Hidden files and a possible trojan


offline
  • still
  • Distinguished citizen
  • Joined: 25 Feb 2005
  • Posts: 639
  • Location: beli_grad>gistro

Hi, I ran a system scan just now and my AV found this (see picture).
By the way, the files shown in quarantine in the picture are only copies of the files, since the AV reported that the originals cannot be moved/deleted.
The trojan from quarantine officially doesn't exist; it was found through heuristics.
On this computer I use AntiVir Premium with an original license, Comodo Internet Security with the AV disabled, in other words I use the firewall pro variant, well configured, and Spybot.
Spybot and AntiVir are set to real-time scanning and I never turn them off; AntiVir is also set to max detection both in real-time and on-demand scanning, with heuristics at max as well (lots of false positive results).
The only option in AntiVir I keep off is WebGuard (I turn it on as needed, i.e. when I judge that there is a risk).
I haven't seen a virus in, say, 3-4 years (until now?) because I really take care to keep my system clean.
Today my brother used my PC to look for some cheats for games or whatever on the net, and I sat next to him the whole time because I know what those sites are like, and of course I turned the WebGuard option in AntiVir on at max; as soon as my brother got off the computer I did Clear private data in Firefox and started scans with AntiVir/Spybot, and before the scan itself AntiVir found what it found (it's set to do a rootkit search of the system before a full system scan).
Anyway, here's the picture..

And here is the HijackThis log

Basically I'd like to know whether I should delete these "suspicious" files from safe mode, i.e. whether there is any need to worry (I use a Visa card on this computer for online shopping, and also a WoW account I wouldn't want to put at risk, etc.)

Thanks in advance! Cheers

Addendum: 25 Mar 2009 13:01

Hm, why is there no option to edit my own post :O

offline
  • diarno  Male
  • Anti Malware Fighter
    Rank 2
  • Joined: 15 Jun 2007
  • Posts: 5572

Never, ever judge for yourself when WebGuard needs to be on and when it doesn't... In other words, keep it on all the time... That's how I got burned once, thinking a site was clean, and picked up some vermin that had only just appeared...

Follow these steps:

Right-click the Avira icon in the bottom right corner of the screen and untick AntiVir Guard Enable.

Note: don't forget to turn this option back on once the cleaning is done.

Start Spybot S&D
Click the Mode item in the menu
Select Advanced Mode
On the left bar click Tools
Click Resident
Untick Resident TeaTimer
Close Spybot S&D
Restart the computer.

- Then download the program from this link to the Desktop.
- Run it with a double-click and follow the instructions.

Don't forget to turn these options back on when you are done with the instructions.

Download ComboFix from one of the following addresses to the Desktop:
http://download.bleepingcomputer.com/sUBs/ComboFix.exe
http://www.forospyware.com/sUBs/ComboFix.exe
http://subs.geekstogo.com/ComboFix.exe

Start it and don't touch the program window while it scans.
Follow the instructions on the screen. When it finishes, a log will appear (C:\ComboFix.txt) which you will copy for us here.

offline
  • still
  • Distinguished citizen
  • Joined: 25 Feb 2005
  • Posts: 639
  • Location: beli_grad>gistro

I did everything, here's the log Combo produced.

ComboFix 09-03-23.01 - Stillo 2009-03-25 13:30:48.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1612 [GMT 1:00]
Running from: c:\documents and settings\Stillo\Desktop\ComboFix.exe
AV: AntiVir Desktop *On-access scanning disabled* (Updated)
FW: ActiveArmor Firewall *disabled*
FW: COMODO Firewall *enabled*

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\ovfsthallsentxfamydxmbaymevrccmrdrpyur.dll
c:\windows\system32\ovfsthgdtctyjybjtrqmojfinnlolglfqonppv.dll
c:\windows\system32\ovfsthtppdbgrqoiurogrgcywnuwegdqapyjpt.dll
c:\windows\system32\pthreadGC2.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_ovfsthwhkdabwwxvdlltappxwkosteoidwykrv


((((((((((((((((((((((((( Files Created from 2009-02-25 to 2009-03-25 )))))))))))))))))))))))))))))))
.

2009-03-25 10:32 . 2009-03-25 10:32 43 --a------ c:\windows\system32\ovfsthvtvfifaoynipahhmyrxttcdqtsikvfdl.dat
2009-03-25 10:31 . 2009-03-25 13:26 2,625 --a------ c:\windows\system32\ovfsthnjciohdmlvwqmnirrnswqlgqojjktxep.dat
2009-03-25 08:45 . 2006-11-29 13:06 3,426,072 --a------ c:\windows\system32\d3dx9_32.dll
2009-03-24 03:18 . 2009-03-24 03:43 <DIR> d-a------ c:\documents and settings\All Users\Application Data\TEMP
2009-03-24 03:18 . 2004-03-09 01:00 1,081,616 --a------ c:\windows\system32\MSCOMCTL.OCX
2009-03-24 03:08 . 2009-03-24 03:08 <DIR> d-------- c:\program files\IObit
2009-03-24 03:08 . 2009-03-24 03:48 <DIR> d-------- c:\documents and settings\Stillo\Application Data\IObit
2009-03-23 23:32 . 2009-03-23 23:32 262,144 --a------ c:\windows\system32\wrap_oal.dll
2009-03-23 23:32 . 2009-03-23 23:32 86,016 --a------ c:\windows\system32\OpenAL32.dll
2009-03-23 23:28 . 2009-03-23 23:28 <DIR> d-------- c:\windows\system32\Futuremark
2009-03-23 23:28 . 2007-09-07 14:55 27,672 --a------ c:\windows\system32\drivers\Entech.sys
2009-03-23 23:28 . 2007-09-07 14:55 12,744 --a------ c:\windows\system32\drivers\Entech64.sys
2009-03-23 23:28 . 2007-09-07 14:55 6,173 --a------ c:\windows\system32\drivers\Entech.vxd
2009-03-23 23:28 . 2001-11-19 20:05 3,972 --a------ c:\windows\system32\drivers\PciBus.sys
2009-03-23 08:44 . 2009-03-23 08:44 166 --a------ c:\windows\usdthank.ini
2009-03-23 08:44 . 2009-03-23 08:44 31 --a------ c:\windows\idc.ini
2009-03-23 06:35 . 2009-03-23 06:35 <DIR> d-------- c:\program files\MSBuild
2009-03-23 06:33 . 2009-03-23 06:46 <DIR> d-------- c:\windows\system32\XPSViewer
2009-03-23 06:33 . 2009-03-23 06:33 <DIR> d-------- c:\program files\Reference Assemblies
2009-03-23 06:33 . 2006-06-29 13:07 14,048 --------- c:\windows\system32\spmsg2.dll
2009-03-23 06:28 . 2008-03-05 15:56 3,786,760 --a------ c:\windows\system32\D3DX9_37.dll
2009-03-23 06:28 . 2008-03-05 15:56 1,420,824 --a------ c:\windows\system32\D3DCompiler_37.dll
2009-03-23 06:28 . 2008-02-05 23:07 462,864 --a------ c:\windows\system32\d3dx10_37.dll
2009-03-23 06:28 . 2007-04-04 18:53 81,768 --a------ c:\windows\system32\xinput1_3.dll
2009-03-23 06:27 . 2009-03-23 06:27 <DIR> d-------- c:\windows\system32\xlive
2009-03-23 06:27 . 2009-03-23 06:28 <DIR> d-------- c:\program files\Microsoft Games for Windows - LIVE
2009-03-23 06:15 . 2009-03-23 06:15 1,060,864 --a------ c:\windows\system32\mfc71.dll
2009-03-23 03:00 . 2009-03-23 03:00 <DIR> d-------- c:\documents and settings\All Users\Application Data\ATI
2009-03-23 02:57 . 2009-03-23 02:58 <DIR> d-------- c:\program files\ATI Technologies
2009-03-21 19:49 . 2006-02-22 02:05 136,272 --a------ c:\windows\system32\atmenuxx.hlp
2009-03-21 19:49 . 2006-02-22 02:05 40,651 --a------ c:\windows\system32\attenuxx.hlp
2009-03-21 19:49 . 2006-02-22 02:05 23,224 --a------ c:\windows\system32\atfenuxx.hlp
2009-03-21 19:40 . 2009-03-21 19:40 <DIR> d-------- c:\documents and settings\Stillo\Application Data\atitray
2009-03-21 19:33 . 2009-03-21 19:33 472,576 --a------ c:\windows\Radeon Omega Drivers v4.8.442 Uninstall.exe
2009-03-21 18:20 . 2009-03-21 18:20 <DIR> d-------- c:\program files\Curse
2009-03-21 04:12 . 2009-03-25 09:46 4,096 --a------ c:\windows\system32\crash
2009-03-21 02:46 . 2009-03-21 02:46 <DIR> dr-h----- c:\documents and settings\Stillo\Application Data\SecuROM
2009-03-21 02:46 . 2009-03-21 02:46 107,888 --a------ c:\windows\system32\CmdLineExt.dll
2009-03-21 02:31 . 2007-03-12 16:42 3,495,784 --a------ c:\windows\system32\d3dx9_33.dll
2009-03-21 02:31 . 2007-03-12 16:42 1,123,696 --a------ c:\windows\system32\D3DCompiler_33.dll
2009-03-21 02:31 . 2007-03-15 16:57 443,752 --a------ c:\windows\system32\d3dx10_33.dll
2009-03-21 02:30 . 2009-03-21 02:30 <DIR> d--hs---- c:\windows\ftpcache
2009-03-21 01:27 . 2009-03-21 01:27 <DIR> d-------- c:\documents and settings\All Users\Application Data\Blizzard
2009-03-21 00:11 . 2009-03-23 21:12 <DIR> d-------- c:\program files\World of Warcraft
2009-03-20 23:34 . 2008-08-29 14:26 348,160 --a------ c:\windows\system32\msvcr71.dll
2009-03-20 22:51 . 2009-03-23 02:48 10 --a------ c:\windows\WININIT.INI
2009-03-20 20:56 . 2008-11-27 05:45 221,184 --a------ c:\windows\system32\wmpns.dll
2009-03-20 19:27 . 2009-03-20 19:31 <DIR> d-------- c:\documents and settings\Stillo\Application Data\Ventrilo
2009-03-20 19:19 . 2009-03-20 19:19 0 --a------ c:\windows\ativpsrm.bin
2009-03-20 18:52 . 2006-06-14 13:44 12,288 -ra------ c:\windows\system32\drivers\EIO_XP.sys
2009-03-20 18:50 . 2008-04-14 05:42 53,760 --a------ c:\windows\system32\vfwwdm32.dll
2009-03-20 18:50 . 2008-04-14 05:42 53,760 --a--c--- c:\windows\system32\dllcache\vfwwdm32.dll
2009-03-20 18:49 . 2008-08-29 14:26 12,416 --a------ c:\windows\system32\drivers\asusgsb.sys
2009-03-20 18:38 . 2009-03-23 03:00 <DIR> d-------- c:\documents and settings\Stillo\Application Data\ATI
2009-03-20 18:36 . 2009-03-20 18:36 <DIR> d-------- c:\program files\My Company Name
2009-03-20 18:34 . 2009-03-20 18:34 <DIR> d-------- c:\program files\Common Files\ATI Technologies
2009-03-20 18:33 . 2006-12-28 05:44 84,992 -ra------ c:\windows\system32\drivers\AtiHdAud.sys
2009-03-20 18:24 . 2009-03-20 18:24 <DIR> d-------- c:\windows\NV27522908.TMP
2009-03-20 18:24 . 2009-03-20 18:24 <DIR> d-------- c:\program files\NVIDIA Corporation
2009-03-20 18:24 . 2009-03-20 18:24 22 --a------ c:\windows\FileName
2009-03-20 18:22 . 2009-03-21 18:13 22,962 --a------ c:\windows\Ascd_tmp.ini
2009-03-20 17:59 . 2008-04-14 00:15 26,368 --a--c--- c:\windows\system32\dllcache\usbstor.sys
2009-03-20 02:04 . 2009-03-20 02:04 <DIR> d---s---- c:\documents and settings\Stillo\UserData
2009-03-20 01:24 . 2009-03-22 06:44 <DIR> d-------- c:\program files\CryptLoad_1.1.6
2009-03-20 00:44 . 2009-03-20 00:44 <DIR> d-------- c:\documents and settings\Stillo\Application Data\Auslogics
2009-03-19 22:55 . 2009-03-21 00:40 <DIR> d-------- c:\program files\Common Files\Blizzard Entertainment
2009-03-19 22:07 . 2009-03-19 22:07 <DIR> d-------- c:\program files\K-Lite Codec Pack
2009-03-19 03:18 . 2009-03-19 03:18 <DIR> dr------- c:\program files\Aston
2009-03-19 03:18 . 2009-03-23 02:32 <DIR> d-------- c:\documents and settings\Stillo\Application Data\Aston
2009-03-19 02:48 . 2009-03-19 02:48 <DIR> d-------- c:\documents and settings\Stillo\Application Data\Locktime
2009-03-19 02:27 . 2009-03-19 02:27 <DIR> d-------- c:\documents and settings\Stillo\Application Data\Avira
2009-03-19 02:25 . 2009-03-19 02:25 <DIR> d-------- c:\program files\Avira
2009-03-19 02:25 . 2009-03-19 02:16 55,640 --a------ c:\windows\system32\drivers\avgntflt.sys
2009-03-19 02:14 . 2009-03-19 02:14 <DIR> d-------- c:\documents and settings\Stillo\Application Data\DisplayTune
2009-03-19 02:06 . 2009-03-23 04:03 <DIR> d-------- c:\program files\ASUS
2009-03-19 02:06 . 2006-01-11 01:50 24,576 -ra------ c:\windows\system32\AsIO.dll
2009-03-19 02:06 . 2005-12-22 19:22 5,685 -ra------ c:\windows\system32\drivers\AsIO.sys
2009-03-19 02:06 . 2004-09-07 11:41 5,120 --a------ c:\windows\system32\drivers\AsInsHelp64.sys
2009-03-19 02:06 . 2004-03-10 14:31 3,328 --a------ c:\windows\system32\drivers\AsInsHelp32.sys
2009-03-19 02:04 . 2002-07-22 15:24 322,832 --a------ c:\windows\system32\MFC30.DLL
2009-03-19 02:04 . 2002-07-10 03:10 11,008 --a------ c:\windows\system32\drivers\itchfltr.sys
2009-03-19 01:58 . 2009-03-19 01:58 <DIR> d-------- c:\program files\Webteh
2009-03-19 01:58 . 2009-03-19 22:45 <DIR> d-------- c:\documents and settings\Stillo\Application Data\BSplayer PRO
2009-03-19 01:57 . 2009-03-19 01:57 361,344 --a------ c:\windows\system32\drivers\TCPIP.SYS.ORIGINAL
2009-03-19 01:56 . 2009-03-19 02:47 <DIR> d-------- c:\program files\Spybot - Search & Destroy
2009-03-19 01:56 . 2009-03-19 02:35 <DIR> d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-03-19 01:49 . 2009-03-19 02:25 <DIR> d-------- c:\documents and settings\All Users\Application Data\Avira
2009-03-19 01:48 . 2009-03-19 01:48 <DIR> d-------- c:\program files\COMODO
2009-03-19 01:48 . 2009-03-19 02:14 <DIR> d-------- c:\documents and settings\All Users\Application Data\Comodo
2009-03-19 01:48 . 2009-03-19 01:48 155,384 --a------ c:\windows\system32\guard32.dll
2009-03-19 01:48 . 2009-03-19 01:48 110,992 --a------ c:\windows\system32\drivers\cmdguard.sys
2009-03-19 01:48 . 2009-03-19 01:48 24,336 --a------ c:\windows\system32\drivers\cmdhlp.sys
2009-03-19 01:42 . 2009-03-19 01:42 <DIR> d-------- c:\program files\MSN Messenger
2009-03-19 01:42 . 2009-03-20 02:05 <DIR> d-------- c:\documents and settings\Stillo\Contacts
2009-03-19 01:37 . 2009-03-19 01:37 <DIR> d-------- c:\program files\NetLimiter 2 Pro
2009-03-19 01:37 . 2009-03-19 01:37 <DIR> d-------- c:\documents and settings\All Users\Application Data\Locktime
2009-03-19 01:36 . 2009-03-19 01:36 <DIR> d-------- c:\program files\Recover Files
2009-03-19 01:36 . 2009-03-19 01:36 <DIR> d-------- c:\program files\PowerISO
2009-03-19 01:36 . 2009-03-19 01:36 <DIR> d-------- c:\program files\CyberLink
2009-03-19 01:35 . 2009-03-19 01:35 <DIR> d-------- c:\program files\Teamspeak2_RC2
2009-03-19 01:34 . 2009-03-19 01:34 <DIR> d-------- c:\program files\uTorrent
2009-03-19 01:34 . 2009-03-25 13:28 <DIR> d-------- c:\documents and settings\Stillo\Application Data\uTorrent
2009-03-19 01:33 . 2009-03-19 01:33 <DIR> d-------- c:\program files\VentriloMIX
2009-03-19 01:33 . 2009-03-19 01:33 <DIR> d-------- c:\program files\Ventrilo
2009-03-19 01:33 . 2009-03-19 01:33 <DIR> d-------- c:\program files\Common Files\Wise Installation Wizard
2009-03-19 01:32 . 2009-03-19 01:33 <DIR> d-------- c:\program files\Winamp
2009-03-19 01:32 . 2003-10-28 11:02 20,016 --------- c:\windows\system32\drivers\pxhelp20.sys
2009-03-19 01:32 . 2009-03-23 22:13 155 --a------ c:\windows\winamp.ini
2009-03-19 01:31 . 2009-03-19 01:31 <DIR> d-------- C:\totalcmd
2009-03-19 01:31 . 2008-04-22 07:03 545 --a------ c:\windows\UC.PIF
2009-03-19 01:31 . 2008-04-22 07:03 545 --a------ c:\windows\RAR.PIF
2009-03-19 01:31 . 2008-04-22 07:03 545 --a------ c:\windows\PKZIP.PIF
2009-03-19 01:31 . 2008-04-22 07:03 545 --a------ c:\windows\PKUNZIP.PIF
2009-03-19 01:31 . 2008-04-22 07:03 545 --a------ c:\windows\NOCLOSE.PIF
2009-03-19 01:31 . 2008-04-22 07:03 545 --a------ c:\windows\LHA.PIF
2009-03-19 01:31 . 2008-04-22 07:03 545 --a------ c:\windows\ARJ.PIF
2009-03-19 01:31 . 2009-03-19 01:31 41 --a------ c:\windows\wincmd.ini
2009-03-19 01:30 . 2009-03-19 03:57 <DIR> d-------- c:\program files\Java
2009-03-19 01:30 . 2008-11-10 05:43 410,984 --a------ c:\windows\system32\deploytk.dll
2009-03-19 01:30 . 2008-11-10 03:39 73,728 --a------ c:\windows\system32\javacpl.cpl
2009-03-19 01:27 . 2009-03-19 01:27 <DIR> d-------- c:\program files\Portrait Displays
2009-03-19 01:27 . 2009-03-19 01:27 <DIR> d-------- c:\program files\Common Files\Portrait Displays
2009-03-19 01:26 . 2009-03-19 01:26 <DIR> d-------- c:\program files\Auslogics
2009-03-19 01:24 . 2009-03-19 01:24 <DIR> d-------- c:\program files\Common Files\Adobe AIR
2009-03-19 01:24 . 2009-03-19 01:24 <DIR> d-------- c:\program files\Common Files\Adobe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-03-25 10:25 --------- d--h--w c:\program files\InstallShield Installation Information
2009-03-23 03:03 12,288 ----a-w c:\windows\system32\drivers\EIO64_xp.sys
2009-03-19 00:57 361,344 ----a-w c:\windows\system32\drivers\TCPIP.SYS
2009-03-19 00:03 --------- d-----w c:\program files\Common Files\InstallShield
2009-03-18 23:54 --------- d-----w c:\program files\DIFX
2009-03-18 23:51 --------- d-----w c:\program files\Analog Devices
2009-03-18 22:38 --------- d-----w c:\program files\microsoft frontpage
2009-02-24 23:26 2,255,360 ----a-w c:\windows\system32\x264vfw.dll
2009-02-09 18:56 67,584 ----a-w c:\windows\system32\ff_vfw.dll
2009-02-09 12:18 801,312 ----a-w c:\windows\system32\nvcplui.exe
2009-02-09 12:18 667,648 ------w c:\windows\system32\nvapi.dll
2009-02-09 12:18 45,056 ----a-w c:\windows\system32\nvmccsrs.dll
2009-02-09 12:18 401,408 ----a-w c:\windows\system32\nvcuvid.dll
2009-02-09 12:18 2,744,320 ----a-w c:\windows\system32\nvwss.dll
2009-02-09 12:18 1,560,576 ----a-w c:\windows\system32\nvcuda.dll
.

------- Sigcheck -------

2009-03-19 01:57 361344 8e036eec565910417ea020ce0962aa24 c:\windows\system32\dllcache\TCPIP.SYS
2009-03-19 01:57 361344 8e036eec565910417ea020ce0962aa24 c:\windows\system32\drivers\TCPIP.SYS
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ASUS SmartDoctor"="c:\program files\ASUS\SmartDoctor\SmartDoctor.exe" [2008-12-18 1175552]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DT LGE"="c:\program files\Common Files\Portrait Displays\Shared\DT_startup.exe" [2007-10-11 81920]
"COMODO Internet Security"="c:\program files\COMODO\COMODO Internet Security\cfp.exe" [2009-03-19 1851128]
"zBrowser Launcher"="c:\program files\Logitech\iTouch\iTouch.exe" [2002-07-22 577602]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-19 209153]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-11-10 136600]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2006-07-20 847872]
"Launch PC Probe II"="c:\program files\ASUS\PC Probe II\Probe2.exe" [2006-07-28 2129408]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2008-08-29 61440]
"ASUSGamerOSD"="c:\program files\ASUS\GamerOSD\GamerOSD.exe" [2008-08-29 380928]
"Logitech Utility"="Logi_MwX.Exe" [2003-12-17 c:\windows\LOGI_MWX.EXE]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.ACDV"= ACDV.dll
"VIDC.X264"= x264vfw.dll
"VIDC.HFYU"= huffyuv.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2009-02-27 17:10 35696 c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ASUSGamerOSD]
--a------ 2008-08-29 14:26 380928 c:\program files\ASUS\GamerOSD\GamerOSD.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
--a------ 2007-01-19 12:54 5674352 c:\program files\MSN Messenger\msnmsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PWRISOVM.EXE]
--a------ 2008-07-07 08:34 167936 c:\program files\PowerISO\PWRISOVM.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
--a------ 2005-01-12 03:01 32768 c:\program files\CyberLink\PowerDVD\PDVDServ.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
--a------ 2003-12-13 01:50 33792 c:\program files\Winamp\winampa.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=
"c:\\Program Files\\NVIDIA Corporation\\NetworkAccessManager\\Apache Group\\Apache2\\bin\\Apache.exe"=
"c:\\Program Files\\Curse\\CurseClient.exe"=

R1 cmdGuard;COMODO Internet Security Sandbox Driver;c:\windows\system32\drivers\cmdguard.sys [2009-03-19 110992]
R1 cmdHlp;COMODO Internet Security Helper Driver;c:\windows\system32\drivers\cmdhlp.sys [2009-03-19 24336]
R1 nltdi;nltdi;c:\windows\system32\drivers\nltdi.sys [2007-04-23 82200]
R2 AntiVirMailService;Avira AntiVir MailGuard;c:\program files\Avira\AntiVir Desktop\avmailc.exe [2009-03-19 186625]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [2009-03-19 108289]
R2 AntiVirWebService;Avira AntiVir WebGuard;c:\program files\Avira\AntiVir Desktop\avwebgrd.exe [2009-03-19 432897]
R3 AtiHdmiService;ATI Function Driver for HDMI Service;c:\windows\system32\drivers\AtiHdmi.sys [2008-10-31 93184]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\G]
\Shell\AutoRun\command - G:\setup.exe
.
.
------- Supplementary Scan -------
.
uInternet Connection Wizard,ShellNext = hxxp://www.ati.com/online/cccwelcome/drivers.html
LSP: c:\program files\Avira\AntiVir Desktop\avsda.dll
FF - ProfilePath - c:\documents and settings\Stillo\Application Data\Mozilla\Firefox\Profiles\1ue3y1nb.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-03-25 13:32:09
Windows 5.1.2600 Service Pack 3 NTFS

detected NTDLL code modification:
ZwClose, ZwOpenFile

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1060284298-2025429265-682003330-1003\Software\SecuROM\License information*]
"datasecu"=hex:7b,48,63,2f,ba,c6,01,86,6b,74,bb,eb,2c,44,3b,a3,6f,a9,9c,71,11,
da,14,bd,84,b3,fe,c0,e1,6c,25,f5,81,9a,78,6e,8b,9b,e4,b1,d0,ad,de,23,9b,16,\
"rkeysecu"=hex:63,f1,07,32,5f,fa,33,21,78,3b,0a,03,dc,38,db,7c
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(764)
c:\windows\system32\guard32.dll
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'lsass.exe'(824)
c:\windows\system32\guard32.dll
c:\program files\Avira\AntiVir Desktop\avsda.dll
.
Completion time: 2009-03-25 13:33:06
ComboFix-quarantined-files.txt 2009-03-25 12:33:04

Pre-Run: 42,005,778,432 bytes free
Post-Run: 41,995,636,736 bytes free

263 --- E O F --- 2009-03-18 23:55:45

By the way, I keep WebGuard off by default because it slows down my throughput, and badly too; say I'm downloading some direct link that normally goes at 200kbps, with WebGuard ON it goes at around 100kbps. That's the only reason I keep it off; otherwise I don't visit unknown sites, mostly Serbian forums similar to MyCity and a few sites here and there, all checked out, so I think it's not really a problem that WebGuard is off.
Anyway, I think this Combo, whatever it is, did what it needed to; it deleted some files, I didn't have time to see exactly which, and I'm not quite sure they're the ones AntiVir found.
Oh, and Avira starts automatically with all its "guards" after a reboot, and since Combo did a reboot AntiVir started first (it's set to "insist" on coming up before other processes at system startup) and it detected Combo as a virus; I chose Ignore and by some miracle it didn't nag any further about it.
One more thing I noticed: I use Aston Shell, a little program that changes the look of the desktop, themes etc. I'm not sure whether Combo turned it off, but it was disabled after the reboot (the one after Combo finished what it had to do..) so I had to start it manually.

Addendum: 25 Mar 2009 13:54

Haha, again I can't edit the post.. ok, I totally forgot to thank you for the help and such a quick reply! Well done :)

offline
  • diarno  Male
  • Anti Malware Fighter
    Rank 2
  • Joined: 15 Jun 2007
  • Posts: 5572

Yes.. Avira has that problem... I had trouble downloading files too.. it messes with the connection a bit..

Do the following:

Open Notepad and copy in the following text:

File::
c:\windows\system32\ovfsthvtvfifaoynipahhmyrxttcdqtsikvfdl.dat
c:\windows\system32\ovfsthnjciohdmlvwqmnirrnswqlgqojjktxep.dat

Save the file from Notepad to the Desktop as "CFScript"

Drag the saved script/text onto the ComboFix icon as in the picture.
Post the log that is produced at the end of the cleaning/scan in your next message.
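A triage helper for the ComboFix logs posted in this thread and for the CFScript step just above, added here as an example; it is not ComboFix's own code and was not posted by anyone in the thread. It works on constructed excerpts of the two logs above, flags "Other Deletions", "Drivers/Services" and "Files Created" entries whose names are long runs of lowercase letters with no digits or separators (the ovfsth* pattern; the 20-letter threshold and the prefix grouping are this example's own assumptions, not a ComboFix rule), builds a File:: block of the form requested above, and checks the follow-up log's Other Deletions section against it so you can see whether the CFScript run actually removed what you listed.

```python
"""Triage helper for ComboFix-style logs (added example, not ComboFix's code).
Sample log text is constructed from excerpts of the logs posted in this thread;
the "random-looking name" heuristic and the CFScript cross-check are assumptions."""
import re
from collections import Counter
# Constructed sample: excerpts of the first ComboFix log posted in the thread.
FIRST_LOG = r"""
(((((((((( Other Deletions ))))))))))
.
c:\windows\system32\ovfsthallsentxfamydxmbaymevrccmrdrpyur.dll
c:\windows\system32\ovfsthgdtctyjybjtrqmojfinnlolglfqonppv.dll
c:\windows\system32\pthreadGC2.dll
(((((((((( Drivers/Services ))))))))))
-------\Service_ovfsthwhkdabwwxvdlltappxwkosteoidwykrv
(((((((((( Files Created from 2009-02-25 to 2009-03-25 ))))))))))
2009-03-25 10:32 . 2009-03-25 10:32 43 --a------ c:\windows\system32\ovfsthvtvfifaoynipahhmyrxttcdqtsikvfdl.dat
2009-03-25 10:31 . 2009-03-25 13:26 2,625 --a------ c:\windows\system32\ovfsthnjciohdmlvwqmnirrnswqlgqojjktxep.dat
2009-03-19 03:18 . 2009-03-19 03:18 <DIR> dr------- c:\program files\Aston
"""
# Constructed sample: the Other Deletions block of the second (CFScript) run.
SECOND_LOG = r"""
(((((((((( Other Deletions ))))))))))
c:\windows\system32\ovfsthnjciohdmlvwqmnirrnswqlgqojjktxep.dat
c:\windows\system32\ovfsthvtvfifaoynipahhmyrxttcdqtsikvfdl.dat
"""

SECTION_RE = re.compile(r"^\(+\s*(.+?)\s*\)+\s*$")
CREATED_RE = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2} \. \d{4}-\d{2}-\d{2} \d{2}:\d{2}"
                        r"\s+(?:<DIR>|[\d,]+)\s+\S+\s+(.+)$")
SERVICE_RE = re.compile(r"^-+\\Service_(\S+)$")
RANDOM_STEM_RE = re.compile(r"^[a-z]{20,}$")  # length threshold is an assumption

def parse_log(text):
    """Split a ComboFix-style log into {section name: [content lines]}."""
    sections, current = {}, None
    for line in text.splitlines():
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            sections[current] = []
        elif current is not None and line.strip() not in ("", "."):
            sections[current].append(line.rstrip())
    return sections

def stem(name):
    """File or service name without directory and extension."""
    return name.rsplit("\\", 1)[-1].rsplit(".", 1)[0]

def looks_random(name):
    """Long run of lowercase letters, no digits or separators: not how Windows
    or mainstream vendors name files in system32 (heuristic)."""
    return bool(RANDOM_STEM_RE.match(stem(name)))

def triage(log_text):
    """(kind, name) pairs for random-looking deletions, services and new files."""
    sections = parse_log(log_text)
    found = [("deleted", p) for p in sections.get("Other Deletions", []) if looks_random(p)]
    for line in sections.get("Drivers/Services", []):
        m = SERVICE_RE.match(line)
        if m and looks_random(m.group(1)):
            found.append(("service", m.group(1)))
    for key, lines in sections.items():
        if key.startswith("Files Created"):
            for line in lines:
                m = CREATED_RE.match(line)
                if m and looks_random(m.group(1)):
                    found.append(("created", m.group(1)))
    return found

def families(findings, prefix_len=6):
    """Count findings per leading prefix: DLLs, a service and data files that
    share one prefix point at a single dropper rather than at scanner noise."""
    counts = Counter(stem(name)[:prefix_len] for _, name in findings)
    return {p: n for p, n in counts.items() if n >= 2}

def build_cfscript(paths):
    """Emit the File:: block in the form the helper in this thread asked for."""
    return "File::\n" + "\n".join(paths) + "\n"

def parse_cfscript(text):
    """Paths listed under File:: (other CFScript directives are ignored)."""
    paths, in_file = [], False
    for line in (raw.strip() for raw in text.splitlines()):
        if line.endswith("::"):
            in_file = line == "File::"
        elif in_file and line:
            paths.append(line)
    return paths

def verify_cfscript(cfscript_text, log_text):
    """File:: entries the follow-up log does NOT list under Other Deletions."""
    deleted = {p.lower() for p in parse_log(log_text).get("Other Deletions", [])}
    return [p for p in parse_cfscript(cfscript_text) if p.lower() not in deleted]

if __name__ == "__main__":
    hits = triage(FIRST_LOG)
    for kind, name in hits:
        print(f"{kind:8} {name}")
    print("families:", families(hits))
    script = build_cfscript([n for k, n in hits if k == "created"])
    print("not removed by second run:", verify_cfscript(script, SECOND_LOG))
```

Run as a script it lists five ovfsth entries (two DLLs, the service and the two .dat files) under one prefix, passes pthreadGC2.dll and the Aston directory, and reports nothing left over after the second run. Treat the output as a reading aid for a log you are about to post, not as a verdict; the section names and line layout are those of the 2009-era ComboFix format shown in this thread.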

offline
  • still
  • Distinguished citizen
  • Joined: 25 Feb 2005
  • Posts: 639
  • Location: beli_grad>gistro

I have a question for the experts of the MyCity clinic :P
Totally unrelated to the topic, but it's been going round my head lately, so I thought I'd ask what you think.
Registry cleaners, in general: are they worthwhile/do they have a point, or is it pure marketing and selling dust? I've read so much about registry cleaners, how they can cause problems and delete what they shouldn't, and that their purpose of cleaning the registry is a pure deception about speeding up the PC/reducing the chance of system errors and the like.
I've also read that those who really know systems don't use registry cleaners because they consider them unnecessary.
And then I look at the other side, a bunch of non-experts, ordinary users who are very satisfied, feel speedups and the like, a bunch of sites recommending registry cleaners, some for profit, some for the truth about registry cleaners?
So the opinion of those who understand systems about registry cleaners in general is? :P

offline
  • diarno  Male
  • Anti Malware Fighter
    Rank 2
  • Joined: 15 Jun 2007
  • Posts: 5572

As for the other problems.. and registry cleaners... you'll get an answer later.. I have to run now :)

Just do what I told you :)

offline
  • still
  • Distinguished citizen
  • Joined: 25 Feb 2005
  • Posts: 639
  • Location: beli_grad>gistro

Aha ok, fine, I'll do it, I just wanted to check whether it's really necessary to make a system backup like Combo asks? Since I keep System Restore off precisely because of viruses?

Addendum: 25 Mar 2009 14:27

OK, here's the new log

ComboFix 09-03-23.01 - Stillo 2009-03-25 14:16:41.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1477 [GMT 1:00]
Running from: c:\documents and settings\Stillo\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Stillo\Desktop\CFScript.txt
AV: AntiVir Desktop *On-access scanning disabled* (Updated)
FW: ActiveArmor Firewall *disabled*
FW: COMODO Firewall *enabled*
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
c:\windows\system32\ovfsthnjciohdmlvwqmnirrnswqlgqojjktxep.dat
c:\windows\system32\ovfsthvtvfifaoynipahhmyrxttcdqtsikvfdl.dat
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\ovfsthnjciohdmlvwqmnirrnswqlgqojjktxep.dat
c:\windows\system32\ovfsthvtvfifaoynipahhmyrxttcdqtsikvfdl.dat

.
((((((((((((((((((((((((( Files Created from 2009-02-25 to 2009-03-25 )))))))))))))))))))))))))))))))
.

2009-03-25 08:45 . 2006-11-29 13:06 3,426,072 --a------ c:\windows\system32\d3dx9_32.dll
2009-03-24 03:18 . 2009-03-24 03:43 <DIR> d-a------ c:\documents and settings\All Users\Application Data\TEMP
2009-03-24 03:18 . 2004-03-09 01:00 1,081,616 --a------ c:\windows\system32\MSCOMCTL.OCX
2009-03-24 03:08 . 2009-03-24 03:08 <DIR> d-------- c:\program files\IObit
2009-03-24 03:08 . 2009-03-24 03:48 <DIR> d-------- c:\documents and settings\Stillo\Application Data\IObit
2009-03-23 23:32 . 2009-03-23 23:32 262,144 --a------ c:\windows\system32\wrap_oal.dll
2009-03-23 23:32 . 2009-03-23 23:32 86,016 --a------ c:\windows\system32\OpenAL32.dll
2009-03-23 23:28 . 2009-03-23 23:28 <DIR> d-------- c:\windows\system32\Futuremark
2009-03-23 23:28 . 2007-09-07 14:55 27,672 --a------ c:\windows\system32\drivers\Entech.sys
2009-03-23 23:28 . 2007-09-07 14:55 12,744 --a------ c:\windows\system32\drivers\Entech64.sys
2009-03-23 23:28 . 2007-09-07 14:55 6,173 --a------ c:\windows\system32\drivers\Entech.vxd
2009-03-23 23:28 . 2001-11-19 20:05 3,972 --a------ c:\windows\system32\drivers\PciBus.sys
2009-03-23 08:44 . 2009-03-23 08:44 166 --a------ c:\windows\usdthank.ini
2009-03-23 08:44 . 2009-03-23 08:44 31 --a------ c:\windows\idc.ini
2009-03-23 06:35 . 2009-03-23 06:35 <DIR> d-------- c:\program files\MSBuild
2009-03-23 06:33 . 2009-03-23 06:46 <DIR> d-------- c:\windows\system32\XPSViewer
2009-03-23 06:33 . 2009-03-23 06:33 <DIR> d-------- c:\program files\Reference Assemblies
2009-03-23 06:33 . 2006-06-29 13:07 14,048 --------- c:\windows\system32\spmsg2.dll
2009-03-23 06:28 . 2008-03-05 15:56 3,786,760 --a------ c:\windows\system32\D3DX9_37.dll
2009-03-23 06:28 . 2008-03-05 15:56 1,420,824 --a------ c:\windows\system32\D3DCompiler_37.dll
2009-03-23 06:28 . 2008-02-05 23:07 462,864 --a------ c:\windows\system32\d3dx10_37.dll
2009-03-23 06:28 . 2007-04-04 18:53 81,768 --a------ c:\windows\system32\xinput1_3.dll
2009-03-23 06:27 . 2009-03-23 06:27 <DIR> d-------- c:\windows\system32\xlive
2009-03-23 06:27 . 2009-03-23 06:28 <DIR> d-------- c:\program files\Microsoft Games for Windows - LIVE
2009-03-23 06:15 . 2009-03-23 06:15 1,060,864 --a------ c:\windows\system32\mfc71.dll
2009-03-23 03:00 . 2009-03-23 03:00 <DIR> d-------- c:\documents and settings\All Users\Application Data\ATI
2009-03-23 02:57 . 2009-03-23 02:58 <DIR> d-------- c:\program files\ATI Technologies
2009-03-21 19:49 . 2006-02-22 02:05 136,272 --a------ c:\windows\system32\atmenuxx.hlp
2009-03-21 19:49 . 2006-02-22 02:05 40,651 --a------ c:\windows\system32\attenuxx.hlp
2009-03-21 19:49 . 2006-02-22 02:05 23,224 --a------ c:\windows\system32\atfenuxx.hlp
2009-03-21 19:40 . 2009-03-21 19:40 <DIR> d-------- c:\documents and settings\Stillo\Application Data\atitray
2009-03-21 19:33 . 2009-03-21 19:33 472,576 --a------ c:\windows\Radeon Omega Drivers v4.8.442 Uninstall.exe
2009-03-21 18:20 . 2009-03-21 18:20 <DIR> d-------- c:\program files\Curse
2009-03-21 04:12 . 2009-03-25 09:46 4,096 --a------ c:\windows\system32\crash
2009-03-21 02:46 . 2009-03-21 02:46 <DIR> dr-h----- c:\documents and settings\Stillo\Application Data\SecuROM
2009-03-21 02:46 . 2009-03-21 02:46 107,888 --a------ c:\windows\system32\CmdLineExt.dll
2009-03-21 02:31 . 2007-03-12 16:42 3,495,784 --a------ c:\windows\system32\d3dx9_33.dll
2009-03-21 02:31 . 2007-03-12 16:42 1,123,696 --a------ c:\windows\system32\D3DCompiler_33.dll
2009-03-21 02:31 . 2007-03-15 16:57 443,752 --a------ c:\windows\system32\d3dx10_33.dll
2009-03-21 02:30 . 2009-03-21 02:30 <DIR> d--hs---- c:\windows\ftpcache
2009-03-21 01:27 . 2009-03-21 01:27 <DIR> d-------- c:\documents and settings\All Users\Application Data\Blizzard
2009-03-21 00:11 . 2009-03-23 21:12 <DIR> d-------- c:\program files\World of Warcraft
2009-03-20 23:34 . 2008-08-29 14:26 348,160 --a------ c:\windows\system32\msvcr71.dll
2009-03-20 22:51 . 2009-03-23 02:48 10 --a------ c:\windows\WININIT.INI
2009-03-20 20:56 . 2008-11-27 05:45 221,184 --a------ c:\windows\system32\wmpns.dll
2009-03-20 19:27 . 2009-03-20 19:31 <DIR> d-------- c:\documents and settings\Stillo\Application Data\Ventrilo
2009-03-20 19:19 . 2009-03-20 19:19 0 --a------ c:\windows\ativpsrm.bin
2009-03-20 18:52 . 2006-06-14 13:44 12,288 -ra------ c:\windows\system32\drivers\EIO_XP.sys
2009-03-20 18:50 . 2008-04-14 05:42 53,760 --a------ c:\windows\system32\vfwwdm32.dll
2009-03-20 18:50 . 2008-04-14 05:42 53,760 --a--c--- c:\windows\system32\dllcache\vfwwdm32.dll
2009-03-20 18:49 . 2008-08-29 14:26 12,416 --a------ c:\windows\system32\drivers\asusgsb.sys
2009-03-20 18:38 . 2009-03-23 03:00 <DIR> d-------- c:\documents and settings\Stillo\Application Data\ATI
2009-03-20 18:36 . 2009-03-20 18:36 <DIR> d-------- c:\program files\My Company Name
2009-03-20 18:34 . 2009-03-20 18:34 <DIR> d-------- c:\program files\Common Files\ATI Technologies
2009-03-20 18:33 . 2006-12-28 05:44 84,992 -ra------ c:\windows\system32\drivers\AtiHdAud.sys
2009-03-20 18:24 . 2009-03-20 18:24 <DIR> d-------- c:\windows\NV27522908.TMP
2009-03-20 18:24 . 2009-03-20 18:24 <DIR> d-------- c:\program files\NVIDIA Corporation
2009-03-20 18:24 . 2009-03-20 18:24 22 --a------ c:\windows\FileName
2009-03-20 18:22 . 2009-03-21 18:13 22,962 --a------ c:\windows\Ascd_tmp.ini
2009-03-20 17:59 . 2008-04-14 00:15 26,368 --a--c--- c:\windows\system32\dllcache\usbstor.sys
2009-03-20 02:04 . 2009-03-20 02:04 <DIR> d---s---- c:\documents and settings\Stillo\UserData
2009-03-20 01:24 . 2009-03-22 06:44 <DIR> d-------- c:\program files\CryptLoad_1.1.6
2009-03-20 00:44 . 2009-03-20 00:44 <DIR> d-------- c:\documents and settings\Stillo\Application Data\Auslogics
2009-03-19 22:55 . 2009-03-21 00:40 <DIR> d-------- c:\program files\Common Files\Blizzard Entertainment
2009-03-19 22:07 . 2009-03-19 22:07 <DIR> d-------- c:\program files\K-Lite Codec Pack
2009-03-19 03:18 . 2009-03-19 03:18 <DIR> dr------- c:\program files\Aston
2009-03-19 03:18 . 2009-03-25 13:39 <DIR> d-------- c:\documents and settings\Stillo\Application Data\Aston
2009-03-19 02:48 . 2009-03-19 02:48 <DIR> d-------- c:\documents and settings\Stillo\Application Data\Locktime
2009-03-19 02:27 . 2009-03-19 02:27 <DIR> d-------- c:\documents and settings\Stillo\Application Data\Avira
2009-03-19 02:25 . 2009-03-19 02:25 <DIR> d-------- c:\program files\Avira
2009-03-19 02:25 . 2009-03-19 02:16 55,640 --a------ c:\windows\system32\drivers\avgntflt.sys
2009-03-19 02:14 . 2009-03-19 02:14 <DIR> d-------- c:\documents and settings\Stillo\Application Data\DisplayTune
2009-03-19 02:06 . 2009-03-23 04:03 <DIR> d-------- c:\program files\ASUS
2009-03-19 02:06 . 2006-01-11 01:50 24,576 -ra------ c:\windows\system32\AsIO.dll
2009-03-19 02:06 . 2005-12-22 19:22 5,685 -ra------ c:\windows\system32\drivers\AsIO.sys
2009-03-19 02:06 . 2004-09-07 11:41 5,120 --a------ c:\windows\system32\drivers\AsInsHelp64.sys
2009-03-19 02:06 . 2004-03-10 14:31 3,328 --a------ c:\windows\system32\drivers\AsInsHelp32.sys
2009-03-19 02:04 . 2002-07-22 15:24 322,832 --a------ c:\windows\system32\MFC30.DLL
2009-03-19 02:04 . 2002-07-10 03:10 11,008 --a------ c:\windows\system32\drivers\itchfltr.sys
2009-03-19 01:58 . 2009-03-19 01:58 <DIR> d-------- c:\program files\Webteh
2009-03-19 01:58 . 2009-03-19 22:45 <DIR> d-------- c:\documents and settings\Stillo\Application Data\BSplayer PRO
2009-03-19 01:57 . 2009-03-19 01:57 361,344 --a------ c:\windows\system32\drivers\TCPIP.SYS.ORIGINAL
2009-03-19 01:56 . 2009-03-19 02:47 <DIR> d-------- c:\program files\Spybot - Search & Destroy
2009-03-19 01:56 . 2009-03-19 02:35 <DIR> d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-03-19 01:49 . 2009-03-19 02:25 <DIR> d-------- c:\documents and settings\All Users\Application Data\Avira
2009-03-19 01:48 . 2009-03-19 01:48 <DIR> d-------- c:\program files\COMODO
2009-03-19 01:48 . 2009-03-19 02:14 <DIR> d-------- c:\documents and settings\All Users\Application Data\Comodo
2009-03-19 01:48 . 2009-03-19 01:48 155,384 --a------ c:\windows\system32\guard32.dll
2009-03-19 01:48 . 2009-03-19 01:48 110,992 --a------ c:\windows\system32\drivers\cmdguard.sys
2009-03-19 01:48 . 2009-03-19 01:48 24,336 --a------ c:\windows\system32\drivers\cmdhlp.sys
2009-03-19 01:42 . 2009-03-19 01:42 <DIR> d-------- c:\program files\MSN Messenger
2009-03-19 01:42 . 2009-03-20 02:05 <DIR> d-------- c:\documents and settings\Stillo\Contacts
2009-03-19 01:37 . 2009-03-19 01:37 <DIR> d-------- c:\program files\NetLimiter 2 Pro
2009-03-19 01:37 . 2009-03-19 01:37 <DIR> d-------- c:\documents and settings\All Users\Application Data\Locktime
2009-03-19 01:36 . 2009-03-19 01:36 <DIR> d-------- c:\program files\Recover Files
2009-03-19 01:36 . 2009-03-19 01:36 <DIR> d-------- c:\program files\PowerISO
2009-03-19 01:36 . 2009-03-19 01:36 <DIR> d-------- c:\program files\CyberLink
2009-03-19 01:35 . 2009-03-19 01:35 <DIR> d-------- c:\program files\Teamspeak2_RC2
2009-03-19 01:34 . 2009-03-19 01:34 <DIR> d-------- c:\program files\uTorrent
2009-03-19 01:34 . 2009-03-25 14:17 <DIR> d-------- c:\documents and settings\Stillo\Application Data\uTorrent
2009-03-19 01:33 . 2009-03-19 01:33 <DIR> d-------- c:\program files\VentriloMIX
2009-03-19 01:33 . 2009-03-19 01:33 <DIR> d-------- c:\program files\Ventrilo
2009-03-19 01:33 . 2009-03-19 01:33 <DIR> d-------- c:\program files\Common Files\Wise Installation Wizard
2009-03-19 01:32 . 2009-03-19 01:33 <DIR> d-------- c:\program files\Winamp
2009-03-19 01:32 . 2003-10-28 11:02 20,016 --------- c:\windows\system32\drivers\pxhelp20.sys
2009-03-19 01:32 . 2009-03-23 22:13 155 --a------ c:\windows\winamp.ini
2009-03-19 01:31 . 2009-03-19 01:31 <DIR> d-------- C:\totalcmd
2009-03-19 01:31 . 2008-04-22 07:03 545 --a------ c:\windows\UC.PIF
2009-03-19 01:31 . 2008-04-22 07:03 545 --a------ c:\windows\RAR.PIF
2009-03-19 01:31 . 2008-04-22 07:03 545 --a------ c:\windows\PKZIP.PIF
2009-03-19 01:31 . 2008-04-22 07:03 545 --a------ c:\windows\PKUNZIP.PIF
2009-03-19 01:31 . 2008-04-22 07:03 545 --a------ c:\windows\NOCLOSE.PIF
2009-03-19 01:31 . 2008-04-22 07:03 545 --a------ c:\windows\LHA.PIF
2009-03-19 01:31 . 2008-04-22 07:03 545 --a------ c:\windows\ARJ.PIF
2009-03-19 01:31 . 2009-03-19 01:31 41 --a------ c:\windows\wincmd.ini
2009-03-19 01:30 . 2009-03-19 03:57 <DIR> d-------- c:\program files\Java
2009-03-19 01:30 . 2008-11-10 05:43 410,984 --a------ c:\windows\system32\deploytk.dll
2009-03-19 01:30 . 2008-11-10 03:39 73,728 --a------ c:\windows\system32\javacpl.cpl
2009-03-19 01:27 . 2009-03-19 01:27 <DIR> d-------- c:\program files\Portrait Displays
2009-03-19 01:27 . 2009-03-19 01:27 <DIR> d-------- c:\program files\Common Files\Portrait Displays
2009-03-19 01:26 . 2009-03-19 01:26 <DIR> d-------- c:\program files\Auslogics
2009-03-19 01:24 . 2009-03-19 01:24 <DIR> d-------- c:\program files\Common Files\Adobe AIR
2009-03-19 01:24 . 2009-03-19 01:24 <DIR> d-------- c:\program files\Common Files\Adobe
2009-03-19 01:11 . 2009-03-19 01:11 0 --a------ c:\windows\nsreg.dat
2009-03-19 01:10 . 2009-03-19 01:10 <DIR> d-------- c:\windows\Downloaded Installations

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-03-25 10:25 --------- d--h--w c:\program files\InstallShield Installation Information
2009-03-23 03:03 12,288 ----a-w c:\windows\system32\drivers\EIO64_xp.sys
2009-03-19 00:57 361,344 ----a-w c:\windows\system32\drivers\TCPIP.SYS
2009-03-19 00:03 --------- d-----w c:\program files\Common Files\InstallShield
2009-03-18 23:54 --------- d-----w c:\program files\DIFX
2009-03-18 23:51 --------- d-----w c:\program files\Analog Devices
2009-03-18 22:38 --------- d-----w c:\program files\microsoft frontpage
2009-02-24 23:26 2,255,360 ----a-w c:\windows\system32\x264vfw.dll
2009-02-09 18:56 67,584 ----a-w c:\windows\system32\ff_vfw.dll
2009-02-09 12:18 801,312 ----a-w c:\windows\system32\nvcplui.exe
2009-02-09 12:18 667,648 ------w c:\windows\system32\nvapi.dll
2009-02-09 12:18 45,056 ----a-w c:\windows\system32\nvmccsrs.dll
2009-02-09 12:18 401,408 ----a-w c:\windows\system32\nvcuvid.dll
2009-02-09 12:18 2,744,320 ----a-w c:\windows\system32\nvwss.dll
2009-02-09 12:18 1,560,576 ----a-w c:\windows\system32\nvcuda.dll
.

------- Sigcheck -------

2009-03-19 01:57 361344 8e036eec565910417ea020ce0962aa24 c:\windows\system32\dllcache\TCPIP.SYS
2009-03-19 01:57 361344 8e036eec565910417ea020ce0962aa24 c:\windows\system32\drivers\TCPIP.SYS
.
((((((((((((((((((((((((((((( SnapShot@2009-03-25_13.32.28.15 )))))))))))))))))))))))))))))))))))))))))
.
- 2009-03-25 12:30:23 32,768 ----a-w c:\windows\Temp\Cookies\index.dat
+ 2009-03-25 12:40:13 32,768 ----a-w c:\windows\Temp\Cookies\index.dat
- 2009-03-25 12:30:23 32,768 ----a-w c:\windows\Temp\History\History.IE5\index.dat
+ 2009-03-25 12:40:13 32,768 ----a-w c:\windows\Temp\History\History.IE5\index.dat
+ 2009-03-25 12:36:08 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_81c.dat
- 2009-03-25 12:30:23 49,152 ----a-w c:\windows\Temp\Temporary Internet Files\Content.IE5\index.dat
+ 2009-03-25 12:40:13 49,152 ----a-w c:\windows\Temp\Temporary Internet Files\Content.IE5\index.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ASUS SmartDoctor"="c:\program files\ASUS\SmartDoctor\SmartDoctor.exe" [2008-12-18 1175552]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DT LGE"="c:\program files\Common Files\Portrait Displays\Shared\DT_startup.exe" [2007-10-11 81920]
"COMODO Internet Security"="c:\program files\COMODO\COMODO Internet Security\cfp.exe" [2009-03-19 1851128]
"zBrowser Launcher"="c:\program files\Logitech\iTouch\iTouch.exe" [2002-07-22 577602]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-19 209153]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-11-10 136600]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2006-07-20 847872]
"Launch PC Probe II"="c:\program files\ASUS\PC Probe II\Probe2.exe" [2006-07-28 2129408]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2008-08-29 61440]
"ASUSGamerOSD"="c:\program files\ASUS\GamerOSD\GamerOSD.exe" [2008-08-29 380928]
"Logitech Utility"="Logi_MwX.Exe" [2003-12-17 c:\windows\LOGI_MWX.EXE]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.ACDV"= ACDV.dll
"VIDC.X264"= x264vfw.dll
"VIDC.HFYU"= huffyuv.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2009-02-27 17:10 35696 c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ASUSGamerOSD]
--a------ 2008-08-29 14:26 380928 c:\program files\ASUS\GamerOSD\GamerOSD.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
--a------ 2007-01-19 12:54 5674352 c:\program files\MSN Messenger\msnmsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PWRISOVM.EXE]
--a------ 2008-07-07 08:34 167936 c:\program files\PowerISO\PWRISOVM.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
--a------ 2005-01-12 03:01 32768 c:\program files\CyberLink\PowerDVD\PDVDServ.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
--a------ 2003-12-13 01:50 33792 c:\program files\Winamp\winampa.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=
"c:\\Program Files\\NVIDIA Corporation\\NetworkAccessManager\\Apache Group\\Apache2\\bin\\Apache.exe"=
"c:\\Program Files\\Curse\\CurseClient.exe"=

R1 cmdGuard;COMODO Internet Security Sandbox Driver;c:\windows\system32\drivers\cmdguard.sys [2009-03-19 110992]
R1 cmdHlp;COMODO Internet Security Helper Driver;c:\windows\system32\drivers\cmdhlp.sys [2009-03-19 24336]
R1 nltdi;nltdi;c:\windows\system32\drivers\nltdi.sys [2007-04-23 82200]
R2 AntiVirMailService;Avira AntiVir MailGuard;c:\program files\Avira\AntiVir Desktop\avmailc.exe [2009-03-19 186625]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [2009-03-19 108289]
R2 AntiVirWebService;Avira AntiVir WebGuard;c:\program files\Avira\AntiVir Desktop\avwebgrd.exe [2009-03-19 432897]
R3 AtiHdmiService;ATI Function Driver for HDMI Service;c:\windows\system32\drivers\AtiHdmi.sys [2008-10-31 93184]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\G]
\Shell\AutoRun\command - G:\setup.exe
.
.
------- Supplementary Scan -------
.
uInternet Connection Wizard,ShellNext = hxxp://www.ati.com/online/cccwelcome/drivers.html
LSP: c:\program files\Avira\AntiVir Desktop\avsda.dll
FF - ProfilePath - c:\documents and settings\Stillo\Application Data\Mozilla\Firefox\Profiles\1ue3y1nb.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-03-25 14:17:42
Windows 5.1.2600 Service Pack 3 NTFS

detected NTDLL code modification:
ZwClose, ZwOpenFile

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1060284298-2025429265-682003330-1003\Software\SecuROM\License information*]
"datasecu"=hex:7b,48,63,2f,ba,c6,01,86,6b,74,bb,eb,2c,44,3b,a3,6f,a9,9c,71,11,
da,14,bd,84,b3,fe,c0,e1,6c,25,f5,81,9a,78,6e,8b,9b,e4,b1,d0,ad,de,23,9b,16,\
"rkeysecu"=hex:63,f1,07,32,5f,fa,33,21,78,3b,0a,03,dc,38,db,7c
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(760)
c:\windows\system32\guard32.dll
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'lsass.exe'(820)
c:\windows\system32\guard32.dll
c:\program files\Avira\AntiVir Desktop\avsda.dll
.
Completion time: 2009-03-25 14:18:36
ComboFix-quarantined-files.txt 2009-03-25 13:18:33
ComboFix2.txt 2009-03-25 12:33:07

Pre-Run: 41,981,427,712 bytes free
Post-Run: 41,968,402,432 bytes free

274 --- E O F --- 2009-03-18 23:55:45

By the way, this time Combo did not reboot the PC, so it did not shut down the Aston shell, but I see now that Firefox was no longer set as my default browser.

Addendum: 25 Mar 2009 14:29

I assume I should keep the backup of the deleted files that Combo made for a while, just in case :O
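As an added triage example (not code from this thread, from ComboFix or from its authors), a small Python parser that pulls out the review points a helper checks by eye in a ComboFix log like the one above: Run-key autostarts (separating values that are bare file names), a disabled Windows firewall, per-volume AutoRun commands under mountpoints2, loaded drivers/services, and catchme's NTDLL modification report. The sample log is a constructed excerpt in the same format; a hit means "review this", not "malicious", since HIPS and sandbox products hook the same NTDLL functions.

```python
import re
from collections import namedtuple

# kind: what was found; subject: name/key/drive; detail: value, path or list
Finding = namedtuple("Finding", "kind subject detail")

# Constructed excerpt in ComboFix's log format, modelled on the thread's log.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-19 209153]
"Logitech Utility"="Logi_MwX.Exe" [2003-12-17 c:\windows\LOGI_MWX.EXE]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

R1 cmdGuard;COMODO Internet Security Sandbox Driver;c:\windows\system32\drivers\cmdguard.sys [2009-03-19 110992]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\G]
\Shell\AutoRun\command - G:\setup.exe

detected NTDLL code modification:
ZwClose, ZwOpenFile
"""

KEY_RE = re.compile(r"^\[(.+)\]$")                       # [HKEY_...\Run]
RUN_VALUE_RE = re.compile(r'^"([^"]+)"="([^"]*)"')        # "name"="value"
FIREWALL_RE = re.compile(r'^"EnableFirewall"=\s*(\d+)')
AUTORUN_RE = re.compile(r"^\\Shell\\AutoRun\\command - (.+)$")
SERVICE_RE = re.compile(r"^([RS][0-3])\s+([^;]+);[^;]*;(.+?)\s+\[")  # R1 name;desc;path [..]
ABS_PATH_RE = re.compile(r"^[A-Za-z]:\\")


def triage(log_text):
    """Return the review points found in a ComboFix-style log, in file order."""
    findings, key = [], None
    lines = log_text.splitlines()
    for i, line in enumerate(lines):
        if m := KEY_RE.match(line):
            key = m.group(1)          # registry key the following values belong to
            continue
        lkey = (key or "").lower()
        if lkey.endswith("\\run") and (m := RUN_VALUE_RE.match(line)):
            name, value = m.groups()
            # A bare file name in a Run value is resolved through the search path
            # at logon, so it deserves a look even when the resolved file is benign.
            kind = "autostart" if ABS_PATH_RE.match(value) else "autostart_relative"
            findings.append(Finding(kind, name, value))
        elif "firewallpolicy" in lkey and (m := FIREWALL_RE.match(line)) and m.group(1) == "0":
            findings.append(Finding("firewall_disabled", key, line))
        elif "mountpoints2" in lkey and (m := AUTORUN_RE.match(line)):
            # Per-volume AutoRun command: the classic removable-media infection vector.
            findings.append(Finding("autorun_mountpoint", key.rsplit("\\", 1)[-1], m.group(1)))
        elif m := SERVICE_RE.match(line):
            findings.append(Finding("driver_service", m.group(2), m.group(3)))
        elif line.startswith("detected NTDLL code modification"):
            # catchme lists the modified exports on the next line, comma separated.
            hooked = [f.strip() for f in lines[i + 1].split(",")] if i + 1 < len(lines) else []
            findings.append(Finding("ntdll_hooks", "catchme", hooked))
    return findings
```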

offline
  • diarno  Male
  • Anti Malware Fighter
    Rank 2
  • Joined: 15 Jun 2007
  • Posts: 5572

When we finish the case here I'll give you instructions that will uninstall Combofix and delete that backup... So those files are malicious and there is no need to keep them :)

As for registry cleaners... Look, in general registry cleaners are not snake oil.. They (in my opinion) can't speed up the system, but they can fix some errors that led to the system slowing down through a bad program uninstall or things like that... let's not go into details ;)

Of course, there are programs that sell snake oil and supposedly solve all problems :) But there are programs like that everywhere (e.g. fake AV programs etc.) ;)


Next.. combofix restored the system's default settings (security system, system restore, default browser etc.); you will have to restore those yourself ;)

And finally... Run Avira and let me know whether there are still any problems...

offline
  • still 
  • Distinguished citizen
  • Joined: 25 Feb 2005
  • Posts: 639
  • Location: beli_grad>gistro

Here, everything is clean! It reported one warning but 0 detections/hidden files etc.
The warning is listed in the log I attached.

Should I use some software for uninstalling programs, or is that unnecessary?

Addendum: 27 Mar 2009 1:57

Can I get those instructions for removing Combo?

offline
  • diarno  Male
  • Anti Malware Fighter
    Rank 2
  • Joined: 15 Jun 2007
  • Posts: 5572

Of course :D

Click START and then RUN
In the text entry line type Combofix /u and click OK

Wait for the uninstall process to finish

The above procedure will:
Delete the following:
ComboFix and its files and folders
VundoFix Backups folder, if it exists
C:\Deckard folder, if it exists
C:\OtMoveIt folder, if it exists

Reset the clock settings on the computer
Hide file extensions, if necessary
Hide system/hidden files/folders, if necessary
Reset System Restore


All uninstaller programs do one and the same thing... They launch the program's own uninstaller... If the program is badly written... then it will leave something behind.... I use those uninstall applications only for non-security programs.... Security programs I still let do their own job ;)
