Malware deletes boot.ini


  • drejk
  • Respected citizen
  • Joined: 31 Mar 2005
  • Posts: 448
  • Location: Novi Beograd

A few days ago, while booting Windows (XP), it reported that boot.ini is corrupt or missing.

I didn't pay attention (I thought I had carelessly deleted it or that some registry fix had messed it up), and I created a new one.

After the next boot the same thing happened, and I noticed that Dev-Cpp, which is installed in the root, had been deleted too.

NOD32 found nothing (which isn't surprising at all); I don't recall doing anything unusual on the net or the like (I use ADSL).
I also noticed that CPU usage is between 50% and 100% and doesn't drop below that.

On Google I found that someone managed to solve it by disabling askupdate, or some service with a name like that, in msconfig. I tried that too; boot.ini and Dev-Cpp are no longer being deleted, but CPU usage is still very high.



Attached are the DDS and GMER logs...


DDS (Ver_09-09-29.01) - NTFSx86
Run by Drejk at 21:44:53.59 on Mon 10/05/2009
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_16
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2558.1880 [GMT 2:00]

AV: ESET NOD32 antivirus system 2.70 *On-access scanning enabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Philips\Philips Device Manager\Bin\DeviceManager.exe
C:\Program Files\PowerISO\PWRISOVM.EXE
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\Sys32\LUFO.exe
C:\Program Files\VMware\VMware Workstation\hqtray.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe
C:\Program Files\DAEMON Tools Lite\daemon.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\Program Files\Gigabyte\Gigabyte Windows Utility Manager\gwum.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Eset\nod32krn.exe
c:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe
C:\Program Files\Spyware Terminator\sp_rsser.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\System32\TUProgSt.exe
C:\Program Files\Common Files\VMware\VMware Virtual Image Editing\vmount2.exe
C:\WINDOWS\system32\vmnat.exe
C:\WINDOWS\system32\mqsvc.exe
C:\Program Files\VMware\VMware Workstation\vmware-authd.exe
C:\WINDOWS\system32\vmnetdhcp.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Drejk\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.ask.com/?o=13928&l=dis
uURLSearchHooks: DeviceVM Url Search Hook: {0063bf63-bfff-4b8f-9d26-4267df7f17dd} - c:\windows\system32\dvmurl.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: : {1cb20bf0-bbae-40a7-93f4-6435ff3d0411} - c:\progra~1\crawler\toolbar\ctbr.dll
BHO: AskBar BHO: {201f27d4-3704-41d6-89c1-aa35e39143ed} - c:\program files\askbardis\bar\bin\askBar.dll
BHO: IeCatch2 Class: {a5366673-e8ca-11d3-9cd9-0090271d075b} - c:\progra~1\flashget\jccatch.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: FlashGet Bar: {e0e899ab-f487-11d5-8d29-0050ba6940e3} - c:\progra~1\flashget\fgiebar.dll
TB: Ask Toolbar: {3041d03e-fd4b-44e0-b742-2d9b88305f98} - c:\program files\askbardis\bar\bin\askBar.dll
TB: &Crawler Toolbar: {4b3803ea-5230-4dc3-a7fc-33638f3d3542} - c:\progra~1\crawler\toolbar\ctbr.dll
uRun: [CTFMON.EXE] c:\windows\system32\ctfmon.exe
uRun: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "c:\program files\common files\ahead\lib\NMBgMonitor.exe"
uRun: [DAEMON Tools Lite] "c:\program files\daemon tools lite\daemon.exe" -autorun
uRun: [SpywareTerminatorUpdate] "c:\program files\spyware terminator\SpywareTerminatorUpdate.exe"
mRun: [nod32kui] "c:\program files\eset\nod32kui.exe" /WAITSERVICE
mRun: [MsmqIntCert] regsvr32 /s mqrt.dll
mRun: [NVRTCLK] c:\windows\system32\nvrtclk\NVRTClk.exe
mRun: [WinampAgent] c:\program files\winamp\winampa.exe
mRun: [PhilipsDM] "c:\program files\philips\philips device manager\bin\DeviceManager.exe"
mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe
mRun: [PWRISOVM.EXE] c:\program files\poweriso\PWRISOVM.EXE
mRun: [StartCCC] "c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe" MSRun
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [LUFO Agent] c:\windows\system32\sys32\LUFO.exe
mRun: [VMware hqtray] "c:\program files\vmware\vmware workstation\hqtray.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
dRunOnce: [nltide_2] regsvr32 /s /n /i:U shell32
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\gwum.lnk - c:\program files\gigabyte\gigabyte windows utility manager\gwum.exe
IE: Crawler Search - tbr:iemenu
IE: Download All by FlashGet - c:\program files\flashget\jc_all.htm
IE: Download using FlashGet - c:\program files\flashget\jc_link.htm
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - c:\progra~1\flashget\flashget.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
LSP: c:\windows\system32\imon.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
TCP: {1DD44644-3732-4483-8CE4-71419D5E7547} = 194.247.192.33,194.247.192.1
Handler: saphtmlp - {D1F8BD1E-7967-11D2-B43A-006094B9EADB} - c:\progra~1\common~1\sapsha~1\system\SAPHTMLP.DLL
Handler: sapr3 - {D1F8BD1E-7967-11D2-B43A-006094B9EADB} - c:\progra~1\common~1\sapsha~1\system\SAPHTMLP.DLL
Handler: tbr - {4D25FB7A-8902-4291-960E-9ADA051CFBBF} - c:\progra~1\crawler\toolbar\ctbr.dll
Notify: AtiExtEvent - Ati2evxx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\wpdshserviceobj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\drejk\applic~1\mozilla\firefox\profiles\s0ncbhjb.default\
FF - prefs.js: browser.search.selectedEngine - Ask
FF - prefs.js: browser.startup.homepage - www.google.com
FF - prefs.js: keyword.URL - hxxp://toolbar.ask.com/toolbarv/askRedirect?o=13925&gct=&gc=1&q=
FF - plugin: c:\program files\mozilla firefox\plugins\npvlc.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
pref(dom.disable_open_during_load, true);
FF - user.js: network.http.max-persistent-connections-per-server - 4
FF - user.js: nglayout.initialpaint.delay - 600
FF - user.js: content.notify.interval - 600000
FF - user.js: content.max.tokenizing.time - 1800000
FF - user.js: content.switch.threshold - 600000

============= SERVICES / DRIVERS ===============

R0 1394VDBG;1394 Host Debugger I/O Driver;c:\windows\system32\drivers\1394vdbg.sys [2008-4-14 11264]
R1 nod32drv;nod32drv;c:\windows\system32\drivers\nod32drv.sys [2008-12-13 15424]
R1 sp_rsdrv2;Spyware Terminator Driver 2;c:\windows\system32\drivers\sp_rsdrv2.sys [2009-5-27 142592]
R2 ETDrv;ETDrv;c:\windows\system32\drivers\ETDrv.sys [2008-12-13 162476]
R2 NOD32krn;NOD32 Kernel Service;c:\program files\eset\nod32krn.exe [2008-12-13 552064]
R2 TuneUp.ProgramStatisticsSvc;TuneUp Program Statistics Service;c:\windows\system32\TUProgSt.exe [2009-7-28 604488]
R3 MarkFun_NT;MarkFun_NT;c:\program files\gigabyte\gigabyte windows utility manager\MARKFUN.W32 [2008-12-13 8236]
S2 OracleOraHome90TNSListener;OracleOraHome90TNSListener; [x]
S3 npf;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2009-7-6 34064]
S3 WMIBIOS;%WMIBIOS.ServiceName%;c:\windows\system32\drivers\wmibios.sys [2008-12-13 18272]
S3 WMIINFO;WMIINFO Driver;c:\windows\system32\drivers\wmiinfo.sys [2008-12-13 21184]
S4 ASKUpgrade;ASKUpgrade;c:\program files\askbardis\bar\bin\ASKUpgrade.exe [2009-5-18 234888]
S4 RsFx0102;RsFx0102 Driver;c:\windows\system32\drivers\RsFx0102.sys [2008-7-10 242712]

=============== Created Last 30 ================

2009-10-05 21:38 <DIR> --d----- C:\Dev-Cpp
2009-10-05 21:29 <DIR> --d----- c:\windows\pss
2009-10-04 20:17 <DIR> --d----- c:\docume~1\drejk\applic~1\Pelles C
2009-10-04 20:14 <DIR> --d----- c:\program files\PellesC
2009-10-02 17:52 20,375 a------- c:\windows\system32\TuneUpDefragService_20091002-155251.dmp
2009-09-28 22:11 <DIR> --d----- c:\program files\Microsoft Visual Studio 8
2009-09-27 02:19 <DIR> --d----- c:\documents and settings\drejk\.idlerc
2009-09-26 20:28 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Paradox Interactive
2009-09-26 15:42 73,728 a------- c:\windows\system32\javacpl.cpl
2009-09-25 19:50 20,383 a------- c:\windows\system32\TuneUpDefragService_20090925-175003.dmp
2009-09-24 21:36 95 a------- c:\windows\system32\productregistry
2009-09-21 22:22 1,024 a------- c:\windows\system32\grcauth2.dll
2009-09-21 22:22 1,024 a------- c:\windows\system32\grcauth1.dll
2009-09-21 22:22 114 a------- c:\windows\system32\prsgrc.tgz
2009-09-21 22:22 100 a------- c:\windows\system32\prsgrc.dll
2009-09-21 22:22 1,024 a------- c:\windows\system32\clauth2.dll
2009-09-21 22:22 1,024 a------- c:\windows\system32\clauth1.dll
2009-09-21 22:22 14 a------- c:\windows\system32\ssprs.tgz
2009-09-21 22:22 0 a------- c:\windows\system32\ssprs.dll
2009-09-21 22:22 0 a------- c:\windows\system32\serauth2.dll
2009-09-21 22:22 0 a------- c:\windows\system32\serauth1.dll
2009-09-21 22:22 0 a------- c:\windows\system32\nsprs.tgz
2009-09-21 22:22 0 a------- c:\windows\system32\nsprs.dll
2009-09-21 22:22 <DIR> --d----- c:\docume~1\alluse~1\applic~1\SafeNet Sentinel
2009-09-21 22:22 <DIR> --d----- c:\program files\common files\Data Dynamics
2009-09-21 22:21 16 a---h--- c:\windows\system32\servdat.slm
2009-09-21 22:21 1,025 a------- c:\windows\system32\sysprs7.tgz
2009-09-21 22:21 1,025 a------- c:\windows\system32\sysprs7.dll
2009-09-21 22:21 219 a------- c:\windows\system32\lsprst7.tgz
2009-09-21 22:21 205 a------- c:\windows\system32\lsprst7.dll
2009-09-21 22:21 0 a------- C:\law.sp
2009-09-20 20:21 <DIR> --d----- c:\windows\system32\E177E04D548C4006A465EEB92D3DE021
2009-09-19 17:50 <DIR> a-d----- c:\docume~1\alluse~1\applic~1\Sports Interactive
2009-09-19 13:56 3,140 a--sh--- c:\docume~1\alluse~1\applic~1\KGyGaAvL.sys
2009-09-19 13:54 <DIR> --d----- c:\program files\common files\Protexis
2009-09-19 13:53 <DIR> --d----- c:\program files\common files\Corel
2009-09-19 13:53 <DIR> --d----- c:\program files\Corel
2009-09-13 11:14 <DIR> --d----- c:\docume~1\drejk\applic~1\SAS
2009-09-13 11:14 <DIR> --d----- c:\docume~1\alluse~1\applic~1\SAS
2009-09-13 11:06 0 a------- c:\windows\vpd.properties
2009-09-13 11:03 <DIR> --d----- c:\windows\system32\URTTEMP
2009-09-13 11:03 1,700,352 a------- c:\windows\system32\gdiplus.dll
2009-09-13 11:03 974,848 a------- c:\windows\system32\mfc70.dll
2009-09-13 11:03 964,608 a------- c:\windows\system32\mfc70u.dll
2009-09-13 11:03 487,424 a------- c:\windows\system32\msvcp70.dll
2009-09-13 11:03 344,064 a------- c:\windows\system32\msvcr70.dll
2009-09-13 11:03 84,992 a------- c:\windows\system32\atl70.dll
2009-09-13 11:03 54,784 a------- c:\windows\system32\msvci70.dll
2009-09-11 21:07 <DIR> --dsh--- c:\documents and settings\drejk\IECompatCache
2009-09-11 21:02 <DIR> --dsh--- c:\documents and settings\drejk\PrivacIE

==================== Find3M ====================

2009-09-26 15:42 411,368 a------- c:\windows\system32\deploytk.dll
2009-08-08 16:01 21,840 a------t c:\windows\system32\SIntfNT.dll
2009-08-08 16:01 17,212 a------t c:\windows\system32\SIntf32.dll
2009-08-08 16:01 12,067 a------t c:\windows\system32\SIntf16.dll
2009-08-05 11:01 204,800 a------- c:\windows\system32\mswebdvd.dll
2009-07-28 23:01 604,488 a------- c:\windows\system32\TUProgSt.exe
2009-07-28 23:01 361,288 a------- c:\windows\system32\TuneUpDefragService.exe
2009-07-17 21:01 58,880 a------- c:\windows\system32\atl.dll
2009-07-15 11:48 29,000 a------- c:\windows\system32\uxtuneup.dll
2009-07-13 23:43 286,208 a------- c:\windows\system32\wmpdxm.dll
2008-12-13 16:55 16,384 ac-sh--- c:\windows\system32\config\systemprofile\cookies\index.dat
2008-12-13 16:55 32,768 ac-sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\index.dat
2008-12-13 16:55 32,768 ac-sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008121320081214\index.dat
2008-12-13 16:55 32,768 ac-sh--- c:\windows\system32\config\systemprofile\local settings\temporary internet files\content.ie5\index.dat

============= FINISH: 21:45:11.70 ===============

  • dr_Bora
  • Anti Malware Fighter
    Rank 2
  • Joined: 24 Jul 2007
  • Posts: 12280
  • Location: Höganäs, SE

Hello...


Follow the instructions below carefully.


Download sUBs' ComboFix from the following address to your Desktop:


Bleeping Computer
Right-click the link and choose the Save Target As... option (Save Link As..., Save Linked Content As... or similar);
When the dialog for choosing where to save the file opens, select Desktop and click Save.


When the download has finished:
disable your protection software (instructions);
close any running programs;
double-click ComboFix to run it.

While running, ComboFix will:
check whether a newer version of the program exists:
click Yes if offered to download it.
display the DISCLAIMER OF WARRANTY ON SOFTWARE:
click Yes so that the process continues.
if the Recovery Console is not installed, offer to install it:
be sure to accept by clicking Yes and follow the procedure.
ask a number of questions / show a number of notices:
accept by clicking Yes or OK.
restart Windows if needed (possibly several times);
at the end, open Notepad with the scan report.


Copy the report ComboFix created into the thread on the forum:
right-click in the Notepad window and choose Select All;
right-click the selected text and choose Copy;
right-click in the message box and choose Paste.


Note: The report will be saved under the name ComboFix.txt on the system partition (typical location: C:\ComboFix.txt);
If, after sending the message, you notice the report is incomplete, use the Attach file option to attach C:\ComboFix.txt to your post.

  • drejk
  • Respected citizen
  • Joined: 31 Mar 2005
  • Posts: 448
  • Location: Novi Beograd

Here you go...


ComboFix 09-10-04.01 - Drejk 10/05/2009 23:13.1.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2558.1793 [GMT 2:00]
Running from: c:\documents and settings\Drejk\Desktop\Malware Log Tools\ComboFix.exe
AV: ESET NOD32 antivirus system 2.70 *On-access scanning disabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\Microsoft\MSDN\9.0\1033\ResourceCache.dll
c:\documents and settings\All Users\Application Data\Microsoft\VBExpress\9.0\1033\ResourceCache.dll
c:\documents and settings\All Users\Application Data\Microsoft\VCExpress\9.0\1033\ResourceCache.dll
c:\documents and settings\All Users\Application Data\Microsoft\VCSExpress\9.0\1033\ResourceCache.dll
c:\documents and settings\Drejk\Application Data\Desktopicon
c:\documents and settings\Drejk\Application Data\Desktopicon\config.ini
c:\windows\SW_Win2000X1.DLL
c:\windows\SW_Win2146X32.DLL
c:\windows\system32\AdCache
c:\windows\system32\Cache
c:\windows\system32\lsprst7.dll
c:\windows\system32\nsprs.dll
c:\windows\system32\prsgrc.dll
c:\windows\system32\serauth1.dll
c:\windows\system32\serauth2.dll
c:\windows\system32\ssprs.dll
c:\windows\winhelp.ini

.
((((((((((((((((((((((((( Files Created from 2009-09-05 to 2009-10-05 )))))))))))))))))))))))))))))))
.

2009-10-05 19:38 . 2009-10-05 19:39 -------- d-----w- C:\Dev-Cpp
2009-10-05 19:32 . 2009-10-05 19:32 -------- d-----w- c:\documents and settings\All Users\Application Data\ATI
2009-10-04 18:17 . 2009-10-04 18:41 -------- d-----w- c:\documents and settings\Drejk\Application Data\Pelles C
2009-10-04 18:14 . 2009-10-04 18:41 -------- d-----w- c:\program files\PellesC
2009-09-28 20:58 . 2009-09-28 21:06 -------- d-----w- c:\documents and settings\Drejk\Local Settings\Application Data\Temporary Projects
2009-09-28 20:11 . 2009-09-30 16:34 -------- d-----w- c:\program files\Microsoft Visual Studio 8
2009-09-27 00:19 . 2009-09-27 00:19 -------- d-----w- c:\documents and settings\Drejk\.idlerc
2009-09-26 18:28 . 2009-09-26 18:28 -------- d-----w- c:\documents and settings\All Users\Application Data\Paradox Interactive
2009-09-26 13:42 . 2009-09-26 13:42 -------- d-----w- c:\program files\Java
2009-09-26 10:17 . 2009-09-26 10:17 -------- d-----w- c:\documents and settings\Default User\Local Settings\Application Data\Microsoft Help
2009-09-26 09:01 . 2009-09-26 13:23 79632 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2009-09-24 20:34 . 2009-09-28 19:40 -------- d-----w- c:\documents and settings\Drejk\Application Data\Notepad++
2009-09-21 20:24 . 2009-09-21 20:27 -------- d-----w- c:\documents and settings\Drejk\Local Settings\Application Data\Amos 16.0
2009-09-21 20:22 . 2009-09-21 20:22 1024 ----a-w- c:\windows\system32\grcauth2.dll
2009-09-21 20:22 . 2009-09-21 20:22 1024 ----a-w- c:\windows\system32\grcauth1.dll
2009-09-21 20:22 . 2009-09-21 20:22 1024 ----a-w- c:\windows\system32\clauth2.dll
2009-09-21 20:22 . 2009-09-21 20:22 1024 ----a-w- c:\windows\system32\clauth1.dll
2009-09-21 20:22 . 2009-09-21 20:22 -------- d-----w- c:\documents and settings\All Users\Application Data\SafeNet Sentinel
2009-09-21 20:22 . 2009-09-21 20:22 -------- d-----w- c:\program files\Common Files\Data Dynamics
2009-09-21 20:21 . 2009-09-21 20:21 1025 ----a-w- c:\windows\system32\sysprs7.dll
2009-09-20 18:21 . 2009-09-20 18:22 -------- d-----w- c:\windows\system32\E177E04D548C4006A465EEB92D3DE021
2009-09-19 15:50 . 2009-09-26 09:14 -------- d---a-w- c:\documents and settings\All Users\Application Data\Sports Interactive
2009-09-19 11:56 . 2009-09-19 11:56 -------- d-----w- c:\documents and settings\Drejk\Application Data\Corel
2009-09-19 11:54 . 2009-09-19 11:54 -------- d-----w- c:\program files\Common Files\Protexis
2009-09-19 11:53 . 2009-09-19 11:53 -------- d-----w- c:\program files\Common Files\Corel
2009-09-19 11:53 . 2009-09-19 11:53 -------- d-----w- c:\program files\Corel
2009-09-13 09:14 . 2007-09-13 09:20 -------- d-----w- c:\documents and settings\Drejk\Application Data\SAS
2009-09-13 09:14 . 2009-09-19 20:26 -------- d-----w- c:\documents and settings\All Users\Application Data\SAS
2009-09-13 09:03 . 2009-09-13 09:03 -------- d-----w- c:\windows\system32\URTTEMP
2009-09-13 09:03 . 2002-01-05 05:48 974848 ----a-w- c:\windows\system32\mfc70.dll
2009-09-13 09:03 . 2002-01-05 05:36 964608 ----a-w- c:\windows\system32\mfc70u.dll
2009-09-13 09:03 . 2002-01-05 04:40 487424 ----a-w- c:\windows\system32\msvcp70.dll
2009-09-13 09:03 . 2002-01-05 04:38 54784 ----a-w- c:\windows\system32\msvci70.dll
2009-09-13 09:03 . 2002-01-05 04:37 344064 ----a-w- c:\windows\system32\msvcr70.dll
2009-09-13 09:03 . 2002-01-05 03:18 84992 ----a-w- c:\windows\system32\atl70.dll
2009-09-13 09:03 . 2001-09-05 18:00 1700352 ----a-w- c:\windows\system32\gdiplus.dll
2009-09-11 19:07 . 2009-09-11 19:07 -------- d-sh--w- c:\documents and settings\Drejk\IECompatCache
2009-09-11 19:02 . 2009-09-11 19:02 -------- d-sh--w- c:\documents and settings\Drejk\PrivacIE

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-10-05 19:44 . 2009-08-09 14:23 -------- d-----w- c:\documents and settings\Drejk\Application Data\Dev-Cpp
2009-10-05 19:37 . 2009-07-20 17:42 -------- d-----w- c:\documents and settings\NetworkService\Application Data\VMware
2009-10-05 19:37 . 2009-07-20 17:37 -------- d-----w- c:\documents and settings\All Users\Application Data\VMware
2009-10-05 19:14 . 2008-12-27 18:04 -------- d-----w- c:\program files\FlashGet
2009-10-05 15:21 . 2008-12-22 14:00 -------- d-----w- c:\documents and settings\Drejk\Application Data\uTorrent
2009-10-05 15:12 . 2009-05-27 20:11 -------- d-----w- c:\documents and settings\All Users\Application Data\Spyware Terminator
2009-10-05 05:17 . 2009-05-27 20:11 -------- d-----w- c:\documents and settings\Drejk\Application Data\Spyware Terminator
2009-10-04 22:02 . 2009-08-12 21:04 -------- d-----w- c:\documents and settings\Drejk\Application Data\codeblocks
2009-09-30 16:32 . 2008-12-15 17:52 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2009-09-26 22:59 . 2009-06-28 11:12 -------- d-----w- c:\program files\Alawar
2009-09-26 19:13 . 2009-07-20 17:42 -------- d-----w- c:\documents and settings\Drejk\Application Data\VMware
2009-09-26 13:42 . 2008-12-20 13:47 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-09-26 13:25 . 2008-12-13 13:37 21096 ----a-w- c:\documents and settings\Drejk\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-09-26 09:13 . 2008-12-13 16:13 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-09-24 20:00 . 2009-06-27 20:38 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-09-20 21:41 . 2007-09-13 19:22 -------- d-----w- c:\program files\Common Files\Macromedia
2009-09-20 18:21 . 2008-12-13 16:13 -------- d-----w- c:\program files\Common Files\InstallShield
2009-09-19 15:28 . 2009-03-22 17:43 -------- d-----w- c:\documents and settings\Drejk\Application Data\Sports Interactive
2009-09-19 11:56 . 2009-09-19 11:56 3140 --sha-w- c:\documents and settings\All Users\Application Data\KGyGaAvL.sys
2009-09-14 20:01 . 2009-08-15 19:36 -------- d-----w- c:\documents and settings\Drejk\Application Data\Any Video Converter
2009-09-11 19:34 . 2009-05-23 13:12 -------- d-----w- c:\documents and settings\Drejk\Application Data\BSplayer PRO
2009-09-10 05:11 . 2009-06-06 21:23 -------- d-----w- c:\documents and settings\Drejk\Application Data\Azureus
2009-09-06 09:30 . 2009-05-27 20:10 -------- d-----w- c:\program files\Spyware Terminator
2009-09-05 22:00 . 2009-05-18 12:21 -------- d-----w- c:\documents and settings\Drejk\Application Data\Thinstall
2009-09-02 06:41 . 2008-12-13 13:39 -------- d-----w- c:\program files\Winamp
2009-08-15 19:36 . 2009-08-15 19:36 -------- d-----w- c:\program files\Any Video Converter
2009-08-09 15:42 . 2009-08-09 15:42 -------- d-----w- c:\program files\WinPcap
2009-08-09 12:28 . 2009-08-08 16:15 -------- d-----w- c:\program files\Farm Frenzy 2
2009-08-08 14:01 . 2009-08-07 11:00 21840 ----atw- c:\windows\system32\SIntfNT.dll
2009-08-08 14:01 . 2009-08-07 11:00 17212 ----atw- c:\windows\system32\SIntf32.dll
2009-08-08 14:01 . 2009-08-07 11:00 12067 ----atw- c:\windows\system32\SIntf16.dll
2009-08-06 17:24 . 2008-12-13 14:56 327896 ----a-w- c:\windows\system32\wucltui.dll
2009-08-06 17:24 . 2008-12-13 14:56 209632 ----a-w- c:\windows\system32\wuweb.dll
2009-08-06 17:24 . 2008-12-13 14:56 35552 ----a-w- c:\windows\system32\wups.dll
2009-08-06 17:24 . 2008-10-16 09:39 44768 ----a-w- c:\windows\system32\wups2.dll
2009-08-06 17:24 . 2008-12-13 14:56 53472 ----a-w- c:\windows\system32\wuauclt.exe
2009-08-06 17:24 . 2008-04-14 08:00 96480 ----a-w- c:\windows\system32\cdm.dll
2009-08-06 17:23 . 2008-12-13 14:56 575704 ----a-w- c:\windows\system32\wuapi.dll
2009-08-06 17:23 . 2008-12-13 14:56 1929952 ----a-w- c:\windows\system32\wuaueng.dll
2009-08-05 09:01 . 2008-04-14 08:00 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-07-28 21:01 . 2009-07-28 21:01 604488 ----a-w- c:\windows\system32\TUProgSt.exe
2009-07-28 21:01 . 2009-07-28 21:01 361288 ----a-w- c:\windows\system32\TuneUpDefragService.exe
2009-07-18 22:40 . 2009-07-18 22:40 128 ----a-w- c:\documents and settings\Drejk\Local Settings\Application Data\fusioncache.dat
2009-07-17 19:01 . 2008-04-14 08:00 58880 ----a-w- c:\windows\system32\atl.dll
2009-07-15 09:48 . 2009-07-28 21:01 29000 ----a-w- c:\windows\system32\uxtuneup.dll
2009-07-13 21:43 . 2008-07-12 19:25 286208 ----a-w- c:\windows\system32\wmpdxm.dll
.

------- Sigcheck -------

[-] 2008-07-12 . 362BC5AF8EAF712832C58CC13AE05750 . 1614848 . . [5.1.2600.5512] . . c:\windows\system32\sfcfiles.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{201f27d4-3704-41d6-89c1-aa35e39143ed}]
2009-04-02 10:47 333192 ----a-w- c:\program files\AskBarDis\bar\bin\askBar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{3041d03e-fd4b-44e0-b742-2d9b88305f98}"= "c:\program files\AskBarDis\bar\bin\askBar.dll" [2009-04-02 333192]

[HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}]
[HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{3041D03E-FD4B-44E0-B742-2D9B88305F98}"= "c:\program files\AskBarDis\bar\bin\askBar.dll" [2009-04-02 333192]

[HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}]
[HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\lib\NMBgMonitor.exe" [2005-11-24 94208]
"DAEMON Tools Lite"="c:\program files\DAEMON Tools Lite\daemon.exe" [2008-04-01 486856]
"SpywareTerminatorUpdate"="c:\program files\Spyware Terminator\SpywareTerminatorUpdate.exe" [2009-06-03 3055616]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"nod32kui"="c:\program files\Eset\nod32kui.exe" [2008-12-13 949376]
"NVRTCLK"="c:\windows\system32\NVRTCLK\NVRTClk.exe" [2003-12-30 24576]
"WinampAgent"="c:\program files\Winamp\winampa.exe" [2006-11-21 35328]
"PhilipsDM"="c:\program files\Philips\Philips Device Manager\Bin\DeviceManager.exe" [2006-09-28 659456]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"PWRISOVM.EXE"="c:\program files\PowerISO\PWRISOVM.EXE" [2008-01-20 217088]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2008-08-29 61440]
"LUFO Agent"="c:\windows\system32\Sys32\LUFO.exe" [2009-07-07 488448]
"VMware hqtray"="c:\program files\VMware\VMware Workstation\hqtray.exe" [2007-10-08 55856]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-09-26 149280]
"MsmqIntCert"="mqrt.dll" - c:\windows\system32\mqrt.dll [2008-04-14 177152]
"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.EXE [2008-08-26 16851456]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"nltide_2"="shell32" [X]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
gwum.lnk - c:\program files\Gigabyte\Gigabyte Windows Utility Manager\gwum.exe [2008-12-13 471040]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"ASKUpgrade"=2 (0x2)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"FreeRAM XP"="c:\program files\YourWare Solutions\FreeRAM XP Pro\FreeRAM XP Pro.exe" -win

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"d:\\BEOGRID\\StrongDC++\\StrongDC.exe"=
"c:\\WINDOWS\\system32\\mqsvc.exe"=
"c:\\Program Files\\eMule\\emule.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Spyware Terminator\\SpywareTerminatorUpdate.exe"=
"c:\\WINDOWS\\system32\\dplaysvr.exe"=
"c:\\Program Files\\Vuze\\Azureus.exe"=

R0 1394VDBG;1394 Host Debugger I/O Driver;c:\windows\system32\drivers\1394vdbg.sys [4/14/2008 10:00 AM 11264]
R1 nod32drv;nod32drv;c:\windows\system32\drivers\nod32drv.sys [12/13/2008 5:33 PM 15424]
R1 sp_rsdrv2;Spyware Terminator Driver 2;c:\windows\system32\drivers\sp_rsdrv2.sys [5/27/2009 10:11 PM 142592]
R2 ETDrv;ETDrv;c:\windows\system32\drivers\ETDrv.sys [12/13/2008 5:44 PM 162476]
R2 TuneUp.ProgramStatisticsSvc;TuneUp Program Statistics Service;c:\windows\system32\TUProgSt.exe [7/28/2009 11:01 PM 604488]
R3 MarkFun_NT;MarkFun_NT;c:\program files\Gigabyte\Gigabyte Windows Utility Manager\MARKFUN.W32 [12/13/2008 5:25 PM 8236]
S2 OracleOraHome90TNSListener;OracleOraHome90TNSListener; [x]
S3 npf;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [7/6/2009 8:47 AM 34064]
S3 WMIBIOS;%WMIBIOS.ServiceName%;c:\windows\system32\drivers\wmibios.sys [12/13/2008 5:30 PM 18272]
S3 WMIINFO;WMIINFO Driver;c:\windows\system32\drivers\wmiinfo.sys [12/13/2008 5:30 PM 21184]
S4 ASKUpgrade;ASKUpgrade;c:\program files\AskBarDis\bar\bin\ASKUpgrade.exe [5/18/2009 1:40 AM 234888]
S4 RsFx0102;RsFx0102 Driver;c:\windows\system32\drivers\RsFx0102.sys [7/10/2008 2:49 AM 242712]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - UXTDAPOW
*Deregistered* - uxtdapow

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder

2009-10-05 c:\windows\Tasks\1-Click Maintenance.job
- c:\program files\TuneUp Utilities 2009\OneClickStarter.exe [2009-07-16 08:54]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.ask.com/?o=13928&l=dis
IE: Crawler Search - tbr:iemenu
IE: Download All by FlashGet - c:\program files\FlashGet\jc_all.htm
IE: Download using FlashGet - c:\program files\FlashGet\jc_link.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
LSP: c:\windows\system32\imon.dll
TCP: {1DD44644-3732-4483-8CE4-71419D5E7547} = 194.247.192.33,194.247.192.1
Handler: tbr - {4D25FB7A-8902-4291-960E-9ADA051CFBBF} - c:\progra~1\Crawler\Toolbar\ctbr.dll
FF - ProfilePath - c:\documents and settings\Drejk\Application Data\Mozilla\Firefox\Profiles\s0ncbhjb.default\
FF - prefs.js: browser.search.selectedEngine - Ask
FF - prefs.js: browser.startup.homepage - www.google.com
FF - prefs.js: keyword.URL - hxxp://toolbar.ask.com/toolbarv/askRedirect?o=13925&gct=&gc=1&q=
FF - plugin: c:\program files\Mozilla Firefox\plugins\npvlc.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
pref(dom.disable_open_during_load, true);
FF - user.js: network.http.max-persistent-connections-per-server - 4
FF - user.js: nglayout.initialpaint.delay - 600
FF - user.js: content.notify.interval - 600000
FF - user.js: content.max.tokenizing.time - 1800000
FF - user.js: content.switch.threshold - 600000
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-10-05 23:16
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MarkFun_NT]
"ImagePath"="\??\c:\program files\Gigabyte\Gigabyte Windows Utility Manager\markfun.w32"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1256)
c:\windows\system32\Ati2evxx.dll
.
Completion time: 2009-10-05 23:17
ComboFix-quarantined-files.txt 2009-10-05 21:17

Pre-Run: 85,964,435,456 bytes free
Post-Run: 86,173,388,800 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect

275 --- E O F --- 2009-09-16 01:00

  • dr_Bora  Male
  • Anti Malware Fighter
    Rank 2
  • Joined: 24 Jul 2007
  • Posts: 12280
  • Location: Höganäs, SE

Upload the file: c:\windows\system32\sys32\LUFO.exe

via this link: http://www.mycity.rs/ambulanta-upload.php

  • drejk
  • Respected citizen
  • Joined: 31 Mar 2005
  • Posts: 448
  • Location: Novi Beograd

Uploaded...

  • dr_Bora  Male
  • Anti Malware Fighter
    Rank 2
  • Joined: 24 Jul 2007
  • Posts: 12280
  • Location: Höganäs, SE

Did you install Ardamax keylogger yourself?

Zip the folder C:\Qoobox\Quarantine and upload it via the link given earlier.

  • drejk
  • Respected citizen
  • Joined: 31 Mar 2005
  • Posts: 448
  • Location: Novi Beograd

Uploaded, and no, I didn't install it... damn it :)

  • dr_Bora  Male
  • Anti Malware Fighter
    Rank 2
  • Joined: 24 Jul 2007
  • Posts: 12280
  • Location: Höganäs, SE

Open Notepad and copy the following text into it:


File::
c:\windows\system32\Sys32\LUFO.exe

DirLook::
c:\windows\system32\Sys32

Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LUFO Agent"=-



Save the file from Notepad to the Desktop as "CFScript".

Drag the saved script/text onto the ComboFix icon as shown in the picture.
Post in your next message the log that is produced at the end of the cleaning/scan.

  • drejk
  • Respected citizen
  • Joined: 31 Mar 2005
  • Posts: 448
  • Location: Novi Beograd

Done and posted,

well done, master,

I think that's it, but please check.

btw... was it a keylogger? I see it made a pile of screenshots.

Would it be wise to change my passwords and such..?

thanks a lot...

  • dr_Bora  Male
  • Anti Malware Fighter
    Rank 2
  • Joined: 24 Jul 2007
  • Posts: 12280
  • Location: Höganäs, SE

This log looks strange to me, as if not everything that should have been done was done.

Please repeat the procedure from the previous post.
