Backdoor.IRC.ZGE


offline
  • Joined: 18 Feb 2009
  • Posts: 12

ComboFix 09-02-19.01 - Korisnik 2009-02-23 14:33:40.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1015.603 [GMT 1:00]
Running from: c:\documents and settings\Korisnik\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Korisnik\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
c:\windows\system32\Juchde.exe
c:\windows\system32\Juchdp.exe
c:\windows\system32\ortecxar.pif
c:\windows\system32\wrda.sys
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\Juchdp.exe
c:\windows\system32\ortecxar.pif
c:\windows\system32\wrda.sys

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_SRVSTARTER_LEREX
-------\Legacy_SRVSTARTER_NERW
-------\Service_Nec7d3
-------\Service_SRVStarter_Lerex
-------\Service_SRVStarter_nerw


((((((((((((((((((((((((( Files Created from 2009-01-23 to 2009-02-23 )))))))))))))))))))))))))))))))
.

2009-02-19 12:18 . 2009-02-19 12:24 5,637,845 --a------ c:\program files\youtubedownloader.exe
2009-02-18 18:03 . 2009-02-18 18:03 <DIR> d-------- c:\program files\Secunia
2009-02-18 17:47 . 2009-02-18 17:47 <DIR> d-------- c:\program files\EA Games
2009-02-10 15:13 . 2009-02-10 15:13 <DIR> d-------- c:\windows\Sun
2009-02-10 15:12 . 2009-02-10 15:12 <DIR> d-------- c:\program files\Java
2009-02-10 15:12 . 2009-02-10 15:12 410,984 --a------ c:\windows\system32\deploytk.dll
2009-02-10 15:12 . 2009-02-10 15:12 73,728 --a------ c:\windows\system32\javacpl.cpl
2009-02-10 15:00 . 2009-02-10 15:00 607,640 --a------ C:\xpiinstall-6u11-fcs-bin-b90-windows-i586-25_nov_2008(2).exe
2009-02-01 19:31 . 2009-02-18 17:48 620 --a------ c:\windows\eReg.dat
2009-01-28 21:52 . 2009-01-28 21:52 <DIR> d-------- c:\program files\Oberon Media
2009-01-28 21:52 . 2009-01-28 21:52 <DIR> d-------- c:\program files\Common Files\Oberon Media
2009-01-28 14:19 . 2009-01-28 14:19 287 --a------ c:\windows\EReg072.dat
2009-01-28 14:18 . 2009-01-28 14:18 <DIR> d-------- c:\program files\Electronic Arts

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-02-21 13:10 --------- d-----w c:\documents and settings\All Users\Application Data\BitDefender
2009-02-18 17:05 --------- d-----w c:\program files\YouTube Downloader
2009-02-18 16:49 12,464 ----a-w c:\windows\system32\drivers\secdrv.sys
2009-01-28 20:54 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2009-01-03 15:47 1,851,544 ----a-w C:\install_flash_player.exe
2008-10-26 21:39 583 ----a-w c:\program files\Default.jcd
2008-10-26 21:34 275 ----a-w c:\program files\FGUpdate3.ini
2008-10-26 21:34 1,098 ----a-w c:\program files\fgbhocfg.ini
2008-10-26 21:34 0 ----a-w c:\program files\FGUpdate2.ini
2008-10-26 21:34 0 ----a-w c:\program files\Default.bk1
2008-08-11 18:09 424 ----a-w c:\program files\fgres1.ini
2007-09-25 09:33 22,486 ----a-w c:\program files\cd.ico
2007-09-25 09:29 18,296 ----a-w c:\program files\WHATSNEW.TXT
2008-11-18 16:45 67,696 ----a-w c:\program files\mozilla firefox\components\jar50.dll
2008-11-18 16:45 54,376 ----a-w c:\program files\mozilla firefox\components\jsd3250.dll
2008-11-18 16:45 34,952 ----a-w c:\program files\mozilla firefox\components\myspell.dll
2008-11-18 16:45 46,720 ----a-w c:\program files\mozilla firefox\components\spellchk.dll
2008-11-18 16:45 172,144 ----a-w c:\program files\mozilla firefox\components\xpinstal.dll
2008-07-01 07:11 391 --sha-w c:\windows\system32\vburcs.cmd
.

------- Sigcheck -------

2008-04-13 20:20 361344 93ea8d04ec73a85db02eb8805988f733 c:\windows\SoftwareDistribution\Download\59fc8f12b80caa991163249076d0bcca\tcpip.sys
2004-08-03 22:14 359040 9f4b36614a0fc234525ba224957de55c c:\windows\system32\dllcache\tcpip.sys
2004-08-03 22:14 359040 6a603809f598332dbedd535bdbce313e c:\windows\system32\drivers\tcpip.sys

2004-08-03 23:56 2114048 abb26a155bc1e404bead274fd7549475 c:\windows\explorer.exe
2004-08-03 23:56 1032192 a0732187050030ae399b241436565e64 c:\windows\FlyakiteOSX\Backup\explorer.exe
2004-08-03 23:56 1032192 a0732187050030ae399b241436565e64 c:\windows\FlyakiteOSX\TempFiles\explorer.exe
2008-04-14 01:12 1033728 12896823fb95bfb3dc9b46bcaedc9923 c:\windows\SoftwareDistribution\Download\59fc8f12b80caa991163249076d0bcca\explorer.exe
2004-08-03 23:56 2114048 abb26a155bc1e404bead274fd7549475 c:\windows\system32\dllcache\explorer.exe
.
((((((((((((((((((((((((((((( [link visible only to logged-in users] )))))))))))))))))))))))))))))))))))))))))
.
- 2009-02-21 13:21:35 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_680.dat
+ 2009-02-23 13:36:28 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_680.dat
+ 2009-02-23 13:36:30 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_698.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-03 15360]
"DAEMON Tools Lite"="c:\program files\DAEMON Tools Lite\daemon.exe" [2008-07-04 486856]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-08-04 1667584]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\lib\NMBgMonitor.exe" [2005-09-25 94208]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-11-28 98304]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-11-28 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-11-28 118784]
"SpywareTerminator"="c:\program files\Spyware Terminator\SpywareTerminatorShield.exe" [2008-05-12 1722880]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-02-10 136600]
"RTHDCPL"="RTHDCPL.EXE" [2006-11-14 c:\windows\RTHDCPL.EXE]
"SkyTel"="SkyTel.EXE" [2006-05-16 c:\windows\SkyTel.exe]
"SMSERIAL"="sm56hlpr.exe" [2004-12-28 c:\windows\sm56hlpr.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-03 15360]

c:\documents and settings\Korisnik\Start Menu\Programs\Startup\
Y'z Toolbar.lnk - c:\windows\BricoPacks\Longhorn Inspirat\YzToolBar\YzToolBar.exe [2002-09-29 90112]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.AP41"= APmpg4v1.dll
"msacm.divxa32"= DivXa32.acm
"msacm.l3codec"= L3codecp.acm
"vidc.xvid"= xvid.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0smrgdf c:\program files\iolo\System Mechanic 5

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"d:\\Program Files\\Counter-Strike 1.6\\hl.exe"=
"d:\\igrarije\\Warcraft III\\Warcraft III.exe"=
"c:\\Program Files\\Electronic Arts\\Need For Speed III\\nfs3.exe"=

R1 sp_rsdrv2;Spyware Terminator Driver 2;c:\documents and settings\All Users\Application Data\Spyware Terminator\sp_rsdrv2.sys [2008-05-12 133120]
S3 PSI;PSI;c:\windows\system32\drivers\psi_mf.sys [2008-10-27 7808]
.
.
------- Supplementary Scan -------
.
uInternet Connection Wizard,ShellNext = iexplore
IE: &Download All with FlashGet - c:\program files\jc_all.htm
IE: &Download with FlashGet - c:\program files\jc_link.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Korisnik\Application Data\Mozilla\Firefox\Profiles\1he95k9q.default\
FF - prefs.js: browser.startup.homepage -
FF - prefs.js: network.proxy.type - 2
FF - component: c:\program files\Mozilla Firefox\components\xpinstal.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [link visible only to logged-in users]
Rootkit scan 2009-02-23 14:36:40
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-839522115-1659004503-1801674531-1003\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(740)
c:\windows\system32\SETUPAPI.dll
c:\windows\system32\cscui.dll

- - - - - - - > 'lsass.exe'(796)
c:\windows\system32\SETUPAPI.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Autodata Limited Shared\Service\ADCDLicSvc.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe
c:\windows\system32\wdfmgr.exe
.
**************************************************************************
.
Completion time: 2009-02-23 14:39:41 - machine was rebooted
ComboFix-quarantined-files.txt 2009-02-23 13:39:38
ComboFix2.txt 2009-02-21 13:24:52

Pre-Run: 12.597.809.152 bytes free
Post-Run: 12,586,745,856 bytes free

171 --- E O F --- 2008-11-29 15:44:07



IT DOESN'T MATTER HOW LONG IT TAKES, WHAT MATTERS IS THAT "DEATH SHALL HAVE NO DOMINATION"



offline
  • diarno  Male
  • Anti Malware Fighter
    Rank 2
  • Joined: 15 Jun 2007
  • Posts: 5572

In this case, Malware shall have no dominion :mrgreen:

Tell me what the situation is now...



offline
  • Joined: 18 Feb 2009
  • Posts: 12

Well, it's still there, and I still can't delete that folder in the Recycler; on the other hand, that phantom little "Personal settings" window no longer pops up on its own.
I scanned again with BitDefender, and now it says it has recognized and deleted that virus, but also that it is an item on which no action was taken?! So now...

offline
  • diarno  Male
  • Anti Malware Fighter
    Rank 2
  • Joined: 15 Jun 2007
  • Posts: 5572

The Recycler folder can't be deleted even if you want to... It isn't malicious in itself... Next... Tell me the exact name of the file that BitDefender detected... I'm surprised things aren't better...

- Download USBNoRisk to the Desktop and run it by double-clicking the program icon.
- Wait a few seconds while the program performs its initial scan.
- Insert all USB storage devices one after another into the USB slot and keep each one in the slot for 10 seconds.
- If you have several devices to check, write down on a piece of paper the order in which they were inserted, because we will need that information later.
- When you have finished with all devices, right-click in the middle of the program window and choose Save log. That will automatically open the log in Notepad. Copy that log from Notepad to the forum.

Explanation: USB storage devices are all devices that get their own drive letter when connected to the computer. These include USB flash drives, external hard disks, memory cards, MP3 and MP4 players, some mobile phones, some GPS (navigation) devices, etc.
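The check USBNoRisk runs on each drive ("Autorun.inf on X: - None" in the logs in this thread) boils down to reading the drive root's autorun.inf and looking at what it would launch. Below is an added example written for this thread, not USBNoRisk's or the poster's code: a tolerant parser for autorun.inf that reports the open / shellexecute / shell\<verb>\command entries a USB worm uses to start itself. The sample autorun.inf is constructed; it borrows the ise32.exe name from the BitDefender detection posted later in the thread purely as an illustration, and the "drive root" it checks is a temporary directory so the script runs anywhere.

```python
"""Check a drive root for autorun.inf and report what it would launch.

Added example for this thread, not USBNoRisk's own code. USB worms often
pad autorun.inf with junk lines, mixed case and decoy sections to confuse
strict INI parsers, so this parser ignores anything that is not a section
header or a key=value pair inside [autorun].
"""
import os
import re
import tempfile

# [autorun] keys that make Windows run a program (open, shellexecute) or
# rewrite the drive's context-menu actions (shell\<verb>\command).
EXECUTION_KEYS = {"open", "shellexecute", "shell"}

# Constructed sample in the style of a USB worm's autorun.inf; the target
# path borrows the ise32.exe name from this thread only as an illustration.
# Note the junk line, the upper-cased key and the decoy [Junk] section.
SAMPLE_AUTORUN = (
    "[AutoRun]\r\n"
    ";harmless comment\r\n"
    "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx\r\n"
    "OPEN=RECYCLER\\S-1-5-21-1482476501-1644491937-682003330-1013\\ise32.exe\r\n"
    "icon=%SystemRoot%\\system32\\SHELL32.dll,4\r\n"
    "shell\\open\\Command=RECYCLER\\S-1-5-21-1482476501-1644491937-682003330-1013\\ise32.exe\r\n"
    "shellexecute=RECYCLER\\S-1-5-21-1482476501-1644491937-682003330-1013\\ise32.exe\r\n"
    "[Junk]\r\n"
    "open=notepad.exe\r\n"
)

SECTION_RE = re.compile(r"^\[(.+?)\]$")


def parse_autorun(text):
    """Return {key: value} for the [autorun] section, tolerating junk lines.

    Keys are lower-cased and kept whole, so 'shell\\open\\command' stays one
    key. Lines outside [autorun], comments and lines without '=' are ignored.
    """
    entries = {}
    in_autorun = False
    for raw in text.splitlines():
        line = raw.strip().strip("\x00")
        if not line or line.startswith(";"):
            continue
        m = SECTION_RE.match(line)
        if m:
            in_autorun = m.group(1).strip().lower() == "autorun"
            continue
        if in_autorun and "=" in line:
            key, _, value = line.partition("=")
            entries[key.strip().lower()] = value.strip()
    return entries


def suspicious_entries(entries):
    """Return only the entries that launch something or rewrite a shell verb."""
    return {
        key: value
        for key, value in entries.items()
        if key.split("\\")[0] in EXECUTION_KEYS
    }


def check_drive_root(root):
    """Return (found, hits): whether root has an autorun.inf and what it runs."""
    path = os.path.join(root, "autorun.inf")
    if not os.path.isfile(path):
        return False, {}
    with open(path, "r", encoding="latin-1", errors="replace") as fh:
        return True, suspicious_entries(parse_autorun(fh.read()))


def demo():
    """Check a scratch directory before and after planting the sample file."""
    with tempfile.TemporaryDirectory() as root:
        before = check_drive_root(root)
        with open(os.path.join(root, "autorun.inf"), "w",
                  encoding="latin-1", newline="") as fh:
            fh.write(SAMPLE_AUTORUN)
        found, hits = check_drive_root(root)
    return before, found, hits


if __name__ == "__main__":
    # On the machine itself you would call check_drive_root("G:\\") for each
    # drive letter USBNoRisk reports; here the scratch directory stands in.
    before, found, hits = demo()
    print("empty dir:", before)
    print("autorun.inf found:", found)
    for key, value in sorted(hits.items()):
        print("  %-20s -> %s" % (key, value))
```

The icon= entry is deliberately not reported: it only changes how the drive looks. Anything under open, shellexecute or shell\... is what turns a double-click on the drive into code execution, which is why the tool's "None" result for each drive matters.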

offline
  • Joined: 18 Feb 2009
  • Posts: 12

USBNoRisk 1.5 by bobby

Started at 24.2.2009 21:04:46

Scanning for connected USB Mass storage...
----------------------------------------
========================================

Scanning for other storage...
----------------------------------------
C: {76bdb0ac-b3db-11dc-9a4f-806d6172696f}
D: {76bdb0ad-b3db-11dc-9a4f-806d6172696f}
========================================


Scanning fixed storage for autorun.inf files...
----------------------------------------
Autorun.inf on C: - None
----------------------------------------

Sanitizing Shell Menu...
----------------------------------------
No key found for C:
No key found for 76bdb0ac-b3db-11dc-9a4f-806d6172696f
========================================

Autorun.inf on D: - None
----------------------------------------

Sanitizing Shell Menu...
----------------------------------------
No key found for D:
No key found for 76bdb0ad-b3db-11dc-9a4f-806d6172696f
========================================



New device connected at 24.2.2009 21:07:00

Scanning for connected USB mass storage...
----------------------------------------
G: {64e58a74-b6f4-11dc-a8a2-81599d0b2bab}
Added G:
========================================

Scanning USB mass storage for files...
----------------------------------------
----------------------------------------
Autorun.inf on G: - None
----------------------------------------

Sanitizing Shell Menu...
----------------------------------------
No key found for 64e58a74-b6f4-11dc-a8a2-81599d0b2bab
========================================

----------------------------------------

Desktop.ini on G: - None
----------------------------------------

========================================

========================================
Removed G:
========================================
here's this too!

offline
  • diarno  Male
  • Anti Malware Fighter
    Rank 2
  • Joined: 15 Jun 2007
  • Posts: 5572

I really don't see anything else malicious... Tell me, what is BitDefender detecting?

offline
  • Joined: 18 Feb 2009
  • Posts: 12

The file and its location are described like this:
Infected: <System>=>HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\ACTIVE SETUP\INSTALED COMPONENTS\ {28ABC5C0-4FCB-11CF-AAX5-81CX1C635612}\Stub Path=>C:\RECYCLER\S-1-5-21-1482476501-1644491937-682003330-1013\ise32.exe

Update: 23 Feb 2009 21:38

By the way, this famous "recycler...." folder has also appeared on the flash drive, and only after I set hidden folders to be shown. I don't know how it got there, nor whether it is infected; I haven't scanned it with the antivirus.

offline
  • diarno  Male
  • Anti Malware Fighter
    Rank 2
  • Joined: 15 Jun 2007
  • Posts: 5572

As I said, that famous recycler should stay hidden and famous :) because it's a system folder...

Next, download this file and run it with a double-click


[link visible only to logged-in users]


After a few seconds Notepad will open... Copy its contents here for me.

offline
  • Joined: 18 Feb 2009
  • Posts: 12

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{28ABC5C0-4FCB-11CF-AAX5-81CX1C635612}]
"StubPath"="C:\\RECYCLER\\S-1-5-21-1482476501-1644491937-682003330-1013\\ise32.exe"

The requested registry entry does not exist...




here it is.....
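The export above is the persistence mechanism: Active Setup runs the StubPath of every HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{GUID} once per user at logon, which is why a launcher parked in RECYCLER keeps coming back after the files ComboFix removed are gone. As an added example (not the helper's fix file and not BitDefender's logic), the script below parses a .reg export, flags StubPath values that live somewhere no installer stub belongs, and writes the .reg syntax that deletes the flagged key. The sample export is constructed after the one posted; the second GUID and its regsvr32 stub are assumed as a stand-in for a normal Windows entry so the filter has something to leave alone.

```python
"""Flag Active Setup StubPath persistence in a registry export.

Added example for this thread, not the helper's fix file or BitDefender's
detection logic. Active Setup runs each Installed Components\\{GUID}\\StubPath
once per user at logon, so a StubPath that lives in RECYCLER, a Temp folder
or a user profile is a persistence entry worth inspecting, whatever the GUID.
"""
import re

ACTIVE_SETUP = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components"

# Directories (upper-cased, with surrounding separators) where a legitimate
# installer stub has no business living.
SUSPICIOUS_DIRS = (
    "\\RECYCLER\\",
    "\\RECYCLED\\",
    "\\TEMP\\",
    "\\DOCUMENTS AND SETTINGS\\",
    "\\USERS\\",
)

# Constructed sample export. The first key copies the one posted in this
# thread; the second GUID, its regsvr32 stub and its Version are assumed as
# a stand-in for a normal Windows entry.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{28ABC5C0-4FCB-11CF-AAX5-81CX1C635612}]
"StubPath"="C:\\RECYCLER\\S-1-5-21-1482476501-1644491937-682003330-1013\\ise32.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4383}]
@="Windows Desktop Update"
"StubPath"="regsvr32.exe /s /n /i:U shell32.dll"
"Version"="6,0,2600,0"
'''

VALUE_RE = re.compile(r'^"([^"]+)"="(.*)"$')


def unescape(data):
    """Undo regedit's escaping of backslashes and double quotes in REG_SZ data."""
    return data.replace('\\\\', '\\').replace('\\"', '"')


def parse_reg_export(text):
    """Return {key_path: {value_name: data}} from a REGEDIT4 / 5.00 export.

    Only named REG_SZ values ("name"="data") are collected, which is all
    StubPath needs; default values (@=) and hex: values are skipped.
    """
    keys = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            keys[current][m.group(1)] = unescape(m.group(2))
    return keys


def suspicious_stubpaths(keys):
    """Return [(guid, stubpath)] for Active Setup stubs under suspicious dirs."""
    hits = []
    prefix = ACTIVE_SETUP.lower() + "\\"
    for path, values in keys.items():
        if not path.lower().startswith(prefix):
            continue
        stub = values.get("StubPath")
        if stub and any(d in stub.upper() for d in SUSPICIOUS_DIRS):
            hits.append((path.rsplit("\\", 1)[-1], stub))
    return hits


def removal_reg(hits):
    """Emit .reg text that deletes the flagged keys.

    A leading '-' inside the brackets tells regedit to delete the key on import.
    """
    lines = ["Windows Registry Editor Version 5.00", ""]
    for guid, _ in hits:
        lines.append("[-%s\\%s]" % (ACTIVE_SETUP, guid))
        lines.append("")
    return "\r\n".join(lines)


def flagged():
    """Run the check over the constructed sample export."""
    return suspicious_stubpaths(parse_reg_export(SAMPLE_EXPORT))


if __name__ == "__main__":
    for guid, stub in flagged():
        print("Active Setup %s -> %s" % (guid, stub))
    print(removal_reg(flagged()))
```

Deleting the HKLM key stops future logons from running the stub, but two things remain to check by hand: the file the StubPath names (here ise32.exe under RECYCLER) still has to be removed or quarantined, and Active Setup records each GUID it has already run under HKEY_CURRENT_USER\Software\Microsoft\Active Setup\Installed Components, so that per-user copy is worth clearing too so the record does not confuse a later scan.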

offline
  • diarno  Male
  • Anti Malware Fighter
    Rank 2
  • Joined: 15 Jun 2007
  • Posts: 5572

Download this file:


[link visible only to logged-in users]

run it with a double-click, then click Yes... And restart the computer...

Then let BitDefender scan the hard drive and report whether there are any detections...
