Antichrist, Studentski Glasnik and the rest...


  • Joined: 05 Nov 2008
  • Posts: 5

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:12:53 AM, on 11/5/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\lxdccoms.exe
D:\pomocni programi\matlab\webserver\bin\win32\matlabserver.exe
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\svchost.exe
c:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\WinFast\WFDTV\DTVSchdl.exe
C:\Program Files\WinFast\WFDTV\WFWIZ.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\WINDOWS\Sys32.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\Lexmark 1300 Series\lxdcamon.exe
C:\PROGRA~1\SaveNow\SaveNow.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe
C:\Program Files\ASUS\GamerOSD\GamerOSD.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Java\jre1.6.0_02\bin\jucheck.exe
C:\Documents and Settings\Jeka\Desktop\BlaBla\TR3.exe
C:\Program Files\Internet Explorer\iexplore.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = C:\WINDOWS\system32\blank.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = C:\WINDOWS\system32\blank.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer [Day of judgment]
F2 - REG:system.ini: UserInit=userinit.exe,
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Lexmark Toolbar - {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - C:\Program Files\Lexmark Toolbar\toolband.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O3 - Toolbar: Lexmark Toolbar - {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - C:\Program Files\Lexmark Toolbar\toolband.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [ASUSGamerOSD] C:\Program Files\ASUS\GamerOSD\GamerOSD.exe
O4 - HKLM\..\Run: [WinFastDTV] C:\Program Files\WinFast\WFDTV\DTVSchdl.exe
O4 - HKLM\..\Run: [WinFast Schedule] C:\Program Files\WinFast\WFDTV\WFWIZ.exe
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [Sys32] c:\WINDOWS\Sys32.exe
O4 - HKLM\..\Run: [HService] c:\WINDOWS\msservice.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [NBKeyScan] "C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [lxdcamon] "C:\Program Files\Lexmark 1300 Series\lxdcamon.exe"
O4 - HKLM\..\Run: [LXDCCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXDCtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [SaveNow] C:\PROGRA~1\SaveNow\SaveNow.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpyClean] C:\Program Files\Netcom3 Cleaner\SpyClean.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [amva] C:\WINDOWS\system32\amvo.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: ATK Keyboard Service (ATKKeyboardService) - ASUSTeK COMPUTER INC. - C:\WINDOWS\ATKKBService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: lxdc_device - - C:\WINDOWS\system32\lxdccoms.exe
O23 - Service: MATLAB Server (matlabserver) - Unknown owner - D:\pomocni programi\matlab\webserver\bin\win32\matlabserver.exe
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: NetCom3 Service (Netcom3) - Unknown owner - C:\Program Files\Netcom3 Cleaner\PSCMonitor.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Protexis Licensing V2 (PSI_SVC_2) - Protexis Inc. - c:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
O24 - Desktop Component 0: (no name) - file:///C:/DOCUME~1/Jeka/LOCALS~1/Temp/msohtmlclip1/01/clip_image002.jpg

--
End of file - 6910 bytes

  • dr_Bora  Male
  • Anti Malware Fighter
    Rank 2
  • Joined: 24 Jul 2007
  • Posts: 12280
  • Location: Höganäs, SE

Hello...

Traces of several infections are visible here. Follow the instructions below carefully.

Download the Antichrist Fix program to the Desktop.
Double-click AC-FIX.EXE to run it.

A prompt asking whether to continue will appear - click OK.

Connect all USB storage devices so that they get disinfected
(devices to connect: USB flash drive, phone, camera...)

Note: do not disconnect the devices before the process has finished.

Click OK to start the cleaning process.

The computer will restart.

After the system restarts, a notification that the process has finished will appear - click OK.

The report on the procedure performed (C:\AC-FIX\AC-FIX Log.txt) will open in Notepad.

Paste the resulting report into the thread on the forum.



-------------------------------------------------------------------------------------
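Part of what the helper spotted in the HijackThis log above can be automated. The following is an added example (not from this thread and not HijackThis code) that triages the "Running processes" and O4 Run lines by where the executable lives: core Windows binary names outside system32, and executables dropped straight into the Windows directory. The XP path layout and the allowlist of files that legitimately sit in the C:\WINDOWS root are assumptions.

```python
r"""Location-based triage of HijackThis process and O4 Run lines.

Added example for this thread, not part of the forum post or of HijackThis.
It flags two patterns visible in the log above: a core Windows binary name
(svchost.exe) running from outside system32, and executables placed directly
in C:\WINDOWS (Sys32.exe, msservice.exe).
"""
import re
from typing import List, Optional, Tuple

WINDIR = r"c:\windows"                       # assumption: default XP layout
SYSTEM32 = WINDIR + r"\system32"

# Names that legitimately exist only under system32 on XP (assumption).
SYSTEM32_ONLY = {"svchost.exe", "lsass.exe", "services.exe", "winlogon.exe",
                 "smss.exe", "csrss.exe", "spoolsv.exe"}

# Constructed allowlist of files that do sit in the C:\WINDOWS root on this
# kind of machine: Explorer, the Realtek audio tray apps, the ASUS keyboard
# service. Anything else in that directory is worth a second look.
WINDIR_ROOT_ALLOW = {"explorer.exe", "rthdcpl.exe", "alcmtr.exe", "atkkbservice.exe"}

# O4 entry whose command starts with an absolute .exe path (quoted or not).
O4_RE = re.compile(r'^O4 - HK(?:LM|CU)\\\.\.\\Run: \[[^\]]*\]\s+"?([A-Za-z]:\\[^"]+?\.exe)', re.I)
# A bare absolute path, as listed under "Running processes".
PROC_RE = re.compile(r'^[A-Za-z]:\\.+\.exe$', re.I)


def image_path(line: str) -> Optional[str]:
    """Return the executable path named by a process line or an O4 entry, else None."""
    line = line.strip()
    m = O4_RE.match(line)
    if m:
        return m.group(1)
    if PROC_RE.match(line):
        return line
    return None


def classify(path: str) -> Optional[str]:
    """Explain why a path is suspicious, or return None if it passes both checks."""
    p = path.lower()
    parent, _, name = p.rpartition("\\")
    if name in SYSTEM32_ONLY and parent != SYSTEM32:
        return "core Windows binary name running from outside system32"
    if parent == WINDIR and name not in WINDIR_ROOT_ALLOW:
        return "executable placed directly in the Windows directory"
    return None


def triage(log: str) -> List[Tuple[str, str]]:
    """Return (path, reason) for every suspicious entry, de-duplicated by path."""
    seen = {}
    for line in log.splitlines():
        path = image_path(line)
        if path is None:
            continue
        reason = classify(path)
        if reason and path.lower() not in seen:
            seen[path.lower()] = (path, reason)
    return list(seen.values())


# Constructed sample: a few lines in the shape of the log posted above.
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\Sys32.exe
C:\WINDOWS\RTHDCPL.EXE

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Sys32] c:\WINDOWS\Sys32.exe
O4 - HKLM\..\Run: [HService] c:\WINDOWS\msservice.exe
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKCU\..\Run: [amva] C:\WINDOWS\system32\amvo.exe
"""

if __name__ == "__main__":
    for path, reason in triage(SAMPLE_LOG):
        print(f"{path}: {reason}")
```

Location rules alone do not catch amvo.exe, which sits in system32 like a legitimate file; that entry needs a hash or publisher lookup, which is why the helper still reads the whole log by hand.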

  • Joined: 05 Nov 2008
  • Posts: 5

> > > ANTICHRIST FIX < < <


Fix started @ 10:34:57 AM, 11/5/2008
Running on Microsoft Windows XP 5.1.2600 Service Pack 2

-------------------------------------------------------

|»»» Cleaning registry... Done!

|»»» Preparing for reboot... Done!

|»»» Rebooting...

|»»» Continuing fix @ 10:36:14 AM

|»»» Scanning for malicious files:

Found C:\WINDOWS\system32\oeminfo.ini »»» Deleted!
Found C:\WINDOWS\system32\oemlogo.bmp »»» Deleted!
Found C:\WINDOWS\itsme.ini »»» Deleted!
Found C:\WINDOWS\system32\blank.htm »»» Deleted!

|»»» Checking root directories...

|»»» Drive C (HDD):
Found C:\AutoRun.inf »»» Deleted!
Found C:\Recycler.{645FF040-5081-101B-9F08-00AA002F954E}
Files:
|»»»»» Deleting C:\Recycler.{645FF040-5081-101B-9F08-00AA002F954E} »»» Deleted!


|»»» Drive D (HDD):
Found D:\AutoRun.inf »»» Deleted!
Found D:\Recycler.{645FF040-5081-101B-9F08-00AA002F954E}
Files:
|»»»»» Deleting D:\Recycler.{645FF040-5081-101B-9F08-00AA002F954E} »»» Deleted!



-------------------------------------------------------

»»»»»» Finished!

»»»»»» Antichrist Fix v1.1 by dr_Bora



-------------------------------------------------------------------------------------


I don't have any of the listed devices here, no USB flash drive, no phone, and no camera, so I did this without them... can I run this Antichrist Fix again later, when I get to those things of mine, so that they get cleaned too?

  • dr_Bora  Male
  • Anti Malware Fighter
    Rank 2
  • Joined: 24 Jul 2007
  • Posts: 12280
  • Location: Höganäs, SE

Quote: I don't have any of the listed devices here, no USB flash drive, no phone, and no camera, so I did this without them... can I run this Antichrist Fix again later, when I get to those things of mine, so that they get cleaned too?

We'll take care of that later, it's not a problem. Follow the rest of the instructions.

  • Joined: 05 Nov 2008
  • Posts: 5

> > > Studentski Glasnik Fix < < <


Fix pokrenuo Jeka u 10:40:14 AM, 11/5/2008
Operativni sistem Microsoft Windows XP 5.1.2600 Service Pack 2

-------------------------------------------------------

|»»» Skeniranje registra...
|»»» Maliciozne stavke su detektovane!
|»»» Brisanje stavki je uspešno izvršeno!

|»»» Priprema za restartovanje...

|»»» Restartovanje...

|»»» Skeniranje diskova...
>>>>>> C:\WINDOWS\SYS32.EXE »»» Datoteka je obrisana!
>>>>>> C:\WINDOWS\MSSERVICE.EXE »»» Datoteka je obrisana!
>>>>>> C:\WINDOWS\backup.dll »»» Datoteka je obrisana!
(HDD:) C:\AutoRun.inf »»» Datoteka je obrisana!
(HDD:) D:\AutoRun.inf »»» Datoteka je obrisana!

-------------------------------------------------------

»»»»»» Kraj rada u 10:41:37 AM.

»»»»»» Studentski glasnik Fix by dr_Bora

  • dr_Bora  Male
  • Anti Malware Fighter
    Rank 2
  • Joined: 24 Jul 2007
  • Posts: 12280
  • Location: Höganäs, SE

I answered your question about the USB devices above...

Now let's sort out the rest as well.

Download ComboFix to the Desktop from one of the following addresses:
http://download.bleepingcomputer.com/sUBs/ComboFix.exe
http://www.forospyware.com/sUBs/ComboFix.exe
http://subs.geekstogo.com/ComboFix.exe

Run it and do not touch the program window while it scans.
Follow the on-screen instructions. When it finishes, a log (C:\ComboFix.txt) will appear; paste it here for us.

  • Joined: 05 Nov 2008
  • Posts: 5

ComboFix 08-11-04.02 - Jeka 2008-11-05 10:50:09.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.578 [GMT -8:00]
Running from: c:\documents and settings\Jeka\Desktop\BlaBla\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\autorun.inf
c:\windows\svchost.exe
c:\windows\system32\amvo.exe
c:\windows\system32\amvo0.dll
c:\windows\system32\mdm.exe
c:\windows\system32\wmcache.nld
D:\Autorun.inf

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_POWERMANAGER
-------\Service_Netcom3
-------\Service_PowerManager


((((((((((((((((((((((((( Files Created from 2008-10-05 to 2008-11-05 )))))))))))))))))))))))))))))))
.

2008-11-05 10:34 . 2008-11-05 10:34 <DIR> d-------- C:\AC-FIX
2008-11-05 09:21 . 2008-11-05 09:21 23,552 --a------ c:\documents and settings\Jeka\so7.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-11-06 01:00 --------- d-----w c:\program files\Lx_cats
2008-11-05 16:00 196,608 ----a-w c:\windows\system32\drivers\nStandard.bin
2008-10-05 06:30 --------- d-----w c:\program files\SaveNow
2008-10-05 03:14 --------- d-----w c:\program files\RadLight
2008-10-01 03:19 --------- d-----w c:\documents and settings\Jeka\Application Data\Winamp
2008-09-18 00:23 7,780 ----a-w c:\documents and settings\Jeka\FMCodec.dat
2008-09-18 00:23 4 ----a-w c:\documents and settings\Jeka\WFSCHDL.dat
2008-09-11 17:01 2,516 --sha-w c:\documents and settings\All Users\Application Data\KGyGaAvL.sys
2008-05-12 08:11 8 --sh--r c:\documents and settings\All Users\Application Data\52DF72FF22.sys
2005-09-12 13:52 12,678,535 ----a-w c:\program files\e_guide.pdf
2001-08-23 21:00 180,224 --sha-r c:\windows\system32\cfgbkeqd.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-03 15360]
"SpyClean"="c:\program files\Netcom3 Cleaner\SpyClean.exe" [2008-03-11 4505600]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Nero\Lib\NMBgMonitor.exe" [2007-09-20 202024]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-06-28 8466432]
"ASUSGamerOSD"="c:\program files\ASUS\GamerOSD\GamerOSD.exe" [2007-07-12 380928]
"WinFastDTV"="c:\program files\WinFast\WFDTV\DTVSchdl.exe" [2007-02-12 69632]
"WinFast Schedule"="c:\program files\WinFast\WFDTV\WFWIZ.exe" [2007-02-12 397312]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-26 31016]
"NeroFilterCheck"="c:\program files\Common Files\Nero\Lib\NeroCheck.exe" [2007-03-01 153136]
"NBKeyScan"="c:\program files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe" [2007-09-20 1836328]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-06-28 81920]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_02\bin\jusched.exe" [2007-07-12 132496]
"lxdcamon"="c:\program files\Lexmark 1300 Series\lxdcamon.exe" [2007-02-05 20480]
"LXDCCATS"="c:\windows\System32\spool\DRIVERS\W32X86\3\LXDCtime.dll" [2007-01-22 102400]
"SaveNow"="c:\progra~1\SaveNow\SaveNow.exe" [2001-12-18 167424]
"nwiz"="nwiz.exe" [2007-06-28 c:\windows\system32\nwiz.exe]
"RTHDCPL"="RTHDCPL.EXE" [2007-05-10 c:\windows\RTHDCPL.exe]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"wscsvc"=2 (0x2)
"SharedAccess"=2 (0x2)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=

R2 lxdc_device;lxdc_device;c:\windows\system32\lxdccoms.exe [2007-02-12 537520]
R2 PSI_SVC_2;Protexis Licensing V2;c:\program files\Common Files\Protexis\License Service\PsiService_2.exe [2007-07-24 185632]
R3 asusgsb;ASUS Virtual Video Capture Device Driver;c:\windows\system32\drivers\asusgsb.sys [2007-07-12 12416]
R3 Video3D;ASUS Video3D Service;c:\windows\system32\Drivers\Video3D32.sys [2007-07-12 10752]
R3 WFIOCTL;WFIOCTL;c:\program files\WinFast\WFDTV\WFIOCTL.SYS [2005-01-06 9446]
S2 PowerManager;Power Manager;c:\windows\svchost.exe [ ]
S3 Netcom3;NetCom3 Service;c:\program files\Netcom3 Cleaner\PSCMonitor.exe [2006-11-18 856064]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2a983d72-8a8d-11dd-a2f8-f365ce40ddb2}]
\Shell\AutoRun\command - F:\xn1i9x.com
\Shell\explore\Command - F:\xn1i9x.com
\Shell\open\Command - F:\xn1i9x.com

*Newly Created Service* - POWERMANAGER
.
- - - - ORPHANS REMOVED - - - -

MSConfigStartUp-blank - c:\windows\system32\blank.htm


.
------- Supplementary Scan -------
.
O8 -: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, gmer.net
Rootkit scan 2008-11-05 10:52:12
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\rundll32.exe
d:\pomocni programi\matlab\webserver\bin\win32\matlabserver.exe
c:\program files\Nero\Nero8\Nero BackItUp\NBService.exe
c:\windows\system32\nvsvc32.exe
c:\program files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
c:\windows\system32\wdfmgr.exe
d:\pomocni programi\matlab\bin\win32\MATLAB.exe
c:\program files\Common Files\Nero\Lib\NMIndexingService.exe
c:\program files\Common Files\Nero\Lib\NMIndexStoreSvr.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2008-11-05 10:54:37 - machine was rebooted
ComboFix-quarantined-files.txt 2008-11-05 18:54:35

Pre-Run: 200,122,368 bytes free
Post-Run: 859,283,456 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect /usepmtimer

  • dr_Bora  Male
  • Anti Malware Fighter
    Rank 2
  • Joined: 24 Jul 2007
  • Posts: 12280
  • Location: Höganäs, SE

Uhh, there are also real viruses here (file infectors). Why don't you have an antivirus installed?

From Control Panel > Add/Remove Programs, uninstall SaveNow.

-------------------------------------------------------------------------------------

Open Notepad and copy the following text into it:

File::
c:\documents and settings\Jeka\so7.exe
c:\windows\system32\cfgbkeqd.dll

Folder::
c:\program files\Netcom3 Cleaner

Driver::
PowerManager
Netcom3

Registry::
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpyClean"=-
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2a983d72-8a8d-11dd-a2f8-f365ce40ddb2}]


Save the file from Notepad to the Desktop as "CFScript".

Drag the saved script/text onto the ComboFix icon as shown in the picture.
Post the log that is created at the end of the cleaning/scan in your next message.

  • Joined: 05 Nov 2008
  • Posts: 5

ComboFix 08-11-04.02 - Jeka 2008-11-05 12:13:31.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.526 [GMT -8:00]
Running from: c:\documents and settings\Jeka\Desktop\BlaBla\ComboFix.exe
Command switches used :: c:\documents and settings\Jeka\Desktop\BlaBla\CFScript.txt
* Created a new restore point

FILE ::
c:\documents and settings\Jeka\so7.exe
c:\windows\system32\cfgbkeqd.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Jeka\so7.exe
c:\program files\Netcom3 Cleaner
c:\program files\Netcom3 Cleaner\Backup\{03579105-A212-416E-99DD-93D533BB30BD}.rbk
c:\program files\Netcom3 Cleaner\Backup\{12C17D93-BA25-43C4-BA8E-A93129FAF6E5}.rbk
c:\program files\Netcom3 Cleaner\Backup\{18F144D8-E647-4F3E-BC1B-463CA471CE9C}.rbk
c:\program files\Netcom3 Cleaner\Backup\{197C0764-86EE-4593-A22D-B35E575847C3}.rbk
c:\program files\Netcom3 Cleaner\Backup\{24FD5743-9041-47EA-A104-B26CB3C5CB64}.rbk
c:\program files\Netcom3 Cleaner\Backup\{28E5CBA5-4CDE-4E92-98A3-DCCF4137FD7A}.rbk
c:\program files\Netcom3 Cleaner\Backup\{31E89730-E83F-49C4-970E-7B2A1AA171FC}.rbk
c:\program files\Netcom3 Cleaner\Backup\{52529F3E-4030-4864-BC64-DF8340EEAF8B}.rbk
c:\program files\Netcom3 Cleaner\Backup\{6A628DA1-A67A-4B53-83CB-437FB49CED74}.rbk
c:\program files\Netcom3 Cleaner\Backup\{6D681815-D28F-4C43-A570-4064386EDC0A}.rbk
c:\program files\Netcom3 Cleaner\Backup\{74A72393-3765-45F4-8BE4-AE9C10B6DD64}.rbk
c:\program files\Netcom3 Cleaner\Backup\{75A100FC-59A6-42F5-9934-43B25E7A0D9D}.rbk
c:\program files\Netcom3 Cleaner\Backup\{81D7AB41-3789-4629-A09B-FF54E573E7CE}.rbk
c:\program files\Netcom3 Cleaner\Backup\{849AC9CD-F17F-47B9-B293-07A405443228}.rbk
c:\program files\Netcom3 Cleaner\Backup\{8BDF0F3F-6595-4932-ABBE-160E9A6A6BF8}.rbk
c:\program files\Netcom3 Cleaner\Backup\{903638AF-8FD2-48C1-8107-64FB90DD0DE6}.rbk
c:\program files\Netcom3 Cleaner\Backup\{92161305-D34B-48C4-B04F-BB9455404DF5}.rbk
c:\program files\Netcom3 Cleaner\Backup\{921AAF68-EF05-40D9-A248-45B44F696570}.rbk
c:\program files\Netcom3 Cleaner\Backup\{9300D515-77EE-4586-8682-994A6538C171}.rbk
c:\program files\Netcom3 Cleaner\Backup\{A1885574-87E5-4F43-B8D1-E54848266F3B}.rbk
c:\program files\Netcom3 Cleaner\Backup\{A21F53BD-98BF-4406-BA68-94782A0AA620}.rbk
c:\program files\Netcom3 Cleaner\Backup\{B07CBFEE-042B-4E0F-A27C-E6273709310D}.rbk
c:\program files\Netcom3 Cleaner\Backup\{B2E126C6-BD41-4FEA-BDC0-697147ABB220}.rbk
c:\program files\Netcom3 Cleaner\Backup\{B6711971-7687-4591-827B-DB685F39D1EA}.rbk
c:\program files\Netcom3 Cleaner\Backup\{BB6252C7-C252-42AD-9D91-1CF49319E9E3}.rbk
c:\program files\Netcom3 Cleaner\Backup\{CDB19A25-0F0F-4D94-862A-5643289D4B9A}.rbk
c:\program files\Netcom3 Cleaner\Backup\{CF1A2C99-4D99-4748-AE71-D71AB124D003}.rbk
c:\program files\Netcom3 Cleaner\Backup\{CF33661F-9C99-4EE8-B45E-FA367B23FD80}.rbk
c:\program files\Netcom3 Cleaner\Backup\{D0FEE3E7-6688-4570-A180-B0211809B920}.rbk
c:\program files\Netcom3 Cleaner\Backup\{DA8143DE-9582-4D38-AD3C-60F9356CEE2B}.rbk
c:\program files\Netcom3 Cleaner\Backup\{EBCDB782-8710-4C26-8633-DEA2FE826CBD}.rbk
c:\program files\Netcom3 Cleaner\Backup\{ED63FA44-F7B8-4EAC-ADDC-65EAC4758477}.rbk
c:\program files\Netcom3 Cleaner\Backup\{EEF6B47C-71B7-415C-A28E-2C265A6D7079}.rbk
c:\program files\Netcom3 Cleaner\Backup\{FB0C5657-3E9D-4368-955B-4BA86EE55BAF}.rbk
c:\program files\Netcom3 Cleaner\Backup\02_06_2008_23_14_47.fbk
c:\program files\Netcom3 Cleaner\BackupManager.dll
c:\program files\Netcom3 Cleaner\Database\IgnoreList.db
c:\program files\Netcom3 Cleaner\Database\Immunizer.db
c:\program files\Netcom3 Cleaner\Database\Spyware.db
c:\program files\Netcom3 Cleaner\hashes.md5
c:\program files\Netcom3 Cleaner\Logger.dll
c:\program files\Netcom3 Cleaner\Logs\2008_05_12.log
c:\program files\Netcom3 Cleaner\Logs\2008_05_13.log
c:\program files\Netcom3 Cleaner\Logs\2008_05_14.log
c:\program files\Netcom3 Cleaner\Logs\2008_05_15.log
c:\program files\Netcom3 Cleaner\Logs\2008_05_16.log
c:\program files\Netcom3 Cleaner\Logs\2008_05_17.log
c:\program files\Netcom3 Cleaner\Logs\2008_05_18.log
c:\program files\Netcom3 Cleaner\Logs\2008_05_19.log
c:\program files\Netcom3 Cleaner\Logs\2008_05_20.log
c:\program files\Netcom3 Cleaner\Logs\2008_05_21.log
c:\program files\Netcom3 Cleaner\Logs\2008_05_22.log
c:\program files\Netcom3 Cleaner\Logs\2008_05_23.log
c:\program files\Netcom3 Cleaner\Logs\2008_05_24.log
c:\program files\Netcom3 Cleaner\Logs\2008_05_25.log
c:\program files\Netcom3 Cleaner\Logs\2008_05_26.log
c:\program files\Netcom3 Cleaner\Logs\2008_05_27.log
c:\program files\Netcom3 Cleaner\Logs\2008_05_28.log
c:\program files\Netcom3 Cleaner\Logs\2008_05_29.log
c:\program files\Netcom3 Cleaner\Logs\2008_05_30.log
c:\program files\Netcom3 Cleaner\Logs\2008_05_31.log
c:\program files\Netcom3 Cleaner\Logs\2008_06_01.log
c:\program files\Netcom3 Cleaner\Logs\2008_06_02.log
c:\program files\Netcom3 Cleaner\Logs\2008_06_03.log
c:\program files\Netcom3 Cleaner\Logs\2008_06_04.log
c:\program files\Netcom3 Cleaner\Logs\2008_06_05.log
c:\program files\Netcom3 Cleaner\Logs\2008_06_09.log
c:\program files\Netcom3 Cleaner\Logs\2008_06_10.log
c:\program files\Netcom3 Cleaner\Logs\2008_06_11.log
c:\program files\Netcom3 Cleaner\Logs\2008_06_12.log
c:\program files\Netcom3 Cleaner\Logs\2008_06_13.log
c:\program files\Netcom3 Cleaner\Logs\2008_06_14.log
c:\program files\Netcom3 Cleaner\Logs\2008_06_15.log
c:\program files\Netcom3 Cleaner\Logs\2008_06_16.log
c:\program files\Netcom3 Cleaner\Logs\2008_06_17.log
c:\program files\Netcom3 Cleaner\Logs\2008_06_18.log
c:\program files\Netcom3 Cleaner\Logs\2008_06_19.log
c:\program files\Netcom3 Cleaner\Logs\2008_06_20.log
c:\program files\Netcom3 Cleaner\Logs\2008_06_21.log
c:\program files\Netcom3 Cleaner\Logs\2008_06_22.log
c:\program files\Netcom3 Cleaner\Logs\2008_06_23.log
c:\program files\Netcom3 Cleaner\Logs\2008_06_24.log
c:\program files\Netcom3 Cleaner\Logs\2008_06_25.log
c:\program files\Netcom3 Cleaner\Logs\2008_06_26.log
c:\program files\Netcom3 Cleaner\Logs\2008_06_27.log
c:\program files\Netcom3 Cleaner\Logs\2008_06_28.log
c:\program files\Netcom3 Cleaner\Logs\2008_06_29.log
c:\program files\Netcom3 Cleaner\Logs\2008_06_30.log
c:\program files\Netcom3 Cleaner\Logs\2008_07_01.log
c:\program files\Netcom3 Cleaner\Logs\2008_07_02.log
c:\program files\Netcom3 Cleaner\Logs\2008_07_03.log
c:\program files\Netcom3 Cleaner\Logs\2008_07_04.log
c:\program files\Netcom3 Cleaner\Logs\2008_07_05.log
c:\program files\Netcom3 Cleaner\Logs\2008_07_06.log
c:\program files\Netcom3 Cleaner\Logs\2008_07_07.log
c:\program files\Netcom3 Cleaner\Logs\2008_07_08.log
c:\program files\Netcom3 Cleaner\Logs\2008_07_09.log
c:\program files\Netcom3 Cleaner\Logs\2008_07_10.log
c:\program files\Netcom3 Cleaner\Logs\2008_07_11.log
c:\program files\Netcom3 Cleaner\Logs\2008_07_12.log
c:\program files\Netcom3 Cleaner\Logs\2008_07_13.log
c:\program files\Netcom3 Cleaner\Logs\2008_07_14.log
c:\program files\Netcom3 Cleaner\Logs\2008_07_15.log
c:\program files\Netcom3 Cleaner\Logs\2008_07_16.log
c:\program files\Netcom3 Cleaner\Logs\2008_07_17.log
c:\program files\Netcom3 Cleaner\Logs\2008_07_18.log
c:\program files\Netcom3 Cleaner\Logs\2008_08_27.log
c:\program files\Netcom3 Cleaner\Logs\2008_08_28.log
c:\program files\Netcom3 Cleaner\Logs\2008_08_30.log
c:\program files\Netcom3 Cleaner\Logs\2008_08_31.log
c:\program files\Netcom3 Cleaner\Logs\2008_09_01.log
c:\program files\Netcom3 Cleaner\Logs\2008_09_02.log
c:\program files\Netcom3 Cleaner\Logs\2008_09_03.log
c:\program files\Netcom3 Cleaner\Logs\2008_09_04.log
c:\program files\Netcom3 Cleaner\Logs\2008_09_06.log
c:\program files\Netcom3 Cleaner\Logs\2008_09_07.log
c:\program files\Netcom3 Cleaner\Logs\2008_09_08.log
c:\program files\Netcom3 Cleaner\Logs\2008_09_09.log
c:\program files\Netcom3 Cleaner\Logs\2008_09_11.log
c:\program files\Netcom3 Cleaner\Logs\2008_09_12.log
c:\program files\Netcom3 Cleaner\Logs\2008_09_13.log
c:\program files\Netcom3 Cleaner\Logs\2008_09_14.log
c:\program files\Netcom3 Cleaner\Logs\2008_09_15.log
c:\program files\Netcom3 Cleaner\Logs\2008_09_16.log
c:\program files\Netcom3 Cleaner\Logs\2008_09_17.log
c:\program files\Netcom3 Cleaner\Logs\2008_09_18.log
c:\program files\Netcom3 Cleaner\Logs\2008_09_22.log
c:\program files\Netcom3 Cleaner\Logs\2008_09_23.log
c:\program files\Netcom3 Cleaner\Logs\2008_09_24.log
c:\program files\Netcom3 Cleaner\Logs\2008_09_25.log
c:\program files\Netcom3 Cleaner\Logs\2008_09_29.log
c:\program files\Netcom3 Cleaner\Logs\2008_09_30.log
c:\program files\Netcom3 Cleaner\Logs\2008_10_01.log
c:\program files\Netcom3 Cleaner\Logs\2008_10_02.log
c:\program files\Netcom3 Cleaner\Logs\2008_10_04.log
c:\program files\Netcom3 Cleaner\Logs\2008_10_05.log
c:\program files\Netcom3 Cleaner\Logs\2008_10_06.log
c:\program files\Netcom3 Cleaner\Logs\2008_10_07.log
c:\program files\Netcom3 Cleaner\Logs\2008_10_08.log
c:\program files\Netcom3 Cleaner\Logs\2008_11_05.log
c:\program files\Netcom3 Cleaner\MFC71.dll
c:\program files\Netcom3 Cleaner\msvcp71.dll
c:\program files\Netcom3 Cleaner\msvcr71.dll
c:\program files\Netcom3 Cleaner\PscMonitor.dll
c:\program files\Netcom3 Cleaner\PscMonitor.exe
c:\program files\Netcom3 Cleaner\RegistryChecker.dll
c:\program files\Netcom3 Cleaner\RegManagers.dll
c:\program files\Netcom3 Cleaner\SpyClean.exe
c:\program files\Netcom3 Cleaner\SpyGuard.dll
c:\program files\Netcom3 Cleaner\SpywareRemover.dll
c:\program files\Netcom3 Cleaner\unins000.dat
c:\program files\Netcom3 Cleaner\unins000.exe
c:\windows\IE4 Error Log.txt
c:\windows\svchost.exe
c:\windows\system32\cfgbkeqd.dll
c:\windows\system32\wmcache.nld

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_POWERMANAGER


((((((((((((((((((((((((( Files Created from 2008-10-05 to 2008-11-05 )))))))))))))))))))))))))))))))
.

2008-11-05 10:34 . 2008-11-05 10:34 <DIR> d-------- C:\AC-FIX

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-11-06 01:00 --------- d-----w c:\program files\Lx_cats
2008-11-05 19:09 196,608 ----a-w c:\windows\system32\drivers\nStandard.bin
2008-10-05 03:14 --------- d-----w c:\program files\RadLight
2008-10-01 03:19 --------- d-----w c:\documents and settings\Jeka\Application Data\Winamp
2008-09-18 00:23 7,780 ----a-w c:\documents and settings\Jeka\FMCodec.dat
2008-09-18 00:23 4 ----a-w c:\documents and settings\Jeka\WFSCHDL.dat
2008-09-11 17:01 2,516 --sha-w c:\documents and settings\All Users\Application Data\KGyGaAvL.sys
2008-05-12 08:11 8 -csh--r c:\documents and settings\All Users\Application Data\52DF72FF22.sys
2005-09-12 13:52 12,678,535 -c--a-w c:\program files\e_guide.pdf
.

((((((((((((((((((((((((((((( snapshot@2008-11-05_10.54.22.68 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-11-06 01:02:02 58,596 ----a-w c:\windows\system32\perfc009.dat
+ 2008-11-05 18:56:27 58,596 ----a-w c:\windows\system32\perfc009.dat
- 2008-11-06 01:02:02 392,296 ----a-w c:\windows\system32\perfh009.dat
+ 2008-11-05 18:56:27 392,296 ----a-w c:\windows\system32\perfh009.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-03 15360]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Nero\Lib\NMBgMonitor.exe" [2007-09-20 202024]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-06-28 8466432]
"ASUSGamerOSD"="c:\program files\ASUS\GamerOSD\GamerOSD.exe" [2007-07-12 380928]
"WinFastDTV"="c:\program files\WinFast\WFDTV\DTVSchdl.exe" [2007-02-12 69632]
"WinFast Schedule"="c:\program files\WinFast\WFDTV\WFWIZ.exe" [2007-02-12 397312]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-26 31016]
"NeroFilterCheck"="c:\program files\Common Files\Nero\Lib\NeroCheck.exe" [2007-03-01 188464]
"NBKeyScan"="c:\program files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe" [2007-09-20 1836328]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-06-28 81920]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_02\bin\jusched.exe" [2007-07-12 132496]
"lxdcamon"="c:\program files\Lexmark 1300 Series\lxdcamon.exe" [2007-02-05 20480]
"LXDCCATS"="c:\windows\System32\spool\DRIVERS\W32X86\3\LXDCtime.dll" [2007-01-22 102400]
"nwiz"="nwiz.exe" [2007-06-28 c:\windows\system32\nwiz.exe]
"RTHDCPL"="RTHDCPL.EXE" [2007-05-10 c:\windows\RTHDCPL.exe]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"wscsvc"=2 (0x2)
"SharedAccess"=2 (0x2)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=

R2 lxdc_device;lxdc_device;c:\windows\system32\lxdccoms.exe [2007-02-12 537520]
R2 PowerManager;Power Manager;c:\windows\svchost.exe [2001-08-24 36352]
R2 PSI_SVC_2;Protexis Licensing V2;c:\program files\Common Files\Protexis\License Service\PsiService_2.exe [2007-07-24 185632]
R3 asusgsb;ASUS Virtual Video Capture Device Driver;c:\windows\system32\drivers\asusgsb.sys [2007-07-12 12416]
R3 Video3D;ASUS Video3D Service;c:\windows\system32\Drivers\Video3D32.sys [2007-07-12 10752]
R3 WFIOCTL;WFIOCTL;c:\program files\WinFast\WFDTV\WFIOCTL.SYS [2005-01-06 9446]

*Newly Created Service* - POWERMANAGER
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, gmer.net
Rootkit scan 2008-11-05 12:15:44
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\rundll32.exe
d:\pomocni programi\matlab\webserver\bin\win32\matlabserver.exe
c:\program files\Nero\Nero8\Nero BackItUp\NBService.exe
c:\windows\system32\nvsvc32.exe
c:\program files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
c:\windows\system32\wdfmgr.exe
c:\program files\Common Files\Nero\Lib\NMIndexingService.exe
c:\program files\Common Files\Nero\Lib\NMIndexStoreSvr.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2008-11-05 12:18:12 - machine was rebooted
ComboFix-quarantined-files.txt 2008-11-05 20:18:10
ComboFix2.txt 2008-11-05 18:54:38

Pre-Run: 1,929,166,848 bytes free
Post-Run: 1,916,526,592 bytes free

I don't have one :-( I had one before, but a friend who was trying to "fix" the computer apparently messed something up and deleted it... I'll install NOD32

  • dr_Bora  Male
  • Anti Malware Fighter
    Rank 2
  • Joined: 24 Jul 2007
  • Posts: 12280
  • Location: Höganäs, SE

Don't install NOD. avast! is better suited for this problem.

http://www.avast.com/eng/avast_4_home.html

Install it and then report back - you'll get further instructions.
