What is infected on my machine?

RJ (SuperModerator):

In the thread about Malwarebytes...
[link visible only to logged-in users] helen suggested to me that I'm rootkitted - what is that about?

Here is the log file from HijackThis:

Scan saved at 17:22:11, on 1.2.2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\RunDll32.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\CpuIdlePro\cpuidle.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Chameleon Clock\ChamClock.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\rundll32.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\svchost.exe
C:\totalcmd\TOTALCMD.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Gadwin Systems\PrintScreen\PrintScreen.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\system32\ping.exe
D:\Novo\Hijack_this\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :
O2 - BHO: (no name) - {16664845-0E00-11D2-8059-000000000000} - C:\Program Files\Common Files\ReGet Shared\Catcher.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: VirtualNetwork module - {6C517674-DE1C-4493-977C-34A1BFAB35BA} - C:\Program Files\VirtualNetwork\VirtualNetwork.dll (file missing)
O2 - BHO: (no name) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O3 - Toolbar: ReGet Bar - {17939A30-18E2-471E-9D3A-56DD725F1215} - C:\Program Files\ReGetDx\iebar.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [CpuIdle] C:\Program Files\CpuIdlePro\cpuidle.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [HomeAlarm] C:\Program Files\Chameleon Clock\ChamClock.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: PowerReg Scheduler V3.exe
O8 - Extra context menu item: Do&wnload by ReGet Deluxe - C:\PROGRA~1\COMMON~1\REGETS~1\CC_Link.htm
O8 - Extra context menu item: Download A&ll by ReGet Deluxe - C:\PROGRA~1\COMMON~1\REGETS~1\CC_All.htm
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - [link visible only to logged-in users]
O17 - HKLM\System\CCS\Services\Tcpip\..\{CD1A55E2-48A6-4477-8D50-05DED312E91C}: NameServer = 10.10.2.69,10.10.2.79

helen1 (Anti Malware Fighter, Rank 2):

You're not listening to me.

This is no good:
[screenshot]

Right-click the program's icon and choose the Rename option:
[screenshot]

Give it some meaningless name, say GH5.EXE or TR3.EXE, or anything else as long as HijackThis isn't mentioned:
[screenshot]

And then post me a new log.


RJ (SuperModerator):

Wait, if I understood you correctly, I unpacked HJ onto the desktop and named it drrr.

Here's the log:

Logfile of HijackThis v1.99.1
Scan saved at 18:07:23, on 1.2.2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\RunDll32.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\CpuIdlePro\cpuidle.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Chameleon Clock\ChamClock.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\rundll32.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Gadwin Systems\PrintScreen\PrintScreen.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\system32\ping.exe
C:\Documents and Settings\vule\Desktop\drrr.exe.exe
C:\Documents and Settings\vule\Desktop\drrr.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :
O2 - BHO: ClickCatcher MSIE handler - {16664845-0E00-11D2-8059-000000000000} - C:\Program Files\Common Files\ReGet Shared\Catcher.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: VirtualNetwork module - {6C517674-DE1C-4493-977C-34A1BFAB35BA} - C:\Program Files\VirtualNetwork\VirtualNetwork.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O3 - Toolbar: ReGet Bar - {17939A30-18E2-471E-9D3A-56DD725F1215} - C:\Program Files\ReGetDx\iebar.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [CpuIdle] C:\Program Files\CpuIdlePro\cpuidle.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [HomeAlarm] C:\Program Files\Chameleon Clock\ChamClock.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: PowerReg Scheduler V3.exe
O8 - Extra context menu item: Do&wnload by ReGet Deluxe - C:\PROGRA~1\COMMON~1\REGETS~1\CC_Link.htm
O8 - Extra context menu item: Download A&ll by ReGet Deluxe - C:\PROGRA~1\COMMON~1\REGETS~1\CC_All.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{CD1A55E2-48A6-4477-8D50-05DED312E91C}: NameServer = 10.10.2.69,10.10.2.79
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe

helen1 (Anti Malware Fighter, Rank 2):

* Right-click the AVG icon in the bottom-right corner of the screen.
* When the AVG Control Center starts, double-click the AVG Resident Shield component.
* In the window that opens, untick the option Turn on AVG Resident Shield and click OK.

Note: don't forget to turn this option back on when the cleaning is finished.

----------------------

Download ComboFix from one of the following addresses to the Desktop:
[link visible only to logged-in users]
[link visible only to logged-in users]
[link visible only to logged-in users]

Run it and don't touch the program window while it's scanning.
Follow the instructions on screen. When it finishes, a log will appear (C:\ComboFix.txt), which you will copy here for us.


RJ (SuperModerator):

Here's the CF log...

ComboFix 09-02-01.01 - vule 2009-02-02 11:10:59.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1250.381.1033.18.511.256 [GMT 1:00]
Running from: d:\novo\DL2\ComboFix.exe
AV: AVG 7.5.552 *On-access scanning disabled* (Updated)

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\recycler\Ford Racing 2.lnk

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_MYWEBSEARCHSERVICE
-------\Service_TDSSserv.sys


((((((((((((((((((((((((( Files Created from 2009-01-02 to 2009-02-02 )))))))))))))))))))))))))))))))
.

2009-02-02 11:13 . 2009-02-02 11:13 <DIR> d-------- c:\program files\microsoft frontpage
2009-01-30 12:33 . 2009-02-02 11:14 98,668 --a------ c:\windows\system32\drivers\c27e4db6.sys
2009-01-25 23:12 . 2009-01-25 23:14 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2009-01-25 23:12 . 2009-01-25 23:12 <DIR> d-------- c:\documents and settings\vule\Application Data\Malwarebytes
2009-01-25 23:12 . 2009-01-25 23:12 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-01-25 23:12 . 2009-01-14 16:11 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2009-01-25 23:12 . 2009-01-14 16:11 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2009-01-23 15:05 . 2009-01-23 15:05 <DIR> d-------- c:\program files\Free PDF to Word Doc Converter
2009-01-16 23:43 . 2009-01-16 23:43 <DIR> d-------- c:\program files\C-Media
2009-01-14 17:24 . 2009-01-14 17:24 <DIR> d-------- c:\documents and settings\All Users\Application Data\NexonEU
2009-01-14 17:21 . 2004-07-26 19:00 86,085 --a------ c:\windows\system32\ImageDrive.cpl
2009-01-13 13:16 . 2009-01-13 13:16 <DIR> d-------- c:\program files\Hasbro
2009-01-11 19:08 . 2009-01-11 19:08 <DIR> d-------- C:\DepositFiles
2009-01-11 12:15 . 2009-01-11 12:15 <DIR> d-------- c:\documents and settings\vule\Application Data\KC Softwares
2009-01-10 22:03 . 2009-01-13 21:34 <DIR> d-------- c:\program files\MC2
2009-01-09 13:03 . 2009-01-09 14:46 <DIR> d-------- c:\program files\StarWraith
2009-01-09 13:03 . 2009-01-09 13:03 796,672 --a------ c:\windows\GPInstall.exe
2009-01-09 11:32 . 2009-01-09 11:32 <DIR> d-------- c:\program files\Cat Daddy Games

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-02-02 10:13 --------- d-----w c:\program files\Chameleon Clock
2009-02-01 17:58 --------- d-----w c:\documents and settings\vule\Application Data\AVG7
2009-02-01 17:44 --------- d-----w c:\program files\ReGetDx
2009-02-01 17:14 --------- d-----w c:\documents and settings\All Users\Application Data\avg7
2009-01-31 18:49 --------- d-----w c:\documents and settings\vule\Application Data\uTorrent
2009-01-30 16:30 --------- d-----w c:\documents and settings\vule\Application Data\skypePM
2009-01-30 16:30 --------- d-----w c:\documents and settings\vule\Application Data\Skype
2009-01-30 10:28 --------- d-----w c:\program files\SpeedFan
2009-01-29 13:37 --------- d-----w c:\program files\AIMP2
2009-01-15 15:30 138,280 ----a-w c:\windows\system32\drivers\PnkBstrK.sys
2009-01-13 12:28 --------- d-----w c:\program files\Risk II
2009-01-11 10:11 --------- d--h--w c:\program files\InstallShield Installation Information
2009-01-10 22:05 --------- d-----w c:\documents and settings\vule\Application Data\Lavasoft
2009-01-10 22:04 --------- d-----w c:\program files\Flash Strike
2009-01-09 20:52 --------- d-----w c:\program files\PopCap Games
2009-01-09 13:44 --------- d-----w c:\program files\Real Alternative
2009-01-09 13:44 --------- d-----w c:\program files\Common Files\InterVideo
2009-01-09 13:44 --------- d-----w c:\program files\Common Files\Adobe
2009-01-09 13:44 --------- d-----w c:\program files\32ujmo99032
2009-01-09 09:06 --------- d-----w c:\program files\»ĂĎëÓÎϷϵÁĐ
2008-12-28 17:39 --------- d-----w c:\program files\Empire Interactive
2008-12-16 14:58 --------- d-----w c:\program files\Bomberic 2
2008-12-16 14:40 --------- d-----w c:\documents and settings\All Users\Application Data\ABBYY
2008-12-16 12:17 --------- d-----w c:\documents and settings\vule\Application Data\ABBYY
2008-12-16 12:04 --------- d-----w c:\program files\Devastation Zone Troopers
2008-12-09 09:01 --------- d-----w c:\program files\Air Guard Full
2008-12-08 10:22 --------- d-----w c:\documents and settings\vule\Application Data\Daimler
2008-12-08 08:37 --------- d-----w c:\program files\Alcohol Soft
2008-12-05 18:00 --------- d-----w c:\documents and settings\vule\Application Data\Memonix
2008-12-05 15:49 --------- d-----w c:\program files\Buka
2008-12-05 14:33 --------- d-----w c:\documents and settings\vule\Application Data\Groove Games
2008-12-05 14:03 --------- d-----w c:\documents and settings\All Users\Application Data\Sandlot Games
2008-12-05 13:53 --------- d-----w c:\program files\ReflexiveArcade
2008-12-05 13:49 --------- d-----w c:\documents and settings\All Users\Application Data\ScreenSeven
2008-12-05 13:38 --------- d-----w c:\program files\Neoact
2008-11-08 16:12 45,056 ----a-w c:\windows\NCUNINST.EXE
2008-01-02 23:17 32 ----a-w c:\documents and settings\All Users\Application Data\ezsid.dat
2007-11-25 17:15 81,920 ----a-w c:\documents and settings\vule\Application Data\ezpinst.exe
2007-11-25 17:15 47,360 ----a-w c:\documents and settings\vule\Application Data\pcouffin.sys
.

------- Sigcheck -------

2006-09-09 02:02 2198144 ba08992ecfb4b23b9204add12ab385ea c:\windows\system32\ntkrnlpa.exe

2006-09-09 00:01 2321024 ef63859e4fd9cb3ec31a111481f4b1b6 c:\windows\system32\ntoskrnl.exe

2006-09-09 01:48 1616896 7f9583eff8102bce8bd6716744018f83 c:\windows\explorer.exe

2006-09-09 07:45 125720 b04b182a92c119511dd3cdbe18602db1 c:\windows\system32\wuauclt.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"HomeAlarm"="c:\program files\Chameleon Clock\ChamClock.exe" [2006-10-26 915456]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-08-04 1667584]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-10-22 7700480]
"AVG7_CC"="c:\progra~1\Grisoft\AVG7\avgcc.exe" [2008-10-20 590848]
"CpuIdle"="c:\program files\CpuIdlePro\cpuidle.exe" [2008-06-22 903168]
"nwiz"="nwiz.exe" [2006-10-22 c:\windows\system32\nwiz.exe]
"NvMediaCenter"="NvMCTray.dll" [2006-10-22 c:\windows\system32\nvmctray.dll]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-04 15360]
"AVG7_Run"="c:\progra~1\Grisoft\AVG7\avgw.exe" [2007-12-10 219136]
"Nokia.PCSync"="c:\program files\Nokia\Nokia PC Suite 6\PcSync2.exe" [2007-06-19 1241088]

c:\documents and settings\vule\Start Menu\Programs\Startup\
PowerReg Scheduler V3.exe [2008-09-24 225280]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoResolveTrack"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.l3acm"= l3codecp.acm
"VIDC.ACDV"= ACDV.dll
"msacm.divxa32"= msaud32_divx.acm

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Grisoft\\AVG7\\avginet.exe"=
"c:\\Program Files\\Grisoft\\AVG7\\avgemc.exe"=
"c:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"=
"c:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Documents and Settings\\All Users\\Application Data\\NexonEU\\NGM\\NGM.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

R0 sfsync03;StarForce Protection Synchronization Driver (version 3.x);c:\windows\system32\drivers\sfsync03.sys [2005-12-06 35328]
S3 CD-Lock;CD-Lock;\??\e:\cdm.sys --> e:\cdm.sys [?]
.
Contents of the 'Scheduled Tasks' folder

2009-01-30 c:\windows\Tasks\At1.job
- c:\windows\system32\318UADNI.exe []

2009-02-02 c:\windows\Tasks\At10.job
- c:\windows\system32\318UADNI.exe []

2009-02-02 c:\windows\Tasks\At11.job
- c:\windows\system32\318UADNI.exe []

2009-02-02 c:\windows\Tasks\At12.job
- c:\windows\system32\318UADNI.exe []

2009-01-30 c:\windows\Tasks\At13.job
- c:\windows\system32\318UADNI.exe []

2009-02-01 c:\windows\Tasks\At14.job
- c:\windows\system32\318UADNI.exe []

2009-02-01 c:\windows\Tasks\At15.job
- c:\windows\system32\318UADNI.exe []

2009-02-01 c:\windows\Tasks\At16.job
- c:\windows\system32\318UADNI.exe []

2009-02-01 c:\windows\Tasks\At17.job
- c:\windows\system32\318UADNI.exe []

2009-02-01 c:\windows\Tasks\At18.job
- c:\windows\system32\318UADNI.exe []

2009-02-01 c:\windows\Tasks\At19.job
- c:\windows\system32\318UADNI.exe []

2009-01-30 c:\windows\Tasks\At2.job
- c:\windows\system32\318UADNI.exe []

2009-01-31 c:\windows\Tasks\At20.job
- c:\windows\system32\318UADNI.exe []

2009-01-30 c:\windows\Tasks\At21.job
- c:\windows\system32\318UADNI.exe []

2009-01-30 c:\windows\Tasks\At22.job
- c:\windows\system32\318UADNI.exe []

2009-01-30 c:\windows\Tasks\At23.job
- c:\windows\system32\318UADNI.exe []

2009-01-30 c:\windows\Tasks\At24.job
- c:\windows\system32\318UADNI.exe []

2009-01-30 c:\windows\Tasks\At25.job
- c:\windows\system32\318UADNI.exe []

2009-01-30 c:\windows\Tasks\At26.job
- c:\windows\system32\318UADNI.exe []

2009-01-30 c:\windows\Tasks\At27.job
- c:\windows\system32\318UADNI.exe []

2009-01-30 c:\windows\Tasks\At28.job
- c:\windows\system32\318UADNI.exe []

2009-01-30 c:\windows\Tasks\At29.job
- c:\windows\system32\318UADNI.exe []

2009-01-30 c:\windows\Tasks\At3.job
- c:\windows\system32\318UADNI.exe []

2009-01-30 c:\windows\Tasks\At30.job
- c:\windows\system32\318UADNI.exe []

2009-01-30 c:\windows\Tasks\At31.job
- c:\windows\system32\318UADNI.exe []

2009-01-30 c:\windows\Tasks\At32.job
- c:\windows\system32\318UADNI.exe []

2009-01-31 c:\windows\Tasks\At33.job
- c:\windows\system32\318UADNI.exe []

2009-02-02 c:\windows\Tasks\At34.job
- c:\windows\system32\318UADNI.exe []

2009-02-02 c:\windows\Tasks\At35.job
- c:\windows\system32\318UADNI.exe []

2009-02-02 c:\windows\Tasks\At36.job
- c:\windows\system32\318UADNI.exe []

2009-01-30 c:\windows\Tasks\At37.job
- c:\windows\system32\318UADNI.exe []

2009-02-01 c:\windows\Tasks\At38.job
- c:\windows\system32\318UADNI.exe []

2009-02-01 c:\windows\Tasks\At39.job
- c:\windows\system32\318UADNI.exe []

2009-01-30 c:\windows\Tasks\At4.job
- c:\windows\system32\318UADNI.exe []

2009-02-01 c:\windows\Tasks\At40.job
- c:\windows\system32\318UADNI.exe []

2009-02-01 c:\windows\Tasks\At41.job
- c:\windows\system32\318UADNI.exe []

2009-02-01 c:\windows\Tasks\At42.job
- c:\windows\system32\318UADNI.exe []

2009-02-01 c:\windows\Tasks\At43.job
- c:\windows\system32\318UADNI.exe []

2009-01-31 c:\windows\Tasks\At44.job
- c:\windows\system32\318UADNI.exe []

2009-01-30 c:\windows\Tasks\At45.job
- c:\windows\system32\318UADNI.exe []

2009-01-30 c:\windows\Tasks\At46.job
- c:\windows\system32\318UADNI.exe []

2009-01-30 c:\windows\Tasks\At47.job
- c:\windows\system32\318UADNI.exe []

2009-01-30 c:\windows\Tasks\At48.job
- c:\windows\system32\318UADNI.exe []

2009-01-30 c:\windows\Tasks\At5.job
- c:\windows\system32\318UADNI.exe []

2009-01-30 c:\windows\Tasks\At6.job
- c:\windows\system32\318UADNI.exe []

2009-01-30 c:\windows\Tasks\At7.job
- c:\windows\system32\318UADNI.exe []

2009-01-30 c:\windows\Tasks\At8.job
- c:\windows\system32\318UADNI.exe []

2009-01-31 c:\windows\Tasks\At9.job
- c:\windows\system32\318UADNI.exe []
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-Cmaudio - cmicnfg.cpl


.
------- Supplementary Scan -------
.
uStart Page = [link visible only to logged-in users]
uInternet Connection Wizard,ShellNext = iexplore
IE: &Search
IE: Do&wnload by ReGet Deluxe - c:\progra~1\COMMON~1\REGETS~1\CC_Link.htm
IE: Download A&ll by ReGet Deluxe - c:\progra~1\COMMON~1\REGETS~1\CC_All.htm
TCP: {CD1A55E2-48A6-4477-8D50-05DED312E91C} = 10.10.2.69,10.10.2.79
Handler: ic32pp - {BBCA9F81-8F4F-11D2-90FF-0080C83D3571} - c:\windows\wc98pp.dll
FF - ProfilePath - c:\documents and settings\vule\Application Data\Mozilla\Firefox\Profiles\dna8zdip.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - [link visible only to logged-in users]
FF - prefs.js: keyword.URL - [link visible only to logged-in users]
FF - plugin: c:\documents and settings\All Users\Application Data\NexonEU\NGM\npNxGameeu.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npdjvu.dll

---- FIREFOX POLICIES ----
FF - user.js: network.proxy.type - 0
FF - user.js: network.proxy.http -
user_pref(network.proxy.http_port,);
FF - user.js: network.proxy.no_proxies_on -
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [link visible only to logged-in users]
Rootkit scan 2009-02-02 11:14:02
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\c27e4db6]
"ImagePath"="\SystemRoot\System32\drivers\c27e4db6.sys"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\s-1-5-21-583907252-602162358-839522115-1003\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)

[HKEY_USERS\s-1-5-21-583907252-602162358-839522115-1003\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:55,91,13,95,05,3c,92,de,4d,b4,d4,1b,24,22,47,ea,77,7f,38,47,7b,27,bf,
70,9c,f1,39,f4,19,f5,1c,18,c0,a6,8c,04,9d,c8,73,81,21,d1,5d,fd,08,2d,b6,31,\
"??"=hex:c5,21,56,08,6b,8a,47,f4,b1,d9,36,d0,61,40,df,7a
.
------------------------ Other Running Processes ------------------------
.
c:\progra~1\Grisoft\AVG7\avgamsvr.exe
c:\progra~1\Grisoft\AVG7\avgupsvc.exe
c:\progra~1\Grisoft\AVG7\avgemc.exe
c:\windows\system32\nvsvc32.exe
c:\windows\system32\PnkBstrA.exe
c:\windows\system32\WdfMgr.exe
c:\windows\system32\rundll32.exe
c:\windows\system32\rundll32.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2009-02-02 11:17:05 - machine was rebooted [vule]
ComboFix-quarantined-files.txt 2009-02-02 10:17:01

Pre-Run: 3,044,933,632 bytes free
Post-Run: 3,042,377,728 bytes free

helen1 (Anti Malware Fighter, Rank 2):

Open Notepad and copy the following text into it:

File::
c:\windows\system32\drivers\c27e4db6.sys

Folder::
c:\program files\»ĂĎëÓÎϷϵÁĐ
c:\program files\32ujmo99032

AtJob::

Driver::
c27e4db6


Save the file from Notepad to the Desktop as "CFScript".
[screenshot]

Drag the saved script/text onto the ComboFix icon as in the picture.
Post, in your next message, the log that is produced at the end of the cleaning/scanning.
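What follows is an added example and is not part of the thread or of any tool discussed in it: a Python triage script that pulls out of a ComboFix log the indicators helen1's CFScript above acts on (the randomly named driver c27e4db6.sys and the service key that loads it, the At*.job scheduled tasks that all point at one unknown executable carrying no file info, the deleted TDSSserv.sys service, and the Security Center / firewall overrides ComboFix listed) and then renders them in the CFScript section layout helen1 used. The log text embedded in it is a constructed excerpt modelled on RJ's ComboFix log, not the full log; the 8-hex-character driver-name rule and the At-job count threshold are this example's own heuristics; and the rendered script only copies the section layout from helen1's post and assumes nothing further about how ComboFix interprets those sections, so its output is for a person to review, not to hand to ComboFix unchecked.

```python
import re
from collections import Counter

# Constructed excerpt modelled on the ComboFix log posted in the thread; not the full log.
SAMPLE_LOG = r"""
-------\Service_TDSSserv.sys
2009-01-30 12:33 . 2009-02-02 11:14 98,668 --a------ c:\windows\system32\drivers\c27e4db6.sys
2009-01-25 23:12 . 2009-01-14 16:11 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
Contents of the 'Scheduled Tasks' folder
2009-01-30 c:\windows\Tasks\At1.job
- c:\windows\system32\318UADNI.exe []
2009-02-02 c:\windows\Tasks\At10.job
- c:\windows\system32\318UADNI.exe []
2009-02-02 c:\windows\Tasks\At11.job
- c:\windows\system32\318UADNI.exe []
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\c27e4db6]
"ImagePath"="\SystemRoot\System32\drivers\c27e4db6.sys"
"""

# Line shapes taken from the ComboFix log format shown in the thread.
AT_JOB_RE = re.compile(r"^\d{4}-\d{2}-\d{2} (c:\\windows\\tasks\\at\d+\.job)$", re.I)
AT_TARGET_RE = re.compile(r"^- (.+?) \[(.*)\]$")  # "[]" means ComboFix found no file info
HEX_DRIVER_RE = re.compile(r"\\drivers\\([0-9a-f]{8})\.sys\b", re.I)
SERVICE_KEY_RE = re.compile(r"^\[HKEY_LOCAL_MACHINE\\System\\ControlSet\d+\\Services\\([^\]\\]+)\]$", re.I)
DELETED_SERVICE_RE = re.compile(r"^-------\\Service_(.+)$")
SC_OVERRIDE_RE = re.compile(r'^"(AntiVirusDisableNotify|AntiVirusOverride|FirewallOverride)"=dword:0*1$')
FIREWALL_OFF_RE = re.compile(r'^"EnableFirewall"=\s*0\b')


def parse_at_jobs(text):
    """Map each At*.job to (target path, target had no file info)."""
    jobs, pending = {}, None
    for line in (l.strip() for l in text.splitlines()):
        m = AT_JOB_RE.match(line)
        if m:
            pending = m.group(1).lower()
            continue
        m = AT_TARGET_RE.match(line)
        if m and pending:
            jobs[pending] = (m.group(1).lower(), m.group(2).strip() == "")
            pending = None
    return jobs


def suspicious_at_targets(jobs, min_jobs=3):
    """Targets hit by at least min_jobs At jobs and lacking file info: the re-infector
    pattern (48 At*.job tasks running one unknown exe in the thread). Threshold is ours."""
    counts = Counter(target for target, _ in jobs.values())
    no_info = {target for target, empty in jobs.values() if empty}
    return {t: n for t, n in counts.items() if n >= min_jobs and t in no_info}


def random_hex_drivers(text):
    """Drivers named with 8 hex chars (c27e4db6.sys) and those that also have a service key."""
    lines = [l.strip() for l in text.splitlines()]
    names = {m.group(1).lower() for m in map(HEX_DRIVER_RE.search, lines) if m}
    services = {m.group(1).lower() for m in map(SERVICE_KEY_RE.match, lines) if m}
    return sorted(names), sorted(names & services)


def security_posture_flags(text):
    """Registry values that silence Security Center or switch off the XP firewall."""
    lines = [l.strip() for l in text.splitlines()]
    flags = [m.group(1) for m in map(SC_OVERRIDE_RE.match, lines) if m]
    return flags + (["EnableFirewall=0"] if any(map(FIREWALL_OFF_RE.match, lines)) else [])


def triage(text):
    jobs = parse_at_jobs(text)
    drivers, loaded = random_hex_drivers(text)
    return {
        "removed_services": [m.group(1) for m in map(DELETED_SERVICE_RE.match, text.splitlines()) if m],
        "at_targets": suspicious_at_targets(jobs),
        "hex_drivers": drivers,
        "hex_drivers_with_service": loaded,
        "posture": security_posture_flags(text),
    }


def build_cfscript(drivers, at_targets, folders=()):
    """Render the section layout helen1 used (File::, Folder::, AtJob::, Driver::). AtJob:: stays
    empty as in the thread; listing the At-job target under File:: is this example's addition."""
    out = ["File::"] + [f"c:\\windows\\system32\\drivers\\{d}.sys" for d in drivers] + sorted(at_targets)
    out += ["", "Folder::", *folders] if folders else []
    out += ["", "AtJob::", "", "Driver::", *drivers]
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    summary = triage(SAMPLE_LOG)
    print(summary, build_cfscript(summary["hex_drivers"], summary["at_targets"]), sep="\n")
```

Run it as-is to see the summary for the embedded excerpt, or replace SAMPLE_LOG with the contents of C:\ComboFix.txt. The threshold of three At jobs is a floor, so the 48-job pattern in the real log trips the same check; the "no file info" condition is what separates a scheduled re-infector from a legitimate At job, since ComboFix prints size and date for targets it can identify.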
