A bunch of viruses, msile.exe and the like...


  • Joined: 16 Apr 2009
  • Posts: 7

ComboFix 09-04-17.01 - xxx 16.04.2009 23:08.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1250.381.1033.18.511.228 [GMT 2:00]
Running from: d:\program files\Programi\ComboFix.exe
AV: Webroot Internet Security Essentials *On-access scanning disabled* (Updated)
FW: Webroot Internet Security Essentials *disabled*
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\a3kebook.ini
c:\windows\akebook.ini
c:\windows\ANS2000.INI
c:\windows\system32\drivers\sysdrv32.sys

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_SYSDRV32
-------\Service_sysdrv32


((((((((((((((((((((((((( Files Created from 2009-03-16 to 2009-04-16 )))))))))))))))))))))))))))))))
.

2009-04-16 20:36 . 2009-04-16 20:36 -------- d-----w c:\program files\Trend Micro
2009-04-12 17:25 . 2009-04-12 17:24 42499 --sh--r c:\windows\system\msile.exe
2009-04-11 07:45 . 2009-04-11 07:45 262144 ----a-w c:\documents and settings\NEBOJA~2
2009-04-11 07:43 . 2009-04-11 07:44 8192 ----a-w c:\documents and settings\NEBOJA~1
2009-04-10 22:19 . 2009-04-10 22:18 108296 ----a-w c:\windows\system32\drivers\pwipf6.sys
2009-04-10 22:19 . 2009-04-06 11:32 1563008 ----a-w c:\windows\WRSetup.dll
2009-04-10 22:19 . 2009-04-11 07:48 -------- d-----w c:\documents and settings\xxx\Application Data\Webroot
2009-04-10 22:19 . 2009-04-10 22:25 -------- d-----w c:\documents and settings\All Users\Application Data\Webroot
2009-04-10 17:06 . 2009-04-10 17:06 -------- d-----w c:\program files\MSSOAP
2009-04-10 17:05 . 2009-04-10 17:05 -------- d-----w c:\program files\Webroot
2009-04-09 09:14 . 2008-04-14 03:42 10752 ------w c:\windows\system32\smtpapi.dll
2009-04-09 09:14 . 2008-04-14 03:42 9728 ------w c:\windows\system32\rwnh.dll
2009-04-09 09:13 . 2006-12-28 22:31 19569 ----a-w c:\windows\000001_.tmp
2009-04-09 08:35 . 2009-04-09 08:35 47755 --sh--r c:\windows\system\netmon.exe
2009-04-09 08:35 . 2009-04-09 08:38 47755 ----a-w c:\windows\system32\82.scr
2009-04-04 18:25 . 2009-04-04 18:25 268 ---ha-w C:\sqmdata00.sqm
2009-04-04 18:25 . 2009-04-04 18:25 244 ---ha-w C:\sqmnoopt00.sqm
2009-04-02 12:30 . 2009-04-02 12:30 176752 ----a-w c:\windows\system32\drivers\ssidrv.sys
2009-04-02 12:30 . 2009-04-02 12:30 23152 ----a-w c:\windows\system32\drivers\sshrmd.sys
2009-04-02 12:30 . 2009-04-02 12:30 29808 ----a-w c:\windows\system32\drivers\ssfs0bbc.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-16 21:06 . 2007-05-20 12:30 -------- d-----w c:\documents and settings\xxx\Application Data\uTorrent
2009-04-16 20:39 . 2009-04-16 20:39 10819 ----a-w c:\program files\hijackthis.log
2009-04-16 20:07 . 2009-03-07 17:55 -------- d-----w c:\program files\Flock
2009-04-14 19:06 . 2006-11-16 17:00 -------- d-----w c:\program files\Winamp
2009-04-13 19:22 . 2008-10-08 17:01 -------- d-----w c:\program files\Any Video Converter
2009-04-13 19:22 . 2008-10-08 17:01 -------- d--h--w c:\documents and settings\xxx\Application Data\Any Video Converter
2009-04-11 13:09 . 2009-03-04 19:42 -------- d-----w c:\program files\Spybot - Search & Destroy
2009-04-11 07:45 . 2008-10-10 05:36 -------- d--h--w c:\documents and settings\All Users\Application Data\avg8
2009-04-11 07:42 . 2006-12-06 01:38 -------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-03-11 02:05 . 2009-03-11 02:05 -------- d-----w c:\program files\Microsoft Silverlight
2009-03-11 01:59 . 2009-03-11 01:56 -------- d-----w c:\documents and settings\xxx\Application Data\vlc
2009-03-11 01:55 . 2009-03-11 01:53 -------- d-----w c:\documents and settings\xxx\Application Data\MozillaControl
2009-03-11 01:54 . 2009-03-11 01:54 -------- d-----w c:\documents and settings\All Users\Application Data\Graboid Inc
2009-03-11 01:37 . 2009-03-11 01:37 -------- d-----w c:\program files\VideoLAN
2009-03-09 12:11 . 2007-11-29 19:01 -------- d-----w c:\program files\Windows Vista Icons
2009-03-08 23:04 . 2007-06-20 20:59 -------- d-----w c:\program files\MSN Messenger
2009-03-08 16:33 . 2009-03-08 16:33 -------- d-----w c:\program files\SDHelper (Spybot - Search & Destroy)
2009-03-08 16:33 . 2009-03-08 16:33 -------- d-----w c:\program files\Misc. Support Library (Spybot - Search & Destroy)
2009-03-08 16:33 . 2009-03-08 16:33 -------- d-----w c:\program files\File Scanner Library (Spybot - Search & Destroy)
2009-03-07 18:46 . 2009-03-07 18:46 -------- d--h--w c:\documents and settings\xxx\Application Data\GRETECH
2009-03-07 18:45 . 2009-03-07 18:45 -------- d-----w c:\program files\GRETECH
2009-03-07 17:59 . 2009-03-07 17:59 -------- d--h--w c:\documents and settings\xxx\Application Data\Flock
2009-03-05 12:28 . 2009-03-05 12:28 102411 ----a-w c:\windows\system32\msvcrt2.dll
2009-03-04 10:47 . 2009-03-04 10:47 -------- d-----w c:\documents and settings\All Users\Application Data\SITEguard
2009-03-04 10:46 . 2009-03-04 10:46 -------- d-----w c:\program files\Common Files\iS3
2009-03-02 18:20 . 2006-11-16 16:24 108744 ----a-w c:\documents and settings\xxx\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-03-02 18:12 . 2006-11-16 16:17 86327 ----a-w c:\windows\pchealth\helpctr\OfflineCache\index.dat
2009-03-02 18:00 . 2004-08-03 20:59 250048 --sha-r C:\ntldr
2009-02-26 19:17 . 2006-11-16 16:29 -------- d--h--w c:\program files\InstallShield Installation Information
2009-02-08 22:09 . 2009-02-08 22:09 318904 ----a-w c:\program files\wmpfirefoxplugin.exe
2008-06-02 17:22 . 2007-07-24 23:07 654 ----a-w c:\program files\u Torrent.lnk
2008-03-31 22:22 . 2008-03-31 22:22 32 ---ha-w c:\documents and settings\All Users\Application Data\ezsid.dat
2006-11-16 18:24 . 2006-11-16 18:24 126 -c--a-w c:\documents and settings\xxx\Local Settings\Application Data\fusioncache.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\BackupIconOverlayId]
@="{2EE61E5C-8F94-4AAB-8A80-D2A8CD1FEDAD}"
[HKEY_CLASSES_ROOT\CLSID\{2EE61E5C-8F94-4AAB-8A80-D2A8CD1FEDAD}]
2009-04-06 11:26 238968 ----a-w c:\program files\Webroot\WebrootSecurity\Backup\CtxMenu_1_0_0_10.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"updateMgr"="c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 313472]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2006-06-01 94208]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2005-12-09 7311360]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2005-12-09 86016]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2004-11-02 32768]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2006-02-19 49152]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-01-19 185896]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-10-13 144792]
"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 155648]
"netmon"="c:\windows\system\netmon.exe" [2009-04-09 47755]
"SpySweeper"="c:\program files\Webroot\WebrootSecurity\SpySweeperUI.exe" [2009-04-06 6345840]
"SoundMan"="SOUNDMAN.EXE" - c:\windows\soundman.exe [2006-01-11 577536]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2005-12-09 1519616]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

c:\documents and settings\xxx\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2007-8-24 101784]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-23 29696]
GN-WP01GS Utility.lnk - c:\program files\Gigabyte\Gigabyte WP01GS Wireless PCI Adapter SoftAP\Installer\WINXP\RaUI.exe [2007-6-1 720896]
HP Photosmart Premier Fast Start.lnk - c:\program files\HP\Digital Imaging\bin\hpqthb08.exe [2006-2-10 73728]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"UIHost"="c:\windows\system32\logonui.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.3iv2"= 3ivxVfWCodec.dll
"VIDC.VP31"= vp31vfw.dll
"msacm.divxa32"= msaud32_divx.acm

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\msile]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WRConsumerService]
@="Service"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"updateMgr"="c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_8 -reboot 1

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"NeroCheck"=c:\windows\system32\NeroCheck.exe
"NeroFilterCheck"=c:\program files\Common Files\Ahead\Lib\NeroCheck.exe
"HP Software Update"=c:\program files\HP\HP Software Update\HPWuSchd2.exe
"WinampAgent"=c:\program files\Winamp\winampa.exe
"SunJavaUpdateSched"="c:\program files\Java\jre1.5.0_09\bin\jusched.exe"
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe"
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" -osboot
"TWCU"="c:\program files\TP-LINK\TWCU\TWCU.exe" -nogui
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"d:\\Program Files\\Programi\\uTorrent.exe"=
"c:\\Documents and Settings\\xxx\\Application Data\\Macromedia\\Flash Player\\www.macromedia.com\\bin\\octoshape\\octoshape.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Flock\\flock.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\WINDOWS\\system\\netmon.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:*:Disabled:@xpsp2res.dll,-22009

R2 msile;microsoft install le;c:\windows\system\msile.exe [2009-04-12 42499]
R2 setup_7.0.0.180_30.04.2008_14-26;setup_7.0.0.180_30.04.2008_14-26; [x]
R3 usnjsvc;Usluga Messenger Sharing Folders USN Journal Reader;c:\program files\MSN Messenger\usnsvc.exe [2007-01-19 97136]
S0 ssfs0bbc;ssfs0bbc;c:\windows\system32\DRIVERS\ssfs0bbc.sys [2009-04-02 29808]
S1 pwipf6;pwipf6;c:\windows\system32\drivers\pwipf6.sys [2009-04-10 108296]
S2 WRConsumerService;Webroot Client Service;c:\program files\Webroot\WebrootSecurity\WRConsumerService.exe [2009-04-10 1181040]


--- Other Services/Drivers In Memory ---

*NewlyCreated* - SYSDRV32

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{7a2f36de-c739-11dc-a0c4-0016e6380b62}]
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL wscript.exe killVBS.vbs

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f01d09f5-0ef4-11de-9b22-0016e6380b62}]
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL strongkey-rc1.3-build-208.exe
\Shell\default\command - F:\strongkey-rc1.3-build-208.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{fc2e8ed7-4e76-11dd-8568-cddd8ebd83de}]
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL wscript.exe killVBS.vbs
.
Contents of the 'Scheduled Tasks' folder

2009-04-10 c:\windows\Tasks\wrSpySweeper_L2CB7798EC8AB402895DA00E67D8C427C.job
- c:\program files\Webroot\WebrootSecurity\SpySweeperUI.exe [2009-04-10 11:32]

2009-04-10 c:\windows\Tasks\wrSpySweeper_L2CB7798EC8AB402895DA00E67D8C427C.job
- c:\program files\Webroot\WebrootSecurity\SpySweeperUI.exe [2009-04-10 11:32]

2009-04-16 c:\windows\Tasks\wrSpySweeper_LFF32611FF1EE40A08D1B05FB7AE8E207.job
- c:\program files\Webroot\WebrootSecurity\SpySweeperUI.exe [2009-04-10 11:32]

2009-04-16 c:\windows\Tasks\wrSpySweeper_LFF32611FF1EE40A08D1B05FB7AE8E207.job
- c:\program files\Webroot\WebrootSecurity\SpySweeperUI.exe [2009-04-10 11:32]
.
- - - - ORPHANS REMOVED - - - -

WebBrowser-{6638A9DE-0745-4292-8A2E-AE530E7B9B3F} - (no file)
HKCU-Run-BestPopUpKiller - c:\program files\BestPopUpKiller\BestPopupKiller.exe
HKCU-Run-AMP Agent - c:\program files\Common Files\ARS Company\Agent\Agent.exe
HKLM-Run-kav - c:\program files\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe
HKLM-Run-TWCU - c:\program files\TP-LINK\TWCU\TWCU.exe
HKLM-Run-NeroCheck - c:\windows\system32\NeroCheck.exe
HKLM-Run-SNM - c:\program files\SpyNoMore\SNM.exe
HKLM-Run-Microsoft(R) System Manager - c:\windows\system32\sysmgr.exe
HKLM-Run-SMSERIAL - sm56hlpr.exe
SafeBoot-netmon


.
------- Supplementary Scan -------
.
uInternet Settings,ProxyOverride = *.local
IE: &Yahoo! Search - file:///c:\program files\Yahoo!\Common/ycsrch.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Yahoo! &Dictionary - file:///c:\program files\Yahoo!\Common/ycdict.htm
IE: Yahoo! &Maps - file:///c:\program files\Yahoo!\Common/ycmap.htm
IE: Yahoo! &SMS - file:///c:\program files\Yahoo!\Common/ycsms.htm
IE: {{ECC5777A-6E88-BFCE-13CE-81F134789E7B} - c:\program files\Funnsystems YuMp3Com-User-Authorization\YuMp3ComLogin.exe
TCP: {332F18D5-1A81-48F3-9570-CBCEC72E7980} = 195.252.122.154
DPF: CabBuilder - hxxp://kiw.imgag.com/imgag/kiw/toolbar/download/InstallerControl.cab
.

**************************************************************************

catchme 0.3.1375 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, gmer.net
Rootkit scan 2009-04-16 23:14
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

c:\windows\system\netmon.exe [2076] 0x81E36858

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
SMSERIAL = sm56hlpr.exe?

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-117609710-562591055-682003330-1003\Software\SecuROM\License information*]
"datasecu"=hex:01,d7,9d,16,d1,ed,9d,a9,ab,00,d0,51,f7,2a,44,df,fb,39,a5,ee,29,
cd,49,15,d5,8d,0b,c6,d8,08,f7,a6,5b,a3,56,7e,9a,52,54,19,dc,28,ee,e3,81,91,\
"rkeysecu"=hex:87,dd,bc,25,c7,7c,00,40,07,4a,2b,38,f2,54,ed,91

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{5ED60779-4DE2-4E07-B862-974CA4FF2E9C}]
@Denied: (Full) (Everyone)
"scansk"=hex(0):ff,b7,d0,40,c1,3c,33,74,7d,79,2d,9e,74,cb,41,d6,70,fe,75,10,e4,
46,c9,8e,5f,64,74,99,b6,75,e8,e5,29,b2,4d,cc,1d,8a,33,f3,00,00,00,00,00,00,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{7B8E9164-324D-4A2E-A46D-0165FB2000EC}]
@Denied: (Full) (Everyone)
"scansk"=hex(0):9f,e5,68,a8,99,c4,fc,97,2b,b5,31,c6,59,f4,42,0c,ff,62,6f,cb,a2,
29,f7,dd,8d,66,42,77,21,53,8e,77,4e,23,5c,8c,b2,72,5e,28,00,00,00,00,00,00,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{89d8de28-60b7-4d33-9965-269e32426821}]
@Denied: (Full) (Everyone)
"Model"=dword:000000b1
"Therad"=dword:00000020
"MData"=hex(0):cb,9b,ad,ef,27,7d,29,69,f5,02,f0,76,aa,4a,f1,7c,d3,d9,67,7f,6a,
4b,7b,ad,04,7a,b1,b5,76,9b,27,47,30,e2,5c,65,1b,80,a4,1f,d1,e5,bd,4d,4b,50,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{eed6e8dd-528e-4142-9f0d-b7f2d6e075fc}]
@Denied: (Full) (Everyone)
"Model"=dword:00000127
"Therad"=dword:00000015
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(1620)
c:\program files\Webroot\WebrootSecurity\Backup\CtxMenu_1_0_0_10.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\OneX.DLL
c:\windows\system32\eappprxy.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\ATKKBService.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\nvsvc32.exe
c:\program files\Webroot\WebrootSecurity\SpySweeper.exe
c:\windows\system32\wscntfy.exe
c:\program files\HP\Digital Imaging\bin\hpqimzone.exe
c:\program files\Webroot\WebrootSecurity\SSU.exe
.
**************************************************************************
.
Completion time: 2009-04-16 23:19 - machine was rebooted
ComboFix-quarantined-files.txt 2009-04-16 21:19

Pre-Run: 3.435.560.960 bytes free
Post-Run: 3.329.830.912 bytes free

266 --- E O F --- 2007-08-11 01:12

  • dr_Bora  Male
  • Anti Malware Fighter
    Rank 2
  • Joined: 24 Jul 2007
  • Posts: 12280
  • Location: Höganäs, SE

Hello...


Do you still need help?

  • Joined: 16 Apr 2009
  • Posts: 7

I do! I just can't remove msile!
Thanks :)

  • dr_Bora  Male
  • Anti Malware Fighter
    Rank 2
  • Joined: 24 Jul 2007
  • Posts: 12280
  • Location: Höganäs, SE

Delete the current version of ComboFix and then download the latest one.


Download ComboFix from one of the following addresses to the Desktop:
http://download.bleepingcomputer.com/sUBs/ComboFix.exe
http://www.forospyware.com/sUBs/ComboFix.exe
http://subs.geekstogo.com/ComboFix.exe

Run it and do not touch the program window while it scans.
Follow the on-screen instructions. When it finishes, a log (C:\ComboFix.txt) will appear, which you will copy here for us.

  • Joined: 16 Apr 2009
  • Posts: 7

ComboFix 09-04-17.03 - xxx 21.04.2009 11:30.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1250.381.1033.18.511.243 [GMT 2:00]
Running from: d:\program files\Programi\ComboFix.exe
AV: Webroot Internet Security Essentials *On-access scanning disabled* (Updated)
FW: Webroot Internet Security Essentials *disabled*
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\a3kebook.ini
c:\windows\akebook.ini
c:\windows\ANS2000.INI

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_SYSDRV32


((((((((((((((((((((((((( Files Created from 2009-03-21 to 2009-04-21 )))))))))))))))))))))))))))))))
.

2009-04-21 06:48 . 2009-04-21 06:48 23392 ----a-w c:\windows\system32\nscompat.tlb
2009-04-21 06:48 . 2009-04-21 06:48 16832 ----a-w c:\windows\system32\amcompat.tlb
2009-04-20 16:39 . 2009-04-20 16:39 -------- d-----w c:\documents and settings\xxx\Application Data\Malwarebytes
2009-04-20 16:39 . 2009-04-06 13:32 15504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-04-20 16:39 . 2009-04-06 13:32 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-20 16:39 . 2009-04-20 16:39 -------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-04-20 16:39 . 2009-04-20 16:39 -------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes
2009-04-16 20:36 . 2009-04-16 20:36 -------- d-----w c:\program files\Trend Micro
2009-04-11 07:45 . 2009-04-11 07:45 262144 ----a-w c:\documents and settings\NEBOJA~2
2009-04-11 07:43 . 2009-04-11 07:44 8192 ----a-w c:\documents and settings\NEBOJA~1
2009-04-10 17:06 . 2009-04-10 17:06 -------- d-----w c:\program files\MSSOAP
2009-04-10 17:05 . 2009-04-10 17:05 -------- d-----w c:\program files\Webroot
2009-04-09 09:14 . 2008-04-14 03:42 10752 ------w c:\windows\system32\smtpapi.dll
2009-04-09 09:14 . 2008-04-14 03:42 9728 ------w c:\windows\system32\rwnh.dll
2009-04-09 09:13 . 2006-12-28 22:31 19569 ----a-w c:\windows\000001_.tmp
2009-04-04 18:25 . 2009-04-04 18:25 268 ---ha-w C:\sqmdata00.sqm
2009-04-04 18:25 . 2009-04-04 18:25 244 ---ha-w C:\sqmnoopt00.sqm

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-21 08:20 . 2007-05-20 12:30 -------- d-----w c:\documents and settings\xxx\Application Data\uTorrent
2009-04-21 06:54 . 2009-03-07 17:55 -------- d-----w c:\program files\Flock
2009-04-20 23:36 . 2006-11-16 17:00 -------- d-----w c:\program files\Winamp
2009-04-20 18:12 . 2006-12-26 01:00 -------- d-----w c:\program files\Windows Media Connect 2
2009-04-16 20:39 . 2009-04-16 20:39 10819 ----a-w c:\program files\hijackthis.log
2009-04-13 19:22 . 2008-10-08 17:01 -------- d-----w c:\program files\Any Video Converter
2009-04-13 19:22 . 2008-10-08 17:01 -------- d--h--w c:\documents and settings\xxx\Application Data\Any Video Converter
2009-04-11 13:09 . 2009-03-04 19:42 -------- d-----w c:\program files\Spybot - Search & Destroy
2009-04-11 07:45 . 2008-10-10 05:36 -------- d--h--w c:\documents and settings\All Users\Application Data\avg8
2009-04-11 07:42 . 2006-12-06 01:38 -------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-03-11 02:05 . 2009-03-11 02:05 -------- d-----w c:\program files\Microsoft Silverlight
2009-03-11 01:59 . 2009-03-11 01:56 -------- d-----w c:\documents and settings\xxx\Application Data\vlc
2009-03-11 01:55 . 2009-03-11 01:53 -------- d-----w c:\documents and settings\xxx\Application Data\MozillaControl
2009-03-11 01:37 . 2009-03-11 01:37 -------- d-----w c:\program files\VideoLAN
2009-03-09 12:11 . 2007-11-29 19:01 -------- d-----w c:\program files\Windows Vista Icons
2009-03-08 23:04 . 2007-06-20 20:59 -------- d-----w c:\program files\MSN Messenger
2009-03-08 16:33 . 2009-03-08 16:33 -------- d-----w c:\program files\SDHelper (Spybot - Search & Destroy)
2009-03-08 16:33 . 2009-03-08 16:33 -------- d-----w c:\program files\Misc. Support Library (Spybot - Search & Destroy)
2009-03-08 16:33 . 2009-03-08 16:33 -------- d-----w c:\program files\File Scanner Library (Spybot - Search & Destroy)
2009-03-07 18:46 . 2009-03-07 18:46 -------- d--h--w c:\documents and settings\xxx\Application Data\GRETECH
2009-03-07 18:45 . 2009-03-07 18:45 -------- d-----w c:\program files\GRETECH
2009-03-07 17:59 . 2009-03-07 17:59 -------- d--h--w c:\documents and settings\xxx\Application Data\Flock
2009-03-05 12:28 . 2009-03-05 12:28 102411 ----a-w c:\windows\system32\msvcrt2.dll
2009-03-04 10:47 . 2009-03-04 10:47 -------- d-----w c:\documents and settings\All Users\Application Data\SITEguard
2009-03-04 10:46 . 2009-03-04 10:46 -------- d-----w c:\program files\Common Files\iS3
2009-03-02 18:20 . 2006-11-16 16:24 108744 ----a-w c:\documents and settings\xxx\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-03-02 18:12 . 2006-11-16 16:17 86327 ----a-w c:\windows\pchealth\helpctr\OfflineCache\index.dat
2009-03-02 18:00 . 2004-08-03 20:59 250048 --sha-r C:\ntldr
2009-02-26 19:17 . 2006-11-16 16:29 -------- d--h--w c:\program files\InstallShield Installation Information
2009-02-08 22:09 . 2009-02-08 22:09 318904 ----a-w c:\program files\wmpfirefoxplugin.exe
2008-06-02 17:22 . 2007-07-24 23:07 654 ----a-w c:\program files\u Torrent.lnk
2008-03-31 22:22 . 2008-03-31 22:22 32 ---ha-w c:\documents and settings\All Users\Application Data\ezsid.dat
2006-11-16 18:24 . 2006-11-16 18:24 126 -c--a-w c:\documents and settings\xxx\Local Settings\Application Data\fusioncache.dat
.

((((((((((((((((((((((((((((( SnapShot@2009-04-16_21.14.09 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-04-21 09:34 . 2009-04-21 09:34 16384 c:\windows\Temp\Perflib_Perfdata_538.dat
+ 2006-10-18 20:47 . 2006-10-18 19:47 38400 c:\windows\system32\wpdshextres.dll
- 2006-10-18 20:47 . 2006-10-18 20:47 38400 c:\windows\system32\wpdshextres.dll
+ 2009-04-20 18:03 . 2006-09-25 15:58 14640 c:\windows\system32\spmsg.dll
+ 2006-11-16 16:16 . 2004-08-03 22:56 73728 c:\windows\system32\dllcache\wmplayer.exe
+ 2006-11-16 16:16 . 2004-08-03 22:56 98304 c:\windows\system32\dllcache\wmpband.dll
+ 2006-11-16 16:22 . 2009-04-20 08:41 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
- 2006-11-16 16:22 . 2009-04-16 21:13 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2006-11-16 16:22 . 2009-04-20 08:41 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2006-11-16 16:22 . 2009-04-16 21:13 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2006-11-16 16:22 . 2009-04-20 08:41 16384 c:\windows\system32\config\systemprofile\Cookies\index.dat
- 2006-11-16 16:22 . 2009-04-16 21:13 16384 c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2004-08-03 22:56 . 2004-08-03 22:56 8192 c:\windows\system32\dllcache\asferror.dll
+ 2004-08-03 22:56 . 2004-08-03 22:56 8192 c:\windows\system32\asferror.dll
+ 2004-08-03 22:56 . 2004-08-03 22:56 102400 c:\windows\system32\wmpshell.dll
+ 2004-08-03 22:56 . 2004-08-03 22:56 233472 c:\windows\system32\wmpdxm.dll
+ 2004-08-03 22:56 . 2004-08-03 22:56 114688 c:\windows\system32\wmpasf.dll
+ 2004-08-03 22:56 . 2004-08-03 22:56 168448 c:\windows\system32\wmerror.dll
+ 2004-08-03 22:56 . 2004-08-03 22:56 102400 c:\windows\system32\dllcache\wmpshell.dll
+ 2004-08-03 22:56 . 2004-08-03 22:56 233472 c:\windows\system32\dllcache\wmpdxm.dll
+ 2004-08-03 22:56 . 2004-08-03 22:56 114688 c:\windows\system32\dllcache\wmpasf.dll
+ 2004-08-03 22:56 . 2004-08-03 22:56 168448 c:\windows\system32\dllcache\wmerror.dll
+ 2004-08-03 22:56 . 2004-08-03 22:56 208896 c:\windows\system32\dllcache\unregmp2.exe
+ 2006-11-16 16:16 . 2004-08-03 22:56 774144 c:\windows\system32\dllcache\setup_wm.exe
+ 2006-11-16 16:16 . 2004-08-03 22:56 368640 c:\windows\system32\dllcache\mpvis.dll
+ 2004-08-03 22:56 . 2004-08-03 22:56 208896 c:\windows\inf\unregmp2.exe
+ 2004-08-03 22:56 . 2004-08-03 22:56 2940928 c:\windows\system32\wmploc.dll
+ 2004-08-03 22:56 . 2006-04-24 14:40 4730880 c:\windows\system32\wmp.dll
+ 2004-08-03 22:56 . 2004-08-03 22:56 2940928 c:\windows\system32\dllcache\wmploc.dll
+ 2004-08-03 22:56 . 2006-04-24 14:40 4730880 c:\windows\system32\dllcache\wmp.dll
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"updateMgr"="c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 313472]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2006-06-01 94208]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2005-12-09 7311360]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2005-12-09 86016]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2004-11-02 32768]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-01-19 185896]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-10-13 144792]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2009-04-06 401040]
"SoundMan"="SOUNDMAN.EXE" - c:\windows\soundman.exe [2006-01-11 577536]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2005-12-09 1519616]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

c:\documents and settings\xxx\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2007-8-24 101784]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-23 29696]
GN-WP01GS Utility.lnk - c:\program files\Gigabyte\Gigabyte WP01GS Wireless PCI Adapter SoftAP\Installer\WINXP\RaUI.exe [2007-6-1 720896]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"UIHost"="c:\windows\system32\logonui.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WRConsumerService]
@="Service"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"updateMgr"="c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_8 -reboot 1

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"NeroCheck"=c:\windows\system32\NeroCheck.exe
"NeroFilterCheck"=c:\program files\Common Files\Ahead\Lib\NeroCheck.exe
"HP Software Update"=c:\program files\HP\HP Software Update\HPWuSchd2.exe
"WinampAgent"=c:\program files\Winamp\winampa.exe
"SunJavaUpdateSched"="c:\program files\Java\jre1.5.0_09\bin\jusched.exe"
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe"
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" -osboot
"TWCU"="c:\program files\TP-LINK\TWCU\TWCU.exe" -nogui
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"d:\\Program Files\\Programi\\uTorrent.exe"=
"c:\\Documents and Settings\\xxx\\Application Data\\Macromedia\\Flash Player\\www.macromedia.com\\bin\\octoshape\\octoshape.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Flock\\flock.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:*:Disabled:@xpsp2res.dll,-22009

R2 setup_7.0.0.180_30.04.2008_14-26;setup_7.0.0.180_30.04.2008_14-26; [x]
R2 WRConsumerService;Webroot Client Service; [x]
R3 usnjsvc;Usluga Messenger Sharing Folders USN Journal Reader;c:\program files\MSN Messenger\usnsvc.exe [2007-01-19 97136]
S2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [2009-04-06 179856]
S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2009-04-06 15504]


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{3d414f3e-2d87-11de-9b6e-0016e6380b62}]
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL strongkey-rc1.3-build-208.exe
\Shell\default\command - F:\strongkey-rc1.3-build-208.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{3d414f43-2d87-11de-9b6e-0016e6380b62}]
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL strongkey-rc1.3-build-208.exe
\Shell\default\command - F:\strongkey-rc1.3-build-208.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{7a2f36de-c739-11dc-a0c4-0016e6380b62}]
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL wscript.exe killVBS.vbs

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{87d34b6b-5ef7-11dd-aa6e-906721c14bdf}]
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL strongkey-rc1.3-build-208.exe
\Shell\default\command - F:\strongkey-rc1.3-build-208.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f01d09f5-0ef4-11de-9b22-0016e6380b62}]
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL strongkey-rc1.3-build-208.exe
\Shell\default\command - F:\strongkey-rc1.3-build-208.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{fc2e8ed7-4e76-11dd-8568-cddd8ebd83de}]
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL wscript.exe killVBS.vbs
.
Contents of the 'Scheduled Tasks' folder

2009-04-20 c:\windows\Tasks\Malwarebytes' Scheduled Scan for xxx.job
- c:\program files\Malwarebytes' Anti-Malware\mbam.exe [2009-04-20 13:32]

2009-04-20 c:\windows\Tasks\Malwarebytes' Scheduled Update for xxx.job
- c:\program files\Malwarebytes' Anti-Malware\mbam.exe [2009-04-20 13:32]
.
.
------- Supplementary Scan -------
.
IE: &Yahoo! Search - file:///c:\program files\Yahoo!\Common/ycsrch.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Yahoo! &Dictionary - file:///c:\program files\Yahoo!\Common/ycdict.htm
IE: Yahoo! &Maps - file:///c:\program files\Yahoo!\Common/ycmap.htm
IE: Yahoo! &SMS - file:///c:\program files\Yahoo!\Common/ycsms.htm
IE: {{ECC5777A-6E88-BFCE-13CE-81F134789E7B} - c:\program files\Funnsystems YuMp3Com-User-Authorization\YuMp3ComLogin.exe
DPF: CabBuilder - hxxp://kiw.imgag.com/imgag/kiw/toolbar/download/InstallerControl.cab
.

**************************************************************************

catchme 0.3.1375 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, gmer.net
Rootkit scan 2009-04-21 11:34
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-117609710-562591055-682003330-1003\Software\SecuROM\License information*]
"datasecu"=hex:01,d7,9d,16,d1,ed,9d,a9,ab,00,d0,51,f7,2a,44,df,fb,39,a5,ee,29,
cd,49,15,d5,8d,0b,c6,d8,08,f7,a6,5b,a3,56,7e,9a,52,54,19,dc,28,ee,e3,81,91,\
"rkeysecu"=hex:87,dd,bc,25,c7,7c,00,40,07,4a,2b,38,f2,54,ed,91

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{5ED60779-4DE2-4E07-B862-974CA4FF2E9C}]
@Denied: (Full) (Everyone)
"scansk"=hex(0):ff,b7,d0,40,c1,3c,33,74,7d,79,2d,9e,74,cb,41,d6,70,fe,75,10,e4,
46,c9,8e,5f,64,74,99,b6,75,e8,e5,29,b2,4d,cc,1d,8a,33,f3,00,00,00,00,00,00,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{7B8E9164-324D-4A2E-A46D-0165FB2000EC}]
@Denied: (Full) (Everyone)
"scansk"=hex(0):9f,e5,68,a8,99,c4,fc,97,2b,b5,31,c6,59,f4,42,0c,ff,62,6f,cb,a2,
29,f7,dd,8d,66,42,77,21,53,8e,77,4e,23,5c,8c,b2,72,5e,28,00,00,00,00,00,00,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{89d8de28-60b7-4d33-9965-269e32426821}]
@Denied: (Full) (Everyone)
"Model"=dword:000000b1
"Therad"=dword:00000020
"MData"=hex(0):cb,9b,ad,ef,27,7d,29,69,f5,02,f0,76,aa,4a,f1,7c,d3,d9,67,7f,6a,
4b,7b,ad,04,7a,b1,b5,76,9b,27,47,30,e2,5c,65,1b,80,a4,1f,d1,e5,bd,4d,4b,50,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{eed6e8dd-528e-4142-9f0d-b7f2d6e075fc}]
@Denied: (Full) (Everyone)
"Model"=dword:00000127
"Therad"=dword:00000015
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(3928-)
c:\windows\system32\ieframe.dll
c:\windows\system32\OneX.DLL
c:\windows\system32\eappprxy.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\ATKKBService.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\nvsvc32.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2009-04-21 11:38 - machine was rebooted
ComboFix-quarantined-files.txt 2009-04-21 09:38
ComboFix2.txt 2009-04-16 21:19

Pre-Run: 3.049.054.208 bytes free
Post-Run: 3.036.098.560 bytes free

262 --- E O F --- 2007-08-11 01:12

offline
  • dr_Bora  Male
  • Anti Malware Fighter
    Rank 2
  • Joined: 24 Jul 2007
  • Posts: 12280
  • Location: Höganäs, SE

Open Notepad and copy the following text:

Driver::
setup_7.0.0.180_30.04.2008_14-26

Registry::
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{3d414f3e-2d87-11de-9b6e-0016e6380b62}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{3d414f43-2d87-11de-9b6e-0016e6380b62}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{7a2f36de-c739-11dc-a0c4-0016e6380b62}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{87d34b6b-5ef7-11dd-aa6e-906721c14bdf}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f01d09f5-0ef4-11de-9b22-0016e6380b62}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{fc2e8ed7-4e76-11dd-8568-cddd8ebd83de}]


Save the file from Notepad to the Desktop as "CFScript"

Drag the saved script/text onto the ComboFix icon as shown in the picture.
Post the log that is produced at the end of the cleaning/scan in your next message.

offline
  • Joined: 16 Apr 2009
  • Posts: 7

Posted: 22 Apr 2009 9:15

How do I make a CFScript?

Addendum: 22 Apr 2009 9:26

Do I need to download Adobe ColdFusion?
I installed the Malwarebytes program and my computer has calmed down a bit...

offline
  • dr_Bora  Male
  • Anti Malware Fighter
    Rank 2
  • Joined: 24 Jul 2007
  • Posts: 12280
  • Location: Höganäs, SE

Open Notepad and copy into it everything that is inside the code box.

Click File > Save; save the file under the name CFScript.

Then drag that file onto the ComboFix icon.

Quote: Do I need to download Adobe ColdFusion?

I don't understand this.

offline
  • Joined: 16 Apr 2009
  • Posts: 7

ComboFix 09-04-17.03 - xxx 28.04.2009 14:12.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1250.381.1033.18.511.224 [GMT 2:00]
Running from: d:\program files\Programi\ComboFix.exe
Command switches used :: d:\program files\Programi\CFScript.txt
AV: Webroot Internet Security Essentials *On-access scanning disabled* (Updated)
FW: Webroot Internet Security Essentials *disabled*
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
- REDUCED FUNCTIONALITY MODE -
.

((((((((((((((((((((((((( Files Created from 2009-03-28 to 2009-04-28 )))))))))))))))))))))))))))))))
.

2009-04-22 07:06 . 2009-04-22 07:06 -------- d-----w c:\program files\Common Files\SWF Studio
2009-04-22 07:05 . 2009-04-28 12:09 -------- d-----w c:\documents and settings\xxx\Application Data\Dealio
2009-04-22 07:05 . 2009-04-22 07:05 -------- d-----w c:\program files\Dealio
2009-04-22 06:59 . 2009-04-22 06:59 -------- d-----w c:\program files\The Weather Channel FW
2009-04-22 06:59 . 2009-04-22 06:59 -------- d-----w c:\documents and settings\xxx\Local Settings\Application Data\The Weather Channel
2009-04-21 20:19 . 2009-04-21 20:19 23392 ----a-w c:\windows\system32\nscompat.tlb
2009-04-21 20:19 . 2009-04-21 20:19 16832 ----a-w c:\windows\system32\amcompat.tlb
2009-04-21 14:08 . 2009-04-21 14:11 -------- d-----w c:\program files\Windows Media Connect 2
2009-04-21 14:03 . 2009-04-21 14:07 1374 ----a-w c:\windows\imsins.BAK
2009-04-21 13:44 . 2009-02-11 23:00 36352 ------w C:\WGASetup.exe
2009-04-21 13:07 . 2009-04-21 13:07 73728 ----a-w c:\windows\system32\javacpl.cpl
2009-04-21 13:07 . 2009-04-21 13:07 -------- d-----w c:\program files\Java
2009-04-20 16:39 . 2009-04-20 16:39 -------- d-----w c:\documents and settings\xxx\Application Data\Malwarebytes
2009-04-20 16:39 . 2009-04-06 13:32 15504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-04-20 16:39 . 2009-04-06 13:32 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-20 16:39 . 2009-04-20 16:39 -------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-04-20 16:39 . 2009-04-20 16:39 -------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes
2009-04-16 20:36 . 2009-04-16 20:36 -------- d-----w c:\program files\Trend Micro
2009-04-11 07:45 . 2009-04-11 07:45 262144 ----a-w c:\documents and settings\NEBOJA~2
2009-04-11 07:43 . 2009-04-11 07:44 8192 ----a-w c:\documents and settings\NEBOJA~1
2009-04-10 17:06 . 2009-04-10 17:06 -------- d-----w c:\program files\MSSOAP
2009-04-09 09:14 . 2008-04-14 03:42 10752 ------w c:\windows\system32\smtpapi.dll
2009-04-09 09:14 . 2008-04-14 03:42 9728 ------w c:\windows\system32\rwnh.dll
2009-04-09 09:13 . 2006-12-28 22:31 19569 ----a-w c:\windows\000001_.tmp
2009-04-04 18:25 . 2009-04-04 18:25 268 ---ha-w C:\sqmdata00.sqm
2009-04-04 18:25 . 2009-04-04 18:25 244 ---ha-w C:\sqmnoopt00.sqm

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-28 12:11 . 2007-05-20 12:30 -------- d-----w c:\documents and settings\xxx\Application Data\uTorrent
2009-04-28 11:17 . 2009-03-07 17:55 -------- d-----w c:\program files\Flock
2009-04-21 13:07 . 2008-10-13 18:36 410984 ----a-w c:\windows\system32\deploytk.dll
2009-04-20 23:36 . 2006-11-16 17:00 -------- d-----w c:\program files\Winamp
2009-04-16 20:39 . 2009-04-16 20:39 10819 ----a-w c:\program files\hijackthis.log
2009-04-13 19:22 . 2008-10-08 17:01 -------- d-----w c:\program files\Any Video Converter
2009-04-13 19:22 . 2008-10-08 17:01 -------- d--h--w c:\documents and settings\xxx\Application Data\Any Video Converter
2009-04-11 13:09 . 2009-03-04 19:42 -------- d-----w c:\program files\Spybot - Search & Destroy
2009-04-11 07:45 . 2008-10-10 05:36 -------- d--h--w c:\documents and settings\All Users\Application Data\avg8
2009-04-11 07:42 . 2006-12-06 01:38 -------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-03-11 02:05 . 2009-03-11 02:05 -------- d-----w c:\program files\Microsoft Silverlight
2009-03-11 01:59 . 2009-03-11 01:56 -------- d-----w c:\documents and settings\xxx\Application Data\vlc
2009-03-11 01:55 . 2009-03-11 01:53 -------- d-----w c:\documents and settings\xxx\Application Data\MozillaControl
2009-03-11 01:37 . 2009-03-11 01:37 -------- d-----w c:\program files\VideoLAN
2009-03-09 12:11 . 2007-11-29 19:01 -------- d-----w c:\program files\Windows Vista Icons
2009-03-08 23:04 . 2007-06-20 20:59 -------- d-----w c:\program files\MSN Messenger
2009-03-07 18:46 . 2009-03-07 18:46 -------- d--h--w c:\documents and settings\xxx\Application Data\GRETECH
2009-03-07 18:45 . 2009-03-07 18:45 -------- d-----w c:\program files\GRETECH
2009-03-07 17:59 . 2009-03-07 17:59 -------- d--h--w c:\documents and settings\xxx\Application Data\Flock
2009-03-05 12:28 . 2009-03-05 12:28 102411 ----a-w c:\windows\system32\msvcrt2.dll
2009-03-04 10:47 . 2009-03-04 10:47 -------- d-----w c:\documents and settings\All Users\Application Data\SITEguard
2009-03-04 10:46 . 2009-03-04 10:46 -------- d-----w c:\program files\Common Files\iS3
2009-03-02 18:20 . 2006-11-16 16:24 108744 ----a-w c:\documents and settings\xxx\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-03-02 18:12 . 2006-11-16 16:17 86327 ----a-w c:\windows\pchealth\helpctr\OfflineCache\index.dat
2009-03-02 18:00 . 2004-08-03 20:59 250048 --sha-r C:\ntldr
2009-02-08 22:09 . 2009-02-08 22:09 318904 ----a-w c:\program files\wmpfirefoxplugin.exe
2008-06-02 17:22 . 2007-07-24 23:07 654 ----a-w c:\program files\u Torrent.lnk
2008-03-31 22:22 . 2008-03-31 22:22 32 ---ha-w c:\documents and settings\All Users\Application Data\ezsid.dat
2006-11-16 18:24 . 2006-11-16 18:24 126 -c--a-w c:\documents and settings\xxx\Local Settings\Application Data\fusioncache.dat
.

((((((((((((((((((((((((((((( SnapShot_2009-04-21_09.34.29 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-04-28 10:43 . 2009-04-28 10:43 16384 c:\windows\Temp\Perflib_Perfdata_540.dat
+ 2004-08-03 22:56 . 2004-08-03 22:56 23552 c:\windows\system32\wmdmps.dll
+ 2004-08-03 22:56 . 2004-08-03 22:56 27136 c:\windows\system32\wmdmlog.dll
- 2009-04-20 18:03 . 2006-09-25 15:58 14640 c:\windows\system32\spmsg.dll
+ 2009-04-21 14:09 . 2006-09-25 15:58 14640 c:\windows\system32\spmsg.dll
+ 2004-08-03 22:56 . 2004-08-03 22:56 52224 c:\windows\system32\mspmsnsv.dll
+ 2004-08-03 22:56 . 2004-08-03 22:56 23552 c:\windows\system32\dllcache\wmdmps.dll
+ 2004-08-03 22:56 . 2004-08-03 22:56 27136 c:\windows\system32\dllcache\wmdmlog.dll
+ 2004-08-03 22:56 . 2004-08-03 22:56 52224 c:\windows\system32\dllcache\mspmsnsv.dll
+ 2009-04-22 07:05 . 2009-04-22 07:05 65536 c:\windows\Installer\{F38E1EF1-BBD6-4743-AF84-021E26B0481C}\ARPPRODUCTICON.exe
+ 2004-08-03 22:56 . 2004-08-03 22:56 6656 c:\windows\system32\laprxy.dll
+ 2004-08-03 22:56 . 2004-08-03 22:56 6656 c:\windows\system32\dllcache\laprxy.dll
+ 2004-08-03 22:56 . 2004-08-03 22:56 809984 c:\windows\system32\wmvdmod.dll
+ 2004-08-03 22:56 . 2004-08-03 22:56 896512 c:\windows\system32\wmspdmoe.dll
+ 2004-08-03 22:56 . 2004-08-03 22:56 484864 c:\windows\system32\wmspdmod.dll
+ 2004-08-03 22:56 . 2004-08-03 22:56 759296 c:\windows\system32\wmsdmod.dll
+ 2004-08-03 22:56 . 2004-08-03 22:56 151552 c:\windows\system32\wmidx.dll
+ 2004-08-03 22:56 . 2004-08-03 22:56 230400 c:\windows\system32\wmasf.dll
+ 2004-08-03 22:56 . 2004-08-03 22:56 670720 c:\windows\system32\wmadmoe.dll
+ 2004-08-03 22:56 . 2004-08-03 22:56 408064 c:\windows\system32\wmadmod.dll
+ 2004-08-03 22:56 . 2004-08-03 22:56 237568 c:\windows\system32\qasf.dll
+ 2004-08-03 22:56 . 2004-08-03 22:56 245760 c:\windows\system32\mswmdm.dll
+ 2004-08-03 22:57 . 2004-08-03 22:57 356352 c:\windows\system32\msscp.dll
+ 2004-08-03 22:56 . 2004-08-03 22:56 201728 c:\windows\system32\mspmsp.dll
+ 2004-08-03 22:57 . 2004-08-03 22:57 259072 c:\windows\system32\msnetobj.dll
+ 2004-08-03 22:56 . 2004-08-03 22:56 240640 c:\windows\system32\mpg4dmod.dll
+ 2004-08-03 22:56 . 2004-08-03 22:56 384512 c:\windows\system32\mp4sdmod.dll
+ 2004-08-03 22:56 . 2004-08-03 22:56 310272 c:\windows\system32\mp43dmod.dll
+ 2004-08-03 22:56 . 2004-08-03 22:56 103936 c:\windows\system32\logagent.exe
+ 2009-04-21 13:07 . 2009-04-21 13:07 148888 c:\windows\system32\javaws.exe
+ 2009-04-21 13:07 . 2009-04-21 13:07 144792 c:\windows\system32\javaw.exe
+ 2009-04-21 13:07 . 2009-04-21 13:07 144792 c:\windows\system32\java.exe
+ 2004-08-03 22:57 . 2004-08-03 22:57 695296 c:\windows\system32\drmv2clt.dll
+ 2004-08-03 22:56 . 2004-08-03 22:56 809984 c:\windows\system32\dllcache\wmvdmod.dll
+ 2004-08-03 22:56 . 2004-08-03 22:56 896512 c:\windows\system32\dllcache\wmspdmoe.dll
+ 2004-08-03 22:56 . 2004-08-03 22:56 484864 c:\windows\system32\dllcache\wmspdmod.dll
+ 2004-08-03 22:56 . 2004-08-03 22:56 759296 c:\windows\system32\dllcache\wmsdmod.dll
+ 2004-08-03 22:56 . 2004-08-03 22:56 151552 c:\windows\system32\dllcache\wmidx.dll
+ 2004-08-03 22:56 . 2004-08-03 22:56 230400 c:\windows\system32\dllcache\wmasf.dll
+ 2004-08-03 22:56 . 2004-08-03 22:56 670720 c:\windows\system32\dllcache\wmadmoe.dll
+ 2004-08-03 22:56 . 2004-08-03 22:56 408064 c:\windows\system32\dllcache\wmadmod.dll
+ 2004-08-03 22:56 . 2004-08-03 22:56 237568 c:\windows\system32\dllcache\qasf.dll
+ 2004-08-03 22:56 . 2004-08-03 22:56 245760 c:\windows\system32\dllcache\mswmdm.dll
+ 2004-08-03 22:57 . 2004-08-03 22:57 356352 c:\windows\system32\dllcache\msscp.dll
+ 2004-08-03 22:56 . 2004-08-03 22:56 201728 c:\windows\system32\dllcache\mspmsp.dll
+ 2004-08-03 22:57 . 2004-08-03 22:57 259072 c:\windows\system32\dllcache\msnetobj.dll
+ 2004-08-03 22:56 . 2004-08-03 22:56 240640 c:\windows\system32\dllcache\mpg4dmod.dll
+ 2004-08-03 22:56 . 2004-08-03 22:56 384512 c:\windows\system32\dllcache\mp4sdmod.dll
+ 2004-08-03 22:56 . 2004-08-03 22:56 310272 c:\windows\system32\dllcache\mp43dmod.dll
+ 2004-08-03 22:56 . 2004-08-03 22:56 103936 c:\windows\system32\dllcache\logagent.exe
+ 2004-08-03 22:57 . 2004-08-03 22:57 695296 c:\windows\system32\dllcache\drmv2clt.dll
+ 2004-08-03 22:56 . 2004-08-03 22:56 159232 c:\windows\system32\dllcache\cewmdm.dll
+ 2004-08-03 22:56 . 2004-08-03 22:56 286208 c:\windows\system32\dllcache\blackbox.dll
+ 2004-08-03 22:56 . 2004-08-03 22:56 159232 c:\windows\system32\cewmdm.dll
+ 2004-08-03 22:56 . 2004-08-03 22:56 286208 c:\windows\system32\blackbox.dll
+ 2004-08-03 22:56 . 2004-08-03 22:56 1001472 c:\windows\system32\wmvdmoe2.dll
+ 2004-08-03 22:57 . 2006-12-07 16:02 2174976 c:\windows\system32\wmvcore.dll
+ 2004-08-03 22:56 . 2004-08-03 22:56 1119744 c:\windows\system32\wmsdmoe2.dll
+ 2004-08-03 22:56 . 2004-08-03 22:56 1050624 c:\windows\system32\wmnetmgr.dll
+ 2004-08-03 22:56 . 2004-08-03 22:56 1001472 c:\windows\system32\dllcache\wmvdmoe2.dll
+ 2004-08-03 22:57 . 2006-12-07 16:02 2174976 c:\windows\system32\dllcache\wmvcore.dll
+ 2004-08-03 22:56 . 2004-08-03 22:56 1119744 c:\windows\system32\dllcache\wmsdmoe2.dll
+ 2004-08-03 22:56 . 2004-08-03 22:56 1050624 c:\windows\system32\dllcache\wmnetmgr.dll
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"updateMgr"="c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 313472]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2006-06-01 94208]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2005-12-09 7311360]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2005-12-09 86016]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2004-11-02 32768]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-01-19 185896]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2009-04-06 401040]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-04-21 148888]
"au"="c:\program files\Dealio\DealioAU.exe" [2007-10-09 492896]
"SoundMan"="SOUNDMAN.EXE" - c:\windows\soundman.exe [2006-01-11 577536]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2005-12-09 1519616]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

c:\documents and settings\xxx\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2007-8-24 101784]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-23 29696]
GN-WP01GS Utility.lnk - c:\program files\Gigabyte\Gigabyte WP01GS Wireless PCI Adapter SoftAP\Installer\WINXP\RaUI.exe [2007-6-1 720896]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"UIHost"="c:\windows\system32\logonui.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WRConsumerService]
@="Service"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"updateMgr"="c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_8 -reboot 1

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"NeroCheck"=c:\windows\system32\NeroCheck.exe
"NeroFilterCheck"=c:\program files\Common Files\Ahead\Lib\NeroCheck.exe
"HP Software Update"=c:\program files\HP\HP Software Update\HPWuSchd2.exe
"WinampAgent"=c:\program files\Winamp\winampa.exe
"SunJavaUpdateSched"="c:\program files\Java\jre1.5.0_09\bin\jusched.exe"
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe"
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" -osboot
"TWCU"="c:\program files\TP-LINK\TWCU\TWCU.exe" -nogui
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"d:\\Program Files\\Programi\\uTorrent.exe"=
"c:\\Documents and Settings\\xxx\\Application Data\\Macromedia\\Flash Player\\www.macromedia.com\\bin\\octoshape\\octoshape.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Flock\\flock.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:*:Disabled:@xpsp2res.dll,-22009

R2 setup_7.0.0.180_30.04.2008_14-26;setup_7.0.0.180_30.04.2008_14-26; [x]
R2 WRConsumerService;Webroot Client Service; [x]
R3 usnjsvc;Usluga Messenger Sharing Folders USN Journal Reader;c:\program files\MSN Messenger\usnsvc.exe [2007-01-19 97136]
S2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [2009-04-06 179856]
S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2009-04-06 15504]


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp
.
Contents of the 'Scheduled Tasks' folder

2009-04-24 c:\windows\Tasks\Malwarebytes' Scheduled Scan for xxx.job
- c:\program files\Malwarebytes' Anti-Malware\mbam.exe [2009-04-20 13:32]

2009-04-24 c:\windows\Tasks\Malwarebytes' Scheduled Update for xxx.job
- c:\program files\Malwarebytes' Anti-Malware\mbam.exe [2009-04-20 13:32]
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-DW6 - (no file)


.
------- Supplementary Scan -------
.
uInternet Settings,ProxyOverride = *.local
IE: &Yahoo! Search - file:///c:\program files\Yahoo!\Common/ycsrch.htm
IE: Compare Prices with &Dealio - c:\documents and settings\xxx\Application Data\Dealio\kb124\res\DealioSearch.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Yahoo! &Dictionary - file:///c:\program files\Yahoo!\Common/ycdict.htm
IE: Yahoo! &Maps - file:///c:\program files\Yahoo!\Common/ycmap.htm
IE: Yahoo! &SMS - file:///c:\program files\Yahoo!\Common/ycsms.htm
IE: {{ECC5777A-6E88-BFCE-13CE-81F134789E7B} - c:\program files\Funnsystems YuMp3Com-User-Authorization\YuMp3ComLogin.exe
DPF: CabBuilder - hxxp://kiw.imgag.com/imgag/kiw/toolbar/download/InstallerControl.cab
.

**************************************************************************

catchme 0.3.1375 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, gmer.net
Rootkit scan 2009-04-28 14:13
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-117609710-562591055-682003330-1003\Software\SecuROM\License information*]
"datasecu"=hex:01,d7,9d,16,d1,ed,9d,a9,ab,00,d0,51,f7,2a,44,df,fb,39,a5,ee,29,
cd,49,15,d5,8d,0b,c6,d8,08,f7,a6,5b,a3,56,7e,9a,52,54,19,dc,28,ee,e3,81,91,\
"rkeysecu"=hex:87,dd,bc,25,c7,7c,00,40,07,4a,2b,38,f2,54,ed,91

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{5ED60779-4DE2-4E07-B862-974CA4FF2E9C}]
@Denied: (Full) (Everyone)
"scansk"=hex(0):ff,b7,d0,40,c1,3c,33,74,7d,79,2d,9e,74,cb,41,d6,70,fe,75,10,e4,
46,c9,8e,5f,64,74,99,b6,75,e8,e5,29,b2,4d,cc,1d,8a,33,f3,00,00,00,00,00,00,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{7B8E9164-324D-4A2E-A46D-0165FB2000EC}]
@Denied: (Full) (Everyone)
"scansk"=hex(0):9f,e5,68,a8,99,c4,fc,97,2b,b5,31,c6,59,f4,42,0c,ff,62,6f,cb,a2,
29,f7,dd,8d,66,42,77,21,53,8e,77,4e,23,5c,8c,b2,72,5e,28,00,00,00,00,00,00,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{89d8de28-60b7-4d33-9965-269e32426821}]
@Denied: (Full) (Everyone)
"Model"=dword:000000b1
"Therad"=dword:00000020
"MData"=hex(0):cb,9b,ad,ef,27,7d,29,69,f5,02,f0,76,aa,4a,f1,7c,d3,d9,67,7f,6a,
4b,7b,ad,04,7a,b1,b5,76,9b,27,47,30,e2,5c,65,1b,80,a4,1f,d1,e5,bd,4d,4b,50,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{eed6e8dd-528e-4142-9f0d-b7f2d6e075fc}]
@Denied: (Full) (Everyone)
"Model"=dword:00000127
"Therad"=dword:00000015
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(3248-)
c:\windows\system32\ieframe.dll
c:\windows\system32\OneX.DLL
c:\windows\system32\eappprxy.dll
c:\windows\system32\webcheck.dll
.
Completion time: 2009-04-28 14:16
ComboFix-quarantined-files.txt 2009-04-28 12:15
ComboFix2.txt 2009-04-21 09:38
ComboFix3.txt 2009-04-16 21:19

Pre-Run: 3.775.156.224 bytes free
Post-Run: 3.782.356.992 bytes free

272 --- E O F --- 2007-08-11 01:12

offline
  • dr_Bora  Male
  • Anti Malware Fighter
    Rank 2
  • Joined: 24 Jul 2007
  • Posts: 12280
  • Location: Höganäs, SE

Download the new version of ComboFix from the links given earlier.

Open Notepad and copy the following text:

Driver::
setup_7.0.0.180_30.04.2008_14-26

Save the file from Notepad to the Desktop as "CFScript"

Drag the saved script/text onto the ComboFix icon as shown in the picture.
Post the log that is produced at the end of the cleaning/scan in your next message.
