trojanci

trojanci
  • Joined: 23 Oct 2007
  • Posts: 49
Hello, with S-S&D I found that I am infected with the Delf and Hupigon 13 trojans. It cleans them, but after restarting the computer they show up again. The computer is slow and the trojans are blocking my AV protection. I'm sending the HJT log file so you can see what can be done. Thanks


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:34:37 PM, on 27/04/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\Windows\System32\smss.exe
C:\Windows\system32\winlogon.exe
C:\Windows\system32\services.exe
C:\Windows\system32\lsass.exe
C:\Windows\system32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\system32\spoolsv.exe
C:\COMPAQ\ACLIENT\ACLIENT.exe
C:\Program Files\Compaq\Compaq Management Agents\cpqalert.exe
C:\Windows\Cpqdiag\Cpqdfwag.exe
C:\PROGRA~1\Compaq\COMPAQ~2\CPQWEB~1\WebDmi.exe
C:\Program Files\Compaq\LCRMS\LCRMS.EXE
C:\Windows\system32\svchost.exe
C:\Windows\LogWatNT.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Danware Data\NetOp Remote Control\HOST\NHOSTSVC.EXE
C:\Windows\System32\NMSSvc.exe
C:\Windows\System32\nvsvc32.exe
C:\Program Files\Compaq\Compaq Management Agents\Dmi\Win32\bin\Win32sl.exe
C:\PROGRA~1\Compaq\COMPAQ~2\cpqdmi.exe
C:\Windows\Explorer.EXE
C:\Program Files\Compaq\Compaq EAB Software\cpqek.exe
C:\PROGRA~1\Compaq\COMPAQ~2\CHKADMIN.EXE
C:\Windows\system32\JupitCo.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Windows\system32\ctfmon.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Windows\system32\wuauclt.exe
C:\Program Files\Trend Micro\tHIS\THIS.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = trazim.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O4 - HKLM\..\Run: [cpqek] C:\Program Files\Compaq\Compaq EAB Software\cpqek.exe
O4 - HKLM\..\Run: [ChkAdmin] C:\PROGRA~1\Compaq\COMPAQ~2\CHKADMIN.EXE
O4 - HKLM\..\Run: [USB SECURITY DEVICE CoInstaller] JupitCo.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\RunServices: [CPQDFWAG] C:\Windows\Cpqdiag\CpqDfwAg.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\Windows\system32\ctfmon.exe
O4 - HKCU\..\Run: [Administrator] C:\Documents and Settings\Administrator\Administrator.exe /i
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {F9463571-87CB-4A90-A1AC-2284B7F5AF4E} (Persits Software XEncrypt) - banka.com.mk/Ctrls/Ctrls.cab
O23 - Service: Altiris Client Service (AClient) - Altiris, Inc. - C:\COMPAQ\ACLIENT\ACLIENT.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Compaq Local Alerter (CPQALERT) - Compaq Computer Corporation - C:\Program Files\Compaq\Compaq Management Agents\cpqalert.exe
O23 - Service: Compaq Remote Diagnostics Enabling Agent (CpqDfwWebAgent) - Compaq Computer Corporation - C:\Windows\Cpqdiag\Cpqdfwag.exe
O23 - Service: cpqdmi - Compaq Computer Corporation - C:\PROGRA~1\Compaq\COMPAQ~2\cpqdmi.exe
O23 - Service: Compaq DMI Web Agent (cpqWebDmi) - Compaq Computer Corporation - C:\PROGRA~1\Compaq\COMPAQ~2\CPQWEB~1\WebDmi.exe
O23 - Service: HTTP SSL HTTPFilterEventlog (HTTPFilterEventlog) - Unknown owner - C:\Windows\system32\ahuii.exe
O23 - Service: Insight Manager LC Remote Management (LCRMS) - Compaq Computer Corporation - C:\Program Files\Compaq\LCRMS\LCRMS.EXE
O23 - Service: Event Log Watch (LogWatch) - Unknown owner - C:\Windows\LogWatNT.exe
O23 - Service: NetOp Helper ver. 7.50 (2002343) (NetOp Host for NT Service) - Danware Data A/S - C:\Program Files\Danware Data\NetOp Remote Control\HOST\NHOSTSVC.EXE
O23 - Service: Intel(R) NMS (NMSSvc) - Intel Corporation - C:\Windows\System32\NMSSvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\Windows\System32\nvsvc32.exe
O23 - Service: Win32Sl (WIN32SL) - Intel - C:\Program Files\Compaq\Compaq Management Agents\Dmi\Win32\bin\Win32sl.exe

--
End of file - 5472 bytes

diarno
  • Anti Malware Fighter, Rank 2
  • Joined: 15 Jun 2007
  • Posts: 5572

Right-click the avast! icon in the bottom right corner of the screen and choose Stop OnAccess Protection.

Note: Don't forget to turn this option back on once the cleaning is finished.


Download ComboFix from one of the following addresses to your Desktop:
http://download.bleepingcomputer.com/sUBs/ComboFix.exe
http://www.forospyware.com/sUBs/ComboFix.exe
http://subs.geekstogo.com/ComboFix.exe

Run it and don't touch the program window while it scans.
Follow the on-screen instructions. When it finishes, a log (C:\ComboFix.txt) will appear; copy it here for us.

trojanci
  • Joined: 23 Oct 2007
  • Posts: 49

Avast was blocked and that icon wasn't there, so I removed Avast through Add/Remove Programs. The computer isn't on the network, so I'm not worried about additional infections. Here's the log file
ComboFix 09-04-27.03 - Administrator 28/04/2009 11:25.6 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1251.389.1033.18.127.16 [GMT 2:00]
Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((( Files Created from 2009-05-28 to 2009-4-28 )))))))))))))))))))))))))))))))
.

2009-04-24 10:40 . 2009-04-24 10:40 -------- d-----w c:\documents and settings\Administrator\Application Data\Malwarebytes
2009-04-24 10:40 . 2009-01-04 16:38 15504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-04-24 10:40 . 2009-01-04 16:38 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-24 10:40 . 2009-04-24 10:40 -------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes
2009-04-24 10:40 . 2009-04-24 10:40 -------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-04-23 07:13 . 2009-04-23 07:14 -------- d-----w c:\program files\Spybot - Search & Destroy
2009-04-23 07:13 . 2009-04-23 07:21 -------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-04-22 07:38 . 2009-04-24 12:44 32 --s-a-w c:\windows\system32\345450611.dat
2009-04-22 07:38 . 2009-04-22 07:38 53248 --sh--r c:\windows\system32\ahuii.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-28 06:42 . 2005-12-14 11:53 -------- d-----w c:\program files\Microsoft AntiSpyware
2009-04-27 10:33 . 2008-10-01 12:01 -------- d-----w c:\program files\Trend Micro
2009-04-27 06:19 . 2006-01-06 12:24 -------- d-----w c:\program files\Pozaren pridones
2009-04-23 12:15 . 2006-09-29 06:04 -------- d-----w c:\program files\Cistacki
2009-04-06 07:02 . 2008-01-31 06:56 -------- d-----w c:\program files\Honorarci
2009-04-03 07:31 . 2006-02-14 06:48 -------- d-----w c:\program files\Provizija
2009-04-03 07:21 . 2002-09-12 10:59 -------- d-----w c:\program files\Virmani
2009-03-26 12:04 . 2008-01-25 08:14 -------- d-----w c:\program files\Hrana
2009-03-25 13:46 . 2008-01-28 11:06 -------- d-----w c:\program files\Prevoz
2002-09-12 10:31 . 2002-09-12 10:59 7510 ----a-w c:\program files\ST6UNST.LOG
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-08-03 1667584]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-03 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"cpqek"="c:\program files\Compaq\Compaq EAB Software\cpqek.exe" [2001-09-12 73728]
"ChkAdmin"="c:\progra~1\Compaq\COMPAQ~2\CHKADMIN.EXE" [2001-12-03 81920]
"gcasServ"="c:\program files\Microsoft AntiSpyware\gcasServ.exe" [2005-11-15 473928]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe" [2004-08-09 221184]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-08-09 81920]
"USB SECURITY DEVICE CoInstaller"="JupitCo.exe" - c:\windows\system32\JupitCo.exe [2002-03-14 28672]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\a2service.exe]
"Debugger"=ntsd -d

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\ArcaCheck.exe]
"Debugger"=ntsd -d

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\arcavir.exe]
"Debugger"=ntsd -d

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\ashDisp.exe]
"Debugger"=ntsd -d

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\ashEnhcd.exe]
"Debugger"=ntsd -d

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\ashServ.exe]
"Debugger"=ntsd -d

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\ashUpd.exe]
"Debugger"=ntsd -d

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\aswUpdSv.exe]
"Debugger"=ntsd -d

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\avcls.exe]
"Debugger"=ntsd -d

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\avz.exe]
"Debugger"=ntsd -d

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\avz4.exe]
"Debugger"=ntsd -d

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\avz_se.exe]
"Debugger"=ntsd -d

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\bdinit.exe]
"Debugger"=ntsd -d

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\caav.exe]
"Debugger"=ntsd -d

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\caavguiscan.exe]
"Debugger"=ntsd -d

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\casecuritycenter.exe]
"Debugger"=ntsd -d

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\ccupdate.exe]
"Debugger"=ntsd -d

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\cfp.exe]
"Debugger"=ntsd -d

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\cfpupdat.exe]
"Debugger"=ntsd -d

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\cmdagent.exe]
"Debugger"=ntsd -d

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\DRWEB32.EXE]
"Debugger"=ntsd -d

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\FAMEH32.EXE]
"Debugger"=ntsd -d

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\FPAVServer.exe]
"Debugger"=ntsd -d

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\fpscan.exe]
"Debugger"=ntsd -d

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\FPWin.exe]
"Debugger"=ntsd -d

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\fsav32.exe]
"Debugger"=ntsd -d

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\fsgk32st.exe]
"Debugger"=ntsd -d

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\FSMA32.EXE]
"Debugger"=ntsd -d

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\guardxservice.exe]
"Debugger"=ntsd -d

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\guardxup.exe]
"Debugger"=ntsd -d

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\navigator.exe]
"Debugger"=ntsd -d

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\NAVSTUB.EXE]
"Debugger"=ntsd -d

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\Nvcc.exe]
"Debugger"=ntsd -d

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\outpost.exe]
"Debugger"=ntsd -d

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\preupd.exe]
"Debugger"=ntsd -d

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\pskdr.exe]
"Debugger"=ntsd -d

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\SfFnUp.exe]
"Debugger"=ntsd -d

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\Vba32arkit.exe]
"Debugger"=ntsd -d

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\vba32ldr.exe]
"Debugger"=ntsd -d

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\Zanda.exe]
"Debugger"=ntsd -d

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\zapro.exe]
"Debugger"=ntsd -d

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\Zlh.exe]
"Debugger"=ntsd -d

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\zoneband.dll]
"Debugger"=ntsd -d

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=

R1 NHostNT1;NetOp Driver 1 ver. 7.50 (2002343);c:\windows\System32\Drivers\NHOSTNT1.SYS [2002-12-09 54032]
R2 HTTPFilterEventlog;HTTP SSL HTTPFilterEventlog;c:\windows\system32\ahuii.exe [2009-04-22 53248]
R2 JUPITER;USB SECURITY DEVICE;c:\windows\system32\DRIVERS\JUPITER.sys [2002-03-19 9312]
R2 ws2_32sik;ws2_32sik;c:\windows\system32\drivers\ws2_32sik.sys [2004-08-03 30464]
S1 ClntMgmt;Compaq Client Management Driver;c:\windows\system32\Drivers\ClntMgmt.sys [2001-11-29 53926]
S2 CpqDfwWebAgent;Compaq Remote Diagnostics Enabling Agent;c:\windows\Cpqdiag\Cpqdfwag.exe [2001-11-19 212992]
S2 cpqdiag;Compaq Diagnostics Driver;c:\windows\System32\drivers\cpqdiag.sys [2001-06-20 41344]
S2 cpqWebDmi;Compaq DMI Web Agent;c:\progra~1\Compaq\COMPAQ~2\CPQWEB~1\WebDmi.exe [2001-12-03 24576]
S2 LCRMS;Insight Manager LC Remote Management;c:\program files\Compaq\LCRMS\LCRMS.EXE [2000-05-23 376881]
S2 LogWatch;Event Log Watch;c:\windows\LogWatNT.exe [2000-06-08 50176]
S2 NetOp Host for NT Service;NetOp Helper ver. 7.50 (2002343);c:\program files\Danware Data\NetOp Remote Control\HOST\NHOSTSVC.EXE [2002-12-09 1085712]
S3 NHOSTNT3;NetOp Driver 3 ver. 7.50 (2002343);c:\windows\System32\Drivers\NHOSTNT3.SYS [2002-12-09 3216]


--- Other Services/Drivers In Memory ---

*NewlyCreated* - NMSCFG

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{5964c399-fb12-11dc-af9f-00080214b5d4}]
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL wscript.exe nar.vbs
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.trazim.com/
uInternet Connection Wizard,ShellNext = iexplore
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
DPF: {F9463571-87CB-4A90-A1AC-2284B7F5AF4E} - hxxps://www.banka.com.mk/Ctrls/Ctrls.cab
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, gmer.net
Rootkit scan 2009-04-28 11:28
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2009-04-28 11:31
ComboFix-quarantined-files.txt 2009-04-28 09:31
ComboFix2.txt 2009-04-28 06:59
ComboFix3.txt 2008-10-08 06:22

Pre-Run: 28,586,098,688 bytes free
Post-Run: 28,581,347,328 bytes free

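The "Reg Loading Points" section of the log above is where the infection shows its hand: every antivirus, firewall and rescue tool listed under Image File Execution Options has a "Debugger" value of ntsd -d. Windows consults that key whenever a process with that image name is created and launches the named "debugger" with the original command line appended, so avast! (ashServ.exe, ashDisp.exe, aswUpdSv.exe) is started through ntsd, which with -d and no kernel debugger attached never lets the real program run; that is why the tray icon was gone. The same block shows the Security Center notifications muted (AntiVirusDisableNotify, UpdatesDisableNotify), a system/hidden binary in system32 (ahuii.exe) registered as a service whose name imitates HTTPFilter, a driver whose name imitates ws2_32, and a removable-drive AutoRun command that runs nar.vbs through wscript. The script below is an added example, not part of this thread, of ComboFix or of HijackThis: it parses lines in that format, flags the ntsd -d hijacks, and turns the analyst's decisions into a CFScript in the same File:: / Driver:: / Registry:: layout diarno uses later in the thread. The sample log is constructed from the entries above (shortened); the notepad.exe/windbg.exe entry is invented to show an IFEO entry that is not the blocking pattern; and the service names passed to build_cfscript are the analyst's choice, not something the script decides on its own.

```python
"""Triage of the "Reg Loading Points" part of a ComboFix log: IFEO Debugger
hijacks, Security Center kill switches, service lines, AutoRun commands, and a
CFScript built from the analyst's decisions. Added example for this thread; not
part of ComboFix, HijackThis or the original posts."""
import re
from dataclasses import dataclass, field

IFEO_PREFIX = (r"HKEY_LOCAL_MACHINE\software\microsoft\windows nt"
               r"\currentversion\image file execution options")
IFEO_KEY_RE = re.compile(r"^\[" + re.escape(IFEO_PREFIX) + r"\\([^\]]+)\]$", re.I)
DEBUGGER_RE = re.compile(r'^"Debugger"=(.*)$', re.I)
SEC_CENTER_KEY = r"[HKEY_LOCAL_MACHINE\software\microsoft\security center]"
DWORD_RE = re.compile(r'^"([^"]+)"=dword:([0-9a-f]{8})$', re.I)
# "R2 name;display;path [yyyy-mm-dd size]"  (R/S = running/stopped, digit = start type)
SERVICE_RE = re.compile(r"^([RS])(\d)\s+([^;]+);([^;]*);(.+?)\s+\[([\d-]+)\s+(\d+)\]$")
AUTORUN_RE = re.compile(r"\\Shell\\AutoRun\\command\s+-\s+(.+)$", re.I)

# Constructed sample, cut down from the log in the thread; the notepad.exe/windbg
# entry is invented to show an IFEO Debugger that is not the AV-killing pattern.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\ashServ.exe]
"Debugger"=ntsd -d
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\avz.exe]
"Debugger"=ntsd -d
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\notepad.exe]
"Debugger"=c:\tools\windbg.exe
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
R2 HTTPFilterEventlog;HTTP SSL HTTPFilterEventlog;c:\windows\system32\ahuii.exe [2009-04-22 53248]
R2 ws2_32sik;ws2_32sik;c:\windows\system32\drivers\ws2_32sik.sys [2004-08-03 30464]
S2 LogWatch;Event Log Watch;c:\windows\LogWatNT.exe [2000-06-08 50176]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{5964c399-fb12-11dc-af9f-00080214b5d4}]
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL wscript.exe nar.vbs
"""


@dataclass
class Findings:
    ifeo: dict = field(default_factory=dict)        # image name -> Debugger value
    sec_center: dict = field(default_factory=dict)  # value name -> dword
    services: list = field(default_factory=list)    # parsed R*/S* lines
    autorun: list = field(default_factory=list)     # AutoRun command lines


def parse_reg_loading_points(text):
    """Walk the log line by line, remembering which registry key a value sits under."""
    f, current = Findings(), None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line
        elif (m := DEBUGGER_RE.match(line)) and current and (k := IFEO_KEY_RE.match(current)):
            f.ifeo[k.group(1)] = m.group(1).strip()
        elif (m := DWORD_RE.match(line)) and current and current.lower() == SEC_CENTER_KEY.lower():
            f.sec_center[m.group(1)] = int(m.group(2), 16)
        elif m := SERVICE_RE.match(line):
            f.services.append(dict(zip(("state", "start", "name", "display", "path", "date", "size"),
                                       m.groups())))
        elif m := AUTORUN_RE.search(line):
            f.autorun.append(m.group(1))
    return f


def ifeo_debugger_hijacks(f):
    """Every IFEO Debugger entry. 'blocks' is the ntsd -d trick from the log: Windows
    launches ntsd in place of the named exe and, with -d and no kernel debugger
    attached, the real program never runs. Any other Debugger value is 'review'."""
    out = []
    for image, dbg in sorted(f.ifeo.items(), key=lambda kv: kv[0].lower()):
        tokens = dbg.lower().split()
        out.append((image, dbg, "blocks" if tokens[:1] == ["ntsd"] and "-d" in tokens else "review"))
    return out


def security_center_silenced(f):
    """*DisableNotify values set to 1, i.e. Security Center warnings muted."""
    return sorted(n for n, v in f.sec_center.items() if n.endswith("DisableNotify") and v == 1)


def build_cfscript(f, drop_services, extra_files=()):
    """CFScript text in the File:: / Driver:: / Registry:: layout. drop_services are
    service names the analyst judged malicious; their binaries are taken from the
    parsed lines so File:: and Driver:: cannot drift apart. Registry:: deletes the
    blocking IFEO keys and resets the Security Center values (REGEDIT4 syntax)."""
    chosen = [s for s in f.services if s["name"] in drop_services]
    lines = ["File::", *[s["path"] for s in chosen], *extra_files, "",
             "Driver::", *[s["name"] for s in chosen], "", "Registry::"]
    lines += [f"[-{IFEO_PREFIX}\\{image}]"
              for image, _dbg, verdict in ifeo_debugger_hijacks(f) if verdict == "blocks"]
    if security_center_silenced(f):
        lines.append(SEC_CENTER_KEY)
        lines += [f'"{n}"=dword:00000000' for n in security_center_silenced(f)]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    found = parse_reg_loading_points(SAMPLE_LOG)
    for image, dbg, verdict in ifeo_debugger_hijacks(found):
        print(f"IFEO {verdict:7} {image:14} Debugger={dbg}")
    print("Security Center muted:", security_center_silenced(found), "AutoRun:", found.autorun)
    print(build_cfscript(found, {"HTTPFilterEventlog", "ws2_32sik"}, [r"c:\windows\system32\345450611.dat"]))
```

Run against the sample, the Registry:: section comes out as the same `[-HKEY_LOCAL_MACHINE\...\image file execution options\<exe>]` delete lines diarno's script starts with, in case-insensitive name order, and the notepad.exe entry is left alone for a human to judge. Resetting the two Security Center values in the same Registry:: block is this example's choice, not something diarno's script shows.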

diarno
  • Anti Malware Fighter, Rank 2
  • Joined: 15 Jun 2007
  • Posts: 5572

Why did you run ComboFix more than once?

Attach the ComboFix2.txt file, which is in the root of the C: partition. If it isn't there, look in the Qoobox folder.

trojanci
  • Joined: 23 Oct 2007
  • Posts: 49

The first time I ran it, it gave me an empty log file, so I repeated the procedure.
Here is the ComboFix2 file

ComboFix 09-04-27.03 - Administrator 28/04/2009 8:44.5 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1251.389.1033.18.127.15 [GMT 2:00]
Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Administrator\file.exe
c:\windows\system32\digiwet.dll

.
((((((((((((((((((((((((( Files Created from 2009-05-28 to 2009-4-28 )))))))))))))))))))))))))))))))
.

2009-04-24 10:40 . 2009-04-24 10:40 -------- d-----w c:\documents and settings\Administrator\Application Data\Malwarebytes
2009-04-24 10:40 . 2009-01-04 16:38 15504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-04-24 10:40 . 2009-01-04 16:38 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-24 10:40 . 2009-04-24 10:40 -------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes
2009-04-24 10:40 . 2009-04-24 10:40 -------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-04-23 07:13 . 2009-04-23 07:14 -------- d-----w c:\program files\Spybot - Search & Destroy
2009-04-23 07:13 . 2009-04-23 07:21 -------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-04-22 07:38 . 2009-04-24 12:44 32 --s-a-w c:\windows\system32\345450611.dat
2009-04-22 07:38 . 2009-04-22 07:38 53248 --sh--r c:\windows\system32\ahuii.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-28 06:42 . 2005-12-14 11:53 -------- d-----w c:\program files\Microsoft AntiSpyware
2009-04-27 10:33 . 2008-10-01 12:01 -------- d-----w c:\program files\Trend Micro
2009-04-27 06:19 . 2006-01-06 12:24 -------- d-----w c:\program files\Pozaren pridones
2009-04-23 12:15 . 2006-09-29 06:04 -------- d-----w c:\program files\Cistacki
2009-04-06 07:02 . 2008-01-31 06:56 -------- d-----w c:\program files\Honorarci
2009-04-03 07:31 . 2006-02-14 06:48 -------- d-----w c:\program files\Provizija
2009-04-03 07:21 . 2002-09-12 10:59 -------- d-----w c:\program files\Virmani
2009-03-26 12:04 . 2008-01-25 08:14 -------- d-----w c:\program files\Hrana
2009-03-25 13:46 . 2008-01-28 11:06 -------- d-----w c:\program files\Prevoz
2002-09-12 10:31 . 2002-09-12 10:59 7510 ----a-w c:\program files\ST6UNST.LOG
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-08-03 1667584]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-03 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"cpqek"="c:\program files\Compaq\Compaq EAB Software\cpqek.exe" [2001-09-12 73728]
"ChkAdmin"="c:\progra~1\Compaq\COMPAQ~2\CHKADMIN.EXE" [2001-12-03 81920]
"gcasServ"="c:\program files\Microsoft AntiSpyware\gcasServ.exe" [2005-11-15 473928]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe" [2004-08-09 221184]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-08-09 81920]
"USB SECURITY DEVICE CoInstaller"="JupitCo.exe" - c:\windows\system32\JupitCo.exe [2002-03-14 28672]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\a2service.exe]
"Debugger"=ntsd -d

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\ArcaCheck.exe]
"Debugger"=ntsd -d

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\arcavir.exe]
"Debugger"=ntsd -d

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\ashDisp.exe]
"Debugger"=ntsd -d

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\ashEnhcd.exe]
"Debugger"=ntsd -d

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\ashServ.exe]
"Debugger"=ntsd -d

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\ashUpd.exe]
"Debugger"=ntsd -d

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\aswUpdSv.exe]
"Debugger"=ntsd -d

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\avcls.exe]
"Debugger"=ntsd -d

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\avz.exe]
"Debugger"=ntsd -d

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\avz4.exe]
"Debugger"=ntsd -d

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\avz_se.exe]
"Debugger"=ntsd -d

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\bdinit.exe]
"Debugger"=ntsd -d

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\caav.exe]
"Debugger"=ntsd -d

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\caavguiscan.exe]
"Debugger"=ntsd -d

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\casecuritycenter.exe]
"Debugger"=ntsd -d

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\ccupdate.exe]
"Debugger"=ntsd -d

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\cfp.exe]
"Debugger"=ntsd -d

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\cfpupdat.exe]
"Debugger"=ntsd -d

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\cmdagent.exe]
"Debugger"=ntsd -d

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\DRWEB32.EXE]
"Debugger"=ntsd -d

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\FAMEH32.EXE]
"Debugger"=ntsd -d

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\FPAVServer.exe]
"Debugger"=ntsd -d

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\fpscan.exe]
"Debugger"=ntsd -d

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\FPWin.exe]
"Debugger"=ntsd -d

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\fsav32.exe]
"Debugger"=ntsd -d

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\fsgk32st.exe]
"Debugger"=ntsd -d

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\FSMA32.EXE]
"Debugger"=ntsd -d

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\guardxservice.exe]
"Debugger"=ntsd -d

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\guardxup.exe]
"Debugger"=ntsd -d

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\navigator.exe]
"Debugger"=ntsd -d

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\NAVSTUB.EXE]
"Debugger"=ntsd -d

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\Nvcc.exe]
"Debugger"=ntsd -d

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\outpost.exe]
"Debugger"=ntsd -d

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\preupd.exe]
"Debugger"=ntsd -d

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\pskdr.exe]
"Debugger"=ntsd -d

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\SfFnUp.exe]
"Debugger"=ntsd -d

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\Vba32arkit.exe]
"Debugger"=ntsd -d

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\vba32ldr.exe]
"Debugger"=ntsd -d

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\Zanda.exe]
"Debugger"=ntsd -d

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\zapro.exe]
"Debugger"=ntsd -d

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\Zlh.exe]
"Debugger"=ntsd -d

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\zoneband.dll]
"Debugger"=ntsd -d

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=

R1 NHostNT1;NetOp Driver 1 ver. 7.50 (2002343);c:\windows\System32\Drivers\NHOSTNT1.SYS [2002-12-09 54032]
R2 HTTPFilterEventlog;HTTP SSL HTTPFilterEventlog;c:\windows\system32\ahuii.exe [2009-04-22 53248]
R2 JUPITER;USB SECURITY DEVICE;c:\windows\system32\DRIVERS\JUPITER.sys [2002-03-19 9312]
R2 ws2_32sik;ws2_32sik;c:\windows\system32\drivers\ws2_32sik.sys [2004-08-03 30464]
S1 ClntMgmt;Compaq Client Management Driver;c:\windows\system32\Drivers\ClntMgmt.sys [2001-11-29 53926]
S2 CpqDfwWebAgent;Compaq Remote Diagnostics Enabling Agent;c:\windows\Cpqdiag\Cpqdfwag.exe [2001-11-19 212992]
S2 cpqdiag;Compaq Diagnostics Driver;c:\windows\System32\drivers\cpqdiag.sys [2001-06-20 41344]
S2 cpqWebDmi;Compaq DMI Web Agent;c:\progra~1\Compaq\COMPAQ~2\CPQWEB~1\WebDmi.exe [2001-12-03 24576]
S2 LCRMS;Insight Manager LC Remote Management;c:\program files\Compaq\LCRMS\LCRMS.EXE [2000-05-23 376881]
S2 LogWatch;Event Log Watch;c:\windows\LogWatNT.exe [2000-06-08 50176]
S2 NetOp Host for NT Service;NetOp Helper ver. 7.50 (2002343);c:\program files\Danware Data\NetOp Remote Control\HOST\NHOSTSVC.EXE [2002-12-09 1085712]
S3 NHOSTNT3;NetOp Driver 3 ver. 7.50 (2002343);c:\windows\System32\Drivers\NHOSTNT3.SYS [2002-12-09 3216]


--- Other Services/Drivers In Memory ---

*NewlyCreated* - NMSCFG
*Deregistered* - AClient
*Deregistered* - AFD
*Deregistered* - ALG
*Deregistered* - AudioSrv
*Deregistered* - audstub
*Deregistered* - Beep
*Deregistered* - Browser
*Deregistered* - Cdfs
*Deregistered* - ClntMgmt
*Deregistered* - CPQALERT
*Deregistered* - CpqDfwWebAgent
*Deregistered* - cpqdiag
*Deregistered* - cpqdmi
*Deregistered* - cpqWebDmi
*Deregistered* - cq_mem
*Deregistered* - cqcpu
*Deregistered* - CryptSvc
*Deregistered* - DcomLaunch
*Deregistered* - Dhcp
*Deregistered* - dmio
*Deregistered* - dmload
*Deregistered* - dmserver
*Deregistered* - Dnscache
*Deregistered* - ERSvc
*Deregistered* - EventSystem
*Deregistered* - Fastfat
*Deregistered* - FastUserSwitchingCompatibility
*Deregistered* - Fips
*Deregistered* - FltMgr
*Deregistered* - Ftdisk
*Deregistered* - Gpc
*Deregistered* - helpsvc
*Deregistered* - HTTP
*Deregistered* - HTTPFilterEventlog
*Deregistered* - IpNat
*Deregistered* - IPSec
*Deregistered* - KSecDD
*Deregistered* - lanmanserver
*Deregistered* - lanmanworkstation
*Deregistered* - LCRMS
*Deregistered* - LmHosts
*Deregistered* - LogWatch
*Deregistered* - MDM
*Deregistered* - mnmdd
*Deregistered* - MountMgr
*Deregistered* - MRxDAV
*Deregistered* - MRxSmb
*Deregistered* - Msfs
*Deregistered* - mssmbios
*Deregistered* - MSSQLServer
*Deregistered* - Mup
*Deregistered* - NDIS
*Deregistered* - NdisTapi
*Deregistered* - Ndisuio
*Deregistered* - NdisWan
*Deregistered* - NDProxy
*Deregistered* - NetBIOS
*Deregistered* - NetBT
*Deregistered* - Netman
*Deregistered* - NetOp Host for NT Service
*Deregistered* - NHOSTNT3
*Deregistered* - Nla
*Deregistered* - NMSCFG
*Deregistered* - NMSSvc
*Deregistered* - Npfs
*Deregistered* - Ntfs
*Deregistered* - Null
*Deregistered* - NVSvc
*Deregistered* - PartMgr
*Deregistered* - ParVdm
*Deregistered* - PolicyAgent
*Deregistered* - ppa3
*Deregistered* - PptpMiniport
*Deregistered* - ProtectedStorage
*Deregistered* - PSched
*Deregistered* - RasAcd
*Deregistered* - Rasl2tp
*Deregistered* - RasPppoe
*Deregistered* - Raspti
*Deregistered* - Rdbss
*Deregistered* - RDPCDD
*Deregistered* - rdpdr
*Deregistered* - RemoteRegistry
*Deregistered* - RpcSs
*Deregistered* - SamSs
*Deregistered* - Schedule
*Deregistered* - seclogon
*Deregistered* - SENS
*Deregistered* - SharedAccess
*Deregistered* - ShellHWDetection
*Deregistered* - Spooler
*Deregistered* - sr
*Deregistered* - srservice
*Deregistered* - Srv
*Deregistered* - SSDPSRV
*Deregistered* - swenum
*Deregistered* - Tcpip
*Deregistered* - TermDD
*Deregistered* - TermService
*Deregistered* - Themes
*Deregistered* - TrkWks
*Deregistered* - Update
*Deregistered* - VgaSave
*Deregistered* - VolSnap
*Deregistered* - W32Time
*Deregistered* - Wanarp
*Deregistered* - WebClient
*Deregistered* - WIN32SL
*Deregistered* - winmgmt
*Deregistered* - ws2_32sik
*Deregistered* - wscsvc
*Deregistered* - wuauserv
*Deregistered* - WZCSVC

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{5964c399-fb12-11dc-af9f-00080214b5d4}]
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL wscript.exe nar.vbs
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-Administrator - c:\documents and settings\Administrator\Administrator.exe


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.trazim.com/
uInternet Connection Wizard,ShellNext = iexplore
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
DPF: {F9463571-87CB-4A90-A1AC-2284B7F5AF4E} - hxxps://www.banka.com.mk/Ctrls/Ctrls.cab
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, gmer.net
Rootkit scan 2009-04-28 08:56
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2009-04-28 8:59
ComboFix-quarantined-files.txt 2009-04-28 06:59
ComboFix2.txt 2008-10-08 06:22

Pre-Run: 27,927,445,504 bytes free
Post-Run: 28,583,133,184 bytes free


  • diarno
  • Anti Malware Fighter
    Rank 2
  • Joined: 15 Jun 2007
  • Posts: 5572

Open Notepad and copy the following text into it:

File::
c:\windows\system32\drivers\ws2_32sik.sys
c:\windows\system32\345450611.dat
c:\windows\system32\ahuii.exe 

Driver::
ws2_32sik
HTTPFilterEventlog

Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\a2service.exe]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\ArcaCheck.exe]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\arcavir.exe]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\ashDisp.exe]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\ashEnhcd.exe]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\ashServ.exe]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\ashUpd.exe]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\aswUpdSv.exe]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\avcls.exe] 
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\avz.exe] 
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\avz4.exe] 
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\avz_se.exe]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\bdinit.exe]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\caav.exe]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\caavguiscan.exe]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\ccupdate.exe]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\casecuritycenter.exe] 
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\cfp.exe]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\cfpupdat.exe]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\cmdagent.exe]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\DRWEB32.EXE]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\FAMEH32.EXE]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\FPAVServer.exe]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\fpscan.exe]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\FPWin.exe]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\fsav32.exe]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\fsgk32st.exe]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\FSMA32.EXE]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\guardxservice.exe]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\guardxup.exe]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\navigator.exe]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\NAVSTUB.EXE]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\Nvcc.exe]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\outpost.exe]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\preupd.exe]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\pskdr.exe]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\SfFnUp.exe]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\Vba32arkit.exe]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\vba32ldr.exe]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\Zanda.exe]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\zapro.exe]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\Zlh.exe]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\zoneband.dll]


Save the file from Notepad to the Desktop as "CFScript"

Drag the saved script/text onto the ComboFix icon as shown in the picture.
Post in your next message the log that is produced at the end of the cleaning/scan.
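The Registry:: section of the script above deletes Image File Execution Options subkeys named after antivirus programs. Windows consults these subkeys whenever a program of that name is started, and a "Debugger" value there silently substitutes another executable, which is why an infection that "blocks AV protection" is often found at this location. As an added example (not from this thread and not ComboFix's own code), here is a Python triage script that parses a REGEDIT4-style text export such as the "Reg Loading Points" section of a ComboFix log and flags three of the things that appear in this thread's logs: IFEO subkeys (with or without a Debugger value), Security Center "DisableNotify" values set to 1, and MountPoints2 AutoRun commands. The sample export embedded in the script is constructed, and the debugger path in it is a placeholder.

```python
import re
from dataclasses import dataclass

# Constructed REGEDIT4-style sample, modelled on the "Reg Loading Points"
# section of a ComboFix log. Not an export from any real machine; the
# Debugger path and the iexplore.exe setting are placeholders.
SAMPLE_EXPORT = r"""REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\\windows\\system32\\ctfmon.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\avz.exe]
"Debugger"="c:\\windows\\system32\\PLACEHOLDER_debugger.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\iexplore.exe]
"PLACEHOLDER_setting"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
"FirewallDisableNotify"=dword:00000000

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{5964c399-fb12-11dc-af9f-00080214b5d4}\Shell\AutoRun\command]
@="c:\\windows\\system32\\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL wscript.exe nar.vbs"
"""

IFEO_MARK = "\\image file execution options\\"

# Matches '"name"=value' or '@=value' (default value) lines of a .reg file.
_VALUE_RE = re.compile(r'^(?:"(?P<name>(?:[^"\\]|\\.)*)"|(?P<default>@))=(?P<raw>.*)$')


@dataclass
class Finding:
    severity: str   # "high", "medium" or "low"
    key: str        # registry key the finding refers to
    detail: str     # human-readable explanation


def parse_reg_export(text):
    """Parse REGEDIT4/5 text into {key_path: {value_name: value}}.
    The default value is stored under "@". REG_SZ strings are unescaped and
    REG_DWORD values decoded to int; any other type is kept as raw text."""
    keys = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.upper().startswith("REGEDIT") or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = _VALUE_RE.match(line)
        if m is None or current is None:
            continue
        name = "@" if m.group("default") else m.group("name")
        raw = m.group("raw").strip()
        if len(raw) >= 2 and raw.startswith('"') and raw.endswith('"'):
            value = raw[1:-1].replace('\\\\', '\\').replace('\\"', '"')
        elif raw.lower().startswith("dword:"):
            value = int(raw[6:], 16)
        else:
            value = raw
        keys[current][name] = value
    return keys


def triage(text):
    """Return a list of Finding objects for the suspicious entries in a .reg export."""
    findings = []
    for key, values in parse_reg_export(text).items():
        low = key.lower()
        if IFEO_MARK in low:
            target = key.rsplit("\\", 1)[-1]
            dbg = next((v for n, v in values.items() if n.lower() == "debugger"), None)
            if dbg is not None:
                findings.append(Finding("high", key, f"launch of {target} is redirected to {dbg}"))
            else:
                findings.append(Finding("low", key, f"IFEO subkey present for {target}; confirm it is intended"))
        elif low.endswith("\\security center"):
            for name, value in values.items():
                if name.lower().endswith("disablenotify") and value == 1:
                    findings.append(Finding("medium", key, f"{name} = 1 suppresses a Security Center warning"))
        elif "\\mountpoints2\\" in low and "\\autorun\\" in low:
            cmd = values.get("@")
            if cmd:
                findings.append(Finding("high", key, f"AutoRun command registered for a removable volume: {cmd}"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_EXPORT):
        print(f"[{f.severity:<6}] {f.key}\n         {f.detail}")
```

On a live machine the same functions can be pointed at a file produced with `reg export` (REGEDIT5 format is parsed the same way); the triage rules are deliberately narrow so that a "low" IFEO hit only asks for confirmation, while a Debugger value or an AutoRun command on a removable volume is reported as "high".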

  • Joined: 23 Oct 2007
  • Posts: 49

Written: 29 Apr 2009 11:18

done


ComboFix 09-04-27.03 - Administrator 29/04/2009 11:04.7 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1251.389.1033.18.127.18 [GMT 2:00]
Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Administrator\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
c:\windows\system32\345450611.dat
c:\windows\system32\ahuii.exe
c:\windows\system32\drivers\ws2_32sik.sys
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\345450611.dat
c:\windows\system32\ahuii.exe
c:\windows\system32\drivers\ws2_32sik.sys

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_HTTPFILTEREVENTLOG
-------\Legacy_WS2_32SIK
-------\Service_HTTPFilterEventlog
-------\Service_ws2_32sik


((((((((((((((((((((((((( Files Created from 2009-05-28 to 2009-4-29 )))))))))))))))))))))))))))))))
.

2009-04-24 10:40 . 2009-04-24 10:40 -------- d-----w c:\documents and settings\Administrator\Application Data\Malwarebytes
2009-04-24 10:40 . 2009-01-04 16:38 15504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-04-24 10:40 . 2009-01-04 16:38 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-24 10:40 . 2009-04-24 10:40 -------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes
2009-04-24 10:40 . 2009-04-24 10:40 -------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-04-23 07:13 . 2009-04-23 07:14 -------- d-----w c:\program files\Spybot - Search & Destroy
2009-04-23 07:13 . 2009-04-23 07:21 -------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-29 09:09 . 2005-12-14 11:53 -------- d-----w c:\program files\Microsoft AntiSpyware
2009-04-27 10:33 . 2008-10-01 12:01 -------- d-----w c:\program files\Trend Micro
2009-04-27 06:19 . 2006-01-06 12:24 -------- d-----w c:\program files\Pozaren pridones
2009-04-23 12:15 . 2006-09-29 06:04 -------- d-----w c:\program files\Cistacki
2009-04-06 07:02 . 2008-01-31 06:56 -------- d-----w c:\program files\Honorarci
2009-04-03 07:31 . 2006-02-14 06:48 -------- d-----w c:\program files\Provizija
2009-04-03 07:21 . 2002-09-12 10:59 -------- d-----w c:\program files\Virmani
2009-03-26 12:04 . 2008-01-25 08:14 -------- d-----w c:\program files\Hrana
2009-03-25 13:46 . 2008-01-28 11:06 -------- d-----w c:\program files\Prevoz
2002-09-12 10:31 . 2002-09-12 10:59 7510 ----a-w c:\program files\ST6UNST.LOG
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-08-03 1667584]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-03 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"cpqek"="c:\program files\Compaq\Compaq EAB Software\cpqek.exe" [2001-09-12 73728]
"ChkAdmin"="c:\progra~1\Compaq\COMPAQ~2\CHKADMIN.EXE" [2001-12-03 81920]
"gcasServ"="c:\program files\Microsoft AntiSpyware\gcasServ.exe" [2005-11-15 473928]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe" [2004-08-09 221184]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-08-09 81920]
"USB SECURITY DEVICE CoInstaller"="JupitCo.exe" - c:\windows\system32\JupitCo.exe [2002-03-14 28672]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=

R1 NHostNT1;NetOp Driver 1 ver. 7.50 (2002343);c:\windows\System32\Drivers\NHOSTNT1.SYS [2002-12-09 54032]
R2 JUPITER;USB SECURITY DEVICE;c:\windows\system32\DRIVERS\JUPITER.sys [2002-03-19 9312]
S1 ClntMgmt;Compaq Client Management Driver;c:\windows\system32\Drivers\ClntMgmt.sys [2001-11-29 53926]
S2 CpqDfwWebAgent;Compaq Remote Diagnostics Enabling Agent;c:\windows\Cpqdiag\Cpqdfwag.exe [2001-11-19 212992]
S2 cpqdiag;Compaq Diagnostics Driver;c:\windows\System32\drivers\cpqdiag.sys [2001-06-20 41344]
S2 cpqWebDmi;Compaq DMI Web Agent;c:\progra~1\Compaq\COMPAQ~2\CPQWEB~1\WebDmi.exe [2001-12-03 24576]
S2 LCRMS;Insight Manager LC Remote Management;c:\program files\Compaq\LCRMS\LCRMS.EXE [2000-05-23 376881]
S2 LogWatch;Event Log Watch;c:\windows\LogWatNT.exe [2000-06-08 50176]
S2 NetOp Host for NT Service;NetOp Helper ver. 7.50 (2002343);c:\program files\Danware Data\NetOp Remote Control\HOST\NHOSTSVC.EXE [2002-12-09 1085712]
S3 NHOSTNT3;NetOp Driver 3 ver. 7.50 (2002343);c:\windows\System32\Drivers\NHOSTNT3.SYS [2002-12-09 3216]


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{5964c399-fb12-11dc-af9f-00080214b5d4}]
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL wscript.exe nar.vbs
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.trazim.com/
uInternet Connection Wizard,ShellNext = iexplore
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
DPF: {F9463571-87CB-4A90-A1AC-2284B7F5AF4E} - hxxps://www.banka.com.mk/Ctrls/Ctrls.cab
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, gmer.net
Rootkit scan 2009-04-29 11:09
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
c:\compaq\ACLIENT\AClient.exe
c:\program files\COMPAQ\Compaq Management Agents\Cpqalert.exe
c:\program files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
c:\windows\system32\nvsvc32.exe
c:\program files\COMPAQ\Compaq Management Agents\Dmi\Win32\bin\Win32sl.exe
c:\progra~1\COMPAQ\COMPAQ~2\Cpqdmi.exe
c:\program files\Microsoft AntiSpyware\gcasDtServ.exe
.
**************************************************************************
.
Completion time: 2009-04-29 11:12 - machine was rebooted
ComboFix-quarantined-files.txt 2009-04-29 09:12
ComboFix2.txt 2009-04-28 09:31
ComboFix3.txt 2009-04-28 06:59
ComboFix4.txt 2008-10-08 06:22

Pre-Run: 28,560,748,544 bytes free
Post-Run: 28,531,003,392 bytes free


Addendum: 29 Apr 2009 11:19

done


  • diarno
  • Anti Malware Fighter
    Rank 2
  • Joined: 15 Jun 2007
  • Posts: 5572

How are things now?

Do this as well, just so we can check that the USB device you own is not infected too, since there are traces of some worm in the log.

- Download USBNoRisk to the Desktop and start it by double-clicking the program icon.
- Wait a few seconds while the program performs its initial scan.
- Insert all your USB storage devices one after another into the USB slot and keep each one in the slot for 10 seconds.
- If you have several devices to check, write down on a piece of paper the order in which they were inserted, because we will need that information later.
- When you have finished with all the devices, right-click in the middle of the program window and choose the Save log option. That will automatically open the log in Notepad. Copy that log from Notepad to the forum for us.

Explanation: USB storage devices are all those devices that receive their own drive letter when connected to the computer. These include USB flash drives, external hard disks, memory cards, MP3 and MP4 players, some mobile phones, some GPS (navigation) devices, etc.
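The USB check requested above looks, per volume, for autorun.inf files and for "mimics" (executables posing as folders); the MountPoints2 AutoRun entry in the ComboFix log is the host-side trace of the same mechanism. As an added example that is not part of the thread and not USBNoRisk's own code, here is a Python script that performs those two checks on a directory tree: it parses an autorun.inf and lists the commands it would run or offer, and it finds executables whose base name matches a sibling folder. The sample volume it builds in a temporary directory is constructed; the `nar.vbs` in it is an empty placeholder named after the file seen in the ComboFix log, not a copy of anything real.

```python
import os
import shutil
import tempfile
from pathlib import Path

# [autorun] keys that start a program when the volume is inserted or opened.
LAUNCH_KEYS = ("open", "shellexecute")
# Extensions a "mimic" file next to a same-named folder typically carries.
EXEC_EXTS = (".exe", ".com", ".scr", ".pif", ".bat", ".cmd", ".vbs")


def parse_autorun(text):
    """Tolerant INI-style parser for autorun.inf.
    Returns {section: {key: value}} with lowercase section and key names;
    comment lines and lines without '=' are skipped."""
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "#")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        key, value = line.split("=", 1)
        sections[current][key.strip().lower()] = value.strip()
    return sections


def autorun_launch_targets(sections):
    """Return (key, command) pairs an autorun.inf would run or offer:
    open=, shellexecute= and every shell\\<verb>\\command= entry."""
    auto = sections.get("autorun", {})
    return [(k, v) for k, v in auto.items()
            if k in LAUNCH_KEYS or (k.startswith("shell\\") and k.endswith("\\command"))]


def find_mimics(root):
    """Find executables whose base name equals a sibling folder's name
    (e.g. a folder 'Photos' next to 'Photos.exe'), anywhere under root."""
    mimics = []
    for dirpath, dirnames, filenames in os.walk(root):
        lowered = {f.lower(): f for f in filenames}
        for d in dirnames:
            for ext in EXEC_EXTS:
                hit = lowered.get(d.lower() + ext)
                if hit:
                    mimics.append(str(Path(dirpath) / hit))
    return sorted(mimics)


def scan_volume(root):
    """Report autorun launch targets and mimic files for one volume root."""
    root = Path(root)
    report = {"autorun_targets": [], "mimics": find_mimics(root)}
    inf = next((p for p in root.iterdir() if p.name.lower() == "autorun.inf"), None)
    if inf is not None and inf.is_file():
        report["autorun_targets"] = autorun_launch_targets(
            parse_autorun(inf.read_text(errors="replace")))
    return report


def build_sample_volume():
    """Construct a throwaway directory imitating an infected removable volume.
    Sample content only: every file here is a placeholder."""
    root = Path(tempfile.mkdtemp(prefix="usbscan_"))
    (root / "autorun.inf").write_text(
        "[autorun]\n"
        "shellexecute=nar.vbs\n"
        "shell\\open\\command=wscript.exe nar.vbs\n"
        "icon=%SystemRoot%\\system32\\SHELL32.dll,4\n")
    (root / "nar.vbs").write_text("' placeholder, not a real script\n")
    (root / "Photos").mkdir()
    (root / "Photos.exe").write_bytes(b"MZ placeholder")
    (root / "Documents").mkdir()
    (root / "report.txt").write_text("harmless\n")
    return root


def remove_sample_volume(root):
    shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    sample = build_sample_volume()
    result = scan_volume(sample)
    for key, cmd in result["autorun_targets"]:
        print(f"autorun.inf would launch via {key}: {cmd}")
    for path in result["mimics"]:
        print(f"mimic file next to a same-named folder: {path}")
    remove_sample_volume(sample)
```

To check a real volume, call `scan_volume("E:\\")` (or the mount point on another OS); an empty `autorun_targets` list and an empty `mimics` list correspond to the "No Autorun.inf files found" and "No mimics found" lines in a USBNoRisk log.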

  • Joined: 23 Oct 2007
  • Posts: 49

Things are great now; so far everything works, even the CD drive has started reading. I successfully installed an AV as well and it is running.
Here is the log file for 2 USB memory cards

USBNoRisk 2.1 by bobby

Started at 30/04/2009 12:06:19 PM

Scanning for connected USB Mass storage...
----------------------------------------
========================================

Scanning for other storage...
----------------------------------------
C: {d97ce59e-deb9-11db-ae87-806d6172696f}
========================================


Scanning fixed storage for autorun.inf files...
----------------------------------------

No blocked files found on C:
No Autorun.inf files found on C:
No mountpoint found for C:
No mountpoint found for d97ce59e-deb9-11db-ae87-806d6172696f
----------------------------------------

========================================
Initial scan finished!
========================================


New device connected at 30/04/2009 12:06:32 PM

Scanning for connected USB mass storage...
----------------------------------------
E: {599ae974-7a4f-11dd-b013-00080214b5d4}
Added E:
========================================

Scanning USB mass storage for files...
----------------------------------------
No blocked files found on E:
----------------------------------------
No Autorun.inf files found on E:
No mountpoint found for 599ae974-7a4f-11dd-b013-00080214b5d4
----------------------------------------

No Desktop.ini files found on E:
----------------------------------------

No mimics found on drive E:
========================================

========================================
Removed E:
========================================


New device connected at 30/04/2009 12:07:10 PM

Scanning for connected USB mass storage...
----------------------------------------
E: {aab2e3fe-356e-11de-b0ef-00080214b5d4}
Added E:
========================================

Scanning USB mass storage for files...
----------------------------------------
No blocked files found on E:
----------------------------------------
No Autorun.inf files found on E:
No mountpoint found for aab2e3fe-356e-11de-b0ef-00080214b5d4
----------------------------------------

No Desktop.ini files found on E:
----------------------------------------

No mimics found on drive E:
========================================

  • diarno
  • Anti Malware Fighter
    Rank 2
  • Joined: 15 Jun 2007
  • Posts: 5572

Ok.. that's it.. type in Run: Combofix /u
