C:windows/sistem32/cvo0.dll TR/Vundo.gen

  • Ričard
  • Lionheart
  • Supermoderator
  • Beast!
  • Electro maintenance engineer
  • Joined: 28 Nov 2006
  • Posts: 13745
  • Location: Vršac

I followed the instructions for uninstalling ComboFix. In the Run box I typed combofix /u, hit Enter and it uninstalled itself. After the uninstall I ran a scan with Avira and it reported no infections. After that the computer showed no signs of infection until around 16:00, when a colleague told me that tr\vundo.gen had appeared again, but in a different location, and this morning it appeared about three times.

Update: 11 Nov 2008 21:05

I just spoke with my colleague at work: System Restore really was not reset. That is, it was turned on, whereas before all this work it had been turned off. Is it possible that the virus turned System Restore on? There was one more anomaly I forgot to mention: before the ComboFix scan I could not enable the display of hidden files and folders.



  • Piksi
  • Elite citizen
  • Joined: 13 Nov 2003
  • Posts: 2435

It's not the infection. ComboFix turned System Restore on.
Of course, you can turn it off if you want.

As for the fact that you couldn't enable the display of hidden files and folders, that is typical of the infection you had.

You can post a new ComboFix log for me, so we can be sure the infection isn't coming back.



  • Ričard
  • Lionheart
  • Supermoderator
  • Beast!
  • Electro maintenance engineer
  • Joined: 28 Nov 2006
  • Posts: 13745
  • Location: Vršac

ComboFix 08-11-07.01 - Novum 2008-11-13 7:07:53.9 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.151 [GMT 1:00]
Running from: c:\documents and settings\Novum\Desktop\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((( Files Created from 2008-10-13 to 2008-11-13 )))))))))))))))))))))))))))))))
.

2008-11-11 10:34 . 2008-11-11 10:34 <DIR> d-------- c:\documents and settings\Novum\Application Data\vlc
2008-11-09 08:45 . 2008-11-09 08:45 <DIR> d--hs---- c:\documents and settings\Administrator\PrivacIE
2008-11-07 17:14 . 2008-11-07 17:15 <DIR> d-------- c:\documents and settings\Novum\.dvdcss
2008-11-07 16:56 . 2008-11-07 16:57 <DIR> d-------- c:\program files\FormatFactory
2008-11-07 08:00 . 1980-01-01 00:00 149,000 --a------ C:\grldr
2008-11-07 08:00 . 2008-11-05 21:52 829 -ra------ C:\menu.lst
2008-11-07 07:59 . 2008-11-10 08:04 <DIR> d-------- C:\boot1
2008-11-04 17:36 . 2008-11-04 17:36 <DIR> d-------- c:\documents and settings\Novum\Application Data\XBMC
2008-11-04 17:35 . 2008-11-05 08:28 <DIR> d-------- c:\program files\XBMC
2008-11-03 08:42 . 2008-11-03 08:42 <DIR> d-------- c:\documents and settings\Novum\Application Data\Thinstall
2008-10-27 21:40 . 2008-10-27 21:40 <DIR> d-------- c:\program files\QuickTime
2008-10-25 06:10 . 2008-10-25 06:10 <DIR> d-------- C:\wincmd
2008-10-25 06:10 . 2008-11-11 13:57 1,125 --a------ c:\windows\wincmd.ini
2008-10-25 06:10 . 2002-01-21 04:00 545 --a------ c:\windows\UC.PIF
2008-10-25 06:10 . 2002-01-21 04:00 545 --a------ c:\windows\RAR.PIF
2008-10-25 06:10 . 2002-01-21 04:00 545 --a------ c:\windows\PKZIP.PIF
2008-10-25 06:10 . 2002-01-21 04:00 545 --a------ c:\windows\PKUNZIP.PIF
2008-10-25 06:10 . 2002-01-21 04:00 545 --a------ c:\windows\NOCLOSE.PIF
2008-10-25 06:10 . 2002-01-21 04:00 545 --a------ c:\windows\LHA.PIF
2008-10-25 06:10 . 2002-01-21 04:00 545 --a------ c:\windows\ARJ.PIF
2008-10-24 07:40 . 2008-10-24 07:40 0 --a------ c:\windows\CDMIMPRT.INI
2008-10-14 07:13 . 2008-10-17 09:52 65,536 --a------ c:\windows\IFinst27.exe
2008-10-13 07:17 . 2008-11-13 07:01 <DIR> d-------- c:\program files\AIMP2

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-11-11 21:36 --------- d-----w c:\documents and settings\Novum\Application Data\uTorrent
2008-11-11 09:30 --------- d-----w c:\program files\VideoLAN
2008-11-11 08:27 --------- d-----w c:\documents and settings\Novum\Application Data\XnView
2008-11-11 07:29 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2008-11-11 07:28 --------- d-----w c:\program files\SpywareBlaster
2008-11-10 08:04 --------- d-----w c:\documents and settings\Novum\Application Data\OpenOffice.org2
2008-11-09 12:44 --------- d-----w c:\documents and settings\Novum\Application Data\Free Download Manager
2008-11-08 13:03 --------- d--h--w c:\program files\InstallShield Installation Information
2008-10-16 19:54 --------- d-----w c:\program files\OMRON
2008-10-11 09:24 --------- d-----w c:\program files\Opera
2008-10-07 10:35 --------- d-----w c:\program files\Free Download Manager
2008-10-07 10:34 --------- d-----w c:\documents and settings\All Users\Application Data\FreeDownloadManager.ORG
2008-10-07 10:18 --------- d-----w c:\documents and settings\Novum\Application Data\Uniblue
2008-10-07 10:18 --------- d-----w c:\documents and settings\Novum\Application Data\Sony
2008-10-07 10:18 --------- d-----w c:\documents and settings\Novum\Application Data\BSplayer
2008-10-07 10:18 --------- d-----w c:\documents and settings\Novum\Application Data\Autodesk
2008-10-07 10:18 --------- d-----w c:\documents and settings\Novum\Application Data\ACD Systems
2008-10-07 10:18 --------- d-----w c:\documents and settings\All Users\Application Data\PC Suite
2008-10-07 10:18 --------- d-----w c:\documents and settings\All Users\Application Data\Autodesk
2008-10-07 10:12 --------- d-----w c:\documents and settings\Novum\Application Data\AdobeUM
2008-09-29 05:44 --------- d-----w c:\program files\CCleaner
2008-09-28 18:36 --------- d-----w c:\program files\Common Files\Stardock
2008-09-16 17:45 --------- d-----w c:\program files\COMODO
2008-09-15 06:30 45,696 ----a-w c:\documents and settings\Novum\Application Data\GDIPFONTCACHEV1.DAT
2008-09-13 08:32 --------- d-----w c:\program files\AML Products
2008-09-10 21:23 10,488 ----a-w c:\windows\system32\crcnat.exe
2008-09-04 12:34 155,995 ----a-w c:\windows\java\Packages\WAXJNRJ1.ZIP
2008-08-22 01:08 878,592 ----a-w c:\windows\system32\wininet.dll
2008-08-22 01:08 43,008 ----a-w c:\windows\system32\licmgr10.dll
2008-08-22 01:07 18,944 ----a-w c:\windows\system32\corpol.dll
2008-08-22 01:06 72,704 ----a-w c:\windows\system32\admparse.dll
2008-08-22 01:06 71,680 ----a-w c:\windows\system32\iesetup.dll
2008-08-22 01:06 434,176 ----a-w c:\windows\system32\vbscript.dll
2008-08-22 01:05 48,640 ------w c:\windows\system32\PrivacIE.dll
2008-08-22 01:05 48,128 ----a-w c:\windows\system32\mshtmler.dll
2008-08-22 01:05 35,840 ----a-w c:\windows\system32\imgutil.dll
2008-08-22 01:04 45,568 ----a-w c:\windows\system32\mshta.exe
2008-08-22 00:57 156,160 ----a-w c:\windows\system32\msls31.dll
2007-03-20 12:26 106 ----a-w c:\documents and settings\Novum\Application Data\wklnhst.dat
1998-04-27 19:15 570,128 ------w c:\program files\Common Files\dao350.dll
1998-04-26 23:00 570,128 ----a-w c:\program files\DAO350.DLL
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"S7UB Start"="c:\siemens\Common\S7ubtoox\s7ubtstx.exe" [2000-10-25 102400]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2006-11-23 180269]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_02\bin\jusched.exe" [2007-06-14 132760]
"avgnt"="c:\program files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-02-12 262401]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-10-27 413696]
"SoundMan"="SOUNDMAN.EXE" [2005-08-01 c:\windows\SOUNDMAN.EXE]
"SMSERIAL"="sm56hlpr.exe" [2005-07-06 c:\windows\sm56hlpr.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-04 15360]

c:\documents and settings\Novum\Start Menu\Programs\Startup\
Stardock ObjectDock.lnk - d:\programi\ObjectDock\ObjectDock\ObjectDock.exe [2006-03-12 1802309]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\fxsclnt.exe"=
"c:\\Program Files\\IVT Corporation\\BlueSoleil\\BlueSoleil.exe"=
"c:\\Program Files\\Messenger\\Msmsgs.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Opera\\opera.exe"=
"c:\\Program Files\\Free Download Manager\\fdm.exe"=
"c:\\Program Files\\Java\\jre1.6.0_02\\launch4j-tmp\\JDownloader.exe"=

R2 Dpmtrcdd;Dpmtrcdd;c:\windows\system32\DRIVERS\dpmtrcdd.sys [2001-06-27 30080]
R2 s7osmcax;s7osmcax;c:\windows\system32\Drivers\s7osmcax.sys [2004-12-23 175159]
R2 s7otranx;s7otranx;c:\windows\system32\Drivers\S7otranx.sys [2004-12-23 494647]
R3 EKBfltr;ENE Keyboard Controller;c:\windows\system32\DRIVERS\EKBfltr.sys [2005-08-01 5504]
S3 s7oefs_x;SIMATIC MPI/EFS Driver;c:\windows\system32\drivers\s7oefs_x.sys [2000-03-28 30704]
S3 S7OUPC2X;SIMATIC PC Adapter USB Driver;c:\windows\system32\DRIVERS\s7oupc2x.sys [2005-01-14 21536]
S3 usbprint;Microsoft USB PRINTER Class;c:\windows\system32\DRIVERS\usbprint.sys [2004-08-03 25856]
S3 usnjsvc;Messenger Sharing Folders USN Journal Reader service;c:\program files\Windows Live\Messenger\usnsvc.exe [2007-10-18 98328]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{726d49bf-ded5-11dc-9aab-0002e34a0ee9}]
\shell\Setup\command - setup.exe
.
.
------- Supplementary Scan -------
.
R0 -: HKCU-Main,Start Page = about:blank
R1 -: HKCU-Internet Connection Wizard,ShellNext = iexplore
O8 -: Download video with Free Download Manager - [Link mogu videti samo ulogovani korisnici]\program files\Free Download Manager\dlfvideo.htm
O8 -: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office10\EXCEL.EXE/3000
O8 -: Preuzmi odabrano Free Download Manager-om - [Link mogu videti samo ulogovani korisnici]\program files\Free Download Manager\dlselected.htm
O8 -: Preuzmi sa Free Download Managerom - [Link mogu videti samo ulogovani korisnici]\program files\Free Download Manager\dllink.htm
O8 -: Preuzmi sve sa Free Download Manager-om - [Link mogu videti samo ulogovani korisnici]\program files\Free Download Manager\dlall.htm
O17 -: HKLM\CCS\Interface\{ECD91C86-B41C-4745-8A3A-08819DC6A155}: NameServer = 80.93.224.1,80.93.224.2

O16 -: Microsoft XML Parser for Java - [Link mogu videti samo ulogovani korisnici]
c:\windows\Downloaded Program Files\Microsoft XML Parser for Java.osd
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [Link mogu videti samo ulogovani korisnici]
Rootkit scan 2008-11-13 07:11:46
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: c:\windows\explorer.exe
-> d:\programi\ObjectDock\ObjectDock\DockShellHook.dll
.
Completion time: 2008-11-13 7:13:49
ComboFix-quarantined-files.txt 2008-11-13 06:13:26
ComboFix2.txt 2008-11-09 12:28:11

Pre-Run: 14.275.190.784 bytes free
Post-Run: 14,389,571,584 bytes free

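As an added illustration (not code from the thread or from ComboFix's authors), here is a small Python parser for the "Reg Loading Points" block of a log like the one above. It pulls out the Run-key values, the per-drive shell handlers under explorer\mountpoints2 (the `\shell\Setup\command - setup.exe` line), and the catchme hidden-file count, which are the items a reviewer reads first. The SAMPLE_LOG excerpt is constructed from lines of the posted log; the regexes and function names are assumptions of this example.

```python
import re

# Constructed excerpt modelled on the ComboFix log posted above (Reg Loading
# Points block plus the catchme summary); it is not the full log.
SAMPLE_LOG = r"""REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE" [2005-08-01 c:\windows\SOUNDMAN.EXE]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{726d49bf-ded5-11dc-9aab-0002e34a0ee9}]
\shell\Setup\command - setup.exe
scan completed successfully
hidden files: 0
"""

KEY_LINE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
RUN_LINE = re.compile(r'^"(?P<name>[^"]+)"="(?P<cmd>[^"]*)" \[(?P<meta>[^\]]*)\]$')
SHELL_LINE = re.compile(r"^\\shell\\(?P<verb>[^\\]+)\\command - (?P<cmd>.+)$")

def parse_loading_points(log):
    """Run-key values as (key, name, command) and mountpoints2 shell handlers."""
    runs, mounts, key = [], [], None
    for line in log.splitlines():
        m = KEY_LINE.match(line)
        if m:
            key = m.group("key")  # remember the registry key the next lines belong to
            continue
        if key is None:
            continue
        m = RUN_LINE.match(line)
        if m and key.lower().endswith(r"\currentversion\run"):
            runs.append((key, m.group("name"), m.group("cmd")))
        m = SHELL_LINE.match(line)
        if m and "mountpoints2" in key.lower():
            mounts.append((key, m.group("verb"), m.group("cmd")))
    return runs, mounts

def hidden_file_count(log):
    """'hidden files: N' from the catchme section, or None if absent."""
    m = re.search(r"^hidden files: (\d+)$", log, re.MULTILINE)
    return int(m.group(1)) if m else None

def review(log):
    """First things to read: per-drive shell handlers, Run values given as a
    bare file name (ComboFix prints the resolved path inside the brackets, as
    for SOUNDMAN.EXE), and the rootkit scan's hidden-file count."""
    runs, mounts = parse_loading_points(log)
    bare = [(name, cmd) for _, name, cmd in runs if "\\" not in cmd]
    return {"mountpoint_handlers": mounts, "bare_run_commands": bare,
            "hidden_files": hidden_file_count(log)}
```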

  • Piksi
  • Elite citizen
  • Joined: 13 Nov 2003
  • Posts: 2435

The posted log is clean. There are no traces of malware on your computer.

You can now uninstall ComboFix following these instructions.

If there are any detections in the System Restore folders, turn System Restore off and then on again.
(it's up to you to decide whether SR stays on or off)

  • Ričard
  • Lionheart
  • Supermoderator
  • Beast!
  • Electro maintenance engineer
  • Joined: 28 Nov 2006
  • Posts: 13745
  • Location: Vršac

ComboFix has been uninstalled.
This is the result.


I didn't know that about turning System Restore off and on again.
Thanks once more for the help, to you and the AMF team.
Regards.
