Looks like I picked up something dangerous

  • Joined: 19 Dec 2008
  • Posts: 89

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:03:39 AM, on 3/26/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.20861)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\McAfee\VirusScan Enterprise\EngineServer.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\mfevtps.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\TUProgSt.exe
C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\McAfee\Common Framework\udaterui.exe
C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE
C:\Program Files\McAfee\Common Framework\McTray.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\ekhwp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Program Files\Winamp\winamp.exe
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP .exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\explorer.exe
C:\Program Files\Opera\opera.exe
C:\Documents and Settings\SERVIS\Desktop\New Folder\TR3.exe.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = go.microsoft.com/fwlink/?LinkId=69157
R3 - URLSearchHook: TDI Toolbar - {964ed5ed-9595-43a1-bd83-9f831b5dbe7f} - C:\Program Files\TDI\tbTDI.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan Enterprise\scriptsn.dll
O2 - BHO: TDI Toolbar - {964ed5ed-9595-43a1-bd83-9f831b5dbe7f} - C:\Program Files\TDI\tbTDI.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: TDI Toolbar - {964ed5ed-9595-43a1-bd83-9f831b5dbe7f} - C:\Program Files\TDI\tbTDI.dll
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\McAfee\Common Framework\udaterui.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [ekhwp] C:\WINDOWS\system32\ekhwp.exe \u
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [cdoosoft] C:\WINDOWS\system32\olhrwef.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [32NFG94-H61-2SF-N1P-5M1ERH6L6] C:\RECYCLER\S-1-5-21-2264224754-0585302854-501895927-3940\winIgn.exe
O4 - HKCU\..\Run: [12CFG515-K641-55SF-N55P] C:\RECYCLER\S-1-5-21-0243336035-3055115375-381863305-1553\vslmq.exe
O4 - HKCU\..\Run: [12CFG515-K641-55SF-N66P] C:\RECYCLER\S-1-5-21-0243636035-3055115376-381863306-1556\pqlmq.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O13 - Gopher Prefix:
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: McAfee Engine Service (McAfeeEngineService) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\EngineServer.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\McAfee\Common Framework\FrameworkService.exe
O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
O23 - Service: McAfee Validation Trust Protection Service (mfevtp) - McAfee, Inc. - C:\WINDOWS\system32\mfevtps.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: TuneUp Drive Defrag Service (TuneUp.Defrag) - TuneUp Software - C:\WINDOWS\System32\TuneUpDefragService.exe
O23 - Service: TuneUp Program Statistics Service (TuneUp.ProgramStatisticsSvc) - TuneUp Software - C:\WINDOWS\System32\TUProgSt.exe

--
End of file - 6603 bytes

  • diarno  Male
  • Anti Malware Fighter
    Rank 2
  • Joined: 15 Jun 2007
  • Posts: 5572

That you picked up some vermin is certain... whether it's dangerous, we'll find out soon.

Do the following:

* Right-click the McAfee Antivirus icon in the bottom right corner of the screen and choose Exit.
* When prompted about disabling it, click Yes.

Note: Don't forget to turn this option back on once the cleanup is finished.

Download ComboFix from one of the following addresses to your Desktop:
http://download.bleepingcomputer.com/sUBs/ComboFix.exe
http://www.forospyware.com/sUBs/ComboFix.exe
http://subs.geekstogo.com/ComboFix.exe

Run it and do not touch the program window while it scans.
Follow the on-screen instructions. When it finishes, a log (C:\ComboFix.txt) will appear; copy it here for us.

  • Joined: 19 Dec 2008
  • Posts: 89

Here is the report from ComboFix:

ComboFix 09-03-25.03 - SERVIS 2009-03-26 10:42:57.5 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1535.1006 [GMT 1:00]
Running from: c:\documents and settings\SERVIS\Desktop\ComboFix.exe
AV: McAfee VirusScan Enterprise *On-access scanning disabled* (Outdated)
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\olhrwef.exe

.
((((((((((((((((((((((((( Files Created from 2009-02-26 to 2009-03-26 )))))))))))))))))))))))))))))))
.

2009-03-25 13:20 . 2009-03-25 13:44 23,052 -rahs---- c:\windows\system32\olhrwef.exe588736431
2009-03-25 13:20 . 2009-03-25 14:58 23,052 --a------ c:\windows\system32\olhrwef.exe2958778741
2009-03-25 13:20 . 2009-03-25 13:20 23,052 -rahs---- c:\windows\system32\olhrwef.exe1428382195
2009-03-25 10:28 . 2008-04-24 13:33 512,000 --a------ c:\windows\system32\zinlogon.tmp
2009-03-25 10:25 . 2009-03-25 10:25 30,464 --a------ c:\windows\system32\drivers\acpi32.sys
2009-03-25 10:24 . 2009-03-25 10:23 32,256 --a------ c:\windows\system32\ekhwp.exe
2009-03-25 10:24 . 2009-03-25 10:23 32,256 ---h----- c:\documents and settings\SERVIS\tprrnd.exe
2009-03-25 10:23 . 2009-03-25 10:23 163,840 --a------ c:\windows\system32\nvtpm32.dll
2009-03-25 10:23 . 2009-03-25 10:23 97,280 --a------ c:\windows\system32\azton.mt
2009-03-25 10:23 . 2009-03-26 09:27 64,512 --a------ c:\windows\system32\ewf3.pxf
2009-03-25 10:23 . 2009-03-25 10:23 32,768 --a------ c:\windows\system32\fe3.wa
2009-03-25 09:54 . 2009-03-25 09:54 <DIR> d-------- c:\documents and settings\All Users\Application Data\ParetoLogic Anti-Spyware
2009-03-24 13:21 . 2009-03-24 13:22 42 --a------ c:\documents and settings\SERVIS\Application Data\svighost.dll
2009-03-24 13:20 . 2009-03-24 13:20 <DIR> d-------- c:\program files\USBScan
2009-03-21 12:17 . 2009-03-26 10:20 <DIR> d-------- C:\QUARANTINE
2009-03-20 14:46 . 2009-03-20 14:46 69 --a------ c:\windows\NeroDigital.ini
2009-03-20 11:04 . 2009-03-20 11:05 <DIR> d-------- c:\program files\SopCast
2009-03-19 13:57 . 2009-03-19 15:44 <DIR> d-------- c:\documents and settings\SERVIS\Application Data\vlc
2009-03-19 13:52 . 2009-03-19 13:53 <DIR> d-------- c:\documents and settings\SERVIS\Application Data\MozillaControl
2009-03-19 13:52 . 2009-03-19 13:52 <DIR> d-------- c:\documents and settings\All Users\Application Data\Launcher
2009-03-19 13:52 . 2009-03-19 13:52 <DIR> d-------- c:\documents and settings\All Users\Application Data\Graboid Inc
2009-03-19 13:51 . 2009-03-19 13:51 <DIR> d-------- c:\program files\Mozilla ActiveX Control v1.7.12
2009-03-19 13:50 . 2009-03-19 13:50 <DIR> d-------- c:\program files\VideoLAN
2009-03-19 13:50 . 2009-03-19 13:51 <DIR> d-------- c:\program files\Graboid
2009-03-19 10:11 . 2009-03-19 10:15 <DIR> d-------- c:\documents and settings\SERVIS\Application Data\Ahead
2009-03-19 10:07 . 2009-03-19 10:07 <DIR> d-------- c:\program files\Nero
2009-03-19 10:07 . 2009-03-19 10:13 <DIR> d-------- c:\program files\Common Files\Ahead
2009-03-19 09:08 . 2009-03-19 09:07 110,053 -r-hs---- C:\q0dhfjf.exe
2009-03-18 12:50 . 2009-03-18 12:50 <DIR> d-------- c:\program files\TDI
2009-03-18 12:50 . 2009-03-18 12:50 <DIR> d-------- c:\program files\Conduit
2009-03-18 11:43 . 2009-03-20 14:26 <DIR> d-------- c:\program files\nLite
2009-03-17 16:25 . 2009-03-21 14:35 <DIR> d-------- c:\documents and settings\SERVIS\Application Data\BSplayer Pro
2009-03-17 16:24 . 2009-03-17 16:24 <DIR> d-------- c:\program files\Webteh
2009-03-17 16:23 . 2009-03-17 16:23 <DIR> d-------- c:\documents and settings\SERVIS\Application Data\Media Player Classic
2009-03-16 09:06 . 2009-03-17 09:04 111,435 -r-hs---- C:\luk1ylq.com
2009-03-14 14:07 . 2009-03-24 09:08 109,692 -rahs---- c:\windows\system32\olhrwef .exe
2009-03-14 14:07 . 2009-03-25 10:24 23,052 --a------ c:\windows\system32\olhrwef.exe2628598895
2009-03-14 09:42 . 2009-03-14 09:42 <DIR> d-------- c:\program files\Java
2009-03-14 09:42 . 2009-03-14 09:42 410,984 --a------ c:\windows\system32\deploytk.dll
2009-03-14 09:42 . 2009-03-14 09:42 73,728 --a------ c:\windows\system32\javacpl.cpl
2009-03-13 22:56 . 2003-06-18 17:31 17,920 --a------ c:\windows\system32\mdimon.dll
2009-03-13 22:56 . 2009-03-13 22:56 376 --a------ c:\windows\ODBC.INI
2009-03-13 22:54 . 2009-03-13 22:54 <DIR> d-------- c:\program files\Common Files\L&H
2009-03-13 22:53 . 2009-03-13 22:53 <DIR> d-------- c:\program files\Microsoft.NET
2009-03-13 22:53 . 2009-03-13 22:53 <DIR> d-------- c:\program files\Microsoft ActiveSync
2009-03-13 22:52 . 2009-03-13 22:52 <DIR> d-------- c:\program files\Microsoft Works
2009-03-13 22:51 . 2009-03-13 22:53 <DIR> d-------- c:\windows\SHELLNEW
2009-03-13 22:48 . 2009-03-13 22:48 <DIR> dr-h----- C:\MSOCache
2009-03-13 22:44 . 1998-10-29 16:45 306,688 --a------ c:\windows\IsUninst.exe
2009-03-13 22:43 . 2009-03-13 22:43 <DIR> d-------- c:\program files\K-Lite Codec Pack
2009-03-13 22:43 . 2008-03-21 21:30 3,596,288 --a------ c:\windows\system32\qt-dx331.dll
2009-03-13 22:43 . 2008-01-10 13:15 755,027 --a------ c:\windows\system32\xvidcore.dll
2009-03-13 22:43 . 2008-03-31 22:25 682,496 --a------ c:\windows\system32\divx.dll
2009-03-13 22:43 . 2006-09-24 16:11 389,120 --a------ c:\windows\system32\lameACM.acm
2009-03-13 22:43 . 2004-01-25 17:18 217,088 --a------ c:\windows\system32\yv12vfw.dll
2009-03-13 22:43 . 2007-09-04 17:56 164,352 --a------ c:\windows\system32\unrar.dll
2009-03-13 22:43 . 2008-01-10 13:16 159,839 --a------ c:\windows\system32\xvidvfw.dll
2009-03-13 22:43 . 2007-09-21 01:52 118,784 --a------ c:\windows\system32\ac3acm.acm
2009-03-13 22:43 . 2008-03-21 21:28 81,920 --a------ c:\windows\system32\dpl100.dll
2009-03-13 22:43 . 2008-03-28 18:41 7,680 --a------ c:\windows\system32\ff_vfw.dll
2009-03-13 22:43 . 2007-07-10 17:10 547 --a------ c:\windows\system32\ff_vfw.dll.manifest
2009-03-13 22:43 . 2007-10-03 16:03 414 --a------ c:\windows\system32\lame_acm.xml
2009-03-13 22:42 . 2009-03-13 22:44 <DIR> d-------- c:\program files\Common Files\Adobe
2009-03-13 11:14 . 2009-03-13 11:14 603,904 --a------ c:\windows\system32\TUProgSt.exe
2009-03-13 11:14 . 2009-03-13 11:14 360,192 --a------ c:\windows\system32\TuneUpDefragService.exe
2009-03-13 11:14 . 2008-12-11 13:31 27,904 --a------ c:\windows\system32\uxtuneup.dll
2009-03-13 11:12 . 2009-03-23 09:38 <DIR> d-------- c:\program files\TuneUp Utilities 2009
2009-03-13 11:12 . 2009-03-13 11:12 <DIR> d-------- c:\documents and settings\SERVIS\Application Data\TuneUp Software
2009-03-13 11:12 . 2009-03-13 11:12 <DIR> d-------- c:\documents and settings\All Users\Application Data\TuneUp Software
2009-03-13 11:11 . 2009-03-13 11:11 <DIR> d--hs---- c:\documents and settings\All Users\Application Data\{55A29068-F2CE-456C-9148-C869879E2357}
2009-03-13 11:07 . 2009-03-13 11:07 <DIR> d-------- c:\program files\Opera

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-03-25 09:23 578,560 ----a-w c:\windows\system32\user32.DLL
2009-01-16 07:19 1,614,848 ----a-w c:\windows\system32\sfcfiles.dll
2009-01-10 07:58 990,208 ----a-w c:\windows\system32\syssetup.dll
2002-01-03 21:15 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012002010320020104\index.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{964ed5ed-9595-43a1-bd83-9f831b5dbe7f}"= "c:\program files\TDI\tbTDI.dll" [2009-03-10 2079256]

[HKEY_CLASSES_ROOT\clsid\{964ed5ed-9595-43a1-bd83-9f831b5dbe7f}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{964ed5ed-9595-43a1-bd83-9f831b5dbe7f}]
2009-03-10 11:47 2079256 --a------ c:\program files\TDI\tbTDI.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{964ed5ed-9595-43a1-bd83-9f831b5dbe7f}"= "c:\program files\TDI\tbTDI.dll" [2009-03-10 2079256]

[HKEY_CLASSES_ROOT\clsid\{964ed5ed-9595-43a1-bd83-9f831b5dbe7f}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{964ED5ED-9595-43A1-BD83-9F831B5DBE7F}"= "c:\program files\TDI\tbTDI.dll" [2009-03-10 2079256]

[HKEY_CLASSES_ROOT\clsid\{964ed5ed-9595-43a1-bd83-9f831b5dbe7f}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2006-10-09 139264]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WinampAgent"="c:\program files\Winamp\winampa.exe" [2009-03-09 37888]
"McAfeeUpdaterUI"="c:\program files\McAfee\Common Framework\udaterui.exe" [2008-03-14 136512]
"ShStatEXE"="c:\program files\McAfee\VirusScan Enterprise\SHSTAT.EXE" [2008-09-29 124240]
"SoundMAXPnP"="c:\program files\Analog Devices\SoundMAX\SMax4PNP.exe" [2009-03-26 23052]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 40048]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-14 148888]
"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2009-03-26 23052]
"ekhwp"="c:\windows\system32\ekhwp.exe" [2009-03-25 32256]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\McAfeeEngineService]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\McAfee\\Common Framework\\FrameworkService.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=
"c:\\Program Files\\Java\\jre6\\launch4j-tmp\\JDownloader.exe"=
"c:\\WINDOWS\\system32\\java.exe"=
"c:\\Program Files\\SopCast\\adv\\SopAdver.exe"=
"c:\\Program Files\\SopCast\\SopCast.exe"=
"c:\\Program Files\\Winamp\\winampa.exe"=
"c:\\Documents and Settings\\SERVIS\\tprrnd.exe"=
"c:\\WINDOWS\\system32\\ekhwp.exe"=

R2 McAfeeEngineService;McAfee Engine Service;c:\program files\McAfee\VirusScan Enterprise\EngineServer.exe [2008-09-29 19456]
R2 mfevtp;McAfee Validation Trust Protection Service;c:\windows\system32\mfevtps.exe [2002-01-03 67904]
R2 TuneUp.ProgramStatisticsSvc;TuneUp Program Statistics Service;c:\windows\system32\TUProgSt.exe [2009-03-13 603904]
S2 acpi32;acpi32;c:\windows\system32\drivers\acpi32.sys [2009-03-25 30464]
S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [2002-01-03 64432]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{59509d7b-0093-11d6-aee6-806d6172696f}]
\Shell\AutoRun\command - E:\SETUP.EXE /AUTORUN
\Shell\configure\command - E:\SETUP.EXE
\Shell\install\command - E:\SETUP.EXE

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{5a194e63-1536-11de-a6d5-001731315163}]
\Shell\AutoRun\command - G:\xsia.bat
\Shell\open\Command - G:\xsia.bat
.
Contents of the 'Scheduled Tasks' folder

2009-03-26 c:\windows\Tasks\1-Click Maintenance.job
- c:\program files\TuneUp Utilities 2009\OneClickStarter.exe [2008-12-11 21:36]

2009-03-25 c:\windows\Tasks\Pareto UNS.job
- c:\program files\Common Files\ParetoLogic\UUS\UUS.dll\Pareto_Update.exe []
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-cdoosoft - c:\windows\system32\olhrwef.exe
HKCU-Run-32NFG94-H61-2SF-N1P-5M1ERH6L6 - c:\recycler\S-1-5-21-2264224754-0585302854-501895927-3940\winIgn.exe
HKCU-Run-12CFG515-K641-55SF-N55P - c:\recycler\S-1-5-21-0243336035-3055115375-381863305-1553\vslmq.exe
HKCU-Run-12CFG515-K641-55SF-N66P - c:\recycler\S-1-5-21-0243636035-3055115376-381863306-1556\pqlmq.exe


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, gmer.net
Rootkit scan 2009-03-26 10:45:39
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2009-03-26 10:47:50
ComboFix-quarantined-files.txt 2009-03-26 09:47:46
ComboFix2.txt 2009-03-26 09:00:12

Pre-Run: 20,898,287,616 bytes free
Post-Run: 20,888,854,528 bytes free


  • diarno  Male
  • Anti Malware Fighter
    Rank 2
  • Joined: 15 Jun 2007
  • Posts: 5572

You have a charming collection here.

Open Notepad and copy the following text into it:

File::
c:\windows\system32\olhrwef.exe588736431
c:\windows\system32\olhrwef.exe2958778741
c:\windows\system32\olhrwef.exe1428382195
c:\windows\system32\zinlogon.tmp
c:\windows\system32\drivers\acpi32.sys
c:\windows\system32\ekhwp.exe
c:\documents and settings\SERVIS\tprrnd.exe
c:\windows\system32\nvtpm32.dll
c:\windows\system32\azton.mt
c:\windows\system32\ewf3.pxf
c:\documents and settings\SERVIS\Application Data\svighost.dll
C:\q0dhfjf.exe
C:\luk1ylq.com
c:\windows\system32\olhrwef.exe2628598895

Driver::
acpi32

Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ekhwp"=-
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\WINDOWS\\system32\\ekhwp.exe"=-
"c:\\Documents and Settings\\SERVIS\\tprrnd.exe"=-
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{5a194e63-1536-11de-a6d5-001731315163}]


Save the file from Notepad to the Desktop as "CFScript".

Drag the saved script/text onto the ComboFix icon as shown in the picture.
Post the log that is produced at the end of the cleanup/scan in your next message.

  • Joined: 19 Dec 2008
  • Posts: 89

ComboFix 09-03-25.03 - SERVIS 2009-03-26 12:11:23.6 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1535.987 [GMT 1:00]
Running from: c:\documents and settings\SERVIS\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\SERVIS\Desktop\CFScript.txt
AV: McAfee VirusScan Enterprise *On-access scanning disabled* (Outdated)
* Created a new restore point

FILE ::
c:\documents and settings\SERVIS\Application Data\svighost.dll
c:\documents and settings\SERVIS\tprrnd.exe
C:\luk1ylq.com
C:\q0dhfjf.exe
c:\windows\system32\azton.mt
c:\windows\system32\drivers\acpi32.sys
c:\windows\system32\ekhwp.exe
c:\windows\system32\ewf3.pxf
c:\windows\system32\nvtpm32.dll
c:\windows\system32\olhrwef.exe1428382195
c:\windows\system32\olhrwef.exe2628598895
c:\windows\system32\olhrwef.exe2958778741
c:\windows\system32\olhrwef.exe588736431
c:\windows\system32\zinlogon.tmp
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\SERVIS\Application Data\svighost.dll
c:\documents and settings\SERVIS\tprrnd.exe
C:\luk1ylq.com
C:\q0dhfjf.exe
c:\windows\system32\azton.mt
c:\windows\system32\drivers\acpi32.sys
c:\windows\system32\ekhwp.exe
c:\windows\system32\ewf3.pxf
c:\windows\system32\nvtpm32.dll
c:\windows\system32\olhrwef.exe1428382195
c:\windows\system32\olhrwef.exe2628598895
c:\windows\system32\olhrwef.exe2958778741
c:\windows\system32\olhrwef.exe588736431
c:\windows\system32\zinlogon.tmp

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_ACPI32
-------\Service_acpi32


((((((((((((((((((((((((( Files Created from 2009-02-26 to 2009-03-26 )))))))))))))))))))))))))))))))
.

2009-03-26 11:25 . 2009-03-26 11:33 <DIR> d-------- c:\program files\DriverGuide Toolkit
2009-03-25 10:23 . 2009-03-25 10:23 32,768 --a------ c:\windows\system32\fe3.wa
2009-03-25 09:54 . 2009-03-25 09:54 <DIR> d-------- c:\documents and settings\All Users\Application Data\ParetoLogic Anti-Spyware
2009-03-24 13:20 . 2009-03-24 13:20 <DIR> d-------- c:\program files\USBScan
2009-03-21 12:17 . 2009-03-26 10:20 <DIR> d-------- C:\QUARANTINE
2009-03-20 14:46 . 2009-03-20 14:46 69 --a------ c:\windows\NeroDigital.ini
2009-03-20 11:04 . 2009-03-20 11:05 <DIR> d-------- c:\program files\SopCast
2009-03-19 13:57 . 2009-03-19 15:44 <DIR> d-------- c:\documents and settings\SERVIS\Application Data\vlc
2009-03-19 13:52 . 2009-03-19 13:53 <DIR> d-------- c:\documents and settings\SERVIS\Application Data\MozillaControl
2009-03-19 13:52 . 2009-03-19 13:52 <DIR> d-------- c:\documents and settings\All Users\Application Data\Launcher
2009-03-19 13:52 . 2009-03-19 13:52 <DIR> d-------- c:\documents and settings\All Users\Application Data\Graboid Inc
2009-03-19 13:51 . 2009-03-19 13:51 <DIR> d-------- c:\program files\Mozilla ActiveX Control v1.7.12
2009-03-19 13:50 . 2009-03-19 13:50 <DIR> d-------- c:\program files\VideoLAN
2009-03-19 13:50 . 2009-03-19 13:51 <DIR> d-------- c:\program files\Graboid
2009-03-19 10:11 . 2009-03-19 10:15 <DIR> d-------- c:\documents and settings\SERVIS\Application Data\Ahead
2009-03-19 10:07 . 2009-03-19 10:07 <DIR> d-------- c:\program files\Nero
2009-03-19 10:07 . 2009-03-19 10:13 <DIR> d-------- c:\program files\Common Files\Ahead
2009-03-18 12:50 . 2009-03-18 12:50 <DIR> d-------- c:\program files\TDI
2009-03-18 12:50 . 2009-03-18 12:50 <DIR> d-------- c:\program files\Conduit
2009-03-18 11:43 . 2009-03-20 14:26 <DIR> d-------- c:\program files\nLite
2009-03-17 16:25 . 2009-03-21 14:35 <DIR> d-------- c:\documents and settings\SERVIS\Application Data\BSplayer Pro
2009-03-17 16:24 . 2009-03-17 16:24 <DIR> d-------- c:\program files\Webteh
2009-03-17 16:23 . 2009-03-17 16:23 <DIR> d-------- c:\documents and settings\SERVIS\Application Data\Media Player Classic
2009-03-14 14:07 . 2009-03-24 09:08 109,692 -rahs---- c:\windows\system32\olhrwef .exe
2009-03-14 09:42 . 2009-03-14 09:42 <DIR> d-------- c:\program files\Java
2009-03-14 09:42 . 2009-03-14 09:42 410,984 --a------ c:\windows\system32\deploytk.dll
2009-03-14 09:42 . 2009-03-14 09:42 73,728 --a------ c:\windows\system32\javacpl.cpl
2009-03-13 22:56 . 2003-06-18 17:31 17,920 --a------ c:\windows\system32\mdimon.dll
2009-03-13 22:56 . 2009-03-13 22:56 376 --a------ c:\windows\ODBC.INI
2009-03-13 22:54 . 2009-03-13 22:54 <DIR> d-------- c:\program files\Common Files\L&H
2009-03-13 22:53 . 2009-03-13 22:53 <DIR> d-------- c:\program files\Microsoft.NET
2009-03-13 22:53 . 2009-03-13 22:53 <DIR> d-------- c:\program files\Microsoft ActiveSync
2009-03-13 22:52 . 2009-03-13 22:52 <DIR> d-------- c:\program files\Microsoft Works
2009-03-13 22:51 . 2009-03-13 22:53 <DIR> d-------- c:\windows\SHELLNEW
2009-03-13 22:48 . 2009-03-13 22:48 <DIR> dr-h----- C:\MSOCache
2009-03-13 22:44 . 1998-10-29 16:45 306,688 --a------ c:\windows\IsUninst.exe
2009-03-13 22:43 . 2009-03-13 22:43 <DIR> d-------- c:\program files\K-Lite Codec Pack
2009-03-13 22:43 . 2008-03-21 21:30 3,596,288 --a------ c:\windows\system32\qt-dx331.dll
2009-03-13 22:43 . 2008-01-10 13:15 755,027 --a------ c:\windows\system32\xvidcore.dll
2009-03-13 22:43 . 2008-03-31 22:25 682,496 --a------ c:\windows\system32\divx.dll
2009-03-13 22:43 . 2006-09-24 16:11 389,120 --a------ c:\windows\system32\lameACM.acm
2009-03-13 22:43 . 2004-01-25 17:18 217,088 --a------ c:\windows\system32\yv12vfw.dll
2009-03-13 22:43 . 2007-09-04 17:56 164,352 --a------ c:\windows\system32\unrar.dll
2009-03-13 22:43 . 2008-01-10 13:16 159,839 --a------ c:\windows\system32\xvidvfw.dll
2009-03-13 22:43 . 2007-09-21 01:52 118,784 --a------ c:\windows\system32\ac3acm.acm
2009-03-13 22:43 . 2008-03-21 21:28 81,920 --a------ c:\windows\system32\dpl100.dll
2009-03-13 22:43 . 2008-03-28 18:41 7,680 --a------ c:\windows\system32\ff_vfw.dll
2009-03-13 22:43 . 2007-07-10 17:10 547 --a------ c:\windows\system32\ff_vfw.dll.manifest
2009-03-13 22:43 . 2007-10-03 16:03 414 --a------ c:\windows\system32\lame_acm.xml
2009-03-13 22:42 . 2009-03-13 22:44 <DIR> d-------- c:\program files\Common Files\Adobe
2009-03-13 11:14 . 2009-03-13 11:14 603,904 --a------ c:\windows\system32\TUProgSt.exe
2009-03-13 11:14 . 2009-03-13 11:14 360,192 --a------ c:\windows\system32\TuneUpDefragService.exe
2009-03-13 11:14 . 2008-12-11 13:31 27,904 --a------ c:\windows\system32\uxtuneup.dll
2009-03-13 11:12 . 2009-03-23 09:38 <DIR> d-------- c:\program files\TuneUp Utilities 2009
2009-03-13 11:12 . 2009-03-13 11:12 <DIR> d-------- c:\documents and settings\SERVIS\Application Data\TuneUp Software
2009-03-13 11:12 . 2009-03-13 11:12 <DIR> d-------- c:\documents and settings\All Users\Application Data\TuneUp Software
2009-03-13 11:11 . 2009-03-13 11:11 <DIR> d--hs---- c:\documents and settings\All Users\Application Data\{55A29068-F2CE-456C-9148-C869879E2357}
2009-03-13 11:07 . 2009-03-13 11:07 <DIR> d-------- c:\program files\Opera

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-03-25 09:23 578,560 ----a-w c:\windows\system32\user32.DLL
2009-01-16 07:19 1,614,848 ----a-w c:\windows\system32\sfcfiles.dll
2009-01-10 07:58 990,208 ----a-w c:\windows\system32\syssetup.dll
2002-01-03 21:15 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012002010320020104\index.dat
.

((((((((((((((((((((((((((((( SnapShot@2009-03-26_ 9.58.48.53 )))))))))))))))))))))))))))))))))))))))))
.
+ 2005-10-20 19:02:28 163,328 ----a-w c:\windows\ERDNT\subs\ERDNT.EXE
- 2008-04-14 11:00:00 1,384,479 ----a-w c:\windows\system32\msvbvm60.dll
+ 2004-02-23 08:00:00 1,386,496 ----a-w c:\windows\system32\msvbvm60.dll
+ 2009-03-26 11:15:31 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_238.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{964ed5ed-9595-43a1-bd83-9f831b5dbe7f}"= "c:\program files\TDI\tbTDI.dll" [2009-03-10 2079256]

[HKEY_CLASSES_ROOT\clsid\{964ed5ed-9595-43a1-bd83-9f831b5dbe7f}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{964ed5ed-9595-43a1-bd83-9f831b5dbe7f}]
2009-03-10 11:47 2079256 --a------ c:\program files\TDI\tbTDI.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{964ed5ed-9595-43a1-bd83-9f831b5dbe7f}"= "c:\program files\TDI\tbTDI.dll" [2009-03-10 2079256]

[HKEY_CLASSES_ROOT\clsid\{964ed5ed-9595-43a1-bd83-9f831b5dbe7f}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{964ED5ED-9595-43A1-BD83-9F831B5DBE7F}"= "c:\program files\TDI\tbTDI.dll" [2009-03-10 2079256]

[HKEY_CLASSES_ROOT\clsid\{964ed5ed-9595-43a1-bd83-9f831b5dbe7f}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2006-10-09 139264]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WinampAgent"="c:\program files\Winamp\winampa.exe" [2009-03-09 37888]
"McAfeeUpdaterUI"="c:\program files\McAfee\Common Framework\udaterui.exe" [2008-03-14 136512]
"ShStatEXE"="c:\program files\McAfee\VirusScan Enterprise\SHSTAT.EXE" [2008-09-29 124240]
"SoundMAXPnP"="c:\program files\Analog Devices\SoundMAX\SMax4PNP.exe" [2009-03-26 23052]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 40048]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-14 148888]
"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2009-03-26 23052]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\McAfeeEngineService]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\McAfee\\Common Framework\\FrameworkService.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=
"c:\\Program Files\\Java\\jre6\\launch4j-tmp\\JDownloader.exe"=
"c:\\WINDOWS\\system32\\java.exe"=
"c:\\Program Files\\SopCast\\adv\\SopAdver.exe"=
"c:\\Program Files\\SopCast\\SopCast.exe"=
"c:\\Program Files\\Winamp\\winampa.exe"=

R2 McAfeeEngineService;McAfee Engine Service;c:\program files\McAfee\VirusScan Enterprise\EngineServer.exe [2008-09-29 19456]
R2 mfevtp;McAfee Validation Trust Protection Service;c:\windows\system32\mfevtps.exe [2002-01-03 67904]
R2 TuneUp.ProgramStatisticsSvc;TuneUp Program Statistics Service;c:\windows\system32\TUProgSt.exe [2009-03-13 603904]
S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [2002-01-03 64432]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{59509d7b-0093-11d6-aee6-806d6172696f}]
\Shell\AutoRun\command - E:\SETUP.EXE /AUTORUN
\Shell\configure\command - E:\SETUP.EXE
\Shell\install\command - E:\SETUP.EXE
.
Contents of the 'Scheduled Tasks' folder

2009-03-26 c:\windows\Tasks\1-Click Maintenance.job
- c:\program files\TuneUp Utilities 2009\OneClickStarter.exe [2008-12-11 21:36]

2009-03-25 c:\windows\Tasks\Pareto UNS.job
- c:\program files\Common Files\ParetoLogic\UUS\UUS.dll\Pareto_Update.exe []
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, gmer.net
Rootkit scan 2009-03-26 12:16:57
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


c:\windows\system32\ctfmon.exe2811881968 15360 bytes executable

scan completed successfully
hidden files: 1

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\McAfee\Common Framework\FrameworkService.exe
c:\program files\McAfee\VirusScan Enterprise\VsTskMgr.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\McAfee\Common Framework\naPrdMgr.exe
c:\program files\Analog Devices\SoundMAX\SMAgent.exe
c:\program files\McAfee\VirusScan Enterprise\Mcshield.exe
c:\program files\McAfee\VirusScan Enterprise\mfeann.exe
c:\program files\McAfee\Common Framework\McTray.exe
c:\windows\system32\ctfmon.exe2811881968NEROCHECK.EXE
c:\program files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
c:\windows\system32\wscntfy.exe
c:\program files\Analog Devices\SoundMAX\smax4pnp .exe
c:\program files\Internet Explorer\IEXPLORE.EXE
.
**************************************************************************
.
Completion time: 2009-03-26 12:19:16 - machine was rebooted
ComboFix-quarantined-files.txt 2009-03-26 11:19:12
ComboFix2.txt 2009-03-26 09:47:52
ComboFix3.txt 2009-03-26 09:00:12

Pre-Run: 20,846,649,344 bytes free
Post-Run: 20,783,452,160 bytes free


offline
  • diarno  Male
  • Anti Malware Fighter
    Rank 2
  • Joined: 15 Jun 2007
  • Posts: 5572

Download gmer.zip from this link and save it to the Desktop.
Unpack it into a folder.

Double-click gmer.exe to start: select the Rootkit/Malware tab at the top.
Click Scan.
When the scan is finished, click the Copy button below - this will save the scan results to the Clipboard.
Use the Paste option in Notepad to turn that into text. Save that text from Notepad as file1.txt.
Repeat the same with the Autostart tab. Save that text from Notepad as file2.txt.


Use the Attach file option below the message box on the forum and attach here the two files we just saved.

offline
  • Joined: 19 Dec 2008
  • Posts: 89

Update: 26 Mar 2009 14:04


offline
  • diarno  Male
  • Anti Malware Fighter
    Rank 2
  • Joined: 15 Jun 2007
  • Posts: 5572

Open Notepad and copy the following text:

File::
c:\windows\system32\olhrwef .exe
c:\windows\system32\fe3.wa


Save the file from Notepad to the Desktop as "CFScript"




Drag the saved script/text onto the ComboFix icon as shown in the picture.
In your next message, post the log that is produced at the end of the cleaning/scan.

offline
  • Joined: 19 Dec 2008
  • Posts: 89

ComboFix 09-03-26.03 - SERVIS 2009-03-27 9:05:49.7 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1535.1075 [GMT 1:00]
Running from: c:\documents and settings\SERVIS\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\SERVIS\Desktop\CFScript.txt
AV: McAfee VirusScan Enterprise *On-access scanning disabled* (Outdated)
* Created a new restore point

FILE ::
c:\windows\system32\fe3.wa
c:\windows\system32\olhrwef .exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\fe3.wa
c:\windows\system32\olhrwef .exe

.
((((((((((((((((((((((((( Files Created from 2009-02-27 to 2009-03-27 )))))))))))))))))))))))))))))))
.

2009-03-26 11:25 . 2009-03-26 11:33 <DIR> d-------- c:\program files\DriverGuide Toolkit
2009-03-25 09:54 . 2009-03-25 09:54 <DIR> d-------- c:\documents and settings\All Users\Application Data\ParetoLogic Anti-Spyware
2009-03-24 13:20 . 2009-03-24 13:20 <DIR> d-------- c:\program files\USBScan
2009-03-21 12:17 . 2009-03-26 10:20 <DIR> d-------- C:\QUARANTINE
2009-03-20 14:46 . 2009-03-20 14:46 69 --a------ c:\windows\NeroDigital.ini
2009-03-20 11:04 . 2009-03-20 11:05 <DIR> d-------- c:\program files\SopCast
2009-03-19 13:57 . 2009-03-19 15:44 <DIR> d-------- c:\documents and settings\SERVIS\Application Data\vlc
2009-03-19 13:52 . 2009-03-19 13:53 <DIR> d-------- c:\documents and settings\SERVIS\Application Data\MozillaControl
2009-03-19 13:52 . 2009-03-19 13:52 <DIR> d-------- c:\documents and settings\All Users\Application Data\Launcher
2009-03-19 13:52 . 2009-03-19 13:52 <DIR> d-------- c:\documents and settings\All Users\Application Data\Graboid Inc
2009-03-19 13:51 . 2009-03-19 13:51 <DIR> d-------- c:\program files\Mozilla ActiveX Control v1.7.12
2009-03-19 13:50 . 2009-03-19 13:50 <DIR> d-------- c:\program files\VideoLAN
2009-03-19 13:50 . 2009-03-19 13:51 <DIR> d-------- c:\program files\Graboid
2009-03-19 10:11 . 2009-03-19 10:15 <DIR> d-------- c:\documents and settings\SERVIS\Application Data\Ahead
2009-03-19 10:07 . 2009-03-19 10:07 <DIR> d-------- c:\program files\Nero
2009-03-19 10:07 . 2009-03-19 10:13 <DIR> d-------- c:\program files\Common Files\Ahead
2009-03-18 12:50 . 2009-03-18 12:50 <DIR> d-------- c:\program files\TDI
2009-03-18 12:50 . 2009-03-18 12:50 <DIR> d-------- c:\program files\Conduit
2009-03-18 11:43 . 2009-03-20 14:26 <DIR> d-------- c:\program files\nLite
2009-03-17 16:25 . 2009-03-21 14:35 <DIR> d-------- c:\documents and settings\SERVIS\Application Data\BSplayer Pro
2009-03-17 16:24 . 2009-03-17 16:24 <DIR> d-------- c:\program files\Webteh
2009-03-17 16:23 . 2009-03-17 16:23 <DIR> d-------- c:\documents and settings\SERVIS\Application Data\Media Player Classic
2009-03-14 09:42 . 2009-03-14 09:42 <DIR> d-------- c:\program files\Java
2009-03-14 09:42 . 2009-03-14 09:42 410,984 --a------ c:\windows\system32\deploytk.dll
2009-03-14 09:42 . 2009-03-14 09:42 73,728 --a------ c:\windows\system32\javacpl.cpl
2009-03-13 22:56 . 2003-06-18 17:31 17,920 --a------ c:\windows\system32\mdimon.dll
2009-03-13 22:56 . 2009-03-13 22:56 376 --a------ c:\windows\ODBC.INI
2009-03-13 22:54 . 2009-03-13 22:54 <DIR> d-------- c:\program files\Common Files\L&H
2009-03-13 22:53 . 2009-03-13 22:53 <DIR> d-------- c:\program files\Microsoft.NET
2009-03-13 22:53 . 2009-03-13 22:53 <DIR> d-------- c:\program files\Microsoft ActiveSync
2009-03-13 22:52 . 2009-03-13 22:52 <DIR> d-------- c:\program files\Microsoft Works
2009-03-13 22:51 . 2009-03-13 22:53 <DIR> d-------- c:\windows\SHELLNEW
2009-03-13 22:48 . 2009-03-13 22:48 <DIR> dr-h----- C:\MSOCache
2009-03-13 22:44 . 1998-10-29 16:45 306,688 --a------ c:\windows\IsUninst.exe
2009-03-13 22:43 . 2009-03-13 22:43 <DIR> d-------- c:\program files\K-Lite Codec Pack
2009-03-13 22:43 . 2008-03-21 21:30 3,596,288 --a------ c:\windows\system32\qt-dx331.dll
2009-03-13 22:43 . 2008-01-10 13:15 755,027 --a------ c:\windows\system32\xvidcore.dll
2009-03-13 22:43 . 2008-03-31 22:25 682,496 --a------ c:\windows\system32\divx.dll
2009-03-13 22:43 . 2006-09-24 16:11 389,120 --a------ c:\windows\system32\lameACM.acm
2009-03-13 22:43 . 2004-01-25 17:18 217,088 --a------ c:\windows\system32\yv12vfw.dll
2009-03-13 22:43 . 2007-09-04 17:56 164,352 --a------ c:\windows\system32\unrar.dll
2009-03-13 22:43 . 2008-01-10 13:16 159,839 --a------ c:\windows\system32\xvidvfw.dll
2009-03-13 22:43 . 2007-09-21 01:52 118,784 --a------ c:\windows\system32\ac3acm.acm
2009-03-13 22:43 . 2008-03-21 21:28 81,920 --a------ c:\windows\system32\dpl100.dll
2009-03-13 22:43 . 2008-03-28 18:41 7,680 --a------ c:\windows\system32\ff_vfw.dll
2009-03-13 22:43 . 2007-07-10 17:10 547 --a------ c:\windows\system32\ff_vfw.dll.manifest
2009-03-13 22:43 . 2007-10-03 16:03 414 --a------ c:\windows\system32\lame_acm.xml
2009-03-13 22:42 . 2009-03-13 22:44 <DIR> d-------- c:\program files\Common Files\Adobe
2009-03-13 11:14 . 2009-03-13 11:14 603,904 --a------ c:\windows\system32\TUProgSt.exe
2009-03-13 11:14 . 2009-03-13 11:14 360,192 --a------ c:\windows\system32\TuneUpDefragService.exe
2009-03-13 11:14 . 2008-12-11 13:31 27,904 --a------ c:\windows\system32\uxtuneup.dll
2009-03-13 11:12 . 2009-03-23 09:38 <DIR> d-------- c:\program files\TuneUp Utilities 2009
2009-03-13 11:12 . 2009-03-13 11:12 <DIR> d-------- c:\documents and settings\SERVIS\Application Data\TuneUp Software
2009-03-13 11:12 . 2009-03-13 11:12 <DIR> d-------- c:\documents and settings\All Users\Application Data\TuneUp Software
2009-03-13 11:11 . 2009-03-13 11:11 <DIR> d--hs---- c:\documents and settings\All Users\Application Data\{55A29068-F2CE-456C-9148-C869879E2357}
2009-03-13 11:07 . 2009-03-13 11:07 <DIR> d-------- c:\program files\Opera

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-03-25 09:23 578,560 ----a-w c:\windows\system32\user32.DLL
2009-01-16 07:19 1,614,848 ----a-w c:\windows\system32\sfcfiles.dll
2009-01-10 07:58 990,208 ----a-w c:\windows\system32\syssetup.dll
2002-01-03 21:15 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012002010320020104\index.dat
.

((((((((((((((((((((((((((((( SnapShot@2009-03-26_ 9.58.48.53 )))))))))))))))))))))))))))))))))))))))))
.
+ 2005-10-20 19:02:28 163,328 ----a-w c:\windows\ERDNT\subs\ERDNT.EXE
- 2008-04-14 11:00:00 1,384,479 ----a-w c:\windows\system32\msvbvm60.dll
+ 2004-02-23 08:00:00 1,386,496 ----a-w c:\windows\system32\msvbvm60.dll
+ 2009-03-27 07:59:02 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_4c4.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{964ed5ed-9595-43a1-bd83-9f831b5dbe7f}"= "c:\program files\TDI\tbTDI.dll" [2009-03-10 2079256]

[HKEY_CLASSES_ROOT\clsid\{964ed5ed-9595-43a1-bd83-9f831b5dbe7f}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{964ed5ed-9595-43a1-bd83-9f831b5dbe7f}]
2009-03-10 11:47 2079256 --a------ c:\program files\TDI\tbTDI.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{964ed5ed-9595-43a1-bd83-9f831b5dbe7f}"= "c:\program files\TDI\tbTDI.dll" [2009-03-10 2079256]

[HKEY_CLASSES_ROOT\clsid\{964ed5ed-9595-43a1-bd83-9f831b5dbe7f}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{964ED5ED-9595-43A1-BD83-9F831B5DBE7F}"= "c:\program files\TDI\tbTDI.dll" [2009-03-10 2079256]

[HKEY_CLASSES_ROOT\clsid\{964ed5ed-9595-43a1-bd83-9f831b5dbe7f}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2006-10-09 139264]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WinampAgent"="c:\program files\Winamp\winampa.exe" [2009-03-09 37888]
"McAfeeUpdaterUI"="c:\program files\McAfee\Common Framework\udaterui.exe" [2008-03-14 136512]
"ShStatEXE"="c:\program files\McAfee\VirusScan Enterprise\SHSTAT.EXE" [2008-09-29 124240]
"SoundMAXPnP"="c:\program files\Analog Devices\SoundMAX\SMax4PNP.exe" [2009-03-26 23052]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 40048]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-14 148888]
"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2009-03-27 23052]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\McAfeeEngineService]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\McAfee\\Common Framework\\FrameworkService.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=
"c:\\Program Files\\Java\\jre6\\launch4j-tmp\\JDownloader.exe"=
"c:\\WINDOWS\\system32\\java.exe"=
"c:\\Program Files\\SopCast\\adv\\SopAdver.exe"=
"c:\\Program Files\\SopCast\\SopCast.exe"=
"c:\\Program Files\\Winamp\\winampa.exe"=

R2 McAfeeEngineService;McAfee Engine Service;c:\program files\McAfee\VirusScan Enterprise\EngineServer.exe [2008-09-29 19456]
R2 mfevtp;McAfee Validation Trust Protection Service;c:\windows\system32\mfevtps.exe [2002-01-03 67904]
R2 TuneUp.ProgramStatisticsSvc;TuneUp Program Statistics Service;c:\windows\system32\TUProgSt.exe [2009-03-13 603904]
S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [2002-01-03 64432]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{59509d7b-0093-11d6-aee6-806d6172696f}]
\Shell\AutoRun\command - E:\SETUP.EXE /AUTORUN
\Shell\configure\command - E:\SETUP.EXE
\Shell\install\command - E:\SETUP.EXE
.
Contents of the 'Scheduled Tasks' folder

2009-03-27 c:\windows\Tasks\1-Click Maintenance.job
- c:\program files\TuneUp Utilities 2009\OneClickStarter.exe [2008-12-11 21:36]

2009-03-25 c:\windows\Tasks\Pareto UNS.job
- c:\program files\Common Files\ParetoLogic\UUS\UUS.dll\Pareto_Update.exe []
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, gmer.net
Rootkit scan 2009-03-27 09:08:37
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2009-03-27 9:10:51
ComboFix-quarantined-files.txt 2009-03-27 08:10:46
ComboFix2.txt 2009-03-26 11:19:20
ComboFix3.txt 2009-03-26 09:47:52
ComboFix4.txt 2009-03-26 09:00:12

Pre-Run: 20,960,714,752 bytes free
Post-Run: 21,000,200,192 bytes free


offline
  • diarno  Male
  • Anti Malware Fighter
    Rank 2
  • Joined: 15 Jun 2007
  • Posts: 5572

Excellent. How is the machine behaving now?
