Posted: 26 Nov 2008 14:58
- blagojer
- New MyCity citizen
- Joined: 26 Nov 2008
- Posts: 6
Hello,
I have a problem with the above-mentioned viruses. I installed Total Commander and Unlocker, but when I delete these folders they come back within a few seconds. In addition, when the network (LAN) is on, AutoCAD runs noticeably slower. Here is the log file
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 14:43:17, on 26.11.2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\Program Files\Unlocker\UnlockerAssistant.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\drivers\CDAC11BA.EXE
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Autodesk Map 3D 2006\acad.exe
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\AdskCleanup.0001
C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
C:\Program Files\Common Files\Autodesk Shared\WSCommCntr1.exe
C:\Documents and Settings\Administrator\Desktop\123\TR3.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = google.co.uk/ie
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = google.co.uk
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = google.co.uk/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = google.co.uk/ie
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: IEHlprObj Class - {CE7C3CF0-4B15-11D1-ABED-709549C10000} - C:\WINDOWS\system32\dse235rgd0.dll
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Program Files\Unlocker\UnlockerAssistant.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [kxva] C:\WINDOWS\system32\kxvo.exe
O4 - HKUS\S-1-5-19\..\RunOnce: [nlpo_01] cmd.exe /c md "%USERPROFILE%\Local Settings\Temp" (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [nlpo_02] rundll32 advpack.dll,DelNodeRunDLL32 "%SystemRoot%\System32\dllcache" (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [nlpo_03] cmd.exe /c md "%SystemRoot%\System32\dllcache" (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [nlpo_04] cmd.exe /C move /Y "%SystemRoot%\System32\syssetub.dll" "%SystemRoot%\System32\syssetup.dll" (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [nlpo_05] rundll32 advpack.dll,LaunchINFSection nlite.inf,nLiteReg (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [nlpo_06] rundll32 advpack.dll,LaunchINFSection nlite.inf,S (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [nlpo_01] cmd.exe /c md "%USERPROFILE%\Local Settings\Temp" (User 'NETWORK SERVICE')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{3C1EA2ED-6F27-4987-8D95-B1FA288644BC}: NameServer = 192.168.0.1
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\system32\drivers\CDAC11BA.EXE
O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Service Starter: FireFox (SRVStarter_FireFox) - Eng. Usama El-Mokadem - C:\WINDOWS\system32\SuStur.exe
O23 - Service: Service Starter: svchost (SRVStarter_svchost) - Eng. Usama El-Mokadem - C:\WINDOWS\system32\SuStur.exe
--
End of file - 4570 bytes
Addendum: 26 Nov 2008 14:58
I forgot to mention that I constantly have problems with these viruses, such as buis.exe. The viruses are currently on the C and D partitions; there is no USB stick in the computer!
Posted: 26 Nov 2008 15:18
- Piksi
- Elite citizen
- Joined: 13 Nov 2003
- Posts: 2435
Hello...
* Open the NOD32 Control Center (click its tray icon in the bottom right corner of the screen).
* Select AMON from the Threat Protection group of options.
* In the right panel, untick the option File system monitor (AMON) enabled.
* Turning this option off will be shown by the Control Center changing colour from green to red.
Note: Don't forget to turn this option back on once the cleaning is finished.
----------------------------------------
Download ComboFix from one of the following addresses to the Desktop:
http://download.bleepingcomputer.com/sUBs/ComboFix.exe
http://www.forospyware.com/sUBs/ComboFix.exe
http://subs.geekstogo.com/ComboFix.exe
Run it and don't touch the program window while it scans.
Follow the on-screen instructions. When it finishes, a log (C:\ComboFix.txt) will appear; paste it here for us.
Posted: 27 Nov 2008 10:52
- blagojer
- New MyCity citizen
- Joined: 26 Nov 2008
- Posts: 6
I infected another computer with the IDENTICAL problem when I put the USB stick of the previous computer's owner into the second computer!!!
ComboFix 08-11-26.03 - Administrator 2008-11-27 10:44:01.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1627 [GMT 0:00]
Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
* Created a new restore point
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\6ej0cbn.bat
C:\autorun.inf
c:\documents and settings\Administrator\ravmonlog
C:\fbeh81k.cmd
c:\windows\system32\dse235rgd0.dll
c:\windows\system32\kxvo.exe
c:\windows\system32\wedasgads0.dll
c:\windows\system32\wedasgads1.dll
D:\6ej0cbn.bat
D:\Autorun.inf
D:\fbeh81k.cmd
.
((((((((((((((((((((((((( Files Created from 2008-10-27 to 2008-11-27 )))))))))))))))))))))))))))))))
.
2008-11-26 13:30 . 2008-11-26 13:42 <DIR> d-------- c:\program files\TotalCmd
2008-11-26 09:40 . 2008-11-26 15:46 <DIR> d-------- c:\program files\Unlocker
2008-11-26 09:35 . 2008-01-07 14:29 352 --ah----- c:\windows\nod32fixtemdono.reg
2008-11-26 09:34 . 2008-11-26 09:34 <DIR> d-------- c:\program files\ESET
2008-11-26 09:34 . 2008-11-26 09:34 <DIR> d-------- c:\documents and settings\All Users\Application Data\ESET
2008-11-10 11:58 . 2003-10-14 10:52 45,056 -ra------ c:\windows\system32\msxml4a.dll
2008-11-10 11:54 . 2008-11-10 12:43 232 --a------ c:\windows\hpdj130.his
2008-11-10 11:54 . 2008-11-10 12:43 56 --a------ c:\windows\hpdj130.ini
2008-11-10 08:34 . 2008-11-10 08:34 <DIR> d-------- c:\documents and settings\Administrator\Application Data\HP
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-11-26 09:43 --------- d-----w c:\program files\TeleCAD-GIS 2006
2008-11-26 09:32 --------- d-----w c:\program files\Symantec AntiVirus
2008-11-26 09:32 --------- d-----w c:\program files\Symantec
2008-11-26 09:32 --------- d-----w c:\program files\Common Files\Symantec Shared
2008-11-26 09:32 --------- d-----w c:\documents and settings\All Users\Application Data\Symantec
2008-11-10 11:58 --------- d-----w c:\program files\Hewlett-Packard
2008-11-10 11:57 --------- d--h--w c:\program files\InstallShield Installation Information
2008-10-07 15:07 1,105,537 ----a-w C:\RealCom.exe
2008-09-29 14:37 24,428 --sha-w c:\windows\system32\ortecxar.pif
2008-09-29 14:24 4,685 --sha-w c:\windows\system32\wrda.sys
1997-06-23 03:00 123,664 --sha-w c:\windows\system32\Msjint35.dll
1997-06-23 12:06 24,848 --sha-w c:\windows\system32\Msjter35.dll
1997-06-23 12:06 252,176 --sha-w c:\windows\system32\Msrd2x35.dll
1997-06-23 12:06 287,504 --sha-w c:\windows\system32\Msxbse35.dll
2007-03-23 15:52 56,552 --sha-w c:\windows\system32\SuStur.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2006-10-01 15360]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"egui"="c:\program files\ESET\ESET NOD32 Antivirus\egui.exe" [2007-12-21 1443072]
"UnlockerAssistant"="c:\program files\Unlocker\UnlockerAssistant.exe" [2006-09-07 15872]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"ForceClassicControlPanel"= 1 (0x1)
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoResolveTrack"= 1 (0x1)
"NoResolveSearch"= 1 (0x1)
"NoSMConfigurePrograms"= 1 (0x1)
"NoSMBalloonTip"= 1 (0x1)
[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoResolveTrack"= 1 (0x1)
"NoResolveSearch"= 1 (0x1)
"NoSMConfigurePrograms"= 1 (0x1)
"NoSMBalloonTip"= 1 (0x1)
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.dvacm"= c:\progra~1\COMMON~1\ULEADS~1\Vio\Dvacm.acm
"vidc.CUVC"= cuvccodc.dll
"vidc.CLLC"= cllccodc.dll
"vidc.CDVC"= cdvccodc.dll
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^AutoCAD Startup Accelerator.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\AutoCAD Startup Accelerator.lnk
backup=c:\windows\pss\AutoCAD Startup Accelerator.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^InterVideo WinCinema Manager.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\InterVideo WinCinema Manager.lnk
backup=c:\windows\pss\InterVideo WinCinema Manager.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--------- 2006-09-17 06:53 1694208 c:\program files\Messenger\msmsgs.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2001-07-09 11:50 155648 c:\windows\system32\NeroCheck.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
--a------ 2006-09-01 18:54 7630848 c:\windows\system32\nvcpl.dll
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
--a------ 2006-09-01 18:54 86016 c:\windows\system32\nvmctray.dll
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-04-02 16:18 98304 c:\program files\QuickTime\qttask.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
--------- 2004-11-02 20:24 32768 c:\program files\ASUSTeK\ASUSDVD\PDVDServ.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\High Definition Audio Property Page Shortcut]
--a------ 2006-07-27 14:44 61952 c:\windows\system32\CHDAudPropShortcut.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
--a------ 2006-09-01 18:54 1519616 c:\windows\system32\nwiz.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"SavRoam"=3 (0x3)
"LightScribeService"=2 (0x2)
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001
"AntiVirusDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"18375:TCP"= 18375:TCP:NortonAV
"14204:TCP"= 14204:TCP:NortonAV
"12242:TCP"= 12242:TCP:NortonAV
"16096:TCP"= 16096:TCP:NortonAV
R1 epfwtdir;epfwtdir;c:\windows\system32\DRIVERS\epfwtdir.sys [2007-12-21 33800]
S2 SRVStarter_FireFox;Service Starter: FireFox;"c:\windows\system32\SuStur.exe" /Name:SRVStarter_FireFox /App:"c:\windows\system32\svchost.com" [2008-10-07 56552]
S2 SRVStarter_svchost;Service Starter: svchost;"c:\windows\system32\SuStur.exe" /Name:SRVStarter_svchost /App:"c:\winnt\system32\svchost.com" [2008-10-07 56552]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{0ee76210-8d4f-11dc-b8a0-001636e619c4}]
\Shell\AutoRun\command - F:\fbeh81k.cmd
\Shell\explore\Command - F:\fbeh81k.cmd
\Shell\open\Command - F:\fbeh81k.cmd
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{3d35ed76-1058-11dd-b996-001636e619c4}]
\Shell\AutoOpen\command - .\MSOCache\90000804-6000-11D3-8CFE-0150048383C9\KB915865.exe
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL .\MSOCache\90000804-6000-11D3-8CFE-0150048383C9\KB915865.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{abf6e0b2-f00f-11dc-b957-001636e619c4}]
\Shell\AutoRun\command - F:\AUTORUN.EXE
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b83dd782-b0ed-11dd-ba75-001636e619c4}]
\Shell\AutoRun\command - F:\buis.exe
\Shell\explore\Command - F:\buis.exe
\Shell\open\Command - F:\buis.exe
*Newly Created Service* - PROCEXP90
.
- - - - ORPHANS REMOVED - - - -
Notify-NavLogon - (no file)
MSConfigStartUp-RoxioAudioCentral - c:\program files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe
MSConfigStartUp-RoxioDragToDisc - c:\program files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe
MSConfigStartUp-RoxioEngineUtility - c:\program files\Common Files\Roxio Shared\System\EngUtil.exe
.
------- File Associations -------
.
txtfile=c:\windows\notepad.exe %1
.
**************************************************************************
catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, gmer.net
Rootkit scan 2008-11-27 10:44:57
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\SRVStarter_FireFox]
"ImagePath"="\"c:\windows\system32\SuStur.exe\" /Name:SRVStarter_FireFox /App:\"c:\WINDOWS\system32\svchost.com\""
[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\SRVStarter_svchost]
"ImagePath"="\"c:\windows\system32\SuStur.exe\" /Name:SRVStarter_svchost /App:\"c:\WINNT\system32\svchost.com\""
.
Completion time: 2008-11-27 10:45:25
ComboFix-quarantined-files.txt 2008-11-27 10:45:21
Pre-Run: 39.353.909.248 bytes free
Post-Run: 39,766,470,656 bytes free
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
Posted: 27 Nov 2008 17:17
- Piksi
- Elite citizen
- Joined: 13 Nov 2003
- Posts: 2435
Open Notepad and copy the following text:
File::
C:\WINDOWS\system32\ortecxar.pif
C:\WINDOWS\system32\wrda.sys
c:\windows\system32\SuStur.exe
C:\RealCom.exe
Driver::
SRVStarter_FireFox
SRVStarter_svchost
Registry::
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"18375:TCP"=-
"14204:TCP"=-
"12242:TCP"=-
"16096:TCP"=-
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{0ee76210-8d4f-11dc-b8a0-001636e619c4}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{3d35ed76-1058-11dd-b996-001636e619c4}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b83dd782-b0ed-11dd-ba75-001636e619c4}]
Save the Notepad file to the Desktop as "CFScript"
Drag the saved script/text onto the ComboFix icon as in the picture.
Post in the next message the log that is created at the end of the cleaning/scan.
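The three mountpoints2 keys deleted by the CFScript above are the ones whose AutoRun, explore and open verbs were redirected to F:\fbeh81k.cmd and F:\buis.exe in the earlier ComboFix log. The following Python script is an added example, not part of this thread and not ComboFix's own code: it parses a mountpoints2 section (the sample is copied from that log), flags entries showing the worm pattern, and prints the matching CFScript Registry:: deletion lines. The flagging rules (open/explore redirected to the AutoRun target, or a .cmd/.bat/.pif/.vbs/.scr command) are my own heuristic; they do not catch the {3d35ed76...} MSOCache entry, which is left for manual review.

```python
"""Flag autorun-worm entries in the mountpoints2 section of a ComboFix log.

MountPoints2 remembers, per drive GUID, which command Explorer runs for the
AutoRun/open/explore verbs of a removable drive. USB worms of the kind in this
thread (fbeh81k.cmd, buis.exe) redirect all three verbs to their own file so the
payload also runs on double-click or right-click "Explore".
"""
import re

# Constructed sample: the mountpoints2 keys copied from the first ComboFix log in the thread.
SAMPLE_LOG = r"""
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{0ee76210-8d4f-11dc-b8a0-001636e619c4}]
\Shell\AutoRun\command - F:\fbeh81k.cmd
\Shell\explore\Command - F:\fbeh81k.cmd
\Shell\open\Command - F:\fbeh81k.cmd
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{3d35ed76-1058-11dd-b996-001636e619c4}]
\Shell\AutoOpen\command - .\MSOCache\90000804-6000-11D3-8CFE-0150048383C9\KB915865.exe
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL .\MSOCache\90000804-6000-11D3-8CFE-0150048383C9\KB915865.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{abf6e0b2-f00f-11dc-b957-001636e619c4}]
\Shell\AutoRun\command - F:\AUTORUN.EXE
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b83dd782-b0ed-11dd-ba75-001636e619c4}]
\Shell\AutoRun\command - F:\buis.exe
\Shell\explore\Command - F:\buis.exe
\Shell\open\Command - F:\buis.exe
"""

KEY_RE = re.compile(r"^\[(HKEY_[^\]]*\\mountpoints2\\\{([0-9a-f-]{36})\})\]$", re.IGNORECASE)
VERB_RE = re.compile(r"^\\Shell\\([A-Za-z]+)\\command\s+-\s+(.+)$", re.IGNORECASE)
# Extensions that have no business being a drive's AutoRun handler (assumption: heuristic list).
SCRIPT_EXT = (".cmd", ".bat", ".pif", ".vbs", ".scr")


def parse_mountpoints(text):
    """Return {guid: {"key": full registry key, "verbs": {verb: command}}}."""
    entries, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        key = KEY_RE.match(line)
        if key:
            current = key.group(2).lower()
            entries[current] = {"key": key.group(1), "verbs": {}}
            continue
        verb = VERB_RE.match(line)
        if verb and current:
            entries[current]["verbs"][verb.group(1).lower()] = verb.group(2).strip()
        elif line.startswith("["):
            current = None  # a different registry key begins; stop attributing verbs
    return entries


def assess(entry):
    """Heuristic reasons an entry looks like a worm; an empty list means 'review manually'."""
    verbs = entry["verbs"]
    reasons = []
    autorun = verbs.get("autorun", "").lower()
    # Worm pattern: double-click (open) and right-click Explore run the same file as AutoRun.
    hijacked = [v for v in ("open", "explore") if autorun and verbs.get(v, "").lower() == autorun]
    if hijacked:
        reasons.append("%s redirected to the AutoRun target %s" % ("/".join(hijacked), verbs["autorun"]))
    for cmd in sorted(set(verbs.values())):
        if cmd.lower().endswith(SCRIPT_EXT):
            reasons.append("command runs a script file: %s" % cmd)
    return reasons


def flag_entries(entries):
    """Subset of entries for which assess() found at least one reason."""
    return {guid: e for guid, e in entries.items() if assess(e)}


def cfscript_lines(flagged):
    """CFScript Registry:: section; a leading '-' inside the brackets deletes the whole key."""
    return ["Registry::"] + ["[-%s]" % e["key"] for _, e in sorted(flagged.items())]


if __name__ == "__main__":
    found = parse_mountpoints(SAMPLE_LOG)
    for guid, entry in found.items():
        reasons = assess(entry)
        print(guid, "FLAGGED: " + "; ".join(reasons) if reasons else "review manually")
    print("\n".join(cfscript_lines(flag_entries(found))))
```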
Posted: 28 Nov 2008 09:22
- blagojer
- New MyCity citizen
- Joined: 26 Nov 2008
- Posts: 6
ComboFix 08-11-26.03 - Administrator 2008-11-28 9:13:22.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1660 [GMT 0:00]
Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Administrator\Desktop\CFScript.txt.txt
* Created a new restore point
* Resident AV is active
FILE ::
C:\RealCom.exe
c:\windows\system32\ortecxar.pif
c:\windows\system32\SuStur.exe
c:\windows\system32\wrda.sys
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\RealCom.exe
c:\windows\system32\ortecxar.pif
c:\windows\system32\SuStur.exe
c:\windows\system32\wrda.sys
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_SRVSTARTER_FIREFOX
-------\Legacy_SRVSTARTER_SVCHOST
-------\Service_SRVStarter_FireFox
-------\Service_SRVStarter_svchost
((((((((((((((((((((((((( Files Created from 2008-10-28 to 2008-11-28 )))))))))))))))))))))))))))))))
.
2008-11-28 07:48 . 2008-11-28 07:48 <DIR> d-------- c:\windows\system32\xircom
2008-11-28 07:48 . 2008-11-28 07:48 <DIR> d--hs---- c:\windows\system32\dllcache
2008-11-28 07:48 . 2008-11-28 07:48 <DIR> d-------- c:\program files\microsoft frontpage
2008-11-26 13:30 . 2008-11-26 13:42 <DIR> d-------- c:\program files\TotalCmd
2008-11-26 09:40 . 2008-11-26 15:46 <DIR> d-------- c:\program files\Unlocker
2008-11-26 09:35 . 2008-01-07 14:29 352 --ah----- c:\windows\nod32fixtemdono.reg
2008-11-26 09:34 . 2008-11-26 09:34 <DIR> d-------- c:\program files\ESET
2008-11-26 09:34 . 2008-11-26 09:34 <DIR> d-------- c:\documents and settings\All Users\Application Data\ESET
2008-11-10 11:58 . 2003-10-14 10:52 45,056 -ra------ c:\windows\system32\msxml4a.dll
2008-11-10 11:54 . 2008-11-10 12:43 232 --a------ c:\windows\hpdj130.his
2008-11-10 11:54 . 2008-11-10 12:43 56 --a------ c:\windows\hpdj130.ini
2008-11-10 08:34 . 2008-11-10 08:34 <DIR> d-------- c:\documents and settings\Administrator\Application Data\HP
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-11-27 15:16 --------- d-----w c:\program files\TeleCAD-GIS 2006
2008-11-26 09:32 --------- d-----w c:\program files\Symantec AntiVirus
2008-11-26 09:32 --------- d-----w c:\program files\Symantec
2008-11-26 09:32 --------- d-----w c:\program files\Common Files\Symantec Shared
2008-11-26 09:32 --------- d-----w c:\documents and settings\All Users\Application Data\Symantec
2008-11-10 11:58 --------- d-----w c:\program files\Hewlett-Packard
2008-11-10 11:57 --------- d--h--w c:\program files\InstallShield Installation Information
1997-06-23 03:00 123,664 --sha-w c:\windows\system32\Msjint35.dll
1997-06-23 12:06 24,848 --sha-w c:\windows\system32\Msjter35.dll
1997-06-23 12:06 252,176 --sha-w c:\windows\system32\Msrd2x35.dll
1997-06-23 12:06 287,504 --sha-w c:\windows\system32\Msxbse35.dll
.
((((((((((((((((((((((((((((( snapshot@2008-11-27_10.45.04,64 )))))))))))))))))))))))))))))))))))))))))
.
+ 2005-10-20 20:02:28 163,328 ----a-w c:\windows\ERDNT\subs\ERDNT.EXE
- 2008-11-27 07:07:58 58,998 ----a-w c:\windows\system32\perfc009.dat
+ 2008-11-28 07:58:09 58,998 ----a-w c:\windows\system32\perfc009.dat
- 2008-11-27 07:07:58 392,864 ----a-w c:\windows\system32\perfh009.dat
+ 2008-11-28 07:58:09 392,864 ----a-w c:\windows\system32\perfh009.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2006-10-01 15360]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"egui"="c:\program files\ESET\ESET NOD32 Antivirus\egui.exe" [2007-12-21 1443072]
"UnlockerAssistant"="c:\program files\Unlocker\UnlockerAssistant.exe" [2006-09-07 15872]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"ForceClassicControlPanel"= 1 (0x1)
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoResolveTrack"= 1 (0x1)
"NoResolveSearch"= 1 (0x1)
"NoSMConfigurePrograms"= 1 (0x1)
"NoSMBalloonTip"= 1 (0x1)
[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoResolveTrack"= 1 (0x1)
"NoResolveSearch"= 1 (0x1)
"NoSMConfigurePrograms"= 1 (0x1)
"NoSMBalloonTip"= 1 (0x1)
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.dvacm"= c:\progra~1\COMMON~1\ULEADS~1\Vio\Dvacm.acm
"vidc.CUVC"= cuvccodc.dll
"vidc.CLLC"= cllccodc.dll
"vidc.CDVC"= cdvccodc.dll
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^AutoCAD Startup Accelerator.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\AutoCAD Startup Accelerator.lnk
backup=c:\windows\pss\AutoCAD Startup Accelerator.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^InterVideo WinCinema Manager.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\InterVideo WinCinema Manager.lnk
backup=c:\windows\pss\InterVideo WinCinema Manager.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--------- 2006-09-17 06:53 1694208 c:\program files\Messenger\msmsgs.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2001-07-09 11:50 155648 c:\windows\system32\NeroCheck.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
--a------ 2006-09-01 18:54 7630848 c:\windows\system32\nvcpl.dll
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
--a------ 2006-09-01 18:54 86016 c:\windows\system32\nvmctray.dll
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-04-02 16:18 98304 c:\program files\QuickTime\qttask.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
--------- 2004-11-02 20:24 32768 c:\program files\ASUSTeK\ASUSDVD\PDVDServ.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\High Definition Audio Property Page Shortcut]
--a------ 2006-07-27 14:44 61952 c:\windows\system32\CHDAudPropShortcut.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
--a------ 2006-09-01 18:54 1519616 c:\windows\system32\nwiz.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"SavRoam"=3 (0x3)
"LightScribeService"=2 (0x2)
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001
"AntiVirusDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
R1 epfwtdir;epfwtdir;c:\windows\system32\DRIVERS\epfwtdir.sys [2007-12-21 33800]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{abf6e0b2-f00f-11dc-b957-001636e619c4}]
\Shell\AutoRun\command - F:\AUTORUN.EXE
.
**************************************************************************
catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, gmer.net
Rootkit scan 2008-11-28 09:15:41
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\drivers\CDAC11BA.EXE
c:\program files\ESET\ESET NOD32 Antivirus\ekrn.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\windows\system32\wdfmgr.exe
.
**************************************************************************
.
Completion time: 2008-11-28 9:16:50 - machine was rebooted
ComboFix-quarantined-files.txt 2008-11-28 09:16:48
ComboFix2.txt 2008-11-27 10:45:26
Pre-Run: 39.759.441.920 bytes free
Post-Run: 39,677,079,552 bytes free
Posted: 28 Nov 2008 09:44
- blagojer
- New MyCity citizen
- Joined: 26 Nov 2008
- Posts: 6
It seems to be working OK; all the viruses known to me have been deleted. I just don't know what to do about the USB sticks! Now wherever I put a USB stick I carry the problem over. By the way, this is an office with 5 computers, and this was one of them... Is there some small program that can be installed on a USB stick so that it doesn't let in at least these standard viruses? Like that USB blocker, but to protect the USB stick rather than the computer?
Posted: 28 Nov 2008 09:46
- Piksi
- Elite citizen
- Joined: 13 Nov 2003
- Posts: 2435
Let's first sort out those USB sticks ->
Download the following program - http://amf.mycity.rs/personal/bobby/USB_blocker/usb_blocker.exe
- run it and choose the Auto block option
- insert a USB stick into the computer and wait a few seconds (say 5-10 seconds)
- the program has now analysed the stick (visible in the lower part of the program, in the log)
- at the top left, double-click the letter that denotes the partition, i.e. your USB stick
- at the bottom, next to the clock, a message will appear saying you may remove the USB stick from the computer
- don't close the program; insert the next USB stick and wait a couple of seconds for it as well, and so on for all the sticks, MP3 players, mobile phones
- remember the order in which the sticks were inserted
When you finish all that, the log in the lower part of the program will contain all the data I need to see which stick is infected.
Right-click the log/report and choose Save log.
Notepad will open automatically with the report in it.
Paste that report here on the forum for me.
Posted: 28 Nov 2008 10:08
- blagojer
- New MyCity citizen
- Joined: 26 Nov 2008
- Posts: 6
If it means anything to you, I took the liberty of running ComboFix in the meantime on all the computers with the USB sticks inserted
USB_blocker by bobby
Started at 28.11.2008 9:54:08
Scanning for connected USB Mass storage...
========================================
========================================
Scanning for other storage...
========================================
C: 26f6549b-b749-11dd-baa4-806d6172696f
D: 26f6549c-b749-11dd-baa4-806d6172696f
========================================
Scanning fixed storage for autorun.inf files...
========================================
========================================
New device connected at 28.11.2008 9:57:10
Scanning for connected USB Mass storage...
========================================
F: a859b8b4-bba2-11dd-ab43-001b38ca2652
========================================
Scanning USB mass storage for autorun.inf and desktop.ini files...
========================================
Sanitizing Shell Menu...
No key for GUID: a859b8b4-bba2-11dd-ab43-001b38ca2652
========================================
New device connected at 28.11.2008 9:58:53
Scanning for connected USB Mass storage...
========================================
F: 3c9ab0cf-bcfe-11dd-ab4b-001b38ca2652
========================================
Scanning USB mass storage for autorun.inf and desktop.ini files...
========================================
desktop.ini found on F:
Sanitizing Shell Menu...
No key for GUID: 3c9ab0cf-bcfe-11dd-ab4b-001b38ca2652
========================================
New device connected at 28.11.2008 10:00:06
Scanning for connected USB Mass storage...
========================================
F: 3c9ab0d1-bcfe-11dd-ab4b-001b38ca2652
========================================
Scanning USB mass storage for autorun.inf and desktop.ini files...
========================================
Sanitizing Shell Menu...
No key for GUID: 3c9ab0d1-bcfe-11dd-ab4b-001b38ca2652
========================================
New device connected at 28.11.2008 10:00:11
Scanning for connected USB Mass storage...
========================================
F: 3c9ab0d1-bcfe-11dd-ab4b-001b38ca2652
========================================
Scanning USB mass storage for autorun.inf and desktop.ini files...
========================================
Sanitizing Shell Menu...
No key for GUID: 3c9ab0d1-bcfe-11dd-ab4b-001b38ca2652
========================================
New device connected at 28.11.2008 10:00:16
Scanning for connected USB Mass storage...
========================================
F: 3c9ab0d1-bcfe-11dd-ab4b-001b38ca2652
========================================
Scanning USB mass storage for autorun.inf and desktop.ini files...
========================================
Sanitizing Shell Menu...
No key for GUID: 3c9ab0d1-bcfe-11dd-ab4b-001b38ca2652
========================================
New device connected at 28.11.2008 10:01:11
Scanning for connected USB Mass storage...
========================================
F: 3c9ab0d2-bcfe-11dd-ab4b-001b38ca2652
========================================
Scanning USB mass storage for autorun.inf and desktop.ini files...
========================================
Sanitizing Shell Menu...
No key for GUID: 3c9ab0d2-bcfe-11dd-ab4b-001b38ca2652
========================================
New device connected at 28.11.2008 10:01:25
Scanning for connected USB Mass storage...
========================================
F: 3c9ab0d2-bcfe-11dd-ab4b-001b38ca2652
========================================
Scanning USB mass storage for autorun.inf and desktop.ini files...
========================================
Sanitizing Shell Menu...
No key for GUID: 3c9ab0d2-bcfe-11dd-ab4b-001b38ca2652
========================================
New device connected at 28.11.2008 10:01:39
Scanning for connected USB Mass storage...
========================================
F: 3c9ab0d2-bcfe-11dd-ab4b-001b38ca2652
========================================
Scanning USB mass storage for autorun.inf and desktop.ini files...
========================================
Sanitizing Shell Menu...
No key for GUID: 3c9ab0d2-bcfe-11dd-ab4b-001b38ca2652
========================================
Posted: 28 Nov 2008 19:57
- Piksi
- Elite citizen
- Joined: 13 Nov 2003
- Posts: 2435
You shouldn't have done that (on your own initiative), but fine. ComboFix did the job...
The only thing I can recommend (apart from USB Blocker Home Edition) is to hold the SHIFT key while inserting the stick.
That way you avoid autorun. Later, with display of hidden files turned on, you can delete all suspicious files.
It remains for us to uninstall ComboFix ->
Click START and then RUN
In the text input line type Combofix /u and click OK
Wait for the uninstall process to finish
The above procedure will:
Delete the following:
ComboFix and its files and folders
the VundoFix Backups folder, if it exists
the C:\Deckard folder, if it exists
the C:\OtMoveIt folder, if it exists
Reset the clock settings on the computer
Hide file extensions, if necessary
Hide system/hidden files/folders, if necessary
Reset System Restore
That's all...