Rootkit problem


offline
  • Joined: 26 Feb 2011
  • Posts: 164

Hi. I don't have any major problems with the computer, it's just that startup sometimes takes a bit longer. Avast reports a rootkit in the system32/drivers folder. I scanned the computer with Avast and Malwarebytes; Avast found some 2 files (I suspect they were infected) which it deleted, and Malwarebytes found nothing. Here are the logs:

.
DDS (Ver_2011-06-23.01) - NTFSx86
Internet Explorer: 9.0.8112.16421
Run by Dimitrije at 9:11:02 on 2011-06-24
Microsoft Windows 7 Ultimate 6.1.7600.0.1252.1.1033.18.2046.869 [GMT 2:00]
.
AV: avast! Antivirus *Enabled/Updated* {2B2D1395-420B-D5C9-657E-930FE358FC3C}
SP: avast! Antivirus *Enabled/Updated* {904CF271-6431-DA47-5FCE-A87D98DFB681}
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: COMODO Defense+ *Enabled/Updated* {CE351521-78FA-2048-BB22-B68A4A5CA7EC}
FW: COMODO Firewall *Enabled* {4D6F75E0-14AF-2E9E-AACD-24CDCF08AA2A}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k RPCSS
D:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
D:\Program Files\Sandboxie\SbieSvc.exe
C:\Program Files\NVIDIA Corporation\Display\NvXDSync.exe
C:\Windows\system32\nvvsvc.exe
D:\Program Files\AVAST Software\Avast\AvastSvc.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
D:\Program Files\COMODO\Time Machine\ClientService.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.exe
C:\Windows\system32\sppsvc.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\Program Files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files\Common Files\VMware\USB\vmware-usbarbitrator.exe
C:\Windows\system32\vmnat.exe
D:\Program Files\VMware\vmware-authd.exe
C:\Windows\system32\vmnetdhcp.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\taskhost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
D:\Program Files\COMODO\Time Machine\CTMTRAY.exe
D:\Program Files\AVAST Software\Avast\AvastUI.exe
D:\Program Files\COMODO\COMODO Internet Security\cfp.exe
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\System32\svchost.exe -k secsvcs
D:\Program Files\Mozilla Firefox\firefox.exe
D:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Windows\system32\UI0Detect.exe
D:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Windows\system32\taskhost.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\conhost.exe
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uSearch Page =
uSearch Bar =
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = 127.0.0.1
mSearchAssistant =
uURLSearchHooks: H - No File
mURLSearchHooks: H - No File
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\programdata\real\realplayer\browserrecordplugin\ie\rpbrowserrecordplugin.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\progra~1\micros~2\office14\GROOVEEX.DLL
BHO: LastPass Browser Helper Object: {95d9ecf5-2a4d-4550-be49-70d42f71296e} - d:\program files\lastpass\LPBar.dll
BHO: Skype Browser Helper: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
BHO: Office Document Cache Handler: {b4f3a835-0e21-4959-ba22-42b3008e02ff} - c:\progra~1\micros~2\office14\URLREDIR.DLL
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: Microsoft Web Test Recorder 10.0 Helper: {dda57003-0068-4ed2-9d32-4d1ec707d94d} - d:\program files\microsoft visual studio 10.0\common7\ide\privateassemblies\Microsoft.VisualStudio.QualityTools.RecorderBarBHO100.dll
TB: LastPass Toolbar: {9f6b5cc3-5c7b-4b5c-97af-19dec1e380e5} - d:\program files\lastpass\LPBar.dll
EB: Web Test Recorder 10.0: {5802d092-1784-4908-8cdb-99b6842d353d} - mscoree.dll
mRun: [COMODO_TimeMachine] "d:\program files\comodo\time machine\CTMTRAY.exe"
mRun: [avast] "d:\program files\avast software\avast\avastUI.exe" /nogui
mRun: [COMODO Internet Security] "d:\program files\comodo\comodo internet security\cfp.exe" -h
mPolicies-system: ConsentPromptBehaviorAdmin = 0 (0x0)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
mPolicies-system: PromptOnSecureDesktop = 0 (0x0)
IE: + Offline &Explorer: Download the link - file://d:\program files\offline explorer\Add_UrlO.htm
IE: + Offline E&xplorer: Download the current page - file://d:\program files\offline explorer\Add_AllO.htm
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office14\EXCEL.EXE/3000
IE: LastPass - file://d:\program files\lastpass\context.html?cmd=lastpass
IE: LastPass ?????????? ????????? - file://d:\program files\lastpass\context.html?cmd=fillforms
IE: Se&nd to OneNote - c:\progra~1\micros~2\office14\ONBttnIE.dll/105
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\program files\microsoft office\office14\ONBttnIE.dll
IE: {43699cd0-e34f-11de-8a39-0800200c9a66} - {95D9ECF5-2A4D-4550-BE49-70D42F71296E} - d:\program files\lastpass\LPBar.dll
IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - c:\program files\microsoft office\office14\ONBttnIELinkedNotes.dll
IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
LSP: d:\program files\vmware\vsocklib.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_25-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0025-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_25-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_25-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: DhcpNameServer = 192.168.1.1
TCP: Interfaces\{97D69B6F-5FE6-455F-9758-1CE371667471} : NameServer = 156.154.70.22,156.154.71.22
TCP: Interfaces\{97D69B6F-5FE6-455F-9758-1CE371667471} : DhcpNameServer = 192.168.1.1
Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - c:\program files\common files\microsoft shared\office14\MSOXMLMF.DLL
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
AppInit_DLLs: c:\windows\system32\guard32.dll
STS: {1984D045-52CF-49cd-DB77-08F378FEA4DB} - No File
STS: FencesShlExt Class: {1984dd45-52cf-49cd-ab77-18f378fea264} - d:\program files\stardock\fences\FencesMenu.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\progra~1\micros~2\office14\GROOVEEX.DLL
Hosts: 127.0.0.1 www.spywareinfo.com
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\users\dimitrije\appdata\roaming\mozilla\firefox\profiles\ymjltxfa.default\
FF - prefs.js: browser.search.selectedEngine - Yahoo
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?ei=utf-8&fr=greentree_ff1&type=685749&p=
FF - component: c:\users\dimitrije\appdata\roaming\mozilla\firefox\profiles\ymjltxfa.default\extensions\support@lastpass.com\platform\winnt_x86-msvc\components\lpxpcom.dll
FF - plugin: c:\progra~1\micros~2\office14\NPAUTHZ.DLL
FF - plugin: c:\progra~1\micros~2\office14\NPSPWRAP.DLL
FF - plugin: c:\program files\google\update\1.3.21.57\npGoogleUpdate3.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\microsoft silverlight\4.0.60531.0\npctrlui.dll
FF - plugin: c:\program files\nvidia corporation\3d vision\npnv3dv.dll
FF - plugin: c:\program files\nvidia corporation\3d vision\npnv3dvstreaming.dll
FF - plugin: c:\programdata\real\realplayer\browserrecordplugin\mozillaplugins\nprpchromebrowserrecordext.dll
FF - plugin: c:\programdata\real\realplayer\browserrecordplugin\mozillaplugins\nprphtml5videoshim.dll
FF - plugin: d:\program files\foxit software\foxit reader\plugins\npFoxitReaderPlugin.dll
FF - plugin: d:\program files\quicktime\plugins\npqtplugin.dll
FF - plugin: d:\program files\quicktime\plugins\npqtplugin2.dll
FF - plugin: d:\program files\quicktime\plugins\npqtplugin3.dll
FF - plugin: d:\program files\quicktime\plugins\npqtplugin4.dll
FF - plugin: d:\program files\quicktime\plugins\npqtplugin5.dll
FF - plugin: d:\program files\quicktime\plugins\npqtplugin6.dll
FF - plugin: d:\program files\quicktime\plugins\npqtplugin7.dll
.
---- FIREFOX POLICIES ----
FF - user.js: network.http.max-connections-per-server - 8
FF - user.js: network.http.max-persistent-connections-per-server - 4
FF - user.js: nglayout.initialpaint.delay - 600
FF - user.js: content.notify.interval - 600000
FF - user.js: content.max.tokenizing.time - 1800000
FF - user.js: content.switch.threshold - 600000
.
============= SERVICES / DRIVERS ===============
.
R0 AFS;AFS;c:\windows\system32\drivers\AFS.SYS [2011-5-11 77004]
R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [2011-3-7 441176]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2011-3-7 307928]
R1 cmdGuard;COMODO Internet Security Sandbox Driver;c:\windows\system32\drivers\cmdGuard.sys [2011-1-6 238960]
R1 cmdHlp;COMODO Internet Security Helper Driver;c:\windows\system32\drivers\cmdhlp.sys [2011-1-6 37592]
R1 dtsoftbus01;DAEMON Tools Virtual Bus Driver;c:\windows\system32\drivers\dtsoftbus01.sys [2011-3-12 218688]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2011-3-7 19544]
R2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [2011-3-7 53592]
R2 avast! Antivirus;avast! Antivirus;d:\program files\avast software\avast\AvastSvc.exe [2011-5-11 42184]
R2 ClientService;COMODO Time Machine Client Service;d:\program files\comodo\time machine\ClientService.exe [2010-7-20 280888]
R2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;c:\program files\nvidia corporation\3d vision\nvSCPAPISvr.exe [2011-1-7 378984]
R2 VMUSBArbService;VMware USB Arbitration Service;c:\program files\common files\vmware\usb\vmware-usbarbitrator.exe [2010-11-11 539248]
R3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\drivers\Rt86win7.sys [2011-1-21 328808]
R3 SbieDrv;SbieDrv;d:\program files\sandboxie\SbieDrv.sys [2011-3-24 126696]
S2 AdvancedSystemCareService;Advanced SystemCare Service;d:\program files\iobit\advanced systemcare 4\ascservice.exe --> d:\program files\iobit\advanced systemcare 4\ASCService.exe [?]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S3 AGJQT;AGJQT;c:\users\dimitr~1\appdata\local\temp\agjqt.exe --> c:\users\dimitr~1\appdata\local\temp\AGJQT.exe [?]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-14 229888]
S3 BthAvrcp;Bluetooth AVRCP Profile;c:\windows\system32\drivers\BthAvrcp.sys [2009-8-13 22528]
S3 epmntdrv;epmntdrv;c:\windows\system32\epmntdrv.sys [2011-4-22 14216]
S3 EuGdiDrv;EuGdiDrv;c:\windows\system32\EuGdiDrv.sys [2011-4-22 8456]
S3 FUAAQIQC;FUAAQIQC;c:\users\dimitr~1\appdata\local\temp\FUAAQIQC.exe [2011-6-24 338816]
S3 IBB;IBB;c:\users\dimitr~1\appdata\local\temp\ibb.exe --> c:\users\dimitr~1\appdata\local\temp\IBB.exe [?]
S3 Microsoft SharePoint Workspace Audit Service;Microsoft SharePoint Workspace Audit Service;c:\program files\microsoft office\office14\GROOVE.EXE [2010-1-21 30963576]
S3 nmwcdnsu;Nokia USB Flashing Phone Parent;c:\windows\system32\drivers\nmwcdnsu.sys [2010-12-2 137600]
S3 nmwcdnsuc;Nokia USB Flashing Generic;c:\windows\system32\drivers\nmwcdnsuc.sys [2010-12-2 8576]
S3 osppsvc;Office Software Protection Platform;c:\program files\common files\microsoft shared\officesoftwareprotectionplatform\OSPPSVC.EXE [2010-1-9 4640000]
S3 PSI;PSI;c:\windows\system32\drivers\psi_mf.sys [2010-9-1 15544]
S3 VSPerfDrv100;Performance Tools Driver 10.0;d:\program files\microsoft visual studio 10.0\team tools\performance tools\VSPerfDrv100.sys [2009-12-8 48128]
S3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\wat\WatAdminSvc.exe [2011-4-3 1343400]
S4 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2011-3-7 136176]
S4 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2011-3-7 136176]
S4 MSSQLServerADHelper100;SQL Active Directory Helper Service;c:\program files\microsoft sql server\100\shared\sqladhlp.exe [2009-7-23 47128]
S4 RsFx0103;RsFx0103 Driver;c:\windows\system32\drivers\RsFx0103.sys [2009-3-30 239336]
S4 Secunia PSI Agent;Secunia PSI Agent;d:\program files\secunia\psi\psia.exe [2011-1-10 993848]
S4 Secunia Update Agent;Secunia Update Agent;d:\program files\secunia\psi\sua.exe [2011-1-10 399416]
S4 SQLAgent$SQLEXPRESS;SQL Server Agent (SQLEXPRESS);c:\program files\microsoft sql server\mssql10.sqlexpress\mssql\binn\SQLAGENT.EXE [2009-3-30 366936]
S4 SwitchBoard;SwitchBoard;c:\program files\common files\adobe\switchboard\SwitchBoard.exe [2010-2-19 517096]
.
=============== Created Last 30 ================
.
2011-06-23 11:10:34 -------- d-----w- c:\users\dimitrije\appdata\roaming\Microsoft Games
2011-06-18 19:17:56 -------- d-----w- c:\users\dimitrije\appdata\local\CrashDumps
2011-06-18 09:10:53 -------- d-----w- c:\program files\IObit
2011-06-17 12:34:41 -------- d-----w- c:\programdata\Norton
2011-06-17 12:34:27 -------- d-----w- c:\users\dimitrije\appdata\local\NPE
2011-06-16 12:58:30 2382848 ----a-w- c:\windows\system32\mshtml.tlb
2011-06-16 12:58:29 141104 ----a-w- c:\program files\internet explorer\sqmapi.dll
2011-06-16 12:58:28 1797632 ----a-w- c:\windows\system32\jscript9.dll
2011-06-15 12:05:38 311296 ----a-w- c:\windows\system32\drivers\srv.sys
2011-06-15 12:05:38 309760 ----a-w- c:\windows\system32\drivers\srv2.sys
2011-06-15 12:05:38 114176 ----a-w- c:\windows\system32\drivers\srvnet.sys
2011-06-15 12:05:36 338944 ----a-w- c:\windows\system32\drivers\afd.sys
2011-06-15 12:05:36 1286016 ----a-w- c:\windows\system32\drivers\tcpip.sys
2011-06-15 12:05:31 571904 ----a-w- c:\windows\system32\oleaut32.dll
2011-06-15 12:05:30 78336 ----a-w- c:\windows\system32\drivers\dfsc.sys
2011-06-15 12:05:29 740864 ----a-w- c:\windows\system32\inetcomm.dll
2011-06-15 12:00:21 96256 ----a-w- c:\windows\system32\drivers\mrxsmb20.sys
2011-06-15 12:00:21 222720 ----a-w- c:\windows\system32\drivers\mrxsmb10.sys
2011-06-15 12:00:20 123392 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-06-12 17:03:23 50200 ----a-w- c:\windows\system32\perf-SQLAgent$SQLEXPRESS-sqlagtctr10.1.2531.0.dll
2011-06-12 17:03:12 79896 ----a-w- c:\windows\system32\perf-MSSQL$SQLEXPRESS-sqlctr10.1.2531.0.dll
2011-06-12 17:02:06 -------- d-----w- c:\windows\system32\RsFx
2011-06-12 16:56:12 -------- d-----w- c:\program files\Microsoft SQL Server
2011-06-12 16:53:40 -------- d-----w- c:\programdata\PreEmptive Solutions
2011-06-12 16:49:17 -------- d-----w- c:\program files\Microsoft ASP.NET
2011-06-12 16:49:10 -------- d-----w- c:\program files\IIS
2011-06-12 16:47:58 2478272 ----a-w- c:\programdata\microsoft\visualstudio\10.0\1033\ResourceCache.dll
2011-06-12 16:37:04 -------- d-----w- c:\windows\system32\1033
2011-06-12 16:36:16 -------- d-----w- c:\program files\Microsoft F#
2011-06-12 16:36:16 -------- d-----w- c:\program files\HTML Help Workshop
2011-06-12 16:36:15 -------- d-----w- c:\program files\Microsoft Help Viewer
2011-06-12 16:36:15 -------- d-----w- c:\program files\common files\Merge Modules
2011-06-12 13:10:05 -------- d-----w- c:\users\dimitrije\appdata\roaming\OpenOffice.org
2011-06-09 14:25:37 -------- d-----w- C:\Program Files (x86)
2011-06-09 14:23:40 -------- d-----w- c:\program files\VirtualDJ
2011-06-08 12:33:08 -------- d-----w- c:\users\dimitrije\appdata\roaming\com.adobe.dmp.contentviewer
2011-06-05 11:55:21 -------- d-----w- c:\programdata\NokiaAccount
2011-06-05 11:41:13 -------- d-----w- c:\users\dimitrije\appdata\roaming\Nokia Ovi Suite
2011-06-05 11:38:07 -------- d-----w- c:\programdata\Nokia
2011-06-05 11:36:02 -------- d-----w- c:\users\dimitrije\appdata\local\Nokia
2011-06-05 11:33:55 18816 ----a-w- c:\windows\system32\drivers\pccsmcfd.sys
2011-06-05 11:33:42 -------- d-----w- c:\program files\PC Connectivity Solution
2011-06-05 11:32:24 -------- d-----w- c:\programdata\NokiaInstallerCache
2011-06-05 11:32:24 -------- d-----w- c:\program files\Nokia
2011-06-01 13:56:39 -------- d-----w- c:\program files\common files\PX Storage Engine
2011-05-31 20:36:35 17480 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
2011-05-30 13:40:01 -------- d-----w- c:\program files\Microsoft CAPICOM 2.1.0.2
2011-05-29 08:09:34 -------- d-----w- c:\programdata\IObit
2011-05-29 07:23:46 -------- d-----w- c:\users\dimitrije\appdata\roaming\FLEXnet
2011-05-29 07:23:32 -------- d-----w- c:\users\dimitrije\appdata\roaming\Zeon
2011-05-29 07:18:37 -------- d-----w- c:\users\dimitrije\appdata\roaming\Nuance
2011-05-29 07:17:18 -------- d-----w- c:\program files\Nuance
2011-05-28 09:24:08 475648 ----a-w- c:\windows\system32\MyDefragScreenSaver_v4.3.1.scr
2011-05-28 09:24:08 1061888 ----a-w- c:\windows\system32\MyDefragScreenSaver_v4.3.1.exe
.
==================== Find3M ====================
.
2011-06-15 20:21:34 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-05-29 07:11:30 39984 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-05-29 07:11:20 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-05-18 19:33:20 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-05-11 07:39:53 77004 ----a-w- c:\windows\system32\drivers\AFS.SYS
2011-05-10 12:10:59 40112 ----a-w- c:\windows\avastSS.scr
2011-05-10 12:03:54 441176 ----a-w- c:\windows\system32\drivers\aswSnx.sys
2011-05-10 11:59:44 53592 ----a-w- c:\windows\system32\drivers\aswMonFlt.sys
2011-05-08 10:31:56 31744 ----a-w- c:\windows\system32\maplec.dll
2011-05-08 10:31:56 212992 ----a-w- c:\windows\system32\WMIMPLEX.dll
2011-05-08 10:31:56 20480 ----a-w- c:\windows\system32\maplecompat.dll
2011-05-05 07:54:51 284744 ----a-w- c:\windows\system32\guard32.dll
2011-05-05 07:54:49 37592 ----a-w- c:\windows\system32\drivers\cmdhlp.sys
2011-05-05 07:54:48 238960 ----a-w- c:\windows\system32\drivers\cmdGuard.sys
2011-05-05 07:54:48 19088 ----a-w- c:\windows\system32\drivers\cmderd.sys
2011-04-18 16:01:05 499712 ----a-w- c:\windows\system32\msvcp71.dll
2011-04-18 16:01:05 348160 ----a-w- c:\windows\system32\msvcr71.dll
2011-04-09 06:13:06 3957632 ----a-w- c:\windows\system32\ntkrnlpa.exe
2011-04-09 06:13:06 3901824 ----a-w- c:\windows\system32\ntoskrnl.exe
2011-04-09 05:56:38 123904 ----a-w- c:\windows\system32\poqexec.exe
2011-04-06 08:44:30 409088 ----a-w- c:\windows\system32\systemcpl.dll
2011-04-06 08:44:30 13824 ----a-w- c:\windows\system32\slwga.dll
.
=================== ROOTKIT ====================
.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, gmer.net
Windows 6.1.7600
.
CreateFile("\\.\PHYSICALDRIVE0"): The process cannot access the file because it is being used by another process.
device: opened successfully
user: error reading MBR
.
Disk trace:
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys halmacpi.dll ataport.SYS pciide.sys PCIIDEX.SYS atapi.sys
1 ntkrnlpa!IofCallDriver[0x8325B428] -> \Device\Harddisk0\DR0[0x866639E8]
3 CLASSPNP[0x843AB59E] -> ntkrnlpa!IofCallDriver[0x8325B428] -> [0x865AA918]
5 ACPI[0x83EB03B2] -> ntkrnlpa!IofCallDriver[0x8325B428] -> \Device\Ide\IdeDeviceP2T0L0-2[0x861EF908]
kernel: MBR read successfully
_asm { CLI ; JMP 0xef; }
user != kernel MBR !!!
copy of MBR has been found in sector 22 !
copy of MBR has been found in sector 23 !
.
============= FINISH: 9:13:24,23 ===============



GMER log 1 is not complete, it won't attach the rest (since the whole log is about 10 MB I had to split it into 2); it says the maximum allowed size is 1 MB...
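The ROOTKIT section of the DDS log above is the interesting part: the user-mode read of the MBR fails, the kernel-mode read disassembles to `CLI ; JMP`, `user != kernel MBR`, and a copy of the MBR is found in sectors 22 and 23. Those are the classic marks of an MBR bootkit that has replaced sector 0 and stashed the original elsewhere on the disk. The script below is an added example for this thread, not code from the forum or from GMER/aswMBR: it parses a 512-byte sector the way you would inspect an MBR.dat dump, applies the same static heuristics (boot signature, a bootstrap that opens with CLI; JMP instead of the stock Windows 7 prologue, no active partition), and scans a disk image for hidden sectors that carry the same partition table as the live MBR. The user-versus-kernel comparison itself needs a kernel-mode read and is not reproduced here. All sectors, the `WIN7_PROLOGUE` reference bytes as used here, and the 64-sector disk image are constructed in memory so the script runs offline.

```python
"""Parse an aswMBR/GMER-style MBR dump and flag bootkit-like anomalies.

Added example for this thread, not code from the forum or from the GMER /
aswMBR tools. All sectors below are constructed in memory, and the disk
image is a hypothetical 64-sector stand-in for \\.\PHYSICALDRIVE0, so the
script runs offline.
"""
import struct

SECTOR = 512
BOOT_SIG = b"\x55\xAA"
# Opening bytes of a stock Windows 7 MBR bootstrap:
#   33 C0  xor ax,ax / 8E D0  mov ss,ax / BC 00 7C  mov sp,7C00h
WIN7_PROLOGUE = bytes.fromhex("33C08ED0BC007C")


def parse_mbr(sector: bytes) -> dict:
    """Split a 512-byte sector into bootstrap code, partition table and signature."""
    if len(sector) != SECTOR:
        raise ValueError("MBR must be exactly 512 bytes")
    partitions = []
    for i in range(4):
        # status, CHS start, type, CHS end, LBA start, sector count (little-endian)
        status, _, ptype, _, lba, count = struct.unpack_from("<B3sB3sII", sector, 446 + 16 * i)
        if ptype:
            partitions.append({"index": i, "active": status == 0x80, "type": ptype,
                               "lba_start": lba, "sectors": count})
    return {"signature_ok": sector[510:] == BOOT_SIG,
            "bootstrap": sector[:446], "partitions": partitions}


def suspicious_reasons(mbr: dict) -> list:
    """Heuristics mirroring what GMER printed: a bootstrap that opens with
    CLI; JMP instead of the normal stack-setup prologue is a bootkit tell."""
    reasons = []
    code = mbr["bootstrap"]
    if not mbr["signature_ok"]:
        reasons.append("missing 55AA boot signature")
    # FA = CLI; EB = JMP short rel8; E9 = JMP near rel16
    if code[0] == 0xFA and code[1] in (0xEB, 0xE9):
        if code[1] == 0xEB:
            target = 3 + struct.unpack_from("<b", code, 2)[0]
        else:
            target = 4 + struct.unpack_from("<h", code, 2)[0]
        reasons.append(f"bootstrap starts with CLI; JMP 0x{target:x}")
    if not code.startswith(WIN7_PROLOGUE):
        reasons.append("bootstrap prologue differs from the stock Windows 7 MBR")
    if not any(p["active"] for p in mbr["partitions"]):
        reasons.append("no active partition")
    return reasons


def find_mbr_copies(image: bytes, live_mbr: bytes) -> list:
    """Sectors other than 0 that carry a boot signature and the same partition
    table as the live MBR: where a bootkit usually parks the original sector
    (GMER's "copy of MBR has been found in sector N")."""
    table = live_mbr[446:510]
    hits = []
    for n in range(1, len(image) // SECTOR):
        s = image[n * SECTOR:(n + 1) * SECTOR]
        if s[510:] == BOOT_SIG and s[446:510] == table:
            hits.append(n)
    return hits


def build_mbr(bootstrap: bytes, partitions) -> bytes:
    """Assemble a constructed MBR: code padded to 446 bytes + table + signature."""
    table = b"".join(
        struct.pack("<B3sB3sII", 0x80 if active else 0, b"\0\0\0", ptype, b"\0\0\0", lba, count)
        for active, ptype, lba, count in partitions)
    return bootstrap.ljust(446, b"\0") + table.ljust(64, b"\0") + BOOT_SIG


# Constructed samples: the same two-partition table under a clean and a hijacked bootstrap.
PARTS = [(True, 0x07, 2048, 204800), (False, 0x07, 206848, 40_000_000)]
CLEAN_MBR = build_mbr(WIN7_PROLOGUE + b"\x90" * 8, PARTS)
# FA E9 EB 00 = CLI; JMP near to offset 4 + 0xEB = 0xEF
INFECTED_MBR = build_mbr(bytes.fromhex("FAE9EB00") + b"\x90" * 8, PARTS)


def build_disk_image(live_mbr: bytes, stashed: bytes, stash_at=(22, 23), total=64) -> bytes:
    """Hypothetical drive: hijacked sector 0, original MBR hidden in later sectors."""
    sectors = [b"\0" * SECTOR] * total
    sectors[0] = live_mbr
    for n in stash_at:
        sectors[n] = stashed
    return b"".join(sectors)


if __name__ == "__main__":
    disk = build_disk_image(INFECTED_MBR, CLEAN_MBR)
    live = parse_mbr(disk[:SECTOR])
    for reason in suspicious_reasons(live):
        print("suspicious:", reason)
    for n in find_mbr_copies(disk, disk[:SECTOR]):
        print(f"copy of MBR has been found in sector {n}")
```

To use it on a real dump, read the 512 bytes of MBR.dat (or sector 0 of a raw disk image taken from a clean boot medium) into `parse_mbr`; a matching partition table in a later sector is a strong hint that sector 0 was replaced, because a bootkit has to keep the original to chain-load Windows. A clean prologue is not proof of a clean disk: the log above shows the user-mode read being hooked, so the dump must come from below the running driver stack.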

offline
  • magna86  Male
  • Anti Malware Fighter
    Rank 2
  • Joined: 21 Jun 2008
  • Posts: 6103

Hello Inovator25

Download aswMBR and save it to the Desktop.

Double-click to run aswMBR.
Click Scan.
When the scan finishes, click Save log.
Save the aswMBR log to the Desktop.
Copy the contents of that log into the thread.


Also, a file MBR.dat will appear on the Desktop. Attach it to your post using the Attach file option.

...............................................................................

Download sUBs' ComboFix from the following address to the Desktop:


Bleeping Computer
Right-click the link and choose Save Target As... (Save Link As..., Save Linked Content As... or similar);
When the dialog for choosing where to save the file opens, choose Desktop and click Save.




When the download is complete:
disable your security software (instructions);
close running programs;
double-click to run ComboFix;
in the window that opens, click "I Agree".

While running, ComboFix will: check whether a newer version of the program exists:
click Yes if offered to download it.
if the Recovery Console is not installed, offer to install it:
be sure to accept by clicking Yes and follow the procedure.
display a certain number of prompts/notifications:
accept by clicking Yes or OK.
if needed, restart Windows (possibly several times);
at the end, open Notepad with the scan report.


Copy the report ComboFix created into the forum thread:
right-click in the Notepad window and choose Select All;
right-click the selected text and choose Copy;
right-click in the message box and choose Paste.


Note: The report will be saved under the name ComboFix.txt on the system partition (typical location: C:\ComboFix.txt);
If after posting you notice that the report is not complete, use the Attach file option to attach the file C:\ComboFix.txt to your post.

offline
  • Joined: 26 Feb 2011
  • Posts: 164

I have to admit there is malware.



ComboFix 11-06-24.02 - Dimitrije 24.06.2011 20:44:56.1.2 - x86
Microsoft Windows 7 Ultimate 6.1.7600.0.1252.1.1033.18.2046.981 [GMT 2:00]
Running from: c:\users\Dimitrije\Desktop\ComboFix.exe
AV: avast! Antivirus *Disabled/Updated* {2B2D1395-420B-D5C9-657E-930FE358FC3C}
FW: COMODO Firewall *Disabled* {4D6F75E0-14AF-2E9E-AACD-24CDCF08AA2A}
SP: avast! Antivirus *Disabled/Updated* {904CF271-6431-DA47-5FCE-A87D98DFB681}
SP: COMODO Defense+ *Disabled/Updated* {CE351521-78FA-2048-BB22-B68A4A5CA7EC}
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
* Created a new restore point
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\programdata\Tarma Installer
c:\programdata\Tarma Installer\{108A39BF-4ED1-4293-B11A-06BD521FB8F7}\_Setup.dll
c:\programdata\Tarma Installer\{108A39BF-4ED1-4293-B11A-06BD521FB8F7}\20110309201536.log
c:\programdata\Tarma Installer\{108A39BF-4ED1-4293-B11A-06BD521FB8F7}\Cache\_Default.tiz
c:\programdata\Tarma Installer\{108A39BF-4ED1-4293-B11A-06BD521FB8F7}\Cache\AxInterop.ImageEnXLibrary_1.9000.0.0_L_75236aeec3d51fd0_MSIL.tiz
c:\programdata\Tarma Installer\{108A39BF-4ED1-4293-B11A-06BD521FB8F7}\Cache\CFToolkit_4.1.0.0_a87e673e9ecb6e8e_MSIL.tiz
c:\programdata\Tarma Installer\{108A39BF-4ED1-4293-B11A-06BD521FB8F7}\Cache\DROPPED_20100101190241.tiz
c:\programdata\Tarma Installer\{108A39BF-4ED1-4293-B11A-06BD521FB8F7}\Cache\DROPPED_20100101190244.tiz
c:\programdata\Tarma Installer\{108A39BF-4ED1-4293-B11A-06BD521FB8F7}\Cache\DROPPED_20100101190312.tiz
c:\programdata\Tarma Installer\{108A39BF-4ED1-4293-B11A-06BD521FB8F7}\Cache\FreeOCR_2.1.0.8_L_075a6c69191ec1db_x86.tiz
c:\programdata\Tarma Installer\{108A39BF-4ED1-4293-B11A-06BD521FB8F7}\Cache\Interop.ImageLibrary_1.9000.0.0_L_8cdfa8b955dbb1c7_MSIL.tiz
c:\programdata\Tarma Installer\{108A39BF-4ED1-4293-B11A-06BD521FB8F7}\Cache\Interop.PDFAX0717_7.17.0.0_L_3d5fa783dbb69c0f_MSIL.tiz
c:\programdata\Tarma Installer\{108A39BF-4ED1-4293-B11A-06BD521FB8F7}\Setup.dat
c:\programdata\Tarma Installer\{108A39BF-4ED1-4293-B11A-06BD521FB8F7}\Setup.exe
c:\programdata\Tarma Installer\{108A39BF-4ED1-4293-B11A-06BD521FB8F7}\Setup.ico
c:\windows\XSxS
.
.
((((((((((((((((((((((((( Files Created from 2011-05-24 to 2011-06-24 )))))))))))))))))))))))))))))))
.
.
2011-06-24 18:52 . 2011-06-24 18:52 -------- d-----w- c:\users\Dimitrije\AppData\Local\temp
2011-06-24 18:52 . 2011-06-24 18:52 -------- d-----w- c:\users\Default\AppData\Local\temp
2011-06-24 18:38 . 2011-06-24 18:41 -------- d-----w- C:\32788R22FWJFW
2011-06-23 11:10 . 2011-06-23 11:10 -------- d-----w- c:\users\Dimitrije\AppData\Roaming\Microsoft Games
2011-06-18 19:17 . 2011-06-23 14:56 -------- d-----w- c:\users\Dimitrije\AppData\Local\CrashDumps
2011-06-18 09:10 . 2011-06-18 18:44 -------- d-----w- c:\program files\IObit
2011-06-17 12:34 . 2011-06-17 12:34 -------- d-----w- c:\programdata\Norton
2011-06-17 12:34 . 2011-06-17 12:45 -------- d-----w- c:\users\Dimitrije\AppData\Local\NPE
2011-06-16 12:58 . 2011-04-22 23:25 2382848 ----a-w- c:\windows\system32\mshtml.tlb
2011-06-16 12:58 . 2011-04-25 15:29 141104 ----a-w- c:\program files\Internet Explorer\sqmapi.dll
2011-06-16 12:58 . 2011-04-22 23:35 1797632 ----a-w- c:\windows\system32\jscript9.dll
2011-06-15 12:05 . 2011-04-29 02:57 311296 ----a-w- c:\windows\system32\drivers\srv.sys
2011-06-15 12:05 . 2011-04-29 02:57 309760 ----a-w- c:\windows\system32\drivers\srv2.sys
2011-06-15 12:05 . 2011-04-29 02:57 114176 ----a-w- c:\windows\system32\drivers\srvnet.sys
2011-06-15 12:05 . 2011-04-25 04:56 1286016 ----a-w- c:\windows\system32\drivers\tcpip.sys
2011-06-15 12:05 . 2011-04-25 02:35 338944 ----a-w- c:\windows\system32\drivers\afd.sys
2011-06-15 12:05 . 2010-12-18 05:31 571904 ----a-w- c:\windows\system32\oleaut32.dll
2011-06-15 12:05 . 2011-04-27 02:33 78336 ----a-w- c:\windows\system32\drivers\dfsc.sys
2011-06-15 12:05 . 2011-05-03 04:50 740864 ----a-w- c:\windows\system32\inetcomm.dll
2011-06-15 12:00 . 2011-05-04 02:43 222720 ----a-w- c:\windows\system32\drivers\mrxsmb10.sys
2011-06-15 12:00 . 2011-05-04 02:43 96256 ----a-w- c:\windows\system32\drivers\mrxsmb20.sys
2011-06-15 12:00 . 2011-05-04 02:43 123392 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-06-12 17:03 . 2009-07-23 03:08 50200 ----a-w- c:\windows\system32\perf-SQLAgent$SQLEXPRESS-sqlagtctr10.1.2531.0.dll
2011-06-12 17:03 . 2009-07-23 03:08 79896 ----a-w- c:\windows\system32\perf-MSSQL$SQLEXPRESS-sqlctr10.1.2531.0.dll
2011-06-12 17:02 . 2011-06-12 17:02 -------- d-----w- c:\windows\system32\RsFx
2011-06-12 16:56 . 2011-06-12 17:02 -------- d-----w- c:\program files\Microsoft SQL Server
2011-06-12 16:53 . 2011-06-12 16:53 -------- d-----w- c:\programdata\PreEmptive Solutions
2011-06-12 16:49 . 2011-06-12 16:49 -------- d-----w- c:\program files\Microsoft ASP.NET
2011-06-12 16:49 . 2011-06-12 16:49 -------- d-----w- c:\program files\IIS
2011-06-12 16:47 . 2011-06-16 18:09 2478272 ----a-w- c:\programdata\Microsoft\VisualStudio\10.0\1033\ResourceCache.dll
2011-06-12 16:37 . 2011-06-12 17:00 -------- d-----w- c:\windows\system32\1033
2011-06-12 16:36 . 2011-06-12 16:36 -------- d-----w- c:\windows\symbols
2011-06-12 16:36 . 2011-06-12 16:55 -------- d-----w- c:\program files\Microsoft SDKs
2011-06-12 16:36 . 2011-06-12 16:41 -------- d-----w- c:\program files\Microsoft F#
2011-06-12 16:36 . 2011-06-12 16:39 -------- d-----w- c:\program files\HTML Help Workshop
2011-06-12 16:36 . 2011-06-15 19:56 -------- d-----w- c:\program files\Common Files\Merge Modules
2011-06-12 16:36 . 2011-06-12 16:36 -------- d-----w- c:\program files\Microsoft Help Viewer
2011-06-12 16:33 . 2011-06-12 16:33 -------- d-----w- c:\program files\Microsoft Visual Studio 9.0
2011-06-12 13:10 . 2011-06-12 13:10 -------- d-----w- c:\users\Dimitrije\AppData\Roaming\OpenOffice.org
2011-06-09 14:25 . 2011-06-09 14:25 -------- d-----w- C:\Program Files (x86)
2011-06-09 14:23 . 2011-06-09 14:23 -------- d-----w- c:\program files\VirtualDJ
2011-06-08 12:33 . 2011-06-08 12:33 -------- d-----w- c:\users\Dimitrije\AppData\Roaming\com.adobe.dmp.contentviewer
2011-06-05 11:41 . 2011-06-05 11:41 -------- d-----w- c:\users\Dimitrije\AppData\Roaming\Nokia Ovi Suite
2011-06-05 11:38 . 2011-06-05 11:38 -------- d-----w- c:\programdata\Nokia
2011-06-05 11:36 . 2011-06-05 11:36 -------- d-----w- c:\users\Dimitrije\AppData\Local\Nokia
2011-06-05 11:33 . 2008-08-26 08:26 18816 ----a-w- c:\windows\system32\drivers\pccsmcfd.sys
2011-06-05 11:33 . 2011-06-05 11:33 -------- d-----w- c:\program files\PC Connectivity Solution
2011-06-05 11:32 . 2011-06-05 11:33 -------- d-----w- c:\program files\Nokia
2011-06-01 13:56 . 2011-06-01 13:56 -------- d-----w- c:\program files\Common Files\PX Storage Engine
2011-06-01 13:56 . 2011-06-18 09:31 -------- d-----w- c:\users\Dimitrije\AppData\Roaming\Winamp
2011-05-31 20:36 . 2011-06-17 12:29 17480 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
2011-05-30 13:40 . 2011-05-30 13:40 -------- d-----w- c:\program files\Microsoft CAPICOM 2.1.0.2
2011-05-29 08:09 . 2011-06-18 09:43 -------- d-----w- c:\programdata\IObit
2011-05-29 07:23 . 2011-05-29 07:23 -------- d-----w- c:\users\Dimitrije\AppData\Roaming\FLEXnet
2011-05-29 07:23 . 2011-05-29 07:23 -------- d-----w- c:\users\Dimitrije\AppData\Roaming\Zeon
2011-05-29 07:23 . 2011-05-29 07:23 -------- d-----w- c:\users\Dimitrije\AppData\Roaming\ScanSoft
2011-05-29 07:18 . 2011-05-29 07:18 -------- d-----w- c:\users\Dimitrije\AppData\Roaming\Nuance
2011-05-29 07:18 . 2011-05-29 07:18 -------- d-----w- c:\programdata\ScanSoft
2011-05-29 07:17 . 2011-05-29 07:17 -------- d-----w- c:\programdata\FLEXnet
2011-05-29 07:17 . 2011-05-29 07:17 -------- d-----w- c:\program files\Nuance
2011-05-29 07:15 . 2011-05-29 07:15 -------- d-----w- c:\program files\Common Files\InstallShield
2011-05-28 09:24 . 2010-05-21 10:11 475648 ----a-w- c:\windows\system32\MyDefragScreenSaver_v4.3.1.scr
2011-05-28 09:24 . 2010-05-21 10:11 1061888 ----a-w- c:\windows\system32\MyDefragScreenSaver_v4.3.1.exe
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-06-15 20:21 . 2011-05-17 20:55 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-05-29 07:11 . 2011-03-07 19:28 39984 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-05-29 07:11 . 2011-03-07 19:28 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-05-18 19:33 . 2011-05-18 19:33 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-05-11 07:39 . 2011-05-11 07:39 77004 ----a-w- c:\windows\system32\drivers\AFS.SYS
2011-05-10 12:10 . 2011-03-07 18:33 40112 ----a-w- c:\windows\avastSS.scr
2011-05-10 12:10 . 2011-03-07 18:33 199304 ----a-w- c:\windows\system32\aswBoot.exe
2011-05-10 12:03 . 2011-03-07 18:33 441176 ----a-w- c:\windows\system32\drivers\aswSnx.sys
2011-05-10 12:03 . 2011-03-07 18:34 307928 ----a-w- c:\windows\system32\drivers\aswSP.sys
2011-05-10 12:02 . 2011-03-07 18:33 49240 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2011-05-10 11:59 . 2011-03-07 18:34 25432 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2011-05-10 11:59 . 2011-03-07 18:33 53592 ----a-w- c:\windows\system32\drivers\aswMonFlt.sys
2011-05-10 11:59 . 2011-03-07 18:34 19544 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2011-05-10 08:13 . 2011-01-06 16:36 82400 ----a-w- c:\windows\system32\drivers\inspect.sys
2011-05-08 10:31 . 2011-05-08 10:31 31744 ----a-w- c:\windows\system32\maplec.dll
2011-05-08 10:31 . 2011-05-08 10:31 212992 ----a-w- c:\windows\system32\WMIMPLEX.dll
2011-05-08 10:31 . 2011-05-08 10:31 20480 ----a-w- c:\windows\system32\maplecompat.dll
2011-05-05 07:54 . 2010-12-29 00:42 284744 ----a-w- c:\windows\system32\guard32.dll
2011-05-05 07:54 . 2011-01-06 16:36 37592 ----a-w- c:\windows\system32\drivers\cmdhlp.sys
2011-05-05 07:54 . 2011-01-06 16:36 238960 ----a-w- c:\windows\system32\drivers\cmdGuard.sys
2011-05-05 07:54 . 2011-01-06 16:36 19088 ----a-w- c:\windows\system32\drivers\cmderd.sys
2011-04-22 10:15 . 2011-04-22 10:15 87888 ----a-w- c:\windows\system32\vcomp100d.dll
2011-04-22 10:15 . 2011-04-22 10:15 80720 ----a-w- c:\windows\system32\mfcm100u.dll
2011-04-22 10:15 . 2011-04-22 10:15 80208 ----a-w- c:\windows\system32\mfcm100.dll
2011-04-22 10:15 . 2011-04-22 10:15 768848 ----a-w- c:\windows\system32\msvcr100.dll
2011-04-22 10:15 . 2011-04-22 10:15 743248 ----a-w- c:\windows\system32\msvcp100d.dll
2011-04-22 10:15 . 2011-04-22 10:15 6994256 ----a-w- c:\windows\system32\mfc100ud.dll
2011-04-22 10:15 . 2011-04-22 10:15 6926672 ----a-w- c:\windows\system32\mfc100d.dll
2011-04-22 10:15 . 2011-04-22 10:15 64336 ----a-w- c:\windows\system32\mfc100fra.dll
2011-04-22 10:15 . 2011-04-22 10:15 64336 ----a-w- c:\windows\system32\mfc100deu.dll
2011-04-22 10:15 . 2011-04-22 10:15 63824 ----a-w- c:\windows\system32\mfc100esn.dll
2011-04-22 10:15 . 2011-04-22 10:15 62288 ----a-w- c:\windows\system32\mfc100ita.dll
2011-04-22 10:15 . 2011-04-22 10:15 60752 ----a-w- c:\windows\system32\mfc100rus.dll
2011-04-22 10:15 . 2011-04-22 10:15 55120 ----a-w- c:\windows\system32\mfc100enu.dll
2011-04-22 10:15 . 2011-04-22 10:15 51024 ----a-w- c:\windows\system32\vcomp100.dll
2011-04-22 10:15 . 2011-04-22 10:15 43856 ----a-w- c:\windows\system32\mfc100jpn.dll
2011-04-22 10:15 . 2011-04-22 10:15 4368720 ----a-w- c:\windows\system32\mfc100u.dll
2011-04-22 10:15 . 2011-04-22 10:15 4342600 ----a-w- c:\windows\system32\mfc100.dll
2011-04-22 10:15 . 2011-04-22 10:15 43344 ----a-w- c:\windows\system32\mfc100kor.dll
2011-04-22 10:15 . 2011-04-22 10:15 421200 ----a-w- c:\windows\system32\msvcp100.dll
2011-04-22 10:15 . 2011-04-22 10:15 36176 ----a-w- c:\windows\system32\mfc100cht.dll
2011-04-22 10:15 . 2011-04-22 10:15 36176 ----a-w- c:\windows\system32\mfc100chs.dll
2011-04-22 10:15 . 2011-04-22 10:15 1497936 ----a-w- c:\windows\system32\msvcr100d.dll
2011-04-22 10:15 . 2011-04-22 10:15 137544 ----a-w- c:\windows\system32\atl100.dll
2011-04-22 10:15 . 2011-04-22 10:15 104784 ----a-w- c:\windows\system32\mfcm100ud.dll
2011-04-22 10:15 . 2011-04-22 10:15 103248 ----a-w- c:\windows\system32\mfcm100d.dll
2011-04-18 16:01 . 2003-03-18 19:14 499712 ----a-w- c:\windows\system32\msvcp71.dll
2011-04-18 16:01 . 2003-02-21 03:42 348160 ----a-w- c:\windows\system32\msvcr71.dll
2011-04-09 06:13 . 2011-05-11 07:29 3957632 ----a-w- c:\windows\system32\ntkrnlpa.exe
2011-04-09 06:13 . 2011-05-11 07:29 3901824 ----a-w- c:\windows\system32\ntoskrnl.exe
2011-04-09 05:56 . 2011-05-23 19:04 123904 ----a-w- c:\windows\system32\poqexec.exe
2011-04-06 08:44 . 2011-04-06 08:44 409088 ----a-w- c:\windows\system32\systemcpl.dll
2011-04-06 08:44 . 2011-03-06 17:22 13824 ----a-w- c:\windows\system32\slwga.dll
2011-04-03 09:55 . 2011-04-03 09:55 86528 ----a-w- c:\windows\system32\iesysprep.dll
2011-04-03 09:55 . 2011-04-03 09:55 76800 ----a-w- c:\windows\system32\SetIEInstalledDate.exe
2011-04-03 09:55 . 2011-04-03 09:55 74752 ----a-w- c:\windows\system32\RegisterIEPKEYs.exe
2011-04-03 09:55 . 2011-04-03 09:55 48640 ----a-w- c:\windows\system32\mshtmler.dll
2011-04-03 09:55 . 2011-04-03 09:55 161792 ----a-w- c:\windows\system32\msls31.dll
2011-04-03 09:55 . 2011-04-03 09:55 1126912 ----a-w- c:\windows\system32\wininet.dll
2011-04-03 09:55 . 2011-04-03 09:55 110592 ----a-w- c:\windows\system32\IEAdvpack.dll
2011-04-03 09:55 . 2011-04-03 09:55 74752 ----a-w- c:\windows\system32\iesetup.dll
2011-04-03 09:55 . 2011-04-03 09:55 63488 ----a-w- c:\windows\system32\tdc.ocx
2011-04-03 09:55 . 2011-04-03 09:55 420864 ----a-w- c:\windows\system32\vbscript.dll
2011-04-03 09:55 . 2011-04-03 09:55 367104 ----a-w- c:\windows\system32\html.iec
2011-04-03 09:55 . 2011-04-03 09:55 35840 ----a-w- c:\windows\system32\imgutil.dll
2011-04-03 09:55 . 2011-04-03 09:55 23552 ----a-w- c:\windows\system32\licmgr10.dll
2011-04-03 09:55 . 2011-04-03 09:55 152064 ----a-w- c:\windows\system32\wextract.exe
2011-04-03 09:55 . 2011-04-03 09:55 150528 ----a-w- c:\windows\system32\iexpress.exe
2011-04-03 09:55 . 2011-04-03 09:55 142848 ----a-w- c:\windows\system32\ieUnatt.exe
2011-04-03 09:55 . 2011-04-03 09:55 1427456 ----a-w- c:\windows\system32\inetcpl.cpl
2011-04-03 09:55 . 2011-04-03 09:55 11776 ----a-w- c:\windows\system32\mshta.exe
2011-04-03 09:55 . 2011-04-03 09:55 101888 ----a-w- c:\windows\system32\admparse.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
@="{472083B0-C522-11CF-8763-00608CC02F24}"
[HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
2011-05-10 12:10 122512 ----a-w- d:\program files\AVAST Software\Avast\ashShell.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"COMODO_TimeMachine"="d:\program files\COMODO\Time Machine\CTMTRAY.exe" [2010-07-20 4910904]
"avast"="d:\program files\AVAST Software\Avast\avastUI.exe" [2011-05-10 3459712]
"COMODO Internet Security"="d:\program files\COMODO\COMODO Internet Security\cfp.exe" [2011-05-10 2552648]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\SharedTaskScheduler]
"{1984DD45-52CF-49cd-AB77-18F378FEA264}"= "d:\program files\Stardock\Fences\FencesMenu.dll" [2010-06-22 202088]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\System32\guard32.dll
.
[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Watch.lnk]
backup=c:\windows\pss\Watch.lnk.CommonStartup
backupExtension=.CommonStartup
.
[HKLM\~\startupfolder\C:^Users^Dimitrije^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^Stardock ObjectDock.lnk]
backup=c:\windows\pss\Stardock ObjectDock.lnk.Startup
backupExtension=.Startup
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\facemoods
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HTC Home
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NokiaMServer]
c:\program files\Common Files\Nokia\MPlatform\NokiaMServer [X]
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TrayServer
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdobeAAMUpdater-1.0]
2011-03-15 15:42 499608 ------w- c:\program files\Common Files\Adobe\OOBE\PDApp\UWA\updaterstartuputility.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdobeCS5.5ServiceManager]
2011-01-12 05:08 1523360 ----a-w- c:\program files\Common Files\Adobe\CS5.5ServiceManager\CS5.5ServiceManager.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdobeCS5ServiceManager]
2010-02-22 02:57 406992 ----a-w- c:\program files\Common Files\Adobe\CS5ServiceManager\CS5ServiceManager.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BCSSync]
2010-01-21 16:22 91520 ----a-w- c:\program files\Microsoft Office\Office14\BCSSync.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools Lite]
2011-01-20 09:20 1305408 ----a-w- d:\program files\DAEMON Tools Lite\DTLite.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DeviceDiscovery]
2003-05-21 16:37 229437 ----a-w- c:\program files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\FixCamera]
2007-07-11 14:09 20480 ----a-w- c:\windows\FixCamera.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Component Manager]
2003-10-23 17:51 233472 ----a-w- c:\program files\HP\hpcoretech\hpcmpmgr.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
2003-06-25 09:24 49152 ----a-w- c:\program files\Hewlett-Packard\HP Software Update\hpwuSchd.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Malwarebytes' Anti-Malware (reboot)]
2011-05-29 07:11 1047656 ----a-w- d:\program files\Malwarebytes' Anti-Malware\mbam.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroCheck]
2001-07-09 00:50 155648 ----a-w- c:\windows\System32\NeroCheck.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NokiaOviSuite2]
2011-05-20 14:56 724536 ----a-w- c:\program files\Nokia\Nokia Ovi Suite\NokiaOviSuite.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PC Suite Tray]
2010-12-21 10:53 1483264 ----a-w- d:\program files\Nokia\Nokia PC Suite 7\PCSuite.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PWRISOVM.EXE]
2010-04-12 08:40 180224 ----a-w- d:\program files\PowerISO\PWRISOVM.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-11-29 15:38 421888 ----a-w- d:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SandboxieControl]
2011-03-24 11:24 409320 ----a-w- d:\program files\Sandboxie\SbieCtrl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
2011-06-15 13:02 15141768 ----a-r- c:\program files\Skype\Phone\Skype.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\snp2std]
2007-05-10 14:58 344064 ----a-w- c:\windows\vsnp2std.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SwitchBoard]
2010-02-19 11:37 517096 ----a-w- c:\program files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
2011-04-18 16:01 273544 ----a-w- c:\program files\Real\RealPlayer\Update\realsched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\tsnp2std]
2007-05-12 09:19 270336 ----a-w- c:\windows\tsnp2std.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\vmware-tray]
2010-11-11 12:47 129648 ----a-w- d:\program files\VMware\vmware-tray.exe
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"RocketDock"="d:\program files\RocketDock\RocketDock.exe"
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe"
"Nuance OmniPage 17-reminder"="d:\program files\Nuance\OmniPage17\Ereg\Ereg.exe" -r "c:\programdata\ScanSoft\OmniPage 17\Ereg\Ereg.ini"
.
R1 SASDIFSV;SASDIFSV;c:\users\DIMITR~1\AppData\Local\Temp\SAS_SelfExtract\SASDIFSV.SYS [x]
R1 SASKUTIL;SASKUTIL;c:\users\DIMITR~1\AppData\Local\Temp\SAS_SelfExtract\SASKUTIL.SYS [x]
R2 AdvancedSystemCareService;Advanced SystemCare Service;d:\program files\IObit\Advanced SystemCare 4\ASCService.exe [x]
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R3 AGJQT;AGJQT;c:\users\DIMITR~1\AppData\Local\Temp\AGJQT.exe [x]
R3 Aken;Aken;d:\program files\0 A.D. alpha\binaries\system\aken.sys [x]
R3 BthAvrcp;Bluetooth AVRCP Profile;c:\windows\system32\DRIVERS\BthAvrcp.sys [2009-08-13 22528]
R3 epmntdrv;epmntdrv;c:\windows\system32\epmntdrv.sys [2011-03-24 14216]
R3 EuGdiDrv;EuGdiDrv;c:\windows\system32\EuGdiDrv.sys [2011-03-24 8456]
R3 FUAAQIQC;FUAAQIQC;c:\users\DIMITR~1\AppData\Local\Temp\FUAAQIQC.exe [x]
R3 IBB;IBB;c:\users\DIMITR~1\AppData\Local\Temp\IBB.exe [x]
R3 Microsoft SharePoint Workspace Audit Service;Microsoft SharePoint Workspace Audit Service;c:\program files\Microsoft Office\Office14\GROOVE.EXE [2010-01-21 30963576]
R3 nmwcdnsu;Nokia USB Flashing Phone Parent;c:\windows\system32\drivers\nmwcdnsu.sys [2010-12-02 137600]
R3 nmwcdnsuc;Nokia USB Flashing Generic;c:\windows\system32\drivers\nmwcdnsuc.sys [2010-12-02 8576]
R3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2010-01-09 4640000]
R3 PSI;PSI;c:\windows\system32\DRIVERS\psi_mf.sys [2010-09-01 15544]
R3 VSPerfDrv100;Performance Tools Driver 10.0;d:\program files\Microsoft Visual Studio 10.0\Team Tools\Performance Tools\VSPerfDrv100.sys [2009-12-08 48128]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2011-04-03 1343400]
R4 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2011-03-07 136176]
R4 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [2011-03-07 136176]
R4 MSSQLServerADHelper100;SQL Active Directory Helper Service;c:\program files\Microsoft SQL Server\100\Shared\SQLADHLP.EXE [2009-07-23 47128]
R4 RsFx0103;RsFx0103 Driver;c:\windows\system32\DRIVERS\RsFx0103.sys [2009-03-30 239336]
R4 Secunia PSI Agent;Secunia PSI Agent;d:\program files\Secunia\PSI\PSIA.exe [2011-01-10 993848]
R4 Secunia Update Agent;Secunia Update Agent;d:\program files\Secunia\PSI\sua.exe [2011-01-10 399416]
R4 SQLAgent$SQLEXPRESS;SQL Server Agent (SQLEXPRESS);c:\program files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\SQLAGENT.EXE [2009-03-30 366936]
R4 SwitchBoard;SwitchBoard;c:\program files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [2010-02-19 517096]
S0 AFS;AFS; [x]
S1 aswSnx;aswSnx; [x]
S1 aswSP;aswSP; [x]
S1 cmdGuard;COMODO Internet Security Sandbox Driver;c:\windows\system32\DRIVERS\cmdguard.sys [2011-05-05 238960]
S1 cmdHlp;COMODO Internet Security Helper Driver;c:\windows\system32\DRIVERS\cmdhlp.sys [2011-05-05 37592]
S1 dtsoftbus01;DAEMON Tools Virtual Bus Driver;c:\windows\system32\DRIVERS\dtsoftbus01.sys [2011-03-11 218688]
S2 aswFsBlk;aswFsBlk; [x]
S2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [2011-05-10 53592]
S2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;c:\program files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe [2011-01-07 378984]
S2 vmci;VMware vmci;c:\windows\system32\Drivers\vmci.sys [2010-11-11 70768]
S2 VMUSBArbService;VMware USB Arbitration Service;c:\program files\Common Files\VMware\USB\vmware-usbarbitrator.exe [2010-11-11 539248]
S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt86win7.sys [2011-01-21 328808]
.
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - ASWMBR
*Deregistered* - aswMBR
.
Contents of the 'Scheduled Tasks' folder
.
2011-06-24 c:\windows\Tasks\GlaryInitialize.job
- d:\program files\Glary Utilities\initialize.exe [2011-03-18 06:25]
.
2011-06-19 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-03-07 18:34]
.
2011-06-19 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-03-07 18:34]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = 127.0.0.1
IE: + Offline &Explorer: Download the link - file://d:\program files\Offline Explorer\Add_UrlO.htm
IE: + Offline E&xplorer: Download the current page - file://d:\program files\Offline Explorer\Add_AllO.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office14\EXCEL.EXE/3000
IE: LastPass - file://d:\program files\LastPass\context.html?cmd=lastpass
IE: LastPass ?????????? ????????? - file://d:\program files\LastPass\context.html?cmd=fillforms
IE: Se&nd to OneNote - c:\progra~1\MICROS~2\Office14\ONBttnIE.dll/105
LSP: d:\program files\VMware\vsocklib.dll
TCP: DhcpNameServer = 192.168.1.1
TCP: Interfaces\{97D69B6F-5FE6-455F-9758-1CE371667471}: NameServer = 156.154.70.22,156.154.71.22
FF - ProfilePath - c:\users\Dimitrije\AppData\Roaming\Mozilla\Firefox\Profiles\ymjltxfa.default\
FF - prefs.js: browser.search.selectedEngine - Yahoo
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?ei=utf-8&fr=greentree_ff1&type=685749&p=
FF - user.js: network.http.max-connections-per-server - 8
FF - user.js: network.http.max-persistent-connections-per-server - 4
FF - user.js: nglayout.initialpaint.delay - 600
FF - user.js: content.notify.interval - 600000
FF - user.js: content.max.tokenizing.time - 1800000
FF - user.js: content.switch.threshold - 600000
.
- - - - ORPHANS REMOVED - - - -
.
URLSearchHooks-{a2d8f477-f908-478d-a77a-5d934a922bc0} - (no file)
SharedTaskScheduler-{1984D045-52CF-49cd-DB77-08F378FEA4DB} - (no file)
AddRemove-{108A39BF-4ED1-4293-B11A-06BD521FB8F7} - c:\progra~2\TARMAI~1\{108A3~1\Setup.exe
.
.
.
**************************************************************************
.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, gmer.net
Windows 6.1.7600
.
CreateFile("\\.\PHYSICALDRIVE0"): The process cannot access the file because it is being used by another process.
device: opened successfully
user: error reading MBR
kernel: MBR read successfully
user != kernel MBR !!!
copy of MBR has been found in sector 22 !
copy of MBR has been found in sector 23 !
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(608-)
c:\windows\system32\guard32.dll
.
- - - - - - - > 'lsass.exe'(680)
c:\windows\system32\guard32.dll
.
Completion time: 2011-06-24 20:54:32
ComboFix-quarantined-files.txt 2011-06-24 18:54
.
Pre-Run: 18.331.373.568 bytes free
Post-Run: 18.336.362.496 bytes free
.
- - End Of File - - 0821733AD19C0ABA3FD6566FDC60B173





  • magna86
  • Anti Malware Fighter, Rank 2
  • Joined: 21 Jun 2008
  • Posts: 6103

OK, let me briefly explain what this is about.

Among other things, the reports show traces of malware that we call an MBR Rootkit.
An MBR Rootkit is fairly complex and "lives" outside the operating system.
Because of that, protection programs and tools have trouble detecting this malware.

................................................................................

Do the following in order, as instructed:
Open Notepad and copy the following text:


Folder::
c:\programdata\Norton

DirLook::
c:\users\Dimitrije\AppData\Local\NPE
c:\windows\system32\1033

Driver::
AGJQT
FUAAQIQC
IBB

KillAll::

File::
c:\users\DIMITR~1\AppData\Local\Temp\AGJQT.exe
c:\users\DIMITR~1\AppData\Local\Temp\FUAAQIQC.exe
c:\users\DIMITR~1\AppData\Local\Temp\IBB.exe

RegLock::
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000





Save the file from Notepad to the Desktop as "CFScript"




Drag the saved script/text file onto the ComboFix icon, as in the picture.
Post in your next message the log that is produced at the end of the cleaning/scan.


...............................................................

Download Kaspersky Lab's TDSSKiller from the following address to the Desktop:


TDSSKiller

Right-click the link and choose Save Target As... (Save Link As..., Save Linked Content As... or similar);
When the dialog for choosing where to save the file opens, choose Desktop and click Save.



When the download has finished:
disable your security software (instructions);
close running programs;
rename TDSSKiller.exe to MyCity.exe;
double-click MyCity.exe to run it;
click the Start Scan button.


If malicious objects are found, make sure the action selected for them is "Cure" (example) and click Continue, then click Reboot Now.



Attach the contents of the log from the following location:
C:\TDSSKiller_verzija programa_DD.MM.GG_HH.MM.SS.txt
(DD = day, MM = month, GG = year, HH = hour, MM = minute, SS = second; the date and time the log was created)


....................................................

Run aswMBR again and attach a fresh aswMBR.txt log
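An added example (not code from the thread, ComboFix, Gmer or TDSSKiller): a small Python triage script that applies the two checks magna86 made by hand on the log above. It parses ComboFix service/driver lines, flags the ones whose image loads from a user Temp directory (the AGJQT, FUAAQIQC and IBB entries, which is how those three ended up in the Driver:: and File:: sections of the CFScript), reads the Gmer MBR detector section for the "user != kernel MBR" mismatch, and emits the matching CFScript sections. The sample lines are copied from the log posted above; the function and variable names are my own.

```python
"""Triage helper for ComboFix-style logs (added example, not part of the thread).

Two checks the analyst in the thread made by hand:
  1. service/driver entries whose image lives in a user's Temp directory
  2. the Gmer MBR section reporting that the MBR read from user mode differs
     from the one the kernel reads (the MBR-rootkit signal)
"""
import re
from dataclasses import dataclass

# Lines copied from the ComboFix log posted above, in the format
#   <state> <name>;<description>;<image path> [<date size> | x]
# "[x]" is ComboFix's marker for an image that was not found at that path.
SAMPLE_LOG = r"""
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R3 AGJQT;AGJQT;c:\users\DIMITR~1\AppData\Local\Temp\AGJQT.exe [x]
R3 Aken;Aken;d:\program files\0 A.D. alpha\binaries\system\aken.sys [x]
R3 FUAAQIQC;FUAAQIQC;c:\users\DIMITR~1\AppData\Local\Temp\FUAAQIQC.exe [x]
R3 IBB;IBB;c:\users\DIMITR~1\AppData\Local\Temp\IBB.exe [x]
S1 cmdGuard;COMODO Internet Security Sandbox Driver;c:\windows\system32\DRIVERS\cmdguard.sys [2011-05-05 238960]
.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, gmer.net
user: error reading MBR
kernel: MBR read successfully
user != kernel MBR !!!
copy of MBR has been found in sector 22 !
copy of MBR has been found in sector 23 !
"""

SERVICE_RE = re.compile(r"^([RS]\d)\s+([^;]+);([^;]*);(.*?)\s+\[([^\]]*)\]\s*$")
TEMP_DIR_RE = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)
RANDOM_NAME_RE = re.compile(r"^[A-Z]{3,10}$")   # AGJQT-style generated names
MBR_COPY_RE = re.compile(r"copy of MBR has been found in sector (\d+)")


@dataclass
class Service:
    state: str        # ComboFix state/start column, e.g. R3 (running) or S1
    name: str
    description: str
    image: str
    info: str         # bracket contents: "<date> <size>" or "x" when missing

    @property
    def file_missing(self) -> bool:
        return self.info.strip().lower() == "x"


def parse_services(text: str) -> list:
    """Return every line that is in ComboFix's service/driver format."""
    found = []
    for line in text.splitlines():
        m = SERVICE_RE.match(line.strip())
        if m:
            found.append(Service(*m.groups()))
    return found


def suspicion_reasons(svc: Service) -> list:
    """Explain why an entry looks like a rogue driver/service; empty = clean."""
    reasons = []
    if TEMP_DIR_RE.search(svc.image):
        reasons.append("image loads from a user Temp directory")
    if RANDOM_NAME_RE.match(svc.name) and svc.name == svc.description:
        reasons.append("random-looking name and no real description")
    if svc.file_missing:
        reasons.append("file not found on disk ([x])")
    return reasons


def flag_temp_services(services: list) -> list:
    """A Temp-directory image is the deciding signal; the others corroborate."""
    return [s for s in services if TEMP_DIR_RE.search(s.image)]


def mbr_findings(text: str) -> dict:
    """Pull the MBR-rootkit indicators out of the Gmer detector section."""
    return {
        "mismatch": "user != kernel MBR" in text,
        "backup_sectors": [int(n) for n in MBR_COPY_RE.findall(text)],
    }


def cfscript(flagged: list) -> str:
    """Driver:: and File:: sections in CFScript form for the flagged entries."""
    lines = ["Driver::", *[s.name for s in flagged], "",
             "File::", *[s.image for s in flagged]]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    services = parse_services(SAMPLE_LOG)
    for svc in services:
        reasons = suspicion_reasons(svc)
        if reasons:
            print(f"{svc.state} {svc.name}: " + "; ".join(reasons))
    mbr = mbr_findings(SAMPLE_LOG)
    if mbr["mismatch"]:
        print("user-mode and kernel MBR reads differ; MBR copies in sectors",
              mbr["backup_sectors"])
    print(cfscript(flag_temp_services(services)))
```

Note that "[x]" alone is not enough to condemn an entry (the Aken driver from a game install is also reported missing), which is why only the Temp-directory location decides and the other two signals just corroborate; the user/kernel MBR mismatch is a separate indicator and is the reason the helper asked for aswMBR and TDSSKiller logs rather than relying on the CFScript alone.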

  • Joined: 26 Feb 2011
  • Posts: 164

Posted: 24 Jun 2011 23:44

Hm. Interesting. MBR Rootkit, for anyone who wants to know more: www2.gmer.net/mbr/ ....
It seems it didn't work; aswMBR is reporting infections again. TDSSKiller found nothing.
Here are the logs:

ComboFix 11-06-24.02 - Dimitrije 24.06.2011 23:07:55.2.2 - x86
Microsoft Windows 7 Ultimate 6.1.7600.0.1252.1.1033.18.2046.1187 [GMT 2:00]
Running from: c:\users\Dimitrije\Desktop\ComboFix.exe
Command switches used :: c:\users\Dimitrije\Desktop\CFScript.txt
AV: avast! Antivirus *Disabled/Updated* {2B2D1395-420B-D5C9-657E-930FE358FC3C}
FW: COMODO Firewall *Disabled* {4D6F75E0-14AF-2E9E-AACD-24CDCF08AA2A}
SP: avast! Antivirus *Disabled/Updated* {904CF271-6431-DA47-5FCE-A87D98DFB681}
SP: COMODO Defense+ *Disabled/Updated* {CE351521-78FA-2048-BB22-B68A4A5CA7EC}
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
* Created a new restore point
.
FILE ::
"c:\users\DIMITR~1\AppData\Local\Temp\AGJQT.exe"
"c:\users\DIMITR~1\AppData\Local\Temp\FUAAQIQC.exe"
"c:\users\DIMITR~1\AppData\Local\Temp\IBB.exe"
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\programdata\Norton
c:\programdata\Norton\{086A63F0-6B13-4F29-9695-134E7A01E963}\LC.INI
c:\programdata\Norton\NPE\NPEsettings.dat
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Service_AGJQT
-------\Service_FUAAQIQC
-------\Service_IBB
.
.
((((((((((((((((((((((((( Files Created from 2011-05-24 to 2011-06-24 )))))))))))))))))))))))))))))))
.
.
2011-06-23 11:10 . 2011-06-23 11:10 -------- d-----w- c:\users\Dimitrije\AppData\Roaming\Microsoft Games
2011-06-18 19:17 . 2011-06-23 14:56 -------- d-----w- c:\users\Dimitrije\AppData\Local\CrashDumps
2011-06-18 09:10 . 2011-06-18 18:44 -------- d-----w- c:\program files\IObit
2011-06-17 12:34 . 2011-06-17 12:45 -------- d-----w- c:\users\Dimitrije\AppData\Local\NPE
2011-06-16 12:58 . 2011-04-22 23:25 2382848 ----a-w- c:\windows\system32\mshtml.tlb
2011-06-16 12:58 . 2011-04-25 15:29 141104 ----a-w- c:\program files\Internet Explorer\sqmapi.dll
2011-06-16 12:58 . 2011-04-22 23:35 1797632 ----a-w- c:\windows\system32\jscript9.dll
2011-06-15 12:05 . 2011-04-29 02:57 311296 ----a-w- c:\windows\system32\drivers\srv.sys
2011-06-15 12:05 . 2011-04-29 02:57 309760 ----a-w- c:\windows\system32\drivers\srv2.sys
2011-06-15 12:05 . 2011-04-29 02:57 114176 ----a-w- c:\windows\system32\drivers\srvnet.sys
2011-06-15 12:05 . 2011-04-25 04:56 1286016 ----a-w- c:\windows\system32\drivers\tcpip.sys
2011-06-15 12:05 . 2011-04-25 02:35 338944 ----a-w- c:\windows\system32\drivers\afd.sys
2011-06-15 12:05 . 2010-12-18 05:31 571904 ----a-w- c:\windows\system32\oleaut32.dll
2011-06-15 12:05 . 2011-04-27 02:33 78336 ----a-w- c:\windows\system32\drivers\dfsc.sys
2011-06-15 12:05 . 2011-05-03 04:50 740864 ----a-w- c:\windows\system32\inetcomm.dll
2011-06-15 12:00 . 2011-05-04 02:43 222720 ----a-w- c:\windows\system32\drivers\mrxsmb10.sys
2011-06-15 12:00 . 2011-05-04 02:43 96256 ----a-w- c:\windows\system32\drivers\mrxsmb20.sys
2011-06-15 12:00 . 2011-05-04 02:43 123392 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-06-12 17:03 . 2009-07-23 03:08 50200 ----a-w- c:\windows\system32\perf-SQLAgent$SQLEXPRESS-sqlagtctr10.1.2531.0.dll
2011-06-12 17:03 . 2009-07-23 03:08 79896 ----a-w- c:\windows\system32\perf-MSSQL$SQLEXPRESS-sqlctr10.1.2531.0.dll
2011-06-12 17:02 . 2011-06-12 17:02 -------- d-----w- c:\windows\system32\RsFx
2011-06-12 16:56 . 2011-06-12 17:02 -------- d-----w- c:\program files\Microsoft SQL Server
2011-06-12 16:53 . 2011-06-12 16:53 -------- d-----w- c:\programdata\PreEmptive Solutions
2011-06-12 16:49 . 2011-06-12 16:49 -------- d-----w- c:\program files\Microsoft ASP.NET
2011-06-12 16:49 . 2011-06-12 16:49 -------- d-----w- c:\program files\IIS
2011-06-12 16:47 . 2011-06-16 18:09 2478272 ----a-w- c:\programdata\Microsoft\VisualStudio\10.0\1033\ResourceCache.dll
2011-06-12 16:37 . 2011-06-12 17:00 -------- d-----w- c:\windows\system32\1033
2011-06-12 16:36 . 2011-06-12 16:36 -------- d-----w- c:\windows\symbols
2011-06-12 16:36 . 2011-06-12 16:55 -------- d-----w- c:\program files\Microsoft SDKs
2011-06-12 16:36 . 2011-06-12 16:41 -------- d-----w- c:\program files\Microsoft F#
2011-06-12 16:36 . 2011-06-12 16:39 -------- d-----w- c:\program files\HTML Help Workshop
2011-06-12 16:36 . 2011-06-15 19:56 -------- d-----w- c:\program files\Common Files\Merge Modules
2011-06-12 16:36 . 2011-06-12 16:36 -------- d-----w- c:\program files\Microsoft Help Viewer
2011-06-12 16:33 . 2011-06-12 16:33 -------- d-----w- c:\program files\Microsoft Visual Studio 9.0
2011-06-12 13:10 . 2011-06-12 13:10 -------- d-----w- c:\users\Dimitrije\AppData\Roaming\OpenOffice.org
2011-06-09 14:25 . 2011-06-09 14:25 -------- d-----w- C:\Program Files (x86)
2011-06-09 14:23 . 2011-06-09 14:23 -------- d-----w- c:\program files\VirtualDJ
2011-06-08 12:33 . 2011-06-08 12:33 -------- d-----w- c:\users\Dimitrije\AppData\Roaming\com.adobe.dmp.contentviewer
2011-06-05 11:41 . 2011-06-05 11:41 -------- d-----w- c:\users\Dimitrije\AppData\Roaming\Nokia Ovi Suite
2011-06-05 11:38 . 2011-06-05 11:38 -------- d-----w- c:\programdata\Nokia
2011-06-05 11:36 . 2011-06-05 11:36 -------- d-----w- c:\users\Dimitrije\AppData\Local\Nokia
2011-06-05 11:33 . 2008-08-26 08:26 18816 ----a-w- c:\windows\system32\drivers\pccsmcfd.sys
2011-06-05 11:33 . 2011-06-05 11:33 -------- d-----w- c:\program files\PC Connectivity Solution
2011-06-05 11:32 . 2011-06-05 11:33 -------- d-----w- c:\program files\Nokia
2011-06-01 13:56 . 2011-06-01 13:56 -------- d-----w- c:\program files\Common Files\PX Storage Engine
2011-06-01 13:56 . 2011-06-18 09:31 -------- d-----w- c:\users\Dimitrije\AppData\Roaming\Winamp
2011-05-31 20:36 . 2011-06-17 12:29 17480 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
2011-05-30 13:40 . 2011-05-30 13:40 -------- d-----w- c:\program files\Microsoft CAPICOM 2.1.0.2
2011-05-29 08:09 . 2011-06-18 09:43 -------- d-----w- c:\programdata\IObit
2011-05-29 07:23 . 2011-05-29 07:23 -------- d-----w- c:\users\Dimitrije\AppData\Roaming\FLEXnet
2011-05-29 07:23 . 2011-05-29 07:23 -------- d-----w- c:\users\Dimitrije\AppData\Roaming\Zeon
2011-05-29 07:23 . 2011-05-29 07:23 -------- d-----w- c:\users\Dimitrije\AppData\Roaming\ScanSoft
2011-05-29 07:18 . 2011-05-29 07:18 -------- d-----w- c:\users\Dimitrije\AppData\Roaming\Nuance
2011-05-29 07:18 . 2011-05-29 07:18 -------- d-----w- c:\programdata\ScanSoft
2011-05-29 07:17 . 2011-05-29 07:17 -------- d-----w- c:\programdata\FLEXnet
2011-05-29 07:17 . 2011-05-29 07:17 -------- d-----w- c:\program files\Nuance
2011-05-29 07:15 . 2011-05-29 07:15 -------- d-----w- c:\program files\Common Files\InstallShield
2011-05-28 09:24 . 2010-05-21 10:11 475648 ----a-w- c:\windows\system32\MyDefragScreenSaver_v4.3.1.scr
2011-05-28 09:24 . 2010-05-21 10:11 1061888 ----a-w- c:\windows\system32\MyDefragScreenSaver_v4.3.1.exe
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-06-15 20:21 . 2011-05-17 20:55 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-05-29 07:11 . 2011-03-07 19:28 39984 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-05-29 07:11 . 2011-03-07 19:28 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-05-18 19:33 . 2011-05-18 19:33 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-05-11 07:39 . 2011-05-11 07:39 77004 ----a-w- c:\windows\system32\drivers\AFS.SYS
2011-05-10 12:10 . 2011-03-07 18:33 40112 ----a-w- c:\windows\avastSS.scr
2011-05-10 12:10 . 2011-03-07 18:33 199304 ----a-w- c:\windows\system32\aswBoot.exe
2011-05-10 12:03 . 2011-03-07 18:33 441176 ----a-w- c:\windows\system32\drivers\aswSnx.sys
2011-05-10 12:03 . 2011-03-07 18:34 307928 ----a-w- c:\windows\system32\drivers\aswSP.sys
2011-05-10 12:02 . 2011-03-07 18:33 49240 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2011-05-10 11:59 . 2011-03-07 18:34 25432 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2011-05-10 11:59 . 2011-03-07 18:33 53592 ----a-w- c:\windows\system32\drivers\aswMonFlt.sys
2011-05-10 11:59 . 2011-03-07 18:34 19544 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2011-05-10 08:13 . 2011-01-06 16:36 82400 ----a-w- c:\windows\system32\drivers\inspect.sys
2011-05-08 10:31 . 2011-05-08 10:31 31744 ----a-w- c:\windows\system32\maplec.dll
2011-05-08 10:31 . 2011-05-08 10:31 212992 ----a-w- c:\windows\system32\WMIMPLEX.dll
2011-05-08 10:31 . 2011-05-08 10:31 20480 ----a-w- c:\windows\system32\maplecompat.dll
2011-05-05 07:54 . 2010-12-29 00:42 284744 ----a-w- c:\windows\system32\guard32.dll
2011-05-05 07:54 . 2011-01-06 16:36 37592 ----a-w- c:\windows\system32\drivers\cmdhlp.sys
2011-05-05 07:54 . 2011-01-06 16:36 238960 ----a-w- c:\windows\system32\drivers\cmdGuard.sys
2011-05-05 07:54 . 2011-01-06 16:36 19088 ----a-w- c:\windows\system32\drivers\cmderd.sys
2011-04-22 10:15 . 2011-04-22 10:15 87888 ----a-w- c:\windows\system32\vcomp100d.dll
2011-04-22 10:15 . 2011-04-22 10:15 80720 ----a-w- c:\windows\system32\mfcm100u.dll
2011-04-22 10:15 . 2011-04-22 10:15 80208 ----a-w- c:\windows\system32\mfcm100.dll
2011-04-22 10:15 . 2011-04-22 10:15 768848 ----a-w- c:\windows\system32\msvcr100.dll
2011-04-22 10:15 . 2011-04-22 10:15 743248 ----a-w- c:\windows\system32\msvcp100d.dll
2011-04-22 10:15 . 2011-04-22 10:15 6994256 ----a-w- c:\windows\system32\mfc100ud.dll
2011-04-22 10:15 . 2011-04-22 10:15 6926672 ----a-w- c:\windows\system32\mfc100d.dll
2011-04-22 10:15 . 2011-04-22 10:15 64336 ----a-w- c:\windows\system32\mfc100fra.dll
2011-04-22 10:15 . 2011-04-22 10:15 64336 ----a-w- c:\windows\system32\mfc100deu.dll
2011-04-22 10:15 . 2011-04-22 10:15 63824 ----a-w- c:\windows\system32\mfc100esn.dll
2011-04-22 10:15 . 2011-04-22 10:15 62288 ----a-w- c:\windows\system32\mfc100ita.dll
2011-04-22 10:15 . 2011-04-22 10:15 60752 ----a-w- c:\windows\system32\mfc100rus.dll
2011-04-22 10:15 . 2011-04-22 10:15 55120 ----a-w- c:\windows\system32\mfc100enu.dll
2011-04-22 10:15 . 2011-04-22 10:15 51024 ----a-w- c:\windows\system32\vcomp100.dll
2011-04-22 10:15 . 2011-04-22 10:15 43856 ----a-w- c:\windows\system32\mfc100jpn.dll
2011-04-22 10:15 . 2011-04-22 10:15 4368720 ----a-w- c:\windows\system32\mfc100u.dll
2011-04-22 10:15 . 2011-04-22 10:15 4342600 ----a-w- c:\windows\system32\mfc100.dll
2011-04-22 10:15 . 2011-04-22 10:15 43344 ----a-w- c:\windows\system32\mfc100kor.dll
2011-04-22 10:15 . 2011-04-22 10:15 421200 ----a-w- c:\windows\system32\msvcp100.dll
2011-04-22 10:15 . 2011-04-22 10:15 36176 ----a-w- c:\windows\system32\mfc100cht.dll
2011-04-22 10:15 . 2011-04-22 10:15 36176 ----a-w- c:\windows\system32\mfc100chs.dll
2011-04-22 10:15 . 2011-04-22 10:15 1497936 ----a-w- c:\windows\system32\msvcr100d.dll
2011-04-22 10:15 . 2011-04-22 10:15 137544 ----a-w- c:\windows\system32\atl100.dll
2011-04-22 10:15 . 2011-04-22 10:15 104784 ----a-w- c:\windows\system32\mfcm100ud.dll
2011-04-22 10:15 . 2011-04-22 10:15 103248 ----a-w- c:\windows\system32\mfcm100d.dll
2011-04-18 16:01 . 2003-03-18 19:14 499712 ----a-w- c:\windows\system32\msvcp71.dll
2011-04-18 16:01 . 2003-02-21 03:42 348160 ----a-w- c:\windows\system32\msvcr71.dll
2011-04-09 06:13 . 2011-05-11 07:29 3957632 ----a-w- c:\windows\system32\ntkrnlpa.exe
2011-04-09 06:13 . 2011-05-11 07:29 3901824 ----a-w- c:\windows\system32\ntoskrnl.exe
2011-04-09 05:56 . 2011-05-23 19:04 123904 ----a-w- c:\windows\system32\poqexec.exe
2011-04-06 08:44 . 2011-04-06 08:44 409088 ----a-w- c:\windows\system32\systemcpl.dll
2011-04-06 08:44 . 2011-03-06 17:22 13824 ----a-w- c:\windows\system32\slwga.dll
2011-04-03 09:55 . 2011-04-03 09:55 86528 ----a-w- c:\windows\system32\iesysprep.dll
2011-04-03 09:55 . 2011-04-03 09:55 76800 ----a-w- c:\windows\system32\SetIEInstalledDate.exe
2011-04-03 09:55 . 2011-04-03 09:55 74752 ----a-w- c:\windows\system32\RegisterIEPKEYs.exe
2011-04-03 09:55 . 2011-04-03 09:55 48640 ----a-w- c:\windows\system32\mshtmler.dll
2011-04-03 09:55 . 2011-04-03 09:55 161792 ----a-w- c:\windows\system32\msls31.dll
2011-04-03 09:55 . 2011-04-03 09:55 1126912 ----a-w- c:\windows\system32\wininet.dll
2011-04-03 09:55 . 2011-04-03 09:55 110592 ----a-w- c:\windows\system32\IEAdvpack.dll
2011-04-03 09:55 . 2011-04-03 09:55 74752 ----a-w- c:\windows\system32\iesetup.dll
2011-04-03 09:55 . 2011-04-03 09:55 63488 ----a-w- c:\windows\system32\tdc.ocx
2011-04-03 09:55 . 2011-04-03 09:55 420864 ----a-w- c:\windows\system32\vbscript.dll
2011-04-03 09:55 . 2011-04-03 09:55 367104 ----a-w- c:\windows\system32\html.iec
2011-04-03 09:55 . 2011-04-03 09:55 35840 ----a-w- c:\windows\system32\imgutil.dll
2011-04-03 09:55 . 2011-04-03 09:55 23552 ----a-w- c:\windows\system32\licmgr10.dll
2011-04-03 09:55 . 2011-04-03 09:55 152064 ----a-w- c:\windows\system32\wextract.exe
2011-04-03 09:55 . 2011-04-03 09:55 150528 ----a-w- c:\windows\system32\iexpress.exe
2011-04-03 09:55 . 2011-04-03 09:55 142848 ----a-w- c:\windows\system32\ieUnatt.exe
2011-04-03 09:55 . 2011-04-03 09:55 1427456 ----a-w- c:\windows\system32\inetcpl.cpl
2011-04-03 09:55 . 2011-04-03 09:55 11776 ----a-w- c:\windows\system32\mshta.exe
2011-04-03 09:55 . 2011-04-03 09:55 101888 ----a-w- c:\windows\system32\admparse.dll
.
.
(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
---- Directory of c:\users\Dimitrije\AppData\Local\NPE ----
.
2011-06-17 12:44 . 2011-06-17 12:44 563 ----a-w- c:\users\Dimitrije\AppData\Local\NPE\ErrMgmt\Queue\Incoming\SQ_{BE4ADDF2-560F-4F26-9501-19E6079BB8AC}\SQInfo.DAT
2011-06-17 12:44 . 2011-06-17 12:37 3014656 ----a-w- c:\users\Dimitrije\AppData\Local\NPE\ErrMgmt\Queue\Incoming\SQ_{BE4ADDF2-560F-4F26-9501-19E6079BB8AC}\SQ_{6E2AF515-0F66-4AFE-B749-161A01FBF97F}.etl
2011-06-17 12:44 . 2011-06-17 12:44 31160 ----a-w- c:\users\Dimitrije\AppData\Local\NPE\ErrorInstances\CA84AF9B\5D1D833D-3D34-4115-9892-7122BCA284DF.dat
2011-06-17 12:43 . 2011-06-17 12:43 563 ----a-w- c:\users\Dimitrije\AppData\Local\NPE\ErrMgmt\Queue\Incoming\SQ_{192E3B46-AAAB-4E6F-AA3D-D7EB451DC0FA}\SQInfo.DAT
2011-06-17 12:43 . 2011-06-17 12:37 2097152 ----a-w- c:\users\Dimitrije\AppData\Local\NPE\ErrMgmt\Queue\Incoming\SQ_{192E3B46-AAAB-4E6F-AA3D-D7EB451DC0FA}\SQ_{A3848599-519D-4AFE-B3B0-7529D002DCCC}.etl
2011-06-17 12:43 . 2011-06-17 12:43 30536 ----a-w- c:\users\Dimitrije\AppData\Local\NPE\ErrorInstances\CA84AF9B\8697E5B4-82ED-4D72-8BC1-5042B49B3BAB.dat
2011-06-17 12:42 . 2011-06-17 12:42 563 ----a-w- c:\users\Dimitrije\AppData\Local\NPE\ErrMgmt\Queue\Incoming\SQ_{87A367ED-F2FC-4450-B3E3-3B81C9075EC3}\SQInfo.DAT
2011-06-17 12:42 . 2011-06-17 12:37 1179648 ----a-w- c:\users\Dimitrije\AppData\Local\NPE\ErrMgmt\Queue\Incoming\SQ_{87A367ED-F2FC-4450-B3E3-3B81C9075EC3}\SQ_{DFA0B13F-3855-410A-9134-258A1881AA10}.etl
2011-06-17 12:42 . 2011-06-17 12:42 29894 ----a-w- c:\users\Dimitrije\AppData\Local\NPE\ErrorInstances\CA84AF9B\0126B0C4-3DBB-469B-89A5-8E4EDB071AFD.dat
2011-06-17 12:40 . 2011-06-17 12:40 196608 ----a-w- c:\users\Dimitrije\AppData\Local\NPE\NPETraceSessionBoot.etl
2011-06-17 12:36 . 2011-06-17 12:45 3145728 ----a-w- c:\users\Dimitrije\AppData\Local\NPE\NPETraceSession.etl
2011-06-17 12:36 . 2011-06-17 12:45 6656 ----a-w- c:\users\Dimitrije\AppData\Local\NPE\ErrMgmt\SQCLIENT.dat
.
---- Directory of c:\windows\system32\1033 ----
.
2010-03-18 21:21 . 2010-03-18 21:21 17760 ----a-w- c:\windows\system32\1033\vsjitdebuggerui.dll
2008-07-10 00:38 . 2008-07-10 00:38 229912 ----a-w- c:\windows\system32\1033\sqlnclir10.rll
2008-07-03 19:32 . 2008-07-03 19:32 99118 ----a-w- c:\windows\system32\1033\s10ch_sqlncli.chm
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
@="{472083B0-C522-11CF-8763-00608CC02F24}"
[HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
2011-05-10 12:10 122512 ----a-w- d:\program files\AVAST Software\Avast\ashShell.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"COMODO_TimeMachine"="d:\program files\COMODO\Time Machine\CTMTRAY.exe" [2010-07-20 4910904]
"avast"="d:\program files\AVAST Software\Avast\avastUI.exe" [2011-05-10 3459712]
"COMODO Internet Security"="d:\program files\COMODO\COMODO Internet Security\cfp.exe" [2011-05-10 2552648]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\SharedTaskScheduler]
"{1984DD45-52CF-49cd-AB77-18F378FEA264}"= "d:\program files\Stardock\Fences\FencesMenu.dll" [2010-06-22 202088]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\System32\guard32.dll
.
[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Watch.lnk]
backup=c:\windows\pss\Watch.lnk.CommonStartup
backupExtension=.CommonStartup
.
[HKLM\~\startupfolder\C:^Users^Dimitrije^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^Stardock ObjectDock.lnk]
backup=c:\windows\pss\Stardock ObjectDock.lnk.Startup
backupExtension=.Startup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NokiaMServer]
c:\program files\Common Files\Nokia\MPlatform\NokiaMServer [X]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdobeAAMUpdater-1.0]
2011-03-15 15:42 499608 ------w- c:\program files\Common Files\Adobe\OOBE\PDApp\UWA\updaterstartuputility.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdobeCS5.5ServiceManager]
2011-01-12 05:08 1523360 ----a-w- c:\program files\Common Files\Adobe\CS5.5ServiceManager\CS5.5ServiceManager.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdobeCS5ServiceManager]
2010-02-22 02:57 406992 ----a-w- c:\program files\Common Files\Adobe\CS5ServiceManager\CS5ServiceManager.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BCSSync]
2010-01-21 16:22 91520 ----a-w- c:\program files\Microsoft Office\Office14\BCSSync.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools Lite]
2011-01-20 09:20 1305408 ----a-w- d:\program files\DAEMON Tools Lite\DTLite.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DeviceDiscovery]
2003-05-21 16:37 229437 ----a-w- c:\program files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\FixCamera]
2007-07-11 14:09 20480 ----a-w- c:\windows\FixCamera.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Component Manager]
2003-10-23 17:51 233472 ----a-w- c:\program files\HP\hpcoretech\hpcmpmgr.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
2003-06-25 09:24 49152 ----a-w- c:\program files\Hewlett-Packard\HP Software Update\hpwuSchd.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Malwarebytes' Anti-Malware (reboot)]
2011-05-29 07:11 1047656 ----a-w- d:\program files\Malwarebytes' Anti-Malware\mbam.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroCheck]
2001-07-09 00:50 155648 ----a-w- c:\windows\System32\NeroCheck.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NokiaOviSuite2]
2011-05-20 14:56 724536 ----a-w- c:\program files\Nokia\Nokia Ovi Suite\NokiaOviSuite.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PC Suite Tray]
2010-12-21 10:53 1483264 ----a-w- d:\program files\Nokia\Nokia PC Suite 7\PCSuite.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PWRISOVM.EXE]
2010-04-12 08:40 180224 ----a-w- d:\program files\PowerISO\PWRISOVM.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-11-29 15:38 421888 ----a-w- d:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SandboxieControl]
2011-03-24 11:24 409320 ----a-w- d:\program files\Sandboxie\SbieCtrl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
2011-06-15 13:02 15141768 ----a-r- c:\program files\Skype\Phone\Skype.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\snp2std]
2007-05-10 14:58 344064 ----a-w- c:\windows\vsnp2std.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SwitchBoard]
2010-02-19 11:37 517096 ----a-w- c:\program files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
2011-04-18 16:01 273544 ----a-w- c:\program files\Real\RealPlayer\Update\realsched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\tsnp2std]
2007-05-12 09:19 270336 ----a-w- c:\windows\tsnp2std.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\vmware-tray]
2010-11-11 12:47 129648 ----a-w- d:\program files\VMware\vmware-tray.exe
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"RocketDock"="d:\program files\RocketDock\RocketDock.exe"
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe"
"Nuance OmniPage 17-reminder"="d:\program files\Nuance\OmniPage17\Ereg\Ereg.exe" -r "c:\programdata\ScanSoft\OmniPage 17\Ereg\Ereg.ini"
.
R1 SASDIFSV;SASDIFSV;c:\users\DIMITR~1\AppData\Local\Temp\SAS_SelfExtract\SASDIFSV.SYS [x]
R1 SASKUTIL;SASKUTIL;c:\users\DIMITR~1\AppData\Local\Temp\SAS_SelfExtract\SASKUTIL.SYS [x]
R2 AdvancedSystemCareService;Advanced SystemCare Service;d:\program files\IObit\Advanced SystemCare 4\ASCService.exe [x]
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R3 Aken;Aken;d:\program files\0 A.D. alpha\binaries\system\aken.sys [x]
R3 BthAvrcp;Bluetooth AVRCP Profile;c:\windows\system32\DRIVERS\BthAvrcp.sys [2009-08-13 22528]
R3 epmntdrv;epmntdrv;c:\windows\system32\epmntdrv.sys [2011-03-24 14216]
R3 EuGdiDrv;EuGdiDrv;c:\windows\system32\EuGdiDrv.sys [2011-03-24 8456]
R3 Microsoft SharePoint Workspace Audit Service;Microsoft SharePoint Workspace Audit Service;c:\program files\Microsoft Office\Office14\GROOVE.EXE [2010-01-21 30963576]
R3 nmwcdnsu;Nokia USB Flashing Phone Parent;c:\windows\system32\drivers\nmwcdnsu.sys [2010-12-02 137600]
R3 nmwcdnsuc;Nokia USB Flashing Generic;c:\windows\system32\drivers\nmwcdnsuc.sys [2010-12-02 8576]
R3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2010-01-09 4640000]
R3 PSI;PSI;c:\windows\system32\DRIVERS\psi_mf.sys [2010-09-01 15544]
R3 VSPerfDrv100;Performance Tools Driver 10.0;d:\program files\Microsoft Visual Studio 10.0\Team Tools\Performance Tools\VSPerfDrv100.sys [2009-12-08 48128]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2011-04-03 1343400]
R4 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2011-03-07 136176]
R4 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [2011-03-07 136176]
R4 MSSQLServerADHelper100;SQL Active Directory Helper Service;c:\program files\Microsoft SQL Server\100\Shared\SQLADHLP.EXE [2009-07-23 47128]
R4 RsFx0103;RsFx0103 Driver;c:\windows\system32\DRIVERS\RsFx0103.sys [2009-03-30 239336]
R4 Secunia PSI Agent;Secunia PSI Agent;d:\program files\Secunia\PSI\PSIA.exe [2011-01-10 993848]
R4 Secunia Update Agent;Secunia Update Agent;d:\program files\Secunia\PSI\sua.exe [2011-01-10 399416]
R4 SQLAgent$SQLEXPRESS;SQL Server Agent (SQLEXPRESS);c:\program files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\SQLAGENT.EXE [2009-03-30 366936]
R4 SwitchBoard;SwitchBoard;c:\program files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [2010-02-19 517096]
S0 AFS;AFS; [x]
S1 aswSnx;aswSnx; [x]
S1 aswSP;aswSP; [x]
S1 cmdGuard;COMODO Internet Security Sandbox Driver;c:\windows\system32\DRIVERS\cmdguard.sys [2011-05-05 238960]
S1 cmdHlp;COMODO Internet Security Helper Driver;c:\windows\system32\DRIVERS\cmdhlp.sys [2011-05-05 37592]
S1 dtsoftbus01;DAEMON Tools Virtual Bus Driver;c:\windows\system32\DRIVERS\dtsoftbus01.sys [2011-03-11 218688]
S2 aswFsBlk;aswFsBlk; [x]
S2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [2011-05-10 53592]
S2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;c:\program files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe [2011-01-07 378984]
S2 vmci;VMware vmci;c:\windows\system32\Drivers\vmci.sys [2010-11-11 70768]
S2 VMUSBArbService;VMware USB Arbitration Service;c:\program files\Common Files\VMware\USB\vmware-usbarbitrator.exe [2010-11-11 539248]
S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt86win7.sys [2011-01-21 328808]
.
.
Contents of the 'Scheduled Tasks' folder
.
2011-06-24 c:\windows\Tasks\GlaryInitialize.job
- d:\program files\Glary Utilities\initialize.exe [2011-03-18 06:25]
.
2011-06-19 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-03-07 18:34]
.
2011-06-19 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-03-07 18:34]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = 127.0.0.1
IE: + Offline &Explorer: Download the link - file://d:\program files\Offline Explorer\Add_UrlO.htm
IE: + Offline E&xplorer: Download the current page - file://d:\program files\Offline Explorer\Add_AllO.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office14\EXCEL.EXE/3000
IE: LastPass - file://d:\program files\LastPass\context.html?cmd=lastpass
IE: LastPass ?????????? ????????? - file://d:\program files\LastPass\context.html?cmd=fillforms
IE: Se&nd to OneNote - c:\progra~1\MICROS~2\Office14\ONBttnIE.dll/105
LSP: d:\program files\VMware\vsocklib.dll
TCP: DhcpNameServer = 192.168.1.1
TCP: Interfaces\{97D69B6F-5FE6-455F-9758-1CE371667471}: NameServer = 156.154.70.22,156.154.71.22
FF - ProfilePath - c:\users\Dimitrije\AppData\Roaming\Mozilla\Firefox\Profiles\ymjltxfa.default\
FF - prefs.js: browser.search.selectedEngine - Yahoo
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?ei=utf-8&fr=greentree_ff1&type=685749&p=
FF - user.js: network.http.max-connections-per-server - 8
FF - user.js: network.http.max-persistent-connections-per-server - 4
FF - user.js: nglayout.initialpaint.delay - 600
FF - user.js: content.notify.interval - 600000
FF - user.js: content.max.tokenizing.time - 1800000
FF - user.js: content.switch.threshold - 600000
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'lsass.exe'(684)
c:\windows\system32\guard32.dll
.
- - - - - - - > 'Explorer.exe'(2772)
d:\program files\Stardock\Fences\FencesMenu.dll
d:\program files\stardock\fences\DesktopDock.dll
d:\program files\Nokia\Nokia PC Suite 7\PhoneBrowser.dll
d:\program files\Nokia\Nokia PC Suite 7\NGSCM.DLL
d:\program files\Nokia\Nokia PC Suite 7\Lang\PhoneBrowser_eng-us.nlr
d:\program files\Nokia\Nokia PC Suite 7\Resource\PhoneBrowser_Nokia.ngr
c:\windows\system32\nvshext.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\nvvsvc.exe
d:\program files\COMODO\COMODO Internet Security\cmdagent.exe
c:\program files\NVIDIA Corporation\Display\NvXDSync.exe
c:\windows\system32\nvvsvc.exe
d:\program files\Sandboxie\SbieSvc.exe
d:\program files\AVAST Software\Avast\AvastSvc.exe
d:\program files\COMODO\Time Machine\ClientService.exe
c:\program files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.exe
c:\windows\system32\sppsvc.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlwriter.exe
c:\windows\system32\vmnat.exe
c:\windows\system32\vmnetdhcp.exe
d:\program files\VMware\vmware-authd.exe
c:\windows\system32\taskhost.exe
c:\windows\system32\conhost.exe
c:\program files\Windows Media Player\wmpnetwk.exe
.
**************************************************************************
.
Completion time: 2011-06-24 23:24:00 - machine was rebooted
ComboFix-quarantined-files.txt 2011-06-24 21:24
ComboFix2.txt 2011-06-24 18:54
.
Pre-Run: 18.370.887.680 bytes free
Post-Run: 18.024.091.648 bytes free
.
- - End Of File - - 8AB0C8803238ADFF8882BA8B17A90DB1



Addendum: 25 Jun 2011 15:27

Any help?

  • magna86
  • Anti Malware Fighter, Rank 2
  • Joined: 21 Jun 2008
  • Posts: 6103

How is the computer running now? Is avast Antivirus still reporting anything?

  • Joined: 26 Feb 2011
  • Posts: 164

The computer was working fine before as well. Yes, Avast still reports the same thing. But what is strange to me is that it finds nothing when I scan the Windows folder. I just did exactly that, and after about 5 seconds the window pops up again saying there is a rootkit; here is a picture too:

I must also note that it is not the same file in question. As far as I remember it was something starting with "s".
And when I tell it to delete the file, it won't; I just checked.

  • magna86
  • Anti Malware Fighter, Rank 2
  • Joined: 21 Jun 2008
  • Posts: 6103

@Inovator25
Here is how things stand:
The posted logs show no traces of a malicious rootkit, only entries that belong to the operating system itself. But on certain items the logs do not agree with each other.
For that reason we are going to check this much "deeper" and see what is going on.

....................................

Do the following according to the instructions.

1.

You need to make hidden files and folders visible. You can read how to do that here:
http://www.mycity.rs/Uputstva/Kako-videti-skrivene-fajlove.html

You need to find the following files and send them to us for checking.


C:\Windows\System32\drivers\srv.sys
C:\Windows\System32\win32k.sys
C:\Windows\system32\drivers\tcpip.sys
C:\Windows\system32\DRIVERS\mrxsmb.sys

Upload the files via the following link:
http://www.mycity.rs/ambulanta-upload.php



2.

Download MBRCheck from the following address to the Desktop:

MBRCheck Download Link
Right-click the link and choose Save Target As... (Save Link As..., Save Linked Content As... or similar);
When the dialog for choosing the save location opens, select Desktop and click Save.



When the download has finished:

Disable your protection software (instructions)
Run the program by double-clicking it
If the program detects irregularities in the MBR ("Found non-standard or infected MBR. Enter 'Y' and hit ENTER for more options, or 'N' to exit"), press N and then Enter (twice)
If nothing is found ("Done! Press ENTER to exit..."), press Enter (once)

After this, a txt file named MBRCheck_mm.dd.yy_hh.mm.ss should appear on the Desktop
(mm.dd.yy.hh.mm.ss <-- stands for the date and time the program was run)

Copy the contents of this txt file into your next post:
Open MBRCheck_mm.dd.yy_hh.mm.ss.txt by double-clicking it, right-click inside the Notepad window and choose Select All;
right-click the highlighted text and choose Copy;
right-click in the message box and choose Paste.
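
The following is an added example for readers of this thread; it is not one of the original posts and not the tool magna86 asked for. It does locally, on the affected machine, what steps 1 and 2 above are after: it records version, Authenticode status and SHA-256 for the four drivers listed in step 1, and it reads sector 0 of the disk raw and hashes the MBR boot code so the result can be compared with a known-clean disk. Assumptions: it is run from an elevated PowerShell prompt, `\\.\PhysicalDrive0` is the boot disk (change the device name if it is not), the paths are the standard ones, and it is written for Windows PowerShell 2.0 (the Windows 7 era of this thread), so it avoids Get-FileHash and [PSCustomObject]. The function names are the example's own.

```powershell
# Added example (not from the thread). Run from an elevated PowerShell prompt.
# Targets Windows PowerShell 2.0, hence no Get-FileHash / [PSCustomObject].

# The four files the helper asked to have uploaded for checking (assumed paths).
$Files = @(
    "$env:SystemRoot\System32\drivers\srv.sys",
    "$env:SystemRoot\System32\win32k.sys",
    "$env:SystemRoot\System32\drivers\tcpip.sys",
    "$env:SystemRoot\System32\drivers\mrxsmb.sys"
)

function Get-Sha256Hex([byte[]]$Bytes) {
    $sha = [System.Security.Cryptography.SHA256]::Create()
    try     { ($sha.ComputeHash($Bytes) | ForEach-Object { $_.ToString('x2') }) -join '' }
    finally { $sha.Clear() }
}

function Test-DriverFile([string]$Path) {
    if (-not (Test-Path -LiteralPath $Path)) {
        return New-Object PSObject -Property @{ Path = $Path; Status = 'MISSING' }
    }
    $item = Get-Item -LiteralPath $Path
    $ver  = $item.VersionInfo
    $sig  = Get-AuthenticodeSignature -FilePath $Path
    $signer = '<none>'
    if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }

    # Verdict. 'NotSigned' is NOT proof of tampering: on Windows 7 most system
    # binaries are catalog-signed and this cmdlet (before PowerShell 5) does not
    # consult catalogs, so those files need a hash comparison instead.
    $status = 'ok'
    switch ($sig.Status) {
        'Valid'     { if ($signer -notlike '*Microsoft*') { $status = 'SUSPECT' } }
        'NotSigned' { $status = 'CHECK-HASH' }
        default     { $status = 'SUSPECT' }   # HashMismatch, NotTrusted, ...
    }
    if ($ver.CompanyName -notlike 'Microsoft*') { $status = 'SUSPECT' }

    New-Object PSObject -Property @{
        Path      = $Path
        Size      = $item.Length
        Modified  = $item.LastWriteTimeUtc
        Version   = $ver.FileVersion
        Company   = $ver.CompanyName
        SigStatus = $sig.Status
        Signer    = $signer
        Sha256    = Get-Sha256Hex ([System.IO.File]::ReadAllBytes($Path))
        Status    = $status
    }
}

function Read-Mbr([string]$Device = '\\.\PhysicalDrive0') {
    # Raw read of sector 0 through the disk device object. Needs administrator
    # rights; FileShare.ReadWrite is required because the OS holds the device open.
    $ctorArgs = @($Device, [System.IO.FileMode]::Open,
                  [System.IO.FileAccess]::Read, [System.IO.FileShare]::ReadWrite)
    $fs = New-Object System.IO.FileStream -ArgumentList $ctorArgs
    try {
        $buf = New-Object byte[] 512
        $n = $fs.Read($buf, 0, 512)
        if ($n -ne 512) { throw "short read from ${Device}: $n bytes" }
        return $buf
    } finally { $fs.Close() }
}

function ConvertFrom-Mbr([byte[]]$Mbr) {
    $parts = @()
    for ($i = 0; $i -lt 4; $i++) {
        $o = 446 + 16 * $i          # partition table: 4 entries x 16 bytes at offset 446
        $parts += New-Object PSObject -Property @{
            Index    = $i
            Bootable = ($Mbr[$o] -eq 0x80)
            Type     = '0x{0:X2}' -f $Mbr[$o + 4]
            StartLba = [BitConverter]::ToUInt32($Mbr, $o + 8)
            Sectors  = [BitConverter]::ToUInt32($Mbr, $o + 12)
        }
    }
    # Hash only the boot code (bytes 0-439). The disk signature (440-443) and the
    # partition table legitimately differ between machines; the boot code of a
    # stock Windows MBR does not, so its hash is what you compare.
    $code = New-Object byte[] 440
    [Array]::Copy($Mbr, 0, $code, 0, 440)
    New-Object PSObject -Property @{
        SignatureOk  = (($Mbr[510] -eq 0x55) -and ($Mbr[511] -eq 0xAA))
        BootCodeHash = Get-Sha256Hex $code
        Partitions   = $parts
    }
}

$report = $Files | ForEach-Object { Test-DriverFile $_ }
$report | Format-Table Status, SigStatus, Version, Company, Sha256, Path -AutoSize

$mbr = ConvertFrom-Mbr (Read-Mbr)
"MBR 0x55AA signature present : $($mbr.SignatureOk)"
"MBR boot code SHA-256        : $($mbr.BootCodeHash)"
$mbr.Partitions | Format-Table Index, Bootable, Type, StartLba, Sectors -AutoSize
```

Two caveats a practitioner would attach to the output. First, everything above is read from inside the running OS: a kernel-mode rootkit that hooks the file system or the disk stack can hand clean bytes to any user-mode reader, which is exactly why "the logs do not agree with each other" is the interesting finding here, and why the decisive check is the same read (and `sfc /verifyonly`, which has the same blind spot when run on the live system) repeated from boot media or with the disk attached to a clean machine. Second, a "non-standard" MBR is not by itself evidence of a bootkit: snapshot/rollback products such as COMODO Time Machine, whose CTM* drivers appear in the MBRCheck driver list below, typically install their own pre-boot code, so compare the boot-code hash against a machine with the same software, not only against a bare Windows install.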

  • Joined: 26 Feb 2011
  • Posts: 164

The files have been sent. Avast still keeps reporting the rootkit. Here is the log you asked for:

MBRCheck, version 1.2.3
(c) 2010, AD

Command-line:
Windows Version: Windows 7 Ultimate Edition
Windows Information: (build 7600), 32-bit
Base Board Manufacturer: Gigabyte Technology Co., Ltd.
BIOS Manufacturer: Award Software International, Inc.
System Manufacturer: Gigabyte Technology Co., Ltd.
System Product Name: P35-DS3L
Logical Drives Mask: 0x0000003c

Kernel Drivers (total 211):
0x83241000 \SystemRoot\system32\ntkrnlpa.exe
0x8320A000 \SystemRoot\system32\halmacpi.dll
0x80BCD000 \SystemRoot\system32\kdcom.dll
0x83C12000 \SystemRoot\system32\mcupdate_GenuineIntel.dll
0x83C8A000 \SystemRoot\system32\PSHED.dll
0x83C9B000 \SystemRoot\system32\BOOTVID.dll
0x83CA3000 \SystemRoot\system32\CLFS.SYS
0x83CE5000 \SystemRoot\system32\CI.dll
0x83E03000 \SystemRoot\system32\drivers\Wdf01000.sys
0x83E74000 \SystemRoot\system32\drivers\WDFLDR.SYS
0x83E82000 \SystemRoot\system32\DRIVERS\ACPI.sys
0x83ECA000 \SystemRoot\system32\DRIVERS\WMILIB.SYS
0x83ED3000 \SystemRoot\system32\DRIVERS\msisadrv.sys
0x83EDB000 \SystemRoot\system32\DRIVERS\pci.sys
0x83F05000 \SystemRoot\system32\DRIVERS\vdrvroot.sys
0x83F10000 \SystemRoot\System32\drivers\partmgr.sys
0x83F21000 \SystemRoot\system32\DRIVERS\compbatt.sys
0x83F29000 \SystemRoot\system32\DRIVERS\BATTC.SYS
0x83F34000 \SystemRoot\system32\DRIVERS\volmgr.sys
0x83F44000 \SystemRoot\System32\drivers\volmgrx.sys
0x83F8F000 \SystemRoot\system32\DRIVERS\pciide.sys
0x83F96000 \SystemRoot\system32\DRIVERS\PCIIDEX.SYS
0x83FA4000 \SystemRoot\System32\drivers\mountmgr.sys
0x83FBA000 \SystemRoot\system32\DRIVERS\atapi.sys
0x83FC3000 \SystemRoot\system32\DRIVERS\ataport.SYS
0x83FE6000 \SystemRoot\system32\DRIVERS\amdxata.sys
0x83FEF000 \SystemRoot\System32\Drivers\AFS.sys
0x83D90000 \SystemRoot\system32\drivers\fltmgr.sys
0x83DC4000 \SystemRoot\system32\drivers\fileinfo.sys
0x83DD5000 \SystemRoot\System32\Drivers\CTMFLT.sys
0x8403E000 \SystemRoot\System32\Drivers\Ntfs.sys
0x8416D000 \SystemRoot\System32\Drivers\msrpc.sys
0x84198000 \SystemRoot\System32\Drivers\ksecdd.sys
0x84228000 \SystemRoot\System32\Drivers\cng.sys
0x84285000 \SystemRoot\System32\drivers\pcw.sys
0x84293000 \SystemRoot\System32\Drivers\Fs_Rec.sys
0x8429C000 \SystemRoot\system32\drivers\ndis.sys
0x84353000 \SystemRoot\system32\drivers\NETIO.SYS
0x84391000 \SystemRoot\System32\Drivers\ksecpkg.sys
0x89407000 \SystemRoot\System32\drivers\tcpip.sys
0x89550000 \SystemRoot\System32\drivers\fwpkclnt.sys
0x89581000 \SystemRoot\system32\DRIVERS\vmstorfl.sys
0x8958A000 \SystemRoot\system32\DRIVERS\volsnap.sys
0x895C9000 \SystemRoot\System32\Drivers\spldr.sys
0x895D1000 \SystemRoot\System32\drivers\rdyboost.sys
0x843B6000 \SystemRoot\System32\Drivers\mup.sys
0x843C6000 \SystemRoot\System32\drivers\hwpolicy.sys
0x843CE000 \SystemRoot\System32\DRIVERS\fvevol.sys
0x84200000 \SystemRoot\System32\Drivers\CTMSHD.sys
0x841AB000 \SystemRoot\system32\DRIVERS\disk.sys
0x841BC000 \SystemRoot\system32\DRIVERS\CLASSPNP.SYS
0x84000000 \SystemRoot\System32\Drivers\CTMMOUNT.sys
0x841E1000 \SystemRoot\system32\DRIVERS\cdrom.sys
0x8C627000 \SystemRoot\System32\Drivers\aswSnx.SYS
0x8C697000 \SystemRoot\System32\DRIVERS\cmdguard.sys
0x8C6D5000 \SystemRoot\System32\Drivers\Null.SYS
0x8C6DC000 \SystemRoot\System32\Drivers\Beep.SYS
0x8C6E3000 \SystemRoot\System32\drivers\vga.sys
0x8C6EF000 \SystemRoot\System32\drivers\VIDEOPRT.SYS
0x8C710000 \SystemRoot\System32\drivers\watchdog.sys
0x8C71D000 \SystemRoot\System32\DRIVERS\RDPCDD.sys
0x8C725000 \SystemRoot\system32\drivers\rdpencdd.sys
0x8C72D000 \SystemRoot\system32\drivers\rdprefmp.sys
0x8C735000 \SystemRoot\System32\Drivers\Msfs.SYS
0x8C740000 \SystemRoot\System32\Drivers\Npfs.SYS
0x8C74E000 \SystemRoot\system32\DRIVERS\tdx.sys
0x8C765000 \SystemRoot\system32\DRIVERS\TDI.SYS
0x8C770000 \SystemRoot\System32\DRIVERS\cmdhlp.sys
0x8C77B000 \SystemRoot\System32\Drivers\aswTdi.SYS
0x8C785000 \SystemRoot\system32\drivers\afd.sys
0x8C7DF000 \SystemRoot\System32\Drivers\aswRdr.SYS
0x8E203000 \SystemRoot\System32\DRIVERS\netbt.sys
0x8E235000 \SystemRoot\system32\drivers\ws2ifsl.sys
0x8E23E000 \SystemRoot\system32\DRIVERS\wfplwf.sys
0x8E245000 \SystemRoot\system32\DRIVERS\pacer.sys
0x8E264000 \SystemRoot\system32\DRIVERS\inspect.sys
0x8E27A000 \SystemRoot\system32\DRIVERS\netbios.sys
0x8E288000 \SystemRoot\system32\DRIVERS\serial.sys
0x8E2A2000 \SystemRoot\system32\DRIVERS\dtsoftbus01.sys
0x8E2DD000 \SystemRoot\system32\DRIVERS\wanarp.sys
0x8E2F0000 \SystemRoot\system32\DRIVERS\termdd.sys
0x8E300000 \SystemRoot\System32\Drivers\SCDEmu.SYS
0x8E30E000 \SystemRoot\system32\DRIVERS\rdbss.sys
0x8E34F000 \SystemRoot\system32\drivers\nsiproxy.sys
0x8E359000 \SystemRoot\system32\DRIVERS\mssmbios.sys
0x8E363000 \SystemRoot\System32\drivers\discache.sys
0x8E36F000 \SystemRoot\system32\drivers\csc.sys
0x8E3D3000 \SystemRoot\System32\Drivers\dfsc.sys
0x8E3EB000 \SystemRoot\system32\DRIVERS\blbdrive.sys
0x8F03E000 \SystemRoot\System32\Drivers\aswSP.SYS
0x8F088000 \SystemRoot\system32\DRIVERS\tunnel.sys
0x8F0A9000 \SystemRoot\system32\DRIVERS\intelppm.sys
0x94801000 \SystemRoot\system32\DRIVERS\nvlddmkm.sys
0x951FC000 \SystemRoot\System32\Drivers\nvBridge.kmd
0x8F0BB000 \SystemRoot\System32\drivers\dxgkrnl.sys
0x8F172000 \SystemRoot\System32\drivers\dxgmms1.sys
0x8F1AB000 \SystemRoot\system32\DRIVERS\usbuhci.sys
0x96E04000 \SystemRoot\system32\DRIVERS\USBPORT.SYS
0x96E4F000 \SystemRoot\system32\DRIVERS\usbehci.sys
0x96E5E000 \SystemRoot\system32\DRIVERS\HDAudBus.sys
0x96E7D000 \SystemRoot\system32\DRIVERS\Rt86win7.sys
0x96ECF000 \SystemRoot\system32\DRIVERS\HSFHWBS2.sys
0x96F07000 \SystemRoot\system32\DRIVERS\ks.sys
0x97230000 \SystemRoot\system32\DRIVERS\HSF_DPV.sys
0x9732D000 \SystemRoot\system32\DRIVERS\HSF_CNXT.sys
0x973DC000 \SystemRoot\system32\drivers\modem.sys
0x973E9000 \SystemRoot\system32\DRIVERS\serenum.sys
0x97200000 \SystemRoot\system32\DRIVERS\parport.sys
0x97218000 \SystemRoot\system32\DRIVERS\CompositeBus.sys
0x96F3B000 \SystemRoot\system32\DRIVERS\AgileVpn.sys
0x96F4D000 \SystemRoot\system32\DRIVERS\rasl2tp.sys
0x97225000 \SystemRoot\system32\DRIVERS\ndistapi.sys
0x96F65000 \SystemRoot\system32\DRIVERS\ndiswan.sys
0x96F87000 \SystemRoot\system32\DRIVERS\raspppoe.sys
0x96F9F000 \SystemRoot\system32\DRIVERS\raspptp.sys
0x96FB6000 \SystemRoot\system32\DRIVERS\rassstp.sys
0x973F3000 \SystemRoot\system32\DRIVERS\rdpbus.sys
0x96FCD000 \SystemRoot\system32\DRIVERS\kbdclass.sys
0x96FDA000 \SystemRoot\system32\DRIVERS\mouclass.sys
0x973FD000 \SystemRoot\system32\DRIVERS\swenum.sys
0x96FE7000 \SystemRoot\system32\DRIVERS\umbus.sys
0x96FF5000 \SystemRoot\system32\DRIVERS\vmnetadapter.sys
0x96FF8000 \SystemRoot\system32\DRIVERS\VMNET.SYS
0x8F1B6000 \SystemRoot\system32\DRIVERS\usbhub.sys
0x8F000000 \SystemRoot\system32\drivers\MODEMCSA.sys
0x8F00A000 \SystemRoot\System32\Drivers\NDProxy.SYS
0x82029000 \SystemRoot\system32\drivers\HdAudio.sys
0x82079000 \SystemRoot\system32\drivers\portcls.sys
0x820A8000 \SystemRoot\system32\drivers\drmk.sys
0x97B70000 \SystemRoot\System32\win32k.sys
0x820C1000 \SystemRoot\System32\drivers\Dxapi.sys
0x820D8000 \SystemRoot\system32\DRIVERS\usbprint.sys
0x820E3000 \SystemRoot\system32\DRIVERS\USBD.SYS
0x820E5000 \SystemRoot\system32\DRIVERS\usbccgp.sys
0x820FC000 \SystemRoot\system32\DRIVERS\hidusb.sys
0x82107000 \SystemRoot\system32\DRIVERS\HIDCLASS.SYS
0x8211A000 \SystemRoot\system32\DRIVERS\HIDPARSE.SYS
0x82121000 \SystemRoot\system32\DRIVERS\kbdhid.sys
0x8212D000 \??\C:\Windows\system32\drivers\VMkbd.sys
0x82132000 \SystemRoot\system32\DRIVERS\mouhid.sys
0x8213D000 \SystemRoot\system32\DRIVERS\monitor.sys
0x97DD0000 \SystemRoot\System32\TSDDD.dll
0x97A00000 \SystemRoot\System32\cdd.dll
0x97A20000 \SystemRoot\System32\ATMFD.DLL
0x82148000 \SystemRoot\system32\drivers\luafv.sys
0x82163000 \??\C:\Windows\system32\drivers\aswMonFlt.sys
0x8219B000 \SystemRoot\System32\Drivers\aswFsBlk.SYS
0x8219E000 \SystemRoot\system32\drivers\WudfPf.sys
0x821B8000 \??\D:\Program Files\Sandboxie\SbieDrv.sys
0x821D9000 \SystemRoot\system32\DRIVERS\vmnetbridge.sys
0x821E7000 \SystemRoot\system32\DRIVERS\lltdio.sys
0x82000000 \SystemRoot\system32\DRIVERS\rspndr.sys
0x9FE3D000 \SystemRoot\system32\drivers\HTTP.sys
0x9FEC2000 \SystemRoot\system32\DRIVERS\bowser.sys
0x9FEDB000 \SystemRoot\System32\drivers\mpsdrv.sys
0x9FEED000 \SystemRoot\system32\DRIVERS\mrxsmb.sys
0x9FF10000 \SystemRoot\system32\DRIVERS\mrxsmb10.sys
0x9FF4B000 \SystemRoot\system32\DRIVERS\mrxsmb20.sys
0x9FF66000 \??\C:\Windows\system32\drivers\hcmon.sys
0x9FF70000 \SystemRoot\system32\DRIVERS\parvdm.sys
0x9FF77000 \??\C:\Windows\system32\Drivers\vmci.sys
0x9FF87000 \??\C:\Windows\system32\Drivers\VMparport.sys
0xA1213000 \??\C:\Windows\system32\Drivers\vmx86.sys
0xA12E2000 \SystemRoot\system32\drivers\peauth.sys
0xA1379000 \SystemRoot\System32\Drivers\secdrv.SYS
0xA1383000 \SystemRoot\system32\drivers\spsys.sys
0x9FF8C000 \SystemRoot\System32\DRIVERS\srvnet.sys
0xA13ED000 \SystemRoot\System32\drivers\tcpipreg.sys
0xA13FA000 \??\C:\Windows\system32\drivers\vmnetuserif.sys
0xA1200000 \??\D:\Program Files\VMware\vstor2-ws60.sys
0x9FFAD000 \SystemRoot\System32\DRIVERS\srv2.sys
0xA8E2D000 \SystemRoot\System32\DRIVERS\srv.sys
0x777F0000 \Windows\System32\ntdll.dll
0x47720000 \Windows\System32\smss.exe
0x77A30000 \Windows\System32\apisetschema.dll
0x00790000 \Windows\System32\autochk.exe
0x77650000 \Windows\System32\setupapi.dll
0x77A10000 \Windows\System32\normaliz.dll
0x77960000 \Windows\System32\rpcrt4.dll
0x76A00000 \Windows\System32\shell32.dll
0x76930000 \Windows\System32\msctf.dll
0x76890000 \Windows\System32\advapi32.dll
0x76780000 \Windows\System32\urlmon.dll
0x76660000 \Windows\System32\wininet.dll
0x76580000 \Windows\System32\kernel32.dll
0x76520000 \Windows\System32\shlwapi.dll
0x76450000 \Windows\System32\user32.dll
0x762F0000 \Windows\System32\ole32.dll
0x76250000 \Windows\System32\usp10.dll
0x761C0000 \Windows\System32\oleaut32.dll
0x76110000 \Windows\System32\msvcrt.dll
0x760D0000 \Windows\System32\ws2_32.dll
0x77950000 \Windows\System32\lpk.dll
0x76050000 \Windows\System32\comdlg32.dll
0x77940000 \Windows\System32\nsi.dll
0x77930000 \Windows\System32\psapi.dll
0x75FF0000 \Windows\System32\difxapi.dll
0x75E30000 \Windows\System32\iertutil.dll
0x75DE0000 \Windows\System32\Wldap32.dll
0x75DC0000 \Windows\System32\imm32.dll
0x75DA0000 \Windows\System32\sechost.dll
0x75D50000 \Windows\System32\gdi32.dll
0x75CC0000 \Windows\System32\clbcatq.dll
0x75C90000 \Windows\System32\imagehlp.dll
0x75C40000 \Windows\System32\KernelBase.dll
0x75C20000 \Windows\System32\devobj.dll
0x75BF0000 \Windows\System32\wintrust.dll
0x75AD0000 \Windows\System32\crypt32.dll
0x75A40000 \Windows\System32\comctl32.dll
0x75A10000 \Windows\System32\cfgmgr32.dll
0x75A00000 \Windows\System32\msasn1.dll

Processes (total 55):
0 System Idle Process
4 System
416 C:\Windows\System32\smss.exe
512 csrss.exe
572 C:\Windows\System32\wininit.exe
580 csrss.exe
612 C:\Windows\System32\winlogon.exe
672 C:\Windows\System32\services.exe
684 C:\Windows\System32\lsass.exe
692 C:\Windows\System32\lsm.exe
804 C:\Windows\System32\svchost.exe
880 C:\Windows\System32\nvvsvc.exe
924 C:\Windows\System32\svchost.exe
1032 D:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
1060 C:\Windows\System32\svchost.exe
1132 C:\Windows\System32\svchost.exe
1172 C:\Windows\System32\svchost.exe
1224 C:\Windows\System32\svchost.exe
1380 C:\Windows\System32\svchost.exe
1452 D:\Program Files\Sandboxie\SbieSvc.exe
1608 C:\Program Files\NVIDIA Corporation\Display\NvXDSync.exe
1628 C:\Windows\System32\nvvsvc.exe
1824 D:\Program Files\AVAST Software\Avast\AvastSvc.exe
1220 C:\Windows\System32\spoolsv.exe
1768 C:\Windows\System32\svchost.exe
2028 D:\Program Files\COMODO\Time Machine\ClientService.exe
2116 C:\Windows\System32\svchost.exe
2172 C:\Program Files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.exe
2436 C:\Windows\System32\dwm.exe
2592 C:\Windows\explorer.exe
2644 C:\Windows\System32\sppsvc.exe
2744 C:\Windows\System32\taskhost.exe
2812 C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
2892 C:\Program Files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe
2924 C:\Windows\System32\svchost.exe
3012 C:\Program Files\Common Files\VMware\USB\vmware-usbarbitrator.exe
3044 C:\Windows\System32\vmnat.exe
3096 D:\Program Files\VMware\vmware-authd.exe
3312 C:\Windows\System32\vmnetdhcp.exe
3356 D:\Program Files\COMODO\Time Machine\CTMTRAY.exe
3368 D:\Program Files\AVAST Software\Avast\AvastUI.exe
3988 C:\Windows\System32\svchost.exe
2136 C:\Windows\System32\SearchIndexer.exe
3676 C:\Program Files\Windows Media Player\wmpnetwk.exe
1292 C:\Windows\System32\svchost.exe
3828 D:\Program Files\Mozilla Firefox\firefox.exe
1420 D:\Program Files\Mozilla Firefox\plugin-container.exe
1880 C:\Windows\System32\audiodg.exe
2228 C:\Windows\System32\SearchProtocolHost.exe
2564 C:\Windows\System32\SearchFilterHost.exe
2888 C:\Windows\System32\svchost.exe
796 C:\Windows\System32\ctfmon.exe
1256 C:\Users\Dimitrije\Desktop\MBRCheck.exe
3496 C:\Windows\System32\conhost.exe
1780 C:\Windows\System32\dllhost.exe

\\.\C: --> \\.\PhysicalDrive0 at offset 0x00000000`00007e00 (NTFS)
\\.\D: --> \\.\PhysicalDrive0 at offset 0x0000000b`f3413e00 (NTFS)

PhysicalDrive0 Model Number: WDCWD2500AAKS-00VYA0, Rev: 12.01B02

Size Device Name MBR Status
--------------------------------------------
232 GB \\.\PhysicalDrive0 MBR Code Faked!
SHA1: 3312F05D7939BF197D0957FED89EFCD7294CFD9D


Found non-standard or infected MBR.
Enter 'Y' and hit ENTER for more options, or 'N' to exit:

Done!

offline
  • magna86  Male
  • Anti Malware Fighter
    Rank 2
  • Joined: 21 Jun 2008
  • Posts: 6103

Before we continue, answer me this: is this an ordinary desktop computer?
It is not a laptop or some "branded" (OEM) computer?
