kako da obrisem win32/autrun.ABHWorm

• 0Niko još nije pohvalio poruku.
  Registruj se da bi pohvalio/la poruku!

a da ponovim postopak ? zaista nisam otvarao dokument posle imenovanja u CFScript.txt. te nemam pojma jel je snimljen sa sadrzajem. ali cu proveriti sada. ps ako nije problem , kada si po podne na stranici? okvirno, no nista te naravski ne obavezuje da budes, pozdrav

• 0Niko još nije pohvalio poruku.
  Registruj se da bi pohvalio/la poruku!

U stanu sam najverovatnije ceo dan, ali me polako obara grip.

Pokusaj ponovo sa CFScriptovima. Ja cu s vremena na vreme da zavirim u temu, da proverim da li si nesto uspeo da uradis.

• 0Niko još nije pohvalio poruku.
  Registruj se da bi pohvalio/la poruku!

ok. ako operes limun srednje velicine ili veliki... i iseckas ga na tanke reznjeve(kolutice), te ga sa sve korom pojedes u cugu... i popijes danas 3x 2 andola... virus gripa ce uteci... *naravski da su 1 do 2 jabuke dnevno OBAVEZNE! a rezultate ces videti... (ps. jbg lakse je tebi iseci limun nego meni da pravim fajlove i dokumente o kojima ne znam bas dovoljno ali i "moje lecenje" u tvojoj ambulanti ce dati rezultat, kada ja ovladam primenom "terapije" a sada idem uradit nanovo onaj CFScript : (dali snimim u notepad i ovo "FCOPY" ili samo ona cetiri d: sa svim tekstom koji sledi ?
ovo je taj kod koji si mi poslao
FCOPY::
d:\windows\system32\serhost.exe|d:\to_upload\serhost.exe.vir
d:\windows\system32\dllcache\mkllb.dll|d:\to_upload\mkllb.dll.vir
d:\windows\system32\dllcache\ntisapi.dll|d:\to_upload\ntisapi.dll.vir
d:\windows\system32\dllcache\ntoist.dll|d:\to_upload\ntoist.dll.vir

Dopuna: 25 Dec 2008 12:22

FCOPY::
d:\windows\system32\serhost.exe|d:\to_upload\serhost.exe.vir
d:\windows\system32\dllcache\mkllb.dll|d:\to_upload\mkllb.dll.vir
d:\windows\system32\dllcache\ntisapi.dll|d:\to_upload\ntisapi.dll.vir
d:\windows\system32\dllcache\ntoist.dll|d:\to_upload\ntoist.dll.vir

gornji kod sam u celosti kopirao u Notepad, nazvavsi taj dokument CFScript (280 kB), iskopirao sam ga na desktop, prevukao u Combo Fix kombo mi izbaci prozor sa sledecom porukom : "You cannot renama ComboFix as ComboFix. Please use another name, preferbaly made up ofalfanumeric characters", bez obzira na nju, pojavi se i onaj plavi procor Combo Fixa koji krece nesto da radi(cujem da drnda). ugasio sam ga

Dopuna: 25 Dec 2008 12:24

ne 280 kb vec 280 bajta

• 0Niko još nije pohvalio poruku.
  Registruj se da bi pohvalio/la poruku!

Tu sam sada.
Spremicu ja CFScript, pa cu da ti postavim na upload.
Javljam se za dva minuta.

Dopuna: 25 Dec 2008 12:32

Skini skript sa sledeceg linka na desktop:
[Link mogu videti samo ulogovani korisnici]

Nakon toga prevuci taj fajl na ikonicu ComboFixa.
Postavi mi izvestaj koji ce biti kreiran na kraju.

Dalje, proveri da li je kreiran folder D:\to_upload
Ukoliko jeste, uploaduj mi sve fajlove iz tog foldera na proveru.
Link ka formi za upload imas u mojim prethodnim porukama.

• 0Niko još nije pohvalio poruku.
  Registruj se da bi pohvalio/la poruku!

nisam video da si tu... u medjuvremenu napravih nanovo combofix sa onim CFScriptom... i nadogradio sam ComboFix, kad je navalio da ga nadogradim... resetovah komp i uradih ovo dole :
ComboFix 08-12-24.01 - drazen 2008-12-25 12:36:16.4 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.223.34 [GMT 1:00]
Running from: d:\documents and settings\drazen\Desktop\ComboFix.exe
Command switches used :: d:\documents and settings\drazen\Desktop\CFScript.txt
* Created a new restore point
* Resident AV is active

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

.
--------------- FCopy ---------------

d:\windows\system32\serhost.exe --> d:\to_upload\serhost.exe.vir
d:\windows\system32\dllcache\mkllb.dll --> d:\to_upload\mkllb.dll.vir
d:\windows\system32\dllcache\ntisapi.dll --> d:\to_upload\ntisapi.dll.vir
d:\windows\system32\dllcache\ntoist.dll --> d:\to_upload\ntoist.dll.vir
.
((((((((((((((((((((((((( Files Created from 2008-11-25 to 2008-12-25 )))))))))))))))))))))))))))))))
.

2008-12-25 12:36 . 2008-12-25 12:36 <DIR> d-------- D:\to_upload
2008-12-21 16:32 . 2008-12-21 16:32 <DIR> d-------- d:\program files\Malwarebytes' Anti-Malware
2008-12-21 16:32 . 2008-12-21 16:32 <DIR> d-------- d:\documents and settings\drazen\Application Data\Malwarebytes
2008-12-21 16:32 . 2008-12-21 16:32 <DIR> d-------- d:\documents and settings\All Users\Application Data\Malwarebytes
2008-12-21 16:32 . 2008-12-03 19:52 38,496 --a------ d:\windows\system32\drivers\mbamswissarmy.sys
2008-12-21 16:32 . 2008-12-03 19:52 15,504 --a------ d:\windows\system32\drivers\mbam.sys
2008-12-17 12:06 . 2008-12-17 12:07 <DIR> d-------- d:\program files\Common Files\Nokia
2008-12-16 18:52 . 2008-12-16 18:52 <DIR> d-------- d:\program files\Makayama Software
2008-12-16 18:52 . 2004-09-07 12:16 626,688 --------- d:\windows\system32\DGPDVDRipperStudio.ocx
2008-12-15 16:27 . 2008-12-15 16:27 <DIR> d-------- d:\documents and settings\drazen\Application Data\ImTOO Software Studio
2008-12-15 01:58 . 2008-12-15 01:58 <DIR> d-------- d:\program files\CoreAAC
2008-12-05 08:33 . 2008-12-05 08:37 <DIR> d-------- d:\program files\PDFCreator
2008-12-05 08:33 . 2004-03-09 00:00 662,288 --a------ d:\windows\system32\MSCOMCT2.OCX
2008-12-05 08:33 . 2005-10-15 12:32 196,608 --a------ d:\windows\system32\pdfcmnnt.dll
2008-12-05 08:33 . 1998-06-24 00:00 137,000 --a------ d:\windows\system32\MSMAPI32.OCX
2008-12-05 08:33 . 1998-07-06 00:00 23,552 --a------ d:\windows\system32\MSMPIDE.DLL
2008-12-01 17:50 . 2008-12-01 17:49 410,976 --a------ d:\windows\system32\deploytk.dll
2008-11-29 10:23 . 2008-11-29 10:23 <DIR> d--hs---- d:\windows\system32\RECYCLER

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-25 11:26 --------- d---a-w d:\documents and settings\All Users\Application Data\TEMP
2008-12-25 10:38 --------- d-----w d:\documents and settings\drazen\Application Data\Skype
2008-12-25 08:25 --------- d-----w d:\documents and settings\drazen\Application Data\skypePM
2008-12-17 12:37 --------- d-----w d:\documents and settings\drazen\Application Data\Nokia
2008-12-17 11:07 --------- d-----w d:\program files\Common Files\PCSuite
2008-12-17 11:06 --------- d-----w d:\program files\Nokia
2008-12-16 08:10 --------- d-----w d:\program files\ImTOO
2008-12-15 00:58 --------- d-----w d:\program files\GRETECH
2008-12-05 07:35 14,290 -c--a-w d:\program files\settings.dat
2008-12-01 16:49 --------- d-----w d:\program files\Java
2008-11-26 21:27 --------- d-----w d:\program files\Common Files\Adobe
2008-11-25 23:14 --------- d-----w d:\program files\Opera
2008-11-04 07:59 --------- d-----w d:\documents and settings\All Users\Application Data\Installations
2008-03-01 23:39 32 -c--a-w d:\documents and settings\All Users\Application Data\ezsid.dat
2008-08-24 09:47 251,392 ----a-w d:\program files\opera\program\plugins\dapop.dll
2008-08-07 15:26 56 -csh--r d:\windows\system32\DCF64F123F.sys
2008-08-07 15:26 10,022 -csha-w d:\windows\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((( [Link mogu videti samo ulogovani korisnici] )))))))))))))))))))))))))))))))))))))))))
.
- 2008-12-24 10:49:17 16,384 -c--a-w d:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2008-12-25 11:25:39 16,384 -c--a-w d:\windows\system32\config\systemprofile\Cookies\index.dat
- 2008-12-24 10:49:17 32,768 -c--a-w d:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2008-12-25 11:25:39 32,768 -c--a-w d:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2008-12-24 10:49:17 32,768 -c--a-w d:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2008-12-25 11:25:39 32,768 -c--a-w d:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2008-12-25 11:25:39 16,384 ----atw d:\windows\Temp\Perflib_Perfdata_794.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{F4F10C1D-87C7-404A-B4B3-000000000000}"= "d:\progra~1\DAP\SBSearch.dll" [2008-08-24 32768]

[HKEY_CLASSES_ROOT\clsid\{f4f10c1d-87c7-404a-b4b3-000000000000}]
[HKEY_CLASSES_ROOT\SearchHook.SrchHook.1]
[HKEY_CLASSES_ROOT\TypeLib\{95EFB171-F3DF-4BEC-9EF7-829A800203E6}]
[HKEY_CLASSES_ROOT\SearchHook.SrchHook]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="d:\program files\Messenger\msmsgs.exe" [2004-08-04 1667584]
"LogitechSoftwareUpdate"="d:\program files\Logitech\Video\ManifestEngine.exe" [2005-06-08 196608]
"ctfmon.exe"="d:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"DownloadAccelerator"="d:\program files\DAP\DAP.EXE" [2008-08-24 3053056]
"JFSW2Launch"="d:\documents and settings\drazen\Application Data\Transcend\JFSW2\JFSW2Launch.exe" [2008-04-02 45056]
"Transparent Icon Labels"="d:\program files\Transparent Icon Labels\Transparent Icon Labels.exe" [2008-09-20 126976]
"Nokia.PCSync"="d:\program files\Nokia\Nokia PC Suite 7\PCSync2.exe" [2008-06-17 1249280]
"PC Suite Tray"="d:\program files\Nokia\Nokia PC Suite 7\PCSuite.exe" [2008-10-02 1124352]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SiS Tray"="d:\windows\system32\sistray.EXE" [2001-12-24 327680]
"SiS KHooker"="d:\windows\system32\khooker.exe" [2002-01-25 290816]
"SiSUSBRG"="d:\windows\sisUSBrg.exe" [2002-02-21 28675]
"nod32kui"="d:\program files\Eset\nod32kui.exe" [2007-04-25 949376]
"LVCOMSX"="d:\windows\system32\LVCOMSX.EXE" [2005-07-19 221184]
"WinampAgent"="d:\program files\Winamp\winampa.exe" [2007-10-10 36352]
"LogitechVideoRepair"="d:\program files\Logitech\Video\ISStart.exe" [2005-06-08 458752]
"LogitechVideoTray"="d:\program files\Logitech\Video\LogiTray.exe" [2005-06-08 217088]
"SunJavaUpdateSched"="d:\program files\Java\jre6\bin\jusched.exe" [2008-12-01 136600]
"Adobe Reader Speed Launcher"="d:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.l3codec"= l3codecp.acm
"vidc.XVID"= xvid.dll
"msacm.enc"= ITIG726.acm
"vidc.I263"= i263_32.drv
"msacm.divxa32"= msaud32_divx.acm

[HKLM\~\startupfolder\D:^Documents and Settings^All Users^Start Menu^Programs^Startup^BlueSoleil.lnk]
path=d:\documents and settings\All Users\Start Menu\Programs\Startup\BlueSoleil.lnk
backup=d:\windows\pss\BlueSoleil.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DownloadAccelerator]
--a------ 2008-08-24 10:47 3053056 d:\program files\DAP\DAP.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--------- 2004-08-04 00:06 1667584 d:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
-ra------ 2008-09-23 14:17 21755688 d:\program files\Skype\Phone\Skype.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
--a------ 2007-10-10 06:28 36352 d:\program files\Winamp\winampa.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"d:\\Program Files\\IVT Corporation\\BlueSoleil\\BlueSoleil.exe"=
"d:\\Program Files\\Skype\\Phone\\Skype.exe"=

R1 nod32drv;nod32drv;d:\windows\system32\drivers\nod32drv.sys [2007-04-25 15424]
R3 SiS7012;Service for AC'97 Sample Driver (WDM);d:\windows\system32\drivers\sis7012.sys [2007-04-25 174848]
S2 Nod 32;Nod 32;d:\windows\system32\serhost.exe [2007-04-25 36864]
S3 Dhcssp;Dhcssp; []
.
Contents of the 'Scheduled Tasks' folder

2008-11-28 d:\windows\Tasks\Uniblue SpeedUpMyPC Nag.job
- d:\program files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe []

2007-05-26 d:\windows\Tasks\Uniblue SpeedUpMyPC.job
- d:\program files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe []
.
.
------- Supplementary Scan -------
.
uStart Page = [Link mogu videti samo ulogovani korisnici]
uInternet Settings,ProxyOverride = localhost
uSearchURL,(Default) = [Link mogu videti samo ulogovani korisnici]
IE: &Clean Traces - d:\program files\DAP\Privacy Package\dapcleanerie.htm
IE: &Download with &DAP - d:\program files\DAP\dapextie.htm
IE: Download &all with DAP - d:\program files\DAP\dapextie2.htm
IE: E&xport to Microsoft Excel - d:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
LSP: d:\windows\system32\imon.dll
Name-Space Handler: ftp\ZDA - {5BFA1DAF-5EDC-11D2-959E-00C00C02DA5E} - d:\progra~1\DAP\dapie.dll
Name-Space Handler: http\ZDA - {5BFA1DAF-5EDC-11D2-959E-00C00C02DA5E} - d:\progra~1\DAP\dapie.dll
FF - ProfilePath - d:\documents and settings\drazen\Application Data\Mozilla\Firefox\Profiles\91rv9iys.default\
FF - prefs.js: browser.startup.homepage - [Link mogu videti samo ulogovani korisnici]
FF - prefs.js: keyword.URL - [Link mogu videti samo ulogovani korisnici]
FF - component: d:\documents and settings\drazen\Application Data\Mozilla\Firefox\Profiles\91rv9iys.default\extensions\bkmrksync@nokia.com\components\BkMrkExt.dll
FF - component: d:\program files\DAP\DAPFireFox\components\DAPFireFox.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [Link mogu videti samo ulogovani korisnici]
Rootkit scan 2008-12-25 12:41:47
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'lsass.exe'(688-)
d:\windows\system32\imon.dll
.
Completion time: 2008-12-25 12:44:48
ComboFix-quarantined-files.txt 2008-12-25 11:43:55
ComboFix2.txt 2008-12-24 21:28:44
ComboFix3.txt 2008-12-24 13:08:38
ComboFix4.txt 2008-12-24 10:58:59

Pre-Run: 1,658,990,592 bytes free
Post-Run: 1,648,869,376 bytes free

176

Dopuna: 25 Dec 2008 12:58

na linku koji si mi poslao ja dobijem belu pozadinu sa ovim tekstom(jel to da kopiram u ComboFix ili u Notepad? ili moj brouser ne vidi fajl kako treba ili sam je u potpunom ne znaju? :

File::
d:\windows\system32\mshhfhh.dll

Driver::
Dhcssp

FCOPY::
d:\windows\system32\serhost.exe|d:\to_upload\serhost.exe.vir
d:\windows\system32\dllcache\mkllb.dll|d:\to_upload\mkllb.dll.vir
d:\windows\system32\dllcache\ntisapi.dll|d:\to_upload\ntisapi.dll.vir
d:\windows\system32\dllcache\ntoist.dll|d:\to_upload\ntoist.dll.vir

Dopuna: 25 Dec 2008 13:08

trenutno sam u Notepad kopirao SVE tj sav tekst sa one bele internet stranice i snimio na desktop. posle ove poruke cu taj CFScript prevuci u ComboFix i javim se sa rezultatom

• 0Niko još nije pohvalio poruku.
  Registruj se da bi pohvalio/la poruku!

Dobro si ucinio.
Cekamo rezultate

• 0Niko još nije pohvalio poruku.
  Registruj se da bi pohvalio/la poruku!

.. evo rezultata predhodno opisanog postupka :
ComboFix 08-12-24.01 - drazen 2008-12-25 13:08:21.5 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.223.45 [GMT 1:00]
Running from: d:\documents and settings\drazen\Desktop\ComboFix.exe
Command switches used :: d:\documents and settings\drazen\Desktop\CFScript.txt
* Resident AV is active


FILE ::
d:\windows\system32\mshhfhh.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

.
--------------- FCopy ---------------

d:\windows\system32\serhost.exe --> d:\to_upload\serhost.exe.vir
d:\windows\system32\dllcache\mkllb.dll --> d:\to_upload\mkllb.dll.vir
d:\windows\system32\dllcache\ntisapi.dll --> d:\to_upload\ntisapi.dll.vir
d:\windows\system32\dllcache\ntoist.dll --> d:\to_upload\ntoist.dll.vir
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_Dhcssp


((((((((((((((((((((((((( Files Created from 2008-11-25 to 2008-12-25 )))))))))))))))))))))))))))))))
.

2008-12-25 12:36 . 2008-12-25 13:08 <DIR> d-------- D:\to_upload
2008-12-21 16:32 . 2008-12-21 16:32 <DIR> d-------- d:\program files\Malwarebytes' Anti-Malware
2008-12-21 16:32 . 2008-12-21 16:32 <DIR> d-------- d:\documents and settings\drazen\Application Data\Malwarebytes
2008-12-21 16:32 . 2008-12-21 16:32 <DIR> d-------- d:\documents and settings\All Users\Application Data\Malwarebytes
2008-12-21 16:32 . 2008-12-03 19:52 38,496 --a------ d:\windows\system32\drivers\mbamswissarmy.sys
2008-12-21 16:32 . 2008-12-03 19:52 15,504 --a------ d:\windows\system32\drivers\mbam.sys
2008-12-17 12:06 . 2008-12-17 12:07 <DIR> d-------- d:\program files\Common Files\Nokia
2008-12-16 18:52 . 2008-12-16 18:52 <DIR> d-------- d:\program files\Makayama Software
2008-12-16 18:52 . 2004-09-07 12:16 626,688 --------- d:\windows\system32\DGPDVDRipperStudio.ocx
2008-12-15 16:27 . 2008-12-15 16:27 <DIR> d-------- d:\documents and settings\drazen\Application Data\ImTOO Software Studio
2008-12-15 01:58 . 2008-12-15 01:58 <DIR> d-------- d:\program files\CoreAAC
2008-12-05 08:33 . 2008-12-05 08:37 <DIR> d-------- d:\program files\PDFCreator
2008-12-05 08:33 . 2004-03-09 00:00 662,288 --a------ d:\windows\system32\MSCOMCT2.OCX
2008-12-05 08:33 . 2005-10-15 12:32 196,608 --a------ d:\windows\system32\pdfcmnnt.dll
2008-12-05 08:33 . 1998-06-24 00:00 137,000 --a------ d:\windows\system32\MSMAPI32.OCX
2008-12-05 08:33 . 1998-07-06 00:00 23,552 --a------ d:\windows\system32\MSMPIDE.DLL
2008-12-01 17:50 . 2008-12-01 17:49 410,976 --a------ d:\windows\system32\deploytk.dll
2008-11-29 10:23 . 2008-11-29 10:23 <DIR> d--hs---- d:\windows\system32\RECYCLER

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-25 12:18 --------- d---a-w d:\documents and settings\All Users\Application Data\TEMP
2008-12-25 10:38 --------- d-----w d:\documents and settings\drazen\Application Data\Skype
2008-12-25 08:25 --------- d-----w d:\documents and settings\drazen\Application Data\skypePM
2008-12-17 12:37 --------- d-----w d:\documents and settings\drazen\Application Data\Nokia
2008-12-17 11:07 --------- d-----w d:\program files\Common Files\PCSuite
2008-12-17 11:06 --------- d-----w d:\program files\Nokia
2008-12-16 08:10 --------- d-----w d:\program files\ImTOO
2008-12-15 00:58 --------- d-----w d:\program files\GRETECH
2008-12-05 07:35 14,290 -c--a-w d:\program files\settings.dat
2008-12-01 16:49 --------- d-----w d:\program files\Java
2008-11-26 21:27 --------- d-----w d:\program files\Common Files\Adobe
2008-11-25 23:14 --------- d-----w d:\program files\Opera
2008-11-04 07:59 --------- d-----w d:\documents and settings\All Users\Application Data\Installations
2008-03-01 23:39 32 -c--a-w d:\documents and settings\All Users\Application Data\ezsid.dat
2008-08-24 09:47 251,392 ----a-w d:\program files\opera\program\plugins\dapop.dll
2008-08-07 15:26 56 -csh--r d:\windows\system32\DCF64F123F.sys
2008-08-07 15:26 10,022 -csha-w d:\windows\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((( [Link mogu videti samo ulogovani korisnici] )))))))))))))))))))))))))))))))))))))))))
.
+ 2005-10-20 19:02:28 163,328 ----a-w d:\windows\ERDNT\subs\ERDNT.EXE
- 2008-12-24 10:49:17 16,384 -c--a-w d:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2008-12-25 12:17:07 16,384 -c--a-w d:\windows\system32\config\systemprofile\Cookies\index.dat
- 2008-12-24 10:49:17 32,768 -c--a-w d:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2008-12-25 12:17:07 32,768 -c--a-w d:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2008-12-24 10:49:17 32,768 -c--a-w d:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2008-12-25 12:17:07 32,768 -c--a-w d:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2008-12-25 12:17:02 16,384 ----atw d:\windows\Temp\Perflib_Perfdata_48c.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{F4F10C1D-87C7-404A-B4B3-000000000000}"= "d:\progra~1\DAP\SBSearch.dll" [2008-08-24 32768]

[HKEY_CLASSES_ROOT\clsid\{f4f10c1d-87c7-404a-b4b3-000000000000}]
[HKEY_CLASSES_ROOT\SearchHook.SrchHook.1]
[HKEY_CLASSES_ROOT\TypeLib\{95EFB171-F3DF-4BEC-9EF7-829A800203E6}]
[HKEY_CLASSES_ROOT\SearchHook.SrchHook]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="d:\program files\Messenger\msmsgs.exe" [2004-08-04 1667584]
"LogitechSoftwareUpdate"="d:\program files\Logitech\Video\ManifestEngine.exe" [2005-06-08 196608]
"ctfmon.exe"="d:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"DownloadAccelerator"="d:\program files\DAP\DAP.EXE" [2008-08-24 3053056]
"JFSW2Launch"="d:\documents and settings\drazen\Application Data\Transcend\JFSW2\JFSW2Launch.exe" [2008-04-02 45056]
"Transparent Icon Labels"="d:\program files\Transparent Icon Labels\Transparent Icon Labels.exe" [2008-09-20 126976]
"Nokia.PCSync"="d:\program files\Nokia\Nokia PC Suite 7\PCSync2.exe" [2008-06-17 1249280]
"PC Suite Tray"="d:\program files\Nokia\Nokia PC Suite 7\PCSuite.exe" [2008-10-02 1124352]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SiS Tray"="d:\windows\system32\sistray.EXE" [2001-12-24 327680]
"SiS KHooker"="d:\windows\system32\khooker.exe" [2002-01-25 290816]
"SiSUSBRG"="d:\windows\sisUSBrg.exe" [2002-02-21 28675]
"nod32kui"="d:\program files\Eset\nod32kui.exe" [2007-04-25 949376]
"LVCOMSX"="d:\windows\system32\LVCOMSX.EXE" [2005-07-19 221184]
"WinampAgent"="d:\program files\Winamp\winampa.exe" [2007-10-10 36352]
"LogitechVideoRepair"="d:\program files\Logitech\Video\ISStart.exe" [2005-06-08 458752]
"LogitechVideoTray"="d:\program files\Logitech\Video\LogiTray.exe" [2005-06-08 217088]
"SunJavaUpdateSched"="d:\program files\Java\jre6\bin\jusched.exe" [2008-12-01 136600]
"Adobe Reader Speed Launcher"="d:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.l3codec"= l3codecp.acm
"vidc.XVID"= xvid.dll
"msacm.enc"= ITIG726.acm
"vidc.I263"= i263_32.drv
"msacm.divxa32"= msaud32_divx.acm

[HKLM\~\startupfolder\D:^Documents and Settings^All Users^Start Menu^Programs^Startup^BlueSoleil.lnk]
path=d:\documents and settings\All Users\Start Menu\Programs\Startup\BlueSoleil.lnk
backup=d:\windows\pss\BlueSoleil.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DownloadAccelerator]
--a------ 2008-08-24 10:47 3053056 d:\program files\DAP\DAP.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--------- 2004-08-04 00:06 1667584 d:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
-ra------ 2008-09-23 14:17 21755688 d:\program files\Skype\Phone\Skype.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
--a------ 2007-10-10 06:28 36352 d:\program files\Winamp\winampa.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"d:\\Program Files\\IVT Corporation\\BlueSoleil\\BlueSoleil.exe"=
"d:\\Program Files\\Skype\\Phone\\Skype.exe"=

.
Contents of the 'Scheduled Tasks' folder

2008-11-28 d:\windows\Tasks\Uniblue SpeedUpMyPC Nag.job
- d:\program files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe []

2007-05-26 d:\windows\Tasks\Uniblue SpeedUpMyPC.job
- d:\program files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe []
.
.
------- Supplementary Scan -------
.
uStart Page = [Link mogu videti samo ulogovani korisnici]
uInternet Settings,ProxyOverride = localhost
uSearchURL,(Default) = [Link mogu videti samo ulogovani korisnici]
IE: &Clean Traces - d:\program files\DAP\Privacy Package\dapcleanerie.htm
IE: &Download with &DAP - d:\program files\DAP\dapextie.htm
IE: Download &all with DAP - d:\program files\DAP\dapextie2.htm
IE: E&xport to Microsoft Excel - d:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
LSP: d:\windows\system32\imon.dll
FF - ProfilePath - d:\documents and settings\drazen\Application Data\Mozilla\Firefox\Profiles\91rv9iys.default\
FF - prefs.js: browser.startup.homepage - [Link mogu videti samo ulogovani korisnici]
FF - prefs.js: keyword.URL - [Link mogu videti samo ulogovani korisnici]
FF - component: d:\documents and settings\drazen\Application Data\Mozilla\Firefox\Profiles\91rv9iys.default\extensions\bkmrksync@nokia.com\components\BkMrkExt.dll
FF - component: d:\program files\DAP\DAPFireFox\components\DAPFireFox.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [Link mogu videti samo ulogovani korisnici]
Rootkit scan 2008-12-25 13:16:57
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'lsass.exe'(692)
d:\windows\system32\imon.dll
.
------------------------ Other Running Processes ------------------------
.
d:\program files\IVT Corporation\BlueSoleil\BTNtService.exe
d:\program files\Java\jre6\bin\jqs.exe
d:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
d:\program files\ESET\nod32krn.exe
d:\windows\system32\slserv.exe
d:\windows\system32\wdfmgr.exe
d:\program files\Logitech\Video\FxSvr2.exe
d:\program files\PC Connectivity Solution\ServiceLayer.exe
d:\program files\PC Connectivity Solution\Transports\NclRSSrv.exe
d:\program files\PC Connectivity Solution\Transports\NclMSBTSrv.exe
d:\program files\PC Connectivity Solution\Transports\NclUSBSrv.exe
d:\program files\PC Connectivity Solution\Transports\NclIrSrv.exe
d:\program files\Common Files\Nokia\MPAPI\MPAPI3s.exe
d:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2008-12-25 13:26:19 - machine was rebooted
ComboFix-quarantined-files.txt 2008-12-25 12:26:10
ComboFix2.txt 2008-12-25 11:44:50
ComboFix3.txt 2008-12-24 21:28:44
ComboFix4.txt 2008-12-24 13:08:38
ComboFix5.txt 2008-12-25 12:06:12

Pre-Run: 1,656,930,304 bytes free
Post-Run: 1,590,321,152 bytes free

195

• 0Niko još nije pohvalio poruku.
  Registruj se da bi pohvalio/la poruku!

E, sada mi trebaju na proveru svi fajlovi koje je ComboFix iskopirao u folder d:\to_upload.
Ili ih spakuj u jedan ZIP ili RAR (sta vec imas od odgovarajucih programa), ili ih pojedinacno uploaduj preko sledece forme:
[Link mogu videti samo ulogovani korisnici]

• 0Niko još nije pohvalio poruku.
  Registruj se da bi pohvalio/la poruku!

.. opis : pošto sam prevuko CFscript, kreiran na gore opisan način, u ComboFix, ComboFix je počeo sa radom... .. na samom početku rada na kratko je iskočio NOD-ov crveni prozor sa nekim upozorenjem... to je bilo jako kratko i nestalo je(nisam uspeo pročitati sadržaj)takva situacija je bila i kod ranijih startovanja ComboFixa. sam je nastavio dalje... .. pošto je izlistao puno onih redova obeleženih brojevima, iskočio je prozorčić sa crvenim krugom i X-om za upozorenje "ako želim dalje mora restart". pošao sam dalje... posle restarta je nastavio da radi... i dao je gornji izveštaj

Dopuna: 25 Dec 2008 13:59

poslao sam zapakovan fajl na onaj upload nacin

• 0Niko još nije pohvalio poruku.
  Registruj se da bi pohvalio/la poruku!

Pregledao sam. Nasli smo uljeze

Otvoriti Notepad i iskopirati sledeci tekst:

File::
d:\windows\system32\serhost.exe
d:\windows\system32\dllcache\mkllb.dll
d:\windows\system32\dllcache\ntisapi.dll
d:\windows\system32\dllcache\ntoist.dll

Folder::
d:\to_upload

Snimiti na Desktop fajl iz Notepada kao "CFScript"




Prevuci snimljeni skript/tekst na ComboFix ikonicu kao na slici.
Postaviti u sledecoj poruci log koji bude bio napravljen na kraju ciscenja/skeniranja.

==============================

Napravi i novi log uz pomoc programa HijackThis i postavi mi i njega ovde.