MyCity » Ambulanta -> Arhiva Ambulante » kako da obrisem win32/autrun.ABHWorm

kako da obrisem win32/autrun.ABHWorm

Napisano na dan: 24.12.2008

Strana:
1
2
3
4
5

kako da obrisem win32/autrun.ABHWorm

Pagination

Prethodna strana

Sledeća strana

Pagination

Odgovori

Strana:
1
2
3
4
5

milnem Poslao: 25 Dec 2008 10:53 Idi na vrh
offline milnem Novi MyCity građanin Pridružio: 24 Dec 2008 Poruke: 23 Gde živiš: Novi Sad	0Niko još nije pohvalio poruku. Registruj se da bi pohvalio/la poruku! a da ponovim postopak ? zaista nisam otvarao dokument posle imenovanja u CFScript.txt. te nemam pojma jel je snimljen sa sadrzajem. ali cu proveriti sada. ps ako nije problem , kada si po podne na stranici? okvirno, no nista te naravski ne obavezuje da budes, pozdrav

Profil

bobby Poslao: 25 Dec 2008 11:01 Idi na vrh
offline bobby Administrator Pridružio: 04 Sep 2003 Poruke: 24135 Gde živiš: Wien	0Niko još nije pohvalio poruku. Registruj se da bi pohvalio/la poruku! U stanu sam najverovatnije ceo dan, ali me polako obara grip. Pokusaj ponovo sa CFScriptovima. Ja cu s vremena na vreme da zavirim u temu, da proverim da li si nesto uspeo da uradis.

Profil

milnem Poslao: 25 Dec 2008 12:24 Idi na vrh
offline milnem Novi MyCity građanin Pridružio: 24 Dec 2008 Poruke: 23 Gde živiš: Novi Sad	0Niko još nije pohvalio poruku. Registruj se da bi pohvalio/la poruku! ok. ako operes limun srednje velicine ili veliki... i iseckas ga na tanke reznjeve(kolutice), te ga sa sve korom pojedes u cugu... i popijes danas 3x 2 andola... virus gripa ce uteci... *naravski da su 1 do 2 jabuke dnevno OBAVEZNE! a rezultate ces videti... (ps. jbg lakse je tebi iseci limun nego meni da pravim fajlove i dokumente o kojima ne znam bas dovoljno ali i "moje lecenje" u tvojoj ambulanti ce dati rezultat, kada ja ovladam primenom "terapije" a sada idem uradit nanovo onaj CFScript : (dali snimim u notepad i ovo "FCOPY" ili samo ona cetiri d: sa svim tekstom koji sledi ? ovo je taj kod koji si mi poslao FCOPY:: d:\windows\system32\serhost.exe\|d:\to_upload\serhost.exe.vir d:\windows\system32\dllcache\mkllb.dll\|d:\to_upload\mkllb.dll.vir d:\windows\system32\dllcache\ntisapi.dll\|d:\to_upload\ntisapi.dll.vir d:\windows\system32\dllcache\ntoist.dll\|d:\to_upload\ntoist.dll.vir Dopuna: 25 Dec 2008 12:22 FCOPY:: d:\windows\system32\serhost.exe\|d:\to_upload\serhost.exe.vir d:\windows\system32\dllcache\mkllb.dll\|d:\to_upload\mkllb.dll.vir d:\windows\system32\dllcache\ntisapi.dll\|d:\to_upload\ntisapi.dll.vir d:\windows\system32\dllcache\ntoist.dll\|d:\to_upload\ntoist.dll.vir gornji kod sam u celosti kopirao u Notepad, nazvavsi taj dokument CFScript (280 kB), iskopirao sam ga na desktop, prevukao u Combo Fix kombo mi izbaci prozor sa sledecom porukom : "You cannot renama ComboFix as ComboFix. Please use another name, preferbaly made up ofalfanumeric characters", bez obzira na nju, pojavi se i onaj plavi procor Combo Fixa koji krece nesto da radi(cujem da drnda). ugasio sam ga Dopuna: 25 Dec 2008 12:24 ne 280 kb vec 280 bajta

Profil

bobby Poslao: 25 Dec 2008 12:32 Idi na vrh
offline bobby Administrator Pridružio: 04 Sep 2003 Poruke: 24135 Gde živiš: Wien	0Niko još nije pohvalio poruku. Registruj se da bi pohvalio/la poruku! Tu sam sada. Spremicu ja CFScript, pa cu da ti postavim na upload. Javljam se za dva minuta. Dopuna: 25 Dec 2008 12:32 Skini skript sa sledeceg linka na desktop: http://amf.mycity.rs/programs/CFScript.txt Nakon toga prevuci taj fajl na ikonicu ComboFixa. Postavi mi izvestaj koji ce biti kreiran na kraju. Dalje, proveri da li je kreiran folder D:\to_upload Ukoliko jeste, uploaduj mi sve fajlove iz tog foldera na proveru. Link ka formi za upload imas u mojim prethodnim porukama.

Profil

milnem Poslao: 25 Dec 2008 13:08 Idi na vrh
offline milnem Novi MyCity građanin Pridružio: 24 Dec 2008 Poruke: 23 Gde živiš: Novi Sad	0Niko još nije pohvalio poruku. Registruj se da bi pohvalio/la poruku! nisam video da si tu... u medjuvremenu napravih nanovo combofix sa onim CFScriptom... i nadogradio sam ComboFix, kad je navalio da ga nadogradim... resetovah komp i uradih ovo dole : ComboFix 08-12-24.01 - drazen 2008-12-25 12:36:16.4 - NTFSx86 Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.223.34 [GMT 1:00] Running from: d:\documents and settings\drazen\Desktop\ComboFix.exe Command switches used :: d:\documents and settings\drazen\Desktop\CFScript.txt * Created a new restore point * Resident AV is active . ((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) . . --------------- FCopy --------------- d:\windows\system32\serhost.exe --> d:\to_upload\serhost.exe.vir d:\windows\system32\dllcache\mkllb.dll --> d:\to_upload\mkllb.dll.vir d:\windows\system32\dllcache\ntisapi.dll --> d:\to_upload\ntisapi.dll.vir d:\windows\system32\dllcache\ntoist.dll --> d:\to_upload\ntoist.dll.vir . ((((((((((((((((((((((((( Files Created from 2008-11-25 to 2008-12-25 ))))))))))))))))))))))))))))))) . 2008-12-25 12:36 . 2008-12-25 12:36 <DIR> d-------- D:\to_upload 2008-12-21 16:32 . 2008-12-21 16:32 <DIR> d-------- d:\program files\Malwarebytes' Anti-Malware 2008-12-21 16:32 . 2008-12-21 16:32 <DIR> d-------- d:\documents and settings\drazen\Application Data\Malwarebytes 2008-12-21 16:32 . 2008-12-21 16:32 <DIR> d-------- d:\documents and settings\All Users\Application Data\Malwarebytes 2008-12-21 16:32 . 2008-12-03 19:52 38,496 --a------ d:\windows\system32\drivers\mbamswissarmy.sys 2008-12-21 16:32 . 2008-12-03 19:52 15,504 --a------ d:\windows\system32\drivers\mbam.sys 2008-12-17 12:06 . 2008-12-17 12:07 <DIR> d-------- d:\program files\Common Files\Nokia 2008-12-16 18:52 . 2008-12-16 18:52 <DIR> d-------- d:\program files\Makayama Software 2008-12-16 18:52 . 2004-09-07 12:16 626,688 --------- d:\windows\system32\DGPDVDRipperStudio.ocx 2008-12-15 16:27 . 2008-12-15 16:27 <DIR> d-------- d:\documents and settings\drazen\Application Data\ImTOO Software Studio 2008-12-15 01:58 . 2008-12-15 01:58 <DIR> d-------- d:\program files\CoreAAC 2008-12-05 08:33 . 2008-12-05 08:37 <DIR> d-------- d:\program files\PDFCreator 2008-12-05 08:33 . 2004-03-09 00:00 662,288 --a------ d:\windows\system32\MSCOMCT2.OCX 2008-12-05 08:33 . 2005-10-15 12:32 196,608 --a------ d:\windows\system32\pdfcmnnt.dll 2008-12-05 08:33 . 1998-06-24 00:00 137,000 --a------ d:\windows\system32\MSMAPI32.OCX 2008-12-05 08:33 . 1998-07-06 00:00 23,552 --a------ d:\windows\system32\MSMPIDE.DLL 2008-12-01 17:50 . 2008-12-01 17:49 410,976 --a------ d:\windows\system32\deploytk.dll 2008-11-29 10:23 . 2008-11-29 10:23 <DIR> d--hs---- d:\windows\system32\RECYCLER . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2008-12-25 11:26 --------- d---a-w d:\documents and settings\All Users\Application Data\TEMP 2008-12-25 10:38 --------- d-----w d:\documents and settings\drazen\Application Data\Skype 2008-12-25 08:25 --------- d-----w d:\documents and settings\drazen\Application Data\skypePM 2008-12-17 12:37 --------- d-----w d:\documents and settings\drazen\Application Data\Nokia 2008-12-17 11:07 --------- d-----w d:\program files\Common Files\PCSuite 2008-12-17 11:06 --------- d-----w d:\program files\Nokia 2008-12-16 08:10 --------- d-----w d:\program files\ImTOO 2008-12-15 00:58 --------- d-----w d:\program files\GRETECH 2008-12-05 07:35 14,290 -c--a-w d:\program files\settings.dat 2008-12-01 16:49 --------- d-----w d:\program files\Java 2008-11-26 21:27 --------- d-----w d:\program files\Common Files\Adobe 2008-11-25 23:14 --------- d-----w d:\program files\Opera 2008-11-04 07:59 --------- d-----w d:\documents and settings\All Users\Application Data\Installations 2008-03-01 23:39 32 -c--a-w d:\documents and settings\All Users\Application Data\ezsid.dat 2008-08-24 09:47 251,392 ----a-w d:\program files\opera\program\plugins\dapop.dll 2008-08-07 15:26 56 -csh--r d:\windows\system32\DCF64F123F.sys 2008-08-07 15:26 10,022 -csha-w d:\windows\system32\KGyGaAvL.sys . ((((((((((((((((((((((((((((( snapshot@2008-12-24_11.57.18.46 ))))))))))))))))))))))))))))))))))))))))) . - 2008-12-24 10:49:17 16,384 -c--a-w d:\windows\system32\config\systemprofile\Cookies\index.dat + 2008-12-25 11:25:39 16,384 -c--a-w d:\windows\system32\config\systemprofile\Cookies\index.dat - 2008-12-24 10:49:17 32,768 -c--a-w d:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat + 2008-12-25 11:25:39 32,768 -c--a-w d:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat - 2008-12-24 10:49:17 32,768 -c--a-w d:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat + 2008-12-25 11:25:39 32,768 -c--a-w d:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat + 2008-12-25 11:25:39 16,384 ----atw d:\windows\Temp\Perflib_Perfdata_794.dat . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . Note empty entries & legit default entries are not shown REGEDIT4 [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks] "{F4F10C1D-87C7-404A-B4B3-000000000000}"= "d:\progra~1\DAP\SBSearch.dll" [2008-08-24 32768] [HKEY_CLASSES_ROOT\clsid\{f4f10c1d-87c7-404a-b4b3-000000000000}] [HKEY_CLASSES_ROOT\SearchHook.SrchHook.1] [HKEY_CLASSES_ROOT\TypeLib\{95EFB171-F3DF-4BEC-9EF7-829A800203E6}] [HKEY_CLASSES_ROOT\SearchHook.SrchHook] [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "MSMSGS"="d:\program files\Messenger\msmsgs.exe" [2004-08-04 1667584] "LogitechSoftwareUpdate"="d:\program files\Logitech\Video\ManifestEngine.exe" [2005-06-08 196608] "ctfmon.exe"="d:\windows\system32\ctfmon.exe" [2004-08-04 15360] "DownloadAccelerator"="d:\program files\DAP\DAP.EXE" [2008-08-24 3053056] "JFSW2Launch"="d:\documents and settings\drazen\Application Data\Transcend\JFSW2\JFSW2Launch.exe" [2008-04-02 45056] "Transparent Icon Labels"="d:\program files\Transparent Icon Labels\Transparent Icon Labels.exe" [2008-09-20 126976] "Nokia.PCSync"="d:\program files\Nokia\Nokia PC Suite 7\PCSync2.exe" [2008-06-17 1249280] "PC Suite Tray"="d:\program files\Nokia\Nokia PC Suite 7\PCSuite.exe" [2008-10-02 1124352] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "SiS Tray"="d:\windows\system32\sistray.EXE" [2001-12-24 327680] "SiS KHooker"="d:\windows\system32\khooker.exe" [2002-01-25 290816] "SiSUSBRG"="d:\windows\sisUSBrg.exe" [2002-02-21 28675] "nod32kui"="d:\program files\Eset\nod32kui.exe" [2007-04-25 949376] "LVCOMSX"="d:\windows\system32\LVCOMSX.EXE" [2005-07-19 221184] "WinampAgent"="d:\program files\Winamp\winampa.exe" [2007-10-10 36352] "LogitechVideoRepair"="d:\program files\Logitech\Video\ISStart.exe" [2005-06-08 458752] "LogitechVideoTray"="d:\program files\Logitech\Video\LogiTray.exe" [2005-06-08 217088] "SunJavaUpdateSched"="d:\program files\Java\jre6\bin\jusched.exe" [2008-12-01 136600] "Adobe Reader Speed Launcher"="d:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792] [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32] "msacm.l3codec"= l3codecp.acm "vidc.XVID"= xvid.dll "msacm.enc"= ITIG726.acm "vidc.I263"= i263_32.drv "msacm.divxa32"= msaud32_divx.acm [HKLM\~\startupfolder\D:^Documents and Settings^All Users^Start Menu^Programs^Startup^BlueSoleil.lnk] path=d:\documents and settings\All Users\Start Menu\Programs\Startup\BlueSoleil.lnk backup=d:\windows\pss\BlueSoleil.lnkCommon Startup [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DownloadAccelerator] --a------ 2008-08-24 10:47 3053056 d:\program files\DAP\DAP.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS] --------- 2004-08-04 00:06 1667584 d:\program files\Messenger\msmsgs.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype] -ra------ 2008-09-23 14:17 21755688 d:\program files\Skype\Phone\Skype.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent] --a------ 2007-10-10 06:28 36352 d:\program files\Winamp\winampa.exe [HKEY_LOCAL_MACHINE\software\microsoft\security center] "AntiVirusDisableNotify"=dword:00000001 "UpdatesDisableNotify"=dword:00000001 [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile] "EnableFirewall"= 0 (0x0) [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List] "%windir%\\system32\\sessmgr.exe"= "d:\\Program Files\\IVT Corporation\\BlueSoleil\\BlueSoleil.exe"= "d:\\Program Files\\Skype\\Phone\\Skype.exe"= R1 nod32drv;nod32drv;d:\windows\system32\drivers\nod32drv.sys [2007-04-25 15424] R3 SiS7012;Service for AC'97 Sample Driver (WDM);d:\windows\system32\drivers\sis7012.sys [2007-04-25 174848] S2 Nod 32;Nod 32;d:\windows\system32\serhost.exe [2007-04-25 36864] S3 Dhcssp;Dhcssp; [] . Contents of the 'Scheduled Tasks' folder 2008-11-28 d:\windows\Tasks\Uniblue SpeedUpMyPC Nag.job - d:\program files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe [] 2007-05-26 d:\windows\Tasks\Uniblue SpeedUpMyPC.job - d:\program files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe [] . . ------- Supplementary Scan ------- . uStart Page = hxxp://www.google.com/ uInternet Settings,ProxyOverride = localhost uSearchURL,(Default) = hxxp://www.google.com/search?q=%s IE: &Clean Traces - d:\program files\DAP\Privacy Package\dapcleanerie.htm IE: &Download with &DAP - d:\program files\DAP\dapextie.htm IE: Download &all with DAP - d:\program files\DAP\dapextie2.htm IE: E&xport to Microsoft Excel - d:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000 LSP: d:\windows\system32\imon.dll Name-Space Handler: ftp\ZDA - {5BFA1DAF-5EDC-11D2-959E-00C00C02DA5E} - d:\progra~1\DAP\dapie.dll Name-Space Handler: http\ZDA - {5BFA1DAF-5EDC-11D2-959E-00C00C02DA5E} - d:\progra~1\DAP\dapie.dll FF - ProfilePath - d:\documents and settings\drazen\Application Data\Mozilla\Firefox\Profiles\91rv9iys.default\ FF - prefs.js: browser.startup.homepage - hxxp://en-US.start2.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official FF - prefs.js: keyword.URL - hxxp://search.speedbit.com/searchresults.asp?src=default&q= FF - component: d:\documents and settings\drazen\Application Data\Mozilla\Firefox\Profiles\91rv9iys.default\extensions\bkmrksync@nokia.com\components\BkMrkExt.dll FF - component: d:\program files\DAP\DAPFireFox\components\DAPFireFox.dll . ************************************************************************ catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, gmer.net Rootkit scan 2008-12-25 12:41:47 Windows 5.1.2600 Service Pack 2 NTFS scanning hidden processes ... scanning hidden autostart entries ... scanning hidden files ... scan completed successfully hidden files: 0 ************************************************************************ . --------------------- DLLs Loaded Under Running Processes --------------------- - - - - - - - > 'lsass.exe'(688-) d:\windows\system32\imon.dll . Completion time: 2008-12-25 12:44:48 ComboFix-quarantined-files.txt 2008-12-25 11:43:55 ComboFix2.txt 2008-12-24 21:28:44 ComboFix3.txt 2008-12-24 13:08:38 ComboFix4.txt 2008-12-24 10:58:59 Pre-Run: 1,658,990,592 bytes free Post-Run: 1,648,869,376 bytes free 176 Dopuna: 25 Dec 2008 12:58 na linku koji si mi poslao ja dobijem belu pozadinu sa ovim tekstom(jel to da kopiram u ComboFix ili u Notepad? ili moj brouser ne vidi fajl kako treba ili sam je u potpunom ne znaju? : File:: d:\windows\system32\mshhfhh.dll Driver:: Dhcssp FCOPY:: d:\windows\system32\serhost.exe\|d:\to_upload\serhost.exe.vir d:\windows\system32\dllcache\mkllb.dll\|d:\to_upload\mkllb.dll.vir d:\windows\system32\dllcache\ntisapi.dll\|d:\to_upload\ntisapi.dll.vir d:\windows\system32\dllcache\ntoist.dll\|d:\to_upload\ntoist.dll.vir Dopuna: 25 Dec 2008 13:08 trenutno sam u Notepad kopirao SVE tj sav tekst sa one bele internet stranice i snimio na desktop. posle ove poruke cu taj CFScript prevuci u ComboFix i javim se sa rezultatom

Profil

bobby Poslao: 25 Dec 2008 13:35 Idi na vrh
offline bobby Administrator Pridružio: 04 Sep 2003 Poruke: 24135 Gde živiš: Wien	0Niko još nije pohvalio poruku. Registruj se da bi pohvalio/la poruku! Dobro si ucinio. Cekamo rezultate

Profil

milnem Poslao: 25 Dec 2008 13:36 Idi na vrh
offline milnem Novi MyCity građanin Pridružio: 24 Dec 2008 Poruke: 23 Gde živiš: Novi Sad	0Niko još nije pohvalio poruku. Registruj se da bi pohvalio/la poruku! .. evo rezultata predhodno opisanog postupka : ComboFix 08-12-24.01 - drazen 2008-12-25 13:08:21.5 - NTFSx86 Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.223.45 [GMT 1:00] Running from: d:\documents and settings\drazen\Desktop\ComboFix.exe Command switches used :: d:\documents and settings\drazen\Desktop\CFScript.txt * Resident AV is active FILE :: d:\windows\system32\mshhfhh.dll . ((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) . . --------------- FCopy --------------- d:\windows\system32\serhost.exe --> d:\to_upload\serhost.exe.vir d:\windows\system32\dllcache\mkllb.dll --> d:\to_upload\mkllb.dll.vir d:\windows\system32\dllcache\ntisapi.dll --> d:\to_upload\ntisapi.dll.vir d:\windows\system32\dllcache\ntoist.dll --> d:\to_upload\ntoist.dll.vir . ((((((((((((((((((((((((((((((((((((((( Drivers/Services ))))))))))))))))))))))))))))))))))))))))))))))))) . -------\Service_Dhcssp ((((((((((((((((((((((((( Files Created from 2008-11-25 to 2008-12-25 ))))))))))))))))))))))))))))))) . 2008-12-25 12:36 . 2008-12-25 13:08 <DIR> d-------- D:\to_upload 2008-12-21 16:32 . 2008-12-21 16:32 <DIR> d-------- d:\program files\Malwarebytes' Anti-Malware 2008-12-21 16:32 . 2008-12-21 16:32 <DIR> d-------- d:\documents and settings\drazen\Application Data\Malwarebytes 2008-12-21 16:32 . 2008-12-21 16:32 <DIR> d-------- d:\documents and settings\All Users\Application Data\Malwarebytes 2008-12-21 16:32 . 2008-12-03 19:52 38,496 --a------ d:\windows\system32\drivers\mbamswissarmy.sys 2008-12-21 16:32 . 2008-12-03 19:52 15,504 --a------ d:\windows\system32\drivers\mbam.sys 2008-12-17 12:06 . 2008-12-17 12:07 <DIR> d-------- d:\program files\Common Files\Nokia 2008-12-16 18:52 . 2008-12-16 18:52 <DIR> d-------- d:\program files\Makayama Software 2008-12-16 18:52 . 2004-09-07 12:16 626,688 --------- d:\windows\system32\DGPDVDRipperStudio.ocx 2008-12-15 16:27 . 2008-12-15 16:27 <DIR> d-------- d:\documents and settings\drazen\Application Data\ImTOO Software Studio 2008-12-15 01:58 . 2008-12-15 01:58 <DIR> d-------- d:\program files\CoreAAC 2008-12-05 08:33 . 2008-12-05 08:37 <DIR> d-------- d:\program files\PDFCreator 2008-12-05 08:33 . 2004-03-09 00:00 662,288 --a------ d:\windows\system32\MSCOMCT2.OCX 2008-12-05 08:33 . 2005-10-15 12:32 196,608 --a------ d:\windows\system32\pdfcmnnt.dll 2008-12-05 08:33 . 1998-06-24 00:00 137,000 --a------ d:\windows\system32\MSMAPI32.OCX 2008-12-05 08:33 . 1998-07-06 00:00 23,552 --a------ d:\windows\system32\MSMPIDE.DLL 2008-12-01 17:50 . 2008-12-01 17:49 410,976 --a------ d:\windows\system32\deploytk.dll 2008-11-29 10:23 . 2008-11-29 10:23 <DIR> d--hs---- d:\windows\system32\RECYCLER . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2008-12-25 12:18 --------- d---a-w d:\documents and settings\All Users\Application Data\TEMP 2008-12-25 10:38 --------- d-----w d:\documents and settings\drazen\Application Data\Skype 2008-12-25 08:25 --------- d-----w d:\documents and settings\drazen\Application Data\skypePM 2008-12-17 12:37 --------- d-----w d:\documents and settings\drazen\Application Data\Nokia 2008-12-17 11:07 --------- d-----w d:\program files\Common Files\PCSuite 2008-12-17 11:06 --------- d-----w d:\program files\Nokia 2008-12-16 08:10 --------- d-----w d:\program files\ImTOO 2008-12-15 00:58 --------- d-----w d:\program files\GRETECH 2008-12-05 07:35 14,290 -c--a-w d:\program files\settings.dat 2008-12-01 16:49 --------- d-----w d:\program files\Java 2008-11-26 21:27 --------- d-----w d:\program files\Common Files\Adobe 2008-11-25 23:14 --------- d-----w d:\program files\Opera 2008-11-04 07:59 --------- d-----w d:\documents and settings\All Users\Application Data\Installations 2008-03-01 23:39 32 -c--a-w d:\documents and settings\All Users\Application Data\ezsid.dat 2008-08-24 09:47 251,392 ----a-w d:\program files\opera\program\plugins\dapop.dll 2008-08-07 15:26 56 -csh--r d:\windows\system32\DCF64F123F.sys 2008-08-07 15:26 10,022 -csha-w d:\windows\system32\KGyGaAvL.sys . ((((((((((((((((((((((((((((( snapshot@2008-12-24_11.57.18.46 ))))))))))))))))))))))))))))))))))))))))) . + 2005-10-20 19:02:28 163,328 ----a-w d:\windows\ERDNT\subs\ERDNT.EXE - 2008-12-24 10:49:17 16,384 -c--a-w d:\windows\system32\config\systemprofile\Cookies\index.dat + 2008-12-25 12:17:07 16,384 -c--a-w d:\windows\system32\config\systemprofile\Cookies\index.dat - 2008-12-24 10:49:17 32,768 -c--a-w d:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat + 2008-12-25 12:17:07 32,768 -c--a-w d:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat - 2008-12-24 10:49:17 32,768 -c--a-w d:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat + 2008-12-25 12:17:07 32,768 -c--a-w d:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat + 2008-12-25 12:17:02 16,384 ----atw d:\windows\Temp\Perflib_Perfdata_48c.dat . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . Note empty entries & legit default entries are not shown REGEDIT4 [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks] "{F4F10C1D-87C7-404A-B4B3-000000000000}"= "d:\progra~1\DAP\SBSearch.dll" [2008-08-24 32768] [HKEY_CLASSES_ROOT\clsid\{f4f10c1d-87c7-404a-b4b3-000000000000}] [HKEY_CLASSES_ROOT\SearchHook.SrchHook.1] [HKEY_CLASSES_ROOT\TypeLib\{95EFB171-F3DF-4BEC-9EF7-829A800203E6}] [HKEY_CLASSES_ROOT\SearchHook.SrchHook] [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "MSMSGS"="d:\program files\Messenger\msmsgs.exe" [2004-08-04 1667584] "LogitechSoftwareUpdate"="d:\program files\Logitech\Video\ManifestEngine.exe" [2005-06-08 196608] "ctfmon.exe"="d:\windows\system32\ctfmon.exe" [2004-08-04 15360] "DownloadAccelerator"="d:\program files\DAP\DAP.EXE" [2008-08-24 3053056] "JFSW2Launch"="d:\documents and settings\drazen\Application Data\Transcend\JFSW2\JFSW2Launch.exe" [2008-04-02 45056] "Transparent Icon Labels"="d:\program files\Transparent Icon Labels\Transparent Icon Labels.exe" [2008-09-20 126976] "Nokia.PCSync"="d:\program files\Nokia\Nokia PC Suite 7\PCSync2.exe" [2008-06-17 1249280] "PC Suite Tray"="d:\program files\Nokia\Nokia PC Suite 7\PCSuite.exe" [2008-10-02 1124352] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "SiS Tray"="d:\windows\system32\sistray.EXE" [2001-12-24 327680] "SiS KHooker"="d:\windows\system32\khooker.exe" [2002-01-25 290816] "SiSUSBRG"="d:\windows\sisUSBrg.exe" [2002-02-21 28675] "nod32kui"="d:\program files\Eset\nod32kui.exe" [2007-04-25 949376] "LVCOMSX"="d:\windows\system32\LVCOMSX.EXE" [2005-07-19 221184] "WinampAgent"="d:\program files\Winamp\winampa.exe" [2007-10-10 36352] "LogitechVideoRepair"="d:\program files\Logitech\Video\ISStart.exe" [2005-06-08 458752] "LogitechVideoTray"="d:\program files\Logitech\Video\LogiTray.exe" [2005-06-08 217088] "SunJavaUpdateSched"="d:\program files\Java\jre6\bin\jusched.exe" [2008-12-01 136600] "Adobe Reader Speed Launcher"="d:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792] [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32] "msacm.l3codec"= l3codecp.acm "vidc.XVID"= xvid.dll "msacm.enc"= ITIG726.acm "vidc.I263"= i263_32.drv "msacm.divxa32"= msaud32_divx.acm [HKLM\~\startupfolder\D:^Documents and Settings^All Users^Start Menu^Programs^Startup^BlueSoleil.lnk] path=d:\documents and settings\All Users\Start Menu\Programs\Startup\BlueSoleil.lnk backup=d:\windows\pss\BlueSoleil.lnkCommon Startup [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DownloadAccelerator] --a------ 2008-08-24 10:47 3053056 d:\program files\DAP\DAP.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS] --------- 2004-08-04 00:06 1667584 d:\program files\Messenger\msmsgs.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype] -ra------ 2008-09-23 14:17 21755688 d:\program files\Skype\Phone\Skype.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent] --a------ 2007-10-10 06:28 36352 d:\program files\Winamp\winampa.exe [HKEY_LOCAL_MACHINE\software\microsoft\security center] "AntiVirusDisableNotify"=dword:00000001 "UpdatesDisableNotify"=dword:00000001 [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile] "EnableFirewall"= 0 (0x0) [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List] "%windir%\\system32\\sessmgr.exe"= "d:\\Program Files\\IVT Corporation\\BlueSoleil\\BlueSoleil.exe"= "d:\\Program Files\\Skype\\Phone\\Skype.exe"= . Contents of the 'Scheduled Tasks' folder 2008-11-28 d:\windows\Tasks\Uniblue SpeedUpMyPC Nag.job - d:\program files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe [] 2007-05-26 d:\windows\Tasks\Uniblue SpeedUpMyPC.job - d:\program files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe [] . . ------- Supplementary Scan ------- . uStart Page = hxxp://www.google.com/ uInternet Settings,ProxyOverride = localhost uSearchURL,(Default) = hxxp://www.google.com/search?q=%s IE: &Clean Traces - d:\program files\DAP\Privacy Package\dapcleanerie.htm IE: &Download with &DAP - d:\program files\DAP\dapextie.htm IE: Download &all with DAP - d:\program files\DAP\dapextie2.htm IE: E&xport to Microsoft Excel - d:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000 LSP: d:\windows\system32\imon.dll FF - ProfilePath - d:\documents and settings\drazen\Application Data\Mozilla\Firefox\Profiles\91rv9iys.default\ FF - prefs.js: browser.startup.homepage - hxxp://en-US.start2.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official FF - prefs.js: keyword.URL - hxxp://search.speedbit.com/searchresults.asp?src=default&q= FF - component: d:\documents and settings\drazen\Application Data\Mozilla\Firefox\Profiles\91rv9iys.default\extensions\bkmrksync@nokia.com\components\BkMrkExt.dll FF - component: d:\program files\DAP\DAPFireFox\components\DAPFireFox.dll . ************************************************************************ catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, gmer.net Rootkit scan 2008-12-25 13:16:57 Windows 5.1.2600 Service Pack 2 NTFS scanning hidden processes ... scanning hidden autostart entries ... scanning hidden files ... scan completed successfully hidden files: 0 ********************************************************************** . --------------------- DLLs Loaded Under Running Processes --------------------- - - - - - - - > 'lsass.exe'(692) d:\windows\system32\imon.dll . ------------------------ Other Running Processes ------------------------ . d:\program files\IVT Corporation\BlueSoleil\BTNtService.exe d:\program files\Java\jre6\bin\jqs.exe d:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE d:\program files\ESET\nod32krn.exe d:\windows\system32\slserv.exe d:\windows\system32\wdfmgr.exe d:\program files\Logitech\Video\FxSvr2.exe d:\program files\PC Connectivity Solution\ServiceLayer.exe d:\program files\PC Connectivity Solution\Transports\NclRSSrv.exe d:\program files\PC Connectivity Solution\Transports\NclMSBTSrv.exe d:\program files\PC Connectivity Solution\Transports\NclUSBSrv.exe d:\program files\PC Connectivity Solution\Transports\NclIrSrv.exe d:\program files\Common Files\Nokia\MPAPI\MPAPI3s.exe d:\windows\system32\wscntfy.exe . ************************************************************************ . Completion time: 2008-12-25 13:26:19 - machine was rebooted ComboFix-quarantined-files.txt 2008-12-25 12:26:10 ComboFix2.txt 2008-12-25 11:44:50 ComboFix3.txt 2008-12-24 21:28:44 ComboFix4.txt 2008-12-24 13:08:38 ComboFix5.txt 2008-12-25 12:06:12 Pre-Run: 1,656,930,304 bytes free Post-Run: 1,590,321,152 bytes free 195

Profil

bobby Poslao: 25 Dec 2008 13:42 Idi na vrh
offline bobby Administrator Pridružio: 04 Sep 2003 Poruke: 24135 Gde živiš: Wien	0Niko još nije pohvalio poruku. Registruj se da bi pohvalio/la poruku! E, sada mi trebaju na proveru svi fajlovi koje je ComboFix iskopirao u folder d:\to_upload. Ili ih spakuj u jedan ZIP ili RAR (sta vec imas od odgovarajucih programa), ili ih pojedinacno uploaduj preko sledece forme: http://www.mycity.rs/ambulanta-upload.php

Profil

milnem Poslao: 25 Dec 2008 13:59 Idi na vrh
offline milnem Novi MyCity građanin Pridružio: 24 Dec 2008 Poruke: 23 Gde živiš: Novi Sad	0Niko još nije pohvalio poruku. Registruj se da bi pohvalio/la poruku! .. opis : pošto sam prevuko CFscript, kreiran na gore opisan način, u ComboFix, ComboFix je počeo sa radom... .. na samom početku rada na kratko je iskočio NOD-ov crveni prozor sa nekim upozorenjem... to je bilo jako kratko i nestalo je(nisam uspeo pročitati sadržaj)takva situacija je bila i kod ranijih startovanja ComboFixa. sam je nastavio dalje... .. pošto je izlistao puno onih redova obeleženih brojevima, iskočio je prozorčić sa crvenim krugom i X-om za upozorenje "ako želim dalje mora restart". pošao sam dalje... posle restarta je nastavio da radi... i dao je gornji izveštaj Dopuna: 25 Dec 2008 13:59 poslao sam zapakovan fajl na onaj upload nacin

Profil

bobby Poslao: 25 Dec 2008 14:02 Idi na vrh
offline bobby Administrator Pridružio: 04 Sep 2003 Poruke: 24135 Gde živiš: Wien	0Niko još nije pohvalio poruku. Registruj se da bi pohvalio/la poruku! Pregledao sam. Nasli smo uljeze Otvoriti Notepad i iskopirati sledeci tekst: `File:: d:\windows\system32\serhost.exe d:\windows\system32\dllcache\mkllb.dll d:\windows\system32\dllcache\ntisapi.dll d:\windows\system32\dllcache\ntoist.dll Folder:: d:\to_upload` Snimiti na Desktop fajl iz Notepada kao "CFScript" Prevuci snimljeni skript/tekst na ComboFix ikonicu kao na slici. Postaviti u sledecoj poruci log koji bude bio napravljen na kraju ciscenja/skeniranja. ============================== Napravi i novi log uz pomoc programa HijackThis i postavi mi i njega ovde.

Profil

MyCity » Ambulanta -> Arhiva Ambulante » kako da obrisem win32/autrun.ABHWorm

Ko je trenutno na forumu

Ukupno su 1031 korisnika na forumu :: 40 registrovanih, 8 sakrivenih i 983 gosta :: [ Administrator ] [ Supermoderator ] [ Moderator ] :: Detaljnije

Najviše korisnika na forumu ikad bilo je 3466 - dana 01 Jun 2021 17:07

Korisnici koji su trenutno na forumu:: Korisnici trenutno na forumu: Bluper, Bobrock1, cavatina, CikaKURE, darkangel, DeerHunter, djboj, dragoljub11987, DragoslavS, FOX, Georgius, Herman Terrance Aubrey, Karla, kokodakalo, ladro, ljuba, Lucije Kvint, mercedesamg, milan47, milenko crazy north, Milometer, MiroslavD, Panter, pein, predragc, RED4G-304, repac, ruma, Snorks, theNedjeljko, Tila Painen, tomigun, tubular, vaso1, VJ, vladaa012, voja64, vukovi, YU-UKI, Žoržo

Svaki korisnik ovog sajta je odgovoran za sadržaj svoje poruke koju objavi na sajtu. Sajt se odriče svake odgovornosti za sadržaj tih poruka.
Postavljanjem vaše poruke ili vašeg autorskog dela na ovaj sajt, saglasni ste da ovaj sajt postaje distributer vašeg dela, i odričete se mogućnosti njegovog povlačenja ili brisanja, bez saglasnosti uprave sajta.
Distribucija sadržaja sa ovog sajta je dozvoljena samo u nekomercijalne svrhe, uz obaveznu napomenu da je sadržaj preuzet sa ovog sajta, i uz obavezno navođenje adrese MyCity sajta. Za sve ostale vidove distribucije obavezni ste da prethodno zatražite odobrenje od vlasnika MyCity sajta.
MyCity pokrenuo, administrira i razvija Predrag Damnjanović, a o uređenju sajta se brine MyCity Tim.
Ukoliko želite da nas kontaktirate kliknite ovde.
Naši sajtovi:
Vesti, Vojni forum, Zaštita od virusa, TekstPesme.rs

This content is licensed under a Creative Commons License.
Based on phpBB 2, translated by Simke, designed by