Problem with the "Spyware Guard 2008" malware

  • BIO  Male
  • Super citizen
  • Joined: 12 Jun 2005
  • Posts: 1056
  • Location: Beograd

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:41:43, on 22.12.2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Tablet.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\WINDOWS\system32\Tablet.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Eset\nod32kui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\DAEMON Tools Lite\daemon.exe
C:\Program Files\Opera\opera.exe
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrobat.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\Documents and Settings\b\Desktop\ciscenje\tr3.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.facebook.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O1 - Hosts: 127.255.255.255 serial.alcohol-soft.com
O1 - Hosts: 127.255.255.255 www.alcohol-soft.com
O1 - Hosts: 127.255.255.255 images.alcohol-soft.com
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: ContributeBHO Class - {074C1DC5-9320-4A9A-947D-C042949C6216} - C:\Program Files\Adobe\/Adobe Contribute CS3/contributeieplugin.dll
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO_1.2.2.28.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.0.926.3450\swg.dll
O2 - BHO: Almsms - {E9B5BA28-C732-49DC-94CE-9079F7F75F4E} - C:\WINDOWS\system32\avt.dll (file missing)
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Contribute Toolbar - {517BDDE4-E3A7-4570-B21E-2B52B6139FC7} - C:\Program Files\Adobe\/Adobe Contribute CS3/contributeieplugin.dll
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [VMSnap3] C:\WINDOWS\VMSnap3.EXE
O4 - HKLM\..\Run: [BigDog303] C:\WINDOWS\VM303_STI.EXE VIMICRO USB PC Camera (ZC0301PLH)
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
O4 - HKLM\..\Run: [AdobeCS4ServiceManager] "C:\Program Files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" -launchedbylogin
O4 - HKLM\..\Run: [Adobe_ID0ENQBO] C:\PROGRA~1\COMMON~1\Adobe\ADOBEV~2\Server\bin\VERSIO~2.EXE
O4 - HKLM\..\Run: [spywareguard] C:\Program Files\Spyware Guard 2008\spywareguard.exe
O4 - HKLM\..\RunServices: [Microsoft Update] wuamgrd.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\daemon.exe" -autorun
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'Default user')
O8 - Extra context menu item: &D&ownload &with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: BitComet - {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://C:\Program Files\BitComet\tools\BitCometBHO_1.2.2.28.dll/206 (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O21 - SSODL: ieModule - {C63E21B8-6CF1-48CF-B800-F53BCFC618DF} - C:\Documents and Settings\All Users\Application Data\Microsoft\Internet Explorer\DLLs\ieModule.dll
O21 - SSODL: InternetConnection - {5C1523E8-C3F9-46BF-8AD6-F448D082A256} - C:\Documents and Settings\All Users\Application Data\Microsoft\Internet Explorer\DLLs\wluwmecrbt.dll
O23 - Service: Adobe Version Cue CS3 - Adobe Systems Incorporated - C:\Program Files\Common Files\Adobe\Adobe Version Cue CS3\Server\bin\VersionCueCS3.exe
O23 - Service: Adobe Version Cue CS4 - Adobe Systems Incorporated - C:\Program Files\Common Files\Adobe\Adobe Version Cue CS4\Server\bin\VersionCueCS4.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: MagicTuneEngine - Unknown owner - C:\Program Files\MagicTune Premium\MagicTuneEngine.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\system32\Tablet.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe

--
End of file - 8982 bytes

I have no idea how this got onto my computer, considering that I don't visit many sites and don't wander around much. I use NOD32 v2.7; is that enough, or should I add some anti-spyware or something similar? NOD32 reported an intrusion attempt from the site dornaboret.com and blocked it (terminate), several times. The last time it only gave me the delete option, which I took, and that's when the mess started. That site dornaboret.com opened instead of the dizajnzona forum; how, I have no idea. I didn't even notice when it opened instead of the forum and, since I was in a hurry, it stayed open.
Here is a picture of the sites from which this thing probably came (about 200kb) http://img227.imageshack.us/img227/3029/malwareva2.jpg
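The HijackThis log above is what the helpers read by eye. The script below is an added example (not part of the thread and not a HijackThis feature) that applies the same first-pass reading to the log: an O4 value whose target is a bare filename, SSODL (O21) DLLs living outside system32, orphaned BHOs, Hosts redirects, and processes started from a user's Desktop. The sample input is a verbatim excerpt of the log posted above; the severities are this script's heuristics, not a verdict.

```python
"""Triage a HijackThis v2 log for the persistence red flags seen in this thread.

Each rule is a heuristic a responder applies before deciding what to fix:
  * O4  - a Run/RunServices value whose target is a bare filename (no
          directory) is located through the search path; real installers
          write full paths, and a name like "Microsoft Update" is cheap cover.
  * O21 - ShellServiceObjectDelayLoad (SSODL) DLLs load into explorer.exe at
          logon; anything outside %SystemRoot%\\system32 deserves a look.
  * O2  - a BHO marked "(file missing)" / "(no file)" is an orphan registration.
  * O1  - Hosts entries show where name resolution has been redirected.
  * A running process launched from a user's Desktop is noted for review.
"""
import re
from dataclasses import dataclass

ENTRY_RE = re.compile(r"^(?P<sec>[A-Z]\d{1,2}) - (?P<body>.*)$")
RUN_RE = re.compile(r"^(?P<hive>\S+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
SYSTEM32_DLL = re.compile(r"^[a-z]:\\windows\\system32\\[^\\]+\.dll$", re.I)
DESKTOP = re.compile(r"\\Documents and Settings\\[^\\]+\\Desktop\\", re.I)


@dataclass
class Finding:
    severity: str  # "high" | "medium" | "info"
    section: str   # HJT section (O4, O21, ...) or "proc"
    detail: str


def parse_hjt(text):
    """Split a HijackThis log into (running_processes, [(section, body), ...])."""
    procs, entries, in_procs = [], [], False
    for raw in text.splitlines():
        line = raw.strip()
        if line == "Running processes:":
            in_procs = True
            continue
        if in_procs:
            if not line:            # blank line closes the process list
                in_procs = False
            else:
                procs.append(line)
            continue
        m = ENTRY_RE.match(line)
        if m:
            entries.append((m["sec"], m["body"]))
    return procs, entries


def target_of(cmd):
    """First token of an O4 command line: the quoted path, or up to the first space."""
    cmd = cmd.strip()
    return cmd.split('"')[1] if cmd.startswith('"') else cmd.split(" ")[0]


def triage(procs, entries):
    findings = []
    for p in procs:
        if DESKTOP.search(p):
            findings.append(Finding("info", "proc", f"process started from a Desktop folder: {p}"))
    for sec, body in entries:
        if sec == "O4":
            m = RUN_RE.match(body)
            if m and "\\" not in target_of(m["cmd"]):
                findings.append(Finding("high", sec,
                    f"{m['hive']} value [{m['name']}] runs bare filename {target_of(m['cmd'])!r}"))
        elif sec == "O21":
            path = body.split(" - ")[-1].strip()
            if not SYSTEM32_DLL.match(path):
                findings.append(Finding("high", sec, f"SSODL DLL outside system32: {path}"))
        elif sec == "O2" and body.endswith(("(file missing)", "(no file)")):
            findings.append(Finding("medium", sec, f"orphaned BHO: {body}"))
        elif sec == "O1":
            findings.append(Finding("info", sec, body))
    return findings


# Excerpt of the HijackThis log posted above (lines verbatim from the thread).
HJT_LOG = r"""Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:41:43, on 22.12.2008

Running processes:
C:\WINDOWS\System32\smss.exe
C:\Program Files\Eset\nod32krn.exe
C:\Documents and Settings\b\Desktop\ciscenje\tr3.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.facebook.com/
O1 - Hosts: 127.255.255.255 serial.alcohol-soft.com
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Almsms - {E9B5BA28-C732-49DC-94CE-9079F7F75F4E} - C:\WINDOWS\system32\avt.dll (file missing)
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [spywareguard] C:\Program Files\Spyware Guard 2008\spywareguard.exe
O4 - HKLM\..\RunServices: [Microsoft Update] wuamgrd.exe
O21 - SSODL: ieModule - {C63E21B8-6CF1-48CF-B800-F53BCFC618DF} - C:\Documents and Settings\All Users\Application Data\Microsoft\Internet Explorer\DLLs\ieModule.dll
O21 - SSODL: InternetConnection - {5C1523E8-C3F9-46BF-8AD6-F448D082A256} - C:\Documents and Settings\All Users\Application Data\Microsoft\Internet Explorer\DLLs\wluwmecrbt.dll
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
"""

if __name__ == "__main__":
    for f in sorted(triage(*parse_hjt(HJT_LOG)), key=lambda f: f.severity):
        print(f"[{f.severity:6}] {f.section:4} {f.detail}")
```

Run against the excerpt it reports three high findings: the RunServices value that launches `wuamgrd.exe` with no path, and the two SSODL DLLs under All Users\Application Data. The `(file missing)` BHO and the Hosts lines come out as medium and info, which matches how the later ComboFix run treated them (the avt.dll BHO ends up under "ORPHANS REMOVED").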

  • dr_Bora  Male
  • Anti Malware Fighter Rank 2
  • Joined: 24 Jul 2007
  • Posts: 12280
  • Location: Höganäs, SE

Hello...

Open the Nod32 Control Center (click its tray icon in the bottom right corner of the screen).
* Select AMON from the Threat Protection group of options.
* In the right-hand panel, untick the option File system monitor (AMON) enabled.
* Turning this option off will show as the Control Center changing colour from green to red.

Note: Don't forget to turn this option back on once the cleaning is finished.

Download ComboFix from one of the following addresses to the Desktop:
http://download.bleepingcomputer.com/sUBs/ComboFix.exe
http://www.forospyware.com/sUBs/ComboFix.exe
http://subs.geekstogo.com/ComboFix.exe

Run it and don't touch the program window while it scans.
Follow the on-screen instructions. When it finishes, a log will appear (C:\ComboFix.txt), which you should copy here for us.

  • BIO  Male
  • Super citizen
  • Joined: 12 Jun 2005
  • Posts: 1056
  • Location: Beograd

It doesn't work.

First, I couldn't download ComboFix.exe at all from any of the links you sent me. In Opera it just opens a blank page; if I right-click the link and Save As, it opens Transfers and says error; in Mozilla it tells me it can't open the page and that the link seems to be fine but it can't open it.

A friend downloaded ComboFix.exe for me and burned it to a disc. I copied it onto my machine, but it doesn't react at all! I click it and the little hourglass next to the cursor starts spinning, but in less than a second it disappears and nothing happens. I tried from Safe Mode, nothing.

Maybe this means something, I forgot to say above. When this first happened I tried System Restore, but it wouldn't respond, neither from Windows nor while Windows was booting (F8).

  • dr_Bora  Male
  • Anti Malware Fighter Rank 2
  • Joined: 24 Jul 2007
  • Posts: 12280
  • Location: Höganäs, SE

Try renaming the file ComboFix.exe to e.g. 123.exe and then running it.

If that doesn't work, do the following:

Download gmer.zip from this link and save it to the Desktop.
Unpack it into a folder.

Double-click gmer.exe to start: select the Rootkit/Malware tab at the top.
Click Scan.
When the scan is finished, click the Copy button below - this will save the scan results to the Clipboard.
Use Paste in Notepad to turn that into text. Save that text from Notepad as file1.txt.
Repeat the same with the Autostart tab. Save that text from Notepad as file2.txt.

Use the Attach file option below the message box on the forum and attach those two files you just saved.

If downloading Gmer isn't possible either, use the following link:
http://amf.mycity.rs/programs/mirrored/gmer.zip

  • BIO  Male
  • Super citizen
  • Joined: 12 Jun 2005
  • Posts: 1056
  • Location: Beograd

I managed with 123.exe, but my internet didn't work afterwards, so I restarted the computer and now I can't find that file to send it. Where do I find it?

Also, I only ran ComboFix.exe, not the other one; do I need that too?

  • dr_Bora  Male
  • Anti Malware Fighter Rank 2
  • Joined: 24 Jul 2007
  • Posts: 12280
  • Location: Höganäs, SE

The log is at C:\ComboFix.txt.

  • BIO  Male
  • Super citizen
  • Joined: 12 Jun 2005
  • Posts: 1056
  • Location: Beograd

ComboFix 08-12-21.04 - b 2008-12-23 14:47:49.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2047.1663 [GMT 1:00]
Running from: c:\documents and settings\b\Desktop\123.exe
* Resident AV is active


WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\Microsoft\Internet Explorer\DLLs\ieModule.dll
c:\documents and settings\All Users\Application Data\Microsoft\Internet Explorer\DLLs\moduleie.dll
c:\documents and settings\All Users\Application Data\svhost.exe
c:\documents and settings\b\Favorites\Cheap Pharmacy Online.url
c:\documents and settings\b\Favorites\Search Online.url
c:\documents and settings\b\Favorites\SMS TRAP.url
c:\documents and settings\b\Favorites\VIP Casino.url
c:\documents and settings\b\Start Menu\Cheap Pharmacy Online.url
c:\documents and settings\b\Start Menu\Search Online.url
c:\documents and settings\b\Start Menu\SMS TRAP.url
c:\documents and settings\b\Start Menu\VIP Casino.url
c:\program files\Spyware Guard 2008
c:\program files\Spyware Guard 2008\conf.cfg
c:\program files\Spyware Guard 2008\mbase.vdb
c:\program files\Spyware Guard 2008\quarantine.vdb
c:\program files\Spyware Guard 2008\queue.vdb
c:\program files\Spyware Guard 2008\spywareguard.exe
c:\program files\Spyware Guard 2008\uninstall.exe
c:\program files\Spyware Guard 2008\vbase.vdb
c:\windows\reged.exe
c:\windows\spoolsystem.exe
c:\windows\sys.com
c:\windows\syscert.exe
c:\windows\sysexplorer.exe
c:\windows\system32\~.exe
c:\windows\system32\c.ico
c:\windows\system32\drivers\TDSSmhxt.sys
c:\windows\system32\Dvbpws.dll
c:\windows\system32\m.ico
c:\windows\system32\p.ico
c:\windows\system32\s.ico
c:\windows\system32\TDSScfum.log
c:\windows\system32\TDSSfxwp.dll
c:\windows\system32\TDSSmaxt.dat
c:\windows\system32\TDSSnmxh.log
c:\windows\system32\TDSSnrsr.dll
c:\windows\system32\TDSSoexh.dll
c:\windows\system32\TDSSofxh.dll
c:\windows\system32\TDSSosvd.dll
c:\windows\system32\TDSSriqp.dll
c:\windows\system32\TDSSsbhc.log
c:\windows\system32\tmp.reg
c:\windows\system32\winscenter.exe
c:\windows\system32\wuamgrd.exe
c:\windows\vmreg.dll
L:\Autorun.inf

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_TDSSSERV.SYS
-------\Legacy_TDSSSERV.SYS


((((((((((((((((((((((((( Files Created from 2008-11-23 to 2008-12-23 )))))))))))))))))))))))))))))))
.

2008-12-17 21:46 . 2008-12-19 13:27 <DIR> d-------- C:\flashhh
2008-12-17 18:59 . 2008-12-17 18:59 <DIR> d-------- c:\windows\SHELLNEW
2008-12-17 18:59 . 2008-12-17 18:59 <DIR> d-------- c:\program files\Microsoft.NET
2008-12-17 18:59 . 2008-12-17 18:59 <DIR> d-------- c:\program files\Microsoft ActiveSync
2008-12-17 17:57 . 2008-12-17 17:57 <DIR> dr-h----- c:\documents and settings\b\Application Data\SecuROM
2008-12-17 17:56 . 2008-12-17 17:56 <DIR> d--h-c--- c:\documents and settings\All Users\Application Data\{0691F710-1ECA-4B5A-9727-25554F1BFDC6}
2008-12-17 17:43 . 2008-12-17 17:43 <DIR> d-------- C:\ProgramData
2008-12-17 17:43 . 2008-12-17 17:43 5,346 --a------ c:\windows\system32\ealregsnapshot1.reg
2008-12-14 22:13 . 2008-12-14 22:13 <DIR> d-------- c:\program files\Imagenomic
2008-12-07 12:47 . 2008-12-11 18:54 <DIR> d-------- C:\100CANON
2008-12-05 20:26 . 2008-12-05 20:26 <DIR> d-------- c:\program files\Adobe Media Player
2008-12-05 20:25 . 2008-12-05 20:25 <DIR> d-------- c:\program files\Common Files\Adobe AIR
2008-12-05 19:28 . 2008-12-05 22:40 <DIR> d-------- C:\WinFast WorkArea
2008-12-05 18:56 . 2008-12-05 19:46 <DIR> d-------- C:\Adobe CS4
2008-12-05 14:34 . 2008-12-05 14:59 <DIR> d-a------ c:\documents and settings\All Users\Application Data\TEMP
2008-12-05 14:32 . 2008-12-05 14:32 <DIR> d-------- c:\program files\Topaz Labs
2008-12-03 22:35 . 2005-10-17 17:15 2,605,056 --a------ c:\windows\system32\BCGCBPRO800u.dll
2008-12-03 22:35 . 2005-10-17 17:07 2,600,960 --a------ c:\windows\system32\BCGCBPRO800.dll
2008-12-03 22:35 . 2004-07-26 17:16 1,568,768 --a------ c:\windows\system32\imagX7.dll
2008-12-03 22:35 . 2004-07-26 17:16 476,320 --a------ c:\windows\system32\imagXpr7.dll
2008-12-03 22:35 . 2004-07-26 17:16 471,040 --a------ c:\windows\system32\imagXRA7.dll
2008-12-03 22:35 . 2004-07-09 09:43 364,544 --a------ c:\windows\system32\TwnLib4.dll
2008-12-03 22:35 . 2004-07-26 17:16 262,144 --a------ c:\windows\system32\imagXR7.dll
2008-12-03 22:35 . 2005-12-23 17:50 32,768 --a------ c:\windows\system32\BCGPOleAcc.dll
2008-12-02 18:06 . 2008-12-13 23:07 <DIR> d-------- C:\srdjannnnnnnnnnnnnnnnnnnnnnnnnnnnnn
2008-11-30 18:00 . 2008-11-30 18:00 <DIR> d-------- c:\program files\QT Lite
2008-11-30 18:00 . 2008-11-30 18:00 <DIR> d-------- c:\documents and settings\All Users\Application Data\Apple Computer
2008-11-30 18:00 . 2008-09-06 15:09 90,112 --a------ c:\windows\system32\QuickTimeVR.qtx
2008-11-30 18:00 . 2008-09-06 15:09 57,344 --a------ c:\windows\system32\QuickTime.qts
2008-11-25 15:36 . 2008-12-05 21:15 <DIR> d-------- C:\z
2008-11-23 13:34 . 2008-12-05 18:25 <DIR> d-------- c:\program files\ApexDC++_Gusari_XY6

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-23 13:45 --------- d-----w c:\documents and settings\b\Application Data\WTablet
2008-12-22 23:45 --------- d-----w c:\documents and settings\All Users\Application Data\Google Updater
2008-12-17 16:57 107,888 ----a-w c:\windows\system32\CmdLineExt.dll
2008-12-17 16:44 --------- d-----w c:\program files\Electronic Arts
2008-12-17 16:43 --------- d--h--w c:\program files\InstallShield Installation Information
2008-12-07 17:27 --------- d-----w c:\program files\Opera
2008-12-05 20:55 --------- d-----w c:\documents and settings\All Users\Application Data\FLEXnet
2008-12-05 19:41 --------- d-----w c:\program files\Common Files\Adobe
2008-12-05 17:52 --------- d-----w c:\program files\THQ
2008-12-05 17:48 --------- d-----w c:\program files\The Witcher
2008-12-03 21:36 --------- d-----w c:\program files\Nero
2008-12-03 21:36 --------- d-----w c:\program files\Common Files\Ahead
2008-11-30 09:34 --------- d-----w c:\program files\Soulseek
2008-11-30 09:32 --------- d-----w c:\program files\Winamp
2008-11-30 09:32 --------- d-----w c:\program files\Dofus
2008-11-30 09:32 --------- d-----w c:\program files\DeskCall NG
2008-11-25 22:38 --------- d-----w c:\program files\BitComet
2008-11-22 23:01 --------- d-----w c:\program files\Valve
2008-11-22 17:43 102,400 ----a-w c:\windows\DUMP86d3.tmp
2008-11-16 21:53 --------- d-----w c:\program files\Bethesda Softworks
2008-11-16 21:53 --------- d-----w c:\documents and settings\All Users\Application Data\Fallout3
2008-11-16 21:52 --------- d-----w c:\program files\MSBuild
2008-11-16 21:50 --------- d-----w c:\program files\Reference Assemblies
2008-11-16 21:29 --------- d-----w c:\program files\DAEMON Tools Lite
2008-11-16 21:27 716,272 ----a-w c:\windows\system32\drivers\sptd.sys
2008-11-16 21:26 --------- d-----w c:\documents and settings\b\Application Data\DAEMON Tools
2008-11-14 18:31 --------- d-----w c:\documents and settings\b\Application Data\ATI
2008-11-14 18:31 --------- d-----w c:\documents and settings\All Users\Application Data\ATI
2008-11-14 18:27 --------- d-----w c:\program files\ATI Technologies
2008-11-14 18:24 --------- d-----w c:\program files\Common Files\ATI Technologies
2008-11-14 17:15 --------- d-----w c:\program files\ATI Multimedia
2008-03-24 09:25 18,424 ----a-w c:\documents and settings\b\Application Data\GDIPFONTCACHEV1.DAT
2008-02-03 19:13 22,328 ----a-w c:\documents and settings\b\Application Data\PnkBstrK.sys
2006-06-23 06:48 32,768 ----a-r c:\windows\inf\UpdateUSB.exe
2008-03-04 22:22 56 --sh--r c:\windows\system32\11709D372B.sys
2008-03-04 22:22 1,682 --sha-w c:\windows\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-03 15360]
"msnmsgr"="c:\program files\MSN Messenger\msnmsgr.exe" [2007-01-19 5674352]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-08-04 1667584]
"DAEMON Tools Lite"="c:\program files\DAEMON Tools Lite\daemon.exe" [2008-02-14 486856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"nod32kui"="c:\program files\Eset\nod32kui.exe" [2007-08-08 949376]
"BigDog303"="c:\windows\VM303_STI.EXE" [2005-10-25 61440]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2008-07-16 61440]
"AdobeCS4ServiceManager"="c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" [2008-08-14 611712]
"Adobe_ID0ENQBO"="c:\progra~1\COMMON~1\Adobe\ADOBEV~2\Server\bin\VERSIO~2.EXE" [2008-08-15 378224]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"MySpaceIM"="c:\program files\MySpace\IM\MySpaceIM.exe" [2008-02-01 8699904]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.l3acm"= l3codecp.acm
"VIDC.AP41"= APmpg4v1.dll
"vidc.DIV3"= divxc32.dll
"VIDC.DIV4"= divxc32f.dll
"VIDC.HFYU"= huffyuv.dll
"VIDC.MJPG"= pvmjpg21.dll
"vidc.DIV2"= divxc32.dll
"msacm.divxa32"= msaud32_divx.acm

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^BlueSoleil.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\BlueSoleil.lnk
backup=c:\windows\pss\BlueSoleil.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^GammaTray.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\GammaTray.lnk
backup=c:\windows\pss\GammaTray.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^NCProTray.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\NCProTray.lnk
backup=c:\windows\pss\NCProTray.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 8.0]
--a------ 2007-05-10 22:46 624248 c:\program files\Adobe\Acrobat 8.0\Acrobat\acrotray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdobeUpdater]
--a------ 2007-02-28 23:06 2321600 c:\program files\Common Files\Adobe\Updater5\AdobeUpdater.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe_ID0EYTHM]
--a------ 2007-03-20 16:40 1884160 c:\progra~1\COMMON~1\Adobe\ADOBEV~1\Server\bin\VERSIO~2.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DeathAdder]
--a------ 2006-12-06 21:30 159744 c:\program files\Razer\DeathAdder\razerhid.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--------- 2004-08-04 00:06 1667584 c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Samsung Common SM]
--------- 2005-07-03 08:20 372736 c:\windows\Samsung\ComSMMgr\SSMMgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
-ra------ 2007-07-02 16:10 23237416 c:\program files\Skype\Phone\Skype.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Sony Ericsson PC Suite]
-ra------ 2005-10-26 16:17 159744 c:\program files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMAX]
--------- 2006-07-13 06:12 729088 c:\program files\Analog Devices\SoundMAX\SMax4.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMAXPnP]
-ra------ 2006-12-18 20:34 868352 c:\program files\Analog Devices\Core\smax4pnp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StartCCC]
--a------ 2008-07-16 16:57 61440 c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
--a------ 2008-02-11 12:11 1266936 c:\program files\Steam\Steam.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2007-09-25 00:11 132496 c:\program files\Java\jre1.6.0_03\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Sunkist2k]
--a------ 2005-05-18 14:29 131072 c:\program files\Multimedia Card Reader\shwicon2k.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Tarantula]
--a------ 2006-09-30 14:48 176128 c:\program files\Razer\Tarantula\razerhid.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinFast Schedule]
--a------ 2007-02-12 16:22 397312 c:\program files\WinFast\WFDTV\WFWIZ.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinFastDTV]
--a------ 2007-02-12 18:16 69632 c:\program files\WinFast\WFDTV\DTVSchdl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Half Life 2\\root\\hl2.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Valve\\hl.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\WINDOWS\\system32\\PnkBstrA.exe"=
"c:\\Games\\GamerX\\HL2\\hl2.exe"=
"c:\\Program Files\\TrillianAstra\\trillian.exe"=
"c:\\Program Files\\Trillian\\trillian.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=
"c:\\Program Files\\Opera\\Opera.exe"=
"c:\\Program Files\\BitComet\\BitComet.exe"=
"c:\\Program Files\\Fusion\\eyeonScript.exe"=
"c:\\Program Files\\Common Files\\Adobe\\Adobe Version Cue CS3\\Server\\bin\\VersionCueCS3.exe"=
"c:\\Program Files\\Valve\\hlds.exe"=
"c:\\WINDOWS\\system32\\rtcshare.exe"=
"c:\\Program Files\\NetMeeting\\conf.exe"=
"c:\\Program Files\\MySpace\\IM\\MySpaceIM.exe"=
"c:\\Program Files\\Common Files\\Adobe\\CS4ServiceManager\\CS4ServiceManager.exe"=
"c:\\Program Files\\Common Files\\Adobe\\Adobe Version Cue CS4\\Server\\bin\\VersionCueCS4.exe"=
"c:\\Program Files\\Electronic Arts\\EADM\\Core.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"23388:TCP"= 23388:TCP:BitCometBeta 23388 TCP
"23388:UDP"= 23388:UDP:BitCometBeta 23388 UDP
"3703:TCP"= 3703:TCP:Adobe Version Cue CS4 Server
"3704:TCP"= 3704:TCP:Adobe Version Cue CS4 Server
"50900:TCP"= 50900:TCP:Adobe Version Cue CS3 Server
"50901:TCP"= 50901:TCP:Adobe Version Cue CS3 Server
"5353:TCP"= 5353:TCP:Adobe CSI CS4
"51000:TCP"= 51000:TCP:Adobe Version Cue CS4 Server
"51001:TCP"= 51001:TCP:Adobe Version Cue CS4 Server

R1 BIOS;BIOS;\??\c:\windows\system32\drivers\BIOS.sys [2008-02-29 13696]
R1 nod32drv;nod32drv;c:\windows\system32\drivers\nod32drv.sys [2007-08-08 15424]
R3 AtiHdmiService;ATI Function Driver for HDMI Service;c:\windows\system32\drivers\AtiHdmi.sys [2008-11-14 93696]
S3 Adobe Version Cue CS4;Adobe Version Cue CS4;"c:\program files\Common Files\Adobe\Adobe Version Cue CS4\Server\bin\VersionCueCS4.exe" -win32service [2008-08-15 284016]
S3 DAdderFltr;DeathAdder Mouse;c:\windows\system32\drivers\dadder.sys [2007-10-12 22144]
S3 SE2Ebus;Sony Ericsson Device 046 Driver driver (WDM);c:\windows\system32\DRIVERS\SE2Ebus.sys [2007-10-30 61600]
S3 SE2Emdfl;Sony Ericsson Device 046 USB WMC Modem Filter;c:\windows\system32\DRIVERS\SE2Emdfl.sys [2007-10-30 9360]
S3 SE2Emdm;Sony Ericsson Device 046 USB WMC Modem Driver;c:\windows\system32\DRIVERS\SE2Emdm.sys [2007-10-30 97184]
S3 SE2Emgmt;Sony Ericsson Device 046 USB WMC Device Management Drivers (WDM);c:\windows\system32\DRIVERS\SE2Emgmt.sys [2007-10-30 88688]
S3 se2End5;Sony Ericsson Device 046 USB Ethernet Emulation SEMC46 (NDIS);c:\windows\system32\DRIVERS\se2End5.sys [2007-10-30 18704]
S3 SE2Eobex;Sony Ericsson Device 046 USB WMC OBEX Interface;c:\windows\system32\DRIVERS\SE2Eobex.sys [2007-10-30 86560]
S3 se2Eunic;Sony Ericsson Device 046 USB Ethernet Emulation SEMC46 (WDM);c:\windows\system32\DRIVERS\se2Eunic.sys [2007-10-30 90800]
S3 TarFltr;Razer Tarantula USB Keyboard;c:\windows\system32\Drivers\UsbFltr.sys [2007-10-12 44800]
S3 vmfilter303;vmfilter303;c:\windows\system32\drivers\vmfilter303.sys []
S3 WFIOCTL;WFIOCTL;\??\c:\program files\WinFast\WFDTV\WFIOCTL.SYS [2007-11-22 9446]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\L]
\Shell\AutoRun\command - L:\autorun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{091fa559-ae08-11dc-8d84-001bfc6f11b8}]
\Shell\AutoRun\command - L:\autorun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c8b56211-a743-11dc-8d6f-001bfc6f11b8}]
\Shell\Auto\command - UFO.exe
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL UFO.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{dfcc45cc-133b-11dd-8e6b-ad26502480a4}]
\Shell\Auto\command - Autorun.exe
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Autorun.exe

*Newly Created Service* - PROCEXP90
.
Contents of the 'Scheduled Tasks' folder

2008-12-23 c:\windows\Tasks\AC6C3F0E906FB1D6.job
- c:\docume~1\b\applic~1\spampr~1\Saveinternew.exe []

2008-12-04 c:\windows\Tasks\rpc.job
- c:\program files\Winferno\RegistryPowerCleaner\RegPowerClean.exe []
.
- - - - ORPHANS REMOVED - - - -

BHO-{E9B5BA28-C732-49DC-94CE-9079F7F75F4E} - c:\windows\system32\avt.dll
HKLM-Run-VMSnap3 - c:\windows\VMSnap3.EXE
HKLM-Run-spywareguard - c:\program files\Spyware Guard 2008\spywareguard.exe
MSConfigStartUp-ATI DeviceDetect - c:\program files\ATI Multimedia\main\ATIDtct.EXE
MSConfigStartUp-ATI Launchpad - c:\program files\ATI Multimedia\main\launchpd.exe
MSConfigStartUp-ATI Remote Control - c:\program files\ATI Multimedia\RemCtrl\ATIRW.exe
MSConfigStartUp-ATICCC - c:\program files\ATI Technologies\ATI.ACE\CLIStart.exe
MSConfigStartUp-ATIPTA - c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe
MSConfigStartUp-DAEMON Tools - c:\program files\DAEMON Tools\daemon.exe
MSConfigStartUp-DeskCallNG - c:\program files\DeskCall NG\DeskCallNG.exe
MSConfigStartUp-Domino - c:\windows\Domino.EXE
MSConfigStartUp-ISOUSER - c:\docume~1\b\APPLIC~1\SPAMPR~1\five way.exe
MSConfigStartUp-JMB36X Configure - c:\windows\system32\JMRaidSetup.exe
MSConfigStartUp-JMB36X IDE Setup - c:\windows\JM\JMInsIDE.exe
MSConfigStartUp-NeroFilterCheck - c:\windows\system32\NeroCheck.exe
MSConfigStartUp-Microsoft Update - wuamgrd.exe


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.facebook.com/
uInternet Settings,ProxyOverride = *.local
IE: &D&ownload &with BitComet - c:\program files\BitComet\BitComet.exe/AddLink.htm
IE: &D&ownload all video with BitComet - c:\program files\BitComet\BitComet.exe/AddVideo.htm
IE: &D&ownload all with BitComet - c:\program files\BitComet\BitComet.exe/AddAllLink.htm
IE: Append to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
LSP: c:\windows\system32\imon.dll
FF - ProfilePath - c:\documents and settings\b\Application Data\Mozilla\Firefox\Profiles\aqmzz32l.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.dizajnzona.com/forums/index.php?s=f9a25e7700c540583fd62500f34bc49a&showforum=32
FF - plugin: c:\program files\Google\Google Updater\2.4.1399.3742\npCIDetect13.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-23 14:57:38
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
BigDog303 = c:\windows\VM303_STI.EXE VIMICRO USB PC Camera (ZC0301PLH)????????????????0?????????@??????????????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\TDSSserv.sys]
"imagepath"="\systemroot\system32\drivers\TDSSmhxt.sys"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(700)
c:\windows\system32\Ati2evxx.dll
c:\program files\Common Files\Adobe\Adobe Drive CS4\AdobeDriveCS4_NP.dll

- - - - - - - > 'lsass.exe'(756)
c:\windows\system32\imon.dll
.
Completion time: 2008-12-23 15:00:30
ComboFix-quarantined-files.txt 2008-12-23 13:59:27

Pre-Run: 32,736,657,408 bytes free
Post-Run: 35,920,269,312 bytes free


offline
  • dr_Bora  Male
  • Anti Malware Fighter
    Rank 2
  • Joined: 24 Jul 2007
  • Posts: 12280
  • Location: Höganäs, SE

Open Notepad and copy the following text into it:

File::
c:\windows\Tasks\AC6C3F0E906FB1D6.job
c:\windows\Tasks\rpc.job

Folder::
c:\program files\Winferno

DirLook::
C:\flashhh
C:\z

Registry::
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c8b56211-a743-11dc-8d6f-001bfc6f11b8}]


Save the file from Notepad to the Desktop as "CFScript"


Drag the saved script/text onto the ComboFix icon as shown in the picture.
Post the log that is produced at the end of the cleaning/scanning in your next reply.



-------------------------------------------------------------------------------------



Download Deljob.
Double-click deljob.exe to run it.
The logfile logit.txt will open in Notepad (the file will be in the same folder as deljob.exe).
Copy the contents of that log into the forum thread.

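The CFScript above deletes only the MountPoints2 key whose autorun commands run a bare executable through RunDLL32, and leaves the plain L:\autorun.exe entry alone. As an added example (not ComboFix's code and not the helper's), the Python below reproduces that triage over a constructed sample built from lines of the log: it parses MountPoints2 autorun commands, the Security Center DisableNotify flags and scheduled-task targets, rates each finding, and emits the Registry:: deletion lines in the CFScript form used in the thread.

```python
"""Triage of ComboFix-style log text.

Added example for this thread, not ComboFix's or the helper's own code. It
flags the entries the helper acted on: MountPoints2 autorun commands, Security
Center notifications switched off, and scheduled tasks with no date/size
recorded. The sample log below is constructed from lines in the thread."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample, trimmed from the ComboFix log quoted above.
SAMPLE_LOG = r"""
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\L]
\Shell\AutoRun\command - L:\autorun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c8b56211-a743-11dc-8d6f-001bfc6f11b8}]
\Shell\Auto\command - UFO.exe
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL UFO.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

2008-12-23 c:\windows\Tasks\AC6C3F0E906FB1D6.job
- c:\docume~1\b\applic~1\spampr~1\Saveinternew.exe []
"""

MOUNTPOINT_RE = re.compile(r"^\[(HKEY_CURRENT_USER\\.*?\\mountpoints2\\[^\]]+)\]$", re.I)
SHELL_CMD_RE = re.compile(r"^\\Shell\\(\w+)\\command - (.+)$", re.I)
SECCENTER_RE = re.compile(r"^\[HKEY_LOCAL_MACHINE\\software\\microsoft\\security center\]$", re.I)
DISABLE_RE = re.compile(r'^"(\w+DisableNotify)"=dword:0*1$', re.I)
TASK_RE = re.compile(r"^\d{4}-\d{2}-\d{2} (\S+\.job)$", re.I)
TASK_TARGET_RE = re.compile(r"^- (.+?) \[(.*)\]$")


@dataclass
class Finding:
    severity: str  # "high" (act on it) or "review" (confirm with the user first)
    where: str     # registry key or scheduled-task path
    detail: str


def classify_autorun(verb: str, command: str) -> tuple[str, str]:
    """Rate one \\Shell\\<verb>\\command value from a MountPoints2 key."""
    cmd = command.strip()
    if "shellexec_rundll" in cmd.lower():
        # RunDLL32 + ShellExec_RunDLL is how the worm-style entries in the log start their payload.
        return "high", f"Shell\\{verb}\\command launches via RunDLL32 ShellExec_RunDLL: {cmd}"
    if "\\" not in cmd and ":" not in cmd:
        # A bare file name resolves relative to the drive root: the usual shape of a USB autorun dropper.
        return "high", f"Shell\\{verb}\\command is a bare executable relative to the drive root: {cmd}"
    return "review", f"Shell\\{verb}\\command runs {cmd}; confirm the drive is expected to carry an autorun"


def triage(log_text: str) -> list[Finding]:
    findings: list[Finding] = []
    section: str | None = None  # registry key currently open; a blank line closes it
    task: str | None = None     # scheduled task whose "- target [info]" line comes next
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            section = None
            continue
        if m := MOUNTPOINT_RE.match(line):
            section = m.group(1)
            continue
        if SECCENTER_RE.match(line):
            section = "security center"
            continue
        if m := TASK_RE.match(line):
            task = m.group(1)
            continue
        if section == "security center":
            if m := DISABLE_RE.match(line):
                findings.append(Finding("high", section, f"{m.group(1)} is set; no warning about missing AV or updates"))
        elif section and "mountpoints2" in section.lower():
            if m := SHELL_CMD_RE.match(line):
                sev, detail = classify_autorun(m.group(1), m.group(2))
                findings.append(Finding(sev, section, detail))
        elif task and (m := TASK_TARGET_RE.match(line)):
            target, info = m.groups()
            if not info.strip():
                # ComboFix prints [date size] for a target it could read; empty brackets mean it found nothing.
                findings.append(Finding("review", task, f"task target {target} has no date/size recorded"))
            task = None
    return findings


def cfscript_registry_lines(findings: list[Finding]) -> list[str]:
    """Registry:: lines in the CFScript form used in the thread: the leading '-'
    inside the brackets marks the key for deletion."""
    keys = {f.where for f in findings if f.severity == "high" and "mountpoints2" in f.where.lower()}
    return [f"[-{k}]" for k in sorted(keys)]
```

Running `triage(SAMPLE_LOG)` yields six findings, and `cfscript_registry_lines` returns exactly the one Registry:: line the helper wrote.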
offline
  • BIO  Male
  • Super citizen
  • Joined: 12 Jun 2005
  • Posts: 1056
  • Location: Beograd

ComboFix 08-12-21.04 - b 2008-12-25 2:43:52.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2047.1302 [GMT 1:00]
Running from: c:\documents and settings\b\Desktop\123.exe
Command switches used :: c:\documents and settings\b\Desktop\CFScript.txt
* Created a new restore point
* Resident AV is active


WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
c:\windows\Tasks\AC6C3F0E906FB1D6.job
c:\windows\Tasks\rpc.job
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\Dvbpws.dll
c:\windows\Tasks\AC6C3F0E906FB1D6.job
c:\windows\Tasks\rpc.job

.
((((((((((((((((((((((((( Files Created from 2008-11-25 to 2008-12-25 )))))))))))))))))))))))))))))))
.

2008-12-17 21:46 . 2008-12-19 13:27 <DIR> d-------- C:\flashhh
2008-12-17 18:59 . 2008-12-17 18:59 <DIR> d-------- c:\windows\SHELLNEW
2008-12-17 18:59 . 2008-12-17 18:59 <DIR> d-------- c:\program files\Microsoft.NET
2008-12-17 18:59 . 2008-12-17 18:59 <DIR> d-------- c:\program files\Microsoft ActiveSync
2008-12-17 17:57 . 2008-12-17 17:57 <DIR> dr-h----- c:\documents and settings\b\Application Data\SecuROM
2008-12-17 17:56 . 2008-12-17 17:56 <DIR> d--h-c--- c:\documents and settings\All Users\Application Data\{0691F710-1ECA-4B5A-9727-25554F1BFDC6}
2008-12-17 17:43 . 2008-12-17 17:43 <DIR> d-------- C:\ProgramData
2008-12-17 17:43 . 2008-12-17 17:43 5,346 --a------ c:\windows\system32\ealregsnapshot1.reg
2008-12-14 22:13 . 2008-12-14 22:13 <DIR> d-------- c:\program files\Imagenomic
2008-12-07 12:47 . 2008-12-11 18:54 <DIR> d-------- C:\100CANON
2008-12-05 20:26 . 2008-12-05 20:26 <DIR> d-------- c:\program files\Adobe Media Player
2008-12-05 20:25 . 2008-12-05 20:25 <DIR> d-------- c:\program files\Common Files\Adobe AIR
2008-12-05 19:28 . 2008-12-05 22:40 <DIR> d-------- C:\WinFast WorkArea
2008-12-05 18:56 . 2008-12-05 19:46 <DIR> d-------- C:\Adobe CS4
2008-12-05 14:34 . 2008-12-05 14:59 <DIR> d-a------ c:\documents and settings\All Users\Application Data\TEMP
2008-12-05 14:32 . 2008-12-05 14:32 <DIR> d-------- c:\program files\Topaz Labs
2008-12-03 22:35 . 2005-10-17 17:15 2,605,056 --a------ c:\windows\system32\BCGCBPRO800u.dll
2008-12-03 22:35 . 2005-10-17 17:07 2,600,960 --a------ c:\windows\system32\BCGCBPRO800.dll
2008-12-03 22:35 . 2004-07-26 17:16 1,568,768 --a------ c:\windows\system32\imagX7.dll
2008-12-03 22:35 . 2004-07-26 17:16 476,320 --a------ c:\windows\system32\imagXpr7.dll
2008-12-03 22:35 . 2004-07-26 17:16 471,040 --a------ c:\windows\system32\imagXRA7.dll
2008-12-03 22:35 . 2004-07-09 09:43 364,544 --a------ c:\windows\system32\TwnLib4.dll
2008-12-03 22:35 . 2004-07-26 17:16 262,144 --a------ c:\windows\system32\imagXR7.dll
2008-12-03 22:35 . 2005-12-23 17:50 32,768 --a------ c:\windows\system32\BCGPOleAcc.dll
2008-12-02 18:06 . 2008-12-13 23:07 <DIR> d-------- C:\srdjannnnnnnnnnnnnnnnnnnnnnnnnnnnnn
2008-11-30 18:00 . 2008-11-30 18:00 <DIR> d-------- c:\program files\QT Lite
2008-11-30 18:00 . 2008-11-30 18:00 <DIR> d-------- c:\documents and settings\All Users\Application Data\Apple Computer
2008-11-30 18:00 . 2008-09-06 15:09 90,112 --a------ c:\windows\system32\QuickTimeVR.qtx
2008-11-30 18:00 . 2008-09-06 15:09 57,344 --a------ c:\windows\system32\QuickTime.qts
2008-11-25 15:36 . 2008-12-05 21:15 <DIR> d-------- C:\z

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-24 12:22 --------- d-----w c:\program files\RapidTyping
2008-12-24 10:56 --------- d-----w c:\documents and settings\b\Application Data\WTablet
2008-12-24 00:46 --------- d-----w c:\documents and settings\All Users\Application Data\Google Updater
2008-12-17 16:57 107,888 ----a-w c:\windows\system32\CmdLineExt.dll
2008-12-17 16:44 --------- d-----w c:\program files\Electronic Arts
2008-12-17 16:43 --------- d--h--w c:\program files\InstallShield Installation Information
2008-12-07 17:27 --------- d-----w c:\program files\Opera
2008-12-05 20:55 --------- d-----w c:\documents and settings\All Users\Application Data\FLEXnet
2008-12-05 19:41 --------- d-----w c:\program files\Common Files\Adobe
2008-12-05 17:52 --------- d-----w c:\program files\THQ
2008-12-05 17:48 --------- d-----w c:\program files\The Witcher
2008-12-05 17:25 --------- d-----w c:\program files\ApexDC++_Gusari_XY6
2008-12-03 21:36 --------- d-----w c:\program files\Nero
2008-12-03 21:36 --------- d-----w c:\program files\Common Files\Ahead
2008-11-30 09:34 --------- d-----w c:\program files\Soulseek
2008-11-30 09:32 --------- d-----w c:\program files\Winamp
2008-11-30 09:32 --------- d-----w c:\program files\Dofus
2008-11-30 09:32 --------- d-----w c:\program files\DeskCall NG
2008-11-25 22:38 --------- d-----w c:\program files\BitComet
2008-11-22 23:01 --------- d-----w c:\program files\Valve
2008-11-22 17:43 102,400 ----a-w c:\windows\DUMP86d3.tmp
2008-11-16 21:53 --------- d-----w c:\program files\Bethesda Softworks
2008-11-16 21:53 --------- d-----w c:\documents and settings\All Users\Application Data\Fallout3
2008-11-16 21:52 --------- d-----w c:\program files\MSBuild
2008-11-16 21:50 --------- d-----w c:\program files\Reference Assemblies
2008-11-16 21:29 --------- d-----w c:\program files\DAEMON Tools Lite
2008-11-16 21:27 716,272 ----a-w c:\windows\system32\drivers\sptd.sys
2008-11-16 21:26 --------- d-----w c:\documents and settings\b\Application Data\DAEMON Tools
2008-11-14 18:31 --------- d-----w c:\documents and settings\b\Application Data\ATI
2008-11-14 18:31 --------- d-----w c:\documents and settings\All Users\Application Data\ATI
2008-11-14 18:27 --------- d-----w c:\program files\ATI Technologies
2008-11-14 18:24 --------- d-----w c:\program files\Common Files\ATI Technologies
2008-11-14 17:15 --------- d-----w c:\program files\ATI Multimedia
2008-03-24 09:25 18,424 ----a-w c:\documents and settings\b\Application Data\GDIPFONTCACHEV1.DAT
2008-02-03 19:13 22,328 ----a-w c:\documents and settings\b\Application Data\PnkBstrK.sys
2006-06-23 06:48 32,768 ----a-r c:\windows\inf\UpdateUSB.exe
2008-03-04 22:22 56 --sh--r c:\windows\system32\11709D372B.sys
2008-03-04 22:22 1,682 --sha-w c:\windows\system32\KGyGaAvL.sys
.

(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.

---- Directory of C:\flashhh ----

2008-12-17 19:53 419328 --a------ c:\flashhh\Instalacije programa\WinAmp Pro v5.541.2189+Keygen[h33t]MasterUploader\Keygen\KeyMaker.exe
2008-12-17 19:53 11485176 --a------ c:\flashhh\Instalacije programa\WinAmp Pro v5.541.2189+Keygen[h33t]MasterUploader\Setup\winamp5541_pro_all.exe
2008-12-17 19:52 7980 --a------ c:\flashhh\Instalacije programa\WinAmp Pro v5.541.2189+Keygen[h33t]MasterUploader\MasterUploader.nfo
2008-12-17 19:52 23 --a------ c:\flashhh\Instalacije programa\WinAmp Pro v5.541.2189+Keygen[h33t]MasterUploader\tracked_by_h33t_com.txt
2008-12-17 19:50 2533559 --a------ c:\flashhh\Instalacije programa\Total Commander 7.04 Incl Keygen [RSiP]\tc704.exe
2008-12-17 18:51 74672991 --a------ c:\flashhh\Office2003Lite-SFX.exe
2008-12-17 18:51 74672991 --a------ c:\flashhh\Instalacije programa\Office2003Lite-SFX.exe
2008-12-17 18:25 5797488 --a------ c:\flashhh\Instalacije programa\GOMPLAYERENSETUP.EXE
2008-12-17 18:25 5797488 --a------ c:\flashhh\GOMPLAYERENSETUP.EXE
2008-12-17 14:22 20372480 --a------ c:\flashhh\Instalacije programa\NOD32 Antivirus 3.0.642(with unlimited update fix)\Setup\eav_nt32_enu.msi
2008-12-17 14:21 6031 --a------ c:\flashhh\Instalacije programa\NOD32 Antivirus 3.0.642(with unlimited update fix)\READ ME!!!.txt
2008-12-17 14:18 78 --a------ c:\flashhh\Instalacije programa\NOD32 Antivirus 3.0.642(with unlimited update fix)\Setup\Desktop.ini
2008-12-17 14:18 380612 --a------ c:\flashhh\Instalacije programa\NOD32 Antivirus 3.0.642(with unlimited update fix)\Fix\NOD32_v3.0.642_32bit_FiX_1.2-TemDono.exe
2008-12-17 14:18 189 --a------ c:\flashhh\Instalacije programa\NOD32 Antivirus 3.0.642(with unlimited update fix)\Fix\Virus test check here.txt
2008-11-14 21:01 388110969 --a------ c:\flashhh\Instalacije programa\Nero 9.0.9.4b - multilanguage - Final New version\Nero-9.0.9.4b_trial.exe
2008-09-29 17:34 608 --a------ c:\flashhh\Instalacije programa\Nero 9.0.9.4b - multilanguage - Final New version\serials.txt
2008-05-05 20:48 142204 --a------ c:\flashhh\Thomson_V2.2.5.zip
2008-01-02 20:24 2795832 --a------ c:\flashhh\ptanks.exe
2008-01-02 20:24 2795832 --a------ c:\flashhh\Instalacije programa\ptanks.exe
2007-01-31 15:34 1797 --a------ c:\flashhh\New Folder\Thomson usb driver release notes.txt
2007-01-31 15:19 16488 --a------ c:\flashhh\New Folder\RCAUSBCM.INF
2007-01-31 11:35 16482 --a------ c:\flashhh\New Folder\RCAUSBCM.INF.bak
2007-01-24 16:05 43520 --a------ c:\flashhh\New Folder\URCACMNTamd64.exe
2007-01-12 11:36 32768 --a------ c:\flashhh\New Folder\URCACM.exe
2007-01-09 11:32 45056 --a------ c:\flashhh\New Folder\RmCable.exe
2007-01-05 14:03 16384 --a------ c:\flashhh\New Folder\NetRcaCmVistaI386.sys
2007-01-05 13:53 18560 --a------ c:\flashhh\New Folder\NetRcaCmNTamd64.sys
2007-01-05 10:37 43520 --a------ c:\flashhh\New Folder\RmCableNTamd64.exe
2006-06-02 10:17 14336 --a------ c:\flashhh\New Folder\NetRcaCmXP.sys
2005-12-25 23:54 8042 --a------ c:\flashhh\Instalacije programa\Steinberg.Nuendo.v3.2.0.1128.MERRY.XMAS-H2O\h2o.nfo
2005-12-25 23:54 575 --a------ c:\flashhh\Instalacije programa\Steinberg.Nuendo.v3.2.0.1128.MERRY.XMAS-H2O\file_id.diz
2005-12-22 19:14 164510110 --a------ c:\flashhh\Instalacije programa\Steinberg.Nuendo.v3.2.0.1128.MERRY.XMAS-H2O\setup.exe
2005-11-11 14:22 15401 --a------ c:\flashhh\New Folder\RcaCm.sys
2004-08-18 13:41 29184 --a------ c:\flashhh\New Folder\RNDISMPK.sys
2004-08-18 13:41 13824 --a------ c:\flashhh\New Folder\usb8023k.sys
2003-11-27 23:49 2000324 -ra------ c:\flashhh\Instalacije programa\CDex v1.51\cdex_151.exe
2003-11-27 23:49 2000324 -ra------ c:\flashhh\CDex v1.51\cdex_151.exe
2003-01-20 12:50 20648 -ra------ c:\flashhh\New Folder\netrcacm.sys

---- Directory of C:\z ----

2008-12-05 21:15 5120 --ahs---- c:\z\Thumbs.db
2007-08-07 23:44 108094 --a------ c:\z\The Secret.srt
2007-07-22 10:37 732917760 --a------ c:\z\The Secret.avi


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-03 15360]
"msnmsgr"="c:\program files\MSN Messenger\msnmsgr.exe" [2007-01-19 5674352]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-08-04 1667584]
"DAEMON Tools Lite"="c:\program files\DAEMON Tools Lite\daemon.exe" [2008-02-14 486856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"nod32kui"="c:\program files\Eset\nod32kui.exe" [2007-08-08 949376]
"BigDog303"="c:\windows\VM303_STI.EXE" [2005-10-25 61440]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2008-07-16 61440]
"AdobeCS4ServiceManager"="c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" [2008-08-14 611712]
"Adobe_ID0ENQBO"="c:\progra~1\COMMON~1\Adobe\ADOBEV~2\Server\bin\VERSIO~2.EXE" [2008-08-15 378224]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"MySpaceIM"="c:\program files\MySpace\IM\MySpaceIM.exe" [2008-02-01 8699904]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.l3acm"= l3codecp.acm
"VIDC.AP41"= APmpg4v1.dll
"vidc.DIV3"= divxc32.dll
"VIDC.DIV4"= divxc32f.dll
"VIDC.HFYU"= huffyuv.dll
"VIDC.MJPG"= pvmjpg21.dll
"vidc.DIV2"= divxc32.dll
"msacm.divxa32"= msaud32_divx.acm

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^BlueSoleil.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\BlueSoleil.lnk
backup=c:\windows\pss\BlueSoleil.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^GammaTray.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\GammaTray.lnk
backup=c:\windows\pss\GammaTray.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^NCProTray.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\NCProTray.lnk
backup=c:\windows\pss\NCProTray.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 8.0]
--a------ 2007-05-10 22:46 624248 c:\program files\Adobe\Acrobat 8.0\Acrobat\acrotray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdobeUpdater]
--a------ 2007-02-28 23:06 2321600 c:\program files\Common Files\Adobe\Updater5\AdobeUpdater.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe_ID0EYTHM]
--a------ 2007-03-20 16:40 1884160 c:\progra~1\COMMON~1\Adobe\ADOBEV~1\Server\bin\VERSIO~2.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DeathAdder]
--a------ 2006-12-06 21:30 159744 c:\program files\Razer\DeathAdder\razerhid.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--------- 2004-08-04 00:06 1667584 c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Samsung Common SM]
--------- 2005-07-03 08:20 372736 c:\windows\Samsung\ComSMMgr\SSMMgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
-ra------ 2007-07-02 16:10 23237416 c:\program files\Skype\Phone\Skype.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Sony Ericsson PC Suite]
-ra------ 2005-10-26 16:17 159744 c:\program files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMAX]
--------- 2006-07-13 06:12 729088 c:\program files\Analog Devices\SoundMAX\SMax4.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMAXPnP]
-ra------ 2006-12-18 20:34 868352 c:\program files\Analog Devices\Core\smax4pnp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StartCCC]
--a------ 2008-07-16 16:57 61440 c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
--a------ 2008-02-11 12:11 1266936 c:\program files\Steam\Steam.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2007-09-25 00:11 132496 c:\program files\Java\jre1.6.0_03\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Sunkist2k]
--a------ 2005-05-18 14:29 131072 c:\program files\Multimedia Card Reader\shwicon2k.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Tarantula]
--a------ 2006-09-30 14:48 176128 c:\program files\Razer\Tarantula\razerhid.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinFast Schedule]
--a------ 2007-02-12 16:22 397312 c:\program files\WinFast\WFDTV\WFWIZ.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinFastDTV]
--a------ 2007-02-12 18:16 69632 c:\program files\WinFast\WFDTV\DTVSchdl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Half Life 2\\root\\hl2.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Valve\\hl.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\WINDOWS\\system32\\PnkBstrA.exe"=
"c:\\Games\\GamerX\\HL2\\hl2.exe"=
"c:\\Program Files\\TrillianAstra\\trillian.exe"=
"c:\\Program Files\\Trillian\\trillian.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=
"c:\\Program Files\\Opera\\Opera.exe"=
"c:\\Program Files\\BitComet\\BitComet.exe"=
"c:\\Program Files\\Fusion\\eyeonScript.exe"=
"c:\\Program Files\\Common Files\\Adobe\\Adobe Version Cue CS3\\Server\\bin\\VersionCueCS3.exe"=
"c:\\Program Files\\Valve\\hlds.exe"=
"c:\\WINDOWS\\system32\\rtcshare.exe"=
"c:\\Program Files\\NetMeeting\\conf.exe"=
"c:\\Program Files\\MySpace\\IM\\MySpaceIM.exe"=
"c:\\Program Files\\Common Files\\Adobe\\CS4ServiceManager\\CS4ServiceManager.exe"=
"c:\\Program Files\\Common Files\\Adobe\\Adobe Version Cue CS4\\Server\\bin\\VersionCueCS4.exe"=
"c:\\Program Files\\Electronic Arts\\EADM\\Core.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"23388:TCP"= 23388:TCP:BitCometBeta 23388 TCP
"23388:UDP"= 23388:UDP:BitCometBeta 23388 UDP
"3703:TCP"= 3703:TCP:Adobe Version Cue CS4 Server
"3704:TCP"= 3704:TCP:Adobe Version Cue CS4 Server
"50900:TCP"= 50900:TCP:Adobe Version Cue CS3 Server
"50901:TCP"= 50901:TCP:Adobe Version Cue CS3 Server
"5353:TCP"= 5353:TCP:Adobe CSI CS4
"51000:TCP"= 51000:TCP:Adobe Version Cue CS4 Server
"51001:TCP"= 51001:TCP:Adobe Version Cue CS4 Server

R1 BIOS;BIOS;\??\c:\windows\system32\drivers\BIOS.sys [2008-02-29 13696]
R1 nod32drv;nod32drv;c:\windows\system32\drivers\nod32drv.sys [2007-08-08 15424]
R3 AtiHdmiService;ATI Function Driver for HDMI Service;c:\windows\system32\drivers\AtiHdmi.sys [2008-11-14 93696]
R3 usnjsvc;Messenger Sharing Folders USN Journal Reader service;"c:\program files\MSN Messenger\usnsvc.exe" [2007-01-19 97136]
S3 Adobe Version Cue CS4;Adobe Version Cue CS4;"c:\program files\Common Files\Adobe\Adobe Version Cue CS4\Server\bin\VersionCueCS4.exe" -win32service [2008-08-15 284016]
S3 DAdderFltr;DeathAdder Mouse;c:\windows\system32\drivers\dadder.sys [2007-10-12 22144]
S3 SE2Ebus;Sony Ericsson Device 046 Driver driver (WDM);c:\windows\system32\DRIVERS\SE2Ebus.sys [2007-10-30 61600]
S3 SE2Emdfl;Sony Ericsson Device 046 USB WMC Modem Filter;c:\windows\system32\DRIVERS\SE2Emdfl.sys [2007-10-30 9360]
S3 SE2Emdm;Sony Ericsson Device 046 USB WMC Modem Driver;c:\windows\system32\DRIVERS\SE2Emdm.sys [2007-10-30 97184]
S3 SE2Emgmt;Sony Ericsson Device 046 USB WMC Device Management Drivers (WDM);c:\windows\system32\DRIVERS\SE2Emgmt.sys [2007-10-30 88688]
S3 se2End5;Sony Ericsson Device 046 USB Ethernet Emulation SEMC46 (NDIS);c:\windows\system32\DRIVERS\se2End5.sys [2007-10-30 18704]
S3 SE2Eobex;Sony Ericsson Device 046 USB WMC OBEX Interface;c:\windows\system32\DRIVERS\SE2Eobex.sys [2007-10-30 86560]
S3 se2Eunic;Sony Ericsson Device 046 USB Ethernet Emulation SEMC46 (WDM);c:\windows\system32\DRIVERS\se2Eunic.sys [2007-10-30 90800]
S3 TarFltr;Razer Tarantula USB Keyboard;c:\windows\system32\Drivers\UsbFltr.sys [2007-10-12 44800]
S3 vmfilter303;vmfilter303;c:\windows\system32\drivers\vmfilter303.sys []
S3 WFIOCTL;WFIOCTL;\??\c:\program files\WinFast\WFDTV\WFIOCTL.SYS [2007-11-22 9446]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\L]
\Shell\AutoRun\command - L:\autorun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{091fa559-ae08-11dc-8d84-001bfc6f11b8}]
\Shell\AutoRun\command - L:\autorun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{dfcc45cc-133b-11dd-8e6b-ad26502480a4}]
\Shell\Auto\command - Autorun.exe
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Autorun.exe
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.facebook.com/
uInternet Settings,ProxyOverride = *.local
IE: &D&ownload &with BitComet - c:\program files\BitComet\BitComet.exe/AddLink.htm
IE: &D&ownload all video with BitComet - c:\program files\BitComet\BitComet.exe/AddVideo.htm
IE: &D&ownload all with BitComet - c:\program files\BitComet\BitComet.exe/AddAllLink.htm
IE: Append to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
LSP: c:\windows\system32\imon.dll
FF - ProfilePath - c:\documents and settings\b\Application Data\Mozilla\Firefox\Profiles\aqmzz32l.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.dizajnzona.com/forums/index.php?s=f9a25e7700c540583fd62500f34bc49a&showforum=32
FF - plugin: c:\program files\Google\Google Updater\2.4.1399.3742\npCIDetect13.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-25 02:46:52
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
BigDog303 = c:\windows\VM303_STI.EXE VIMICRO USB PC Camera (ZC0301PLH)????????????????0?????????@??????????????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(700)
c:\windows\system32\Ati2evxx.dll
c:\program files\Common Files\Adobe\Adobe Drive CS4\AdobeDriveCS4_NP.dll

- - - - - - - > 'lsass.exe'(756)
c:\windows\system32\imon.dll
.
Completion time: 2008-12-25 2:52:25
ComboFix-quarantined-files.txt 2008-12-25 01:51:41
ComboFix2.txt 2008-12-23 14:00:31

Pre-Run: 34.867.048.448 bytes free
Post-Run: 34,868,510,720 bytes free

--------------------------------------------------------
No LOP job-files found
--------------------------------------------------------
Files in Windows Tasks folder

--------------------------------------------------------
Export App Data folders
--------------------------------------------------------
Volume in drive C has no label.
Volume Serial Number is C002-B540

Directory of C:\ProgramData

17.12.2008 17:43 <DIR> .
17.12.2008 17:43 <DIR> ..
17.12.2008 17:43 <DIR> ELECTR~1 Electronic Arts
0 File(s) 0 bytes
3 Dir(s) 35.025.805.312 bytes free
--------------------------------------------------------
All User Accounts
--------------------------------------------------------
Administrator
All Users
b
--------------------------------------------------------

offline
  • dr_Bora  Male
  • Anti Malware Fighter
    Rank 2
  • Joined: 24 Jul 2007
  • Posts: 12280
  • Location: Höganäs, SE

Download Lop S&D to the Desktop.
Double-click LopSD.exe to run it.
On the first screen choose the language by typing E and Enter, then click OK.
Choose option 1 - Search by typing 1 and Enter.
Wait a few minutes for the program to finish scanning.
At the end of the process, the log C:\LopR.txt will open in Notepad.

Copy the resulting log into the forum thread.
