\sssTbarUpdateHost.ini
c:\documents and settings\KOKI\Local Settings\Application Data\CyberDefender\st.ico
c:\documents and settings\KOKI\Local Settings\Application Data\CyberDefender\stbarpat.dat.03
c:\documents and settings\KOKI\Local Settings\Application Data\CyberDefender\UserGuide\cybdefstbar.set
c:\documents and settings\KOKI\Local Settings\Application Data\CyberDefender\UserGuide\stbarchk.ini
c:\windows\system32\drivers\CDAVFS.sys

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_Asfsdirv


((((((((((((((((((((((((( Files Created from 2010-08-17 to 2010-09-17 )))))))))))))))))))))))))))))))
.

2010-09-04 12:22 . 2010-09-04 12:22 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-08-31 12:52 . 2010-08-31 12:52 -------- d-----w- c:\documents and settings\Administrator.KOKI-1CCE0A537D\Application Data\Malwarebytes
2010-08-19 17:57 . 2010-08-19 17:57 -------- d-----w- c:\documents and settings\KOKI\Local Settings\Application Data\Help
2010-08-19 16:13 . 2010-09-17 13:05 -------- d-----w- c:\program files\Common Files\Authentium
2010-08-19 16:03 . 2010-08-19 16:03 -------- d--h--w- c:\windows\system32\GroupPolicy
2010-08-19 12:07 . 2008-09-10 17:58 270336 ----a-w- c:\windows\system32\CMRMDRV3.exe
2010-08-19 11:54 . 2008-09-11 10:10 278528 ----a-w- c:\windows\CmiPCIUninstall.exe
2010-08-19 11:54 . 2010-08-19 12:06 -------- d-----w- c:\program files\C-Media PCI Audio Device
2010-08-19 11:54 . 2009-03-18 10:34 1512960 ----a-w- c:\windows\system32\drivers\cmudax3.sys
2010-08-19 11:39 . 2010-08-19 11:39 -------- d-----w- c:\program files\Common Files\Java
2010-08-19 11:31 . 2010-08-19 11:31 -------- d-----w- c:\windows\system32\wbem\Repository

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-09-16 21:21 . 2010-03-27 12:36 -------- d-----w- c:\documents and settings\KOKI\Application Data\Skype
2010-09-16 15:25 . 2010-03-27 12:42 -------- d-----w- c:\documents and settings\KOKI\Application Data\skypePM
2010-08-19 11:53 . 2010-03-27 16:57 -------- d-----w- c:\program files\Common Files\InstallShield
2010-08-19 11:39 . 2010-05-30 22:56 -------- d-----w- c:\program files\Java
2010-08-19 11:31 . 2010-08-06 11:35 -------- d-----w- c:\documents and settings\KOKI\Application Data\vlc
2010-08-19 11:29 . 2010-08-18 11:37 -------- d-----w- c:\program files\TextEdit
2010-08-02 11:28 . 2010-03-28 12:28 -------- d-----w- c:\documents and settings\All Users\Application Data\Bluetooth
2010-07-17 03:00 . 2010-05-30 22:56 423656 ----a-w- c:\windows\system32\deployJava1.dll
.

------- Sigcheck -------

[-] 2006-02-25 . 6E266AAF4168B3569A330C61AB01F6B4 . 1580544 . . [5.1.2600.2180] . . c:\windows\system32\sfcfiles.dll
.
((((((((((((((((((((((((((((( SnapShot@2010-09-17_11.20.18 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-09-17 14:26 . 2010-09-17 14:26 16384 c:\windows\Temp\Perflib_Perfdata_428.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2010-03-02 282792]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2004-08-03 110592]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\CTFMON.EXE" [2004-08-03 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2010-06-09 08:06 976832 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2009-10-03 03:08 35696 ----a-w- d:\program files\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroCheck]
1999-12-31 22:00 155648 ----a-r- c:\windows\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
2010-04-06 00:27 26102056 ----a-r- c:\program files\Skype\Phone\Skype.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableUnicastResponsesToMulticastBroadcast"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"d:\\Program Files\\Blutut\\BlueSoleil.exe"=
"d:\\Program Files\\totalcmd\\TOTALCMD.EXE"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [27.3.2010 20:08 135336]
S2 vseamps;vseamps;"c:\program files\Common Files\Authentium\AntiVirus5\vseamps.exe" --> c:\program files\Common Files\Authentium\AntiVirus5\vseamps.exe [?]
S2 vsedsps;vsedsps;"c:\program files\Common Files\Authentium\AntiVirus5\vsedsps.exe" --> c:\program files\Common Files\Authentium\AntiVirus5\vsedsps.exe [?]
S2 vseqrts;vseqrts;"c:\program files\Common Files\Authentium\AntiVirus5\vseqrts.exe" --> c:\program files\Common Files\Authentium\AntiVirus5\vseqrts.exe [?]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\KOKI\Application Data\Mozilla\Firefox\Profiles\x3kgijhn.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll
FF - plugin: d:\program files\Reader\browser\nppdf32.dll

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
.
- - - - ORPHANS REMOVED - - - -

AddRemove-{83682B4C-B98C-4BEB-97CC-8EAD2AF9E4C6} - c:\documents and settings\KOKI\Local Settings\Application Data\CyberDefender\cdinstx.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, gmer.net
Rootkit scan 2010-09-17 16:26
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\rundll32.exe
c:\program files\Avira\AntiVir Desktop\avguard.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Avira\AntiVir Desktop\avshadow.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2010-09-17 16:28:48 - machine was rebooted
ComboFix-quarantined-files.txt 2010-09-17 14:28
ComboFix2.txt 2010-09-17 13:43
ComboFix3.txt 2010-09-17 11:21

Pre-Run: 16.358.686.720 bytes free
Post-Run: 16.303.734.784 bytes free

- - End Of File - - 2BE7CAFD7D80350AE39744474A57480C

offline
  • diarno  Male
  • Anti Malware Fighter
    Rank 2
  • Joined: 15 Jun 2007
  • Posts: 5572

How is the computer doing now?
