provera ostatka malware

1

provera ostatka malware

offline
  • Pridružio: 22 Apr 2003
  • Poruke: 94
  • Gde živiš: Kragujevac

Evo mene iz normal moda da proverimo da li ima ostataka neke gamadi po preporuci Stewdze.
Deinstalirao sam NOD koji mi je zakucavao komp i Tuneup koji je imao neki bag.
1 .Sad nemam ni jedan antivirus ( koji da stavim, a da bude free, nemam trenutno para za to planinarenje )
2. Koji program cisti sve sto mi je ostalo od silnih install i uninstall ?
3. Moracu da stavim i neki firewall preko koga cu videti sta mi trazi iz kompa izlaz na net.

Kako da krenemo u proveru ?

offline
  • Pridružio: 26 Avg 2010
  • Poruke: 10616
  • Gde živiš: Hypnos Control Room, Tokyo Metropolitan Government Building

Ovako:
http://www.mycity.rs/Ambulanta/Kako-otvoriti-temu-u-Ambulanti.html

offline
  • Pridružio: 22 Apr 2003
  • Poruke: 94
  • Gde živiš: Kragujevac

Imao sam neki Rootkit.Win32.Agent.cwiy ( po Kasperskom virus removal toll smesten u C:/windows/system32/drivers/4233dcaf9c94b2f3.sys) po Hitmen pro ( trojan.Generic.KDV.535853 -Engine A ili Trojan.NtRootKit.13118) sto ce reci po meni laiku sve jedan isti koji mi nije dozvoljavao da instaliram nikakav antivirus, a sve ostalo je radilo normalno i svako skeniranje sa Malwarebytes i Spybot ga nije videlo, tek ga je Hitman uklonio. Instalirao sam privremeno i Sophos virus removal toll koji je nasao Malware cleaman -B i obrisao ( ako sam dobro zapisao ) i upozorio me na wuauclt.exe u system32 kao mogucu pretnju. Sve sam uninstall, sada imam samo Malwarebytes i Spybot.

Gmer1 ne mogu da zakacim, kaze da je vece od 5mb, a ja koliko vidim prazan log u notepad.



DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_33
Run by Korisnik at 13:28:33 on 2012-06-24
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1535.873 [GMT 2:00]
.
.
============== Running Processes ===============
.
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Analog Devices\SoundMAX\Smax4.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\WINDOWS\vsnpstd3.exe
C:\WINDOWS\tsnpstd3.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com/
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Java(tm) Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File
uRun: [CTFMON.EXE] c:\windows\system32\ctfmon.exe
mRun: [SoundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe
mRun: [SoundMAX] "c:\program files\analog devices\soundmax\Smax4.exe" /tray
mRun: [StartCCC] "c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe" MSRun
mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray
mRun: [snpstd3] c:\windows\vsnpstd3.exe
mRun: [tsnpstd3] c:\windows\tsnpstd3.exe
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_33-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0033-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_33-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_33-windows-i586.cab
TCP: DhcpNameServer = 192.168.1.1
TCP: Interfaces\{2888ECD6-B3A2-4DBC-9035-8ABFB604D513} : DhcpNameServer = 192.168.1.1
TCP: Interfaces\{6B8B9ADA-F9C7-41A0-A6C5-A71D043780AF} : DhcpNameServer = 192.168.1.1
TCP: Interfaces\{717FADF5-250B-449A-871D-C3FDA8F0E47F} : NameServer = 192.168.10.254
TCP: Interfaces\{E60213EF-8312-48CA-A00A-61B4576B5F22} : DhcpNameServer = 192.168.1.1 192.168.10.254
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: AtiExtEvent - Ati2evxx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\korisnik\application data\mozilla\firefox\profiles\6k35gotf.default\
FF - prefs.js: browser.search.selectedEngine - WOT Safe Search
FF - prefs.js: browser.startup.homepage - google.com
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\java\jre6\bin\plugin2\npdeployJava1.dll
FF - plugin: c:\program files\java\jre6\bin\plugin2\npjp2.dll
FF - plugin: c:\windows\system32\macromed\flash\NPSWF32_11_3_300_262.dll
FF - plugin: c:\windows\system32\npdeployJava1.dll
FF - plugin: c:\windows\system32\npptools.dll
.
---- FIREFOX POLICIES ----
FF - user.js: extensions.BabylonToolbar_i.babTrack - affID=110819&tt=050412_30b
FF - user.js: extensions.BabylonToolbar_i.babExt -
FF - user.js: extensions.BabylonToolbar_i.srcExt - ss
FF - user.js: extensions.BabylonToolbar_i.id - 2c6b69e9000000000000b0487a83b857
FF - user.js: extensions.BabylonToolbar_i.hardId - 2c6b69e9000000000000b0487a83b857
FF - user.js: extensions.BabylonToolbar_i.instlDay - 15444
FF - user.js: extensions.BabylonToolbar_i.vrsn - 1.5.3.17
FF - user.js: extensions.BabylonToolbar_i.vrsni - 1.5.3.17
FF - user.js: extensions.BabylonToolbar_i.vrsnTs - 1.5.3.1718:24:33
FF - user.js: extensions.BabylonToolbar_i.prtnrId - babylon
FF - user.js: extensions.BabylonToolbar_i.prdct - BabylonToolbar
FF - user.js: extensions.BabylonToolbar_i.aflt - babsst
FF - user.js: extensions.BabylonToolbar_i.smplGrp - none
FF - user.js: extensions.BabylonToolbar_i.tlbrId - tb9
FF - user.js: extensions.BabylonToolbar_i.instlRef - sst
.
============= SERVICES / DRIVERS ===============
.
R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2012-2-7 654408]
R3 ip100xp;TP-LINK 10/100Mbps PCI Network Adapter NT Driver;c:\windows\system32\drivers\ipfnd51.sys [2012-2-6 26752]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2012-2-7 22344]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 SkypeUpdate;Skype Updater;c:\program files\skype\updater\Updater.exe [2012-2-29 158856]
S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\macromed\flash\FlashPlayerUpdateService.exe [2012-4-17 250056]
S3 dgderdrv;dgderdrv;c:\windows\system32\drivers\dgderdrv.sys [2012-4-1 20032]
S3 hitmanpro36;Hitman Pro 3.5 Support Driver;c:\windows\system32\drivers\hitmanpro36.sys [2012-6-23 27424]
S3 MozillaMaintenance;Mozilla Maintenance Service;c:\program files\mozilla maintenance service\maintenanceservice.exe [2012-4-27 113120]
S3 ss_bbus;SAMSUNG USB Mobile Device (WDM);c:\windows\system32\drivers\ss_bbus.sys [2012-4-1 98432]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
.
=============== Created Last 30 ================
.
2012-06-24 10:55:50 476936 ----a-w- c:\windows\system32\npdeployJava1.dll
2012-06-23 17:10:56 29504 ----a-w- c:\windows\system32\uxt4.tmp
2012-06-23 15:52:08 -------- d-----w- c:\documents and settings\korisnik\local settings\application data\ESET
2012-06-23 13:16:14 629760 -c----w- c:\windows\system32\dllcache\msfeeds.dll
2012-06-23 13:16:14 55296 -c----w- c:\windows\system32\dllcache\msfeedsbs.dll
2012-06-23 13:16:14 247808 -c----w- c:\windows\system32\dllcache\ieproxy.dll
2012-06-23 13:16:14 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll
2012-06-23 13:16:13 743424 -c----w- c:\windows\system32\dllcache\iedvtool.dll
2012-06-23 13:16:13 521728 -c----w- c:\windows\system32\dllcache\jsdbgui.dll
2012-06-23 13:16:13 2000384 -c----w- c:\windows\system32\dllcache\iertutil.dll
2012-06-23 13:12:10 3072 -c----w- c:\windows\system32\dllcache\iacenc.dll
2012-06-23 13:12:10 3072 ------w- c:\windows\system32\iacenc.dll
2012-06-23 13:04:07 27424 ----a-w- c:\windows\system32\drivers\hitmanpro36.sys
2012-06-23 13:03:37 -------- d-----w- c:\program files\HitmanPro
2012-06-23 13:03:26 -------- d-----w- c:\documents and settings\all users\application data\HitmanPro
2012-06-23 12:15:14 -------- d-----w- c:\documents and settings\all users\application data\Sophos
2012-06-08 15:22:15 770384 ----a-w- c:\program files\mozilla firefox\msvcr100.dll
2012-06-08 15:22:15 421200 ----a-w- c:\program files\mozilla firefox\msvcp100.dll
.
==================== Find3M ====================
.
2012-06-24 10:55:44 73728 ----a-w- c:\windows\system32\javacpl.cpl
2012-06-24 10:55:44 472840 ----a-w- c:\windows\system32\deployJava1.dll
2012-06-23 15:12:17 70344 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-06-23 15:12:17 426184 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-06-02 13:19:44 22040 ----a-w- c:\windows\system32\wucltui.dll.mui
2012-06-02 13:19:38 219160 ----a-w- c:\windows\system32\wuaucpl.cpl
2012-06-02 13:19:38 15384 ----a-w- c:\windows\system32\wuaucpl.cpl.mui
2012-06-02 13:19:34 15384 ----a-w- c:\windows\system32\wuapi.dll.mui
2012-06-02 13:19:30 17944 ----a-w- c:\windows\system32\wuaueng.dll.mui
2012-05-31 13:22:09 599040 ----a-w- c:\windows\system32\crypt32.dll
2012-05-16 15:08:26 916992 ----a-w- c:\windows\system32\wininet.dll
2012-05-15 16:33:15 36000 ----a-w- c:\windows\system32\drivers\avkmgr.sys
2012-05-15 13:20:33 1863168 ----a-w- c:\windows\system32\win32k.sys
2012-05-11 14:42:33 43520 ----a-w- c:\windows\system32\licmgr10.dll
2012-05-11 14:42:33 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2012-05-11 11:38:02 385024 ----a-w- c:\windows\system32\html.iec
2012-05-04 13:16:13 2148352 ----a-w- c:\windows\system32\ntoskrnl.exe
2012-05-04 12:32:19 2026496 ----a-w- c:\windows\system32\ntkrnlpa.exe
2012-05-02 13:46:36 139656 ----a-w- c:\windows\system32\drivers\rdpwd.sys
2012-04-09 17:25:23 54016 ----a-w- c:\windows\system32\drivers\bits.sys
2012-04-04 13:56:40 22344 ----a-w- c:\windows\system32\drivers\mbam.sys
.
============= FINISH: 13:28:43,45 ===============

mycity.rs/must-login.png

mycity.rs/must-login.png

mycity.rs/must-login.png

offline
  • Pridružio: 26 Avg 2010
  • Poruke: 10616
  • Gde živiš: Hypnos Control Room, Tokyo Metropolitan Government Building

Zapakuj GMER 1 izvještaj u ZIP, RAR ili 7Z arhivu i pokušaj opet da ga upload-uješ.

offline
  • Pridružio: 22 Apr 2003
  • Poruke: 94
  • Gde živiš: Kragujevac

Evo ga
mycity.rs/must-login.png

offline
  • Pridružio: 26 Avg 2010
  • Poruke: 10616
  • Gde živiš: Hypnos Control Room, Tokyo Metropolitan Government Building

sasakg ::Evo ga
https://www.mycity.rs/must-login.png

Fajl je prazan.
U uputstvu za otvaranje teme imaš postupak za RootRepeal, pa postavi njegov izvještaj.

offline
  • Pridružio: 22 Apr 2003
  • Poruke: 94
  • Gde živiš: Kragujevac

Uradjeno.

mycity.rs/must-login.png

offline
  • Pridružio: 26 Avg 2010
  • Poruke: 10616
  • Gde živiš: Hypnos Control Room, Tokyo Metropolitan Government Building

U toku riješavanja slučaja, zamolio bih te da se pridržavaš sljedećeg:
Detaljno čitati moja uputstva ( ili uputstva kolega koji će me zamjenjivati) i raditi isključivo po njima;
Ne tražiti istovremeno pomoć na drugom mjestu;
Nemoj koristiti druge programe za uklanjanje malware-a, osim onih za koje budeš dobio uputstvo;
U toku intervencije ne koristiti USB memorijske uređaje, dok to ne budem zatražio;
Ukoliko ne odgovorim u roku od 48h, osvježi temu novim post-om;
Ukoliko se ne javiš u roku od 5 dana, zatvorićemo slučaj.

Za više informacija o pravilima Ambulante MyCity foruma: LINK


Arrow

Preuzmi sUBs-ov ComboFix sa sljedeće adrese na Desktop:


Bleeping Computer
Klikni desnim tasterom na link i odaberi opciju Save Target As... (Save Link As..., Save Linked Content As... ili sličnu);
Kada se otvori dijalog za izbor lokacije na kojoj treba sačuvati fajl, odaberi Desktop i klikni Save.




Kada preuzimanje programa bude završeno:
deaktiviraj zaštitni softver (uputstvo);
zatvori pokrenute programe;
dvoklikom pokreni program ComboFix;
u prozoru koji se otvori klikni "I Agree".

U toku rada, ComboFix će:provjeriti postoji li novija verzija programa:
klikni Yes ako bude ponuđeno preuzimanje iste.
ako Recovery Console nije instalirana, ponuditi instalaciju:
obavezno prihvati klikom na Yes i isprati postupak.
postaviti/dati određeni broj upita/obaveštenja:
prihvati klikom na Yes ili OK.
po potrebi, restartovati Windows (više puta);
na kraju rada, otvoriti Notepad sa izveštajem o skeniranju.


Iskopiraj izvještaj koji je ComboFix napravio u temu na forumu:
klikni desnim tasterom miša u prozor Notepad-a i izaberi Select All;
klikni desnim tasterom miša na obilježeni tekst i izaberi Copy;
klikni desnim tasterom miša u polje za pisanje poruke i izaberi Paste.


Napomena:Izvještaj će biti sačuvan pod nazivom ComboFix.txt na sistemskoj particiji (tipična lokacija: C:\ComboFix.txt);
Ukoliko nakon slanja poruke primjetiš da izvještaj nije kompletan, iskoristi opciju Prikači fajl za prilaganje fajla C:\ComboFix.txt uz poruku.

offline
  • Pridružio: 22 Apr 2003
  • Poruke: 94
  • Gde živiš: Kragujevac

Negde na pocetku je napisao da ima rootkit.zero, cini mi se.....

ComboFix 12-06-23.06 - Korisnik 24.06.2012 15:29:51.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1535.1187 [GMT 2:00]
Running from: c:\documents and settings\Korisnik\Desktop\ComboFix.exe
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\All Users\Application Data\TEMP
c:\documents and settings\All Users\Application Data\TEMP\{A8516AC9-AAF1-47F9-9766-03E2D4CDBCF8}\PostBuild.exe
c:\windows\$NtUninstallKB17798$
c:\windows\$NtUninstallKB17798$\54133483
c:\windows\system32\muzapp.exe
.
.
((((((((((((((((((((((((( Files Created from 2012-05-24 to 2012-06-24 )))))))))))))))))))))))))))))))
.
.
2012-06-24 12:58 . 2012-06-24 12:58 -------- d-----w- c:\documents and settings\Korisnik\Local Settings\Application Data\Temp
2012-06-24 10:55 . 2012-06-24 10:55 476936 ----a-w- c:\windows\system32\npdeployJava1.dll
2012-06-24 10:55 . 2012-06-24 10:55 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
2012-06-23 15:52 . 2012-06-23 15:52 -------- d-----w- c:\documents and settings\Korisnik\Local Settings\Application Data\ESET
2012-06-23 13:16 . 2012-05-11 14:42 629760 -c----w- c:\windows\system32\dllcache\msfeeds.dll
2012-06-23 13:16 . 2012-05-11 14:42 55296 -c----w- c:\windows\system32\dllcache\msfeedsbs.dll
2012-06-23 13:16 . 2012-05-11 14:42 247808 -c----w- c:\windows\system32\dllcache\ieproxy.dll
2012-06-23 13:16 . 2012-05-11 14:42 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll
2012-06-23 13:16 . 2012-05-11 14:42 521728 -c----w- c:\windows\system32\dllcache\jsdbgui.dll
2012-06-23 13:16 . 2012-05-11 14:42 2000384 -c----w- c:\windows\system32\dllcache\iertutil.dll
2012-06-23 13:16 . 2012-05-11 14:42 743424 -c----w- c:\windows\system32\dllcache\iedvtool.dll
2012-06-23 13:12 . 2012-01-11 19:06 3072 -c----w- c:\windows\system32\dllcache\iacenc.dll
2012-06-23 13:12 . 2012-01-11 19:06 3072 ------w- c:\windows\system32\iacenc.dll
2012-06-23 13:04 . 2012-06-23 13:11 27424 ----a-w- c:\windows\system32\drivers\hitmanpro36.sys
2012-06-23 13:03 . 2012-06-23 13:03 -------- d-----w- c:\program files\HitmanPro
2012-06-23 13:03 . 2012-06-23 13:07 -------- d-----w- c:\documents and settings\All Users\Application Data\HitmanPro
2012-06-23 12:15 . 2012-06-23 12:15 -------- d-----w- c:\documents and settings\All Users\Application Data\Sophos
2012-06-08 15:22 . 2012-06-08 15:22 770384 ----a-w- c:\program files\Mozilla Firefox\msvcr100.dll
2012-06-08 15:22 . 2012-06-08 15:22 421200 ----a-w- c:\program files\Mozilla Firefox\msvcp100.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-06-24 10:55 . 2012-02-28 18:55 73728 ----a-w- c:\windows\system32\javacpl.cpl
2012-06-24 10:55 . 2012-02-07 19:36 472840 ----a-w- c:\windows\system32\deployJava1.dll
2012-06-23 15:12 . 2012-04-17 16:51 426184 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-06-23 15:12 . 2012-02-06 11:27 70344 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-06-02 13:19 . 2009-08-06 18:24 22040 ----a-w- c:\windows\system32\wucltui.dll.mui
2012-06-02 13:19 . 2009-08-06 18:24 15384 ----a-w- c:\windows\system32\wuaucpl.cpl.mui
2012-06-02 13:19 . 2007-10-29 09:43 329240 ----a-w- c:\windows\system32\wucltui.dll
2012-06-02 13:19 . 2007-10-29 09:43 210968 ----a-w- c:\windows\system32\wuweb.dll
2012-06-02 13:19 . 2007-10-29 09:43 219160 ----a-w- c:\windows\system32\wuaucpl.cpl
2012-06-02 13:19 . 2009-08-06 18:24 45080 ----a-w- c:\windows\system32\wups2.dll
2012-06-02 13:19 . 2009-08-06 18:24 15384 ----a-w- c:\windows\system32\wuapi.dll.mui
2012-06-02 13:19 . 2007-10-29 09:43 53784 ----a-w- c:\windows\system32\wuauclt.exe
2012-06-02 13:19 . 2007-10-29 09:43 35864 ----a-w- c:\windows\system32\wups.dll
2012-06-02 13:19 . 2004-08-04 01:07 97304 ----a-w- c:\windows\system32\cdm.dll
2012-06-02 13:19 . 2009-08-06 18:24 17944 ----a-w- c:\windows\system32\wuaueng.dll.mui
2012-06-02 13:19 . 2007-10-29 09:43 577048 ----a-w- c:\windows\system32\wuapi.dll
2012-06-02 13:19 . 2007-10-29 09:43 1933848 ----a-w- c:\windows\system32\wuaueng.dll
2012-05-31 13:22 . 2004-08-04 01:07 599040 ----a-w- c:\windows\system32\crypt32.dll
2012-05-16 15:08 . 2004-08-04 01:07 916992 ----a-w- c:\windows\system32\wininet.dll
2012-05-15 16:33 . 2012-05-15 16:33 36000 ----a-w- c:\windows\system32\drivers\avkmgr.sys
2012-05-15 16:33 . 2012-05-15 16:33 137928 ----a-w- c:\windows\system32\drivers\avipbb.sys
2012-05-15 13:20 . 2004-08-04 01:07 1863168 ----a-w- c:\windows\system32\win32k.sys
2012-05-11 14:42 . 2004-08-04 01:07 43520 ----a-w- c:\windows\system32\licmgr10.dll
2012-05-11 14:42 . 2004-08-04 01:07 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2012-05-11 11:38 . 2004-08-04 01:07 385024 ----a-w- c:\windows\system32\html.iec
2012-05-04 13:16 . 2004-08-04 01:07 2148352 ----a-w- c:\windows\system32\ntoskrnl.exe
2012-05-04 12:32 . 2004-08-03 22:59 2026496 ----a-w- c:\windows\system32\ntkrnlpa.exe
2012-05-02 13:46 . 2007-10-29 09:41 139656 ----a-w- c:\windows\system32\drivers\rdpwd.sys
2012-04-09 17:25 . 2012-04-09 17:25 54016 ----a-w- c:\windows\system32\drivers\bits.sys
2012-04-04 13:56 . 2012-02-07 19:56 22344 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-06-16 11:35 . 2012-05-13 10:09 85472 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2005-05-18 925696]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2010-02-10 61440]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2012-04-04 462408]
"snpstd3"="c:\windows\vsnpstd3.exe" [2007-05-10 835584]
"tsnpstd3"="c:\windows\tsnpstd3.exe" [2009-06-30 339968]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2012-01-18 254696]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-04-04 843712]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0????????? ????????
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\hitmanpro36]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\hitmanpro36.sys]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\HitmanPro36Crusader]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\HitmanPro36CrusaderBoot]
@=""
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader]
2007-03-09 10:09 63712 ----a-w- c:\program files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KiesPDLR]
2012-04-01 11:46 21416 ----a-w- c:\program files\Samsung\Kies\External\FirmwareUpdate\KiesPDLR.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NBKeyScan]
2007-08-08 07:25 1828136 ----a-w- c:\program files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2007-03-01 13:57 153136 ----a-w- c:\program files\Common Files\Nero\Lib\NeroCheck.exe
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"KiesHelper"=c:\program files\Samsung\Kies\KiesHelper.exe /s
"KiesPDLR"=c:\program files\Samsung\Kies\External\FirmwareUpdate\KiesPDLR.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"High Definition Audio Property Page Shortcut"=HDAShCut.exe
"KiesTrayAgent"=c:\program files\Samsung\Kies\KiesTrayAgent.exe
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\javaw.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
.
R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [7.2.2012 21:56 654408]
R3 ip100xp;TP-LINK 10/100Mbps PCI Network Adapter NT Driver;c:\windows\system32\drivers\ipfnd51.sys [6.2.2012 15:03 26752]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [7.2.2012 21:56 22344]
S2 SkypeUpdate;Skype Updater;c:\program files\Skype\Updater\Updater.exe [29.2.2012 09:16 158856]
S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [17.4.2012 18:51 250056]
S3 dgderdrv;dgderdrv;c:\windows\system32\drivers\dgderdrv.sys [1.4.2012 13:42 20032]
S3 hitmanpro36;Hitman Pro 3.5 Support Driver;c:\windows\system32\drivers\hitmanpro36.sys [23.6.2012 15:04 27424]
S3 MozillaMaintenance;Mozilla Maintenance Service;c:\program files\Mozilla Maintenance Service\maintenanceservice.exe [27.4.2012 22:58 113120]
S3 ss_bbus;SAMSUNG USB Mobile Device (WDM);c:\windows\system32\drivers\ss_bbus.sys [1.4.2012 14:01 98432]
.
Contents of the 'Scheduled Tasks' folder
.
2012-06-24 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-17 15:12]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
TCP: DhcpNameServer = 192.168.1.1
TCP: Interfaces\{717FADF5-250B-449A-871D-C3FDA8F0E47F}: NameServer = 192.168.10.254
FF - ProfilePath - c:\documents and settings\Korisnik\Application Data\Mozilla\Firefox\Profiles\6k35gotf.default\
FF - prefs.js: browser.search.selectedEngine - WOT Safe Search
FF - prefs.js: browser.startup.homepage - google.com
FF - user.js: extensions.BabylonToolbar_i.babTrack - affID=110819&tt=050412_30b
FF - user.js: extensions.BabylonToolbar_i.babExt -
FF - user.js: extensions.BabylonToolbar_i.srcExt - ss
FF - user.js: extensions.BabylonToolbar_i.id - 2c6b69e9000000000000b0487a83b857
FF - user.js: extensions.BabylonToolbar_i.hardId - 2c6b69e9000000000000b0487a83b857
FF - user.js: extensions.BabylonToolbar_i.instlDay - 15444
FF - user.js: extensions.BabylonToolbar_i.vrsn - 1.5.3.17
FF - user.js: extensions.BabylonToolbar_i.vrsni - 1.5.3.17
FF - user.js: extensions.BabylonToolbar_i.vrsnTs - 1.5.3.1718:24
FF - user.js: extensions.BabylonToolbar_i.prtnrId - babylon
FF - user.js: extensions.BabylonToolbar_i.prdct - BabylonToolbar
FF - user.js: extensions.BabylonToolbar_i.aflt - babsst
FF - user.js: extensions.BabylonToolbar_i.smplGrp - none
FF - user.js: extensions.BabylonToolbar_i.tlbrId - tb9
FF - user.js: extensions.BabylonToolbar_i.instlRef - sst
.
- - - - ORPHANS REMOVED - - - -
.
WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
ShellIconOverlayIdentifiers-{472083B0-C522-11CF-8763-00608CC02F24} - (no file)
MSConfigStartUp-Adobe Reader Speed Launcher - c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe
MSConfigStartUp-BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA} - c:\program files\Common Files\Ahead\lib\NMBgMonitor.exe
MSConfigStartUp-egui - c:\program files\ESET\ESET NOD32 Antivirus\egui.exe
MSConfigStartUp-LanguageShortcut - c:\program files\CyberLink\PowerDVD\Language\Language.exe
MSConfigStartUp-RemoteControl - c:\program files\CyberLink\PowerDVD\PDVDServ.exe
AddRemove-01_Simmental - c:\program files\Samsung\USB Drivers\01_Simmental\Uninstall.exe
AddRemove-02_Siberian - c:\program files\Samsung\USB Drivers\02_Siberian\Uninstall.exe
AddRemove-03_Swallowtail - c:\program files\Samsung\USB Drivers\03_Swallowtail\Uninstall.exe
AddRemove-04_semseyite - c:\program files\Samsung\USB Drivers\04_semseyite\Uninstall.exe
AddRemove-05_Sloan - c:\program files\Samsung\USB Drivers\05_Sloan\Uninstall.exe
AddRemove-06_Spencer - c:\program files\Samsung\USB Drivers\06_Spencer\Uninstall.exe
AddRemove-07_Schorl - c:\program files\Samsung\USB Drivers\07_Schorl\Uninstall.exe
AddRemove-08_EMPChipset - c:\program files\Samsung\USB Drivers\08_EMPChipset\Uninstall.exe
AddRemove-09_Hsp - c:\program files\Samsung\USB Drivers\09_Hsp\Uninstall.exe
AddRemove-11_HSP_Plus_Default - c:\program files\Samsung\USB Drivers\11_HSP_Plus_Default\Uninstall.exe
AddRemove-16_Shrewsbury - c:\program files\Samsung\USB Drivers\16_Shrewsbury\Uninstall.exe
AddRemove-17_EMP_Chipset2 - c:\program files\Samsung\USB Drivers\17_EMP_Chipset2\Uninstall.exe
AddRemove-18_Zinia_Serial_Driver - c:\program files\Samsung\USB Drivers\18_Zinia_Serial_Driver\Uninstall.exe
AddRemove-19_VIA_driver - c:\program files\Samsung\USB Drivers\19_VIA_driver\Uninstall.exe
AddRemove-20_NXP_Driver - c:\program files\Samsung\USB Drivers\20_NXP_Driver\Uninstall.exe
AddRemove-21_Searsburg - c:\program files\Samsung\USB Drivers\21_Searsburg\Uninstall.exe
AddRemove-22_WiBro_WiMAX - c:\program files\Samsung\USB Drivers\22_WiBro_WiMAX\Uninstall.exe
AddRemove-24_flashusbdriver - c:\program files\Samsung\USB Drivers\24_flashusbdriver\Uninstall.exe
AddRemove-25_escape - c:\program files\Samsung\USB Drivers\25_escape\Uninstall.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, gmer.net
Rootkit scan 2012-06-24 15:34
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(728)
c:\windows\system32\Ati2evxx.dll
.
- - - - - - - > 'explorer.exe'(2008)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\msi.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\windows\system32\Ati2evxx.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\Nero\Nero8\Nero BackItUp\NBService.exe
c:\program files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
c:\program files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2012-06-24 15:37:25 - machine was rebooted
ComboFix-quarantined-files.txt 2012-06-24 13:37
.
Pre-Run: 3.671.891.968 bytes free
Post-Run: 3.741.593.600 bytes free
.
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect /usepmtimer
.
- - End Of File - - 78209412DE9B813EBE091E8EAC938D23

offline
  • Pridružio: 26 Avg 2010
  • Poruke: 10616
  • Gde živiš: Hypnos Control Room, Tokyo Metropolitan Government Building

Arrow Korak 1

Otvoriti Notepad i iskopirati sljedeći tekst:

Registry::
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager]
"BootExecute"=hex(7):61,75,74,6f,63,68,65,63,6b,20,61,75,74,6f,63,68,6b,20,2a,\
  00,00

Firefox::
FF - ProfilePath - c:\documents and settings\Korisnik\Application Data\Mozilla\Firefox\Profiles\6k35gotf.default\
FF - user.js: extensions.BabylonToolbar_i.babTrack - affID=110819&tt=050412_30b
FF - user.js: extensions.BabylonToolbar_i.babExt -
FF - user.js: extensions.BabylonToolbar_i.srcExt - ss
FF - user.js: extensions.BabylonToolbar_i.id - 2c6b69e9000000000000b0487a83b857
FF - user.js: extensions.BabylonToolbar_i.hardId - 2c6b69e9000000000000b0487a83b857
FF - user.js: extensions.BabylonToolbar_i.instlDay - 15444
FF - user.js: extensions.BabylonToolbar_i.vrsn - 1.5.3.17
FF - user.js: extensions.BabylonToolbar_i.vrsni - 1.5.3.17
FF - user.js: extensions.BabylonToolbar_i.vrsnTs - 1.5.3.1718:24
FF - user.js: extensions.BabylonToolbar_i.prtnrId - babylon
FF - user.js: extensions.BabylonToolbar_i.prdct - BabylonToolbar
FF - user.js: extensions.BabylonToolbar_i.aflt - babsst
FF - user.js: extensions.BabylonToolbar_i.smplGrp - none
FF - user.js: extensions.BabylonToolbar_i.tlbrId - tb9
FF - user.js: extensions.BabylonToolbar_i.instlRef - sst


Snimiti na Desktop fajl iz Notepada kao "CFScript"




Prevuci snimljeni skript/tekst na ComboFix ikonicu kao na slici.
Postaviti u sljedećoj poruci log koji bude bio napravljen na kraju čišćenja/skeniranja.



Arrow Korak 2

Spakuj u ZIP, RAR ili 7Z arhivu sljedeći folder:

C:\Qoobox\Quarantine

i pošalji ga preko sljedećeg linka:

http://www.mycity.rs/ambulanta-upload.php

Ko je trenutno na forumu
 

Ukupno su 615 korisnika na forumu :: 26 registrovanih, 7 sakrivenih i 582 gosta   ::   [ Administrator ] [ Supermoderator ] [ Moderator ] :: Detaljnije

Najviše korisnika na forumu ikad bilo je 3466 - dana 01 Jun 2021 17:07

Korisnici koji su trenutno na forumu:
Korisnici trenutno na forumu: A.R.Chafee.Jr., aleksmajstor, amaterSRB, amonsrb, BlackPhantom, BSD, cvrle312, dac, Dovla, goxin, GveX, Lazarus, MarKhan, Marko Marković, Mercury, Milan.1976, ozzy, Skywhaler, suton, Trpe Grozni, vdeki, virked, vlvl, vukm, Đuro Maximus, 223223