Strange file in system32



  • MilM
  • New MyCity citizen
  • Joined: 09 Oct 2009
  • Posts: 10

I don't have any problems with the computer, but through the WinPatrol program I noticed that in the system32 folder I have a strange file (??????.LOG). It belongs to the group of hidden files and I could only see it once I unchecked the option Hide extensions for known file types (it is a Notepad file). Then I noticed that there is one more file with box characters in its name, but without an extension, and it is not a Notepad file but a system one. Also, ZoneAlarm often pops up a window saying that Generic Host Process for Win32 wants to connect to a server (lower in that window you can see that it is one of the svchost.exe files). If I deny it, nothing spectacular happens, there is no loss of connection and I can carry on working completely normally. That is why this seems somewhat suspicious to me, because it is possible that something has disguised itself as svchost.

I scanned the system with Spybot and Ad-Aware, but no pest was found. I would ask you to take a look at whether there is any malware, spyware, keylogger or some other plague of this modern information age.

So, let's begin:

DDS (Ver_09-09-29.01) - NTFSx86
Run by bbb at 21:50:35,43 on pet 10/09/2009
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_13
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1024.152 [GMT 2:00]

AV: ESET NOD32 Antivirus 4.0 *On-access scanning enabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
FW: ZoneAlarm Pro Firewall *enabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\ASWLSVC.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\System32\TUProgSt.exe
C:\WINDOWS\system32\ASWL2K.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\IVT Corporation\BlueSoleil\BlueSoleil.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\bbb\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = google.ba
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: FGCatchUrl: {2f364306-aa45-47b5-9f9d-39a8b94e7ef7} - c:\program files\flashget\jccatch.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SEPsearchhelperie.dll
BHO: Windows Live pomagac za prijavljivanje: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: Windows Live Toolbar Helper: {e15a8dc0-8516-42a1-81ea-dc94ec1acf10} - c:\program files\windows live\toolbar\wltcore.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: FlashGet GetFlash Class: {f156768e-81ef-470c-9057-481ba8380dba} - c:\program files\flashget\getflash.dll
TB: &Windows Live Toolbar: {21fa44ef-376d-4d53-9b0f-8a89d3229068} - c:\program files\windows live\toolbar\wltcore.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [CTFMON.EXE] c:\windows\system32\ctfmon.exe
uRun: [SpybotSD TeaTimer] "c:\program files\spybot - search & destroy\TeaTimer.exe"
uRun: [scheduler_monitor] c:\program files\reaconverter 5.5 pro\init_scheduler.exe
mRun: [ZoneAlarm Client] "c:\program files\zone labs\zonealarm\zlclient.exe"
mRun: [egui] "c:\program files\eset\eset nod32 antivirus\egui.exe" /hide /waitservice
mRun: [WinPatrol] "c:\program files\billp studios\winpatrol\winpatrol.exe" -expressboot
dRun: [CTFMON.EXE] c:\windows\system32\ctfmon.exe
dRun: [Nokia.PCSync] c:\program files\nokia\nokia pc suite 6\PcSync2.exe /NoDialog
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\blueso~1.lnk - c:\program files\ivt corporation\bluesoleil\BlueSoleil.exe
IE: &Download All with FlashGet - c:\program files\flashget\jc_all.htm
IE: &Download with FlashGet - c:\program files\flashget\jc_link.htm
IE: E&xport to Microsoft Excel - c:\progra~1\mi1933~1\office11\EXCEL.EXE/3000
IE: {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - c:\program files\flashget\FlashGet.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\mi1933~1\office11\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: DirectAnimation Java Classes - file://c:\windows\java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
TCP: {0D5314DD-03E3-49BC-BCF7-28A7463A3065} = 87.250.98.250 208.67.222.222
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: AtiExtEvent - Ati2evxx.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\bbb\applic~1\mozilla\firefox\profiles\cwyea2tj.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.google.ba/
FF - component: c:\documents and settings\bbb\application data\mozilla\firefox\profiles\cwyea2tj.default\extensions\{81bf1d23-5f17-408d-ac6b-bd6df7caf670}\components\XpcomOpusConnector.dll
FF - plugin: c:\documents and settings\bbb\application data\mozilla\firefox\profiles\cwyea2tj.default\extensions\{e2883e8f-472f-4fb0-9522-ac9bf37916a7}\plugins\np_gp.dll
FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
FF - user.js: network.http.max-connections-per-server - 4
FF - user.js: nglayout.initialpaint.delay - 750
FF - user.js: content.notify.interval - 750000
FF - user.js: content.max.tokenizing.time - 2250000

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-8-23 64160]
R0 viasraid;viasraid;c:\windows\system32\drivers\viasraid.sys [2003-12-12 77312]
R1 ehdrv;ehdrv;c:\windows\system32\drivers\ehdrv.sys [2009-2-6 106208]
R1 epfwtdir;epfwtdir;c:\windows\system32\drivers\epfwtdir.sys [2009-2-6 93336]
R1 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2009-4-5 353680]
R2 CAPI;CAPI 2.0 Service;c:\windows\system32\drivers\capi.sys [2001-3-21 26064]
R2 ekrn;ESET Service;c:\program files\eset\eset nod32 antivirus\ekrn.exe [2009-2-6 727720]
R2 fssfltr;FssFltr;c:\windows\system32\drivers\fssfltr_tdi.sys [2009-4-5 55152]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2009-7-3 1028432]
R2 NDISCAPI;NDIS CAPI Service;c:\windows\system32\drivers\ndiscapi.sys [2001-3-21 27792]
R2 SeaPort;SeaPort;c:\program files\microsoft\search enhancement pack\seaport\SeaPort.exe [2009-5-19 240512]
R2 TuneUp.ProgramStatisticsSvc;TuneUp Program Statistics Service;c:\windows\system32\TUProgSt.exe [2009-4-6 603904]
R2 vsmon;TrueVector Internet Monitor;c:\windows\system32\zonelabs\vsmon.exe -service --> c:\windows\system32\zonelabs\vsmon.exe -service [?]
R3 3xHybrid;ASUSTek SAA713x PCI Card;c:\windows\system32\drivers\3xHybrid.sys [2009-4-5 2831232]
R3 ASNDIS5;ASNDIS5 Protocol Driver;c:\windows\system32\ASNDIS5.sys [2009-4-4 16269]
R3 genmcmnUSB;USB Scroll Mouse Driver;c:\windows\system32\drivers\gflmouhid.sys [2009-4-5 7808]
R3 wdxwmac;PCI ISDN Card NDIS WAN Driver;c:\windows\system32\drivers\wdxwmac.sys [2001-3-21 272016]
S3 fsssvc;Windows Live Porodicna bezbednost;c:\program files\windows live\family safety\fsssvc.exe [2009-2-6 533360]
S3 getPlusHelper;getPlus(R) Helper;c:\windows\system32\svchost.exe -k getPlusHelper [2004-8-4 14336]
S3 MBAMSwissArmy;MBAMSwissArmy;\??\c:\windows\system32\drivers\mbamswissarmy.sys --> c:\windows\system32\drivers\mbamswissarmy.sys [?]
S3 rcp_service;ReaConverter scheduler service;c:\program files\reaconverter 5.5 pro\rcp_scheduler.exe [2007-11-30 558592]

=============== Created Last 30 ================

2009-10-05 01:07 <DIR> --d----- c:\docume~1\bbb\applic~1\RCP 5
2009-10-05 01:07 <DIR> --d----- c:\program files\ReaConverter 5.5 Pro
2009-10-05 00:35 <DIR> --d----- c:\windows\system32\ReaConverter_5.5_Pro
2009-10-02 22:11 3,255 a------- c:\windows\system32\wbem\Outlook_01ca439c9158865c.mof
2009-10-02 22:11 14,592 ac------ c:\windows\system32\dllcache\kbdhid.sys
2009-10-02 22:11 14,592 a------- c:\windows\system32\drivers\kbdhid.sys
2009-10-02 21:23 53,760 a------- c:\windows\system32\drivers\vfwwdm32.dll
2009-10-02 21:23 28,672 a------- c:\windows\system32\drivers\vidcap.ax
2009-10-02 21:23 91,136 a------- c:\windows\system32\drivers\kswdmcap.ax
2009-10-02 21:23 43,008 a------- c:\windows\system32\drivers\ksxbar.ax
2009-10-02 21:23 61,952 a------- c:\windows\system32\drivers\kstvtune.ax
2009-10-02 21:22 <DIR> --d----- c:\program files\IVT Corporation
2009-09-26 22:29 <DIR> --d----- c:\program files\MSSOAP
2009-09-26 22:28 <DIR> --d----- c:\program files\Webroot
2009-09-12 13:29 <DIR> --d----- c:\docume~1\bbb\applic~1\WinPatrol
2009-09-12 13:29 <DIR> --d----- c:\program files\BillP Studios
2009-09-12 01:20 153,088 -c------ c:\windows\system32\dllcache\triedit.dll

==================== Find3M ====================

2009-10-07 18:48 4,212 a---h--- c:\windows\system32\zllictbl.dat
2009-08-18 05:23 14,336 a------- c:\windows\system32\svchost.exe
2009-08-05 11:01 204,800 a------- c:\windows\system32\mswebdvd.dll
2009-07-17 21:01 58,880 a------- c:\windows\system32\atl.dll
2009-07-12 12:21 233,472 a------- c:\windows\system32\wmpdxm.dll
2009-05-10 20:53 81,920 a------- c:\docume~1\bbb\applic~1\ezpinst.exe
2009-05-10 20:53 47,360 a------- c:\docume~1\bbb\applic~1\pcouffin.sys

============= FINISH: 21:51:22,14 ===============


  • dr_Bora  Male
  • Anti Malware Fighter
    Rank 2
  • Joined: 24 Jul 2007
  • Posts: 12280
  • Location: Höganäs, SE

Hello...



Run the Gmer program and switch to the Files tab.

In the left pane (clicking on +) select the following folder:

C:\WINDOWS\system32\drivers

and in the right pane select the file atapi.sys. Then click the Copy button and save a copy of that file.

Upload that saved copy of the file via this link: http://www.mycity.rs/ambulanta-upload.php

  • MilM
  • New MyCity citizen
  • Joined: 09 Oct 2009
  • Posts: 10

I have uploaded the requested file, dr_Bora. Awaiting further instructions.

Sorry for the wait, I was enjoying the football this evening :)))

Regards.

  • dr_Bora  Male
  • Anti Malware Fighter
    Rank 2
  • Joined: 24 Jul 2007
  • Posts: 12280
  • Location: Höganäs, SE

Download sUBs' ComboFix from the following address to the Desktop:

Bleeping Computer
Right-click on the link and choose the option Save Target As... (Save Link As..., Save Linked Content As... or similar);
When the dialog for choosing the location where the file should be saved opens, choose Desktop and click Save.

When the download of the program is finished:
deactivate your protection software (instructions);
close running programs;
double-click to run ComboFix.

During its run, ComboFix will:
check whether a newer version of the program exists:
click Yes if offered to download it.
display the DISCLAIMER OF WARRANTY ON SOFTWARE:
click Yes so that the process continues.
if the Recovery Console is not installed, offer to install it:
be sure to accept by clicking Yes and follow the procedure.
ask a certain number of questions/show notifications:
accept by clicking Yes or OK.
if needed, restart Windows (several times);
at the end of its run, open Notepad with the scan report.

Copy the report that ComboFix produced into the topic on the forum:
right-click in the Notepad window and choose Select All;
right-click on the highlighted text and choose Copy;
right-click in the message field and choose Paste.

Note: The report will be saved under the name ComboFix.txt on the system partition (typical location: C:\ComboFix.txt);
If after posting the message you notice that the report is not complete, use the Attach file option to attach the file C:\ComboFix.txt to the message.

  • MilM
  • New MyCity citizen
  • Joined: 09 Oct 2009
  • Posts: 10

ComboFix 09-10-10.01 - bbb 10/10/2009 23:39.1.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1024.634 [GMT 2:00]
Running from: c:\documents and settings\bbb\Desktop\ComboFix.exe
AV: ESET NOD32 Antivirus 4.0 *On-access scanning disabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
FW: ZoneAlarm Pro Firewall *disabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}
* Created a new restore point
.
ADS - svchost.exe: deleted 88 bytes in 2 streams.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\bbb\My Documents\backup.reg
c:\windows\Installer\4e7966.msi
c:\windows\Installer\78d10.msi

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_npf


((((((((((((((((((((((((( Files Created from 2009-09-10 to 2009-10-10 )))))))))))))))))))))))))))))))
.

2009-10-04 23:07 . 2009-10-10 06:01 -------- d-----w- c:\documents and settings\bbb\Application Data\RCP 5
2009-10-04 23:07 . 2009-10-04 23:08 -------- d-----w- c:\program files\ReaConverter 5.5 Pro
2009-10-04 22:35 . 2009-10-04 22:35 -------- d-----w- c:\windows\system32\ReaConverter_5.5_Pro
2009-10-02 20:11 . 2008-04-13 18:39 14592 -c--a-w- c:\windows\system32\dllcache\kbdhid.sys
2009-10-02 20:11 . 2008-04-13 18:39 14592 ----a-w- c:\windows\system32\drivers\kbdhid.sys
2009-10-02 19:30 . 2009-10-02 19:32 -------- d-----w- c:\documents and settings\All Users\Application Data\Bluetooth
2009-10-02 19:23 . 2008-04-14 00:12 53760 ----a-w- c:\windows\system32\drivers\vfwwdm32.dll
2009-09-26 20:29 . 2009-09-26 20:29 -------- d-----w- c:\program files\MSSOAP
2009-09-26 20:28 . 2009-09-26 20:28 -------- d-----w- c:\program files\Webroot
2009-09-12 11:29 . 2009-09-12 11:29 -------- d-----w- c:\documents and settings\bbb\Application Data\WinPatrol
2009-09-12 11:29 . 2009-09-12 11:29 -------- d-----w- c:\program files\BillP Studios
2009-09-11 23:20 . 2009-06-21 21:44 153088 -c----w- c:\windows\system32\dllcache\triedit.dll
2009-09-11 19:12 . 2009-09-11 19:12 -------- d-----w- c:\program files\NOS

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-10-07 16:48 . 2009-04-04 22:18 4212 ---ha-w- c:\windows\system32\zllictbl.dat
2009-10-04 17:56 . 2009-04-18 17:06 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-10-02 19:22 . 2009-10-02 19:22 -------- d-----w- c:\program files\IVT Corporation
2009-10-02 19:22 . 2009-04-04 21:43 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-09-26 20:02 . 2009-04-19 15:20 -------- d-----w- c:\program files\DAEMON Tools Toolbar
2009-09-20 02:01 . 2009-04-25 05:15 -------- d-----w- c:\documents and settings\bbb\Application Data\Skype
2009-09-19 22:06 . 2009-04-25 05:29 -------- d-----w- c:\documents and settings\bbb\Application Data\skypePM
2009-09-12 11:03 . 2009-08-20 09:05 -------- d-----w- c:\program files\Microsoft Silverlight
2009-09-11 19:14 . 2009-04-05 01:37 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2009-09-06 17:11 . 2009-06-13 15:21 -------- d-----w- c:\documents and settings\All Users\Application Data\NFS Underground
2009-08-30 22:40 . 2009-04-18 20:34 -------- d-----w- c:\documents and settings\bbb\Application Data\SUPERAntiSpyware.com
2009-08-23 09:11 . 2009-08-23 09:08 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2009-08-23 09:08 . 2009-08-23 09:08 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{EF63305C-BAD7-4144-9208-D65528260864}
2009-08-23 09:08 . 2009-08-23 09:08 -------- d-----w- c:\program files\Lavasoft
2009-08-18 03:23 . 2004-08-03 23:56 14336 ----a-w- c:\windows\system32\svchost.exe
2009-08-13 08:10 . 2009-04-18 17:06 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-08-05 09:01 . 2004-08-03 23:56 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-07-17 19:01 . 2004-08-03 23:56 58880 ----a-w- c:\windows\system32\atl.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"scheduler_monitor"="c:\program files\ReaConverter 5.5 Pro\init_scheduler.exe" [2007-06-15 27136]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2008-08-21 981904]
"egui"="c:\program files\ESET\ESET NOD32 Antivirus\egui.exe" [2009-02-06 2021400]
"WinPatrol"="c:\program files\BillP Studios\WinPatrol\winpatrol.exe" [2009-07-27 341312]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"Nokia.PCSync"="c:\program files\Nokia\Nokia PC Suite 6\PcSync2.exe" [2007-03-27 1744896]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
BlueSoleil.lnk - c:\program files\IVT Corporation\BlueSoleil\BlueSoleil.exe [2009-10-2 1044480]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\program files\Gameforge4D\AirRivals\Launcher.atm"= c:\program files\Gameforge4D\AirRivals\Launcher.atm:Enabled:GameExe2
"c:\program files\Gameforge4D\AirRivals\Res-Voip\SCVoIP.exe"= c:\program files\Gameforge4D\AirRivals\Res-Voip\SCVoIP.exe:Enabled:GameVoIP
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\FlashGet\\flashget.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\IVT Corporation\\BlueSoleil\\BlueSoleil.exe"=

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [8/23/2009 11:11 64160]
R0 viasraid;viasraid;c:\windows\system32\drivers\viasraid.sys [12/12/2003 17:49 77312]
R1 ehdrv;ehdrv;c:\windows\system32\drivers\ehdrv.sys [2/6/2009 14:23 106208]
R1 epfwtdir;epfwtdir;c:\windows\system32\drivers\epfwtdir.sys [2/6/2009 14:24 93336]
R2 CAPI;CAPI 2.0 Service;c:\windows\system32\drivers\capi.sys [3/21/2001 12:21 26064]
R2 ekrn;ESET Service;c:\program files\ESET\ESET NOD32 Antivirus\ekrn.exe [2/6/2009 14:23 727720]
R2 fssfltr;FssFltr;c:\windows\system32\drivers\fssfltr_tdi.sys [4/5/2009 02:10 55152]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [7/3/2009 16:49 1028432]
R2 NDISCAPI;NDIS CAPI Service;c:\windows\system32\drivers\ndiscapi.sys [3/21/2001 12:21 27792]
R2 TuneUp.ProgramStatisticsSvc;TuneUp Program Statistics Service;c:\windows\system32\TUProgSt.exe [4/6/2009 23:40 603904]
R3 3xHybrid;ASUSTek SAA713x PCI Card;c:\windows\system32\drivers\3xHybrid.sys [4/5/2009 21:54 2831232]
R3 ASNDIS5;ASNDIS5 Protocol Driver;c:\windows\system32\ASNDIS5.sys [4/4/2009 23:53 16269]
R3 genmcmnUSB;USB Scroll Mouse Driver;c:\windows\system32\drivers\gflmouhid.sys [4/5/2009 21:56 7808]
R3 wdxwmac;PCI ISDN Card NDIS WAN Driver;c:\windows\system32\drivers\wdxwmac.sys [3/21/2001 12:21 272016]
S3 fsssvc;Windows Live Porodicna bezbednost;c:\program files\Windows Live\Family Safety\fsssvc.exe [2/6/2009 18:08 533360]
S3 getPlusHelper;getPlus(R) Helper;c:\windows\System32\svchost.exe -k getPlusHelper [8/4/2004 01:56 14336]
S3 MBAMSwissArmy;MBAMSwissArmy;\??\c:\windows\system32\drivers\mbamswissarmy.sys --> c:\windows\system32\drivers\mbamswissarmy.sys [?]
S3 rcp_service;ReaConverter scheduler service;c:\program files\ReaConverter 5.5 Pro\rcp_scheduler.exe [11/30/2007 11:27 558592]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
getPlusHelper REG_MULTI_SZ getPlusHelper

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder

2009-10-10 c:\windows\Tasks\1-Click Maintenance.job
- c:\program files\TuneUp Utilities 2009\OneClickStarter.exe [2008-11-20 14:28]

2009-09-27 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-07-03 09:12]
.
.
------- Supplementary Scan -------
.
uStart Page = google.ba
IE: &Download All with FlashGet - c:\program files\FlashGet\jc_all.htm
IE: &Download with FlashGet - c:\program files\FlashGet\jc_link.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
TCP: {0D5314DD-03E3-49BC-BCF7-28A7463A3065} = 87.250.98.250 208.67.222.222
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\bbb\Application Data\Mozilla\Firefox\Profiles\cwyea2tj.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.google.ba/
FF - component: c:\documents and settings\bbb\Application Data\Mozilla\Firefox\Profiles\cwyea2tj.default\extensions\{81BF1D23-5F17-408D-AC6B-BD6DF7CAF670}\components\XpcomOpusConnector.dll
FF - component: c:\program files\Mozilla Firefox\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}\components\NPComponent.dll
FF - plugin: c:\documents and settings\bbb\Application Data\Mozilla\Firefox\Profiles\cwyea2tj.default\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}\plugins\np_gp.dll
FF - plugin: c:\program files\Windows Live\Photo Gallery\NPWLPG.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
FF - user.js: network.http.max-connections-per-server - 4
FF - user.js: nglayout.initialpaint.delay - 750
FF - user.js: content.notify.interval - 750000
FF - user.js: content.max.tokenizing.time - 2250000
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, gmer.net
Rootkit scan 2009-10-10 23:50
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


C:\sccfg.sys 266 bytes

scan completed successfully
hidden files: 1

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-2052111302-162531612-725345543-1005\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{1488C924-EE36-9560-84E8-5F441643D60F}*]
"hapljofgdfkaakhg"=hex:6b,61,6f,6a,65,6d,65,6d,70,69,69,69,6c,67,6a,64,6c,61,
66,65,67,6a,00,00
"iabnhmofnmcmmkpeod"=hex:6a,61,68,6b,6c,6e,61,63,6b,6d,6f,6e,61,63,70,6f,63,6c,
6b,68,00,e0
"eajhnfhnej"=hex:66,61,68,6f,61,61,62,66,62,66,6a,6e,00,31
"daiheema"=hex:64,62,66,6e,6e,61,67,6c,63,70,69,6d,64,6c,67,61,6f,70,6e,66,6c,
6f,69,69,70,70,70,6a,69,68,69,6c,64,6c,6a,64,67,69,6a,6d,00,00

[HKEY_USERS\S-1-5-21-2052111302-162531612-725345543-1005\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{F71C53F3-AB48-E415-BBB0-1B4F92F00B25}*]
"iaokodbppalljddfom"=hex:6a,61,62,62,6f,6b,62,64,6e,6d,70,6b,61,67,70,6b,6f,70,
6e,6b,00,01
"haikajeggdfhdlcj"=hex:6b,61,66,62,61,65,6f,6b,64,6e,6b,66,68,67,63,68,61,66,
63,6b,6f,6f,00,7f
"eaglophfem"=hex:69,61,61,6c,61,63,68,64,68,70,6a,67,65,64,6c,6c,62,61,00,ff
"dalmnamk"=hex:64,62,6f,6b,66,65,68,62,67,6c,6a,6c,6e,6d,6c,68,69,63,66,6e,6d,
6d,64,6a,6d,65,6d,65,69,66,64,63,64,6f,6b,6d,62,63,61,63,00,3d

[HKEY_LOCAL_MACHINE\software\ASUS\ASUS Probe\2.22.02]
@DACL=(02 0000)

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{F71C53F3-AB48-E415-BBB0-1B4F92F00B25}\InProcServer32*]
"faekfebejkln"=hex:69,61,61,6c,61,63,68,64,68,70,6a,67,65,64,6c,6c,62,61,00,ff
"eaekkeidmc"=hex:64,62,6f,6b,66,65,68,62,67,6c,6a,6c,6e,6d,6c,68,69,63,66,6e,
6d,6d,64,6a,6d,65,6d,65,69,66,64,63,64,6f,6b,6d,62,63,61,63,00,3d
"gaekfebejklncp"=hex:69,61,61,6c,61,63,68,64,68,70,6a,67,65,64,6c,6c,62,61,00,
ff
"faekkeidmcej"=hex:64,62,6f,6b,66,65,68,62,67,6c,6a,6c,6e,6d,6c,68,69,63,66,6e,
6d,6d,64,6a,6d,65,6d,65,69,66,64,63,64,6f,6b,6d,62,63,61,63,00,3d
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1192)
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(3812)
c:\windows\system32\WININET.dll
c:\program files\BillP Studios\WinPatrol\PATROLPRO.DLL
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\windows\system32\ZoneLabs\vsmon.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\HPZipm12.exe
c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
c:\program files\Analog Devices\SoundMAX\SMAgent.exe
c:\windows\system32\ati2evxx.exe
c:\windows\system32\wbem\unsecapp.exe
c:\program files\Lavasoft\Ad-Aware\AAWTray.exe
.
**************************************************************************
.
Completion time: 2009-10-10 23:55 - machine was rebooted
ComboFix-quarantined-files.txt 2009-10-10 21:55

Pre-Run: 6.304.063.488 bytes free
Post-Run: 6.168.870.912 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /noexecute=optin

Current=3 Default=3 Failed=2 LastKnownGood=5 Sets=1,2,3,4,5
232 --- E O F --- 2009-09-11 23:38
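The LOCKED REGISTRY KEYS section of the log above prints each value as a REGEDIT4 `hex:` byte list wrapped over several lines, which is hard to read by eye. The following Python script is an added example; it is not part of the forum thread and is not ComboFix code. It parses that block (the first and third keys from the log above are embedded verbatim as input) and splits each value into its ASCII run and the bytes that follow the first NUL, so an analyst can see what the data is before deciding to null the keys. It goes slightly beyond the pasted log: it also accepts the form a real `.reg` export uses, where a wrapped line ends in a backslash rather than a bare comma.

```python
"""Decode REGEDIT4 ``hex:`` values as printed under LOCKED REGISTRY KEYS.

Added example for the thread above; not part of ComboFix or the forum post.
"""
import re

# Copied verbatim from the ComboFix log posted above (first and third locked
# keys); this is the page's own data, not constructed input.
LOCKED_KEYS_LOG = r"""
[HKEY_USERS\S-1-5-21-2052111302-162531612-725345543-1005\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{1488C924-EE36-9560-84E8-5F441643D60F}*]
"hapljofgdfkaakhg"=hex:6b,61,6f,6a,65,6d,65,6d,70,69,69,69,6c,67,6a,64,6c,61,
66,65,67,6a,00,00
"iabnhmofnmcmmkpeod"=hex:6a,61,68,6b,6c,6e,61,63,6b,6d,6f,6e,61,63,70,6f,63,6c,
6b,68,00,e0
"eajhnfhnej"=hex:66,61,68,6f,61,61,62,66,62,66,6a,6e,00,31
"daiheema"=hex:64,62,66,6e,6e,61,67,6c,63,70,69,6d,64,6c,67,61,6f,70,6e,66,6c,
6f,69,69,70,70,70,6a,69,68,69,6c,64,6c,6a,64,67,69,6a,6d,00,00

[HKEY_LOCAL_MACHINE\software\ASUS\ASUS Probe\2.22.02]
@DACL=(02 0000)
"""

KEY_RE = re.compile(r'^\[(?P<key>.+?)\]\s*$')
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=(?P<data>.*)$')


def _join_continuations(lines):
    """Re-join wrapped hex lists.

    A real .reg export ends a wrapped line with ',\\'; in the pasted log the
    backslash is gone and only the trailing comma is left.  Handle both.
    """
    out = []
    for raw in lines:
        line = raw.rstrip()
        if out and out[-1].endswith((',', '\\')):
            out[-1] = out[-1].rstrip('\\') + line.strip()
        else:
            out.append(line)
    return out


def parse_locked_keys(text):
    """Return {key_path: {value_name: bytes}}; non-hex lines such as
    '@DACL=(02 0000)' are kept as their raw string so nothing is dropped."""
    keys = {}
    current = None
    for line in _join_continuations(text.splitlines()):
        if not line.strip():
            continue
        m = KEY_RE.match(line)
        if m:
            current = m.group('key')
            keys[current] = {}
            continue
        if current is None:
            continue
        m = VALUE_RE.match(line)
        if m and m.group('data').startswith('hex:'):
            hexbody = m.group('data')[len('hex:'):]
            keys[current][m.group('name')] = bytes(
                int(b, 16) for b in hexbody.split(',') if b.strip())
        else:
            keys[current][line.split('=', 1)[0]] = line
    return keys


def decode_value(data):
    """Split a value into the run before the first NUL (decoded as ASCII),
    whether that run is entirely printable, and the bytes from the NUL on."""
    nul = data.find(b'\x00')
    head = data if nul < 0 else data[:nul]
    tail = b'' if nul < 0 else data[nul:]
    printable = all(32 <= c < 127 for c in head)
    return head.decode('ascii', errors='replace'), printable, tail


def summarize(text):
    """One row per hex value: (key leaf, name, decoded, printable, tail hex)."""
    rows = []
    for key, values in parse_locked_keys(text).items():
        for name, data in values.items():
            if isinstance(data, bytes):
                decoded, ok, tail = decode_value(data)
                rows.append((key.rsplit('\\', 1)[-1], name, decoded, ok, tail.hex()))
    return rows


if __name__ == '__main__':
    for key, name, decoded, ok, tail in summarize(LOCKED_KEYS_LOG):
        print(f"{key}\n  {name} -> {decoded!r} printable={ok} trailing={tail or '-'}")
```

On the embedded sample every value decodes to a run of lowercase ASCII letters terminated by a NUL and one trailing byte; the script only reports that, it does not decide whether the keys are malicious, which is the judgement the thread leaves to the helper.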

  • dr_Bora  Male
  • Anti Malware Fighter
    Rank 2
  • Joined: 24 Jul 2007
  • Posts: 12280
  • Location: Höganäs, SE

Open Notepad and copy the following text into it:


RegLock::
[HKEY_LOCAL_MACHINE\software\ASUS\ASUS Probe\2.22.02]

RegNull::
[HKEY_USERS\S-1-5-21-2052111302-162531612-725345543-1005\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{1488C924-EE36-9560-84E8-5F441643D60F}*]
[HKEY_USERS\S-1-5-21-2052111302-162531612-725345543-1005\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{F71C53F3-AB48-E415-BBB0-1B4F92F00B25}*]
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{F71C53F3-AB48-E415-BBB0-1B4F92F00B25}\InProcServer32*]



Save the file from Notepad to the Desktop as "CFScript"




Drag the saved script/text onto the ComboFix icon as in the picture.
Post in the next message the log that is produced at the end of the cleaning/scan.

  • MilM
  • New MyCity citizen
  • Joined: 09 Oct 2009
  • Posts: 10

ComboFix 09-10-10.01 - bbb 10/11/2009 1:04.2.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1024.635 [GMT 2:00]
Running from: c:\documents and settings\bbb\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\bbb\Desktop\CFScript.txt
AV: ESET NOD32 Antivirus 4.0 *On-access scanning disabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
FW: ZoneAlarm Pro Firewall *disabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}
.

((((((((((((((((((((((((( Files Created from 2009-09-10 to 2009-10-10 )))))))))))))))))))))))))))))))
.

2009-10-04 23:07 . 2009-10-10 06:01 -------- d-----w- c:\documents and settings\bbb\Application Data\RCP 5
2009-10-04 23:07 . 2009-10-04 23:08 -------- d-----w- c:\program files\ReaConverter 5.5 Pro
2009-10-04 22:35 . 2009-10-04 22:35 -------- d-----w- c:\windows\system32\ReaConverter_5.5_Pro
2009-10-02 20:11 . 2008-04-13 18:39 14592 -c--a-w- c:\windows\system32\dllcache\kbdhid.sys
2009-10-02 20:11 . 2008-04-13 18:39 14592 ----a-w- c:\windows\system32\drivers\kbdhid.sys
2009-10-02 19:30 . 2009-10-02 19:32 -------- d-----w- c:\documents and settings\All Users\Application Data\Bluetooth
2009-10-02 19:23 . 2008-04-14 00:12 53760 ----a-w- c:\windows\system32\drivers\vfwwdm32.dll
2009-09-26 20:29 . 2009-09-26 20:29 -------- d-----w- c:\program files\MSSOAP
2009-09-26 20:28 . 2009-09-26 20:28 -------- d-----w- c:\program files\Webroot
2009-09-12 11:29 . 2009-09-12 11:29 -------- d-----w- c:\documents and settings\bbb\Application Data\WinPatrol
2009-09-12 11:29 . 2009-09-12 11:29 -------- d-----w- c:\program files\BillP Studios
2009-09-11 23:20 . 2009-06-21 21:44 153088 -c----w- c:\windows\system32\dllcache\triedit.dll
2009-09-11 19:12 . 2009-09-11 19:12 -------- d-----w- c:\program files\NOS

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-10-07 16:48 . 2009-04-04 22:18 4212 ---ha-w- c:\windows\system32\zllictbl.dat
2009-10-04 17:56 . 2009-04-18 17:06 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-10-02 19:22 . 2009-10-02 19:22 -------- d-----w- c:\program files\IVT Corporation
2009-10-02 19:22 . 2009-04-04 21:43 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-09-26 20:02 . 2009-04-19 15:20 -------- d-----w- c:\program files\DAEMON Tools Toolbar
2009-09-20 02:01 . 2009-04-25 05:15 -------- d-----w- c:\documents and settings\bbb\Application Data\Skype
2009-09-19 22:06 . 2009-04-25 05:29 -------- d-----w- c:\documents and settings\bbb\Application Data\skypePM
2009-09-12 11:03 . 2009-08-20 09:05 -------- d-----w- c:\program files\Microsoft Silverlight
2009-09-11 19:14 . 2009-04-05 01:37 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2009-09-06 17:11 . 2009-06-13 15:21 -------- d-----w- c:\documents and settings\All Users\Application Data\NFS Underground
2009-08-30 22:40 . 2009-04-18 20:34 -------- d-----w- c:\documents and settings\bbb\Application Data\SUPERAntiSpyware.com
2009-08-23 09:11 . 2009-08-23 09:08 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2009-08-23 09:08 . 2009-08-23 09:08 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{EF63305C-BAD7-4144-9208-D65528260864}
2009-08-23 09:08 . 2009-08-23 09:08 -------- d-----w- c:\program files\Lavasoft
2009-08-18 03:23 . 2004-08-03 23:56 14336 ------w- c:\windows\system32\svchost.exe
2009-08-13 08:10 . 2009-04-18 17:06 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-08-05 09:01 . 2004-08-03 23:56 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-07-17 19:01 . 2004-08-03 23:56 58880 ----a-w- c:\windows\system32\atl.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"scheduler_monitor"="c:\program files\ReaConverter 5.5 Pro\init_scheduler.exe" [2007-06-15 27136]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2008-08-21 981904]
"egui"="c:\program files\ESET\ESET NOD32 Antivirus\egui.exe" [2009-02-06 2021400]
"WinPatrol"="c:\program files\BillP Studios\WinPatrol\winpatrol.exe" [2009-07-27 341312]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"Nokia.PCSync"="c:\program files\Nokia\Nokia PC Suite 6\PcSync2.exe" [2007-03-27 1744896]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
BlueSoleil.lnk - c:\program files\IVT Corporation\BlueSoleil\BlueSoleil.exe [2009-10-2 1044480]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\program files\Gameforge4D\AirRivals\Launcher.atm"= c:\program files\Gameforge4D\AirRivals\Launcher.atm:Enabled:GameExe2
"c:\program files\Gameforge4D\AirRivals\Res-Voip\SCVoIP.exe"= c:\program files\Gameforge4D\AirRivals\Res-Voip\SCVoIP.exe:Enabled:GameVoIP
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\FlashGet\\flashget.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\IVT Corporation\\BlueSoleil\\BlueSoleil.exe"=

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [8/23/2009 11:11 64160]
R0 viasraid;viasraid;c:\windows\system32\drivers\viasraid.sys [12/12/2003 17:49 77312]
R1 ehdrv;ehdrv;c:\windows\system32\drivers\ehdrv.sys [2/6/2009 14:23 106208]
R1 epfwtdir;epfwtdir;c:\windows\system32\drivers\epfwtdir.sys [2/6/2009 14:24 93336]
R2 CAPI;CAPI 2.0 Service;c:\windows\system32\drivers\capi.sys [3/21/2001 12:21 26064]
R2 ekrn;ESET Service;c:\program files\ESET\ESET NOD32 Antivirus\ekrn.exe [2/6/2009 14:23 727720]
R2 fssfltr;FssFltr;c:\windows\system32\drivers\fssfltr_tdi.sys [4/5/2009 02:10 55152]
R2 NDISCAPI;NDIS CAPI Service;c:\windows\system32\drivers\ndiscapi.sys [3/21/2001 12:21 27792]
R2 TuneUp.ProgramStatisticsSvc;TuneUp Program Statistics Service;c:\windows\system32\TUProgSt.exe [4/6/2009 23:40 603904]
R3 3xHybrid;ASUSTek SAA713x PCI Card;c:\windows\system32\drivers\3xHybrid.sys [4/5/2009 21:54 2831232]
R3 ASNDIS5;ASNDIS5 Protocol Driver;c:\windows\system32\ASNDIS5.sys [4/4/2009 23:53 16269]
R3 genmcmnUSB;USB Scroll Mouse Driver;c:\windows\system32\drivers\gflmouhid.sys [4/5/2009 21:56 7808]
R3 wdxwmac;PCI ISDN Card NDIS WAN Driver;c:\windows\system32\drivers\wdxwmac.sys [3/21/2001 12:21 272016]
S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [7/3/2009 16:49 1028432]
S3 fsssvc;Windows Live Porodicna bezbednost;c:\program files\Windows Live\Family Safety\fsssvc.exe [2/6/2009 18:08 533360]
S3 getPlusHelper;getPlus(R) Helper;c:\windows\System32\svchost.exe -k getPlusHelper [8/4/2004 01:56 14336]
S3 MBAMSwissArmy;MBAMSwissArmy;\??\c:\windows\system32\drivers\mbamswissarmy.sys --> c:\windows\system32\drivers\mbamswissarmy.sys [?]
S3 rcp_service;ReaConverter scheduler service;c:\program files\ReaConverter 5.5 Pro\rcp_scheduler.exe [11/30/2007 11:27 558592]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
getPlusHelper REG_MULTI_SZ getPlusHelper

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder

2009-10-10 c:\windows\Tasks\1-Click Maintenance.job
- c:\program files\TuneUp Utilities 2009\OneClickStarter.exe [2008-11-20 14:28]

2009-09-27 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-07-03 09:12]
.
.
------- Supplementary Scan -------
.
uStart Page = google.ba
IE: &Download All with FlashGet - c:\program files\FlashGet\jc_all.htm
IE: &Download with FlashGet - c:\program files\FlashGet\jc_link.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\bbb\Application Data\Mozilla\Firefox\Profiles\cwyea2tj.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.google.ba/
FF - component: c:\documents and settings\bbb\Application Data\Mozilla\Firefox\Profiles\cwyea2tj.default\extensions\{81BF1D23-5F17-408D-AC6B-BD6DF7CAF670}\components\XpcomOpusConnector.dll
FF - component: c:\program files\Mozilla Firefox\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}\components\NPComponent.dll
FF - plugin: c:\documents and settings\bbb\Application Data\Mozilla\Firefox\Profiles\cwyea2tj.default\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}\plugins\np_gp.dll
FF - plugin: c:\program files\Windows Live\Photo Gallery\NPWLPG.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
FF - user.js: network.http.max-connections-per-server - 4
FF - user.js: nglayout.initialpaint.delay - 750
FF - user.js: content.notify.interval - 750000
FF - user.js: content.max.tokenizing.time - 2250000
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, gmer.net
Rootkit scan 2009-10-11 01:07
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


C:\sccfg.sys 266 bytes

scan completed successfully
hidden files: 1

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1192)
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(2060)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
Completion time: 2009-10-10 1:09
ComboFix-quarantined-files.txt 2009-10-10 23:09
ComboFix2.txt 2009-10-10 21:55

Pre-Run: 6.164.815.872 bytes free
Post-Run: 6.147.579.904 bytes free

Current=3 Default=3 Failed=2 LastKnownGood=5 Sets=1,2,3,4,5
173 --- E O F --- 2009-09-11 23:38

  • dr_Bora  Male
  • Anti Malware Fighter
    Rank 2
  • Joined: 24 Jul 2007
  • Posts: 12280
  • Location: Höganäs, SE

Open Notepad and copy the following text into it:


DeQuarantine::
C:\Qoobox\Quarantine\C\documents and settings\bbb\My Documents\backup.reg.vir
Quit::



Save the Notepad file to the Desktop as "CFScript"

Drag the saved script/text onto the ComboFix icon as shown in the picture.
Post the log that is created at the end of the cleaning/scanning in your next message.

  • MilM
  • New MyCity citizen
  • Joined: 09 Oct 2009
  • Posts: 10

Posted: 11 Oct 2009 10:14

I will do this right away, Bora, but I have to tell you that I have just received a notification from Spybot that a process listed as a consequence of malicious software was detected and stopped. I will attach a PrtScn so you can see what it is about. Does this mean that winlogon is actually a keylogger?



Update: 11 Oct 2009 10:26

Regarding the previous post, I just want to note that the Spybot window popped up after Ad-Aware was updated. I don't know whether that has any importance, but I am mentioning it to you anyway.

Here is the ComboFix log:

C:\Qoobox\Quarantine\C\documents and settings\bbb\My Documents\backup.reg.vir -> C:\documents and settings\bbb\My Documents\backup.reg ( 0 bytes )

  • dr_Bora  Male
  • Anti Malware Fighter
    Rank 2
  • Joined: 24 Jul 2007
  • Posts: 12280
  • Location: Höganäs, SE

Open: C:\WINDOWS\system32

Upload the files:

winlogon.exe

winIogon.exe (if it exists; notice that it differs from the previous one by a single letter)


Upload link: http://www.mycity.rs/ambulanta-upload.php
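The winlogon.exe / winIogon.exe request above turns on a single confusable character (lower-case l versus upper-case I). The script below is an added example, not code from this thread or from any of the tools mentioned in it; it generalises that check to a small table of look-alike characters and a set of well-known system32 binary names, both of which are assumptions of the example. The directory listing at the bottom is constructed sample input, not a real listing from the poster's machine.

```python
"""Flag file names that look like well-known Windows system binaries.

Added example for the thread above; not code from the forum or from any
tool mentioned in it. It generalises the winlogon.exe / winIogon.exe check
(lower-case 'l' versus upper-case 'I') to a small table of confusable
characters. SAMPLE_LISTING is constructed input, not a real system32 listing.
"""
import os
from typing import Dict, Iterable, List, Tuple

# Characters that render almost identically in common UI fonts. Every
# entry is folded to one representative before names are compared.
# Assumption: the table is illustrative, not a complete confusables list.
_CONFUSABLES: Dict[str, str] = {
    "i": "l", "l": "l", "1": "l", "|": "l",
    "0": "o", "o": "o",
    "5": "s", "s": "s",
}

# Well-known Windows binaries that live in system32 and whose names are
# worth protecting against look-alikes (assumed set, not from the thread).
KNOWN_SYSTEM_BINARIES: Tuple[str, ...] = (
    "winlogon.exe", "svchost.exe", "lsass.exe", "csrss.exe",
    "services.exe", "smss.exe", "spoolsv.exe", "ctfmon.exe",
)


def fold(name: str) -> str:
    """Return a canonical form in which confusable characters collide.

    Windows file names are case-insensitive, so lower-casing first is
    correct; 'rn' is folded to 'm' because the pair reads as one letter.
    """
    s = name.lower().replace("rn", "m")
    return "".join(_CONFUSABLES.get(ch, ch) for ch in s)


def find_lookalikes(
    names: Iterable[str],
    known: Iterable[str] = KNOWN_SYSTEM_BINARIES,
) -> List[Tuple[str, str]]:
    """Return (suspicious_name, genuine_name) pairs.

    A name is suspicious when it folds to the same form as a known binary
    but is not that binary (ignoring case). Exact matches are not reported,
    since the genuine file is expected to be present.
    """
    known_by_fold: Dict[str, set] = {}
    for k in known:
        known_by_fold.setdefault(fold(k), set()).add(k.lower())

    hits: List[Tuple[str, str]] = []
    for n in names:
        f = fold(n)
        if f in known_by_fold and n.lower() not in known_by_fold[f]:
            hits.append((n, sorted(known_by_fold[f])[0]))
    return hits


def scan_directory(path: str) -> List[Tuple[str, str]]:
    """Run the check over a real directory, e.g. C:\\WINDOWS\\system32."""
    return find_lookalikes(os.listdir(path))


# Constructed sample listing: three look-alikes mixed with genuine names.
SAMPLE_LISTING = [
    "winlogon.exe", "winIogon.exe", "svchost.exe", "svch0st.exe",
    "lsass.exe", "Isass.exe", "kernel32.dll", "ctfmon.exe", "ntoskrnl.exe",
]

if __name__ == "__main__":
    for suspicious, genuine in find_lookalikes(SAMPLE_LISTING):
        print(f"{suspicious!r} looks like {genuine!r}")
```

The folding step is deliberately lossy: genuine names such as WINLOGON.EXE fold to the same form as winlogon.exe and are not reported, because Windows treats them as the same file, while a name that collides only after folding is exactly the kind of entry the moderator asked to have uploaded for inspection. Running `scan_directory` against a real system32 is the practical use; the hits should then be checked by hash and signature rather than by name alone.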

Korisnici trenutno na forumu: 357magnum, _Petar, AC-DC, ajo baba, Atomski čoban, Bobrock1, BRATORIII, dekan.m, Dimitrise93, Djokislav, Djokkinen, doktor1964, DonRumataEstorski, Dorcolac, FileFinder, flash12, frenki1986, Insan, Istman, krkalon, Kubovac, kunktator, Lieutenant, ljubacv, Mercury, Mi lao shu, Milometer, opt1, panzerwaffe, pein, pristinski korpus, procesor, savaskytec, ser.hill, Smajser, Srle993, suton, Trpe Grozni, Tvrtko I, VJ, voja64