windows script host


  • Joined: 04 Sep 2007
  • Posts: 130

Should I plug in the player and the USB stick again?

  • Joined: 04 Sep 2003
  • Posts: 24135
  • Location: Wien

Yes, they are infected too.
We managed to stop the malware from launching automatically when the player and the USB stick are plugged in, but I need to find where the malware files are so that we can delete them as well.
The same goes for the partitions.

  • Joined: 04 Sep 2007
  • Posts: 130

USBNoRisk 2.4 (1 June 2009) by bobby

Started at 6/22/2009 10:29:39 PM

Searching for connected USB Mass storage...
----------------------------------------
========================================

Searching for other storage...
----------------------------------------
C: {0c44db79-3db6-11de-b67a-806d6172696f}
D: {0c44db7a-3db6-11de-b67a-806d6172696f}
F: {8245a7d2-3daa-11de-8022-806d6172696f}
G: {8245a7d3-3daa-11de-8022-806d6172696f}
========================================


Scanning fixed storage...
----------------------------------------

No blocked files found on C:
No Autorun.inf files found on C:
No mountpoint found for C:
No mountpoint found for 0c44db79-3db6-11de-b67a-806d6172696f
No Desktop.ini files found on C:
----------------------------------------

No blocked files found on D:
No Autorun.inf files found on D:
No mountpoint found for D:
No mountpoint found for 0c44db7a-3db6-11de-b67a-806d6172696f
No Desktop.ini files found on D:
----------------------------------------

No blocked files found on F:
No Autorun.inf files found on F:
No mountpoint found for F:
No mountpoint found for 8245a7d2-3daa-11de-8022-806d6172696f
No Desktop.ini files found on F:
----------------------------------------

No blocked files found on G:
No Autorun.inf files found on G:
No mountpoint found for G:
No mountpoint found for 8245a7d3-3daa-11de-8022-806d6172696f
No Desktop.ini files found on G:
----------------------------------------

========================================
Initial scan finished!
========================================

Processing script
----------------------------------------
0c44db79-3db6-11de-b67a-806d6172696f
Drive letter for GUID: C:
SectionStart = 0
SectionEnd = 3
File lock detected:
USBNoRisk cannot find what locked the file
Delete: C:\24233.vbs > Error!
----------------------------------------
Folder list for C:\:
----------------------------------------

-rahs   21   C:\101207.cmd   C:\101207.cmd
-rahs   83   C:\24233.vbs   C:\24233.vbs
--a--   0   C:\AUTOEXEC.BAT   C:\AUTOEXEC.BAT
---hs   211   C:\boot.ini   C:\boot.ini
--a--   0   C:\CONFIG.SYS   C:\CONFIG.SYS
d----   0   C:\DOCUME~1   C:\Documents and Settings
prot-   536449024      C:\hiberfil.sys
-rahs   0   C:\IO.SYS   C:\IO.SYS
-rahs   0   C:\MSDOS.SYS   C:\MSDOS.SYS
-rahs   47564   C:\NTDETECT.COM   C:\NTDETECT.COM
-rahs   250048   C:\ntldr   C:\ntldr
prot-   805306368      C:\pagefile.sys
d----   0   C:\proba   C:\proba
dr---   0   C:\PROGRA~1   C:\Program Files
d--hs   0   C:\RECYCLER   C:\RECYCLER
d--hs   0   C:\SYSTEM~1   C:\System Volume Information
d----   0   C:\USBNOR~1   C:\USBNoRisk
--a--   5493   C:\USBNOR~1.RAR   C:\USBNoRisk.rar
d----   0   C:\WINDOWS   C:\WINDOWS

----------------------------------------

0c44db7a-3db6-11de-b67a-806d6172696f
Drive letter for GUID: D:
SectionStart = 4
SectionEnd = 7
File lock detected:
USBNoRisk cannot find what locked the file
Delete: D:\24233.vbs > Error!
----------------------------------------
Folder list for D:\:
----------------------------------------

-rahs   21   D:\101207.cmd   D:\101207.cmd
-rahs   83   D:\24233.vbs   D:\24233.vbs
d----   0   D:\BAAL008   D:\BAAL008
d----   0   D:\CAFECO~1   D:\cafe copacabana
d----   0   D:\HOUSE   D:\HOUSE
d----   0   D:\JOEYNE~1   D:\Joey Negro - Ride The Rhythm
d----   0   D:\KM5_IB~1   D:\KM5_ibiza volumen_9
d----   0   D:\LONGE   D:\LONGE
--a--   29679616   D:\MICHEL~1.MP3   D:\Michel_Cleis_-_La_Mezcla.mp3
d----   0   D:\MOONBE~1   D:\Moonbeam-When_Tears_Are_Dropping_Form_The_Sky-(TRAUM111)-WEB-2009-1KING
d----   0   D:\PESME   D:\PESME
d--hs   0   D:\RECYCLER   D:\RECYCLER
d----   0   D:\ROSS_C~1   D:\Ross_Couch_Night_and_Day__Album_Sampler___BRR016__WEB_2009_EMM
d----   0   D:\SHOVEL~1   D:\Shovell_And_The_Latin_Hooligans-Soul_Makossa-(DFTD227D)-WEB-2009-EPiCFAiL
d--hs   0   D:\SYSTEM~1   D:\System Volume Information
d----   0   D:\VA-SUB~1   D:\VA-Subliminal_Sessions_Summer_2009_(Unmixed_Mixed_by_Erick_Morillo)-2009

----------------------------------------

8245a7d2-3daa-11de-8022-806d6172696f
Drive letter for GUID: F:
SectionStart = 8
SectionEnd = 11
File lock detected:
USBNoRisk cannot find what locked the file
Delete: F:\24233.vbs > Error!
----------------------------------------
Folder list for F:\:
----------------------------------------

-rahs   21   F:\101207.cmd   F:\101207.cmd
-rahs   83   F:\24233.vbs   F:\24233.vbs
d----   0   F:\OUTNUM~1.3   F:\Out.Numbered.3
d--hs   0   F:\RECYCLER   F:\RECYCLER
--a--   730896384   F:\SPERMD~2.AVI   F:\sperm drain-a.avi
--a--   728752128   F:\SPERMD~1.AVI   F:\sperm drain-b.avi
d--hs   0   F:\SYSTEM~1   F:\System Volume Information
--ahs   6656   F:\Thumbs.db   F:\Thumbs.db
d----   0   F:\UPINSM~1   F:\up in smoke
d----   0   F:\water   F:\water

----------------------------------------

8245a7d3-3daa-11de-8022-806d6172696f
Drive letter for GUID: G:
SectionStart = 12
SectionEnd = 15
File lock detected:
USBNoRisk cannot find what locked the file
Delete: G:\24233.vbs > Error!
----------------------------------------
Folder list for G:\:
----------------------------------------

-rahs   21   G:\101207.cmd   G:\101207.cmd
-rahs   83   G:\24233.vbs   G:\24233.vbs
dr---   0   G:\Dacha   G:\Dacha
dr---   0   G:\DRUM   G:\DRUM
d--hs   0   G:\found.000   G:\found.000
dr---   0   G:\HIPHOP~1   G:\hip hop
dr---   0   G:\HOUSE   G:\HOUSE
-rahs   0   G:\kht   G:\kht
dr---   0   G:\LONGE   G:\LONGE
dr---   0   G:\obuka   G:\obuka
d----   0   G:\podaci   G:\podaci
d--hs   0   G:\RECYCLER   G:\RECYCLER
dr---   0   G:\REGGAE   G:\REGGAE
d--hs   0   G:\SYSTEM~1   G:\System Volume Information

----------------------------------------



New device connected at 6/22/2009 10:31:42 PM

Scanning for connected USB mass storage...
----------------------------------------

========================================
New drive connected, but USBNoRisk can't find it
========================================



New device connected at 6/22/2009 10:31:43 PM

Scanning for connected removable storage...
----------------------------------------
H: {fe21aa0e-3e36-11de-8025-00508d59a11d}
Added H:
========================================

Scanning removable storage for files...
----------------------------------------
No blocked files found on H:
----------------------------------------
No Autorun.inf files found on H:
Sanitized mountpoint for fe21aa0e-3e36-11de-8025-00508d59a11d
----------------------------------------

No Desktop.ini files found on H:
----------------------------------------

No mimics found on drive H:
========================================

Processing script
----------------------------------------
fe21aa0e-3e36-11de-8025-00508d59a11d
Drive letter for GUID: H:
SectionStart = 16
SectionEnd = 19
File lock detected:
USBNoRisk cannot find what locked the file
Delete: H:\24233.vbs > Error!
----------------------------------------
Folder list for H:\:
----------------------------------------

dr-hs   0   H:\RECYCLER   H:\RECYCLER
-rahs   406578   H:\ngjavz.exe   H:\ngjavz.exe
d----   0   H:\Testovi   H:\Testovi
d----   0   H:\OMGAUDIO   H:\OMGAUDIO
-rahs   2293   H:\20271.cmd   H:\20271.cmd
-rahs   83   H:\24233.vbs   H:\24233.vbs
-rahs   21   H:\101207.cmd   H:\101207.cmd

----------------------------------------

========================================
Scan finished!
========================================

========================================
Removed H:
========================================


New device connected at 6/22/2009 10:32:19 PM

Scanning for connected USB mass storage...
----------------------------------------
H: {710e41e0-46fc-11de-802b-00508d59a11d}
Added H:
========================================

Scanning USB mass storage for files...
----------------------------------------
No blocked files found on H:
----------------------------------------
No Autorun.inf files found on H:
Sanitized mountpoint for 710e41e0-46fc-11de-802b-00508d59a11d
----------------------------------------

----------------------------------------
Desktop.ini found at H:\Recycled\ contains interesting CLSID string
----------------------------------------
[.ShellClassInfo]
CLSID={645FF040-5081-101B-9F08-00AA002F954E}
----------------------------------------
HKCR\CLSID\{645FF040-5081-101B-9F08-00AA002F954E},InfoTip = @%SystemRoot%\system32\SHELL32.dll,-22915
HKCR\CLSID\{645FF040-5081-101B-9F08-00AA002F954E},IntroText = @%SystemRoot%\system32\SHELL32.dll,-31748
HKCR\CLSID\{645FF040-5081-101B-9F08-00AA002F954E},LocalizedString = @%SystemRoot%\system32\SHELL32.dll,-8964
HKCR\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\DefaultIcon,@ = %SystemRoot%\System32\shell32.dll,31
HKCR\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\DefaultIcon,Empty = %SystemRoot%\System32\shell32.dll,31
HKCR\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\DefaultIcon,Full = %SystemRoot%\System32\shell32.dll,32
HKCR\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\InProcServer32,@ = shell32.dll
HKLM\Software\Classes\CLSID\{645FF040-5081-101B-9F08-00AA002F954E},InfoTip = @%SystemRoot%\system32\SHELL32.dll,-22915
HKLM\Software\Classes\CLSID\{645FF040-5081-101B-9F08-00AA002F954E},IntroText = @%SystemRoot%\system32\SHELL32.dll,-31748
HKLM\Software\Classes\CLSID\{645FF040-5081-101B-9F08-00AA002F954E},LocalizedString = @%SystemRoot%\system32\SHELL32.dll,-8964
HKLM\Software\Classes\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\DefaultIcon,@ = %SystemRoot%\System32\shell32.dll,31
HKLM\Software\Classes\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\DefaultIcon,Empty = %SystemRoot%\System32\shell32.dll,31
HKLM\Software\Classes\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\DefaultIcon,Full = %SystemRoot%\System32\shell32.dll,32
HKLM\Software\Classes\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\InProcServer32,@ = shell32.dll
----------------------------------------

No mimics found on drive H:
========================================

Processing script
----------------------------------------
710e41e0-46fc-11de-802b-00508d59a11d
Drive letter for GUID: H:
SectionStart = 20
SectionEnd = 23
f_copy:
read file error: H:\Comment.htt, The system cannot find the file specified.
f_delete: H:\Comment.htt > File does not exist!
----------------------------------------
Folder list for H:\:
----------------------------------------

d----   0   H:\GRACEJ~1   H:\GRACE JONES
d----   0   H:\pdf   H:\pdf
-rahs   2293   H:\20271.cmd   H:\20271.cmd
-r-hs   106254   H:\e.cmd   H:\e.cmd
d----   0   H:\ELECTR~1.2   H:\Electro house 2008 vol.2
d--hs   0   H:\Recycled   H:\Recycled
---hs   19794   H:\explorer.exe   H:\explorer.exe
-rahs   83   H:\24233.vbs   H:\24233.vbs
-rahs   21   H:\101207.cmd   H:\101207.cmd
dr-hs   0   H:\RECYCLER   H:\RECYCLER
-r-hs   93385   H:\jdhc2x2.com   H:\jdhc2x2.com
d----   0   H:\HARD_M~1   H:\Hard_Mix-Brazilian_House-WEB-(MPM0003)-2009-CopyCAT
d----   0   H:\HED_KA~1   H:\Hed_Kandi_The_Mix_Spring_2009-3_CD-2009
d----   0   H:\JOHNNY~1._LE   H:\Johnny_Fiasco-Groove_On_(Incl._Lego_Remix)-(KFD010)-WEB-2009-SOULFUL
d----   0   H:\JUSTIN~1._MA   H:\Justin_Michael_and_Born_to_Funk_Ft._Maya-Change_is_on_the_Way-_PM067_-WEB-2009-BSiDE
d----   0   H:\LA_VID~1.2   H:\La_Vida_Loca_-_The_Latin_House_Party_Vol.2
d----   0   H:\VA-BUD~1   H:\VA - Buddha Bar - Sunlounger (2009)
d----   0   H:\VA_-_H~1   H:\VA_-_House_this_(Mixed_by_Kneedeep)-2009-MST
d----   0   H:\VA_-_M~1   H:\VA_-_Music_For_Cocktails_(Elite_Edition)-2CD-2009-LiR
d----   0   H:\VA-BAR~1   H:\VA-Bar_Vista-Latino-2CD-2009
d----   0   H:\VA-CHI~1   H:\VA-Chill Jazz Sessions (2009)
d----   0   H:\VONMON~1   H:\Von Mondo - House Jazz Masters (2006)
d----   0   H:\BORN_T~1   H:\Born_To_Funk-Get_Funky-(GKF061)-WEB-2008-IMT
---hs   348160   H:\msvcr71.dll   H:\msvcr71.dll
dr-hs   0   H:\RESTORE   H:\RESTORE
---hs   3514318   H:\AdobeR.exe   H:\AdobeR.exe
d--hs   0   H:\MSOCache   H:\MSOCache

----------------------------------------

========================================
Scan finished!
========================================

========================================
Removed H:
========================================

  • Joined: 04 Sep 2003
  • Posts: 24135
  • Location: Wien

It is more complicated than I thought.

Leave the player and the USB stick plugged into the USB ports before you run the next program I am going to give you.

Download sUBs' ComboFix from one of the following addresses to the Desktop:

Bleeping Computer . . . . . Geeks to Go!
Right-click one of the links and choose Save Target As... (Save Link As..., Save Linked Content As... or similar);
When the dialog for choosing where to save the file opens, select Desktop and click Save.

When the download is complete:
close any running programs;
disable your security software (instructions);
double-click ComboFix to run it.

While it runs, ComboFix will:
check whether a newer version of the program exists:
  click Yes if it offers to download it.
display the DISCLAIMER OF WARRANTY ON SOFTWARE:
  click Yes so that the process continues.
offer to install the Recovery Console if it is not installed:
  accept by clicking Yes and follow the procedure.
ask a number of questions / show a number of notices:
  accept by clicking Yes or OK.
restart Windows if needed (possibly several times);
at the end, open Notepad with the scan report.

Copy the report ComboFix produced into the forum thread:
right-click in the Notepad window and choose Select All;
right-click the selected text and choose Copy;
right-click in the message box and choose Paste.

Note: the report will be saved as ComboFix.txt on the system partition (typical location: C:\ComboFix.txt);
if after posting you notice the report is incomplete, use the Attach file option to attach C:\ComboFix.txt to your message.

  • Joined: 04 Sep 2007
  • Posts: 130

ComboFix 09-06-22.01 - blaza 06/22/2009 22:49.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.512.225 [GMT 2:00]
Running from: c:\documents and settings\blaza\Desktop\ComboFix.exe
AV: ESET NOD32 Antivirus 3.0 *On-access scanning disabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\AutoRun.inf

.
((((((((((((((((((((((((( Files Created from 2009-05-22 to 2009-06-22 )))))))))))))))))))))))))))))))
.

2009-06-22 19:53 . 2009-06-22 20:35 -------- d-----w- C:\USBNoRisk
2009-06-14 23:18 . 2009-06-14 23:18 152576 ----a-w- c:\documents and settings\blaza\Application Data\Sun\Java\jre1.6.0_14\lzma.dll
2009-06-10 21:46 . 2009-06-10 21:46 0 ----a-w- c:\windows\nsreg.dat
2009-06-10 21:46 . 2009-06-10 21:46 -------- d-----w- c:\documents and settings\blaza\Local Settings\Application Data\Mozilla
2009-06-04 19:54 . 2009-06-22 16:38 -------- d-----w- c:\documents and settings\blaza\Tracing
2009-06-04 19:53 . 2009-02-06 16:08 55152 ----a-w- c:\windows\system32\drivers\fssfltr_tdi.sys
2009-06-04 19:52 . 2009-06-04 19:52 -------- d-----w- c:\program files\Microsoft Sync Framework
2009-06-04 19:51 . 2006-11-29 11:06 3426072 ----a-w- c:\windows\system32\d3dx9_32.dll
2009-06-04 19:51 . 2009-06-04 19:51 -------- d-----w- c:\program files\Microsoft SQL Server Compact Edition
2009-06-04 19:49 . 2009-06-04 19:49 -------- d-----w- c:\program files\Microsoft
2009-06-04 19:49 . 2009-06-04 19:49 -------- d-----w- c:\program files\Windows Live SkyDrive
2009-06-04 19:48 . 2009-06-04 19:53 -------- d-----w- c:\program files\Windows Live
2009-06-04 19:39 . 2009-06-04 19:39 -------- d-----w- c:\program files\Common Files\Windows Live
2009-06-02 14:29 . 2001-08-17 11:48 12160 -c--a-w- c:\windows\system32\dllcache\mouhid.sys
2009-06-02 14:29 . 2001-08-17 11:48 12160 ----a-w- c:\windows\system32\drivers\mouhid.sys
2009-06-02 14:29 . 2008-04-13 22:15 10368 -c--a-w- c:\windows\system32\dllcache\hidusb.sys
2009-06-02 14:29 . 2008-04-13 22:15 10368 ----a-w- c:\windows\system32\drivers\hidusb.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-06-22 16:47 . 2009-05-14 18:40 -------- d-----w- c:\documents and settings\blaza\Application Data\Skype
2009-06-17 13:55 . 2009-05-11 15:21 -------- d-----w- c:\program files\Winamp
2009-06-15 00:18 . 2009-05-11 19:15 -------- d-----w- c:\program files\j
2009-06-14 23:19 . 2009-05-11 23:46 -------- d-----w- c:\program files\Java
2009-06-07 20:46 . 2009-05-11 14:16 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-06-04 19:53 . 2009-05-10 22:34 12912 ----a-w- c:\documents and settings\blaza\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-05-22 22:34 . 2009-05-22 22:34 -------- d-----w- c:\program files\AC3Filter
2009-05-22 17:53 . 2009-05-22 17:53 -------- d-----w- c:\program files\Microsoft Silverlight
2009-05-21 17:53 . 2009-05-15 19:28 -------- d-----w- c:\program files\Easy CD-DA Extractor 8
2009-05-21 09:33 . 2009-05-11 23:46 410984 ----a-w- c:\windows\system32\deploytk.dll
2009-05-20 23:13 . 2009-05-20 23:00 -------- d-----w- c:\program files\Mv2Player
2009-05-20 23:00 . 2009-05-20 23:00 -------- d-----w- c:\documents and settings\blaza\Application Data\DivX
2009-05-20 22:59 . 2009-05-20 22:59 -------- d-----w- c:\program files\DivX
2009-05-20 22:59 . 2009-05-20 22:59 -------- d-----w- c:\program files\Common Files\DivX Shared
2009-05-20 01:03 . 2009-05-20 00:17 -------- d-----w- c:\program files\Conduit
2009-05-20 00:19 . 2009-05-20 00:16 -------- d-----w- c:\program files\BitLord
2009-05-14 20:11 . 2009-05-14 20:11 -------- d-----w- c:\documents and settings\blaza\Application Data\SpeedSim
2009-05-14 20:11 . 2009-05-14 20:11 -------- d-----w- c:\program files\SpeedSim
2009-05-14 18:40 . 2009-05-14 18:40 -------- d-----w- c:\program files\Skype
2009-05-14 00:12 . 2009-05-14 00:12 83 --sha-r- c:\windows\system32\24233.vbs
2009-05-14 00:12 . 2009-05-14 00:12 83 --sha-r- C:\24233.vbs
2009-05-14 00:12 . 2009-05-14 00:12 21 --sha-r- c:\windows\system32\101207.cmd
2009-05-14 00:12 . 2009-05-14 00:12 21 --sha-r- C:\101207.cmd
2009-05-12 01:23 . 2009-05-10 21:20 86327 ----a-w- c:\windows\pchealth\helpctr\OfflineCache\index.dat
2009-05-11 23:46 . 2009-05-11 23:46 152576 ----a-w- c:\documents and settings\blaza\Application Data\Sun\Java\jre1.6.0_13\lzma.dll
2009-05-11 22:12 . 2009-05-11 22:12 -------- d-----w- c:\program files\Eggiz
2009-05-11 19:44 . 2009-05-11 19:44 -------- d-----w- c:\program files\eMule
2009-05-11 19:28 . 2009-05-11 19:28 -------- d-----w- c:\program files\ESET
2009-05-11 19:28 . 2009-05-11 19:28 -------- d-----w- c:\documents and settings\All Users\Application Data\ESET
2009-05-11 14:23 . 2009-05-11 14:16 -------- d-----w- c:\documents and settings\blaza\Application Data\Sony Corporation
2009-05-11 14:18 . 2009-05-11 14:17 -------- d-----w- c:\program files\Sony
2009-05-11 14:17 . 2009-05-11 14:17 -------- d-----w- c:\documents and settings\All Users\Application Data\Sony Corporation
2009-05-11 14:17 . 2009-05-11 14:16 -------- d-----w- c:\program files\Common Files\InstallShield
2009-05-11 14:17 . 2009-05-11 14:16 -------- d-----w- c:\program files\Common Files\Sony Shared
2009-05-10 21:22 . 2009-05-10 21:22 -------- d-----w- c:\program files\microsoft frontpage
2009-05-10 21:17 . 2009-05-10 21:17 21640 ----a-w- c:\windows\system32\emptyregdb.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SsAAD.exe"="c:\progra~1\Sony\SONICS~1\SsAAD.exe" [2006-11-02 472632]
"MsnMsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-02-06 3885408]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-11-27 15360]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2006-10-13 20058152]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"egui"="c:\program files\ESET\ESET NOD32 Antivirus\egui.exe" [2008-02-20 1443072]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-05-21 148888]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\eMule\\emule.exe"=
"c:\\Program Files\\Java\\jre6\\launch4j-tmp\\JDownloader.exe"=
"c:\\WINDOWS\\system32\\java.exe"=
"c:\\Program Files\\BitLord\\BitLord.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\javaw.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\java.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

R1 epfwtdir;epfwtdir;c:\windows\system32\drivers\epfwtdir.sys [2/20/2008 11:11 AM 33800]
R2 ekrn;Eset Service;c:\program files\ESET\ESET NOD32 Antivirus\ekrn.exe [2/20/2008 11:08 AM 472320]
R2 fssfltr;FssFltr;c:\windows\system32\drivers\fssfltr_tdi.sys [6/4/2009 9:53 PM 55152]
S2 NOD32FiXTemDono;Eset Nod32 Boot;c:\windows\system32\regedt32.exe [11/27/2008 6:45 AM 3584]
S3 fsssvc;Windows Live Family Safety;c:\program files\Windows Live\Family Safety\fsssvc.exe [2/6/2009 6:08 PM 533360]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
- - - - ORPHANS REMOVED - - - -

BHO-{7c5c0f58-e061-457d-9033-77307f5ed00c} - (no file)


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
FF - ProfilePath -
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, gmer.net
Rootkit scan 2009-06-22 22:51
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2009-06-22 22:53
ComboFix-quarantined-files.txt 2009-06-22 20:53

Pre-Run: 1,028,288,512 bytes free
Post-Run: 1,217,040,384 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect


  • Joined: 04 Sep 2003
  • Posts: 24135
  • Location: Wien

Were the USB stick and the player connected to the computer when you scanned with ComboFix?

  • Joined: 04 Sep 2007
  • Posts: 130

Yes, I plugged both of them in before starting the program.

  • Joined: 04 Sep 2003
  • Posts: 24135
  • Location: Wien

In USBNoRisk, run the following script (you can plug in the USB stick and the player before running the script):
{0c44db79-3db6-11de-b67a-806d6172696f}
f_delete: %DRIVE%24233.vbs
f_delete: %DRIVE%windows\system32\24233.vbs
f_delete: %DRIVE%windows\system32\101207.cmd
f_delete: %DRIVE%101207.cmd
folder_list: %DRIVE%

{0c44db7a-3db6-11de-b67a-806d6172696f}
f_delete: %DRIVE%24233.vbs
f_delete: %DRIVE%101207.cmd
folder_list: %DRIVE%

{8245a7d2-3daa-11de-8022-806d6172696f}
f_delete: %DRIVE%24233.vbs
f_delete: %DRIVE%101207.cmd
folder_list: %DRIVE%

{8245a7d3-3daa-11de-8022-806d6172696f}
f_delete: %DRIVE%24233.vbs
folder_list: %DRIVE%

{fe21aa0e-3e36-11de-8025-00508d59a11d}
f_delete: %DRIVE%24233.vbs
f_delete: %DRIVE%101207.cmd
f_delete: %DRIVE%ngjavz.exe
f_delete: %DRIVE%20271.cmd
folder_list: %DRIVE%

{710e41e0-46fc-11de-802b-00508d59a11d}
f_delete: %DRIVE%24233.vbs
f_delete: %DRIVE%101207.cmd
f_delete: %DRIVE%20271.cmd
f_delete: %DRIVE%e.cmd
f_delete: %DRIVE%jdhc2x2.com
f_delete: %DRIVE%msvcr71.dll
f_delete: %DRIVE%AdobeR.exe
folder_delete: %DRIVE%MSOCache
folder_delete: %DRIVE%RESTORE
folder_list: %DRIVE%

Click "Run Script" and, when the scanning and cleaning finish, copy the log here again.
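One way to automate the triage the helper did by hand on these listings, as an added example that is not part of USBNoRisk or of this thread: it parses the "Folder list" rows from the logs above, flags root-level files that hide themselves with hidden+system attributes and carry a script or executable extension, and prints a cleanup section in the %DRIVE% script format the helper used. The meaning of the flag columns (d/r/a/h/s), the allowlist of legitimate XP root files and the extension set are my assumptions, not documented USBNoRisk behaviour.

```python
"""Triage a USBNoRisk 'Folder list' the way the helper in this thread did
by hand, then emit the matching cleanup script section.
Added example for this page; it is not part of USBNoRisk or ComboFix."""
import re

# One listing row: flags, size, 8.3 short name, long name. Flags are assumed
# to be d(irectory) r(ead-only) a(rchive) h(idden) s(ystem), '-' when unset.
ROW_RE = re.compile(r"^([d-][r-][a-][h-][s-])\s+(\d+)\s+(\S+)\s+(.+?)\s*$")

# Extensions that run or load when an autorun.inf / shell handler points at
# them; the samples in this thread are .vbs, .cmd, .exe, .com and .dll.
RISKY_EXT = {".vbs", ".vbe", ".js", ".cmd", ".bat", ".exe", ".com", ".dll", ".scr", ".pif"}

# Files that legitimately carry hidden+system at the root of an XP volume,
# so the rule below never proposes deleting the boot loader (assumed list).
KNOWN_ROOT_FILES = {"io.sys", "msdos.sys", "ntldr", "ntdetect.com", "boot.ini",
                    "bootfont.bin", "thumbs.db", "pagefile.sys", "hiberfil.sys"}


def parse_rows(lines):
    """Return a dict for every line that looks like a listing row; skip the rest
    (separators, headers and the 'prot-' rows for pagefile/hiberfil)."""
    rows = []
    for line in lines:
        m = ROW_RE.match(line.rstrip())
        if m:
            flags, size, short, path = m.groups()
            rows.append({"flags": flags, "size": int(size), "short": short, "path": path})
    return rows


def is_root_entry(path):
    """True for 'X:\\name', i.e. exactly one component directly under the drive root."""
    return re.fullmatch(r"[A-Za-z]:\\[^\\]+", path) is not None


def suspicious_files(lines):
    """Root-level files that set both hidden and system and have a script or
    executable extension, minus the known Windows root files."""
    hits = []
    for row in parse_rows(lines):
        flags, path = row["flags"], row["path"]
        if flags[0] == "d" or not is_root_entry(path):
            continue                      # folders are handled with folder_delete
        if flags[3] != "h" or flags[4] != "s":
            continue                      # every sample in the thread sets both h and s
        name = path.rsplit("\\", 1)[-1]
        ext = "." + name.rsplit(".", 1)[-1].lower() if "." in name else ""
        if name.lower() not in KNOWN_ROOT_FILES and ext in RISKY_EXT:
            hits.append(path)
    return hits


def build_script(guid, paths):
    """One USBNoRisk script section in the thread's format; %DRIVE% stands for 'X:\\'."""
    lines = ["{" + guid + "}"]
    lines += ["f_delete: %DRIVE%" + p[3:] for p in paths]
    lines.append("folder_list: %DRIVE%")
    return "\n".join(lines)


# Sample input copied from the H: listing in the log above (the 710e41e0... drive).
SAMPLE_LISTING = [
    r"d----   0   H:\GRACEJ~1   H:\GRACE JONES",
    r"-rahs   2293   H:\20271.cmd   H:\20271.cmd",
    r"-r-hs   106254   H:\e.cmd   H:\e.cmd",
    r"d--hs   0   H:\Recycled   H:\Recycled",
    r"---hs   19794   H:\explorer.exe   H:\explorer.exe",
    r"-rahs   83   H:\24233.vbs   H:\24233.vbs",
    r"-rahs   21   H:\101207.cmd   H:\101207.cmd",
    r"dr-hs   0   H:\RECYCLER   H:\RECYCLER",
    r"-r-hs   93385   H:\jdhc2x2.com   H:\jdhc2x2.com",
    r"---hs   348160   H:\msvcr71.dll   H:\msvcr71.dll",
    r"dr-hs   0   H:\RESTORE   H:\RESTORE",
    r"---hs   3514318   H:\AdobeR.exe   H:\AdobeR.exe",
    r"d--hs   0   H:\MSOCache   H:\MSOCache",
]

if __name__ == "__main__":
    found = suspicious_files(SAMPLE_LISTING)
    print(build_script("710e41e0-46fc-11de-802b-00508d59a11d", found))
```

Run against the H: listing, the flagged set is exactly the seven files the helper listed for deletion on that drive plus the hidden explorer.exe; the two hidden folders still need a manual folder_delete decision.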

  • Joined: 04 Sep 2007
  • Posts: 130

USBNoRisk 2.4 (1 June 2009) by bobby

Started at 6/22/2009 11:19:01 PM

Searching for connected USB Mass storage...
----------------------------------------
I: {710e41e0-46fc-11de-802b-00508d59a11d}
H: {fe21aa0e-3e36-11de-8025-00508d59a11d}
========================================

Searching for other storage...
----------------------------------------
C: {0c44db79-3db6-11de-b67a-806d6172696f}
D: {0c44db7a-3db6-11de-b67a-806d6172696f}
F: {8245a7d2-3daa-11de-8022-806d6172696f}
G: {8245a7d3-3daa-11de-8022-806d6172696f}
========================================

Scanning removable storage...
----------------------------------------

No blocked files found on H:
No Autorun.inf files found on H:
No mountpoint found for fe21aa0e-3e36-11de-8025-00508d59a11d
No Desktop.ini files found on H:
No mimics found on drive H:
----------------------------------------

No blocked files found on I:
No Autorun.inf files found on I:
No mountpoint found for 710e41e0-46fc-11de-802b-00508d59a11d
----------------------------------------
Desktop.ini found at I:\Recycled\ contains interesting CLSID string
----------------------------------------
[.ShellClassInfo]
CLSID={645FF040-5081-101B-9F08-00AA002F954E}
----------------------------------------
HKCR\CLSID\{645FF040-5081-101B-9F08-00AA002F954E},InfoTip = @%SystemRoot%\system32\SHELL32.dll,-22915
HKCR\CLSID\{645FF040-5081-101B-9F08-00AA002F954E},IntroText = @%SystemRoot%\system32\SHELL32.dll,-31748
HKCR\CLSID\{645FF040-5081-101B-9F08-00AA002F954E},LocalizedString = @%SystemRoot%\system32\SHELL32.dll,-8964
HKCR\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\DefaultIcon,@ = %SystemRoot%\System32\shell32.dll,31
HKCR\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\DefaultIcon,Empty = %SystemRoot%\System32\shell32.dll,31
HKCR\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\DefaultIcon,Full = %SystemRoot%\System32\shell32.dll,32
HKCR\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\InProcServer32,@ = shell32.dll
HKLM\Software\Classes\CLSID\{645FF040-5081-101B-9F08-00AA002F954E},InfoTip = @%SystemRoot%\system32\SHELL32.dll,-22915
HKLM\Software\Classes\CLSID\{645FF040-5081-101B-9F08-00AA002F954E},IntroText = @%SystemRoot%\system32\SHELL32.dll,-31748
HKLM\Software\Classes\CLSID\{645FF040-5081-101B-9F08-00AA002F954E},LocalizedString = @%SystemRoot%\system32\SHELL32.dll,-8964
HKLM\Software\Classes\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\DefaultIcon,@ = %SystemRoot%\System32\shell32.dll,31
HKLM\Software\Classes\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\DefaultIcon,Empty = %SystemRoot%\System32\shell32.dll,31
HKLM\Software\Classes\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\DefaultIcon,Full = %SystemRoot%\System32\shell32.dll,32
HKLM\Software\Classes\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\InProcServer32,@ = shell32.dll
No mimics found on drive I:
----------------------------------------


Scanning fixed storage...
----------------------------------------

No blocked files found on C:
No Autorun.inf files found on C:
No mountpoint found for C:
No mountpoint found for 0c44db79-3db6-11de-b67a-806d6172696f
No Desktop.ini files found on C:
----------------------------------------

No blocked files found on D:
No Autorun.inf files found on D:
No mountpoint found for D:
No mountpoint found for 0c44db7a-3db6-11de-b67a-806d6172696f
No Desktop.ini files found on D:
----------------------------------------

No blocked files found on F:
No Autorun.inf files found on F:
No mountpoint found for F:
No mountpoint found for 8245a7d2-3daa-11de-8022-806d6172696f
No Desktop.ini files found on F:
----------------------------------------

No blocked files found on G:
No Autorun.inf files found on G:
No mountpoint found for G:
No mountpoint found for 8245a7d3-3daa-11de-8022-806d6172696f
No Desktop.ini files found on G:
----------------------------------------

autorun.inf found in Qoobox
----------------------------------------
Content of C:\QooBox\Quarantine\C\WINDOWS\system32\autorun.inf.vir
----------------------------------------
[autorun]
Open=
shell\Open=I LOVE MY PEANUT
shell\Open\Command=WScript.exe .\24233.vbs
shell\Open\Default=1
shell\Explore=Explore
shell\Explore\Command=WScript.exe .\24233.vbs
----------------------------------------
========================================
Initial scan finished!
========================================

Processing script
----------------------------------------
710e41e0-46fc-11de-802b-00508d59a11d
Drive letter for GUID: I:
SectionStart = 28
SectionEnd = 38
f_delete:
file "I:\24233.vbs" deleted successfully
f_delete:
file "I:\101207.cmd" deleted successfully
f_delete:
file "I:\20271.cmd" deleted successfully
f_delete:
file "I:\e.cmd" deleted successfully
f_delete:
file "I:\jdhc2x2.com" deleted successfully
f_delete:
file "I:\msvcr71.dll" deleted successfully
f_delete:
file "I:\AdobeR.exe" deleted successfully
----------------------------------------
Delete folder tree I:\MSOCache:
----------------------------------------
Delete: I:\MSOCache\90000804-6000-11D3-8CFE-0150048383C0\KB915866.exe > Done!
Delete: I:\MSOCache\90000804-6000-11D3-8CFE-0150048383C0 > Done!
Delete: I:\MSOCache > Done!
----------------------------------------
Delete folder tree I:\RESTORE:
----------------------------------------
Delete: I:\RESTORE\S-1-5-21-1482476501-1644491937-682003330-1013\Desktop.ini > Done!
Delete: I:\RESTORE\S-1-5-21-1482476501-1644491937-682003330-1013 > Error!
Delete: I:\RESTORE > Error!
Delete: I:\RESTORE > Error!
----------------------------------------
Folder list for I:\:
----------------------------------------

d----   0   I:\GRACEJ~1   I:\GRACE JONES
d----   0   I:\pdf   I:\pdf
d----   0   I:\ELECTR~1.2   I:\Electro house 2008 vol.2
d--hs   0   I:\Recycled   I:\Recycled
---hs   19794   I:\explorer.exe   I:\explorer.exe
dr-hs   0   I:\RECYCLER   I:\RECYCLER
d----   0   I:\HARD_M~1   I:\Hard_Mix-Brazilian_House-WEB-(MPM0003)-2009-CopyCAT
d----   0   I:\HED_KA~1   I:\Hed_Kandi_The_Mix_Spring_2009-3_CD-2009
d----   0   I:\JOHNNY~1._LE   I:\Johnny_Fiasco-Groove_On_(Incl._Lego_Remix)-(KFD010)-WEB-2009-SOULFUL
d----   0   I:\JUSTIN~1._MA   I:\Justin_Michael_and_Born_to_Funk_Ft._Maya-Change_is_on_the_Way-_PM067_-WEB-2009-BSiDE
d----   0   I:\LA_VID~1.2   I:\La_Vida_Loca_-_The_Latin_House_Party_Vol.2
d----   0   I:\VA-BUD~1   I:\VA - Buddha Bar - Sunlounger (2009)
d----   0   I:\VA_-_H~1   I:\VA_-_House_this_(Mixed_by_Kneedeep)-2009-MST
d----   0   I:\VA_-_M~1   I:\VA_-_Music_For_Cocktails_(Elite_Edition)-2CD-2009-LiR
d----   0   I:\VA-BAR~1   I:\VA-Bar_Vista-Latino-2CD-2009
d----   0   I:\VA-CHI~1   I:\VA-Chill Jazz Sessions (2009)
d----   0   I:\VONMON~1   I:\Von Mondo - House Jazz Masters (2006)
d----   0   I:\BORN_T~1   I:\Born_To_Funk-Get_Funky-(GKF061)-WEB-2008-IMT
dr-hs   0   I:\RESTORE   I:\RESTORE

----------------------------------------

fe21aa0e-3e36-11de-8025-00508d59a11d
Drive letter for GUID: H:
SectionStart = 21
SectionEnd = 27
f_delete:
file "H:\24233.vbs" deleted successfully
f_delete:
file "H:\101207.cmd" deleted successfully
f_delete:
file "H:\ngjavz.exe" deleted successfully
f_delete:
file "H:\20271.cmd" deleted successfully
----------------------------------------
Folder list for H:\:
----------------------------------------

dr-hs   0   H:\RECYCLER   H:\RECYCLER
d----   0   H:\Testovi   H:\Testovi
d----   0   H:\OMGAUDIO   H:\OMGAUDIO

----------------------------------------

0c44db79-3db6-11de-b67a-806d6172696f
Drive letter for GUID: C:
SectionStart = 0
SectionEnd = 6
f_delete:
file "C:\24233.vbs" deleted successfully
File C:\windows\system32\24233.vbs will not be deleted because it is in protected folder
File C:\windows\system32\101207.cmd will not be deleted because it is in protected folder
f_delete:
file "C:\101207.cmd" deleted successfully
----------------------------------------
Folder list for C:\:
----------------------------------------

--a--   0   C:\AUTOEXEC.BAT   C:\AUTOEXEC.BAT
--a--   211   C:\Boot.bak   C:\Boot.bak
-rahs   281   C:\boot.ini   C:\boot.ini
drahs   0   C:\cmdcons   C:\cmdcons
--a--   260272   C:\cmldr   C:\cmldr
d---s   0   C:\ComboFix   C:\ComboFix
--a--   9214   C:\ComboFix.txt   C:\ComboFix.txt
--a--   0   C:\CONFIG.SYS   C:\CONFIG.SYS
d----   0   C:\DOCUME~1   C:\Documents and Settings
prot-   536449024      C:\hiberfil.sys
-rahs   0   C:\IO.SYS   C:\IO.SYS
-rahs   0   C:\MSDOS.SYS   C:\MSDOS.SYS
-rahs   47564   C:\NTDETECT.COM   C:\NTDETECT.COM
-rahs   250048   C:\ntldr   C:\ntldr
prot-   805306368      C:\pagefile.sys
d----   0   C:\proba   C:\proba
dr---   0   C:\PROGRA~1   C:\Program Files
d----   0   C:\Qoobox   C:\Qoobox
d--hs   0   C:\SYSTEM~1   C:\System Volume Information
d----   0   C:\USBNOR~1   C:\USBNoRisk
--a--   5493   C:\USBNOR~1.RAR   C:\USBNoRisk.rar
d----   0   C:\WINDOWS   C:\WINDOWS

----------------------------------------

0c44db7a-3db6-11de-b67a-806d6172696f
Drive letter for GUID: D:
SectionStart = 7
SectionEnd = 11
f_delete:
file "D:\24233.vbs" deleted successfully
f_delete:
file "D:\101207.cmd" deleted successfully
----------------------------------------
Folder list for D:\:
----------------------------------------

d----   0   D:\BAAL008   D:\BAAL008
d----   0   D:\CAFECO~1   D:\cafe copacabana
d----   0   D:\HOUSE   D:\HOUSE
d----   0   D:\JOEYNE~1   D:\Joey Negro - Ride The Rhythm
d----   0   D:\KM5_IB~1   D:\KM5_ibiza volumen_9
d----   0   D:\LONGE   D:\LONGE
--a--   29679616   D:\MICHEL~1.MP3   D:\Michel_Cleis_-_La_Mezcla.mp3
d----   0   D:\MOONBE~1   D:\Moonbeam-When_Tears_Are_Dropping_Form_The_Sky-(TRAUM111)-WEB-2009-1KING
d----   0   D:\PESME   D:\PESME
d--hs   0   D:\RECYCLER   D:\RECYCLER
d----   0   D:\ROSS_C~1   D:\Ross_Couch_Night_and_Day__Album_Sampler___BRR016__WEB_2009_EMM
d----   0   D:\SHOVEL~1   D:\Shovell_And_The_Latin_Hooligans-Soul_Makossa-(DFTD227D)-WEB-2009-EPiCFAiL
d--hs   0   D:\SYSTEM~1   D:\System Volume Information
d----   0   D:\VA-SUB~1   D:\VA-Subliminal_Sessions_Summer_2009_(Unmixed_Mixed_by_Erick_Morillo)-2009

----------------------------------------

8245a7d2-3daa-11de-8022-806d6172696f
Drive letter for GUID: F:
SectionStart = 12
SectionEnd = 16
f_delete:
file "F:\24233.vbs" deleted successfully
f_delete:
file "F:\101207.cmd" deleted successfully
----------------------------------------
Folder list for F:\:
----------------------------------------

d----   0   F:\OUTNUM~1.3   F:\Out.Numbered.3
d--hs   0   F:\RECYCLER   F:\RECYCLER
--a--   730896384   F:\SPERMD~2.AVI   F:\sperm drain-a.avi
--a--   728752128   F:\SPERMD~1.AVI   F:\sperm drain-b.avi
d--hs   0   F:\SYSTEM~1   F:\System Volume Information
--ahs   6656   F:\Thumbs.db   F:\Thumbs.db
d----   0   F:\UPINSM~1   F:\up in smoke
d----   0   F:\water   F:\water

----------------------------------------

8245a7d3-3daa-11de-8022-806d6172696f
Drive letter for GUID: G:
SectionStart = 17
SectionEnd = 20
f_delete:
file "G:\24233.vbs" deleted successfully
----------------------------------------
Folder list for G:\:
----------------------------------------

-rahs   21   G:\101207.cmd   G:\101207.cmd
dr---   0   G:\Dacha   G:\Dacha
dr---   0   G:\DRUM   G:\DRUM
d--hs   0   G:\found.000   G:\found.000
dr---   0   G:\HIPHOP~1   G:\hip hop
dr---   0   G:\HOUSE   G:\HOUSE
-rahs   0   G:\kht   G:\kht
dr---   0   G:\LONGE   G:\LONGE
dr---   0   G:\obuka   G:\obuka
d----   0   G:\podaci   G:\podaci
d--hs   0   G:\RECYCLER   G:\RECYCLER
dr---   0   G:\REGGAE   G:\REGGAE
d--hs   0   G:\SYSTEM~1   G:\System Volume Information

----------------------------------------

offline
  • Joined: 04 Sep 2003
  • Posts: 24135
  • Where do you live: Wien

Run the following script as well:
{0c44db79-3db6-11de-b67a-806d6172696f}
#.#
f_delete: %DRIVE%windows\system32\24233.vbs
f_delete: %DRIVE%windows\system32\101207.cmd

{8245a7d3-3daa-11de-8022-806d6172696f}
f_delete: %DRIVE%101207.cmd
folder_list: %DRIVE%

{710e41e0-46fc-11de-802b-00508d59a11d}
f_delete: %DRIVE%explorer.exe
folder_delete: %DRIVE%RECYCLED
folder_list: %DRIVE%
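
To triage the "Folder list" sections in logs like the ones above, here is an added Python example (not part of USBNoRisk or of this thread) that parses the attribute/size/name columns and flags root-level entries by the same heuristics this cleanup relied on: runnable files in a drive root, hidden+system files, and system-name lookalikes such as explorer.exe, Recycled or RESTORE. The sample lines are constructed in the log's format; the extension list and the allow-list of normally hidden entries are assumptions.

```python
import re

# Constructed sample lines in the "Folder list" format of the log above:
# attributes, size, 8.3 name, long name, separated by runs of spaces (assumption).
SAMPLE_LOG = """
d----   0   I:\\pdf   I:\\pdf
d--hs   0   I:\\Recycled   I:\\Recycled
---hs   19794   I:\\explorer.exe   I:\\explorer.exe
dr-hs   0   I:\\RESTORE   I:\\RESTORE
-rahs   21   G:\\101207.cmd   G:\\101207.cmd
-rahs   0   G:\\kht   G:\\kht
--a--   29679616   D:\\MICHEL~1.MP3   D:\\Michel_Cleis_-_La_Mezcla.mp3
d--hs   0   D:\\SYSTEM~1   D:\\System Volume Information
--ahs   6656   F:\\Thumbs.db   F:\\Thumbs.db
"""

LINE_RE = re.compile(r"^([d-][r-][a-][h-][s-])\s+(\d+)\s+(\S+)\s+(.+)$")
# Extensions that autorun.inf or a double-click will execute (assumption: heuristic list).
RUNNABLE = {".exe", ".com", ".vbs", ".cmd", ".bat", ".scr", ".pif", ".js", ".wsf"}
# Entries that are normally hidden+system in a drive root (assumption: allow-list).
BENIGN_HIDDEN = {"recycler", "system volume information", "thumbs.db", "$recycle.bin"}
# Root-level names reused by the malware cleaned in this thread (taken from the log).
LOOKALIKE = {"explorer.exe", "recycled", "restore"}

def parse_line(line):
    # Split one folder-list line into fields; separators and headers give None.
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    attrs, size, _short, long_name = m.groups()
    return {"is_dir": attrs[0] == "d", "hidden": attrs[3] == "h",
            "system": attrs[4] == "s", "size": int(size), "path": long_name}

def classify(entry):
    """Return a reason if the root entry looks suspicious, else None."""
    name = entry["path"].split("\\")[-1].lower()
    ext = name[name.rfind("."):] if "." in name else ""
    if name in BENIGN_HIDDEN:
        return None
    if name in LOOKALIKE:
        return "system-name lookalike in drive root"
    if not entry["is_dir"] and ext in RUNNABLE:
        return "runnable file in drive root"
    if not entry["is_dir"] and entry["hidden"] and entry["system"]:
        return "hidden+system file in drive root"
    return None

def triage(log_text):
    # (path, reason) for every suspicious entry in the log text.
    entries = filter(None, map(parse_line, log_text.splitlines()))
    return [(e["path"], classify(e)) for e in entries if classify(e)]
```

Running triage(SAMPLE_LOG) on the constructed lines flags Recycled, explorer.exe, RESTORE, 101207.cmd and kht, and leaves the music folder, System Volume Information and Thumbs.db alone.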
