Posted: 06 May 2009 09:47
After cleaning the virus, a remnant of the infection is left over; specifically, Windows reports that it cannot find KesenjanganSosial.exe. How do I remove it from Run, and how do I start regedit, since it won't let me in and instead gives me the "Open with..." option?
I can't run HijackThis or regedit, not even in safe mode... I can open the partitions without a problem.
Posted: 06 May 2009 13:16
[Link visible only to logged-in users]
Rename HijackThis.exe to tr3.exe before running it.
Posted: 06 May 2009 14:07
Written: 06 May 2009 13:45
I can't rename it.
Update: 06 May 2009 13:48
Whatever application I try to open on the computer, it shows me the "Open with" message. Could the virus have gotten into the .exe files...
Update: 06 May 2009 14:07
Correction: I renamed it to TR3.exe, but it still can't run it, and after launching it gives the "Open with" option.
Posted: 06 May 2009 16:16
Written: 06 May 2009 15:05
Can you run this:
[Link visible only to logged-in users]
If you managed to, after that you should be able to run exe files.
Update: 06 May 2009 16:16
What happens when you right-click an exe file (e.g. HijackThis)?
Which option is the default (bold)? Is there an Open option in the menu?
Does it work when you choose Open?
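The "Open with" prompt for every .exe is what a hijacked executable file association looks like, and the fix linked above restores it. As an added example (not from this thread or from the tool's author), the script below checks the live value of HKCR\exefile\shell\open\command against the stock launch command; the registry read only works on Windows, while the comparison function itself is platform-independent.

```python
r"""Check whether the .exe file association has been hijacked.

Added example, not from the original thread. On a healthy Windows machine
the default value of HKCR\exefile\shell\open\command is exactly  "%1" %*
so the shell simply launches the executable that was double-clicked.
Malware that wants to run ahead of every program, or to block tools such
as regedit and HijackThis, replaces that value; the "Open with" prompt
described in the thread is consistent with a broken or missing value.
"""
import sys

# Stock launch command for the exefile class on Windows.
EXPECTED_EXEFILE_COMMAND = '"%1" %*'


def is_exefile_command_clean(value: str) -> bool:
    """Return True if the command string is the stock launch command.

    Whitespace differences are tolerated; anything else (a program placed in
    front of "%1", a changed path, a missing "%1" or "%*") is treated as
    hijacked so that it gets a human look.
    """
    return " ".join(value.split()) == EXPECTED_EXEFILE_COMMAND


def read_exefile_command_windows() -> str:
    """Read the live value from the registry; only works on Windows."""
    import winreg  # standard library on Windows builds of Python

    key_path = r"exefile\shell\open\command"
    with winreg.OpenKey(winreg.HKEY_CLASSES_ROOT, key_path) as key:
        value, _type = winreg.QueryValueEx(key, "")  # "" = the (Default) value
    return value


if __name__ == "__main__":
    if sys.platform != "win32":
        sys.exit("This check reads the Windows registry; run it on the affected machine.")
    cmd = read_exefile_command_windows()
    print("exefile command:", cmd)
    if is_exefile_command_clean(cmd):
        print("clean")
    else:
        print("HIJACKED - expected:", EXPECTED_EXEFILE_COMMAND)
```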
Posted: 07 May 2009 13:34
Written: 07 May 2009 10:25
Open is the default, it exists as an option, and when I launch it with a right-click it opens "Open with".
Update: 07 May 2009 10:27
I'll try Fix exe now and leave a message about what happened.
Update: 07 May 2009 11:58
Same thing with Fix exe.
I uninstalled AVG 8.5, which I used to scan the computer the first time, installed Symantec and ran a scan with it, which started finding viruses, specifically "Infostealer". It's possible the virus got into the exe files and that's why it's causing the problem.
Update: 07 May 2009 13:24
I removed the viruses with Symantec and ran Fix exe. Everything works as it should. Many thanks.
Update: 07 May 2009 13:34
Just in case, I'll leave the log file.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 13:30:08, on 7.5.2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\Program Files\Virtual CD v4\System\vcdsecs.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Documents and Settings\X\Desktop\TR3.exe\TR3.exe.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = [Link mogu videti samo ulogovani korisnici]
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by GlobalCom
O1 - Hosts: [Link mogu videti samo ulogovani korisnici]
O1 - Hosts: [Link mogu videti samo ulogovani korisnici]
O1 - Hosts: [Link mogu videti samo ulogovani korisnici]
O1 - Hosts: [Link mogu videti samo ulogovani korisnici]
O2 - BHO: DAPBHO Class - {0096CC0A-623C-4829-AD9C-19AF0DC9D8FE} - C:\Program Files\DAP\DAPIEBar.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.0.926.3450\swg.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_219B3E1547538286.dll
O3 - Toolbar: DAP Bar - {62999427-33FC-4baf-9C9C-BCE6BD127F08} - C:\Program Files\DAP\DAPIEBar.dll
O3 - Toolbar: &Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [VCDPlayer] C:\PROGRA~1\VIRTUA~1\System\VCDPlay.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [StatusClient] C:\Program Files\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe /auto
O4 - HKLM\..\Run: [TomcatStartup] C:\Program Files\Hewlett-Packard\Toolbox2.0\hpbpsttp.exe
O4 - HKLM\..\Run: [Omnipage] C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [DeviceDiscovery] C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [RavAV] C:\WINDOWS\AdobeR.exe
O4 - HKLM\..\Run: [soundmix] C:\WINDOWS\system32\soundmix.exe
O4 - HKLM\..\Run: [Bron-Spizaetus] "C:\WINDOWS\ShellNew\RakyatKelaparan.exe"
O4 - HKLM\..\Run: [System File] C:\WINDOWS\MY DOCUMENTS.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SRFirstRun] rundll32 srclient.dll,CreateFirstRunRp
O4 - HKLM\..\RunServicesOnce: [washindex] C:\Program Files\Washer\washidx.exe "Default User"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Tok-Cirrhatus-1002] "C:\Documents and Settings\X\Local Settings\Application Data\br3027on.exe"
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Startup: ParagrafLexAlarm.lnk = C:\Program Files\ParagrafLex\browser\ParagrafLexAlarm.exe
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - [Link mogu videti samo ulogovani korisnici]\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Run DAP - {669695BC-A811-4A9D-8CDF-BA8C795F261C} - C:\PROGRA~1\DAP\DAP.EXE
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {3AF4DACE-36ED-42EF-9DFC-ADC34DA30CFF} (PatchInstaller.Installer) - [Link mogu videti samo ulogovani korisnici]\content\include\XPPatchInstaller.CAB
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: GhostStartService - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: hpdj - HP - C:\DOCUME~1\X\LOCALS~1\Temp\hpdj.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~2\SPEEDD~1\nopdb.exe
O23 - Service: Virtual CD v4 Security service (VCDSecS) - H+H Software GmbH - C:\Program Files\Virtual CD v4\System\vcdsecs.exe
O24 - Desktop Component 0: (no name) - [Link mogu videti samo ulogovani korisnici]
End of file - 6677 bytes
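The O4 lines in a HijackThis log are the autorun entries a helper reads first. As an added example (not part of the thread and not HijackThis code), the script below parses O4 lines and flags entries that launch from locations legitimate startup programs almost never use; the sample input is copied from the log above, and the verdicts are this script's own heuristics, so an entry in system32 (for example soundmix.exe) is not flagged and still needs a vendor or hash lookup.

```python
"""Triage HijackThis O4 (autorun) entries by launch location.

Added example, not part of the thread. Flags Run entries whose executable
lives directly in the Windows root, in ShellNew, in a Temp folder, or in a
user profile's Local Settings\\Application Data. Anything else is left for
a manual lookup; a quiet result is not a clean bill of health.
"""
import re
from typing import List, Optional, Tuple

# O4 line shape: "O4 - <hive>\..\Run: [<entry name>] <command line>"
O4_RE = re.compile(r"^O4 - (?P<hive>[^:]+): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")


def extract_path(cmd: str) -> str:
    """Return the launched file from a Run command line.

    Handles quoted paths, rundll32 lines (the DLL is what matters), and bare
    paths containing spaces ("C:\\WINDOWS\\MY DOCUMENTS.exe") by cutting at
    the first ".exe" token; commands without ".exe" yield their first token.
    """
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:cmd.index('"', 1)]
    parts = cmd.split()
    if parts[0].lower().startswith("rundll32") and len(parts) > 1:
        return parts[1].split(",")[0]
    match = re.search(r"\.exe\b", cmd, re.IGNORECASE)
    if match:
        return cmd[: match.end()]
    return parts[0]


def suspicious_reason(path: str) -> Optional[str]:
    """Heuristic on the launch directory; None means nothing obvious."""
    low = path.lower()
    directory = low.rsplit("\\", 1)[0] if "\\" in low else ""
    if directory in (r"c:\windows", r"c:\winnt"):
        return "executable dropped directly in the Windows root"
    if directory.endswith(r"\shellnew"):
        return "launches from the ShellNew template folder"
    if r"\local settings\application data" in directory:
        return "launches from a user profile's Local Settings\\Application Data"
    if directory.endswith("\\temp") or "\\temp\\" in directory:
        return "launches from a Temp folder"
    return None


def triage(lines: List[str]) -> List[Tuple[str, str, str]]:
    """Return (entry name, path, reason) for each O4 entry that looks suspicious."""
    findings = []
    for line in lines:
        m = O4_RE.match(line.strip())
        if not m:
            continue  # not an O4 Run entry (e.g. a Startup-folder line without [name])
        path = extract_path(m.group("cmd"))
        reason = suspicious_reason(path)
        if reason:
            findings.append((m.group("name"), path, reason))
    return findings


# Sample input: O4 lines copied from the HijackThis log posted in this thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [RavAV] C:\WINDOWS\AdobeR.exe
O4 - HKLM\..\Run: [soundmix] C:\WINDOWS\system32\soundmix.exe
O4 - HKLM\..\Run: [Bron-Spizaetus] "C:\WINDOWS\ShellNew\RakyatKelaparan.exe"
O4 - HKLM\..\Run: [System File] C:\WINDOWS\MY DOCUMENTS.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKCU\..\Run: [Tok-Cirrhatus-1002] "C:\Documents and Settings\X\Local Settings\Application Data\br3027on.exe"
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - Startup: ParagrafLexAlarm.lnk = C:\Program Files\ParagrafLex\browser\ParagrafLexAlarm.exe
""".strip().splitlines()

if __name__ == "__main__":
    for name, path, reason in triage(SAMPLE_LOG):
        print(f"[{name}] {path}\n    -> {reason}")
```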
Posted: 07 May 2009 16:39
There are traces of several infections here. If you're up for a "cleanup"...
Download ComboFix from one of the following addresses to the Desktop:
[Link visible only to logged-in users]
[Link visible only to logged-in users]
[Link visible only to logged-in users]
Temporarily disable the antivirus.
Start ComboFix and don't touch the program window while it scans.
Follow the on-screen instructions. When it finishes, a log will appear (C:\ComboFix.txt), which you will copy here for us.
Posted: 08 May 2009 12:01
I uninstalled AVG and ran ComboFix, here's the log ...
ComboFix 09-04-27.04 - X 08.05.2009 11:44.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.255.59 [GMT 2:00]
Running from: c:\documents and settings\X\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated)
* Created a new restore point
((((((((((((((((((((((((( Files Created from 2009-06-08 to 2009-5-8 )))))))))))))))))))))))))))))))
2009-05-07 12:04 . 2009-05-07 12:04 -------- d-----w c:\program files\Lavalys
2009-05-07 11:39 . 2009-05-07 11:39 10520 ----a-w c:\windows\system32\avgrsstx.dll
2009-05-07 11:39 . 2009-05-07 11:39 108552 ----a-w c:\windows\system32\drivers\avgtdix.sys
2009-05-07 11:39 . 2009-05-07 11:39 325640 ----a-w c:\windows\system32\drivers\avgldx86.sys
2009-05-07 11:39 . 2009-05-07 11:41 -------- d-----w c:\windows\system32\drivers\Avg
2009-05-07 11:39 . 2009-05-07 11:39 -------- d-----w c:\documents and settings\X\Application Data\AVGTOOLBAR
2009-05-07 11:38 . 2009-05-07 11:38 -------- d-----w c:\program files\AVG
2009-05-07 11:38 . 2009-05-08 09:34 -------- d-----w c:\documents and settings\All Users\Application Data\avg8
2009-05-06 10:19 . 2004-08-04 01:07 31232 -c--a-w c:\windows\system32\dllcache\tools.dll
2009-05-06 10:18 . 2004-08-04 01:07 7680 -c--a-w c:\windows\system32\dllcache\migregdb.exe
2009-05-06 10:17 . 2004-08-04 01:07 18944 -c--a-w c:\windows\system32\dllcache\cprofile.exe
2009-05-06 10:16 . 2003-03-24 14:52 188480 -c--a-w c:\windows\system32\dllcache\cfgwiz.exe
2009-05-06 10:16 . 2003-03-24 14:52 16439 -c--a-w c:\windows\system32\dllcache\author.exe
2009-05-06 10:16 . 2003-03-24 14:52 20540 -c--a-w c:\windows\system32\dllcache\author.dll
2009-05-06 10:16 . 2004-08-04 01:07 290816 -c--a-w c:\windows\system32\dllcache\adsiis51.dll
2009-05-06 10:16 . 2004-08-04 01:07 43520 -c--a-w c:\windows\system32\dllcache\admwprox.dll
2009-05-06 10:16 . 2003-03-24 14:52 16439 -c--a-w c:\windows\system32\dllcache\admin.exe
2009-05-06 10:16 . 2003-03-24 14:52 20540 -c--a-w c:\windows\system32\dllcache\admin.dll
2009-05-06 09:56 . 2004-08-04 01:07 13312 -c--a-w c:\windows\system32\dllcache\irclass.dll
2009-05-06 09:56 . 2004-08-04 01:07 13312 ----a-w c:\windows\system32\irclass.dll
2009-05-06 09:56 . 2004-08-04 01:07 24661 -c--a-w c:\windows\system32\dllcache\spxcoins.dll
2009-05-06 09:56 . 2004-08-04 01:07 24661 ----a-w c:\windows\system32\spxcoins.dll
2009-05-04 13:40 . 2009-05-04 18:53 -------- d--h--w C:\$AVG8.VAULT$
2009-05-04 09:03 . 2009-05-04 09:03 -------- d-----w c:\documents and settings\NetworkService\Local Settings\Application Data\Bron.tok-17-4
2009-05-04 07:36 . 2009-05-04 07:36 6751 ----a-w c:\documents and settings\X\Local Settings\Application Data\Bron.tok.A17.em.bin
2009-05-04 07:12 . 2009-05-04 07:12 -------- d-----w c:\documents and settings\X\Local Settings\Application Data\Bron.tok-17-4
2009-04-28 10:20 . 2009-04-28 10:20 -------- d-----w c:\documents and settings\X\Paragraf-Lex
2009-04-28 10:18 . 2009-04-28 10:18 -------- d-----w c:\documents and settings\X\Local Settings\Application Data\Paragraf-Lex
2009-04-28 08:49 . 2009-04-28 08:50 -------- d-----w c:\program files\ParagrafLex
2009-04-15 09:03 . 2009-04-15 09:03 -------- d-----w c:\documents and settings\NetworkService\Local Settings\Application Data\Bron.tok-17-15
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
2009-05-07 11:53 . 2004-06-11 13:29 -------- d-----w c:\program files\Common Files\Symantec Shared
2009-05-07 11:47 . 2004-06-11 13:35 -------- d-----w c:\program files\Norton SystemWorks
2009-05-07 11:46 . 2004-06-11 13:43 92688 ----a-w c:\documents and settings\X\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-05-06 10:14 . 2001-08-23 12:00 67 --sha-w c:\windows\Fonts\desktop.ini
2009-05-06 10:11 . 2004-06-10 11:04 23332 ----a-w c:\windows\system32\emptyregdb.dat
2009-05-04 16:42 . 2004-06-10 13:24 -------- d-----w c:\program files\Serials 2000
2009-04-01 09:13 . 2009-04-01 09:13 47656 ----a-w c:\documents and settings\NetworkService\Local Settings\Application Data\Bron.tok.A17.em.bin
2004-10-07 17:04 . 2004-10-07 17:04 56 --sha-r c:\windows\system32\A76EFF3E0E.sys
2004-10-07 17:04 . 2004-10-07 17:04 1682 --sha-w c:\windows\system32\KGyGaAvL.sys
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
*Note* empty entries & legit default entries are not shown
"CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2004-07-15 81920]
"HPDJ Taskbar Utility"="c:\windows\system32\spool\drivers\w32x86\3\hpztsb09.exe" [2003-09-01 176128]
"SoundMan"="SOUNDMAN.EXE" - c:\windows\SOUNDMAN.EXE [2003-01-07 46592]
"washindex"="c:\program files\Washer\washidx.exe" [2002-07-17 33792]
"CTFMON.EXE"="c:\windows\System32\CTFMON.EXE" [2004-08-04 15360]
c:\documents and settings\X\Start Menu\Programs\Startup\
ParagrafLexAlarm.lnk - c:\program files\ParagrafLex\browser\ParagrafLexAlarm.exe [2009-4-28 481779]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Service Manager.lnk - c:\program files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe [2002-12-17 74308]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-05-07 11:39 10520 ----a-w c:\windows\system32\avgrsstx.dll
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32
"wave3"= serwvdrv.dll
"wave4"= serwvdrv.dll
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
backup=c:\windows\pss\Adobe Gamma Loader.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^desktop(2).ini]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\desktop(2).ini
backup=c:\windows\pss\desktop(2).iniCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^X^Start Menu^Programs^Startup^desktop(2).ini]
path=c:\documents and settings\X\Start Menu\Programs\Startup\desktop(2).ini
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"c:\\Program Files\\Hewlett-Packard\\Toolbox2.0\\Javasoft\\JRE\\1.3.1\\bin\\javaw.exe"=
"c:\\Program Files\\Internet Explorer\\iexplore.exe"=
"c:\\Program Files\\ParagrafLex\\browser\\jre\\bin\\java.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=
"12714:TCP"= 12714:TCP:NortonAV
"16843:TCP"= 16843:TCP:NortonAV
"12600:TCP"= 12600:TCP:NortonAV
"12327:TCP"= 12327:TCP:NortonAV
"14785:TCP"= 14785:TCP:NortonAV
"13997:TCP"= 13997:TCP:NortonAV
"14314:TCP"= 14314:TCP:NortonAV
"18442:TCP"= 18442:TCP:NortonAV
"15262:TCP"= 15262:TCP:NortonAV
"15104:TCP"= 15104:TCP:NortonAV
"16722:TCP"= 16722:TCP:NortonAV
"16272:TCP"= 16272:TCP:NortonAV
"13015:TCP"= 13015:TCP:NortonAV
"15859:TCP"= 15859:TCP:NortonAV
"18413:TCP"= 18413:TCP:NortonAV
"18841:TCP"= 18841:TCP:NortonAV
"12239:TCP"= 12239:TCP:NortonAV
"17926:TCP"= 17926:TCP:NortonAV
"14590:TCP"= 14590:TCP:NortonAV
"13144:TCP"= 13144:TCP:NortonAV
"15523:TCP"= 15523:TCP:NortonAV
"15108:TCP"= 15108:TCP:NortonAV
"16533:TCP"= 16533:TCP:NortonAV
"12490:TCP"= 12490:TCP:NortonAV
"17381:TCP"= 17381:TCP:NortonAV
"17676:TCP"= 17676:TCP:NortonAV
"14230:TCP"= 14230:TCP:NortonAV
"14283:TCP"= 14283:TCP:NortonAV
"12957:TCP"= 12957:TCP:NortonAV
"15895:TCP"= 15895:TCP:NortonAV
"15789:TCP"= 15789:TCP:NortonAV
"15155:TCP"= 15155:TCP:NortonAV
"14508:TCP"= 14508:TCP:NortonAV
"17749:TCP"= 17749:TCP:NortonAV
"13093:TCP"= 13093:TCP:NortonAV
"15806:TCP"= 15806:TCP:NortonAV
"14989:TCP"= 14989:TCP:NortonAV
"14449:TCP"= 14449:TCP:NortonAV
"16797:TCP"= 16797:TCP:NortonAV
"14529:TCP"= 14529:TCP:NortonAV
"13805:TCP"= 13805:TCP:NortonAV
"12913:TCP"= 12913:TCP:NortonAV
"14587:TCP"= 14587:TCP:NortonAV
"14450:TCP"= 14450:TCP:NortonAV
"14933:TCP"= 14933:TCP:NortonAV
"18387:TCP"= 18387:TCP:NortonAV
"12849:TCP"= 12849:TCP:NortonAV
"17810:TCP"= 17810:TCP:NortonAV
"18978:TCP"= 18978:TCP:NortonAV
"13670:TCP"= 13670:TCP:NortonAV
"13326:TCP"= 13326:TCP:NortonAV
"18781:TCP"= 18781:TCP:NortonAV
"15816:TCP"= 15816:TCP:NortonAV
"17256:TCP"= 17256:TCP:NortonAV
"13630:TCP"= 13630:TCP:NortonAV
R1 GhPciScan;GhostPciScanner; [x]
R1 vcdmpdrv;vcdmpdrv;c:\windows\system32\DRIVERS\vcdmpdrv.sys [2002-05-28 49168]
R4 Ltmadoysd;Ltmadoysd; [x]
S1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\System32\Drivers\avgldx86.sys [2009-05-07 325640]
S1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\System32\Drivers\avgtdix.sys [2009-05-07 108552]
S2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2009-05-07 298264]
S2 NProtectService;Norton Unerase Protection;c:\program files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE [2002-08-14 135168]
\Shell\AutoRun\command - F:\
\Shell\explore\Command - f:\recycler\autorun.exe -ExploreCurDir
\Shell\open\Command - f:\recycler\autorun.exe -OpenCurDir
\Shell\Auto\command - F:\AdobeR.exe e
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL AdobeR.exe e
\Shell\AutoRun\command - F:\
\Shell\explore\Command - f:\recycler\autorun.exe -ExploreCurDir
\Shell\open\Command - f:\recycler\autorun.exe -OpenCurDir
\Shell\AutoRun\command - F:\
\Shell\explore\Command - f:\recycler\autorun.exe -ExploreCurDir
\Shell\open\Command - f:\recycler\autorun.exe -OpenCurDir
\Shell\Auto\command - F:\AdobeR.exe e
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL AdobeR.exe e
\Shell\Auto\command - F:\AdobeR.exe e
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL AdobeR.exe e
\Shell\AutoRun\command - H:\
\Shell\explore\Command - h:\recycler\autorun.exe -ExploreCurDir
\Shell\open\Command - h:\recycler\autorun.exe -OpenCurDir
\Shell\AutoRun\command - F:\
\Shell\explore\Command - f:\recycler\autorun.exe -ExploreCurDir
\Shell\open\Command - f:\recycler\autorun.exe -OpenCurDir
Contents of the 'Scheduled Tasks' folder
- - - - ORPHANS REMOVED - - - -
HKCU-Run-Tok-Cirrhatus-1002 - c:\documents and settings\X\Local Settings\Application Data\br3027on.exe
HKU-Default-Run-Tok-Cirrhatus-1860 - c:\documents and settings\NetworkService\Local Settings\Application Data\br4743on.exe
HKU-Default-Run-Tok-Cirrhatus - (no file)
Notify-AtiExtEvent - (no file)
------- Supplementary Scan -------
uStart Page = [Link mogu videti samo ulogovani korisnici]
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = <local>
uSearchURL,(Default) = [Link mogu videti samo ulogovani korisnici]
IE: &Download with &DAP - c:\progra~1\DAP\dapextie.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
Name-Space Handler: ftp\ZDA - {5BFA1DAF-5EDC-11D2-959E-00C00C02DA5E} - c:\progra~1\DAP\dapie.dll
Name-Space Handler: http\ZDA - {5BFA1DAF-5EDC-11D2-959E-00C00C02DA5E} - c:\progra~1\DAP\dapie.dll
DPF: DirectAnimation Java Classes - [Link mogu videti samo ulogovani korisnici]\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - [Link mogu videti samo ulogovani korisnici]\windows\Java\classes\xmldso.cab
DPF: {3AF4DACE-36ED-42EF-9DFC-ADC34DA30CFF} - [Link mogu videti samo ulogovani korisnici]\content\include\XPPatchInstaller.CAB
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [Link mogu videti samo ulogovani korisnici]
Rootkit scan 2009-05-08 11:47
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'explorer.exe'(3956)
c:\program files\Common Files\Microsoft Shared\INK\SKCHUI.DLL
c:\program files\Microsoft Office\OFFICE11\msohev.dll
c:\program files\DAP\DAPIEBar.dll
Completion time: 2009-05-08 11:55
ComboFix-quarantined-files.txt 2009-05-08 09:53
Pre-Run: 17.553.936.384 bytes free
Post-Run: 18.173.980.672 bytes free
232 --- E O F --- 2009-03-16 12:50
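The repeated \Shell\AutoRun\command, \Shell\open\Command and \Shell\explore\Command lines in the log above are Explorer's cached per-volume autorun handlers (the MountPoints2 entries ComboFix lists), and they are why the helper turns to USB storage next. As an added example (not from the thread and not ComboFix code), the script below classifies those lines: a plain drive letter is what a clean entry looks like, while a command that runs an EXE from the volume root, from its RECYCLER folder, or through RunDLL32 ShellExec_RunDLL is the footprint of a worm that spread over removable drives. Sample lines are copied from the log above; the verdicts are this script's own heuristics.

```python
r"""Classify per-volume shell commands from a ComboFix log as autorun hijacks.

Added example, not part of the thread. ComboFix prints the same block once
per volume GUID it found in Explorer's MountPoints2 cache, so identical
(verb, command) pairs are reported only once.
"""
import re
from typing import List, Optional, Tuple

# Line shape: "\Shell\<verb>\command - <command line>"
SHELL_CMD_RE = re.compile(
    r"^\\Shell\\(?P<verb>[^\\]+)\\command - (?P<cmd>.*)$", re.IGNORECASE
)


def classify_command(cmd: str) -> Optional[str]:
    """Return why a shell command looks like an autorun hijack, or None if benign."""
    c = cmd.strip().lower()
    if re.fullmatch(r"[a-z]:\\", c):
        return None  # plain "F:\": Explorer just opens the volume
    if "shellexec_rundll" in c:
        return "launches a file through RunDLL32 ShellExec_RunDLL"
    if "\\recycler\\" in c:
        return "runs an executable hidden in the volume's RECYCLER folder"
    if re.match(r"[a-z]:\\[^\\]+\.exe\b", c):
        return "runs an executable from the volume root"
    return "non-default shell command; review manually"


def find_hijacks(lines: List[str]) -> List[Tuple[str, str, str]]:
    """Return unique (verb, command, reason) triples for suspicious entries."""
    seen = set()
    findings = []
    for line in lines:
        m = SHELL_CMD_RE.match(line.strip())
        if not m:
            continue  # not a per-volume shell command line
        verb, cmd = m.group("verb"), m.group("cmd").strip()
        reason = classify_command(cmd)
        key = (verb.lower(), cmd.lower())
        if reason and key not in seen:
            seen.add(key)
            findings.append((verb, cmd, reason))
    return findings


# Sample input: lines copied from the ComboFix log posted in this thread.
SAMPLE_LOG = r"""
\Shell\AutoRun\command - F:\
\Shell\explore\Command - f:\recycler\autorun.exe -ExploreCurDir
\Shell\open\Command - f:\recycler\autorun.exe -OpenCurDir
\Shell\Auto\command - F:\AdobeR.exe e
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL AdobeR.exe e
\Shell\AutoRun\command - H:\
\Shell\explore\Command - h:\recycler\autorun.exe -ExploreCurDir
\Shell\open\Command - h:\recycler\autorun.exe -OpenCurDir
\Shell\AutoRun\command - F:\
\Shell\explore\Command - f:\recycler\autorun.exe -ExploreCurDir
""".strip().splitlines()

if __name__ == "__main__":
    for verb, cmd, reason in find_hijacks(SAMPLE_LOG):
        print(f"{verb:8} {cmd}\n         -> {reason}")
```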
Posted: 08 May 2009 15:08
Open the AVG 8 Control Center (right-click the AVG icon in the lower right corner of the screen, then the Open AVG User Interface item).
* When the AVG Control Center starts, double-click the Resident Shield component.
* In the window that opens, untick the Resident Shield active option and click Save changes.
Note: Don't forget to turn this option back on once the cleanup is finished.
Download and run: [Link visible only to logged-in users]
When it finishes, close the program by clicking Ok.
Delete the version of ComboFix you have and download the latest one from the links given earlier.
Open Notepad and copy the following text:
c:\documents and settings\X\Local Settings\Application Data\Bron.tok.A17.em.bin
c:\documents and settings\NetworkService\Local Settings\Application Data\Bron.tok.A17.em.bin
c:\documents and settings\NetworkService\Local Settings\Application Data\Bron.tok-17-4
c:\documents and settings\X\Local Settings\Application Data\Bron.tok-17-4
c:\documents and settings\NetworkService\Local Settings\Application Data\Bron.tok-17-15
Save the file from Notepad to the Desktop as "CFScript".
Drag the saved script/text onto the ComboFix icon as in the picture.
Post in your next message the log that is produced at the end of the cleanup/scan.
Download USBNoRisk to the Desktop and run it by double-clicking the program's icon.
- Wait a few seconds while the program performs the initial scan.
- Insert all USB storage devices one by one into the USB slot and keep each one in the slot for 10 seconds.
- If you have several devices to check, write down on a piece of paper the order in which they were inserted, because we will need that information later.
- When you're done with all the devices, right-click in the middle of the program window and choose the Save log option. That will automatically open the log in Notepad. Copy that log from Notepad to the forum for us.
Explanation: USB storage devices include all devices that get their own drive letter when connected to the computer. These include USB flash drives, external hard disks, memory cards, MP3 and MP4 players, some mobile phones, some GPS (navigation) devices, etc.
Posted: 08 May 2009 17:16
Written: 08 May 2009 17:02
CF log from the scan
ComboFix 09-05-07.A0 - X 08.05.2009 16:41.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.255.99 [GMT 2:00]
Running from: c:\documents and settings\X\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\X\Desktop\CFScript.txt
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated)
c:\documents and settings\NetworkService\Local Settings\Application Data\Bron.tok.A17.em.bin
c:\documents and settings\X\Local Settings\Application Data\Bron.tok.A17.em.bin
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
c:\documents and settings\NetworkService\Local Settings\Application Data\Bron.tok-17-15
c:\documents and settings\NetworkService\Local Settings\Application Data\Bron.tok-17-4
c:\documents and settings\NetworkService\Local Settings\Application Data\Bron.tok.A17.em.bin
c:\documents and settings\X\Local Settings\Application Data\Bron.tok-17-4
c:\documents and settings\X\Local Settings\Application Data\Bron.tok.A17.em.bin
c:\documents and settings\X\RavMonLog
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
((((((((((((((((((((((((( Files Created from 2009-04-08 to 2009-05-08 )))))))))))))))))))))))))))))))
2009-05-07 12:04 . 2009-05-07 12:04 -------- d-----w c:\program files\Lavalys
2009-05-07 11:39 . 2009-05-07 11:39 10520 ----a-w c:\windows\system32\avgrsstx.dll
2009-05-07 11:39 . 2009-05-07 11:39 108552 ----a-w c:\windows\system32\drivers\avgtdix.sys
2009-05-07 11:39 . 2009-05-07 11:39 325640 ----a-w c:\windows\system32\drivers\avgldx86.sys
2009-05-07 11:39 . 2009-05-08 10:07 -------- d-----w c:\windows\system32\drivers\Avg
2009-05-07 11:39 . 2009-05-08 14:14 -------- d-----w c:\documents and settings\X\Application Data\AVGTOOLBAR
2009-05-07 11:38 . 2009-05-07 11:38 -------- d-----w c:\program files\AVG
2009-05-07 11:38 . 2009-05-08 10:02 -------- d-----w c:\documents and settings\All Users\Application Data\avg8
2009-05-06 10:19 . 2004-08-04 01:07 31232 -c--a-w c:\windows\system32\dllcache\tools.dll
2009-05-06 10:18 . 2004-08-04 01:07 7680 -c--a-w c:\windows\system32\dllcache\migregdb.exe
2009-05-06 10:17 . 2004-08-04 01:07 18944 -c--a-w c:\windows\system32\dllcache\cprofile.exe
2009-05-06 10:16 . 2003-03-24 14:52 188480 -c--a-w c:\windows\system32\dllcache\cfgwiz.exe
2009-05-06 10:16 . 2003-03-24 14:52 16439 -c--a-w c:\windows\system32\dllcache\author.exe
2009-05-06 10:16 . 2003-03-24 14:52 20540 -c--a-w c:\windows\system32\dllcache\author.dll
2009-05-06 10:16 . 2004-08-04 01:07 290816 -c--a-w c:\windows\system32\dllcache\adsiis51.dll
2009-05-06 10:16 . 2004-08-04 01:07 43520 -c--a-w c:\windows\system32\dllcache\admwprox.dll
2009-05-06 10:16 . 2003-03-24 14:52 16439 -c--a-w c:\windows\system32\dllcache\admin.exe
2009-05-06 10:16 . 2003-03-24 14:52 20540 -c--a-w c:\windows\system32\dllcache\admin.dll
2009-05-06 09:56 . 2004-08-04 01:07 13312 -c--a-w c:\windows\system32\dllcache\irclass.dll
2009-05-06 09:56 . 2004-08-04 01:07 13312 ----a-w c:\windows\system32\irclass.dll
2009-05-06 09:56 . 2004-08-04 01:07 24661 -c--a-w c:\windows\system32\dllcache\spxcoins.dll
2009-05-06 09:56 . 2004-08-04 01:07 24661 ----a-w c:\windows\system32\spxcoins.dll
2009-05-04 13:40 . 2009-05-08 11:43 -------- d--h--w C:\$AVG8.VAULT$
2009-04-28 10:20 . 2009-04-28 10:20 -------- d-----w c:\documents and settings\X\Paragraf-Lex
2009-04-28 10:18 . 2009-04-28 10:18 -------- d-----w c:\documents and settings\X\Local Settings\Application Data\Paragraf-Lex
2009-04-28 08:49 . 2009-04-28 08:50 -------- d-----w c:\program files\ParagrafLex
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
2009-05-07 11:53 . 2004-06-11 13:29 -------- d-----w c:\program files\Common Files\Symantec Shared
2009-05-07 11:47 . 2004-06-11 13:35 -------- d-----w c:\program files\Norton SystemWorks
2009-05-07 11:46 . 2004-06-11 13:43 92688 ----a-w c:\documents and settings\X\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-05-06 10:14 . 2001-08-23 12:00 67 --sha-w c:\windows\Fonts\desktop.ini
2009-05-06 10:11 . 2004-06-10 11:04 23332 ----a-w c:\windows\system32\emptyregdb.dat
2009-05-04 16:42 . 2004-06-10 13:24 -------- d-----w c:\program files\Serials 2000
2004-10-07 17:04 . 2004-10-07 17:04 56 --sha-r c:\windows\system32\A76EFF3E0E.sys
2004-10-07 17:04 . 2004-10-07 17:04 1682 --sha-w c:\windows\system32\KGyGaAvL.sys
((((((((((((((((((((((((((((( [Link mogu videti samo ulogovani korisnici] )))))))))))))))))))))))))))))))))))))))))
+ 2009-05-08 14:46 . 2009-05-08 14:46 16384 c:\windows\Temp\Perflib_Perfdata_568.dat
+ 2008-10-16 12:09 . 2008-10-16 12:09 92696 c:\windows\SoftwareDistribution\SelfUpdate\cdm.dll
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
*Note* empty entries & legit default entries are not shown
"CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-05-18 68856]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2004-07-15 81920]
"HPDJ Taskbar Utility"="c:\windows\system32\spool\drivers\w32x86\3\hpztsb09.exe" [2003-09-01 176128]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-05-08 1932568]
"SoundMan"="SOUNDMAN.EXE" - c:\windows\SOUNDMAN.EXE [2003-01-07 46592]
"washindex"="c:\program files\Washer\washidx.exe" [2002-07-17 33792]
"CTFMON.EXE"="c:\windows\System32\CTFMON.EXE" [2004-08-04 15360]
c:\documents and settings\X\Start Menu\Programs\Startup\
ParagrafLexAlarm.lnk - c:\program files\ParagrafLex\browser\ParagrafLexAlarm.exe [2009-4-28 481779]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Service Manager.lnk - c:\program files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe [2002-12-17 74308]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-05-07 11:39 10520 ----a-w c:\windows\system32\avgrsstx.dll
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32
"wave3"= serwvdrv.dll
"wave4"= serwvdrv.dll
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
backup=c:\windows\pss\Adobe Gamma Loader.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^desktop(2).ini]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\desktop(2).ini
backup=c:\windows\pss\desktop(2).iniCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^X^Start Menu^Programs^Startup^desktop(2).ini]
path=c:\documents and settings\X\Start Menu\Programs\Startup\desktop(2).ini
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"c:\\Program Files\\Hewlett-Packard\\Toolbox2.0\\Javasoft\\JRE\\1.3.1\\bin\\javaw.exe"=
"c:\\Program Files\\ParagrafLex\\browser\\jre\\bin\\java.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [7.5.2009 13:39 325640]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [7.5.2009 13:39 108552]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [7.5.2009 13:38 298264]
R2 NProtectService;Norton Unerase Protection;c:\program files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE [11.6.2004 15:37 135168]
S1 GhPciScan;GhostPciScanner;\??\c:\program files\Norton SystemWorks\Norton Ghost\ghpciscan.sys --> c:\program files\Norton SystemWorks\Norton Ghost\ghpciscan.sys [?]
S1 vcdmpdrv;vcdmpdrv;c:\windows\system32\drivers\vcdmpdrv.sys [10.6.2004 15:27 49168]
Contents of the 'Scheduled Tasks' folder
------- Supplementary Scan -------
uStart Page = [Link mogu videti samo ulogovani korisnici]
uSearch Page = [Link mogu videti samo ulogovani korisnici]
uSearch Bar = [Link mogu videti samo ulogovani korisnici]
mDefault_Search_URL = [Link mogu videti samo ulogovani korisnici]
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = <local>
uSearchAssistant = [Link mogu videti samo ulogovani korisnici]
uSearchURL,(Default) = [Link mogu videti samo ulogovani korisnici]
mSearchAssistant = [Link mogu videti samo ulogovani korisnici]
IE: &Download with &DAP - c:\progra~1\DAP\dapextie.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
Name-Space Handler: ftp\ZDA - {5BFA1DAF-5EDC-11D2-959E-00C00C02DA5E} - c:\progra~1\DAP\dapie.dll
Name-Space Handler: http\ZDA - {5BFA1DAF-5EDC-11D2-959E-00C00C02DA5E} - c:\progra~1\DAP\dapie.dll
DPF: DirectAnimation Java Classes - [Link mogu videti samo ulogovani korisnici]\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - [Link mogu videti samo ulogovani korisnici]\windows\Java\classes\xmldso.cab
DPF: {3AF4DACE-36ED-42EF-9DFC-ADC34DA30CFF} - [Link mogu videti samo ulogovani korisnici]\content\include\XPPatchInstaller.CAB
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [Link mogu videti samo ulogovani korisnici]
Rootkit scan 2009-05-08 16:47
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'explorer.exe'(2400)
c:\program files\Common Files\Microsoft Shared\INK\SKCHUI.DLL
c:\program files\DAP\DAPIEBar.dll
c:\program files\Microsoft Office\OFFICE11\msohev.dll
------------------------ Other Running Processes ------------------------
c:\program files\Norton SystemWorks\Norton Ghost\GhostStartService.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe
c:\program files\AVG\AVG8\avgrsx.exe
c:\program files\Virtual CD v4\System\VCDSecS.exe
c:\program files\ParagrafLex\browser\jre\bin\java.exe
Completion time: 2009-05-08 16:56 - machine was rebooted
ComboFix-quarantined-files.txt 2009-05-08 14:56
ComboFix2.txt 2009-05-08 09:55
Pre-Run: 18.108.923.904 bytes free
Post-Run: bytes free
[boot loader]
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /noexecute=optin
185 --- E O F --- 2009-03-16 12:50
Update: 08 May 2009 17:16
USBNoRisk file from all USB storage devices
USBNoRisk 2.1 by bobby
Started at 8.5.2009 17:00:42
Scanning for connected USB Mass storage...
Scanning for other storage...
D: {44626478-1dcf-11d9-b449-bd9c281666d3}
C: {63ad96d4-1db3-11d9-a613-806d6172696f}
Scanning fixed storage for autorun.inf files...
No blocked files found on C:
No Autorun.inf files found on C:
No mountpoint found for C:
No mountpoint found for 63ad96d4-1db3-11d9-a613-806d6172696f
No blocked files found on D:
No Autorun.inf files found on D:
No mountpoint found for D:
No mountpoint found for 44626478-1dcf-11d9-b449-bd9c281666d3
Initial scan finished!
New device connected at 8.5.2009 17:01:26
Scanning for connected USB mass storage...
F: {214c9034-3a0e-11de-9009-87133137cbd6}
Added F:
Scanning USB mass storage for files...
No blocked files found on F:
No Autorun.inf files found on F:
No mountpoint found for 214c9034-3a0e-11de-9009-87133137cbd6
No Desktop.ini files found on F:
No mimics found on drive F:
Removed F:
New device connected at 8.5.2009 17:05:40
Scanning for connected USB mass storage...
G: {0ec82756-48e8-11dd-8ef9-85a2920f8cd1}
Added G:
Scanning USB mass storage for files...
No blocked files found on G:
No Autorun.inf files found on G:
No mountpoint found for 0ec82756-48e8-11dd-8ef9-85a2920f8cd1
desktop.ini found on G:
Content of G:\Razvoj\Projekti gotovi\emir dokument\desktop.ini
Files referenced from G:\Razvoj\Projekti gotovi\emir dokument\desktop.ini
No mimics found on drive G:
Removed G: