Win32/Adware.Virtumonde.FP

  • Joined: 12 Feb 2008
  • Posts: 9

Hi, I see there have already been problems like this on this forum, so I hope you will help me solve mine too. Right at the start of a scan, NOD32 reports:
"Provjeravam CRC datoteke NOD 32.EXE: Status OK
vjerojatna varijanta Win32/Adware.Virtumonde.FP aplikacija pronađen u radnoj memoriji. Zaraza sistemske memorija potječe od datoteke C:\WINDOWS\system32\jkhff.dll."
I can't delete it at all; every time I delete it, it comes back after the computer restarts.

Logfile of HijackThis v1.99.1
Scan saved at 18:51:49, on 12.2.2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Eset\nod32krn.exe
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\WINDOWS\system32\WgaTray.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.EXE
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\Power ISO 3.8\PowerISO\PWRISOVM.EXE
C:\Program Files\WinFast\WFDTV\DTVSchdl.exe
C:\Program Files\WinFast\WFDTV\WFWIZ.exe
C:\Program Files\QuickTime\QTTask.exe
C:\WINDOWS\system32\Rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\ctfmon.exe
D:\Gadwin Systems\PrintScreen\PrintScreen.exe
C:\Program Files\Macrogaming\SweetIM\SweetIM.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Korisnik.ALIEN-A7BFB5A78\Desktop\New Folder\TR3.exe.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = [Link visible only to logged-in users]
R3 - URLSearchHook: SweetIM For Internet Explorer - {BC4FFE41-DE9F-46fa-B455-AAD49B9F9938} - C:\Program Files\Macrogaming\SweetIMBarForIE\toolbar.dll (file missing)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {16C4CC4D-559A-40CA-927A-F59BD019E904} - C:\WINDOWS\system32\cvjxpcyx.dll
O2 - BHO: SWEETIE - {1A0AADCD-3A72-4b5f-900F-E3BB5A838E2A} - C:\PROGRA~1\MACROG~1\SWEETI~1\toolbar.dll (file missing)
O2 - BHO: (no name) - {4FB3E0F7-41FC-4A37-97EC-64F4F63AA583} - C:\WINDOWS\system32\jkhff.dll
O2 - BHO: {f0e6e515-2d43-c06a-1c84-46352b458bd5} - {5db854b2-5364-48c1-a60c-34d2515e6e0f} - C:\WINDOWS\system32\namejiug.dll
O2 - BHO: (no name) - {634BBAB7-3F60-4426-944F-A62B9007F67F} - C:\WINDOWS\system32\wvuvtrq.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Easy Gif Animator Toolbar Helper - {96372AB6-15EB-4316-B497-71C741BC548C} - C:\Program Files\Easy Gif Animator Extension\v3.3.0.0\EasyGifAnimator_Toolbar.dll
O3 - Toolbar: SweetIM For Internet Explorer - {BC4FFE41-DE9F-46fa-B455-AAD49B9F9938} - C:\Program Files\Macrogaming\SweetIMBarForIE\toolbar.dll (file missing)
O3 - Toolbar: Easy Gif Animator Toolbar - {35065594-9169-4A34-B167-FC4865038E53} - C:\Program Files\Easy Gif Animator Extension\v3.3.0.0\EasyGifAnimator_Toolbar.dll
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe"
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Sony Ericsson PC Suite] "C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Program Files\Power ISO 3.8\PowerISO\PWRISOVM.EXE
O4 - HKLM\..\Run: [WinFastDTV] C:\Program Files\WinFast\WFDTV\DTVSchdl.exe
O4 - HKLM\..\Run: [WinFast Schedule] C:\Program Files\WinFast\WFDTV\WFWIZ.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [Application Process] rndsvc.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [d4902b0a] rundll32.exe "C:\WINDOWS\system32\dtycwsfg.dll",b
O4 - HKLM\..\Run: [BMd7a31896] Rundll32.exe "C:\WINDOWS\system32\lqrdjlqg.dll",s
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] ~"C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Gadwin PrintScreen 4.0] D:\Gadwin Systems\PrintScreen\PrintScreen.exe /nosplash
O4 - HKCU\..\Run: [Pile Pop] C:\DOCUME~1\KORISN~1.ALI\APPLIC~1\PHONEW~1\five one.exe
O4 - HKCU\..\Run: [SweetIM] C:\Program Files\Macrogaming\SweetIM\SweetIM.exe
O4 - HKCU\..\RunOnce: [FFTI] C:\Documents and Settings\Korisnik.ALIEN-A7BFB5A78\Application Data\Mozilla\Firefox\Profiles\ng641r0p.default\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}\ffti.exe /VERYSILENT /SUPPRESSMSGBOXES /NORESTART /DestPath="C:\Documents and Settings\Korisnik.ALIEN-A7BFB5A78\Application Data\Mozilla\Firefox\Profiles/ng641r0p.default\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}"
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: Registration Prince of Persia Warrior Within.LNK = C:\Program Files\Ubisoft\Prince of Persia Warrior Within\Support\Register\RegistrationReminder.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - [Link visible only to logged-in users]\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - [Link visible only to logged-in users]
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: wvuvtrq - wvuvtrq.dll (file missing)
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: COM+ Messages - Unknown owner - C:\WINDOWS\system32\svchosts.exe" -e mc-110-12-0001670 (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe

Thanks in advance.



  • helen1  Male
  • Anti Malware Fighter
    Rank 2
  • Master teacher
  • Joined: 27 Aug 2005
  • Posts: 8643
  • Location: Novi Beograd

Download ComboFix to your Desktop from one of the following addresses:
[Link visible only to logged-in users]
[Link visible only to logged-in users]

Run it and do not touch the program window while it scans.
Follow the on-screen instructions. When it finishes, a log (C:\ComboFix.txt) will appear; copy it here for us.



  • Joined: 12 Feb 2008
  • Posts: 9

Done.

ComboFix 08-02-13.1 - Korisnik 2008-02-12 19:32:26.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1250.1.1033.18.104 [GMT 1:00]
Running from: C:\Documents and Settings\Korisnik.ALIEN-A7BFB5A78\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\jkhff.dll
C:\Documents and Settings\Korisnik.ALIEN-A7BFB5A78\Application Data\FunWebProducts
C:\Documents and Settings\Korisnik.ALIEN-A7BFB5A78\Application Data\FunWebProducts\Data\Korisnik\avatar.dat
C:\Program Files\Common Files\{34902~1
C:\Program Files\Common Files\{34902~1\Bar888.dll
C:\Program Files\Common Files\{34902~1\UnInstall.exe
C:\Program Files\Common Files\{D4902~1
C:\Program Files\FunWebProducts
C:\Program Files\MyWebSearch
C:\Program Files\MyWebSearch\bar\History\search2
C:\Program Files\MyWebSearch\bar\Settings\prevcfg2.htm
C:\Program Files\MyWebSearch\bar\Settings\s_pid.dat
C:\WINDOWS\system32\ahidaecc.dll
C:\WINDOWS\system32\ajvayvdy.ini
C:\WINDOWS\system32\alwqhonc.dll
C:\WINDOWS\system32\bjhurfna.dll
C:\WINDOWS\system32\bkrabdmh.dll
C:\WINDOWS\system32\btwmavei.ini
C:\WINDOWS\system32\ciavvmsx.dll
C:\WINDOWS\system32\ddnqcagh.dll
C:\WINDOWS\system32\devwhlso.dll
C:\WINDOWS\system32\dtycwsfg.dll
C:\WINDOWS\system32\Dvbpws.dll
C:\WINDOWS\system32\eoxkmigc.ini
C:\WINDOWS\system32\erijlmrm.dll
C:\WINDOWS\system32\etjrhkkd.dll
C:\WINDOWS\system32\ffhkj.ini
C:\WINDOWS\system32\ffhkj.ini2
C:\WINDOWS\system32\ftebgvma.dll
C:\WINDOWS\system32\gdpshoiy.dll
C:\WINDOWS\system32\gfswcytd.ini
C:\WINDOWS\system32\hlaewsxr.dll
C:\WINDOWS\system32\ievamwtb.dll
C:\WINDOWS\system32\ilasdgmq.dll
C:\WINDOWS\system32\jkhff.dll
C:\WINDOWS\system32\jpwuvows.dll
C:\WINDOWS\system32\kyvjnvbg.dll
C:\WINDOWS\system32\lqrdjlqg.dll
C:\WINDOWS\system32\lwycgehm.ini
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\mklouqus.dll
C:\WINDOWS\system32\namejiug.dll
C:\WINDOWS\system32\nbvqnijm.dll
C:\WINDOWS\system32\nekykahu.ini
C:\WINDOWS\system32\owphildy.dll
C:\WINDOWS\system32\owxivbmw.ini
C:\WINDOWS\system32\picaqnbq.ini
C:\WINDOWS\system32\rsobbkbd.dll
C:\WINDOWS\system32\rxgjxruq.dll
C:\WINDOWS\system32\ugedceic.ini
C:\WINDOWS\system32\unsvchosts.lzma
C:\WINDOWS\system32\uwdmoucr.dll
C:\WINDOWS\system32\ydvyavja.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_COM+_MESSAGES
-------\COM+ Messages


((((((((((((((((((((((((( Files Created from 2008-01-13 to 2008-02-13 )))))))))))))))))))))))))))))))
.

2008-02-12 16:08 . 2008-02-12 16:08 <DIR> d-------- C:\Program Files\Lavasoft
2008-02-12 16:08 . 2008-02-12 16:09 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-02-12 16:07 . 2008-02-12 16:07 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-02-09 21:34 . 2005-06-24 16:24 438,272 -ra------ C:\WINDOWS\system32\vp6vfw.dll
2008-02-09 21:34 . 2004-12-10 09:06 327,680 --a------ C:\WINDOWS\system32\vp6dec.ax
2008-02-07 13:44 . 2008-02-08 16:01 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-02-07 13:44 . 2008-02-07 13:44 1,409 --a------ C:\WINDOWS\QTFont.for
2008-02-07 12:31 . 2008-02-07 12:31 <DIR> d-------- C:\Program Files\Rockstar Games
2008-02-04 13:12 . 2008-02-04 13:12 <DIR> d-------- C:\Program Files\Microsoft Silverlight
2008-02-01 16:06 . 2008-02-01 16:06 125 --a--c--- C:\ioSpecial.ini
2008-01-31 18:15 . 2008-01-31 18:15 <DIR> d-------- C:\Documents and Settings\Korisnik.ALIEN-A7BFB5A78\Application Data\Oberon Games
2008-01-31 18:15 . 2008-01-31 18:15 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Oberon Games
2008-01-28 22:35 . 2008-01-28 22:35 26,688 --a------ C:\WINDOWS\system32\cvjxpcyx.dll
2008-01-22 10:21 . 2008-01-24 10:58 114 --a------ C:\WINDOWS\BMd7a31896.xml
2008-01-16 19:47 . 2008-02-13 19:32 22 --a------ C:\WINDOWS\pskt.ini
2008-01-13 18:37 . 2008-01-13 18:59 <DIR> d-------- C:\Documents and Settings\Korisnik.ALIEN-A7BFB5A78\Application Data\U3

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-10 14:06 --------- d-----w C:\Program Files\Common Files\Adobe
2008-02-09 20:52 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-02-09 20:36 --------- d-----w C:\Program Files\Electronic Arts
2008-02-08 22:10 --------- d-----w C:\Documents and Settings\Korisnik.ALIEN-A7BFB5A78\Application Data\LimeWire
2008-02-08 12:13 --------- d-----w C:\Program Files\ESET
2008-02-06 18:06 --------- d-----w C:\Documents and Settings\Korisnik.ALIEN-A7BFB5A78\Application Data\uTorrent
2008-02-06 14:33 --------- d-----w C:\Program Files\Valve
2008-02-06 14:30 --------- d-----w C:\Program Files\Sports Interactive
2008-02-01 15:05 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-01-27 22:38 --------- d-----w C:\Program Files\MSN Messenger
2008-01-27 22:38 --------- d-----w C:\Program Files\Messenger Plus! Live
2008-01-01 17:07 7,780 ----a-w C:\Documents and Settings\Korisnik.ALIEN-A7BFB5A78\FMCodec.dat
2007-12-18 11:41 --------- d-----w C:\Program Files\LHM2006
2007-12-14 15:00 --------- d-----w C:\Program Files\Dexter
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{16C4CC4D-559A-40CA-927A-F59BD019E904}]
2008-01-28 22:35 26688 --a------ C:\WINDOWS\system32\cvjxpcyx.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-03 23:56 15360]
"MsnMsgr"="~C:\Program Files\MSN Messenger\MsnMsgr.exe" [ ]
"Gadwin PrintScreen 4.0"="D:\Gadwin Systems\PrintScreen\PrintScreen.exe" [2007-04-20 15:40 507904]
"Pile Pop"="C:\DOCUME~1\KORISN~1.ALI\APPLIC~1\PHONEW~1\five one.exe" [ ]
"SweetIM"="C:\Program Files\Macrogaming\SweetIM\SweetIM.exe" [2007-08-12 10:02 103712]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"FFTI"="C:\Documents and Settings\Korisnik.ALIEN-A7BFB5A78\Application Data\Mozilla\Firefox\Profiles\ng641r0p.default\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}\ffti.exe" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATICCC"="C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe" [2006-05-10 10:12 90112]
"nod32kui"="C:\Program Files\Eset\nod32kui.exe" [2006-08-23 06:50 917504]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe" [2005-11-10 12:03 36975]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 11:50 155648]
"Sony Ericsson PC Suite"="C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" [2005-10-26 16:17 159744]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [2005-06-06 23:46 57344]
"PWRISOVM.EXE"="C:\Program Files\Power ISO 3.8\PowerISO\PWRISOVM.EXE" [2007-08-07 01:05 200704]
"WinFastDTV"="C:\Program Files\WinFast\WFDTV\DTVSchdl.exe" [2006-12-06 15:57 69632]
"WinFast Schedule"="C:\Program Files\WinFast\WFDTV\WFWIZ.exe" [2006-12-04 11:01 372736]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2007-06-29 05:24 286720]
"Application Process"="rndsvc.exe" []
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-03 23:56 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\wvuvtrq]
wvuvtrq.dll

R1 wfcxacap;WinFast TV PCI Audio Capture Driver;C:\WINDOWS\system32\DRIVERS\wfcxacap.sys [2006-08-07 09:50]
R2 wfcxatun;WinFast TV Analog Tuner Driver;C:\WINDOWS\system32\drivers\wfcxatun.sys [2006-08-07 09:53]
R2 WFCXVCAP;WinFast TV Video Capture Driver;C:\WINDOWS\system32\drivers\wfcxvcap.sys [2006-08-07 13:10]
R3 wfcxdtun;WinFast DTV BDA Tuner/Demod Driver;C:\WINDOWS\system32\drivers\wfcxdtun.sys [2006-08-07 09:56]
R3 wfcxtcap;WinFast DTV BDA Transport Stream Capture Driver;C:\WINDOWS\system32\drivers\wfcxtcap.sys [2006-08-07 09:54]
R3 wfcxxbar;WinFast TV Crossbar Driver;C:\WINDOWS\system32\drivers\wfcxxbar.sys [2006-08-07 14:04]
R3 WFIOCTL;WFIOCTL;C:\Program Files\WinFast\WFDTV\WFIOCTL.SYS [2005-01-06 15:55]
S3 usnjsvc;Messenger Sharing Folders USN Journal Reader service;"C:\Program Files\MSN Messenger\usnsvc.exe" [2007-01-19 12:54]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\H]
\Shell\AutoRun\command - H:\LaunchU3.exe -a

.
Contents of the 'Scheduled Tasks' folder
"2008-02-12 18:00:02 C:\WINDOWS\Tasks\A992A89991E95FB9.job"
- c:\docume~1\korisn~1.ali\applic~1\phonew~1\Amen Bib Seek.exe
"2008-02-08 11:16:02 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [Link visible only to logged-in users]
Rootkit scan 2008-02-13 19:43:02
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\lsass.exe [5.01.2600.2180]
-> C:\Program Files\Eset\pr_imon.dll
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Eset\nod32krn.exe
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\WINDOWS\system32\WgaTray.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.EXE
C:\Program Files\Common Files\Teleca Shared\CapabilityManager.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
.
**************************************************************************
.
Completion time: 2008-02-13 19:48:30 - machine was rebooted [Korisnik]
ComboFix-quarantined-files.txt 2008-02-13 18:48:23
.
2008-01-10 11:09:56 --- E O F ---

  • helen1  Male
  • Anti Malware Fighter
    Rank 2
  • Master teacher
  • Joined: 27 Aug 2005
  • Posts: 8643
  • Location: Novi Beograd

Open Notepad and copy the following text:

File::
C:\WINDOWS\system32\cvjxpcyx.dll
C:\WINDOWS\Tasks\A992A89991E95FB9.job


Folder::
c:\docume~1\korisn~1.ali\applic~1\phonew~1


Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{16C4CC4D-559A-40CA-927A-F59BD019E904}]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Pile Pop"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Application Process"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\wvuvtrq]


Save the Notepad file to the Desktop as "CFScript"

Drag the saved script/text onto the ComboFix icon as shown in the picture.
Post in your next message the log that is produced at the end of the cleaning/scan.
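The CFScript above tells ComboFix which files, folders and registry values to remove, and the helper picked those entries out of the HijackThis log by hand. The following Python triage script is an added example (not code from this thread, from HijackThis or from ComboFix) showing how that first pass can be automated from a defender's side: it reads HijackThis-style O2/O4/O20 lines, scores the indicators that appear in this thread (unnamed BHOs, entries whose file is missing, autorun values that are a bare filename, rundll32 loading a DLL by a single-letter export, random-looking DLL names in system32) and renders the File:: section in CFScript syntax. The sample lines are constructed after the log posted above; the scoring weights, the threshold and the small KNOWN_SYSTEM_DLLS set are the example's own assumptions.

```python
"""Triage helper for HijackThis-style log lines (added example; not code from the
thread, from HijackThis or from ComboFix). Scoring weights, the threshold and the
KNOWN_SYSTEM_DLLS sample are this example's own assumptions."""
import re
from dataclasses import dataclass

# Constructed sample: a handful of O2/O4/O20 lines shaped like the log posted above.
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {16C4CC4D-559A-40CA-927A-F59BD019E904} - C:\WINDOWS\system32\cvjxpcyx.dll
O2 - BHO: (no name) - {634BBAB7-3F60-4426-944F-A62B9007F67F} - C:\WINDOWS\system32\wvuvtrq.dll (file missing)
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [Application Process] rndsvc.exe
O4 - HKLM\..\Run: [d4902b0a] rundll32.exe "C:\WINDOWS\system32\dtycwsfg.dll",b
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: wvuvtrq - wvuvtrq.dll (file missing)
"""

PATH_RE = re.compile(r'[A-Za-z]:\\[^"\n]*?\.(?:dll|exe)', re.IGNORECASE)
BARE_RE = re.compile(r'\b[\w.-]+\.(?:dll|exe)\b', re.IGNORECASE)
RUNDLL_RE = re.compile(r'rundll32\.exe\s+"?([^",\n]+\.dll)"?\s*,\s*(\w+)', re.IGNORECASE)
RANDOM_NAME_RE = re.compile(r"^[a-z]{5,8}\.dll$")
# Small, non-exhaustive sample of legitimate lowercase-only system32 names; the
# random-name heuristic is weak precisely because such a list can never be complete.
KNOWN_SYSTEM_DLLS = {
    "ntdll.dll", "shlwapi.dll", "wininet.dll", "urlmon.dll", "msvcrt.dll", "winmm.dll",
    "version.dll", "uxtheme.dll", "psapi.dll", "userenv.dll", "dnsapi.dll", "winhttp.dll",
    "shdocvw.dll", "browseui.dll", "mshtml.dll", "jscript.dll", "vbscript.dll",
    "cabinet.dll", "imagehlp.dll", "setupapi.dll", "wintrust.dll",
}


@dataclass
class Finding:
    line: str
    target: str
    score: int
    reasons: list


def extract_target(line):
    """Return (file referenced by the entry, rundll32 export name or None)."""
    m = RUNDLL_RE.search(line)
    if m:
        return m.group(1), m.group(2)
    m = PATH_RE.search(line) or BARE_RE.search(line)
    return (m.group(0), None) if m else (None, None)


def assess(line):
    """Score one log line; None when the line references no executable or DLL."""
    target, export = extract_target(line)
    if target is None:
        return None
    low = line.lower()
    base = target.rsplit("\\", 1)[-1].lower()
    has_path = "\\" in target
    in_system32 = "\\system32\\" in target.lower()
    score, reasons = 0, []
    if "(file missing)" in low:
        score += 1
        reasons.append("orphaned entry: the referenced file is missing")
    if low.startswith("o2 - bho: (no name)"):
        score += 2
        reasons.append("browser helper object registered without a name")
    if export is not None and len(export) == 1:
        score += 2
        reasons.append(f"rundll32 loads the DLL by single-letter export '{export}'")
    if low.startswith("o4 ") and not has_path:
        score += 2
        reasons.append("autorun value is a bare filename with no full path")
    if RANDOM_NAME_RE.match(base) and base not in KNOWN_SYSTEM_DLLS and (in_system32 or not has_path):
        score += 1
        reasons.append("random-looking DLL name in system32 (weak signal)")
    return Finding(line, target, score, reasons)


def triage(log_text, threshold=2):
    """Return the findings at or above the threshold, in log order."""
    return [f for f in map(assess, log_text.splitlines()) if f and f.score >= threshold]


def build_cfscript(findings):
    """Render a ComboFix File:: section from findings that name a file by full path.
    Entries marked '(file missing)' are left out: there is nothing on disk to remove."""
    files = sorted({f.target for f in findings
                    if "\\" in f.target and "(file missing)" not in f.line.lower()})
    return "File::\n" + "\n".join(files) + "\n"


if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    for f in found:
        print(f"[{f.score}] {f.target}: {'; '.join(f.reasons)}")
    print(build_cfscript(found))
```

The name-based signal is deliberately worth only one point: on the sample, the legitimate WgaLogon.dll (eight lowercase letters in system32) scores 1 and is not reported, while every entry the helper actually scripted for removal carries at least one stronger indicator and reaches the threshold. The rendered File:: section is a starting point for the analyst to review, not something to hand to ComboFix unread, and it leaves out the orphaned "(file missing)" entries, which need a registry cleanup rather than a file deletion.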

  • Joined: 12 Feb 2008
  • Posts: 9

Here it is

ComboFix 08-02-13.1 - Korisnik 2008-02-13 21:09:37.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1250.1.1033.18.137 [GMT 1:00]
Running from: C:\Documents and Settings\Korisnik.ALIEN-A7BFB5A78\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Korisnik.ALIEN-A7BFB5A78\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE
C:\WINDOWS\system32\cvjxpcyx.dll
C:\WINDOWS\Tasks\A992A89991E95FB9.job
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\docume~1\korisn~1.ali\applic~1\phonew~1
c:\docume~1\korisn~1.ali\applic~1\phonew~1\A19B8F74
C:\WINDOWS\system32\cvjxpcyx.dll
C:\WINDOWS\Tasks\A992A89991E95FB9.job

.
((((((((((((((((((((((((( Files Created from 2008-01-13 to 2008-02-13 )))))))))))))))))))))))))))))))
.

2008-02-12 19:29 . 2004-08-03 23:56 388,608 --a------ C:\kmd.exe
2008-02-12 16:08 . 2008-02-12 16:08 <DIR> d-------- C:\Program Files\Lavasoft
2008-02-12 16:08 . 2008-02-12 16:09 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-02-12 16:07 . 2008-02-12 16:07 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-02-09 21:34 . 2005-06-24 16:24 438,272 -ra------ C:\WINDOWS\system32\vp6vfw.dll
2008-02-09 21:34 . 2004-12-10 09:06 327,680 --a------ C:\WINDOWS\system32\vp6dec.ax
2008-02-07 13:44 . 2008-02-08 16:01 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-02-07 13:44 . 2008-02-07 13:44 1,409 --a------ C:\WINDOWS\QTFont.for
2008-02-07 12:31 . 2008-02-07 12:31 <DIR> d-------- C:\Program Files\Rockstar Games
2008-02-04 13:12 . 2008-02-04 13:12 <DIR> d-------- C:\Program Files\Microsoft Silverlight
2008-02-01 16:06 . 2008-02-01 16:06 125 --a--c--- C:\ioSpecial.ini
2008-01-31 18:15 . 2008-01-31 18:15 <DIR> d-------- C:\Documents and Settings\Korisnik.ALIEN-A7BFB5A78\Application Data\Oberon Games
2008-01-31 18:15 . 2008-01-31 18:15 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Oberon Games
2008-01-22 10:21 . 2008-01-24 10:58 114 --a------ C:\WINDOWS\BMd7a31896.xml
2008-01-16 19:47 . 2008-02-13 19:32 22 --a------ C:\WINDOWS\pskt.ini
2008-01-13 18:37 . 2008-01-13 18:59 <DIR> d-------- C:\Documents and Settings\Korisnik.ALIEN-A7BFB5A78\Application Data\U3

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-10 14:06 --------- d-----w C:\Program Files\Common Files\Adobe
2008-02-09 20:52 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-02-09 20:36 --------- d-----w C:\Program Files\Electronic Arts
2008-02-08 22:10 --------- d-----w C:\Documents and Settings\Korisnik.ALIEN-A7BFB5A78\Application Data\LimeWire
2008-02-08 12:13 --------- d-----w C:\Program Files\ESET
2008-02-06 18:06 --------- d-----w C:\Documents and Settings\Korisnik.ALIEN-A7BFB5A78\Application Data\uTorrent
2008-02-06 14:33 --------- d-----w C:\Program Files\Valve
2008-02-06 14:30 --------- d-----w C:\Program Files\Sports Interactive
2008-02-01 15:05 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-01-27 22:38 --------- d-----w C:\Program Files\MSN Messenger
2008-01-27 22:38 --------- d-----w C:\Program Files\Messenger Plus! Live
2008-01-01 17:07 7,780 ----a-w C:\Documents and Settings\Korisnik.ALIEN-A7BFB5A78\FMCodec.dat
2008-01-01 08:16 74,540 ----a-w C:\WINDOWS\system32\shrbdnit.dll
2007-12-19 09:00 74,540 ----a-w C:\WINDOWS\system32\yqkquobs.dll
2007-12-18 11:41 --------- d-----w C:\Program Files\LHM2006
2007-12-14 16:46 127,040 ----a-w C:\WINDOWS\system32\tkronmxp.dll
2007-12-14 15:00 --------- d-----w C:\Program Files\Dexter
2007-12-14 10:32 12,632 ----a-w C:\WINDOWS\system32\lsdelete.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-03 23:56 15360]
"MsnMsgr"="~C:\Program Files\MSN Messenger\MsnMsgr.exe" [ ]
"Gadwin PrintScreen 4.0"="D:\Gadwin Systems\PrintScreen\PrintScreen.exe" [2007-04-20 15:40 507904]
"SweetIM"="C:\Program Files\Macrogaming\SweetIM\SweetIM.exe" [2007-08-12 10:02 103712]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"FFTI"="C:\Documents and Settings\Korisnik.ALIEN-A7BFB5A78\Application Data\Mozilla\Firefox\Profiles\ng641r0p.default\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}\ffti.exe" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATICCC"="C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe" [2006-05-10 10:12 90112]
"nod32kui"="C:\Program Files\Eset\nod32kui.exe" [2006-08-23 06:50 917504]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe" [2005-11-10 12:03 36975]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 11:50 155648]
"Sony Ericsson PC Suite"="C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" [2005-10-26 16:17 159744]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [2005-06-06 23:46 57344]
"PWRISOVM.EXE"="C:\Program Files\Power ISO 3.8\PowerISO\PWRISOVM.EXE" [2007-08-07 01:05 200704]
"WinFastDTV"="C:\Program Files\WinFast\WFDTV\DTVSchdl.exe" [2006-12-06 15:57 69632]
"WinFast Schedule"="C:\Program Files\WinFast\WFDTV\WFWIZ.exe" [2006-12-04 11:01 372736]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2007-06-29 05:24 286720]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-03 23:56 15360]

R1 wfcxacap;WinFast TV PCI Audio Capture Driver;C:\WINDOWS\system32\DRIVERS\wfcxacap.sys [2006-08-07 09:50]
R2 wfcxatun;WinFast TV Analog Tuner Driver;C:\WINDOWS\system32\drivers\wfcxatun.sys [2006-08-07 09:53]
R2 WFCXVCAP;WinFast TV Video Capture Driver;C:\WINDOWS\system32\drivers\wfcxvcap.sys [2006-08-07 13:10]
R3 usnjsvc;Messenger Sharing Folders USN Journal Reader service;"C:\Program Files\MSN Messenger\usnsvc.exe" [2007-01-19 12:54]
R3 wfcxdtun;WinFast DTV BDA Tuner/Demod Driver;C:\WINDOWS\system32\drivers\wfcxdtun.sys [2006-08-07 09:56]
R3 wfcxtcap;WinFast DTV BDA Transport Stream Capture Driver;C:\WINDOWS\system32\drivers\wfcxtcap.sys [2006-08-07 09:54]
R3 wfcxxbar;WinFast TV Crossbar Driver;C:\WINDOWS\system32\drivers\wfcxxbar.sys [2006-08-07 14:04]
R3 WFIOCTL;WFIOCTL;C:\Program Files\WinFast\WFDTV\WFIOCTL.SYS [2005-01-06 15:55]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\H]
\Shell\AutoRun\command - H:\LaunchU3.exe -a

.
Contents of the 'Scheduled Tasks' folder
"2008-02-08 11:16:02 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [Link visible only to logged-in users]
Rootkit scan 2008-02-13 21:12:16
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\lsass.exe [5.01.2600.2180]
-> C:\Program Files\Eset\pr_imon.dll
.
Completion time: 2008-02-13 21:12:53
ComboFix-quarantined-files.txt 2008-02-13 20:12:38
ComboFix2.txt 2008-02-13 18:48:31
.
2008-01-10 11:09:56 --- E O F ---

  • helen1  Male
  • Anti Malware Fighter
    Rank 2
  • Master teacher
  • Joined: 27 Aug 2005
  • Posts: 8643
  • Location: Novi Beograd

Open Notepad and copy the following text:

File::
C:\WINDOWS\system32\shrbdnit.dll
C:\WINDOWS\system32\yqkquobs.dll
C:\WINDOWS\system32\tkronmxp.dll



Save the Notepad file to the Desktop as "CFScript"

Drag the saved script/text onto the ComboFix icon as shown in the picture.
Post in your next message the log that is produced at the end of the cleaning/scan.

  • Joined: 12 Feb 2008
  • Posts: 9

ComboFix 08-02-13.1 - Korisnik 2008-02-13 21:53:39.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1250.1.1033.18.111 [GMT 1:00]
Running from: C:\Documents and Settings\Korisnik.ALIEN-A7BFB5A78\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Korisnik.ALIEN-A7BFB5A78\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE
C:\WINDOWS\system32\shrbdnit.dll
C:\WINDOWS\system32\tkronmxp.dll
C:\WINDOWS\system32\yqkquobs.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\shrbdnit.dll
C:\WINDOWS\system32\tkronmxp.dll
C:\WINDOWS\system32\yqkquobs.dll

.
((((((((((((((((((((((((( Files Created from 2008-01-13 to 2008-02-13 )))))))))))))))))))))))))))))))
.

2008-02-12 19:29 . 2004-08-03 23:56 388,608 --a------ C:\kmd.exe
2008-02-12 16:08 . 2008-02-12 16:08 <DIR> d-------- C:\Program Files\Lavasoft
2008-02-12 16:08 . 2008-02-12 16:09 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-02-12 16:07 . 2008-02-12 16:07 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-02-09 21:34 . 2005-06-24 16:24 438,272 -ra------ C:\WINDOWS\system32\vp6vfw.dll
2008-02-09 21:34 . 2004-12-10 09:06 327,680 --a------ C:\WINDOWS\system32\vp6dec.ax
2008-02-07 13:44 . 2008-02-08 16:01 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-02-07 13:44 . 2008-02-07 13:44 1,409 --a------ C:\WINDOWS\QTFont.for
2008-02-07 12:31 . 2008-02-07 12:31 <DIR> d-------- C:\Program Files\Rockstar Games
2008-02-04 13:12 . 2008-02-04 13:12 <DIR> d-------- C:\Program Files\Microsoft Silverlight
2008-02-01 16:06 . 2008-02-01 16:06 125 --a--c--- C:\ioSpecial.ini
2008-01-31 18:15 . 2008-01-31 18:15 <DIR> d-------- C:\Documents and Settings\Korisnik.ALIEN-A7BFB5A78\Application Data\Oberon Games
2008-01-31 18:15 . 2008-01-31 18:15 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Oberon Games
2008-01-22 10:21 . 2008-01-24 10:58 114 --a------ C:\WINDOWS\BMd7a31896.xml
2008-01-16 19:47 . 2008-02-13 19:32 22 --a------ C:\WINDOWS\pskt.ini
2008-01-13 18:37 . 2008-01-13 18:59 <DIR> d-------- C:\Documents and Settings\Korisnik.ALIEN-A7BFB5A78\Application Data\U3

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-10 14:06 --------- d-----w C:\Program Files\Common Files\Adobe
2008-02-09 20:52 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-02-09 20:36 --------- d-----w C:\Program Files\Electronic Arts
2008-02-08 22:10 --------- d-----w C:\Documents and Settings\Korisnik.ALIEN-A7BFB5A78\Application Data\LimeWire
2008-02-08 12:13 --------- d-----w C:\Program Files\ESET
2008-02-06 18:06 --------- d-----w C:\Documents and Settings\Korisnik.ALIEN-A7BFB5A78\Application Data\uTorrent
2008-02-06 14:33 --------- d-----w C:\Program Files\Valve
2008-02-06 14:30 --------- d-----w C:\Program Files\Sports Interactive
2008-02-01 15:05 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-01-27 22:38 --------- d-----w C:\Program Files\MSN Messenger
2008-01-27 22:38 --------- d-----w C:\Program Files\Messenger Plus! Live
2008-01-01 17:07 7,780 ----a-w C:\Documents and Settings\Korisnik.ALIEN-A7BFB5A78\FMCodec.dat
2007-12-18 11:41 --------- d-----w C:\Program Files\LHM2006
2007-12-14 15:00 --------- d-----w C:\Program Files\Dexter
2007-12-14 10:32 12,632 ----a-w C:\WINDOWS\system32\lsdelete.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-03 23:56 15360]
"MsnMsgr"="~C:\Program Files\MSN Messenger\MsnMsgr.exe" [ ]
"Gadwin PrintScreen 4.0"="D:\Gadwin Systems\PrintScreen\PrintScreen.exe" [2007-04-20 15:40 507904]
"SweetIM"="C:\Program Files\Macrogaming\SweetIM\SweetIM.exe" [2007-08-12 10:02 103712]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"FFTI"="C:\Documents and Settings\Korisnik.ALIEN-A7BFB5A78\Application Data\Mozilla\Firefox\Profiles\ng641r0p.default\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}\ffti.exe" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATICCC"="C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe" [2006-05-10 10:12 90112]
"nod32kui"="C:\Program Files\Eset\nod32kui.exe" [2006-08-23 06:50 917504]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe" [2005-11-10 12:03 36975]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 11:50 155648]
"Sony Ericsson PC Suite"="C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" [2005-10-26 16:17 159744]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [2005-06-06 23:46 57344]
"PWRISOVM.EXE"="C:\Program Files\Power ISO 3.8\PowerISO\PWRISOVM.EXE" [2007-08-07 01:05 200704]
"WinFastDTV"="C:\Program Files\WinFast\WFDTV\DTVSchdl.exe" [2006-12-06 15:57 69632]
"WinFast Schedule"="C:\Program Files\WinFast\WFDTV\WFWIZ.exe" [2006-12-04 11:01 372736]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2007-06-29 05:24 286720]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-03 23:56 15360]

R1 wfcxacap;WinFast TV PCI Audio Capture Driver;C:\WINDOWS\system32\DRIVERS\wfcxacap.sys [2006-08-07 09:50]
R2 wfcxatun;WinFast TV Analog Tuner Driver;C:\WINDOWS\system32\drivers\wfcxatun.sys [2006-08-07 09:53]
R2 WFCXVCAP;WinFast TV Video Capture Driver;C:\WINDOWS\system32\drivers\wfcxvcap.sys [2006-08-07 13:10]
R3 usnjsvc;Messenger Sharing Folders USN Journal Reader service;"C:\Program Files\MSN Messenger\usnsvc.exe" [2007-01-19 12:54]
R3 wfcxdtun;WinFast DTV BDA Tuner/Demod Driver;C:\WINDOWS\system32\drivers\wfcxdtun.sys [2006-08-07 09:56]
R3 wfcxtcap;WinFast DTV BDA Transport Stream Capture Driver;C:\WINDOWS\system32\drivers\wfcxtcap.sys [2006-08-07 09:54]
R3 wfcxxbar;WinFast TV Crossbar Driver;C:\WINDOWS\system32\drivers\wfcxxbar.sys [2006-08-07 14:04]
R3 WFIOCTL;WFIOCTL;C:\Program Files\WinFast\WFDTV\WFIOCTL.SYS [2005-01-06 15:55]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\H]
\Shell\AutoRun\command - H:\LaunchU3.exe -a

.
Contents of the 'Scheduled Tasks' folder
"2008-02-08 11:16:02 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [link visible only to logged-in users]
Rootkit scan 2008-02-13 21:55:50
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\lsass.exe [5.01.2600.2180]
-> C:\Program Files\Eset\pr_imon.dll
.
Completion time: 2008-02-13 21:56:29
ComboFix-quarantined-files.txt 2008-02-13 20:56:13
ComboFix2.txt 2008-02-13 20:12:54
ComboFix3.txt 2008-02-13 18:48:31
.
2008-01-10 11:09:56 --- E O F ---

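As an added triage aid (this is not part of the thread above and not ComboFix's own code): the script below parses lines from the log's "Files Created" section into records and flags newly created executables using three heuristics. It assumes the column order is creation time, then last-write time, then size, attributes and path, which is how the log above reads; the one-year backdating threshold, the folder check and the consonant-run name check are my own choices, not anything ComboFix does. Four sample lines are copied from the log above; the shrbdnit.dll line is constructed for the example (the file name appears in the log, its timestamps and size do not).

```python
import re
from datetime import datetime, timedelta

# One "Files Created" line: created . modified size attrs path
LINE_RE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. "
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2})\s+"
    r"(?P<size><DIR>|[\d,]+)\s+(?P<attrs>[-a-z]{9})\s+(?P<path>.*\S)\s*$"
)

# Four lines copied from the log above; the last line is constructed for this
# example (the file name appears in the log, the timestamps and size do not).
SAMPLE = r"""
2008-02-12 19:29 . 2004-08-03 23:56 388,608 --a------ C:\kmd.exe
2008-02-12 16:08 . 2008-02-12 16:08 <DIR> d-------- C:\Program Files\Lavasoft
2008-02-09 21:34 . 2005-06-24 16:24 438,272 -ra------ C:\WINDOWS\system32\vp6vfw.dll
2008-02-07 13:44 . 2008-02-07 13:44 1,409 --a------ C:\WINDOWS\QTFont.for
2008-02-12 19:40 . 2008-02-12 19:40 122,880 --a------ C:\WINDOWS\system32\shrbdnit.dll
"""

EXEC_EXT = {".exe", ".dll", ".sys", ".ax", ".ocx", ".scr"}
# Four or more consonants in a row in an all-lowercase name: a crude (my own)
# signal for random names like the shrbdnit / tkronmxp DLLs in this log.
CONSONANT_RUN = re.compile(r"[bcdfghjklmnpqrstvwxyz]{4,}")


def parse_entries(text):
    """Parse 'Files Created' lines into dicts; non-matching lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        is_dir = m["size"] == "<DIR>"
        entries.append({
            "created": datetime.strptime(m["created"], "%Y-%m-%d %H:%M"),
            "modified": datetime.strptime(m["modified"], "%Y-%m-%d %H:%M"),
            "is_dir": is_dir,
            "size": 0 if is_dir else int(m["size"].replace(",", "")),
            "attrs": m["attrs"],
            "path": m["path"],
        })
    return entries


def suspicious_reasons(entry, backdate=timedelta(days=365)):
    """Return the heuristic hits for one entry (empty list = nothing notable)."""
    if entry["is_dir"]:
        return []
    folder, _, name = entry["path"].rpartition("\\")
    stem, _, ext = name.rpartition(".")
    if "." + ext.lower() not in EXEC_EXT:
        return []
    reasons = []
    # The section only lists files created in the scan window, so a fresh
    # executable dropped straight into C:\ or system32 is worth a look.
    if folder.lower() in ("c:", r"c:\windows\system32"):
        reasons.append("new executable in drive root or system32")
    # Creation time far newer than last-write time: the file was copied in
    # with a pre-existing (or deliberately old) timestamp.
    if entry["created"] - entry["modified"] > backdate:
        reasons.append("last-write time predates creation by more than a year")
    if stem.isalpha() and stem.islower() and CONSONANT_RUN.search(stem):
        reasons.append("pseudo-random file name")
    return reasons


def triage(text):
    """Map each flagged path to its reasons, preserving log order."""
    result = {}
    for entry in parse_entries(text):
        reasons = suspicious_reasons(entry)
        if reasons:
            result[entry["path"]] = reasons
    return result


if __name__ == "__main__":
    for path, reasons in triage(SAMPLE).items():
        print(path)
        for reason in reasons:
            print("   -", reason)
```

On the sample this flags C:\kmd.exe for its location and for a last-write time more than three years older than its creation time, the same file helen1 asks to have uploaded for checking. It also flags vp6vfw.dll, a video codec DLL that was installed in the same window, and the consonant-run check will hit some short legitimate names too. The flags are pointers for a manual check, not a verdict; the thread's own order of operations (upload for checking first, delete only once confirmed) is the right one.
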
offline
  • helen1  Male
  • Anti Malware Fighter
    Rank 2
  • Master Teacher
  • Joined: 27 Aug 2005
  • Posts: 8643
  • Location: Novi Beograd

Please upload the following file for us to check:
C:\kmd.exe

via this link:
[link visible only to logged-in users]

offline
  • Joined: 12 Feb 2008
  • Posts: 9

I've uploaded it.

offline
  • helen1  Male
  • Anti Malware Fighter
    Rank 2
  • Master Teacher
  • Joined: 27 Aug 2005
  • Posts: 8643
  • Location: Novi Beograd

Delete the file:
C:\kmd.exe
