Problem with a computer infected by a flash card


  • Joined: 26 Jan 2006
  • Posts: 233

Here is the log:

ComboFix 08-04-20.2 - gogi 2008-04-22 7:24:59.5 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1251.1.1033.18.263 [GMT 2:00]
Running from: C:\Documents and Settings\gogi\Desktop\virusi\ComboFix.exe
Command switches used :: C:\Documents and Settings\gogi\Desktop\virusi\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\autorun.inf.mwt
C:\WINDOWS\system32\drivers\usbinite.sys.mwt
C:\WINDOWS\system32\drivers\usbKeyInit.sys.mwt
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\autorun.inf.mwt
C:\WINDOWS\system32\drivers\usbinite.sys.mwt
C:\WINDOWS\system32\drivers\usbKeyInit.sys.mwt

.
((((((((((((((((((((((((( Files Created from 2008-03-22 to 2008-04-22 )))))))))))))))))))))))))))))))
.

2008-04-21 15:53 . 2008-04-21 15:53 <DIR> d-------- C:\MISA
2008-04-21 07:53 . 2007-12-24 13:49 7,680 --a------ C:\WINDOWS\system32\ff_vfw.dll
2008-04-21 07:53 . 2007-07-10 17:10 547 --a------ C:\WINDOWS\system32\ff_vfw.dll.manifest
2008-04-16 13:30 . 2008-04-21 07:14 1,024 --ah----- C:\WINDOWS\system32\config\systemprofile\ntuser.dat.LOG
2008-04-16 10:15 . 2001-08-17 13:47 12,928 --a------ C:\WINDOWS\system32\drivers\Dot4Prt.sys
2008-04-16 10:15 . 2001-08-17 13:47 12,928 --a--c--- C:\WINDOWS\system32\dllcache\dot4prt.sys
2008-04-16 10:14 . 2004-08-03 22:58 207,360 --a------ C:\WINDOWS\system32\drivers\Dot4.sys
2008-04-16 10:14 . 2004-08-03 22:58 207,360 --a--c--- C:\WINDOWS\system32\dllcache\dot4.sys
2008-04-16 10:14 . 2001-08-17 13:47 23,808 --a------ C:\WINDOWS\system32\drivers\Dot4usb.sys
2008-04-16 10:14 . 2001-08-17 13:47 23,808 --a--c--- C:\WINDOWS\system32\dllcache\dot4usb.sys
2008-04-16 09:16 . 2008-04-16 09:16 <DIR> d-------- C:\WINDOWS\system32\EFFA9C20.DLL
2008-04-11 14:49 . 2008-04-11 14:49 4,226,353 --a------ C:\WINDOWS\REGBK01.ZIP
2008-04-01 13:10 . 2008-04-01 13:10 <DIR> d-------- C:\WINDOWS\PIF
2008-03-31 14:02 . 2008-03-31 14:02 <DIR> d-------- C:\Program Files\Stonisa

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-21 18:03 --------- d-----w C:\Documents and Settings\gogi\Application Data\SolidDocuments
2008-04-21 12:54 --------- d-----w C:\Program Files\FreeCap
2008-04-21 05:55 --------- d-----w C:\Program Files\ffdshow
2008-04-12 06:14 --------- d-----w C:\Program Files\Common Files\Real
2008-04-12 06:13 --------- d-----w C:\Program Files\Online TV Player 3
2008-04-01 04:58 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-03-31 12:17 --------- d-----w C:\Program Files\Common Files\InstallShield
2008-03-31 08:54 --------- d-----w C:\Program Files\Evidencija Gradjana
2008-03-29 13:56 180,999 ----a-w C:\Program Files\firebird.log
2008-03-26 12:06 --------- d-----w C:\Documents and Settings\All Users\Application Data\FLEXnet
2008-03-19 17:08 --------- d-----w C:\Program Files\Java
2008-03-11 17:04 4,224,123 ----a-w C:\WINDOWS\REGBK00.ZIP
2008-03-05 06:10 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-03-05 06:10 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-03-05 06:05 691,545 ----a-w C:\WINDOWS\unins000.exe
2008-02-29 06:09 --------- d-----w C:\Program Files\SolidDocuments
2008-02-29 06:08 --------- d-----w C:\Documents and Settings\All Users\Application Data\SolidDocuments
.

((((((((((((((((((((((((((((( snapshot@2008-04-16_13.37.01.46 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-04-16 11:33:40 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-04-22 05:02:09 2,048 --s-a-w C:\WINDOWS\bootstat.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2002-12-31 14:00 15360]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 12:43 2097488]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PRONoMgr.exe"="C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe" [2003-03-11 17:24 86016]
"SoundMan"="SOUNDMAN.EXE" [2003-07-23 18:19 56832 C:\WINDOWS\SOUNDMAN.EXE]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 05:25 144784]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2002-12-31 14:00 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2007-10-10 20:51 39792 C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--------- 2004-10-13 12:21 1694208 C:\Program Files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2006-01-12 17:40 155648 C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
C:\Program Files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UnlockerAssistant]
--a------ 2006-03-03 04:39 6144 C:\Program Files\Unlocker\UnlockerAssistant.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\totalcmd\\TOTALCMD.EXE"=

S2 9BC11C18;9BC11C18;C:\WINDOWS\system32\2DED3ED8.EXE []

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d3a97930-0ea5-11dd-88c9-000d6119bd1a}]
\Shell\Auto\command - G:\sky.exe
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL sky.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{dad5a194-f71b-11dc-889c-000d6119bd1a}]
\Shell\Auto\command - E:\auto.exe
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL auto.exe

*Newly Created Service* - CATCHME
.
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-22 07:25:31
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-04-22 7:26:09
ComboFix-quarantined-files.txt 2008-04-22 05:25:55
ComboFix2.txt 2008-04-22 05:22:59
ComboFix3.txt 2008-04-21 05:21:15
ComboFix4.txt 2008-04-21 05:19:20

Pre-Run: 105,472,729,088 bytes free
Post-Run: 105,464,451,072 bytes free


Update: 22 Apr 2008 7:34

In the system32 folder there is only this file, EFFA9C20.DLL.mwt, which I uploaded.

  • helen1  Male
  • Anti Malware Fighter
    Rank 2
  • Master teacher
  • Joined: 27 Aug 2005
  • Posts: 8519
  • Location: Novi Beograd

Open Notepad and copy the following text into it:


File::
C:\WINDOWS\system32\EFFA9C20.DLL.mwt

Registry::
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d3a97930-0ea5-11dd-88c9-000d6119bd1a}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{dad5a194-f71b-11dc-889c-000d6119bd1a}]

Driver::
9BC11C18


Save the file from Notepad to the Desktop as "CFScript"

Drag the saved script/text onto the ComboFix icon as shown in the picture.
Post the log that is produced at the end of the cleaning/scan in your next message.
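To show why the CFScript above targets exactly those entries, here is an added triage script (not part of the thread and not ComboFix's own code) that reads the "Reg Loading Points" section of a ComboFix log and flags the two persistence patterns the helper is removing: an `S2` service whose name and image file are random-looking 8-hex-digit names with an empty `[]` metadata field (ComboFix could not find or stat the file), and `MountPoints2` keys whose `\Shell\Auto\command` or `\Shell\AutoRun\command` launches an executable from a removable volume (Explorer's cached copy of that volume's autorun.inf). The sample log is constructed: the `S2` line and the MountPoints2 key are copied from the thread, the `R2 Example Service` line is a made-up benign entry for contrast; the function names and regexes are this example's own assumptions about the log format.

```python
r"""Triage of the "Reg Loading Points" section of a ComboFix log.

Added example, not part of the thread or of ComboFix. It flags the two
persistence patterns the CFScript above targets: a service whose name and
image are random-looking hex with no file metadata in the trailing [] field,
and MountPoints2 keys whose Auto / AutoRun command launches an executable
from a removable volume.
"""
import os
import re

# Constructed sample in the line format ComboFix prints. The S2 line and the
# MountPoints2 key are copied from the thread; the R2 line is a made-up
# benign service with normal metadata, for contrast.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE" [2003-07-23 18:19 56832 C:\WINDOWS\SOUNDMAN.EXE]

S2 9BC11C18;9BC11C18;C:\WINDOWS\system32\2DED3ED8.EXE []
R2 Example Service;Example Service;C:\WINDOWS\system32\example.exe [2004-08-04 12:00 12345]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d3a97930-0ea5-11dd-88c9-000d6119bd1a}]
\Shell\Auto\command - G:\sky.exe
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL sky.exe
"""

# "S2 name;display;image [metadata]" -- metadata is empty when ComboFix could
# not stat the image file (missing, or hidden by something).
SERVICE_RE = re.compile(r'^([RS]\d)\s+([^;]+);([^;]+);(.+?)\s*\[(.*)\]\s*$')
HEX8_RE = re.compile(r'^[0-9A-F]{8}$', re.IGNORECASE)
MP_KEY_RE = re.compile(r'^\[HKEY_[^\]]*\\mountpoints2\\(\{[0-9a-f-]{36}\})\]$', re.IGNORECASE)
MP_CMD_RE = re.compile(r'^\\Shell\\(\w+)\\command\s+-\s+(.+)$', re.IGNORECASE)
DRIVE_ROOT_EXE_RE = re.compile(r'^[A-Z]:\\[^\\]+\.exe$', re.IGNORECASE)


def _check_service(match):
    """Return a finding for a suspicious service line, else None."""
    start, name, _display, image, meta = match.groups()
    stem = os.path.splitext(os.path.basename(image.replace('\\', '/')))[0]
    reasons = []
    if HEX8_RE.match(name.strip()):
        reasons.append('service name is 8 random-looking hex digits')
    if HEX8_RE.match(stem):
        reasons.append('image file name is 8 random-looking hex digits')
    if not meta.strip():
        reasons.append('no date/size metadata for the image (file missing or hidden)')
    if not reasons:
        return None
    return {'kind': 'service', 'start': start, 'name': name.strip(),
            'image': image.strip(), 'reasons': reasons}


def _mountpoint_finding(guid, commands):
    """Any Auto/AutoRun hook under MountPoints2 is Explorer's cached copy of a
    volume's autorun.inf; report it together with what it would launch."""
    reasons = []
    for verb, cmd in commands.items():
        reasons.append(f'Shell\\{verb}\\command runs: {cmd}')
        if DRIVE_ROOT_EXE_RE.match(cmd):
            reasons.append(f'{cmd} is an executable in the root of a removable drive')
    return {'kind': 'mountpoints2', 'guid': guid, 'commands': dict(commands),
            'reasons': reasons}


def triage(log_text):
    """Scan ComboFix log text and return a list of finding dicts."""
    findings = []
    guid, commands = None, {}

    def flush():
        nonlocal guid, commands
        if guid and commands:
            findings.append(_mountpoint_finding(guid, commands))
        guid, commands = None, {}

    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            flush()
            continue
        key = MP_KEY_RE.match(line)
        if key:
            flush()
            guid = key.group(1)
            continue
        if line.startswith('['):  # a different registry key: leave MountPoints2 context
            flush()
            continue
        hook = MP_CMD_RE.match(line)
        if hook and guid:
            commands[hook.group(1)] = hook.group(2).strip()
            continue
        svc = SERVICE_RE.match(line)
        if svc:
            finding = _check_service(svc)
            if finding:
                findings.append(finding)
    flush()
    return findings


if __name__ == '__main__':
    for item in triage(SAMPLE_LOG):
        print(item['kind'], item.get('name') or item['guid'])
        for reason in item['reasons']:
            print('   -', reason)
```

Run against the sample it reports the `9BC11C18` service with all three reasons and the MountPoints2 key with its `G:\sky.exe` hook, and stays silent on the benign `R2` line and on the normal `Run` entries. It only flags; the actual removal is what the `Driver::` and `Registry::` directives in the CFScript above ask ComboFix to do.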

  • Joined: 26 Jan 2006
  • Posts: 233

Here is the log:

ComboFix 08-04-20.2 - gogi 2008-04-23 8:06:19.6 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1251.1.1033.18.228 [GMT 2:00]
Running from: C:\Documents and Settings\gogi\Desktop\virusi\ComboFix.exe
Command switches used :: C:\Documents and Settings\gogi\Desktop\virusi\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\WINDOWS\system32\EFFA9C20.DLL.mwt
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\EFFA9C20.DLL.mwt

.
((((((((((((((((((((((((( Files Created from 2008-03-23 to 2008-04-23 )))))))))))))))))))))))))))))))
.

2008-04-21 15:53 . 2008-04-21 15:53 <DIR> d-------- C:\MISA
2008-04-21 07:53 . 2007-12-24 13:49 7,680 --a------ C:\WINDOWS\system32\ff_vfw.dll
2008-04-21 07:53 . 2007-07-10 17:10 547 --a------ C:\WINDOWS\system32\ff_vfw.dll.manifest
2008-04-16 13:30 . 2008-04-21 07:14 1,024 --ah----- C:\WINDOWS\system32\config\systemprofile\ntuser.dat.LOG
2008-04-16 10:15 . 2001-08-17 13:47 12,928 --a------ C:\WINDOWS\system32\drivers\Dot4Prt.sys
2008-04-16 10:15 . 2001-08-17 13:47 12,928 --a--c--- C:\WINDOWS\system32\dllcache\dot4prt.sys
2008-04-16 10:14 . 2004-08-03 22:58 207,360 --a------ C:\WINDOWS\system32\drivers\Dot4.sys
2008-04-16 10:14 . 2004-08-03 22:58 207,360 --a--c--- C:\WINDOWS\system32\dllcache\dot4.sys
2008-04-16 10:14 . 2001-08-17 13:47 23,808 --a------ C:\WINDOWS\system32\drivers\Dot4usb.sys
2008-04-16 10:14 . 2001-08-17 13:47 23,808 --a--c--- C:\WINDOWS\system32\dllcache\dot4usb.sys
2008-04-16 09:16 . 2008-04-16 09:16 <DIR> d-------- C:\WINDOWS\system32\EFFA9C20.DLL
2008-04-11 14:49 . 2008-04-11 14:49 4,226,353 --a------ C:\WINDOWS\REGBK01.ZIP
2008-04-01 13:10 . 2008-04-01 13:10 <DIR> d-------- C:\WINDOWS\PIF
2008-03-31 14:02 . 2008-03-31 14:02 <DIR> d-------- C:\Program Files\Stonisa

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-22 12:40 --------- d-----w C:\Program Files\FreeCap
2008-04-22 12:22 --------- d-----w C:\Documents and Settings\gogi\Application Data\SolidDocuments
2008-04-21 05:55 --------- d-----w C:\Program Files\ffdshow
2008-04-12 06:14 --------- d-----w C:\Program Files\Common Files\Real
2008-04-12 06:13 --------- d-----w C:\Program Files\Online TV Player 3
2008-04-01 04:58 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-03-31 12:17 --------- d-----w C:\Program Files\Common Files\InstallShield
2008-03-31 08:54 --------- d-----w C:\Program Files\Evidencija Gradjana
2008-03-29 13:56 180,999 ----a-w C:\Program Files\firebird.log
2008-03-26 12:06 --------- d-----w C:\Documents and Settings\All Users\Application Data\FLEXnet
2008-03-19 17:08 --------- d-----w C:\Program Files\Java
2008-03-11 17:04 4,224,123 ----a-w C:\WINDOWS\REGBK00.ZIP
2008-03-05 06:10 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-03-05 06:10 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-03-05 06:05 691,545 ----a-w C:\WINDOWS\unins000.exe
2008-02-29 06:09 --------- d-----w C:\Program Files\SolidDocuments
2008-02-29 06:08 --------- d-----w C:\Documents and Settings\All Users\Application Data\SolidDocuments
.

((((((((((((((((((((((((((((( snapshot@2008-04-16_13.37.01.46 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-04-16 11:33:40 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-04-23 05:03:35 2,048 --s-a-w C:\WINDOWS\bootstat.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2002-12-31 14:00 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PRONoMgr.exe"="C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe" [2003-03-11 17:24 86016]
"SoundMan"="SOUNDMAN.EXE" [2003-07-23 18:19 56832 C:\WINDOWS\SOUNDMAN.EXE]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 05:25 144784]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2002-12-31 14:00 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2007-10-10 20:51 39792 C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--------- 2004-10-13 12:21 1694208 C:\Program Files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2006-01-12 17:40 155648 C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
C:\Program Files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UnlockerAssistant]
--a------ 2006-03-03 04:39 6144 C:\Program Files\Unlocker\UnlockerAssistant.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\totalcmd\\TOTALCMD.EXE"=

S2 9BC11C18;9BC11C18;C:\WINDOWS\system32\2DED3ED8.EXE []

.
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-23 08:07:26
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-04-23 8:08:01
ComboFix-quarantined-files.txt 2008-04-23 06:07:57
ComboFix2.txt 2008-04-22 05:26:10
ComboFix3.txt 2008-04-22 05:22:59
ComboFix4.txt 2008-04-21 05:21:15
ComboFix5.txt 2008-04-21 05:19:20

Pre-Run: 106,018,549,760 bytes free
Post-Run: 106,009,821,184 bytes free


  • helen1  Male
  • Anti Malware Fighter
    Rank 2
  • Master teacher
  • Joined: 27 Aug 2005
  • Posts: 8519
  • Location: Novi Beograd

Open Notepad and copy the following text into it:


Driver::
9BC11C18


Save the file from Notepad to the Desktop as "CFScript"

Drag the saved script/text onto the ComboFix icon as shown in the picture.
Post the log that is produced at the end of the cleaning/scan in your next message.

  • Joined: 26 Jan 2006
  • Posts: 233

Here is the log:

ComboFix 08-04-20.2 - gogi 2008-04-25 7:06:47.7 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1251.1.1033.18.269 [GMT 2:00]
Running from: C:\Documents and Settings\gogi\Desktop\virusi\ComboFix.exe
Command switches used :: C:\Documents and Settings\gogi\Desktop\virusi\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((( Files Created from 2008-03-25 to 2008-04-25 )))))))))))))))))))))))))))))))
.

2008-04-21 15:53 . 2008-04-21 15:53 <DIR> d-------- C:\MISA
2008-04-21 07:53 . 2007-12-24 13:49 7,680 --a------ C:\WINDOWS\system32\ff_vfw.dll
2008-04-21 07:53 . 2007-07-10 17:10 547 --a------ C:\WINDOWS\system32\ff_vfw.dll.manifest
2008-04-16 13:30 . 2008-04-21 07:14 1,024 --ah----- C:\WINDOWS\system32\config\systemprofile\ntuser.dat.LOG
2008-04-16 10:15 . 2001-08-17 13:47 12,928 --a------ C:\WINDOWS\system32\drivers\Dot4Prt.sys
2008-04-16 10:15 . 2001-08-17 13:47 12,928 --a--c--- C:\WINDOWS\system32\dllcache\dot4prt.sys
2008-04-16 10:14 . 2004-08-03 22:58 207,360 --a------ C:\WINDOWS\system32\drivers\Dot4.sys
2008-04-16 10:14 . 2004-08-03 22:58 207,360 --a--c--- C:\WINDOWS\system32\dllcache\dot4.sys
2008-04-16 10:14 . 2001-08-17 13:47 23,808 --a------ C:\WINDOWS\system32\drivers\Dot4usb.sys
2008-04-16 10:14 . 2001-08-17 13:47 23,808 --a--c--- C:\WINDOWS\system32\dllcache\dot4usb.sys
2008-04-16 09:16 . 2008-04-16 09:16 <DIR> d-------- C:\WINDOWS\system32\EFFA9C20.DLL
2008-04-11 14:49 . 2008-04-11 14:49 4,226,353 --a------ C:\WINDOWS\REGBK01.ZIP
2008-04-01 13:10 . 2008-04-01 13:10 <DIR> d-------- C:\WINDOWS\PIF
2008-03-31 14:02 . 2008-03-31 14:02 <DIR> d-------- C:\Program Files\Stonisa

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-24 19:16 --------- d-----w C:\Documents and Settings\gogi\Application Data\SolidDocuments
2008-04-22 12:40 --------- d-----w C:\Program Files\FreeCap
2008-04-21 05:55 --------- d-----w C:\Program Files\ffdshow
2008-04-12 06:14 --------- d-----w C:\Program Files\Common Files\Real
2008-04-12 06:13 --------- d-----w C:\Program Files\Online TV Player 3
2008-04-01 04:58 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-03-31 12:17 --------- d-----w C:\Program Files\Common Files\InstallShield
2008-03-31 08:54 --------- d-----w C:\Program Files\Evidencija Gradjana
2008-03-29 13:56 180,999 ----a-w C:\Program Files\firebird.log
2008-03-26 12:06 --------- d-----w C:\Documents and Settings\All Users\Application Data\FLEXnet
2008-03-19 17:08 --------- d-----w C:\Program Files\Java
2008-03-11 17:04 4,224,123 ----a-w C:\WINDOWS\REGBK00.ZIP
2008-03-05 06:10 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-03-05 06:10 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-03-05 06:05 691,545 ----a-w C:\WINDOWS\unins000.exe
2008-02-29 06:09 --------- d-----w C:\Program Files\SolidDocuments
2008-02-29 06:08 --------- d-----w C:\Documents and Settings\All Users\Application Data\SolidDocuments
.

((((((((((((((((((((((((((((( snapshot@2008-04-16_13.37.01.46 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-04-16 11:33:40 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-04-25 05:01:19 2,048 --s-a-w C:\WINDOWS\bootstat.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2002-12-31 14:00 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PRONoMgr.exe"="C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe" [2003-03-11 17:24 86016]
"SoundMan"="SOUNDMAN.EXE" [2003-07-23 18:19 56832 C:\WINDOWS\SOUNDMAN.EXE]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 05:25 144784]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2002-12-31 14:00 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2007-10-10 20:51 39792 C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--------- 2004-10-13 12:21 1694208 C:\Program Files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2006-01-12 17:40 155648 C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
C:\Program Files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UnlockerAssistant]
--a------ 2006-03-03 04:39 6144 C:\Program Files\Unlocker\UnlockerAssistant.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\totalcmd\\TOTALCMD.EXE"=

S2 9BC11C18;9BC11C18;C:\WINDOWS\system32\2DED3ED8.EXE []

.
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-25 07:07:52
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-04-25 7:08:34
ComboFix-quarantined-files.txt 2008-04-25 05:08:30
ComboFix2.txt 2008-04-23 06:08:02
ComboFix3.txt 2008-04-22 05:26:10
ComboFix4.txt 2008-04-22 05:22:59
ComboFix5.txt 2008-04-21 05:21:15

Pre-Run: 105,971,830,784 bytes free
Post-Run: 105,963,855,872 bytes free


  • helen1  Male
  • Anti Malware Fighter
    Rank 2
  • Master teacher
  • Joined: 27 Aug 2005
  • Posts: 8519
  • Location: Novi Beograd

The last two scripts should have removed:
S2 9BC11C18;9BC11C18;C:\WINDOWS\system32\2DED3ED8.EXE []


But they didn't, and now I'm confused.

Try disabling TeaTimer, if you haven't already, and then run the last script I gave you again.

  • Joined: 26 Jan 2006
  • Posts: 233

I disabled TeaTimer and here is what the log looks like:

ComboFix 08-04-20.2 - gogi 2008-04-25 12:01:57.8 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1251.1.1033.18.233 [GMT 2:00]
Running from: C:\Documents and Settings\gogi\Desktop\virusi\ComboFix.exe
Command switches used :: C:\Documents and Settings\gogi\Desktop\virusi\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((( Files Created from 2008-03-25 to 2008-04-25 )))))))))))))))))))))))))))))))
.

2008-04-21 15:53 . 2008-04-21 15:53 <DIR> d-------- C:\MISA
2008-04-21 07:53 . 2007-12-24 13:49 7,680 --a------ C:\WINDOWS\system32\ff_vfw.dll
2008-04-21 07:53 . 2007-07-10 17:10 547 --a------ C:\WINDOWS\system32\ff_vfw.dll.manifest
2008-04-16 13:30 . 2008-04-21 07:14 1,024 --ah----- C:\WINDOWS\system32\config\systemprofile\ntuser.dat.LOG
2008-04-16 10:15 . 2001-08-17 13:47 12,928 --a------ C:\WINDOWS\system32\drivers\Dot4Prt.sys
2008-04-16 10:15 . 2001-08-17 13:47 12,928 --a--c--- C:\WINDOWS\system32\dllcache\dot4prt.sys
2008-04-16 10:14 . 2004-08-03 22:58 207,360 --a------ C:\WINDOWS\system32\drivers\Dot4.sys
2008-04-16 10:14 . 2004-08-03 22:58 207,360 --a--c--- C:\WINDOWS\system32\dllcache\dot4.sys
2008-04-16 10:14 . 2001-08-17 13:47 23,808 --a------ C:\WINDOWS\system32\drivers\Dot4usb.sys
2008-04-16 10:14 . 2001-08-17 13:47 23,808 --a--c--- C:\WINDOWS\system32\dllcache\dot4usb.sys
2008-04-16 09:16 . 2008-04-16 09:16 <DIR> d-------- C:\WINDOWS\system32\EFFA9C20.DLL
2008-04-11 14:49 . 2008-04-11 14:49 4,226,353 --a------ C:\WINDOWS\REGBK01.ZIP
2008-04-01 13:10 . 2008-04-01 13:10 <DIR> d-------- C:\WINDOWS\PIF
2008-03-31 14:02 . 2008-03-31 14:02 <DIR> d-------- C:\Program Files\Stonisa

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-25 09:50 --------- d-----w C:\Documents and Settings\gogi\Application Data\SolidDocuments
2008-04-25 05:11 --------- d-----w C:\Program Files\FreeCap
2008-04-21 05:55 --------- d-----w C:\Program Files\ffdshow
2008-04-12 06:14 --------- d-----w C:\Program Files\Common Files\Real
2008-04-12 06:13 --------- d-----w C:\Program Files\Online TV Player 3
2008-04-01 04:58 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-03-31 12:17 --------- d-----w C:\Program Files\Common Files\InstallShield
2008-03-31 08:54 --------- d-----w C:\Program Files\Evidencija Gradjana
2008-03-29 13:56 180,999 ----a-w C:\Program Files\firebird.log
2008-03-26 12:06 --------- d-----w C:\Documents and Settings\All Users\Application Data\FLEXnet
2008-03-19 17:08 --------- d-----w C:\Program Files\Java
2008-03-11 17:04 4,224,123 ----a-w C:\WINDOWS\REGBK00.ZIP
2008-03-05 06:10 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-03-05 06:10 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-03-05 06:05 691,545 ----a-w C:\WINDOWS\unins000.exe
2008-02-29 06:09 --------- d-----w C:\Program Files\SolidDocuments
2008-02-29 06:08 --------- d-----w C:\Documents and Settings\All Users\Application Data\SolidDocuments
.

((((((((((((((((((((((((((((( snapshot@2008-04-16_13.37.01.46 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-04-16 11:33:40 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-04-25 05:01:19 2,048 --s-a-w C:\WINDOWS\bootstat.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2002-12-31 14:00 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PRONoMgr.exe"="C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe" [2003-03-11 17:24 86016]
"SoundMan"="SOUNDMAN.EXE" [2003-07-23 18:19 56832 C:\WINDOWS\SOUNDMAN.EXE]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 05:25 144784]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2002-12-31 14:00 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2007-10-10 20:51 39792 C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--------- 2004-10-13 12:21 1694208 C:\Program Files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2006-01-12 17:40 155648 C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
C:\Program Files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UnlockerAssistant]
--a------ 2006-03-03 04:39 6144 C:\Program Files\Unlocker\UnlockerAssistant.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\totalcmd\\TOTALCMD.EXE"=

S2 9BC11C18;9BC11C18;C:\WINDOWS\system32\2DED3ED8.EXE []

.
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-25 12:02:50
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-04-25 12:03:22
ComboFix-quarantined-files.txt 2008-04-25 10:03:16
ComboFix2.txt 2008-04-25 05:08:35
ComboFix3.txt 2008-04-23 06:08:02
ComboFix4.txt 2008-04-22 05:26:10
ComboFix5.txt 2008-04-22 05:22:59

Pre-Run: 105,941,393,408 bytes free
Post-Run: 105,932,812,288 bytes free


  • helen1  Male
  • Anti Malware Fighter
    Rank 2
  • Master teacher
  • Joined: 27 Aug 2005
  • Posts: 8519
  • Location: Novi Beograd

Download RegASSASSIN.

Double-click to run the program and paste the following into the text input field:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\9BC11C18

Click the Delete button.

  • Joined: 26 Jan 2006
  • Posts: 233

I did the deletion.

  • helen1  Male
  • Anti Malware Fighter
    Rank 2
  • Master teacher
  • Joined: 27 Aug 2005
  • Posts: 8519
  • Location: Novi Beograd

Scan with CF and post me the log.
