A bunch of viruses, msile.exe and the like...


  • Joined: 16 Apr 2009
  • Posts: 7

ComboFix 09-04-17.01 - xxx 16.04.2009 23:08.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1250.381.1033.18.511.228 [GMT 2:00]
Running from: d:\program files\Programi\ComboFix.exe
AV: Webroot Internet Security Essentials *On-access scanning disabled* (Updated)
FW: Webroot Internet Security Essentials *disabled*
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\a3kebook.ini
c:\windows\akebook.ini
c:\windows\ANS2000.INI
c:\windows\system32\drivers\sysdrv32.sys

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_SYSDRV32
-------\Service_sysdrv32


((((((((((((((((((((((((( Files Created from 2009-03-16 to 2009-04-16 )))))))))))))))))))))))))))))))
.

2009-04-16 20:36 . 2009-04-16 20:36 -------- d-----w c:\program files\Trend Micro
2009-04-12 17:25 . 2009-04-12 17:24 42499 --sh--r c:\windows\system\msile.exe
2009-04-11 07:45 . 2009-04-11 07:45 262144 ----a-w c:\documents and settings\NEBOJA~2
2009-04-11 07:43 . 2009-04-11 07:44 8192 ----a-w c:\documents and settings\NEBOJA~1
2009-04-10 22:19 . 2009-04-10 22:18 108296 ----a-w c:\windows\system32\drivers\pwipf6.sys
2009-04-10 22:19 . 2009-04-06 11:32 1563008 ----a-w c:\windows\WRSetup.dll
2009-04-10 22:19 . 2009-04-11 07:48 -------- d-----w c:\documents and settings\xxx\Application Data\Webroot
2009-04-10 22:19 . 2009-04-10 22:25 -------- d-----w c:\documents and settings\All Users\Application Data\Webroot
2009-04-10 17:06 . 2009-04-10 17:06 -------- d-----w c:\program files\MSSOAP
2009-04-10 17:05 . 2009-04-10 17:05 -------- d-----w c:\program files\Webroot
2009-04-09 09:14 . 2008-04-14 03:42 10752 ------w c:\windows\system32\smtpapi.dll
2009-04-09 09:14 . 2008-04-14 03:42 9728 ------w c:\windows\system32\rwnh.dll
2009-04-09 09:13 . 2006-12-28 22:31 19569 ----a-w c:\windows\000001_.tmp
2009-04-09 08:35 . 2009-04-09 08:35 47755 --sh--r c:\windows\system\netmon.exe
2009-04-09 08:35 . 2009-04-09 08:38 47755 ----a-w c:\windows\system32\82.scr
2009-04-04 18:25 . 2009-04-04 18:25 268 ---ha-w C:\sqmdata00.sqm
2009-04-04 18:25 . 2009-04-04 18:25 244 ---ha-w C:\sqmnoopt00.sqm
2009-04-02 12:30 . 2009-04-02 12:30 176752 ----a-w c:\windows\system32\drivers\ssidrv.sys
2009-04-02 12:30 . 2009-04-02 12:30 23152 ----a-w c:\windows\system32\drivers\sshrmd.sys
2009-04-02 12:30 . 2009-04-02 12:30 29808 ----a-w c:\windows\system32\drivers\ssfs0bbc.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-16 21:06 . 2007-05-20 12:30 -------- d-----w c:\documents and settings\xxx\Application Data\uTorrent
2009-04-16 20:39 . 2009-04-16 20:39 10819 ----a-w c:\program files\hijackthis.log
2009-04-16 20:07 . 2009-03-07 17:55 -------- d-----w c:\program files\Flock
2009-04-14 19:06 . 2006-11-16 17:00 -------- d-----w c:\program files\Winamp
2009-04-13 19:22 . 2008-10-08 17:01 -------- d-----w c:\program files\Any Video Converter
2009-04-13 19:22 . 2008-10-08 17:01 -------- d--h--w c:\documents and settings\xxx\Application Data\Any Video Converter
2009-04-11 13:09 . 2009-03-04 19:42 -------- d-----w c:\program files\Spybot - Search & Destroy
2009-04-11 07:45 . 2008-10-10 05:36 -------- d--h--w c:\documents and settings\All Users\Application Data\avg8
2009-04-11 07:42 . 2006-12-06 01:38 -------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-03-11 02:05 . 2009-03-11 02:05 -------- d-----w c:\program files\Microsoft Silverlight
2009-03-11 01:59 . 2009-03-11 01:56 -------- d-----w c:\documents and settings\xxx\Application Data\vlc
2009-03-11 01:55 . 2009-03-11 01:53 -------- d-----w c:\documents and settings\xxx\Application Data\MozillaControl
2009-03-11 01:54 . 2009-03-11 01:54 -------- d-----w c:\documents and settings\All Users\Application Data\Graboid Inc
2009-03-11 01:37 . 2009-03-11 01:37 -------- d-----w c:\program files\VideoLAN
2009-03-09 12:11 . 2007-11-29 19:01 -------- d-----w c:\program files\Windows Vista Icons
2009-03-08 23:04 . 2007-06-20 20:59 -------- d-----w c:\program files\MSN Messenger
2009-03-08 16:33 . 2009-03-08 16:33 -------- d-----w c:\program files\SDHelper (Spybot - Search & Destroy)
2009-03-08 16:33 . 2009-03-08 16:33 -------- d-----w c:\program files\Misc. Support Library (Spybot - Search & Destroy)
2009-03-08 16:33 . 2009-03-08 16:33 -------- d-----w c:\program files\File Scanner Library (Spybot - Search & Destroy)
2009-03-07 18:46 . 2009-03-07 18:46 -------- d--h--w c:\documents and settings\xxx\Application Data\GRETECH
2009-03-07 18:45 . 2009-03-07 18:45 -------- d-----w c:\program files\GRETECH
2009-03-07 17:59 . 2009-03-07 17:59 -------- d--h--w c:\documents and settings\xxx\Application Data\Flock
2009-03-05 12:28 . 2009-03-05 12:28 102411 ----a-w c:\windows\system32\msvcrt2.dll
2009-03-04 10:47 . 2009-03-04 10:47 -------- d-----w c:\documents and settings\All Users\Application Data\SITEguard
2009-03-04 10:46 . 2009-03-04 10:46 -------- d-----w c:\program files\Common Files\iS3
2009-03-02 18:20 . 2006-11-16 16:24 108744 ----a-w c:\documents and settings\xxx\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-03-02 18:12 . 2006-11-16 16:17 86327 ----a-w c:\windows\pchealth\helpctr\OfflineCache\index.dat
2009-03-02 18:00 . 2004-08-03 20:59 250048 --sha-r C:\ntldr
2009-02-26 19:17 . 2006-11-16 16:29 -------- d--h--w c:\program files\InstallShield Installation Information
2009-02-08 22:09 . 2009-02-08 22:09 318904 ----a-w c:\program files\wmpfirefoxplugin.exe
2008-06-02 17:22 . 2007-07-24 23:07 654 ----a-w c:\program files\u Torrent.lnk
2008-03-31 22:22 . 2008-03-31 22:22 32 ---ha-w c:\documents and settings\All Users\Application Data\ezsid.dat
2006-11-16 18:24 . 2006-11-16 18:24 126 -c--a-w c:\documents and settings\xxx\Local Settings\Application Data\fusioncache.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\BackupIconOverlayId]
@="{2EE61E5C-8F94-4AAB-8A80-D2A8CD1FEDAD}"
[HKEY_CLASSES_ROOT\CLSID\{2EE61E5C-8F94-4AAB-8A80-D2A8CD1FEDAD}]
2009-04-06 11:26 238968 ----a-w c:\program files\Webroot\WebrootSecurity\Backup\CtxMenu_1_0_0_10.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"updateMgr"="c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 313472]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2006-06-01 94208]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2005-12-09 7311360]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2005-12-09 86016]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2004-11-02 32768]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2006-02-19 49152]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-01-19 185896]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-10-13 144792]
"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 155648]
"netmon"="c:\windows\system\netmon.exe" [2009-04-09 47755]
"SpySweeper"="c:\program files\Webroot\WebrootSecurity\SpySweeperUI.exe" [2009-04-06 6345840]
"SoundMan"="SOUNDMAN.EXE" - c:\windows\soundman.exe [2006-01-11 577536]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2005-12-09 1519616]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

c:\documents and settings\xxx\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2007-8-24 101784]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-23 29696]
GN-WP01GS Utility.lnk - c:\program files\Gigabyte\Gigabyte WP01GS Wireless PCI Adapter SoftAP\Installer\WINXP\RaUI.exe [2007-6-1 720896]
HP Photosmart Premier Fast Start.lnk - c:\program files\HP\Digital Imaging\bin\hpqthb08.exe [2006-2-10 73728]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"UIHost"="c:\windows\system32\logonui.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.3iv2"= 3ivxVfWCodec.dll
"VIDC.VP31"= vp31vfw.dll
"msacm.divxa32"= msaud32_divx.acm

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\msile]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WRConsumerService]
@="Service"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"updateMgr"="c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_8 -reboot 1

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"NeroCheck"=c:\windows\system32\NeroCheck.exe
"NeroFilterCheck"=c:\program files\Common Files\Ahead\Lib\NeroCheck.exe
"HP Software Update"=c:\program files\HP\HP Software Update\HPWuSchd2.exe
"WinampAgent"=c:\program files\Winamp\winampa.exe
"SunJavaUpdateSched"="c:\program files\Java\jre1.5.0_09\bin\jusched.exe"
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe"
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" -osboot
"TWCU"="c:\program files\TP-LINK\TWCU\TWCU.exe" -nogui
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"d:\\Program Files\\Programi\\uTorrent.exe"=
"c:\\Documents and Settings\\xxx\\Application Data\\Macromedia\\Flash Player\\www.macromedia.com\\bin\\octoshape\\octoshape.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Flock\\flock.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\WINDOWS\\system\\netmon.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:*:Disabled:@xpsp2res.dll,-22009

R2 msile;microsoft install le;c:\windows\system\msile.exe [2009-04-12 42499]
R2 setup_7.0.0.180_30.04.2008_14-26;setup_7.0.0.180_30.04.2008_14-26; [x]
R3 usnjsvc;Usluga Messenger Sharing Folders USN Journal Reader;c:\program files\MSN Messenger\usnsvc.exe [2007-01-19 97136]
S0 ssfs0bbc;ssfs0bbc;c:\windows\system32\DRIVERS\ssfs0bbc.sys [2009-04-02 29808]
S1 pwipf6;pwipf6;c:\windows\system32\drivers\pwipf6.sys [2009-04-10 108296]
S2 WRConsumerService;Webroot Client Service;c:\program files\Webroot\WebrootSecurity\WRConsumerService.exe [2009-04-10 1181040]


--- Other Services/Drivers In Memory ---

*NewlyCreated* - SYSDRV32

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{7a2f36de-c739-11dc-a0c4-0016e6380b62}]
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL wscript.exe killVBS.vbs

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f01d09f5-0ef4-11de-9b22-0016e6380b62}]
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL strongkey-rc1.3-build-208.exe
\Shell\default\command - F:\strongkey-rc1.3-build-208.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{fc2e8ed7-4e76-11dd-8568-cddd8ebd83de}]
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL wscript.exe killVBS.vbs
.
Contents of the 'Scheduled Tasks' folder

2009-04-10 c:\windows\Tasks\wrSpySweeper_L2CB7798EC8AB402895DA00E67D8C427C.job
- c:\program files\Webroot\WebrootSecurity\SpySweeperUI.exe [2009-04-10 11:32]

2009-04-10 c:\windows\Tasks\wrSpySweeper_L2CB7798EC8AB402895DA00E67D8C427C.job
- c:\program files\Webroot\WebrootSecurity\SpySweeperUI.exe [2009-04-10 11:32]

2009-04-16 c:\windows\Tasks\wrSpySweeper_LFF32611FF1EE40A08D1B05FB7AE8E207.job
- c:\program files\Webroot\WebrootSecurity\SpySweeperUI.exe [2009-04-10 11:32]

2009-04-16 c:\windows\Tasks\wrSpySweeper_LFF32611FF1EE40A08D1B05FB7AE8E207.job
- c:\program files\Webroot\WebrootSecurity\SpySweeperUI.exe [2009-04-10 11:32]
.
- - - - ORPHANS REMOVED - - - -

WebBrowser-{6638A9DE-0745-4292-8A2E-AE530E7B9B3F} - (no file)
HKCU-Run-BestPopUpKiller - c:\program files\BestPopUpKiller\BestPopupKiller.exe
HKCU-Run-AMP Agent - c:\program files\Common Files\ARS Company\Agent\Agent.exe
HKLM-Run-kav - c:\program files\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe
HKLM-Run-TWCU - c:\program files\TP-LINK\TWCU\TWCU.exe
HKLM-Run-NeroCheck - c:\windows\system32\NeroCheck.exe
HKLM-Run-SNM - c:\program files\SpyNoMore\SNM.exe
HKLM-Run-Microsoft(R) System Manager - c:\windows\system32\sysmgr.exe
HKLM-Run-SMSERIAL - sm56hlpr.exe
SafeBoot-netmon


.
------- Supplementary Scan -------
.
uInternet Settings,ProxyOverride = *.local
IE: &Yahoo! Search - file:///c:\program files\Yahoo!\Common/ycsrch.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Yahoo! &Dictionary - file:///c:\program files\Yahoo!\Common/ycdict.htm
IE: Yahoo! &Maps - file:///c:\program files\Yahoo!\Common/ycmap.htm
IE: Yahoo! &SMS - file:///c:\program files\Yahoo!\Common/ycsms.htm
IE: {{ECC5777A-6E88-BFCE-13CE-81F134789E7B} - c:\program files\Funnsystems YuMp3Com-User-Authorization\YuMp3ComLogin.exe
TCP: {332F18D5-1A81-48F3-9570-CBCEC72E7980} = 195.252.122.154
DPF: CabBuilder - hxxp://kiw.imgag.com/imgag/kiw/toolbar/download/InstallerControl.cab
.

**************************************************************************

catchme 0.3.1375 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, gmer.net
Rootkit scan 2009-04-16 23:14
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

c:\windows\system\netmon.exe [2076] 0x81E36858

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
SMSERIAL = sm56hlpr.exe?

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-117609710-562591055-682003330-1003\Software\SecuROM\License information*]
"datasecu"=hex:01,d7,9d,16,d1,ed,9d,a9,ab,00,d0,51,f7,2a,44,df,fb,39,a5,ee,29,
cd,49,15,d5,8d,0b,c6,d8,08,f7,a6,5b,a3,56,7e,9a,52,54,19,dc,28,ee,e3,81,91,\
"rkeysecu"=hex:87,dd,bc,25,c7,7c,00,40,07,4a,2b,38,f2,54,ed,91

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{5ED60779-4DE2-4E07-B862-974CA4FF2E9C}]
@Denied: (Full) (Everyone)
"scansk"=hex(0):ff,b7,d0,40,c1,3c,33,74,7d,79,2d,9e,74,cb,41,d6,70,fe,75,10,e4,
46,c9,8e,5f,64,74,99,b6,75,e8,e5,29,b2,4d,cc,1d,8a,33,f3,00,00,00,00,00,00,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{7B8E9164-324D-4A2E-A46D-0165FB2000EC}]
@Denied: (Full) (Everyone)
"scansk"=hex(0):9f,e5,68,a8,99,c4,fc,97,2b,b5,31,c6,59,f4,42,0c,ff,62,6f,cb,a2,
29,f7,dd,8d,66,42,77,21,53,8e,77,4e,23,5c,8c,b2,72,5e,28,00,00,00,00,00,00,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{89d8de28-60b7-4d33-9965-269e32426821}]
@Denied: (Full) (Everyone)
"Model"=dword:000000b1
"Therad"=dword:00000020
"MData"=hex(0):cb,9b,ad,ef,27,7d,29,69,f5,02,f0,76,aa,4a,f1,7c,d3,d9,67,7f,6a,
4b,7b,ad,04,7a,b1,b5,76,9b,27,47,30,e2,5c,65,1b,80,a4,1f,d1,e5,bd,4d,4b,50,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{eed6e8dd-528e-4142-9f0d-b7f2d6e075fc}]
@Denied: (Full) (Everyone)
"Model"=dword:00000127
"Therad"=dword:00000015
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(1620)
c:\program files\Webroot\WebrootSecurity\Backup\CtxMenu_1_0_0_10.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\OneX.DLL
c:\windows\system32\eappprxy.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\ATKKBService.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\nvsvc32.exe
c:\program files\Webroot\WebrootSecurity\SpySweeper.exe
c:\windows\system32\wscntfy.exe
c:\program files\HP\Digital Imaging\bin\hpqimzone.exe
c:\program files\Webroot\WebrootSecurity\SSU.exe
.
**************************************************************************
.
Completion time: 2009-04-16 23:19 - machine was rebooted
ComboFix-quarantined-files.txt 2009-04-16 21:19

Pre-Run: 3.435.560.960 bytes free
Post-Run: 3.329.830.912 bytes free

266 --- E O F --- 2007-08-11 01:12

  • dr_Bora  Male
  • Anti Malware Fighter
    Rank 2
  • Joined: 24 Jul 2007
  • Posts: 12280
  • Location: Höganäs, SE

Hello...


Do you still need help?

  • Joined: 16 Apr 2009
  • Posts: 7

I do! I can't remove msile at all!
Thanks :)

  • dr_Bora  Male
  • Anti Malware Fighter
    Rank 2
  • Joined: 24 Jul 2007
  • Posts: 12280
  • Location: Höganäs, SE

Delete the current version of ComboFix and then download the latest one.


Download ComboFix from one of the following addresses to your Desktop:
http://download.bleepingcomputer.com/sUBs/ComboFix.exe
http://www.forospyware.com/sUBs/ComboFix.exe
http://subs.geekstogo.com/ComboFix.exe

Run it and do not touch the program window while it scans.
Follow the on-screen instructions. When it finishes, a log will appear (C:\ComboFix.txt) which you will copy here for us.

  • Joined: 16 Apr 2009
  • Posts: 7

ComboFix 09-04-17.03 - xxx 21.04.2009 11:30.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1250.381.1033.18.511.243 [GMT 2:00]
Running from: d:\program files\Programi\ComboFix.exe
AV: Webroot Internet Security Essentials *On-access scanning disabled* (Updated)
FW: Webroot Internet Security Essentials *disabled*
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\a3kebook.ini
c:\windows\akebook.ini
c:\windows\ANS2000.INI

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_SYSDRV32


((((((((((((((((((((((((( Files Created from 2009-03-21 to 2009-04-21 )))))))))))))))))))))))))))))))
.

2009-04-21 06:48 . 2009-04-21 06:48 23392 ----a-w c:\windows\system32\nscompat.tlb
2009-04-21 06:48 . 2009-04-21 06:48 16832 ----a-w c:\windows\system32\amcompat.tlb
2009-04-20 16:39 . 2009-04-20 16:39 -------- d-----w c:\documents and settings\xxx\Application Data\Malwarebytes
2009-04-20 16:39 . 2009-04-06 13:32 15504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-04-20 16:39 . 2009-04-06 13:32 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-20 16:39 . 2009-04-20 16:39 -------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-04-20 16:39 . 2009-04-20 16:39 -------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes
2009-04-16 20:36 . 2009-04-16 20:36 -------- d-----w c:\program files\Trend Micro
2009-04-11 07:45 . 2009-04-11 07:45 262144 ----a-w c:\documents and settings\NEBOJA~2
2009-04-11 07:43 . 2009-04-11 07:44 8192 ----a-w c:\documents and settings\NEBOJA~1
2009-04-10 17:06 . 2009-04-10 17:06 -------- d-----w c:\program files\MSSOAP
2009-04-10 17:05 . 2009-04-10 17:05 -------- d-----w c:\program files\Webroot
2009-04-09 09:14 . 2008-04-14 03:42 10752 ------w c:\windows\system32\smtpapi.dll
2009-04-09 09:14 . 2008-04-14 03:42 9728 ------w c:\windows\system32\rwnh.dll
2009-04-09 09:13 . 2006-12-28 22:31 19569 ----a-w c:\windows\000001_.tmp
2009-04-04 18:25 . 2009-04-04 18:25 268 ---ha-w C:\sqmdata00.sqm
2009-04-04 18:25 . 2009-04-04 18:25 244 ---ha-w C:\sqmnoopt00.sqm

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-21 08:20 . 2007-05-20 12:30 -------- d-----w c:\documents and settings\xxx\Application Data\uTorrent
2009-04-21 06:54 . 2009-03-07 17:55 -------- d-----w c:\program files\Flock
2009-04-20 23:36 . 2006-11-16 17:00 -------- d-----w c:\program files\Winamp
2009-04-20 18:12 . 2006-12-26 01:00 -------- d-----w c:\program files\Windows Media Connect 2
2009-04-16 20:39 . 2009-04-16 20:39 10819 ----a-w c:\program files\hijackthis.log
2009-04-13 19:22 . 2008-10-08 17:01 -------- d-----w c:\program files\Any Video Converter
2009-04-13 19:22 . 2008-10-08 17:01 -------- d--h--w c:\documents and settings\xxx\Application Data\Any Video Converter
2009-04-11 13:09 . 2009-03-04 19:42 -------- d-----w c:\program files\Spybot - Search & Destroy
2009-04-11 07:45 . 2008-10-10 05:36 -------- d--h--w c:\documents and settings\All Users\Application Data\avg8
2009-04-11 07:42 . 2006-12-06 01:38 -------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-03-11 02:05 . 2009-03-11 02:05 -------- d-----w c:\program files\Microsoft Silverlight
2009-03-11 01:59 . 2009-03-11 01:56 -------- d-----w c:\documents and settings\xxx\Application Data\vlc
2009-03-11 01:55 . 2009-03-11 01:53 -------- d-----w c:\documents and settings\xxx\Application Data\MozillaControl
2009-03-11 01:37 . 2009-03-11 01:37 -------- d-----w c:\program files\VideoLAN
2009-03-09 12:11 . 2007-11-29 19:01 -------- d-----w c:\program files\Windows Vista Icons
2009-03-08 23:04 . 2007-06-20 20:59 -------- d-----w c:\program files\MSN Messenger
2009-03-08 16:33 . 2009-03-08 16:33 -------- d-----w c:\program files\SDHelper (Spybot - Search & Destroy)
2009-03-08 16:33 . 2009-03-08 16:33 -------- d-----w c:\program files\Misc. Support Library (Spybot - Search & Destroy)
2009-03-08 16:33 . 2009-03-08 16:33 -------- d-----w c:\program files\File Scanner Library (Spybot - Search & Destroy)
2009-03-07 18:46 . 2009-03-07 18:46 -------- d--h--w c:\documents and settings\xxx\Application Data\GRETECH
2009-03-07 18:45 . 2009-03-07 18:45 -------- d-----w c:\program files\GRETECH
2009-03-07 17:59 . 2009-03-07 17:59 -------- d--h--w c:\documents and settings\xxx\Application Data\Flock
2009-03-05 12:28 . 2009-03-05 12:28 102411 ----a-w c:\windows\system32\msvcrt2.dll
2009-03-04 10:47 . 2009-03-04 10:47 -------- d-----w c:\documents and settings\All Users\Application Data\SITEguard
2009-03-04 10:46 . 2009-03-04 10:46 -------- d-----w c:\program files\Common Files\iS3
2009-03-02 18:20 . 2006-11-16 16:24 108744 ----a-w c:\documents and settings\xxx\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-03-02 18:12 . 2006-11-16 16:17 86327 ----a-w c:\windows\pchealth\helpctr\OfflineCache\index.dat
2009-03-02 18:00 . 2004-08-03 20:59 250048 --sha-r C:\ntldr
2009-02-26 19:17 . 2006-11-16 16:29 -------- d--h--w c:\program files\InstallShield Installation Information
2009-02-08 22:09 . 2009-02-08 22:09 318904 ----a-w c:\program files\wmpfirefoxplugin.exe
2008-06-02 17:22 . 2007-07-24 23:07 654 ----a-w c:\program files\u Torrent.lnk
2008-03-31 22:22 . 2008-03-31 22:22 32 ---ha-w c:\documents and settings\All Users\Application Data\ezsid.dat
2006-11-16 18:24 . 2006-11-16 18:24 126 -c--a-w c:\documents and settings\xxx\Local Settings\Application Data\fusioncache.dat
.

((((((((((((((((((((((((((((( SnapShot@2009-04-16_21.14.09 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-04-21 09:34 . 2009-04-21 09:34 16384 c:\windows\Temp\Perflib_Perfdata_538.dat
+ 2006-10-18 20:47 . 2006-10-18 19:47 38400 c:\windows\system32\wpdshextres.dll
- 2006-10-18 20:47 . 2006-10-18 20:47 38400 c:\windows\system32\wpdshextres.dll
+ 2009-04-20 18:03 . 2006-09-25 15:58 14640 c:\windows\system32\spmsg.dll
+ 2006-11-16 16:16 . 2004-08-03 22:56 73728 c:\windows\system32\dllcache\wmplayer.exe
+ 2006-11-16 16:16 . 2004-08-03 22:56 98304 c:\windows\system32\dllcache\wmpband.dll
+ 2006-11-16 16:22 . 2009-04-20 08:41 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
- 2006-11-16 16:22 . 2009-04-16 21:13 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2006-11-16 16:22 . 2009-04-20 08:41 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2006-11-16 16:22 . 2009-04-16 21:13 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2006-11-16 16:22 . 2009-04-20 08:41 16384 c:\windows\system32\config\systemprofile\Cookies\index.dat
- 2006-11-16 16:22 . 2009-04-16 21:13 16384 c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2004-08-03 22:56 . 2004-08-03 22:56 8192 c:\windows\system32\dllcache\asferror.dll
+ 2004-08-03 22:56 . 2004-08-03 22:56 8192 c:\windows\system32\asferror.dll
+ 2004-08-03 22:56 . 2004-08-03 22:56 102400 c:\windows\system32\wmpshell.dll
+ 2004-08-03 22:56 . 2004-08-03 22:56 233472 c:\windows\system32\wmpdxm.dll
+ 2004-08-03 22:56 . 2004-08-03 22:56 114688 c:\windows\system32\wmpasf.dll
+ 2004-08-03 22:56 . 2004-08-03 22:56 168448 c:\windows\system32\wmerror.dll
+ 2004-08-03 22:56 . 2004-08-03 22:56 102400 c:\windows\system32\dllcache\wmpshell.dll
+ 2004-08-03 22:56 . 2004-08-03 22:56 233472 c:\windows\system32\dllcache\wmpdxm.dll
+ 2004-08-03 22:56 . 2004-08-03 22:56 114688 c:\windows\system32\dllcache\wmpasf.dll
+ 2004-08-03 22:56 . 2004-08-03 22:56 168448 c:\windows\system32\dllcache\wmerror.dll
+ 2004-08-03 22:56 . 2004-08-03 22:56 208896 c:\windows\system32\dllcache\unregmp2.exe
+ 2006-11-16 16:16 . 2004-08-03 22:56 774144 c:\windows\system32\dllcache\setup_wm.exe
+ 2006-11-16 16:16 . 2004-08-03 22:56 368640 c:\windows\system32\dllcache\mpvis.dll
+ 2004-08-03 22:56 . 2004-08-03 22:56 208896 c:\windows\inf\unregmp2.exe
+ 2004-08-03 22:56 . 2004-08-03 22:56 2940928 c:\windows\system32\wmploc.dll
+ 2004-08-03 22:56 . 2006-04-24 14:40 4730880 c:\windows\system32\wmp.dll
+ 2004-08-03 22:56 . 2004-08-03 22:56 2940928 c:\windows\system32\dllcache\wmploc.dll
+ 2004-08-03 22:56 . 2006-04-24 14:40 4730880 c:\windows\system32\dllcache\wmp.dll
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"updateMgr"="c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 313472]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2006-06-01 94208]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2005-12-09 7311360]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2005-12-09 86016]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2004-11-02 32768]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-01-19 185896]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-10-13 144792]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2009-04-06 401040]
"SoundMan"="SOUNDMAN.EXE" - c:\windows\soundman.exe [2006-01-11 577536]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2005-12-09 1519616]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

c:\documents and settings\xxx\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2007-8-24 101784]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-23 29696]
GN-WP01GS Utility.lnk - c:\program files\Gigabyte\Gigabyte WP01GS Wireless PCI Adapter SoftAP\Installer\WINXP\RaUI.exe [2007-6-1 720896]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"UIHost"="c:\windows\system32\logonui.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WRConsumerService]
@="Service"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"updateMgr"="c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_8 -reboot 1

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"NeroCheck"=c:\windows\system32\NeroCheck.exe
"NeroFilterCheck"=c:\program files\Common Files\Ahead\Lib\NeroCheck.exe
"HP Software Update"=c:\program files\HP\HP Software Update\HPWuSchd2.exe
"WinampAgent"=c:\program files\Winamp\winampa.exe
"SunJavaUpdateSched"="c:\program files\Java\jre1.5.0_09\bin\jusched.exe"
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe"
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" -osboot
"TWCU"="c:\program files\TP-LINK\TWCU\TWCU.exe" -nogui
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"d:\\Program Files\\Programi\\uTorrent.exe"=
"c:\\Documents and Settings\\xxx\\Application Data\\Macromedia\\Flash Player\\www.macromedia.com\\bin\\octoshape\\octoshape.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Flock\\flock.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:*:Disabled:@xpsp2res.dll,-22009

R2 setup_7.0.0.180_30.04.2008_14-26;setup_7.0.0.180_30.04.2008_14-26; [x]
R2 WRConsumerService;Webroot Client Service; [x]
R3 usnjsvc;Usluga Messenger Sharing Folders USN Journal Reader;c:\program files\MSN Messenger\usnsvc.exe [2007-01-19 97136]
S2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [2009-04-06 179856]
S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2009-04-06 15504]


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{3d414f3e-2d87-11de-9b6e-0016e6380b62}]
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL strongkey-rc1.3-build-208.exe
\Shell\default\command - F:\strongkey-rc1.3-build-208.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{3d414f43-2d87-11de-9b6e-0016e6380b62}]
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL strongkey-rc1.3-build-208.exe
\Shell\default\command - F:\strongkey-rc1.3-build-208.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{7a2f36de-c739-11dc-a0c4-0016e6380b62}]
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL wscript.exe killVBS.vbs

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{87d34b6b-5ef7-11dd-aa6e-906721c14bdf}]
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL strongkey-rc1.3-build-208.exe
\Shell\default\command - F:\strongkey-rc1.3-build-208.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f01d09f5-0ef4-11de-9b22-0016e6380b62}]
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL strongkey-rc1.3-build-208.exe
\Shell\default\command - F:\strongkey-rc1.3-build-208.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{fc2e8ed7-4e76-11dd-8568-cddd8ebd83de}]
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL wscript.exe killVBS.vbs
.
Contents of the 'Scheduled Tasks' folder

2009-04-20 c:\windows\Tasks\Malwarebytes' Scheduled Scan for xxx.job
- c:\program files\Malwarebytes' Anti-Malware\mbam.exe [2009-04-20 13:32]

2009-04-20 c:\windows\Tasks\Malwarebytes' Scheduled Update for xxx.job
- c:\program files\Malwarebytes' Anti-Malware\mbam.exe [2009-04-20 13:32]
.
.
------- Supplementary Scan -------
.
IE: &Yahoo! Search - file:///c:\program files\Yahoo!\Common/ycsrch.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Yahoo! &Dictionary - file:///c:\program files\Yahoo!\Common/ycdict.htm
IE: Yahoo! &Maps - file:///c:\program files\Yahoo!\Common/ycmap.htm
IE: Yahoo! &SMS - file:///c:\program files\Yahoo!\Common/ycsms.htm
IE: {{ECC5777A-6E88-BFCE-13CE-81F134789E7B} - c:\program files\Funnsystems YuMp3Com-User-Authorization\YuMp3ComLogin.exe
DPF: CabBuilder - hxxp://kiw.imgag.com/imgag/kiw/toolbar/download/InstallerControl.cab
.

**************************************************************************

catchme 0.3.1375 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, gmer.net
Rootkit scan 2009-04-21 11:34
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-117609710-562591055-682003330-1003\Software\SecuROM\License information*]
"datasecu"=hex:01,d7,9d,16,d1,ed,9d,a9,ab,00,d0,51,f7,2a,44,df,fb,39,a5,ee,29,
cd,49,15,d5,8d,0b,c6,d8,08,f7,a6,5b,a3,56,7e,9a,52,54,19,dc,28,ee,e3,81,91,\
"rkeysecu"=hex:87,dd,bc,25,c7,7c,00,40,07,4a,2b,38,f2,54,ed,91

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{5ED60779-4DE2-4E07-B862-974CA4FF2E9C}]
@Denied: (Full) (Everyone)
"scansk"=hex(0):ff,b7,d0,40,c1,3c,33,74,7d,79,2d,9e,74,cb,41,d6,70,fe,75,10,e4,
46,c9,8e,5f,64,74,99,b6,75,e8,e5,29,b2,4d,cc,1d,8a,33,f3,00,00,00,00,00,00,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{7B8E9164-324D-4A2E-A46D-0165FB2000EC}]
@Denied: (Full) (Everyone)
"scansk"=hex(0):9f,e5,68,a8,99,c4,fc,97,2b,b5,31,c6,59,f4,42,0c,ff,62,6f,cb,a2,
29,f7,dd,8d,66,42,77,21,53,8e,77,4e,23,5c,8c,b2,72,5e,28,00,00,00,00,00,00,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{89d8de28-60b7-4d33-9965-269e32426821}]
@Denied: (Full) (Everyone)
"Model"=dword:000000b1
"Therad"=dword:00000020
"MData"=hex(0):cb,9b,ad,ef,27,7d,29,69,f5,02,f0,76,aa,4a,f1,7c,d3,d9,67,7f,6a,
4b,7b,ad,04,7a,b1,b5,76,9b,27,47,30,e2,5c,65,1b,80,a4,1f,d1,e5,bd,4d,4b,50,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{eed6e8dd-528e-4142-9f0d-b7f2d6e075fc}]
@Denied: (Full) (Everyone)
"Model"=dword:00000127
"Therad"=dword:00000015
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(3928-)
c:\windows\system32\ieframe.dll
c:\windows\system32\OneX.DLL
c:\windows\system32\eappprxy.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\ATKKBService.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\nvsvc32.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2009-04-21 11:38 - machine was rebooted
ComboFix-quarantined-files.txt 2009-04-21 09:38
ComboFix2.txt 2009-04-16 21:19

Pre-Run: 3.049.054.208 bytes free
Post-Run: 3.036.098.560 bytes free

262 --- E O F --- 2007-08-11 01:12

  • dr_Bora  Male
  • Anti Malware Fighter
    Rank 2
  • Joined: 24 Jul 2007
  • Posts: 12280
  • Location: Höganäs, SE

Open Notepad and copy the following text into it:

Driver::
setup_7.0.0.180_30.04.2008_14-26

Registry::
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{3d414f3e-2d87-11de-9b6e-0016e6380b62}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{3d414f43-2d87-11de-9b6e-0016e6380b62}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{7a2f36de-c739-11dc-a0c4-0016e6380b62}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{87d34b6b-5ef7-11dd-aa6e-906721c14bdf}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f01d09f5-0ef4-11de-9b22-0016e6380b62}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{fc2e8ed7-4e76-11dd-8568-cddd8ebd83de}]

Save the file from Notepad to the Desktop as "CFScript"

Drag the saved script/text onto the ComboFix icon as shown in the picture.
Post in your next message the log that is produced at the end of the cleaning/scan.
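The Registry:: lines in the script above are derived one-for-one from the MountPoints2 block in the first log: every `{GUID}` key under `...\explorer\mountpoints2` that carries a `\Shell\AutoRun\command` (the handler Explorer cached from a removable drive's autorun.inf, here running strongkey-rc1.3-build-208.exe or killVBS.vbs from F:) is deleted with REGEDIT4's `[-KEY]` syntax. The script below is an added example of that derivation for readers who want to repeat it on their own log; it is not part of ComboFix and not dr_Bora's tooling. The `SAMPLE_LOG` is constructed from two of the six records shown in the first log, and the function names are this example's own.

```python
"""Turn the MountPoints2 autorun records in a ComboFix log into the
'Registry::' removal lines of a CFScript.

Added example for this thread, not part of ComboFix and not dr_Bora's own
tooling. SAMPLE_LOG is constructed from the MountPoints2 entries in the first
log above; the function names are this example's own.
"""
import re

# Constructed sample: two of the six MountPoints2 records ComboFix printed in
# the first log of this thread, followed by the '.' separator that ends them.
SAMPLE_LOG = r"""
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{3d414f3e-2d87-11de-9b6e-0016e6380b62}]
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL strongkey-rc1.3-build-208.exe
\Shell\default\command - F:\strongkey-rc1.3-build-208.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{7a2f36de-c739-11dc-a0c4-0016e6380b62}]
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL wscript.exe killVBS.vbs
.
Contents of the 'Scheduled Tasks' folder
"""

# A ComboFix key header: '[...\mountpoints2\{GUID}]'
KEY_RE = re.compile(r"^\[(.+\\mountpoints2\\\{[0-9a-f-]+\})\]$", re.I)
# A command line under that key: '\Shell\<verb>\command - <what Explorer runs>'
CMD_RE = re.compile(r"^\\Shell\\(\w+)\\command - (.+)$", re.I)


def parse_mountpoints(log_text):
    """Return {key_path: {verb: command}} for every MountPoints2 record.

    A record starts at its '[...]' header and ends at the first line that is
    neither a header nor a '\\Shell\\<verb>\\command' line (blank line, '.',
    or the next section title).
    """
    records = {}
    current = None
    for raw in log_text.splitlines():
        line = raw.strip()
        header = KEY_RE.match(line)
        if header:
            current = header.group(1)
            records[current] = {}
            continue
        cmd = CMD_RE.match(line) if current else None
        if cmd:
            records[current][cmd.group(1).lower()] = cmd.group(2)
        else:
            current = None
    return records


def autorun_records(records):
    """Keys whose cached autorun.inf handler runs something. These are the
    ones to delete: the record is only Explorer's cache of what a removable
    drive's autorun.inf asked for, so nothing legitimate depends on it."""
    return [key for key, verbs in records.items() if "autorun" in verbs]


def build_cfscript(records):
    """Emit a CFScript 'Registry::' section. '[-KEY]' is REGEDIT4 syntax for
    deleting the whole key, the same form the script in this thread uses."""
    lines = ["Registry::"] + [f"[-{key}]" for key in autorun_records(records)]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(build_cfscript(parse_mountpoints(SAMPLE_LOG)), end="")
```

Two caveats a practitioner would add. Deleting the MountPoints2 key only clears Explorer's cached copy of the autorun command; the autorun.inf and the file it launched still sit on the removable drive (F: in these entries) and will be cached again the next time that drive is plugged in, so the drive itself needs cleaning too. And the Driver:: part of the script is not something to automate from the log the same way: both setup_7.0.0.180_30.04.2008_14-26 and WRConsumerService appear with `[x]`, yet only the first is removed, because the second is the Webroot product the user installed.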

  • Joined: 16 Apr 2009
  • Posts: 7

Posted: 22 Apr 2009 9:15

How do I make the CFScript?

Addendum: 22 Apr 2009 9:26

Do I need to download Adobe ColdFusion?
I installed the Malwarebytes program and my computer has calmed down a bit...

  • dr_Bora  Male
  • Anti Malware Fighter
    Rank 2
  • Joined: 24 Jul 2007
  • Posts: 12280
  • Location: Höganäs, SE

Open Notepad and copy into it everything inside the code box.

Click File > Save; save the file under the name CFScript.

Then drag that file onto the ComboFix icon.


Quote: Do I need to download Adobe ColdFusion?

I don't understand this.

  • Joined: 16 Apr 2009
  • Posts: 7

ComboFix 09-04-17.03 - xxx 28.04.2009 14:12.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1250.381.1033.18.511.224 [GMT 2:00]
Running from: d:\program files\Programi\ComboFix.exe
Command switches used :: d:\program files\Programi\CFScript.txt
AV: Webroot Internet Security Essentials *On-access scanning disabled* (Updated)
FW: Webroot Internet Security Essentials *disabled*
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
- REDUCED FUNCTIONALITY MODE -
.

((((((((((((((((((((((((( Files Created from 2009-03-28 to 2009-04-28 )))))))))))))))))))))))))))))))
.

2009-04-22 07:06 . 2009-04-22 07:06 -------- d-----w c:\program files\Common Files\SWF Studio
2009-04-22 07:05 . 2009-04-28 12:09 -------- d-----w c:\documents and settings\xxx\Application Data\Dealio
2009-04-22 07:05 . 2009-04-22 07:05 -------- d-----w c:\program files\Dealio
2009-04-22 06:59 . 2009-04-22 06:59 -------- d-----w c:\program files\The Weather Channel FW
2009-04-22 06:59 . 2009-04-22 06:59 -------- d-----w c:\documents and settings\xxx\Local Settings\Application Data\The Weather Channel
2009-04-21 20:19 . 2009-04-21 20:19 23392 ----a-w c:\windows\system32\nscompat.tlb
2009-04-21 20:19 . 2009-04-21 20:19 16832 ----a-w c:\windows\system32\amcompat.tlb
2009-04-21 14:08 . 2009-04-21 14:11 -------- d-----w c:\program files\Windows Media Connect 2
2009-04-21 14:03 . 2009-04-21 14:07 1374 ----a-w c:\windows\imsins.BAK
2009-04-21 13:44 . 2009-02-11 23:00 36352 ------w C:\WGASetup.exe
2009-04-21 13:07 . 2009-04-21 13:07 73728 ----a-w c:\windows\system32\javacpl.cpl
2009-04-21 13:07 . 2009-04-21 13:07 -------- d-----w c:\program files\Java
2009-04-20 16:39 . 2009-04-20 16:39 -------- d-----w c:\documents and settings\xxx\Application Data\Malwarebytes
2009-04-20 16:39 . 2009-04-06 13:32 15504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-04-20 16:39 . 2009-04-06 13:32 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-20 16:39 . 2009-04-20 16:39 -------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-04-20 16:39 . 2009-04-20 16:39 -------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes
2009-04-16 20:36 . 2009-04-16 20:36 -------- d-----w c:\program files\Trend Micro
2009-04-11 07:45 . 2009-04-11 07:45 262144 ----a-w c:\documents and settings\NEBOJA~2
2009-04-11 07:43 . 2009-04-11 07:44 8192 ----a-w c:\documents and settings\NEBOJA~1
2009-04-10 17:06 . 2009-04-10 17:06 -------- d-----w c:\program files\MSSOAP
2009-04-09 09:14 . 2008-04-14 03:42 10752 ------w c:\windows\system32\smtpapi.dll
2009-04-09 09:14 . 2008-04-14 03:42 9728 ------w c:\windows\system32\rwnh.dll
2009-04-09 09:13 . 2006-12-28 22:31 19569 ----a-w c:\windows\000001_.tmp
2009-04-04 18:25 . 2009-04-04 18:25 268 ---ha-w C:\sqmdata00.sqm
2009-04-04 18:25 . 2009-04-04 18:25 244 ---ha-w C:\sqmnoopt00.sqm

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-28 12:11 . 2007-05-20 12:30 -------- d-----w c:\documents and settings\xxx\Application Data\uTorrent
2009-04-28 11:17 . 2009-03-07 17:55 -------- d-----w c:\program files\Flock
2009-04-21 13:07 . 2008-10-13 18:36 410984 ----a-w c:\windows\system32\deploytk.dll
2009-04-20 23:36 . 2006-11-16 17:00 -------- d-----w c:\program files\Winamp
2009-04-16 20:39 . 2009-04-16 20:39 10819 ----a-w c:\program files\hijackthis.log
2009-04-13 19:22 . 2008-10-08 17:01 -------- d-----w c:\program files\Any Video Converter
2009-04-13 19:22 . 2008-10-08 17:01 -------- d--h--w c:\documents and settings\xxx\Application Data\Any Video Converter
2009-04-11 13:09 . 2009-03-04 19:42 -------- d-----w c:\program files\Spybot - Search & Destroy
2009-04-11 07:45 . 2008-10-10 05:36 -------- d--h--w c:\documents and settings\All Users\Application Data\avg8
2009-04-11 07:42 . 2006-12-06 01:38 -------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-03-11 02:05 . 2009-03-11 02:05 -------- d-----w c:\program files\Microsoft Silverlight
2009-03-11 01:59 . 2009-03-11 01:56 -------- d-----w c:\documents and settings\xxx\Application Data\vlc
2009-03-11 01:55 . 2009-03-11 01:53 -------- d-----w c:\documents and settings\xxx\Application Data\MozillaControl
2009-03-11 01:37 . 2009-03-11 01:37 -------- d-----w c:\program files\VideoLAN
2009-03-09 12:11 . 2007-11-29 19:01 -------- d-----w c:\program files\Windows Vista Icons
2009-03-08 23:04 . 2007-06-20 20:59 -------- d-----w c:\program files\MSN Messenger
2009-03-07 18:46 . 2009-03-07 18:46 -------- d--h--w c:\documents and settings\xxx\Application Data\GRETECH
2009-03-07 18:45 . 2009-03-07 18:45 -------- d-----w c:\program files\GRETECH
2009-03-07 17:59 . 2009-03-07 17:59 -------- d--h--w c:\documents and settings\xxx\Application Data\Flock
2009-03-05 12:28 . 2009-03-05 12:28 102411 ----a-w c:\windows\system32\msvcrt2.dll
2009-03-04 10:47 . 2009-03-04 10:47 -------- d-----w c:\documents and settings\All Users\Application Data\SITEguard
2009-03-04 10:46 . 2009-03-04 10:46 -------- d-----w c:\program files\Common Files\iS3
2009-03-02 18:20 . 2006-11-16 16:24 108744 ----a-w c:\documents and settings\xxx\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-03-02 18:12 . 2006-11-16 16:17 86327 ----a-w c:\windows\pchealth\helpctr\OfflineCache\index.dat
2009-03-02 18:00 . 2004-08-03 20:59 250048 --sha-r C:\ntldr
2009-02-08 22:09 . 2009-02-08 22:09 318904 ----a-w c:\program files\wmpfirefoxplugin.exe
2008-06-02 17:22 . 2007-07-24 23:07 654 ----a-w c:\program files\u Torrent.lnk
2008-03-31 22:22 . 2008-03-31 22:22 32 ---ha-w c:\documents and settings\All Users\Application Data\ezsid.dat
2006-11-16 18:24 . 2006-11-16 18:24 126 -c--a-w c:\documents and settings\xxx\Local Settings\Application Data\fusioncache.dat
.

((((((((((((((((((((((((((((( SnapShot_2009-04-21_09.34.29 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-04-28 10:43 . 2009-04-28 10:43 16384 c:\windows\Temp\Perflib_Perfdata_540.dat
+ 2004-08-03 22:56 . 2004-08-03 22:56 23552 c:\windows\system32\wmdmps.dll
+ 2004-08-03 22:56 . 2004-08-03 22:56 27136 c:\windows\system32\wmdmlog.dll
- 2009-04-20 18:03 . 2006-09-25 15:58 14640 c:\windows\system32\spmsg.dll
+ 2009-04-21 14:09 . 2006-09-25 15:58 14640 c:\windows\system32\spmsg.dll
+ 2004-08-03 22:56 . 2004-08-03 22:56 52224 c:\windows\system32\mspmsnsv.dll
+ 2004-08-03 22:56 . 2004-08-03 22:56 23552 c:\windows\system32\dllcache\wmdmps.dll
+ 2004-08-03 22:56 . 2004-08-03 22:56 27136 c:\windows\system32\dllcache\wmdmlog.dll
+ 2004-08-03 22:56 . 2004-08-03 22:56 52224 c:\windows\system32\dllcache\mspmsnsv.dll
+ 2009-04-22 07:05 . 2009-04-22 07:05 65536 c:\windows\Installer\{F38E1EF1-BBD6-4743-AF84-021E26B0481C}\ARPPRODUCTICON.exe
+ 2004-08-03 22:56 . 2004-08-03 22:56 6656 c:\windows\system32\laprxy.dll
+ 2004-08-03 22:56 . 2004-08-03 22:56 6656 c:\windows\system32\dllcache\laprxy.dll
+ 2004-08-03 22:56 . 2004-08-03 22:56 809984 c:\windows\system32\wmvdmod.dll
+ 2004-08-03 22:56 . 2004-08-03 22:56 896512 c:\windows\system32\wmspdmoe.dll
+ 2004-08-03 22:56 . 2004-08-03 22:56 484864 c:\windows\system32\wmspdmod.dll
+ 2004-08-03 22:56 . 2004-08-03 22:56 759296 c:\windows\system32\wmsdmod.dll
+ 2004-08-03 22:56 . 2004-08-03 22:56 151552 c:\windows\system32\wmidx.dll
+ 2004-08-03 22:56 . 2004-08-03 22:56 230400 c:\windows\system32\wmasf.dll
+ 2004-08-03 22:56 . 2004-08-03 22:56 670720 c:\windows\system32\wmadmoe.dll
+ 2004-08-03 22:56 . 2004-08-03 22:56 408064 c:\windows\system32\wmadmod.dll
+ 2004-08-03 22:56 . 2004-08-03 22:56 237568 c:\windows\system32\qasf.dll
+ 2004-08-03 22:56 . 2004-08-03 22:56 245760 c:\windows\system32\mswmdm.dll
+ 2004-08-03 22:57 . 2004-08-03 22:57 356352 c:\windows\system32\msscp.dll
+ 2004-08-03 22:56 . 2004-08-03 22:56 201728 c:\windows\system32\mspmsp.dll
+ 2004-08-03 22:57 . 2004-08-03 22:57 259072 c:\windows\system32\msnetobj.dll
+ 2004-08-03 22:56 . 2004-08-03 22:56 240640 c:\windows\system32\mpg4dmod.dll
+ 2004-08-03 22:56 . 2004-08-03 22:56 384512 c:\windows\system32\mp4sdmod.dll
+ 2004-08-03 22:56 . 2004-08-03 22:56 310272 c:\windows\system32\mp43dmod.dll
+ 2004-08-03 22:56 . 2004-08-03 22:56 103936 c:\windows\system32\logagent.exe
+ 2009-04-21 13:07 . 2009-04-21 13:07 148888 c:\windows\system32\javaws.exe
+ 2009-04-21 13:07 . 2009-04-21 13:07 144792 c:\windows\system32\javaw.exe
+ 2009-04-21 13:07 . 2009-04-21 13:07 144792 c:\windows\system32\java.exe
+ 2004-08-03 22:57 . 2004-08-03 22:57 695296 c:\windows\system32\drmv2clt.dll
+ 2004-08-03 22:56 . 2004-08-03 22:56 809984 c:\windows\system32\dllcache\wmvdmod.dll
+ 2004-08-03 22:56 . 2004-08-03 22:56 896512 c:\windows\system32\dllcache\wmspdmoe.dll
+ 2004-08-03 22:56 . 2004-08-03 22:56 484864 c:\windows\system32\dllcache\wmspdmod.dll
+ 2004-08-03 22:56 . 2004-08-03 22:56 759296 c:\windows\system32\dllcache\wmsdmod.dll
+ 2004-08-03 22:56 . 2004-08-03 22:56 151552 c:\windows\system32\dllcache\wmidx.dll
+ 2004-08-03 22:56 . 2004-08-03 22:56 230400 c:\windows\system32\dllcache\wmasf.dll
+ 2004-08-03 22:56 . 2004-08-03 22:56 670720 c:\windows\system32\dllcache\wmadmoe.dll
+ 2004-08-03 22:56 . 2004-08-03 22:56 408064 c:\windows\system32\dllcache\wmadmod.dll
+ 2004-08-03 22:56 . 2004-08-03 22:56 237568 c:\windows\system32\dllcache\qasf.dll
+ 2004-08-03 22:56 . 2004-08-03 22:56 245760 c:\windows\system32\dllcache\mswmdm.dll
+ 2004-08-03 22:57 . 2004-08-03 22:57 356352 c:\windows\system32\dllcache\msscp.dll
+ 2004-08-03 22:56 . 2004-08-03 22:56 201728 c:\windows\system32\dllcache\mspmsp.dll
+ 2004-08-03 22:57 . 2004-08-03 22:57 259072 c:\windows\system32\dllcache\msnetobj.dll
+ 2004-08-03 22:56 . 2004-08-03 22:56 240640 c:\windows\system32\dllcache\mpg4dmod.dll
+ 2004-08-03 22:56 . 2004-08-03 22:56 384512 c:\windows\system32\dllcache\mp4sdmod.dll
+ 2004-08-03 22:56 . 2004-08-03 22:56 310272 c:\windows\system32\dllcache\mp43dmod.dll
+ 2004-08-03 22:56 . 2004-08-03 22:56 103936 c:\windows\system32\dllcache\logagent.exe
+ 2004-08-03 22:57 . 2004-08-03 22:57 695296 c:\windows\system32\dllcache\drmv2clt.dll
+ 2004-08-03 22:56 . 2004-08-03 22:56 159232 c:\windows\system32\dllcache\cewmdm.dll
+ 2004-08-03 22:56 . 2004-08-03 22:56 286208 c:\windows\system32\dllcache\blackbox.dll
+ 2004-08-03 22:56 . 2004-08-03 22:56 159232 c:\windows\system32\cewmdm.dll
+ 2004-08-03 22:56 . 2004-08-03 22:56 286208 c:\windows\system32\blackbox.dll
+ 2004-08-03 22:56 . 2004-08-03 22:56 1001472 c:\windows\system32\wmvdmoe2.dll
+ 2004-08-03 22:57 . 2006-12-07 16:02 2174976 c:\windows\system32\wmvcore.dll
+ 2004-08-03 22:56 . 2004-08-03 22:56 1119744 c:\windows\system32\wmsdmoe2.dll
+ 2004-08-03 22:56 . 2004-08-03 22:56 1050624 c:\windows\system32\wmnetmgr.dll
+ 2004-08-03 22:56 . 2004-08-03 22:56 1001472 c:\windows\system32\dllcache\wmvdmoe2.dll
+ 2004-08-03 22:57 . 2006-12-07 16:02 2174976 c:\windows\system32\dllcache\wmvcore.dll
+ 2004-08-03 22:56 . 2004-08-03 22:56 1119744 c:\windows\system32\dllcache\wmsdmoe2.dll
+ 2004-08-03 22:56 . 2004-08-03 22:56 1050624 c:\windows\system32\dllcache\wmnetmgr.dll
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"updateMgr"="c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 313472]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2006-06-01 94208]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2005-12-09 7311360]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2005-12-09 86016]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2004-11-02 32768]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-01-19 185896]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2009-04-06 401040]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-04-21 148888]
"au"="c:\program files\Dealio\DealioAU.exe" [2007-10-09 492896]
"SoundMan"="SOUNDMAN.EXE" - c:\windows\soundman.exe [2006-01-11 577536]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2005-12-09 1519616]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

c:\documents and settings\xxx\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2007-8-24 101784]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-23 29696]
GN-WP01GS Utility.lnk - c:\program files\Gigabyte\Gigabyte WP01GS Wireless PCI Adapter SoftAP\Installer\WINXP\RaUI.exe [2007-6-1 720896]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"UIHost"="c:\windows\system32\logonui.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WRConsumerService]
@="Service"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"updateMgr"="c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_8 -reboot 1

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"NeroCheck"=c:\windows\system32\NeroCheck.exe
"NeroFilterCheck"=c:\program files\Common Files\Ahead\Lib\NeroCheck.exe
"HP Software Update"=c:\program files\HP\HP Software Update\HPWuSchd2.exe
"WinampAgent"=c:\program files\Winamp\winampa.exe
"SunJavaUpdateSched"="c:\program files\Java\jre1.5.0_09\bin\jusched.exe"
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe"
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" -osboot
"TWCU"="c:\program files\TP-LINK\TWCU\TWCU.exe" -nogui
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"d:\\Program Files\\Programi\\uTorrent.exe"=
"c:\\Documents and Settings\\xxx\\Application Data\\Macromedia\\Flash Player\\www.macromedia.com\\bin\\octoshape\\octoshape.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Flock\\flock.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:*:Disabled:@xpsp2res.dll,-22009

R2 setup_7.0.0.180_30.04.2008_14-26;setup_7.0.0.180_30.04.2008_14-26; [x]
R2 WRConsumerService;Webroot Client Service; [x]
R3 usnjsvc;Usluga Messenger Sharing Folders USN Journal Reader;c:\program files\MSN Messenger\usnsvc.exe [2007-01-19 97136]
S2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [2009-04-06 179856]
S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2009-04-06 15504]


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp
.
Contents of the 'Scheduled Tasks' folder

2009-04-24 c:\windows\Tasks\Malwarebytes' Scheduled Scan for xxx.job
- c:\program files\Malwarebytes' Anti-Malware\mbam.exe [2009-04-20 13:32]

2009-04-24 c:\windows\Tasks\Malwarebytes' Scheduled Update for xxx.job
- c:\program files\Malwarebytes' Anti-Malware\mbam.exe [2009-04-20 13:32]
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-DW6 - (no file)


.
------- Supplementary Scan -------
.
uInternet Settings,ProxyOverride = *.local
IE: &Yahoo! Search - file:///c:\program files\Yahoo!\Common/ycsrch.htm
IE: Compare Prices with &Dealio - c:\documents and settings\xxx\Application Data\Dealio\kb124\res\DealioSearch.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Yahoo! &Dictionary - file:///c:\program files\Yahoo!\Common/ycdict.htm
IE: Yahoo! &Maps - file:///c:\program files\Yahoo!\Common/ycmap.htm
IE: Yahoo! &SMS - file:///c:\program files\Yahoo!\Common/ycsms.htm
IE: {{ECC5777A-6E88-BFCE-13CE-81F134789E7B} - c:\program files\Funnsystems YuMp3Com-User-Authorization\YuMp3ComLogin.exe
DPF: CabBuilder - hxxp://kiw.imgag.com/imgag/kiw/toolbar/download/InstallerControl.cab
.

**************************************************************************

catchme 0.3.1375 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, gmer.net
Rootkit scan 2009-04-28 14:13
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-117609710-562591055-682003330-1003\Software\SecuROM\License information*]
"datasecu"=hex:01,d7,9d,16,d1,ed,9d,a9,ab,00,d0,51,f7,2a,44,df,fb,39,a5,ee,29,
cd,49,15,d5,8d,0b,c6,d8,08,f7,a6,5b,a3,56,7e,9a,52,54,19,dc,28,ee,e3,81,91,\
"rkeysecu"=hex:87,dd,bc,25,c7,7c,00,40,07,4a,2b,38,f2,54,ed,91

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{5ED60779-4DE2-4E07-B862-974CA4FF2E9C}]
@Denied: (Full) (Everyone)
"scansk"=hex(0):ff,b7,d0,40,c1,3c,33,74,7d,79,2d,9e,74,cb,41,d6,70,fe,75,10,e4,
46,c9,8e,5f,64,74,99,b6,75,e8,e5,29,b2,4d,cc,1d,8a,33,f3,00,00,00,00,00,00,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{7B8E9164-324D-4A2E-A46D-0165FB2000EC}]
@Denied: (Full) (Everyone)
"scansk"=hex(0):9f,e5,68,a8,99,c4,fc,97,2b,b5,31,c6,59,f4,42,0c,ff,62,6f,cb,a2,
29,f7,dd,8d,66,42,77,21,53,8e,77,4e,23,5c,8c,b2,72,5e,28,00,00,00,00,00,00,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{89d8de28-60b7-4d33-9965-269e32426821}]
@Denied: (Full) (Everyone)
"Model"=dword:000000b1
"Therad"=dword:00000020
"MData"=hex(0):cb,9b,ad,ef,27,7d,29,69,f5,02,f0,76,aa,4a,f1,7c,d3,d9,67,7f,6a,
4b,7b,ad,04,7a,b1,b5,76,9b,27,47,30,e2,5c,65,1b,80,a4,1f,d1,e5,bd,4d,4b,50,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{eed6e8dd-528e-4142-9f0d-b7f2d6e075fc}]
@Denied: (Full) (Everyone)
"Model"=dword:00000127
"Therad"=dword:00000015
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(3248-)
c:\windows\system32\ieframe.dll
c:\windows\system32\OneX.DLL
c:\windows\system32\eappprxy.dll
c:\windows\system32\webcheck.dll
.
Completion time: 2009-04-28 14:16
ComboFix-quarantined-files.txt 2009-04-28 12:15
ComboFix2.txt 2009-04-21 09:38
ComboFix3.txt 2009-04-16 21:19

Pre-Run: 3.775.156.224 bytes free
Post-Run: 3.782.356.992 bytes free

272 --- E O F --- 2007-08-11 01:12

  • dr_Bora  Male
  • Anti Malware Fighter
    Rank 2
  • Joined: 24 Jul 2007
  • Posts: 12280
  • Location: Höganäs, SE

Download the new version of ComboFix from the links given earlier.

Open Notepad and copy the following text into it:

Driver::
setup_7.0.0.180_30.04.2008_14-26

Save the file from Notepad to the Desktop as "CFScript"

Drag the saved script/text onto the ComboFix icon as shown in the picture.
Post in your next message the log that is produced at the end of the cleaning/scan.
