Combofix log

  • Joined: 02 Mar 2009
  • Posts: 14

I had the same problem as in the topic mycity.rs/Arhiva-Ambulante/Desktop-ikone-mi-nestaju.html, which was successfully solved thanks to Demian. Following the same instructions, I (it seems to me) managed to fix the problem, but I don't know whether it is necessary to make a CFScript, because I have the impression that everything is OK now. Here is the log, so if someone can take a look:

ComboFix 09-03-01.01 - Lazar 2009-03-02 7:01:55.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2558.2151 [GMT 1:00]
Running from: c:\documents and settings\Lazar\Desktop\ComboFix.exe
AV: avast! antivirus 4.8.1296 [VPS 090301-0] *On-access scanning enabled* (Updated)
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
ADS - WINDOWS: deleted 0 bytes in 1 streams.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
c:\documents and settings\Lazar\Application Data\.#
c:\windows\system32\geBsrSIY.dll
c:\windows\system32\sysproc64
c:\windows\system32\sysproc64\sysproc32.sys.cla
c:\windows\system32\YISrsBeg.ini
c:\windows\system32\YISrsBeg.ini2

----- BITS: Possible infected sites -----

hxxp://www.fileden.com
.
((((((((((((((((((((((((( Files Created from 2009-02-02 to 2009-03-02 )))))))))))))))))))))))))))))))
.

2009-03-02 06:39 . 2009-03-02 06:39 2,877 --a------ c:\windows\is169084.exe
2009-03-02 06:33 . 2009-03-02 06:39 <DIR> d-------- c:\program files\AVG
2009-03-02 05:44 . 2009-03-02 05:44 550 --a------ c:\windows\wininit.ini
2009-03-02 05:30 . 2009-03-02 05:30 <DIR> d-------- c:\program files\Spybot - Search & Destroy
2009-03-02 05:30 . 2009-03-02 07:06 <DIR> d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-02-26 17:19 . 2009-02-26 17:19 <DIR> d-------- c:\program files\blackmagic
2009-02-26 02:27 . 2009-02-26 02:27 54,156 --ah----- c:\windows\QTFont.qfn
2009-02-26 02:27 . 2009-02-26 02:27 1,409 --a------ c:\windows\QTFont.for
2009-02-04 00:36 . 2009-02-04 00:36 <DIR> d-------- c:\program files\Common Files\Windows Live

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-03-02 01:09 --------- d-----w c:\documents and settings\Lazar\Application Data\uTorrent
2009-02-12 02:01 --------- d-----w c:\documents and settings\Lazar\Application Data\Thinstall
2009-01-25 15:15 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2009-01-25 03:56 --------- d-----w c:\program files\URUSoft
2009-01-23 18:24 --------- d-----w c:\program files\Google
2009-01-23 01:44 --------- d-----w c:\program files\Xilisoft
2009-01-22 20:16 --------- d-----w c:\documents and settings\Lazar\Application Data\Any Video Converter
2009-01-22 15:17 --------- d-----w c:\program files\Yamb
2009-01-19 15:36 --------- d-----w c:\program files\Dream Aquarium
2009-01-19 03:19 --------- d-----w c:\documents and settings\Lazar\Application Data\IDMComp
2009-01-18 15:21 --------- d-----w c:\program files\Easy Video Joiner
2009-01-18 15:04 --------- d-----w c:\program files\VideoJoiner
2009-01-18 14:59 --------- d-----w c:\program files\Boilsoft MOV Converter
2009-01-13 16:44 --------- d--h--w c:\program files\InstallShield Installation Information
2009-01-13 16:44 --------- d-----w c:\program files\ektron
2009-01-10 16:17 --------- d-----w c:\program files\MOJOSOFT
2009-01-10 16:17 --------- d-----w c:\documents and settings\Lazar\Application Data\mojosoft
2009-01-09 19:10 --------- d-----w c:\program files\VikarPls
2009-01-08 03:38 --------- d-----w c:\program files\Common Files\Adobe
2009-01-07 03:07 --------- d-----w c:\program files\Flash Menu Labs Pro v2
2009-01-06 20:29 --------- d-----w c:\program files\Foxit Software
2009-01-06 19:34 --------- d-----w c:\documents and settings\All Users\Application Data\FLEXnet
2009-01-06 17:24 --------- d-----w c:\program files\Effective Studios
2009-01-06 17:17 --------- d-----w c:\documents and settings\Lazar\Application Data\Aurora Web Editor
2009-01-06 17:16 --------- d-----w c:\program files\Multimedia Australia
2009-01-06 16:42 --------- d-----w c:\program files\Northcode
2009-01-05 18:06 --------- d-----w c:\documents and settings\Lazar\Application Data\HDRsoft
2009-01-05 17:18 --------- d-----w c:\program files\PhotomatixPro3
2008-12-16 01:47 72,192 ----a-w c:\windows\cadkasdeinst01e.exe
.
Files Infected - Patched
c:\program files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe ... hex repaired
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{1392b8d2-5c05-419f-a8f6-b9f15a596612}"= "c:\program files\Freecorder\tbFre1.dll" [2008-04-07 1470488]

[HKEY_CLASSES_ROOT\clsid\{1392b8d2-5c05-419f-a8f6-b9f15a596612}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1392b8d2-5c05-419f-a8f6-b9f15a596612}]
2008-04-07 02:33 1470488 --a------ c:\program files\Freecorder\tbFre1.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{201f27d4-3704-41d6-89c1-aa35e39143ed}]
2008-11-18 12:58 333192 --a------ c:\program files\AskBarDis\bar\bin\askBar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{1392b8d2-5c05-419f-a8f6-b9f15a596612}"= "c:\program files\Freecorder\tbFre1.dll" [2008-04-07 1470488]
"{3041d03e-fd4b-44e0-b742-2d9b88305f98}"= "c:\program files\AskBarDis\bar\bin\askBar.dll" [2008-11-18 333192]

[HKEY_CLASSES_ROOT\clsid\{1392b8d2-5c05-419f-a8f6-b9f15a596612}]

[HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}]
[HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{1392B8D2-5C05-419F-A8F6-B9F15A596612}"= "c:\program files\Freecorder\tbFre1.dll" [2008-04-07 1470488]
"{3041D03E-FD4B-44E0-B742-2D9B88305F98}"= "c:\program files\AskBarDis\bar\bin\askBar.dll" [2008-11-18 333192]

[HKEY_CLASSES_ROOT\clsid\{1392b8d2-5c05-419f-a8f6-b9f15a596612}]

[HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}]
[HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"MsnMsgr"="c:\program files\MSN Messenger\MsnMsgr.Exe" [2007-01-19 5674352]
"Google Update"="c:\documents and settings\Lazar\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2008-11-06 133104]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-15 68856]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-01-26 2144088]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2006-05-01 843776]
"Acrobat Assistant 7.0"="c:\program files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe" [2009-03-02 483328]
"InCD"="c:\program files\Nero\Nero 7\InCD\InCD.exe" [2006-05-30 542208]
"SNCT511"="c:\windows\vsnct511.exe" [2003-07-24 32768]
"Sony Ericsson PC Suite"="c:\program files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" [2005-10-26 159744]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2008-11-26 81000]
"{0228e555-4f9c-4e35-a3ec-b109a192b4c2}"="c:\program files\Google\Gmail Notifier\gnotify.exe" [2005-07-15 479232]
"googletalk"="c:\program files\Google\Google Talk\googletalk.exe" [2007-01-01 3739648]
"AGRSMMSG"="AGRSMMSG.exe" [2004-10-08 c:\windows\AGRSMMSG.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\System32\CTFMON.EXE" [2004-08-04 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=
"c:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
"c:\\Documents and Settings\\Lazar\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.dll"=
"c:\\Documents and Settings\\Lazar\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.exe"=

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2008-06-07 111184]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2008-06-07 20560]
R3 SNCT511;VideoCAM Trek;c:\windows\system32\drivers\snct511.sys [2007-04-01 229376]
R3 usnjsvc;Messenger Sharing Folders USN Journal Reader service;c:\program files\MSN Messenger\usnsvc.exe [2007-01-19 97136]
.
Contents of the 'Scheduled Tasks' folder

2009-03-01 c:\windows\Tasks\At1.job
- c:\windows\system32\PBbRGybI.exe []

2009-02-23 c:\windows\Tasks\At10.job
- c:\windows\system32\PBbRGybI.exe []

2009-02-23 c:\windows\Tasks\At11.job
- c:\windows\system32\PBbRGybI.exe []

2009-02-27 c:\windows\Tasks\At12.job
- c:\windows\system32\PBbRGybI.exe []

2009-02-23 c:\windows\Tasks\At13.job
- c:\windows\system32\PBbRGybI.exe []

2009-02-23 c:\windows\Tasks\At14.job
- c:\windows\system32\PBbRGybI.exe []

2009-02-28 c:\windows\Tasks\At15.job
- c:\windows\system32\PBbRGybI.exe []

2009-03-01 c:\windows\Tasks\At16.job
- c:\windows\system32\PBbRGybI.exe []

2009-03-01 c:\windows\Tasks\At17.job
- c:\windows\system32\PBbRGybI.exe []

2009-03-01 c:\windows\Tasks\At18.job
- c:\windows\system32\PBbRGybI.exe []

2009-03-01 c:\windows\Tasks\At19.job
- c:\windows\system32\PBbRGybI.exe []

2009-03-02 c:\windows\Tasks\At2.job
- c:\windows\system32\PBbRGybI.exe []

2009-03-01 c:\windows\Tasks\At20.job
- c:\windows\system32\PBbRGybI.exe []

2009-02-28 c:\windows\Tasks\At21.job
- c:\windows\system32\PBbRGybI.exe []

2009-02-28 c:\windows\Tasks\At22.job
- c:\windows\system32\PBbRGybI.exe []

2009-02-27 c:\windows\Tasks\At23.job
- c:\windows\system32\PBbRGybI.exe []

2009-03-01 c:\windows\Tasks\At24.job
- c:\windows\system32\PBbRGybI.exe []

2009-03-02 c:\windows\Tasks\At3.job
- c:\windows\system32\PBbRGybI.exe []

2009-03-02 c:\windows\Tasks\At4.job
- c:\windows\system32\PBbRGybI.exe []

2009-03-02 c:\windows\Tasks\At5.job
- c:\windows\system32\PBbRGybI.exe []

2009-03-02 c:\windows\Tasks\At6.job
- c:\windows\system32\PBbRGybI.exe []

2009-03-02 c:\windows\Tasks\At7.job
- c:\windows\system32\PBbRGybI.exe []

2009-02-23 c:\windows\Tasks\At8.job
- c:\windows\system32\PBbRGybI.exe []

2009-02-23 c:\windows\Tasks\At9.job
- c:\windows\system32\PBbRGybI.exe []

2009-03-01 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2000478354-1897051121-839522115-1003.job
- c:\documents and settings\Lazar\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-11-06 15:42]
.
- - - - ORPHANS REMOVED - - - -

BHO-{06BE787A-B912-487C-A4A4-2E64224F0DC5} - (no file)
BHO-{8D0746A0-FB6A-42EE-ADD7-D40AB45E161C} - c:\windows\system32\geBsrSIY.dll
HKCU-Run-RoboForm - c:\program files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe
HKCU-Run-Octoshape Streaming Services - c:\program files\Octoshape Streaming Services\Lazar\OctoshapeClient.exe
HKCU-Run-DLD.EXE - c:\program files\Download Direct\DLD.exe
Notify-wvUmkjkj - wvUmkjkj.dll


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/ig
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uInternet Settings,ProxyOverride = 127.0.0.1
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: &Webshots Photo Search
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Ispuni obrasce - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
IE: Iz&vezi u Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Prilagodi izbornik - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
IE: RF Alatna traka - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
IE: Spremi obrasce - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath -
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, gmer.net
Rootkit scan 2009-03-02 07:05:53
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(756)
c:\windows\system32\Ati2evxx.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Nero\Nero 7\InCD\InCDsrv.exe
c:\windows\system32\ati2evxx.exe
c:\windows\system32\ati2evxx.exe
c:\program files\Alwil Software\Avast4\aswUpdSv.exe
c:\program files\Alwil Software\Avast4\ashServ.exe
c:\program files\Common Files\Acronis\Schedule2\schedul2.exe
c:\windows\system32\ASTSRV.EXE
c:\windows\ATKKBService.exe
c:\program files\Common Files\Teleca Shared\CapabilityManager.exe
c:\windows\system32\wdfmgr.exe
c:\progra~1\Webshots\Webshots.scr
c:\program files\Alwil Software\Avast4\ashMaiSv.exe
c:\program files\Alwil Software\Avast4\ashWebSv.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2009-03-02 7:10:00 - machine was rebooted
ComboFix-quarantined-files.txt 2009-03-02 06:08:42

Pre-Run: 17.340.936.192 bytes free
Post-Run: 17,278,382,080 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe


  • diarno  Male
  • Anti Malware Fighter
    Rank 2
  • Joined: 15 Jun 2007
  • Posts: 5572

Who told you to run ComboFix????

Does it say that here:

http://www.mycity.rs/Ambulanta/Kako-otvoriti-temu-u-Ambulanti.html

Where am I supposed to start the cleaning from now....

Tell me, did you install some AVG product this morning??

  • Joined: 02 Mar 2009
  • Posts: 14

The problem is completely identical to the one you already solved, so I didn't want to open the same topic. I apologize for jumping the gun, but at least my desktop isn't flickering any more :) I was already thinking about formatting C:.
All night I tried various AV programs such as avast and Search & Destroy, and I wanted to install AVG too, but it reported an error at the start of the installation. Then I came across your forum and tried ComboFix, which, it seems to me, solved the problem.
I'm not 100% sure whether I managed to disable avast beforehand, because I couldn't see the system tray. I think I did.
Thank you, and I apologize for my hastiness.

  • diarno  Male
  • Anti Malware Fighter
    Rank 2
  • Joined: 15 Jun 2007
  • Posts: 5572

Something here looks suspicious to me... I'll be able to get to the forum tonight after 8... Then I'll give you further instructions...

  • Joined: 02 Mar 2009
  • Posts: 14

OK. Thanks a lot.
Just in case, I'm not turning the computer off :) and I haven't typed ComboFix /u, in case a CFScript needs to be copied.
This Acrotray.exe has been causing me problems for quite a while; when I closed some IE windows, my desktop would lock up (and the icons disappear), so every time I had to kill the drwtsn.exe process to be able to work normally. Yesterday it started "freezing" every 15-20 seconds, and then I had no solution...

  • diarno  Male
  • Anti Malware Fighter
    Rank 2
  • Joined: 15 Jun 2007
  • Posts: 5572

Plans have changed, so I'm here now.

Do the following:

Open Notepad and copy the following text into it:

File::
c:\windows\system32\PBbRGybI.exe

AtJob::


Save the file from Notepad to the Desktop as "CFScript".

Drag the saved script/text file onto the ComboFix icon, as in the picture.
Post the log that is produced at the end of the cleaning/scan in your next message.
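An added triage helper (not ComboFix's own code and not posted in this thread) that parses the "Contents of the 'Scheduled Tasks' folder" section of a ComboFix log like the first one above, flags clusters of AtN.job tasks that all launch one executable, and drafts a CFScript in the shape of the one in this post. The log excerpt is constructed from the lines posted above, and the `min_jobs` threshold is an assumption.

```python
"""Triage helper for the 'Scheduled Tasks' section of a ComboFix log.

Hypothetical code, not part of ComboFix or of this thread. It groups
AtN.job tasks by the executable they launch, flags clusters like the
24 At*.job tasks in the log above that all ran one system32 binary,
and drafts a CFScript shaped like the one the moderator posted.
"""
import re

# Constructed excerpt in the shape of the posted log (not the full log).
SAMPLE_LOG = r"""
Contents of the 'Scheduled Tasks' folder

2009-03-01 c:\windows\Tasks\At1.job
- c:\windows\system32\PBbRGybI.exe []

2009-02-23 c:\windows\Tasks\At10.job
- c:\windows\system32\PBbRGybI.exe []

2009-03-02 c:\windows\Tasks\At2.job
- c:\windows\system32\PBbRGybI.exe []

2009-03-01 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2000478354-1897051121-839522115-1003.job
- c:\documents and settings\Lazar\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-11-06 15:42]
.
- - - - ORPHANS REMOVED - - - -
"""

SECTION_START = "Contents of the 'Scheduled Tasks' folder"
SECTION_END = "- - - - ORPHANS REMOVED"
# Task line, e.g. "2009-03-01 c:\windows\Tasks\At1.job"
TASK_RE = re.compile(r"^\d{4}-\d{2}-\d{2} (?P<job>\S.*\.job)\s*$", re.IGNORECASE)
# Target line, e.g. "- c:\windows\system32\PBbRGybI.exe []"; the bracket
# holds the target's timestamp, or nothing when none was recorded.
TARGET_RE = re.compile(r"^- (?P<target>.+?) \[(?P<stamp>[^\]]*)\]\s*$")
AT_JOB_RE = re.compile(r"\\At\d+\.job$", re.IGNORECASE)


def parse_tasks(log_text):
    """Return (job_path, target_path, stamp) tuples from the tasks section."""
    tasks, in_section, pending_job = [], False, None
    for line in log_text.splitlines():
        if line.startswith(SECTION_START):
            in_section = True
            continue
        if not in_section:
            continue
        if line.startswith(SECTION_END):
            break
        m = TASK_RE.match(line)
        if m:
            pending_job = m.group("job")
            continue
        m = TARGET_RE.match(line)
        if m and pending_job:
            tasks.append((pending_job, m.group("target"), m.group("stamp")))
            pending_job = None
    return tasks


def suspicious_clusters(tasks, min_jobs=3):
    """Map each flagged target to the At*.job tasks that launch it.

    A target is flagged when at least min_jobs (assumed threshold) At*.job
    tasks point at it, or when it lives under system32 and the log recorded
    no timestamp for it (the empty "[]" seen in the thread's log).
    """
    by_target = {}  # lower-cased target -> (target as printed, [(job, stamp), ...])
    for job, target, stamp in tasks:
        if AT_JOB_RE.search(job):
            by_target.setdefault(target.lower(), (target, []))[1].append((job, stamp))
    flagged = {}
    for target, jobs in by_target.values():
        no_stamp = all(stamp.strip() == "" for _, stamp in jobs)
        in_system32 = "\\system32\\" in target.lower()
        if len(jobs) >= min_jobs or (no_stamp and in_system32):
            flagged[target] = [job for job, _ in jobs]
    return flagged


def build_cfscript(flagged):
    """Draft a CFScript in the shape of the one posted in this thread:
    File:: lists the flagged targets, followed by an empty AtJob:: section
    as in the moderator's script, after which every At*.job was deleted."""
    lines = ["File::", *sorted(flagged), "", "AtJob::", ""]
    return "\n".join(lines)


if __name__ == "__main__":
    found = suspicious_clusters(parse_tasks(SAMPLE_LOG))
    for target, jobs in found.items():
        print(f"{target}: launched by {len(jobs)} At*.job task(s)")
    print(build_cfscript(found))
```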

  • Joined: 02 Mar 2009
  • Posts: 14

ComboFix 09-03-01.01 - Lazar 2009-03-02 19:01:08.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2558.2024 [GMT 1:00]
Running from: c:\documents and settings\Lazar\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Lazar\Desktop\CFScript.txt
AV: avast! antivirus 4.8.1296 [VPS 090301-0] *On-access scanning disabled* (Updated)
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
c:\windows\system32\PBbRGybI.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\byXNhhIA.dll
c:\windows\system32\ijjPAJlm.ini
c:\windows\system32\ijjPAJlm.ini2
c:\windows\system32\mlJAPjji.dll
c:\windows\Tasks\At1.job
c:\windows\Tasks\At10.job
c:\windows\Tasks\At11.job
c:\windows\Tasks\At12.job
c:\windows\Tasks\At13.job
c:\windows\Tasks\At14.job
c:\windows\Tasks\At15.job
c:\windows\Tasks\At16.job
c:\windows\Tasks\At17.job
c:\windows\Tasks\At18.job
c:\windows\Tasks\At19.job
c:\windows\Tasks\At2.job
c:\windows\Tasks\At20.job
c:\windows\Tasks\At21.job
c:\windows\Tasks\At22.job
c:\windows\Tasks\At23.job
c:\windows\Tasks\At24.job
c:\windows\Tasks\At3.job
c:\windows\Tasks\At4.job
c:\windows\Tasks\At5.job
c:\windows\Tasks\At6.job
c:\windows\Tasks\At7.job
c:\windows\Tasks\At8.job
c:\windows\Tasks\At9.job

.
((((((((((((((((((((((((( Files Created from 2009-02-02 to 2009-03-02 )))))))))))))))))))))))))))))))
.

2009-03-02 18:39 . 2009-03-02 18:40 512 --a------ C:\drmHeader.bin
2009-03-02 06:39 . 2009-03-02 06:39 2,877 --a------ c:\windows\is169084.exe
2009-03-02 06:33 . 2009-03-02 06:39 <DIR> d-------- c:\program files\AVG
2009-03-02 05:44 . 2009-03-02 05:44 550 --a------ c:\windows\wininit.ini
2009-03-02 05:30 . 2009-03-02 05:30 <DIR> d-------- c:\program files\Spybot - Search & Destroy
2009-03-02 05:30 . 2009-03-02 07:06 <DIR> d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-02-26 17:19 . 2009-02-26 17:19 <DIR> d-------- c:\program files\blackmagic
2009-02-04 00:36 . 2009-02-04 00:36 <DIR> d-------- c:\program files\Common Files\Windows Live

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-03-02 17:34 --------- d-----w c:\documents and settings\Lazar\Application Data\uTorrent
2009-02-12 02:01 --------- d-----w c:\documents and settings\Lazar\Application Data\Thinstall
2009-01-25 15:15 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2009-01-25 03:56 --------- d-----w c:\program files\URUSoft
2009-01-23 18:24 --------- d-----w c:\program files\Google
2009-01-23 01:44 --------- d-----w c:\program files\Xilisoft
2009-01-22 20:16 --------- d-----w c:\documents and settings\Lazar\Application Data\Any Video Converter
2009-01-22 15:17 --------- d-----w c:\program files\Yamb
2009-01-19 15:36 --------- d-----w c:\program files\Dream Aquarium
2009-01-19 03:19 --------- d-----w c:\documents and settings\Lazar\Application Data\IDMComp
2009-01-18 15:21 --------- d-----w c:\program files\Easy Video Joiner
2009-01-18 15:04 --------- d-----w c:\program files\VideoJoiner
2009-01-18 14:59 --------- d-----w c:\program files\Boilsoft MOV Converter
2009-01-13 16:44 --------- d--h--w c:\program files\InstallShield Installation Information
2009-01-13 16:44 --------- d-----w c:\program files\ektron
2009-01-10 16:17 --------- d-----w c:\program files\MOJOSOFT
2009-01-10 16:17 --------- d-----w c:\documents and settings\Lazar\Application Data\mojosoft
2009-01-09 19:10 --------- d-----w c:\program files\VikarPls
2009-01-08 03:38 --------- d-----w c:\program files\Common Files\Adobe
2009-01-07 03:07 --------- d-----w c:\program files\Flash Menu Labs Pro v2
2009-01-06 20:29 --------- d-----w c:\program files\Foxit Software
2009-01-06 19:34 --------- d-----w c:\documents and settings\All Users\Application Data\FLEXnet
2009-01-06 17:24 --------- d-----w c:\program files\Effective Studios
2009-01-06 17:17 --------- d-----w c:\documents and settings\Lazar\Application Data\Aurora Web Editor
2009-01-06 17:16 --------- d-----w c:\program files\Multimedia Australia
2009-01-06 16:42 --------- d-----w c:\program files\Northcode
2009-01-05 18:06 --------- d-----w c:\documents and settings\Lazar\Application Data\HDRsoft
2009-01-05 17:18 --------- d-----w c:\program files\PhotomatixPro3
2008-12-16 01:47 72,192 ----a-w c:\windows\cadkasdeinst01e.exe
.

((((((((((((((((((((((((((((( SnapShot@2009-03-02_ 7.07.52.43 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-03-02 18:05:24 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_670.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{1392b8d2-5c05-419f-a8f6-b9f15a596612}"= "c:\program files\Freecorder\tbFre1.dll" [2008-04-07 1470488]

[HKEY_CLASSES_ROOT\clsid\{1392b8d2-5c05-419f-a8f6-b9f15a596612}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1392b8d2-5c05-419f-a8f6-b9f15a596612}]
2008-04-07 02:33 1470488 --a------ c:\program files\Freecorder\tbFre1.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{201f27d4-3704-41d6-89c1-aa35e39143ed}]
2008-11-18 12:58 333192 --a------ c:\program files\AskBarDis\bar\bin\askBar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{1392b8d2-5c05-419f-a8f6-b9f15a596612}"= "c:\program files\Freecorder\tbFre1.dll" [2008-04-07 1470488]
"{3041d03e-fd4b-44e0-b742-2d9b88305f98}"= "c:\program files\AskBarDis\bar\bin\askBar.dll" [2008-11-18 333192]

[HKEY_CLASSES_ROOT\clsid\{1392b8d2-5c05-419f-a8f6-b9f15a596612}]

[HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}]
[HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{1392B8D2-5C05-419F-A8F6-B9F15A596612}"= "c:\program files\Freecorder\tbFre1.dll" [2008-04-07 1470488]
"{3041D03E-FD4B-44E0-B742-2D9B88305F98}"= "c:\program files\AskBarDis\bar\bin\askBar.dll" [2008-11-18 333192]

[HKEY_CLASSES_ROOT\clsid\{1392b8d2-5c05-419f-a8f6-b9f15a596612}]

[HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}]
[HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"MsnMsgr"="c:\program files\MSN Messenger\MsnMsgr.Exe" [2007-01-19 5674352]
"Google Update"="c:\documents and settings\Lazar\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2008-11-06 133104]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-15 68856]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-01-26 2144088]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2006-05-01 843776]
"Acrobat Assistant 7.0"="c:\program files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe" [2009-03-02 483328]
"InCD"="c:\program files\Nero\Nero 7\InCD\InCD.exe" [2006-05-30 542208]
"SNCT511"="c:\windows\vsnct511.exe" [2003-07-24 32768]
"Sony Ericsson PC Suite"="c:\program files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" [2005-10-26 159744]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2008-11-26 81000]
"{0228e555-4f9c-4e35-a3ec-b109a192b4c2}"="c:\program files\Google\Gmail Notifier\gnotify.exe" [2005-07-15 479232]
"googletalk"="c:\program files\Google\Google Talk\googletalk.exe" [2007-01-01 3739648]
"AGRSMMSG"="AGRSMMSG.exe" [2004-10-08 c:\windows\AGRSMMSG.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\System32\CTFMON.EXE" [2004-08-04 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=
"c:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
"c:\\Documents and Settings\\Lazar\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.dll"=
"c:\\Documents and Settings\\Lazar\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.exe"=

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2008-06-07 111184]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2008-06-07 20560]
R3 SNCT511;VideoCAM Trek;c:\windows\system32\drivers\snct511.sys [2007-04-01 229376]
R3 usnjsvc;Messenger Sharing Folders USN Journal Reader service;c:\program files\MSN Messenger\usnsvc.exe [2007-01-19 97136]
.
Contents of the 'Scheduled Tasks' folder

2009-03-02 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2000478354-1897051121-839522115-1003.job
- c:\documents and settings\Lazar\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-11-06 15:42]
.
- - - - ORPHANS REMOVED - - - -

BHO-{1D5CFE8F-4D6A-4A90-82FC-3E8E50A9D232} - c:\windows\system32\mlJAPjji.dll


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/ig
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uInternet Settings,ProxyOverride = 127.0.0.1
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: &Webshots Photo Search
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Ispuni obrasce - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
IE: Iz&vezi u Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Prilagodi izbornik - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
IE: RF Alatna traka - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
IE: Spremi obrasce - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath -
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, gmer.net
Rootkit scan 2009-03-02 19:05:41
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(752)
c:\windows\system32\Ati2evxx.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Nero\Nero 7\InCD\InCDsrv.exe
c:\windows\system32\ati2evxx.exe
c:\windows\system32\ati2evxx.exe
c:\program files\Alwil Software\Avast4\aswUpdSv.exe
c:\program files\Alwil Software\Avast4\ashServ.exe
c:\program files\Common Files\Acronis\Schedule2\schedul2.exe
c:\windows\system32\ASTSRV.EXE
c:\windows\ATKKBService.exe
c:\windows\system32\wdfmgr.exe
c:\program files\Common Files\Teleca Shared\CapabilityManager.exe
c:\progra~1\Webshots\Webshots.scr
c:\program files\Alwil Software\Avast4\ashMaiSv.exe
c:\program files\Alwil Software\Avast4\ashWebSv.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2009-03-02 19:10:03 - machine was rebooted
ComboFix-quarantined-files.txt 2009-03-02 18:08:46
ComboFix2.txt 2009-03-02 06:10:01

Pre-Run: 17.336.799.232 bytes free
Post-Run: 17,348,460,544 bytes free


  • diarno  Male
  • Anti Malware Fighter
    Rank 2
  • Joined: 15 Jun 2007
  • Posts: 5572

How are things now...?
We'll do one more check, because something catches my eye, although it's possible that a ComboFix component is buggy:

Download RootRepeal to the Desktop.

Extract RootRepeal.zip into a folder.
Double-click RootRepeal.exe to run it.
Switch to the Report tab (by clicking the Report button at the bottom right).
Click the Scan button.
In the window that opens (Select Scan), tick the boxes in front of all the items and click OK.
In the next window (Select Drives), tick the box in front of the system drive (usually C:\) and click OK.
When the process finishes, click Save Report and save the scan report.

Copy the contents of that report into your next message.

  • Joined: 02 Mar 2009
  • Posts: 14

ROOTREPEAL (c) AD, 2007-2008
==================================================
Scan Time: 2009/03/02 19:26
Program Version: Version 1.2.3.0
Windows Version: Windows XP SP2
==================================================

Drivers
-------------------
Name: catchme.sys
Image Path: C:\ComboFix\catchme.sys
Address: 0xBA3D0000 Size: 30592 File Visible: No
Status: -

Name: Combo-Fix.sys
Image Path: Combo-Fix.sys
Address: 0xBA108000 Size: 60416 File Visible: No
Status: -

Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xACBD8000 Size: 98304 File Visible: No
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xBA644000 Size: 8192 File Visible: No
Status: -

Name: PROCEXP90.SYS
Image Path: C:\WINDOWS\system32\Drivers\PROCEXP90.SYS
Address: 0xBA5CC000 Size: 6464 File Visible: No
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xAA4B2000 Size: 45056 File Visible: No
Status: -

Hidden/Locked Files
-------------------
Path: C:\WINDOWS\system32\config\software.LOG
Status: Size mismatch (API: 20480, Raw: 1024)

Path: C:\Documents and Settings\Lazar\Local Settings\Application Data\Freecorder\rss\http___xs3_b92_net_7999_radio-b92_mp3.xml
Status: Size mismatch (API: 5025792, Raw: 4984832)

Path: C:\Documents and Settings\Lazar\Local Settings\Temporary Internet Files\Content.IE5\Q9SBCM5O\radio-b92[1].mp3
Status: Size mismatch (API: 5027349, Raw: 4976154)

Path: C:\Documents and Settings\Lazar\Local Settings\Apps\2.0\8TOPW5MW.QK1\H26N6XJY.W66\manifests\clickonce_bootstrap.exe.cdf-ms
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Lazar\Local Settings\Apps\2.0\8TOPW5MW.QK1\H26N6XJY.W66\manifests\clickonce_bootstrap.exe.manifest
Status: Locked to the Windows API!

SSDT
-------------------
#: 025 Function Name: NtClose
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xacc58576

#: 041 Function Name: NtCreateKey
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xacc58432

#: 065 Function Name: NtDeleteValueKey
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xacc58910

#: 068 Function Name: NtDuplicateObject
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xacc5800a

#: 119 Function Name: NtOpenKey
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xacc5850c

#: 122 Function Name: NtOpenProcess
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xacc57f4a

#: 128 Function Name: NtOpenThread
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xacc57fae

#: 177 Function Name: NtQueryValueKey
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xacc5862c

#: 204 Function Name: NtRestoreKey
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xacc585ec

#: 247 Function Name: NtSetValueKey
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xacc5876c

  • diarno  Male
  • Anti Malware Fighter
    Rank 2
  • Joined: 15 Jun 2007
  • Posts: 5572

How are things now?
