registry virus

offline
  • Joined: 13 Nov 2011
  • Posts: 20

Posted: 15 Nov 2011 20:19

I have a question. Every time ComboFix runs a scan, it unchecks the box for using a proxy server for the LAN, and I need it for the internet, so I turn it back on every time. I attached a picture below.
ComboFix 11-11-15.01 - Shera 11/15/2011 20:01:25.3.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3071.2476 [GMT 1:00]
Running from: c:\documents and settings\Shera\My Documents\Downloads\ComboFix.exe
Command switches used :: c:\documents and settings\Shera\Desktop\CFScript.txt
.
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
FILE ::
"d:\rrhp.exe"
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
C:\autorun.inf
C:\avii.exe
D:\Autorun.inf
D:\dfde.pif
d:\rrhp.exe
.
.
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Legacy_AMSINT32
-------\Service_amsint32
.
.
((((((((((((((((((((((((( Files Created from 2011-10-15 to 2011-11-15 )))))))))))))))))))))))))))))))
.
.
2011-11-04 18:25 . 2011-11-04 18:27 -------- d-----w- C:\ArmCAD 2005 Server
2011-11-03 18:19 . 2011-11-03 18:19 -------- d-----r- C:\MSOCache
2011-10-25 17:26 . 2011-10-25 17:26 -------- d-----w- C:\games
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-07 06:59 . 2011-10-19 01:35 67696 ----a-w- c:\program files\mozilla firefox\components\jar50.dll
2008-04-07 06:59 . 2011-10-19 01:35 54376 ----a-w- c:\program files\mozilla firefox\components\jsd3250.dll
2008-04-07 06:59 . 2011-10-19 01:35 34952 ----a-w- c:\program files\mozilla firefox\components\myspell.dll
2008-04-07 06:59 . 2011-10-19 01:35 46720 ----a-w- c:\program files\mozilla firefox\components\spellchk.dll
2008-04-07 06:59 . 2011-10-19 01:35 172144 ----a-w- c:\program files\mozilla firefox\components\xpinstal.dll
.
.
------- Sigcheck -------
Note: Unsigned files aren't necessarily malware.
.
[-] 2008-04-28 . 68F06FE0021B01E670AF37B8C5964FDF . 361344 . . [5.1.2600.5512] . . c:\windows\system32\drivers\tcpip.sys
.
[-] 2008-04-14 . 86D30211831DD918C9B71C4FF4B049E8 . 228352 . . [5.1.2600.5512] . . c:\windows\regedit.exe
.
.
.
((((((((((((((((((((((((((((( SnapShot@2011-11-14_14.08.55 )))))))))))))))))))))))))))))))))))))))))
.
- 2001-08-23 12:00 . 2011-11-14 13:38 65508 c:\windows\system32\perfc009.dat
+ 2001-08-23 12:00 . 2011-11-15 18:42 65508 c:\windows\system32\perfc009.dat
+ 2001-08-23 12:00 . 2011-11-15 18:42 425650 c:\windows\system32\perfh009.dat
- 2001-08-23 12:00 . 2011-11-14 13:38 425650 c:\windows\system32\perfh009.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{32b29df0-2237-4370-9a29-37cebb730e9b}"= "c:\program files\FreeSoundRecorder\prxtbFree.dll" [2011-01-17 175912]
.
[HKEY_CLASSES_ROOT\clsid\{32b29df0-2237-4370-9a29-37cebb730e9b}]
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{30F9B915-B755-4826-820B-08FBA6BD249D}]
2011-01-17 14:54 175912 ----a-w- c:\program files\ConduitEngine\prxConduitEngine.dll
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{32b29df0-2237-4370-9a29-37cebb730e9b}]
2011-01-17 14:54 175912 ----a-w- c:\program files\FreeSoundRecorder\prxtbFree.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{32b29df0-2237-4370-9a29-37cebb730e9b}"= "c:\program files\FreeSoundRecorder\prxtbFree.dll" [2011-01-17 175912]
"{30F9B915-B755-4826-820B-08FBA6BD249D}"= "c:\program files\ConduitEngine\prxConduitEngine.dll" [2011-01-17 175912]
.
[HKEY_CLASSES_ROOT\clsid\{32b29df0-2237-4370-9a29-37cebb730e9b}]
.
[HKEY_CLASSES_ROOT\clsid\{30f9b915-b755-4826-820b-08fba6bd249d}]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2011-08-31 449608]
"googletalk"="c:\program files\Google\Google Talk\googletalk.exe" [2007-01-01 3813376]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"nltide_3"="advpack.dll" [2008-04-14 99840]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"= 1 (0x1)
"DisableRegistryTools"= 1 (0x1)
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoResolveTrack"= 1 (0x1)
"NoSMConfigurePrograms"= 1 (0x1)
.
[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSMHelp"= 1 (0x1)
"NoResolveTrack"= 1 (0x1)
"NoSMConfigurePrograms"= 1 (0x1)
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2010-09-21 18:37 932288 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2009-12-21 23:57 105392 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BisonHK]
2007-03-15 14:37 32768 ----a-w- c:\windows\BisonCam\BisonHK.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BsMnt]
2007-03-15 14:34 172032 ----a-w- c:\windows\BisonCam\BsMnt.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
2011-10-19 12:52 205808 ----atw- c:\documents and settings\Shera\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ITSecMng]
2008-12-19 15:12 152968 ----a-w- c:\program files\Toshiba\Bluetooth Toshiba Stack\ItSecMng.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]
2008-05-16 12:39 16862720 ----a-w- c:\windows\RTHDCPL.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
2011-07-11 21:47 144384 ----a-w- c:\program files\Winamp\winampa.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"AntiVirusOverride"=dword:00000001
"AntiVirusDisableNotify"=dword:00000001
"FirewallDisableNotify"=dword:00000001
"FirewallOverride"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
"UacDisableNotify"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)
"DisableUnicastResponsesToMulticastBroadcast"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\WINDOWS\\RTHDCPL.EXE"=
"c:\\WINDOWS\\BisonCam\\BisonCap.exe"=
"c:\\totalcmd\\TOTALCMD.EXE"=
"c:\\Program Files\\Winamp\\winampa.exe"=
"c:\\Program Files\\Winamp\\winamp.exe"=
"c:\\Program Files\\TOSHIBA\\Bluetooth Toshiba Stack\\ItSecMng.exe"=
"c:\\Program Files\\Malwarebytes' Anti-Malware\\mbamgui.exe"=
"c:\\Program Files\\Malwarebytes' Anti-Malware\\mbam.exe"=
"c:\\Program Files\\GRETECH\\GomPlayer\\GOM.exe"=
"c:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
"c:\\Program Files\\Common Files\\Autodesk Shared\\Service\\AdskScSrv.exe"=
"c:\\Program Files\\Common Files\\Autodesk Shared\\AcShellEx\\AcLauncher.exe"=
"c:\\Program Files\\Common Files\\Adobe\\ARM\\1.0\\AdobeARM.exe"=
"c:\\Program Files\\Adobe\\Reader 9.0\\Reader\\Reader_sl.exe"=
"c:\\Documents and Settings\\Shera\\Local Settings\\Application Data\\Google\\Update\\GoogleUpdate.exe"=
"c:\\Documents and Settings\\Shera\\Local Settings\\Application Data\\Google\\Chrome\\Application\\chrome.exe"=
"c:\\WINDOWS\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\cmd.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3844:TCP"= 3844:TCP:rvkivild
.
R0 a347bus;a347bus;c:\windows\system32\drivers\a347bus.sys [10/19/2011 4:30 AM 158720]
R0 a347scsi;a347scsi;c:\windows\system32\drivers\a347scsi.sys [10/19/2011 4:30 AM 5248]
R2 hl_mull;hl_mull;c:\windows\system32\drivers\hl_mull.sys [11/4/2011 7:22 PM 67712]
R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [10/19/2011 2:33 PM 366152]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [10/19/2011 2:33 PM 22216]
R3 O2MDRDR;O2MDRDR;c:\windows\system32\drivers\o2media.sys [10/19/2011 2:57 AM 51288]
R3 O2SDRDR;O2SDRDR;c:\windows\system32\drivers\o2sd.sys [10/19/2011 2:57 AM 43608]
S2 pybzlew;Task Update;c:\windows\system32\svchost.exe -k netsvcs [4/14/2008 4:42 AM 14336]
S3 MBAMSwissArmy;MBAMSwissArmy;\??\c:\windows\system32\drivers\mbamswissarmy.sys --> c:\windows\system32\drivers\mbamswissarmy.sys [?]
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - AMSINT32
.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
pybzlew
.
Contents of the 'Scheduled Tasks' folder
.
2011-11-14 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1275210071-412668190-842925246-1001Core.job
- c:\documents and settings\Shera\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-10-19 12:52]
.
2011-11-15 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1275210071-412668190-842925246-1001UA.job
- c:\documents and settings\Shera\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-10-19 12:52]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
uInternet Settings,ProxyServer = proxy.rcub.bg.ac.rs:8080
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~1\Office12\EXCEL.EXE/3000
TCP: DhcpNameServer = 147.91.1.5
FF - ProfilePath - c:\documents and settings\Shera\Application Data\Mozilla\Firefox\Profiles\xpb5q7ji.default\
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, gmer.net
Rootkit scan 2011-11-15 20:05
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\pybzlew]
"ServiceDll"="c:\windows\system32\zknvebw.dll"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(812)
c:\windows\system32\Ati2evxx.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\windows\system32\Ati2evxx.exe
c:\windows\system32\agrsmsvc.exe
c:\program files\O2Micro Flash Memory Card Driver\o2flash.exe
c:\program files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe
.
**************************************************************************
.
Completion time: 2011-11-15 20:07:31 - machine was rebooted
ComboFix-quarantined-files.txt 2011-11-15 19:07
ComboFix2.txt 2011-11-15 01:00
ComboFix3.txt 2011-11-14 14:10
.
Pre-Run: 34,455,732,224 bytes free
Post-Run: 34,405,761,024 bytes free
.
- - End Of File - - 23D5E55F90B6B26F0912CFBCDE2AD9CE



Update: 15 Nov 2011 20:21

I forgot the question: is it OK if I check it? I mean, it doesn't affect removing the virus?

Update: 15 Nov 2011 20:33

I just tried to start Windows from safe mode, but no luck. When I press Enter to start Windows in safe mode, it starts loading some .sys files, for a moment the infamous blue screen of death appears (which I've had problems with ever since I bought the laptop), and the computer restarts. By the way, I've taken the laptop to the MSI service centre in Belgrade three times because of the blue screen, and nothing.
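The helper in this thread reads the ComboFix log above by eye and picks out the entries that matter: the HKCU policy values that disable Task Manager and the Registry Editor, the Security Center and Windows Firewall overrides, the globally opened port, and the svchost-hosted service whose ServiceDll ComboFix lists at the end. As an added example that is not part of this thread and not code from ComboFix, the Python script below automates that reading over ComboFix-style log text. The sample lines are excerpted from the log posted above; the rule table, the finding categories and the function names are my own and are not ComboFix conventions.

```python
import re

# Constructed sample: a handful of lines excerpted from the ComboFix log in the
# post above (key headers, "name"= value lines, one service line, one ServiceDll).
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"= 1 (0x1)
"DisableRegistryTools"= 1 (0x1)
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"AntiVirusOverride"=dword:00000001
"FirewallDisableNotify"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3844:TCP"= 3844:TCP:rvkivild
.
S2 pybzlew;Task Update;c:\windows\system32\svchost.exe -k netsvcs [4/14/2008 4:42 AM 14336]
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\pybzlew]
"ServiceDll"="c:\windows\system32\zknvebw.dll"
"""

# Hypothetical rule table (my own, not from ComboFix): key fragment the value must
# live under, value name, the value that indicates tampering, and a description.
POLICY_RULES = [
    (r"policies\system", "DisableTaskMgr", 1, "Task Manager disabled by policy"),
    (r"policies\system", "DisableRegistryTools", 1, "Registry Editor disabled by policy"),
    (r"security center", "AntiVirusOverride", 1, "Security Center antivirus monitoring overridden"),
    (r"security center", "FirewallOverride", 1, "Security Center firewall monitoring overridden"),
    (r"security center", "AntiVirusDisableNotify", 1, "Antivirus warnings suppressed"),
    (r"security center", "FirewallDisableNotify", 1, "Firewall warnings suppressed"),
    (r"security center", "UpdatesDisableNotify", 1, "Windows Update warnings suppressed"),
    (r"firewallpolicy\standardprofile", "EnableFirewall", 0, "Windows Firewall turned off"),
    (r"firewallpolicy\standardprofile", "DisableNotifications", 1, "Firewall notifications suppressed"),
]

KEY_RE = re.compile(r"^\[(.+)\]$")                       # [HKEY_...\path]
VALUE_RE = re.compile(r'^"([^"]+)"\s*=\s*(.*)$')         # "Name"= value
# R/S service lines whose image is svchost.exe in the netsvcs group
SERVICE_RE = re.compile(r"^[RS]\d\s+(\w+);([^;]*);(.+?svchost\.exe -k netsvcs)", re.I)


def parse_int(raw):
    """Turn ComboFix's '1 (0x1)' or 'dword:00000001' spellings into an int, else None."""
    raw = raw.strip()
    m = re.match(r"^(\d+)\s*\(0x[0-9a-f]+\)$", raw, re.I)
    if m:
        return int(m.group(1))
    m = re.match(r"^dword:([0-9a-f]{8})$", raw, re.I)
    if m:
        return int(m.group(1), 16)
    return None


def triage(log_text):
    """Return (category, item, description) findings for tampered policies,
    globally opened firewall ports and svchost-hosted services with a listed ServiceDll."""
    findings = []
    current_key = ""
    netsvcs = {}  # service name -> display name, from the R/S service lines
    for line in log_text.splitlines():
        line = line.strip()
        m = KEY_RE.match(line)
        if m:
            current_key = m.group(1).lower()
            continue
        m = SERVICE_RE.match(line)
        if m:
            netsvcs[m.group(1).lower()] = m.group(2)
            continue
        m = VALUE_RE.match(line)
        if not m:
            continue
        name, raw = m.group(1), m.group(2).strip()
        val = parse_int(raw)
        for key_frag, vname, bad, desc in POLICY_RULES:
            if key_frag in current_key and name.lower() == vname.lower() and val == bad:
                findings.append(("policy", f"{name}={val}", desc))
        if "globallyopenports" in current_key:
            findings.append(("firewall", name, f"port opened by '{raw}'"))
        if name.lower() == "servicedll":
            svc = current_key.rsplit("\\", 1)[-1]
            dll = raw.strip('"')
            if svc in netsvcs:
                findings.append(("netsvcs", svc,
                                 f"svchost-hosted service '{netsvcs[svc]}' loads {dll}"))
    return findings


if __name__ == "__main__":
    for category, item, desc in triage(SAMPLE_LOG):
        print(f"[{category}] {item}: {desc}")
```

The script only reads text, so it can be run against a saved ComboFix log on a clean machine. Every policy value it flags is something the helper's later steps undo or that an antivirus and firewall reinstall is meant to restore; the netsvcs pairing shows why the CFScript in the thread names both the service and its DLL.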

offline
  • diarno  Male
  • Anti Malware Fighter
    Rank 2
  • Joined: 15 Jun 2007
  • Posts: 5572

It's no use. We could go on like this until the day after tomorrow. Listen carefully:

1. Remove Avast.
2. Remove Comodo Firewall.
3. Download Dr.Web CureIt and copy the instructions for using Dr.Web, or write them down if you can't remember them.
When we're done, install whichever security software you want.

4. Do the following:

Open Notepad and copy the following text into it:

File::
c:\windows\system32\zknvebw.dll

Netsvc::
pybzlew

Driver::
pybzlew

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3844:TCP"=-


Save the file from Notepad to the Desktop as "CFScript"

Drag the saved script/text onto the ComboFix icon as in the picture.
Post the log that is produced at the end of the cleaning/scanning in your next message.

5. Don't check that option.

6. Run Dr.Web from the normal environment and let it scan.
7. Install an antivirus.
8. Install a firewall.

Follow these steps exactly.

offline
  • Joined: 13 Nov 2011
  • Posts: 20

I can't download Dr.Web CureIt. The link you posted doesn't work, and I also tried from their site and a few others, and the only thing I managed was to download one that tells me my licence key has expired. I thought it was my internet, so I asked a friend who uses cable internet (not networked with anyone) and he told me the same thing. What now? :/

offline
  • diarno  Male
  • Anti Malware Fighter
    Rank 2
  • Joined: 15 Jun 2007
  • Posts: 5572

It would be good to burn a Rescue CD at your friend's.

http://www.mycity.rs/Antivirus-programi/Rescue-CD-prirucnik.html

Pick one. Detailed instructions are at the link above.

If after scanning and disinfection you can install an antivirus and firewall, do it right away. Then report back so we can see what to do and how. The firewall (together with the AV) should protect you from the second infection (Conficker). Right now we're struggling with the file infector (Sality).

offline
  • Joined: 13 Nov 2011
  • Posts: 20

Problem again. I downloaded Kaspersky Rescue Disk v10.0. The first menu it offers is the language. When I choose a language, the next menu shows the following items: 1) Kaspersky rescue disc. Graphic mode
2) Kaspersky rescue disc. Text mode
3) Hardware info
4) Boot from hard disc
5) Reboot
6) Shut down
When I choose either of the first two, it starts loading as described in your instructions (picture at the bottom of the message) and when it gets part way, it stops scanning and a black screen appears. I waited 10 minutes thinking it was doing something, but it seems the laptop froze. I couldn't even open the CD-ROM or anything else, so I forced it off. Should I wait longer, or what? Maybe I was a bit impatient.

offline
  • diarno  Male
  • Anti Malware Fighter
    Rank 2
  • Joined: 15 Jun 2007
  • Posts: 5572

Can anything else go wrong? Now, would reformatting be a problem for you? But this time following my instructions? Or try another Rescue Disc. I suggest Dr.Web.

offline
  • Joined: 13 Nov 2011
  • Posts: 20

OK, I'll try another rescue disc. If that doesn't work either, I'll format the drive, no problem, but I have to save some data that's very important to me.

offline
  • diarno  Male
  • Anti Malware Fighter
    Rank 2
  • Joined: 15 Jun 2007
  • Posts: 5572

0shera0 :: OK, I'll try another rescue disc. If that doesn't work either, I'll format the drive, no problem, but I have to save some data that's very important to me.

If you're going to format, report here first.

offline
  • Joined: 13 Nov 2011
  • Posts: 20

Posted: 22 Nov 2011 14:31

I'll try formatting right away. Waiting for instructions :)

Update: 24 Nov 2011 15:40

Leaving a post just so the topic doesn't go inactive.

offline
  • diarno  Male
  • Anti Malware Fighter
    Rank 2
  • Joined: 15 Jun 2007
  • Posts: 5572

Posted: 24 Nov 2011 16:05

Sorry, I didn't see it. I'm very busy (coal and firewood season :) ), I'll get back to you in 2 hours.

Update: 24 Nov 2011 20:59

1. Install an antivirus.
2. Install a firewall.
3. Install MCShield > http://amf.mycity.rs/programs/mc/mcshield/
4. Run a full scan with the antivirus.

Simple, isn't it. This should protect you from Conficker and from those USB pests through which you picked up the file infector.
