Strange file in system32

offline
  • MilM
  • New MyCity citizen
  • Joined: 09 Oct 2009
  • Posts: 10

I don't have any real problems with the computer, but through the WinPatrol program I noticed that I have a strange file (??????.LOG) in the system32 folder. It belongs to the group of hidden files and I could only see it once I unchecked the option Hide extension for known file types (it is a Notepad file). Then I noticed that there is one more file with little squares in its name, but without an extension, and it is not a Notepad file but a system one. Also, ZoneAlarm often pops up a window saying that Generic Host Process for Win32 wants to connect to a server (lower in that window you can see that it is one of the svchost.exe files). If I deny it, nothing spectacular happens, there is no loss of connection and I can carry on working perfectly normally. That's why it seems suspicious to me, because it is possible that something has disguised itself as svchost.

I scanned the system with Spybot and Ad-Aware, but no pest was found. I would ask you to take a look and see whether there is any malware, spyware, keylogger or some other plague of this modern computing age.

So let's begin:

DDS (Ver_09-09-29.01) - NTFSx86
Run by bbb at 21:50:35,43 on pet 10/09/2009
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_13
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1024.152 [GMT 2:00]

AV: ESET NOD32 Antivirus 4.0 *On-access scanning enabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
FW: ZoneAlarm Pro Firewall *enabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\ASWLSVC.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\System32\TUProgSt.exe
C:\WINDOWS\system32\ASWL2K.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\IVT Corporation\BlueSoleil\BlueSoleil.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\bbb\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = google.ba
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: FGCatchUrl: {2f364306-aa45-47b5-9f9d-39a8b94e7ef7} - c:\program files\flashget\jccatch.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SEPsearchhelperie.dll
BHO: Windows Live pomagac za prijavljivanje: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: Windows Live Toolbar Helper: {e15a8dc0-8516-42a1-81ea-dc94ec1acf10} - c:\program files\windows live\toolbar\wltcore.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: FlashGet GetFlash Class: {f156768e-81ef-470c-9057-481ba8380dba} - c:\program files\flashget\getflash.dll
TB: &Windows Live Toolbar: {21fa44ef-376d-4d53-9b0f-8a89d3229068} - c:\program files\windows live\toolbar\wltcore.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [CTFMON.EXE] c:\windows\system32\ctfmon.exe
uRun: [SpybotSD TeaTimer] "c:\program files\spybot - search & destroy\TeaTimer.exe"
uRun: [scheduler_monitor] c:\program files\reaconverter 5.5 pro\init_scheduler.exe
mRun: [ZoneAlarm Client] "c:\program files\zone labs\zonealarm\zlclient.exe"
mRun: [egui] "c:\program files\eset\eset nod32 antivirus\egui.exe" /hide /waitservice
mRun: [WinPatrol] "c:\program files\billp studios\winpatrol\winpatrol.exe" -expressboot
dRun: [CTFMON.EXE] c:\windows\system32\ctfmon.exe
dRun: [Nokia.PCSync] c:\program files\nokia\nokia pc suite 6\PcSync2.exe /NoDialog
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\blueso~1.lnk - c:\program files\ivt corporation\bluesoleil\BlueSoleil.exe
IE: &Download All with FlashGet - c:\program files\flashget\jc_all.htm
IE: &Download with FlashGet - c:\program files\flashget\jc_link.htm
IE: E&xport to Microsoft Excel - c:\progra~1\mi1933~1\office11\EXCEL.EXE/3000
IE: {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - c:\program files\flashget\FlashGet.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\mi1933~1\office11\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: DirectAnimation Java Classes - file://c:\windows\java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
TCP: {0D5314DD-03E3-49BC-BCF7-28A7463A3065} = 87.250.98.250 208.67.222.222
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: AtiExtEvent - Ati2evxx.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\bbb\applic~1\mozilla\firefox\profiles\cwyea2tj.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.google.ba/
FF - component: c:\documents and settings\bbb\application data\mozilla\firefox\profiles\cwyea2tj.default\extensions\{81bf1d23-5f17-408d-ac6b-bd6df7caf670}\components\XpcomOpusConnector.dll
FF - plugin: c:\documents and settings\bbb\application data\mozilla\firefox\profiles\cwyea2tj.default\extensions\{e2883e8f-472f-4fb0-9522-ac9bf37916a7}\plugins\np_gp.dll
FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
FF - user.js: network.http.max-connections-per-server - 4
FF - user.js: nglayout.initialpaint.delay - 750
FF - user.js: content.notify.interval - 750000
FF - user.js: content.max.tokenizing.time - 2250000

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-8-23 64160]
R0 viasraid;viasraid;c:\windows\system32\drivers\viasraid.sys [2003-12-12 77312]
R1 ehdrv;ehdrv;c:\windows\system32\drivers\ehdrv.sys [2009-2-6 106208]
R1 epfwtdir;epfwtdir;c:\windows\system32\drivers\epfwtdir.sys [2009-2-6 93336]
R1 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2009-4-5 353680]
R2 CAPI;CAPI 2.0 Service;c:\windows\system32\drivers\capi.sys [2001-3-21 26064]
R2 ekrn;ESET Service;c:\program files\eset\eset nod32 antivirus\ekrn.exe [2009-2-6 727720]
R2 fssfltr;FssFltr;c:\windows\system32\drivers\fssfltr_tdi.sys [2009-4-5 55152]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2009-7-3 1028432]
R2 NDISCAPI;NDIS CAPI Service;c:\windows\system32\drivers\ndiscapi.sys [2001-3-21 27792]
R2 SeaPort;SeaPort;c:\program files\microsoft\search enhancement pack\seaport\SeaPort.exe [2009-5-19 240512]
R2 TuneUp.ProgramStatisticsSvc;TuneUp Program Statistics Service;c:\windows\system32\TUProgSt.exe [2009-4-6 603904]
R2 vsmon;TrueVector Internet Monitor;c:\windows\system32\zonelabs\vsmon.exe -service --> c:\windows\system32\zonelabs\vsmon.exe -service [?]
R3 3xHybrid;ASUSTek SAA713x PCI Card;c:\windows\system32\drivers\3xHybrid.sys [2009-4-5 2831232]
R3 ASNDIS5;ASNDIS5 Protocol Driver;c:\windows\system32\ASNDIS5.sys [2009-4-4 16269]
R3 genmcmnUSB;USB Scroll Mouse Driver;c:\windows\system32\drivers\gflmouhid.sys [2009-4-5 7808]
R3 wdxwmac;PCI ISDN Card NDIS WAN Driver;c:\windows\system32\drivers\wdxwmac.sys [2001-3-21 272016]
S3 fsssvc;Windows Live Porodicna bezbednost;c:\program files\windows live\family safety\fsssvc.exe [2009-2-6 533360]
S3 getPlusHelper;getPlus(R) Helper;c:\windows\system32\svchost.exe -k getPlusHelper [2004-8-4 14336]
S3 MBAMSwissArmy;MBAMSwissArmy;\??\c:\windows\system32\drivers\mbamswissarmy.sys --> c:\windows\system32\drivers\mbamswissarmy.sys [?]
S3 rcp_service;ReaConverter scheduler service;c:\program files\reaconverter 5.5 pro\rcp_scheduler.exe [2007-11-30 558592]

=============== Created Last 30 ================

2009-10-05 01:07 <DIR> --d----- c:\docume~1\bbb\applic~1\RCP 5
2009-10-05 01:07 <DIR> --d----- c:\program files\ReaConverter 5.5 Pro
2009-10-05 00:35 <DIR> --d----- c:\windows\system32\ReaConverter_5.5_Pro
2009-10-02 22:11 3,255 a------- c:\windows\system32\wbem\Outlook_01ca439c9158865c.mof
2009-10-02 22:11 14,592 ac------ c:\windows\system32\dllcache\kbdhid.sys
2009-10-02 22:11 14,592 a------- c:\windows\system32\drivers\kbdhid.sys
2009-10-02 21:23 53,760 a------- c:\windows\system32\drivers\vfwwdm32.dll
2009-10-02 21:23 28,672 a------- c:\windows\system32\drivers\vidcap.ax
2009-10-02 21:23 91,136 a------- c:\windows\system32\drivers\kswdmcap.ax
2009-10-02 21:23 43,008 a------- c:\windows\system32\drivers\ksxbar.ax
2009-10-02 21:23 61,952 a------- c:\windows\system32\drivers\kstvtune.ax
2009-10-02 21:22 <DIR> --d----- c:\program files\IVT Corporation
2009-09-26 22:29 <DIR> --d----- c:\program files\MSSOAP
2009-09-26 22:28 <DIR> --d----- c:\program files\Webroot
2009-09-12 13:29 <DIR> --d----- c:\docume~1\bbb\applic~1\WinPatrol
2009-09-12 13:29 <DIR> --d----- c:\program files\BillP Studios
2009-09-12 01:20 153,088 -c------ c:\windows\system32\dllcache\triedit.dll

==================== Find3M ====================

2009-10-07 18:48 4,212 a---h--- c:\windows\system32\zllictbl.dat
2009-08-18 05:23 14,336 a------- c:\windows\system32\svchost.exe
2009-08-05 11:01 204,800 a------- c:\windows\system32\mswebdvd.dll
2009-07-17 21:01 58,880 a------- c:\windows\system32\atl.dll
2009-07-12 12:21 233,472 a------- c:\windows\system32\wmpdxm.dll
2009-05-10 20:53 81,920 a------- c:\docume~1\bbb\applic~1\ezpinst.exe
2009-05-10 20:53 47,360 a------- c:\docume~1\bbb\applic~1\pcouffin.sys

============= FINISH: 21:51:22,14 ===============
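The post above describes the two things that made the file stand out: it is hidden, and Explorer draws its name as question marks or "squares", which means the name contains characters the font cannot render. The following is an added example, not part of the original post or either participant's tools, that turns that observation into a repeatable check: it classifies directory entries by Windows attributes and by non-ASCII characters in the name, and reports entries that combine both. The sample listing is constructed to mimic what the post describes (the exact garbled name is not recoverable from the thread); `scan_directory` reads real attributes only on Windows, where `os.stat` exposes `st_file_attributes`.

```python
import os
import stat
import unicodedata

# What Explorer draws as "little squares" are characters the current font
# cannot render: control characters, private-use or unassigned code points,
# or letters from a script that is not installed. Legitimate files shipped in
# system32 have plain ASCII names, so any such character there deserves a look.
def odd_characters(name):
    """Return (char, code point, Unicode category) for every non printable-ASCII character in `name`."""
    odd = []
    for ch in name:
        if 32 <= ord(ch) < 127:
            continue
        odd.append((ch, 'U+%04X' % ord(ch), unicodedata.category(ch)))
    return odd

def classify_entry(name, attributes):
    """Flags for one directory entry: hidden/system attributes, odd name, missing extension."""
    flags = []
    if attributes & stat.FILE_ATTRIBUTE_HIDDEN:
        flags.append('hidden')
    if attributes & stat.FILE_ATTRIBUTE_SYSTEM:
        flags.append('system')
    if odd_characters(name):
        flags.append('non-ascii-name')
    if '.' not in name:
        flags.append('no-extension')
    return flags

def classify_listing(entries):
    """entries: iterable of (name, attributes). Return the entries that combine an
    odd name with the hidden or system attribute, the combination the post describes."""
    hits = []
    for name, attributes in entries:
        flags = classify_entry(name, attributes)
        if 'non-ascii-name' in flags and ('hidden' in flags or 'system' in flags):
            hits.append((name, flags))
    return hits

def scan_directory(path):
    """Windows only: read real attributes via os.scandir (st_file_attributes is absent elsewhere, so 0 is used)."""
    entries = []
    with os.scandir(path) as it:
        for entry in it:
            st = entry.stat(follow_symlinks=False)
            entries.append((entry.name, getattr(st, 'st_file_attributes', 0)))
    return classify_listing(entries)

# Constructed sample listing standing in for C:\WINDOWS\system32. The first two
# names are real files from the log above (zllictbl.dat is shown there as hidden);
# the last two are made up to resemble the "??????.LOG" and the extension-less
# "squares" file from the post.
SAMPLE_LISTING = [
    ('svchost.exe', 0x20),                                   # ARCHIVE only
    ('zllictbl.dat', 0x20 | stat.FILE_ATTRIBUTE_HIDDEN),      # hidden, but an ASCII name
    ('\u0416\u0419\u0428\u0421\u042a\u0417.LOG', stat.FILE_ATTRIBUTE_HIDDEN),
    ('\x01\x02\x03\x04', stat.FILE_ATTRIBUTE_HIDDEN | stat.FILE_ATTRIBUTE_SYSTEM),
]

if __name__ == '__main__':
    for name, flags in classify_listing(SAMPLE_LISTING):
        print(repr(name), flags, [cp for _, cp, _ in odd_characters(name)])
```

On the affected machine you would call `scan_directory(r'C:\WINDOWS\system32')` and `scan_directory(r'C:\WINDOWS\system32\drivers')` from an elevated prompt; an entry that is flagged is a candidate for the kind of upload-and-inspect step the helper asks for later in the thread, not proof of infection on its own.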




offline
  • dr_Bora
  • Anti Malware Fighter, Rank 2
  • Joined: 24 Jul 2007
  • Posts: 12280
  • Location: Höganäs, SE

Hello...



Run the GMER program and switch to the Files tab.

In the left pane (clicking on +) select the following folder:

C:\WINDOWS\system32\drivers

and in the right pane mark the file atapi.sys. Then click the Copy button and save a copy of that file.

Upload the saved copy of the file via this link: http://www.mycity.rs/ambulanta-upload.php

offline
  • MilM
  • New MyCity citizen
  • Joined: 09 Oct 2009
  • Posts: 10

I have uploaded the requested file, dr_Bora. Waiting for further instructions.

Sorry for the wait, I was enjoying the football tonight :)

Regards.

offline
  • dr_Bora
  • Anti Malware Fighter, Rank 2
  • Joined: 24 Jul 2007
  • Posts: 12280
  • Location: Höganäs, SE

Download sUBs' ComboFix from the following address to your Desktop:

Bleeping Computer
  • Right-click the link and choose Save Target As... (Save Link As..., Save Linked Content As... or similar);
  • When the dialog for choosing where to save the file opens, choose Desktop and click Save.

When the download is finished:
  • deactivate your protective software (instructions);
  • close any running programs;
  • double-click ComboFix to run it.

While running, ComboFix will:
  • check whether a newer version of the program exists:
    click Yes if offered to download it.
  • display the DISCLAIMER OF WARRANTY ON SOFTWARE:
    click Yes so the process continues.
  • if the Recovery Console is not installed, offer to install it:
    be sure to accept by clicking Yes and follow the procedure.
  • ask a number of questions / show notices:
    accept by clicking Yes or OK.
  • if necessary, restart Windows (possibly several times);
  • at the end, open Notepad with the scan report.

Copy the report ComboFix produced into the forum thread:
  • right-click in the Notepad window and choose Select All;
  • right-click the selected text and choose Copy;
  • right-click in the message field and choose Paste.

Note: The report will be saved as ComboFix.txt on the system partition (typical location: C:\ComboFix.txt);
If, after posting, you notice that the report is not complete, use the Attach file option to attach C:\ComboFix.txt to the message.

offline
  • MilM
  • New MyCity citizen
  • Joined: 09 Oct 2009
  • Posts: 10

ComboFix 09-10-10.01 - bbb 10/10/2009 23:39.1.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1024.634 [GMT 2:00]
Running from: c:\documents and settings\bbb\Desktop\ComboFix.exe
AV: ESET NOD32 Antivirus 4.0 *On-access scanning disabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
FW: ZoneAlarm Pro Firewall *disabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}
* Created a new restore point
.
ADS - svchost.exe: deleted 88 bytes in 2 streams.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\bbb\My Documents\backup.reg
c:\windows\Installer\4e7966.msi
c:\windows\Installer\78d10.msi

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_npf


((((((((((((((((((((((((( Files Created from 2009-09-10 to 2009-10-10 )))))))))))))))))))))))))))))))
.

2009-10-04 23:07 . 2009-10-10 06:01 -------- d-----w- c:\documents and settings\bbb\Application Data\RCP 5
2009-10-04 23:07 . 2009-10-04 23:08 -------- d-----w- c:\program files\ReaConverter 5.5 Pro
2009-10-04 22:35 . 2009-10-04 22:35 -------- d-----w- c:\windows\system32\ReaConverter_5.5_Pro
2009-10-02 20:11 . 2008-04-13 18:39 14592 -c--a-w- c:\windows\system32\dllcache\kbdhid.sys
2009-10-02 20:11 . 2008-04-13 18:39 14592 ----a-w- c:\windows\system32\drivers\kbdhid.sys
2009-10-02 19:30 . 2009-10-02 19:32 -------- d-----w- c:\documents and settings\All Users\Application Data\Bluetooth
2009-10-02 19:23 . 2008-04-14 00:12 53760 ----a-w- c:\windows\system32\drivers\vfwwdm32.dll
2009-09-26 20:29 . 2009-09-26 20:29 -------- d-----w- c:\program files\MSSOAP
2009-09-26 20:28 . 2009-09-26 20:28 -------- d-----w- c:\program files\Webroot
2009-09-12 11:29 . 2009-09-12 11:29 -------- d-----w- c:\documents and settings\bbb\Application Data\WinPatrol
2009-09-12 11:29 . 2009-09-12 11:29 -------- d-----w- c:\program files\BillP Studios
2009-09-11 23:20 . 2009-06-21 21:44 153088 -c----w- c:\windows\system32\dllcache\triedit.dll
2009-09-11 19:12 . 2009-09-11 19:12 -------- d-----w- c:\program files\NOS

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-10-07 16:48 . 2009-04-04 22:18 4212 ---ha-w- c:\windows\system32\zllictbl.dat
2009-10-04 17:56 . 2009-04-18 17:06 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-10-02 19:22 . 2009-10-02 19:22 -------- d-----w- c:\program files\IVT Corporation
2009-10-02 19:22 . 2009-04-04 21:43 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-09-26 20:02 . 2009-04-19 15:20 -------- d-----w- c:\program files\DAEMON Tools Toolbar
2009-09-20 02:01 . 2009-04-25 05:15 -------- d-----w- c:\documents and settings\bbb\Application Data\Skype
2009-09-19 22:06 . 2009-04-25 05:29 -------- d-----w- c:\documents and settings\bbb\Application Data\skypePM
2009-09-12 11:03 . 2009-08-20 09:05 -------- d-----w- c:\program files\Microsoft Silverlight
2009-09-11 19:14 . 2009-04-05 01:37 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2009-09-06 17:11 . 2009-06-13 15:21 -------- d-----w- c:\documents and settings\All Users\Application Data\NFS Underground
2009-08-30 22:40 . 2009-04-18 20:34 -------- d-----w- c:\documents and settings\bbb\Application Data\SUPERAntiSpyware.com
2009-08-23 09:11 . 2009-08-23 09:08 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2009-08-23 09:08 . 2009-08-23 09:08 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{EF63305C-BAD7-4144-9208-D65528260864}
2009-08-23 09:08 . 2009-08-23 09:08 -------- d-----w- c:\program files\Lavasoft
2009-08-18 03:23 . 2004-08-03 23:56 14336 ----a-w- c:\windows\system32\svchost.exe
2009-08-13 08:10 . 2009-04-18 17:06 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-08-05 09:01 . 2004-08-03 23:56 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-07-17 19:01 . 2004-08-03 23:56 58880 ----a-w- c:\windows\system32\atl.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"scheduler_monitor"="c:\program files\ReaConverter 5.5 Pro\init_scheduler.exe" [2007-06-15 27136]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2008-08-21 981904]
"egui"="c:\program files\ESET\ESET NOD32 Antivirus\egui.exe" [2009-02-06 2021400]
"WinPatrol"="c:\program files\BillP Studios\WinPatrol\winpatrol.exe" [2009-07-27 341312]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"Nokia.PCSync"="c:\program files\Nokia\Nokia PC Suite 6\PcSync2.exe" [2007-03-27 1744896]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
BlueSoleil.lnk - c:\program files\IVT Corporation\BlueSoleil\BlueSoleil.exe [2009-10-2 1044480]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\program files\Gameforge4D\AirRivals\Launcher.atm"= c:\program files\Gameforge4D\AirRivals\Launcher.atm:Enabled:GameExe2
"c:\program files\Gameforge4D\AirRivals\Res-Voip\SCVoIP.exe"= c:\program files\Gameforge4D\AirRivals\Res-Voip\SCVoIP.exe:Enabled:GameVoIP
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\FlashGet\\flashget.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\IVT Corporation\\BlueSoleil\\BlueSoleil.exe"=

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [8/23/2009 11:11 64160]
R0 viasraid;viasraid;c:\windows\system32\drivers\viasraid.sys [12/12/2003 17:49 77312]
R1 ehdrv;ehdrv;c:\windows\system32\drivers\ehdrv.sys [2/6/2009 14:23 106208]
R1 epfwtdir;epfwtdir;c:\windows\system32\drivers\epfwtdir.sys [2/6/2009 14:24 93336]
R2 CAPI;CAPI 2.0 Service;c:\windows\system32\drivers\capi.sys [3/21/2001 12:21 26064]
R2 ekrn;ESET Service;c:\program files\ESET\ESET NOD32 Antivirus\ekrn.exe [2/6/2009 14:23 727720]
R2 fssfltr;FssFltr;c:\windows\system32\drivers\fssfltr_tdi.sys [4/5/2009 02:10 55152]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [7/3/2009 16:49 1028432]
R2 NDISCAPI;NDIS CAPI Service;c:\windows\system32\drivers\ndiscapi.sys [3/21/2001 12:21 27792]
R2 TuneUp.ProgramStatisticsSvc;TuneUp Program Statistics Service;c:\windows\system32\TUProgSt.exe [4/6/2009 23:40 603904]
R3 3xHybrid;ASUSTek SAA713x PCI Card;c:\windows\system32\drivers\3xHybrid.sys [4/5/2009 21:54 2831232]
R3 ASNDIS5;ASNDIS5 Protocol Driver;c:\windows\system32\ASNDIS5.sys [4/4/2009 23:53 16269]
R3 genmcmnUSB;USB Scroll Mouse Driver;c:\windows\system32\drivers\gflmouhid.sys [4/5/2009 21:56 7808]
R3 wdxwmac;PCI ISDN Card NDIS WAN Driver;c:\windows\system32\drivers\wdxwmac.sys [3/21/2001 12:21 272016]
S3 fsssvc;Windows Live Porodicna bezbednost;c:\program files\Windows Live\Family Safety\fsssvc.exe [2/6/2009 18:08 533360]
S3 getPlusHelper;getPlus(R) Helper;c:\windows\System32\svchost.exe -k getPlusHelper [8/4/2004 01:56 14336]
S3 MBAMSwissArmy;MBAMSwissArmy;\??\c:\windows\system32\drivers\mbamswissarmy.sys --> c:\windows\system32\drivers\mbamswissarmy.sys [?]
S3 rcp_service;ReaConverter scheduler service;c:\program files\ReaConverter 5.5 Pro\rcp_scheduler.exe [11/30/2007 11:27 558592]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
getPlusHelper REG_MULTI_SZ getPlusHelper

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder

2009-10-10 c:\windows\Tasks\1-Click Maintenance.job
- c:\program files\TuneUp Utilities 2009\OneClickStarter.exe [2008-11-20 14:28]

2009-09-27 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-07-03 09:12]
.
.
------- Supplementary Scan -------
.
uStart Page = google.ba
IE: &Download All with FlashGet - c:\program files\FlashGet\jc_all.htm
IE: &Download with FlashGet - c:\program files\FlashGet\jc_link.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
TCP: {0D5314DD-03E3-49BC-BCF7-28A7463A3065} = 87.250.98.250 208.67.222.222
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\bbb\Application Data\Mozilla\Firefox\Profiles\cwyea2tj.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.google.ba/
FF - component: c:\documents and settings\bbb\Application Data\Mozilla\Firefox\Profiles\cwyea2tj.default\extensions\{81BF1D23-5F17-408D-AC6B-BD6DF7CAF670}\components\XpcomOpusConnector.dll
FF - component: c:\program files\Mozilla Firefox\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}\components\NPComponent.dll
FF - plugin: c:\documents and settings\bbb\Application Data\Mozilla\Firefox\Profiles\cwyea2tj.default\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}\plugins\np_gp.dll
FF - plugin: c:\program files\Windows Live\Photo Gallery\NPWLPG.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
FF - user.js: network.http.max-connections-per-server - 4
FF - user.js: nglayout.initialpaint.delay - 750
FF - user.js: content.notify.interval - 750000
FF - user.js: content.max.tokenizing.time - 2250000
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, gmer.net
Rootkit scan 2009-10-10 23:50
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


C:\sccfg.sys 266 bytes

scan completed successfully
hidden files: 1

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-2052111302-162531612-725345543-1005\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{1488C924-EE36-9560-84E8-5F441643D60F}*]
"hapljofgdfkaakhg"=hex:6b,61,6f,6a,65,6d,65,6d,70,69,69,69,6c,67,6a,64,6c,61,
66,65,67,6a,00,00
"iabnhmofnmcmmkpeod"=hex:6a,61,68,6b,6c,6e,61,63,6b,6d,6f,6e,61,63,70,6f,63,6c,
6b,68,00,e0
"eajhnfhnej"=hex:66,61,68,6f,61,61,62,66,62,66,6a,6e,00,31
"daiheema"=hex:64,62,66,6e,6e,61,67,6c,63,70,69,6d,64,6c,67,61,6f,70,6e,66,6c,
6f,69,69,70,70,70,6a,69,68,69,6c,64,6c,6a,64,67,69,6a,6d,00,00

[HKEY_USERS\S-1-5-21-2052111302-162531612-725345543-1005\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{F71C53F3-AB48-E415-BBB0-1B4F92F00B25}*]
"iaokodbppalljddfom"=hex:6a,61,62,62,6f,6b,62,64,6e,6d,70,6b,61,67,70,6b,6f,70,
6e,6b,00,01
"haikajeggdfhdlcj"=hex:6b,61,66,62,61,65,6f,6b,64,6e,6b,66,68,67,63,68,61,66,
63,6b,6f,6f,00,7f
"eaglophfem"=hex:69,61,61,6c,61,63,68,64,68,70,6a,67,65,64,6c,6c,62,61,00,ff
"dalmnamk"=hex:64,62,6f,6b,66,65,68,62,67,6c,6a,6c,6e,6d,6c,68,69,63,66,6e,6d,
6d,64,6a,6d,65,6d,65,69,66,64,63,64,6f,6b,6d,62,63,61,63,00,3d

[HKEY_LOCAL_MACHINE\software\ASUS\ASUS Probe\2.22.02]
@DACL=(02 0000)

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{F71C53F3-AB48-E415-BBB0-1B4F92F00B25}\InProcServer32*]
"faekfebejkln"=hex:69,61,61,6c,61,63,68,64,68,70,6a,67,65,64,6c,6c,62,61,00,ff
"eaekkeidmc"=hex:64,62,6f,6b,66,65,68,62,67,6c,6a,6c,6e,6d,6c,68,69,63,66,6e,
6d,6d,64,6a,6d,65,6d,65,69,66,64,63,64,6f,6b,6d,62,63,61,63,00,3d
"gaekfebejklncp"=hex:69,61,61,6c,61,63,68,64,68,70,6a,67,65,64,6c,6c,62,61,00,
ff
"faekkeidmcej"=hex:64,62,6f,6b,66,65,68,62,67,6c,6a,6c,6e,6d,6c,68,69,63,66,6e,
6d,6d,64,6a,6d,65,6d,65,69,66,64,63,64,6f,6b,6d,62,63,61,63,00,3d
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1192)
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(3812)
c:\windows\system32\WININET.dll
c:\program files\BillP Studios\WinPatrol\PATROLPRO.DLL
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\windows\system32\ZoneLabs\vsmon.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\HPZipm12.exe
c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
c:\program files\Analog Devices\SoundMAX\SMAgent.exe
c:\windows\system32\ati2evxx.exe
c:\windows\system32\wbem\unsecapp.exe
c:\program files\Lavasoft\Ad-Aware\AAWTray.exe
.
**************************************************************************
.
Completion time: 2009-10-10 23:55 - machine was rebooted
ComboFix-quarantined-files.txt 2009-10-10 21:55

Pre-Run: 6.304.063.488 bytes free
Post-Run: 6.168.870.912 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /noexecute=optin

Current=3 Default=3 Failed=2 LastKnownGood=5 Sets=1,2,3,4,5
232 --- E O F --- 2009-09-11 23:38

offline
  • dr_Bora
  • Anti Malware Fighter, Rank 2
  • Joined: 24 Jul 2007
  • Posts: 12280
  • Location: Höganäs, SE

Open Notepad and copy the following text into it:


RegLock::
[HKEY_LOCAL_MACHINE\software\ASUS\ASUS Probe\2.22.02]

RegNull::
[HKEY_USERS\S-1-5-21-2052111302-162531612-725345543-1005\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{1488C924-EE36-9560-84E8-5F441643D60F}*]
[HKEY_USERS\S-1-5-21-2052111302-162531612-725345543-1005\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{F71C53F3-AB48-E415-BBB0-1B4F92F00B25}*]
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{F71C53F3-AB48-E415-BBB0-1B4F92F00B25}\InProcServer32*]



Save the Notepad file to the Desktop as "CFScript"

Drag the saved script/text onto the ComboFix icon as in the picture.
Post the log produced at the end of the cleaning/scan in your next message.

offline
  • MilM
  • New MyCity citizen
  • Joined: 09 Oct 2009
  • Posts: 10

ComboFix 09-10-10.01 - bbb 10/11/2009 1:04.2.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1024.635 [GMT 2:00]
Running from: c:\documents and settings\bbb\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\bbb\Desktop\CFScript.txt
AV: ESET NOD32 Antivirus 4.0 *On-access scanning disabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
FW: ZoneAlarm Pro Firewall *disabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}
.

((((((((((((((((((((((((( Files Created from 2009-09-10 to 2009-10-10 )))))))))))))))))))))))))))))))
.

2009-10-04 23:07 . 2009-10-10 06:01 -------- d-----w- c:\documents and settings\bbb\Application Data\RCP 5
2009-10-04 23:07 . 2009-10-04 23:08 -------- d-----w- c:\program files\ReaConverter 5.5 Pro
2009-10-04 22:35 . 2009-10-04 22:35 -------- d-----w- c:\windows\system32\ReaConverter_5.5_Pro
2009-10-02 20:11 . 2008-04-13 18:39 14592 -c--a-w- c:\windows\system32\dllcache\kbdhid.sys
2009-10-02 20:11 . 2008-04-13 18:39 14592 ----a-w- c:\windows\system32\drivers\kbdhid.sys
2009-10-02 19:30 . 2009-10-02 19:32 -------- d-----w- c:\documents and settings\All Users\Application Data\Bluetooth
2009-10-02 19:23 . 2008-04-14 00:12 53760 ----a-w- c:\windows\system32\drivers\vfwwdm32.dll
2009-09-26 20:29 . 2009-09-26 20:29 -------- d-----w- c:\program files\MSSOAP
2009-09-26 20:28 . 2009-09-26 20:28 -------- d-----w- c:\program files\Webroot
2009-09-12 11:29 . 2009-09-12 11:29 -------- d-----w- c:\documents and settings\bbb\Application Data\WinPatrol
2009-09-12 11:29 . 2009-09-12 11:29 -------- d-----w- c:\program files\BillP Studios
2009-09-11 23:20 . 2009-06-21 21:44 153088 -c----w- c:\windows\system32\dllcache\triedit.dll
2009-09-11 19:12 . 2009-09-11 19:12 -------- d-----w- c:\program files\NOS

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-10-07 16:48 . 2009-04-04 22:18 4212 ---ha-w- c:\windows\system32\zllictbl.dat
2009-10-04 17:56 . 2009-04-18 17:06 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-10-02 19:22 . 2009-10-02 19:22 -------- d-----w- c:\program files\IVT Corporation
2009-10-02 19:22 . 2009-04-04 21:43 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-09-26 20:02 . 2009-04-19 15:20 -------- d-----w- c:\program files\DAEMON Tools Toolbar
2009-09-20 02:01 . 2009-04-25 05:15 -------- d-----w- c:\documents and settings\bbb\Application Data\Skype
2009-09-19 22:06 . 2009-04-25 05:29 -------- d-----w- c:\documents and settings\bbb\Application Data\skypePM
2009-09-12 11:03 . 2009-08-20 09:05 -------- d-----w- c:\program files\Microsoft Silverlight
2009-09-11 19:14 . 2009-04-05 01:37 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2009-09-06 17:11 . 2009-06-13 15:21 -------- d-----w- c:\documents and settings\All Users\Application Data\NFS Underground
2009-08-30 22:40 . 2009-04-18 20:34 -------- d-----w- c:\documents and settings\bbb\Application Data\SUPERAntiSpyware.com
2009-08-23 09:11 . 2009-08-23 09:08 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2009-08-23 09:08 . 2009-08-23 09:08 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{EF63305C-BAD7-4144-9208-D65528260864}
2009-08-23 09:08 . 2009-08-23 09:08 -------- d-----w- c:\program files\Lavasoft
2009-08-18 03:23 . 2004-08-03 23:56 14336 ------w- c:\windows\system32\svchost.exe
2009-08-13 08:10 . 2009-04-18 17:06 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-08-05 09:01 . 2004-08-03 23:56 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-07-17 19:01 . 2004-08-03 23:56 58880 ----a-w- c:\windows\system32\atl.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"scheduler_monitor"="c:\program files\ReaConverter 5.5 Pro\init_scheduler.exe" [2007-06-15 27136]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2008-08-21 981904]
"egui"="c:\program files\ESET\ESET NOD32 Antivirus\egui.exe" [2009-02-06 2021400]
"WinPatrol"="c:\program files\BillP Studios\WinPatrol\winpatrol.exe" [2009-07-27 341312]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"Nokia.PCSync"="c:\program files\Nokia\Nokia PC Suite 6\PcSync2.exe" [2007-03-27 1744896]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
BlueSoleil.lnk - c:\program files\IVT Corporation\BlueSoleil\BlueSoleil.exe [2009-10-2 1044480]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\program files\Gameforge4D\AirRivals\Launcher.atm"= c:\program files\Gameforge4D\AirRivals\Launcher.atm:Enabled:GameExe2
"c:\program files\Gameforge4D\AirRivals\Res-Voip\SCVoIP.exe"= c:\program files\Gameforge4D\AirRivals\Res-Voip\SCVoIP.exe:Enabled:GameVoIP
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\FlashGet\\flashget.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\IVT Corporation\\BlueSoleil\\BlueSoleil.exe"=

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [8/23/2009 11:11 64160]
R0 viasraid;viasraid;c:\windows\system32\drivers\viasraid.sys [12/12/2003 17:49 77312]
R1 ehdrv;ehdrv;c:\windows\system32\drivers\ehdrv.sys [2/6/2009 14:23 106208]
R1 epfwtdir;epfwtdir;c:\windows\system32\drivers\epfwtdir.sys [2/6/2009 14:24 93336]
R2 CAPI;CAPI 2.0 Service;c:\windows\system32\drivers\capi.sys [3/21/2001 12:21 26064]
R2 ekrn;ESET Service;c:\program files\ESET\ESET NOD32 Antivirus\ekrn.exe [2/6/2009 14:23 727720]
R2 fssfltr;FssFltr;c:\windows\system32\drivers\fssfltr_tdi.sys [4/5/2009 02:10 55152]
R2 NDISCAPI;NDIS CAPI Service;c:\windows\system32\drivers\ndiscapi.sys [3/21/2001 12:21 27792]
R2 TuneUp.ProgramStatisticsSvc;TuneUp Program Statistics Service;c:\windows\system32\TUProgSt.exe [4/6/2009 23:40 603904]
R3 3xHybrid;ASUSTek SAA713x PCI Card;c:\windows\system32\drivers\3xHybrid.sys [4/5/2009 21:54 2831232]
R3 ASNDIS5;ASNDIS5 Protocol Driver;c:\windows\system32\ASNDIS5.sys [4/4/2009 23:53 16269]
R3 genmcmnUSB;USB Scroll Mouse Driver;c:\windows\system32\drivers\gflmouhid.sys [4/5/2009 21:56 7808]
R3 wdxwmac;PCI ISDN Card NDIS WAN Driver;c:\windows\system32\drivers\wdxwmac.sys [3/21/2001 12:21 272016]
S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [7/3/2009 16:49 1028432]
S3 fsssvc;Windows Live Porodicna bezbednost;c:\program files\Windows Live\Family Safety\fsssvc.exe [2/6/2009 18:08 533360]
S3 getPlusHelper;getPlus(R) Helper;c:\windows\System32\svchost.exe -k getPlusHelper [8/4/2004 01:56 14336]
S3 MBAMSwissArmy;MBAMSwissArmy;\??\c:\windows\system32\drivers\mbamswissarmy.sys --> c:\windows\system32\drivers\mbamswissarmy.sys [?]
S3 rcp_service;ReaConverter scheduler service;c:\program files\ReaConverter 5.5 Pro\rcp_scheduler.exe [11/30/2007 11:27 558592]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
getPlusHelper REG_MULTI_SZ getPlusHelper

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder

2009-10-10 c:\windows\Tasks\1-Click Maintenance.job
- c:\program files\TuneUp Utilities 2009\OneClickStarter.exe [2008-11-20 14:28]

2009-09-27 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-07-03 09:12]
.
.
------- Supplementary Scan -------
.
uStart Page = google.ba
IE: &Download All with FlashGet - c:\program files\FlashGet\jc_all.htm
IE: &Download with FlashGet - c:\program files\FlashGet\jc_link.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\bbb\Application Data\Mozilla\Firefox\Profiles\cwyea2tj.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.google.ba/
FF - component: c:\documents and settings\bbb\Application Data\Mozilla\Firefox\Profiles\cwyea2tj.default\extensions\{81BF1D23-5F17-408D-AC6B-BD6DF7CAF670}\components\XpcomOpusConnector.dll
FF - component: c:\program files\Mozilla Firefox\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}\components\NPComponent.dll
FF - plugin: c:\documents and settings\bbb\Application Data\Mozilla\Firefox\Profiles\cwyea2tj.default\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}\plugins\np_gp.dll
FF - plugin: c:\program files\Windows Live\Photo Gallery\NPWLPG.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
FF - user.js: network.http.max-connections-per-server - 4
FF - user.js: nglayout.initialpaint.delay - 750
FF - user.js: content.notify.interval - 750000
FF - user.js: content.max.tokenizing.time - 2250000
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, gmer.net
Rootkit scan 2009-10-11 01:07
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


C:\sccfg.sys 266 bytes

scan completed successfully
hidden files: 1

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1192)
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(2060)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
Completion time: 2009-10-10 1:09
ComboFix-quarantined-files.txt 2009-10-10 23:09
ComboFix2.txt 2009-10-10 21:55

Pre-Run: 6.164.815.872 bytes free
Post-Run: 6.147.579.904 bytes free

Current=3 Default=3 Failed=2 LastKnownGood=5 Sets=1,2,3,4,5
173 --- E O F --- 2009-09-11 23:38

  • dr_Bora
  • Anti Malware Fighter
    Rank 2
  • Joined: 24 Jul 2007
  • Posts: 12280
  • Location: Höganäs, SE

Open Notepad and copy the following text into it:


DeQuarantine::
C:\Qoobox\Quarantine\C\documents and settings\bbb\My Documents\backup.reg.vir
Quit::



Save the file from Notepad to the Desktop as "CFScript".

Drag the saved script/text onto the ComboFix icon as shown in the picture.
Post the log that is produced at the end of the cleaning/scan in your next reply.

  • MilM 
  • New MyCity citizen
  • Joined: 09 Oct 2009
  • Posts: 10

Posted: 11 Oct 2009 10:14

I'll do this right away, Bora, but I have to tell you that I've just received a notification from Spybot that it detected and stopped a process listed as a consequence of malicious software. I'll attach a PrtScn so you can see what it's about. Does this mean that winlogon is actually a keylogger?



Update: 11 Oct 2009 10:26

Regarding the previous post, I just want to note that the Spybot pop-up appeared after updating Ad-Aware. I don't know whether that matters, but I wanted to mention it to you anyway.

Here is the ComboFix log:

C:\Qoobox\Quarantine\C\documents and settings\bbb\My Documents\backup.reg.vir -> C:\documents and settings\bbb\My Documents\backup.reg ( 0 bytes )

  • dr_Bora
  • Anti Malware Fighter
    Rank 2
  • Joined: 24 Jul 2007
  • Posts: 12280
  • Location: Höganäs, SE

Open: C:\WINDOWS\system32

Upload the files:

winlogon.exe

winIogon.exe (if it exists; note that it differs from the previous one by a single letter)


Upload link: http://www.mycity.rs/ambulanta-upload.php
