Log check

  • Joined: 21 Sep 2008
  • Posts: 238
  • Location: Bačka Palanka

HT Log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 22:52:13, on 18.12.2008
Platform: Windows XP SP3, v.3244 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0013)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\acs.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\ESET\ESET Smart Security\egui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Documents and Settings\Stefan\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
C:\Program Files\ESET\ESET Smart Security\ekrn.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\TUProgSt.exe
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\WINDOWS\system32\mspaint.exe
C:\WINDOWS\system32\spoolsv.exe
C:\totalcmd\TC PowerPack\TOTALCMD.EXE
D:\Stef4n\za malware\Hijack This\TR3.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.windowsxlive.net
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: FDMIECookiesBHO Class - {CC59E0F9-7E43-44FA-9FAA-8377850BF205} - C:\Program Files\Free Download Manager\iefdm2.dll
O3 - Toolbar: StylerToolBar - {D2F8F919-690B-4EA2-9FA7-A203D1E04F75} - C:\Program Files\Styler\TB\StylerTB.dll
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET Smart Security\egui.exe" /hide /waitservice
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Stefan\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [rs32net] C:\WINDOWS\System32\rs32net.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: Download video with Free Download Manager - file://C:\Program Files\Free Download Manager\dlfvideo.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Preuzmi odabrano Free Download Manager-om - file://C:\Program Files\Free Download Manager\dlselected.htm
O8 - Extra context menu item: Preuzmi sa Free Download Managerom - file://C:\Program Files\Free Download Manager\dllink.htm
O8 - Extra context menu item: Preuzmi sve sa Free Download Manager-om - file://C:\Program Files\Free Download Manager\dlall.htm
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{4F6198DD-FBC9-4ECF-9259-B28F52C27765}: NameServer = 85.255.113.130;85.255.112.64
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.113.130;85.255.112.64
O17 - HKLM\System\CS1\Services\Tcpip\..\{4F6198DD-FBC9-4ECF-9259-B28F52C27765}: NameServer = 85.255.113.130;85.255.112.64
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: NameServer = 85.255.113.130;85.255.112.64
O17 - HKLM\System\CS3\Services\Tcpip\..\{4F6198DD-FBC9-4ECF-9259-B28F52C27765}: NameServer = 85.255.113.130;85.255.112.64
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.113.130;85.255.112.64
O20 - Winlogon Notify: jqzaotzn - C:\WINDOWS\SYSTEM32\jqzaotzn.dll
O23 - Service: Atheros Configuration Service (ACS) - Atheros - C:\WINDOWS\system32\acs.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET Smart Security\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET Smart Security\ekrn.exe
O23 - Service: FCI - Unknown owner - C:\WINDOWS\system32\svchost.exe:ext.exe (file missing)
O23 - Service: ICF - Unknown owner - C:\WINDOWS\system32\svchost.exe:ext.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
O23 - Service: TuneUp Drive Defrag Service (TuneUp.Defrag) - TuneUp Software - C:\WINDOWS\System32\TuneUpDefragService.exe
O23 - Service: TuneUp Program Statistics Service (TuneUp.ProgramStatisticsSvc) - TuneUp Software - C:\WINDOWS\System32\TUProgSt.exe

--
End of file - 6108 bytes

  • dr_Bora
  • Anti Malware Fighter, Rank 2
  • Joined: 24 Jul 2007
  • Posts: 12280
  • Location: Höganäs, SE

Hello...


You have a couple of ''nice'' infections here. Let's take a closer look at what is going on there.



Download ComboFix from one of the following addresses to your Desktop:
http://download.bleepingcomputer.com/sUBs/ComboFix.exe
http://www.forospyware.com/sUBs/ComboFix.exe
http://subs.geekstogo.com/ComboFix.exe

Start it and do not touch the program window while it scans.
Follow the instructions on the screen. When it finishes, a log will appear (C:\ComboFix.txt), which you should copy here for us.
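As an added example (not part of the original thread and not HijackThis code), here is a small Python triage pass over the HijackThis log posted above. It flags the entries that stand out in that log: O17 resolvers that are not the ones the owner configured, the non-default Winlogon Notify DLL (O20), an O23 service whose image is an NTFS alternate data stream of svchost.exe, and an O4 Run entry in System32 that is not on an allow-list. The trusted-resolver set and the Run allow-list are assumptions made for the example, not data from the page; the sample lines are copied verbatim from the log above.

```python
"""Offline triage of a HijackThis 2.0 log.

Added example, not part of the original forum post and not HijackThis code.
The sample lines are copied from the log posted above; the allow-lists are
assumptions made for the example."""
import ipaddress
import re

# Sample input: a subset of the HijackThis lines posted above (copied verbatim).
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET Smart Security\egui.exe" /hide /waitservice
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [rs32net] C:\WINDOWS\System32\rs32net.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{4F6198DD-FBC9-4ECF-9259-B28F52C27765}: NameServer = 85.255.113.130;85.255.112.64
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.113.130;85.255.112.64
O20 - Winlogon Notify: jqzaotzn - C:\WINDOWS\SYSTEM32\jqzaotzn.dll
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET Smart Security\ekrn.exe
O23 - Service: FCI - Unknown owner - C:\WINDOWS\system32\svchost.exe:ext.exe (file missing)
"""

# Assumption: the resolvers the owner actually configured (hypothetical LAN router).
TRUSTED_DNS = {"192.168.1.1"}
# Assumption: Run entries under %SystemRoot% that are expected on this machine.
KNOWN_SYSTEM_RUN = {"ctfmon.exe"}

ADS_RE = re.compile(r"\.exe:[^\s\\]+", re.IGNORECASE)            # svchost.exe:ext.exe
RUN_TARGET_RE = re.compile(r'\]\s+"?([^"]+?\.exe)', re.IGNORECASE)
SYSROOT_RE = re.compile(r"^[A-Z]:\\WINDOWS\\", re.IGNORECASE)


def looks_random(name: str) -> bool:
    """Coarse heuristic for generated names: letters only, 7+ characters, and a
    run of three or more consonants.  Legitimate DLLs can trip this, so it only
    raises priority and never decides on its own."""
    return (name.isalpha() and len(name) >= 7
            and re.search(r"[^aeiouy]{3,}", name.lower()) is not None)


def triage(log_text: str, trusted_dns=frozenset(TRUSTED_DNS)):
    """Return (section, reason, line) for every HijackThis line worth a second look."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        section = line.split(" ", 1)[0]

        if section == "O17" and "NameServer = " in line:
            # Every resolver not on the trusted list is reported; a public one
            # on a home PC is the classic DNS-hijack pattern.
            for server in line.split("NameServer = ", 1)[1].split(";"):
                addr = ipaddress.ip_address(server.strip())
                if str(addr) not in trusted_dns:
                    tag = " (public)" if addr.is_global else ""
                    findings.append((section, f"unexpected resolver {addr}{tag}", line))

        elif section == "O20":
            # HijackThis only lists non-default Winlogon Notify packages, so any
            # O20 line is already unusual; a random-looking name raises priority.
            dll = line.rsplit(" - ", 1)[1]
            base = dll.rsplit("\\", 1)[-1].rsplit(".", 1)[0]
            reason = "non-default Winlogon Notify DLL"
            if looks_random(base):
                reason += ", random-looking name"
            findings.append((section, reason, line))

        elif section == "O23":
            if ADS_RE.search(line):
                findings.append((section, "service image is an NTFS alternate data stream", line))
            elif "(file missing)" in line:
                findings.append((section, "service points at a missing file", line))

        elif section == "O4":
            m = RUN_TARGET_RE.search(line)
            if m and SYSROOT_RE.match(m.group(1)):
                base = m.group(1).rsplit("\\", 1)[-1].lower()
                if base not in KNOWN_SYSTEM_RUN:
                    findings.append((section, f"Run entry in %SystemRoot% not on allow-list: {base}", line))
    return findings


if __name__ == "__main__":
    for section, reason, line in triage(SAMPLE_LOG):
        print(f"[{section}] {reason}\n    {line}")
```

Run against the sample it reports seven findings: both O17 lines (two public resolvers each), the O20 DLL with a random-looking name, the FCI service living in an alternate data stream, and rs32net.exe starting from System32. The ESET and ctfmon entries pass. The ADS check matters because a path like `svchost.exe:ext.exe` is the real svchost binary with a hidden stream attached, which is exactly what ComboFix later reports deleting.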

  • Joined: 21 Sep 2008
  • Posts: 238
  • Location: Bačka Palanka

Finally the log; I wasn't around for a couple of days, so excuse my lack of seriousness:
---
ComboFix 08-12-23.01 - Stefan 2008-12-23 23:17:04.7 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.895.614 [GMT 1:00]
Running from: c:\documents and settings\Stefan\Desktop\ComboFix.exe
* Resident AV is active

.
ADS - svchost.exe: deleted 25088 bytes in 1 streams.
/wow section - STAGE 41


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\drivers\ati7wcxx.sys
c:\windows\system32\drivers\msqpdxpqltoiqh.sys
c:\windows\system32\jqzaotzn.dll
c:\windows\system32\msqpdxorvdbrsr.dll
D:\resycled
d:\resycled\boot.com
E:\resycled
e:\resycled\boot.com
F:\resycled
f:\resycled\boot.com
.
---- Previous Run -------
.
C:\Autorun.inf
c:\docume~1\Stefan\LOCALS~1\Temp\tmp2.tmp
c:\program files\Mozilla Firefox\components\iamfamous.dll
C:\resycled
c:\resycled\boot.com
D:\Autorun.inf
E:\Autorun.inf
F:\Autorun.inf

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_ATI7WCXX
-------\Legacy_FCI
-------\Legacy_ICF
-------\Service_ati7wcxx
-------\Service_FCI
-------\Service_ICF
-------\Service_restore


((((((((((((((((((((((((( Files Created from 2008-11-23 to 2008-12-23 )))))))))))))))))))))))))))))))
.

2008-12-23 22:29 . 2008-12-23 22:29 <DIR> d-------- c:\windows\system32\VIRepair
2008-12-18 23:32 . 2008-12-18 23:33 <DIR> d-------- c:\program files\RogueRemover FREE
2008-12-16 22:42 . 2008-12-16 22:42 61,440 --a------ c:\windows\system32\drivers\htmsmm.sys
2008-12-16 21:09 . 2008-12-16 21:09 61,440 --a------ c:\windows\system32\drivers\ibsiwu.sys
2008-12-16 10:37 . 2008-12-16 10:37 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2008-12-16 10:37 . 2008-09-08 00:11 38,528 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2008-12-16 10:37 . 2008-09-08 00:11 17,200 --a------ c:\windows\system32\drivers\mbam.sys
2008-12-13 19:34 . 2008-12-13 19:36 <DIR> d-------- c:\program files\FOX Video Converter
2008-12-10 22:16 . 2008-12-10 22:16 <DIR> d-------- c:\program files\Uniblue
2008-12-10 21:55 . 2008-12-10 21:55 603,904 --a------ c:\windows\system32\TUProgSt.exe
2008-12-10 21:55 . 2008-12-10 21:55 362,240 --a------ c:\windows\system32\TuneUpDefragService.exe
2008-12-10 21:55 . 2008-11-12 16:44 27,904 --a------ c:\windows\system32\uxtuneup.dll
2008-12-10 21:54 . 2008-12-10 21:55 <DIR> d-------- c:\program files\TuneUp Utilities 2009
2008-12-10 21:32 . 2008-12-10 21:32 2 --a------ C:\-1732176044
2008-12-10 20:40 . 2008-12-10 20:40 <DIR> d-------- c:\program files\WinFlip
2008-12-10 20:40 . 2008-12-10 20:40 <DIR> d-------- c:\program files\TrueTransparency
2008-12-10 20:40 . 2008-12-23 22:29 <DIR> d-------- c:\program files\Styler
2008-12-10 20:38 . 2008-12-10 20:38 76,214 --a------ c:\windows\Icon_2.ico
2008-12-06 19:44 . 2008-12-06 19:45 <DIR> d-------- c:\program files\Planplus
2008-12-05 11:44 . 2008-12-05 11:44 <DIR> d-------- c:\documents and settings\Stefan\Application Data\Safer Networking
2008-12-05 11:43 . 2008-12-05 11:43 <DIR> d-------- c:\program files\Safer Networking
2008-12-02 11:01 . 2006-09-28 13:10 11,648 --a------ c:\windows\system32\drivers\ggsemc.sys
2008-12-02 11:00 . 2006-09-28 13:10 11,648 --a------ c:\windows\system32\drivers\gggen.sys
2008-11-30 16:42 . 2008-11-30 16:42 <DIR> d-------- c:\documents and settings\Stefan\Application Data\MSNInstaller
2008-11-28 14:37 . 2008-11-28 14:37 <DIR> d-------- c:\documents and settings\All Users\Application Data\TuneUp Software
2008-11-28 14:37 . 2008-11-28 14:37 <DIR> d--hs---- c:\documents and settings\All Users\Application Data\{55A29068-F2CE-456C-9148-C869879E2357}
2008-11-28 14:32 . 2008-11-28 14:32 <DIR> d-------- c:\program files\Windows Installer 4.5 SDK
2008-11-27 22:26 . 2008-11-27 22:26 <DIR> d-------- c:\documents and settings\Stefan\Application Data\Styler
2008-11-27 22:23 . 2008-12-23 22:30 <DIR> d-------- c:\windows\system32\VITrans
2008-11-27 22:23 . 2008-12-11 21:35 <DIR> d-------- C:\VTPFiles
2008-11-27 22:23 . 2004-11-27 19:00 94,208 --a------ c:\windows\system32\pskill.exe
2008-11-27 22:23 . 2008-11-27 22:23 78,942 --a------ c:\windows\Icon_1.ico
2008-11-27 22:23 . 2006-12-03 17:15 69,632 --a------ c:\windows\system32\moveex.exe
2008-11-27 22:23 . 2006-12-03 17:14 8,636 --a------ c:\windows\system32\modifype.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-16 21:42 102 ----a-w c:\program files\scmn.txt
2008-12-16 20:57 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-12-16 19:47 --------- d-----w c:\documents and settings\Stefan\Application Data\Free Download Manager
2008-12-13 18:35 81,920 ----a-w c:\documents and settings\Stefan\Application Data\ezpinst.exe
2008-12-13 18:35 47,360 ----a-w c:\windows\system32\drivers\pcouffin.sys
2008-12-13 18:35 47,360 ----a-w c:\documents and settings\Stefan\Application Data\pcouffin.sys
2008-12-13 18:35 --------- d-----w c:\documents and settings\Stefan\Application Data\Vso
2008-12-10 21:17 --------- dc-h--w c:\documents and settings\All Users\Application Data\{B46E1EF5-0B37-4DB4-A4E2-9F2B41036185}
2008-12-05 18:35 --------- d-----w c:\program files\Sony Ericsson
2008-11-30 11:29 --------- d-----w c:\documents and settings\All Users\Application Data\ESET
2008-11-26 13:59 --------- d-----w c:\documents and settings\Stefan\Application Data\mIRC
2008-11-26 13:58 --------- d-----w c:\program files\mIRC
2008-11-25 20:55 --------- d--h--w c:\program files\InstallShield Installation Information
2008-11-24 20:44 --------- d-----w c:\program files\MSN Messenger
2008-11-16 18:57 --------- d-----w c:\program files\Alcohol Soft
2008-11-15 18:08 --------- d-----w c:\program files\YouTube Downloader
2008-11-14 20:15 --------- d-----w c:\documents and settings\Stefan\Application Data\Teleca
2008-11-13 16:01 --------- d-----w c:\documents and settings\All Users\Application Data\WLInstaller
2008-11-12 12:02 --------- d-----w c:\program files\iPassion
2008-11-12 12:01 --------- d-----w c:\documents and settings\Stefan\Application Data\InstallShield
2008-11-12 12:00 --------- d-----w c:\program files\MSI
2008-11-10 20:02 --------- d-----w c:\documents and settings\Stefan\Application Data\Sony Ericsson
2008-11-10 19:57 --------- d-----w c:\program files\Common Files\Teleca Shared
2008-11-10 19:57 --------- d-----w c:\program files\Common Files\Sony Ericsson Shared
2008-11-10 19:57 --------- d-----w c:\documents and settings\All Users\Application Data\Teleca
2008-11-10 19:57 --------- d-----w c:\documents and settings\All Users\Application Data\Sony Ericsson
2008-11-08 20:58 --------- d-----w c:\documents and settings\Stefan\Application Data\Thunderbird
2008-11-08 20:57 --------- d-----w c:\program files\Mozilla Thunderbird
2008-11-04 19:46 --------- d-----w c:\documents and settings\Stefan\Application Data\Thinstall
2008-11-04 19:39 287,976 ----a-w C:\cc_20081104_203843.reg
2008-11-01 12:09 --------- d-----w c:\program files\The Weather Channel FW
2008-10-28 21:42 --------- d-----w c:\program files\Common Files\Adobe
2008-10-28 21:40 --------- d-----w c:\program files\HotPotatoes6
2008-10-28 21:39 --------- d-----w c:\program files\RapidTyping
2008-10-27 10:57 --------- d-----w c:\program files\Spybot - Search & Destroy
2008-10-26 15:31 --------- d-----w c:\documents and settings\Stefan\Application Data\skypePM
2008-10-26 15:28 --------- d-----w c:\documents and settings\All Users\Application Data\Skype
2008-10-23 08:52 --------- d-----w c:\documents and settings\Stefan\Application Data\Uniblue
2008-08-04 12:42 32 ----a-w c:\documents and settings\All Users\Application Data\ezsid.dat
2003-03-21 12:45 250,544 ----a-w c:\program files\Common Files\keyhelp.ocx
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="c:\program files\MSN Messenger\MsnMsgr.Exe" [2007-01-19 5674352]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2007-10-31 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"egui"="c:\program files\ESET\ESET Smart Security\egui.exe" [2007-12-21 1443072]
"AGRSMMSG"="AGRSMMSG.exe" [2006-06-29 c:\windows\AGRSMMSG.exe]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
2008-05-28 11:32 87352 c:\windows\system32\LMIinit.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.iv41"= ir41_32.dll
"msacm.l3acm"= L3codecp.acm
"msacm.divxa32"= DivXa32.acm
"vidc.asv2"= asusasv2.dll
"vidc.div3"= DivXc32.dll
"vidc.div4"= DivXc32f.dll
"vidc.ap41"= APmpg4v1.dll
"vidc.mjpg"= m3jpeg32.dll
"vidc.dmb1"= m3jpeg32.dll
"vidc.rud0"= rududu.dll
"vidc.mj2c"= M3JP2K32.dll
"vidc.mmes"= DigiVCap.dll
"vidc.vixl"= Miroxl32.dll
"vidc.sony"= sonydv.dll
"vidc.dv25"= DigiVCap.dll
"vidc.dv50"= DigiVCap.dll
"vidc.msmc"= DigiVCap.dll
"vidc.mmjp"= DigiVCap.dll
"vidc.3ivx"= 3ivxVfWCodec.dll
"vidc.vssv"= vsscodec.dll
"vidc.pim1"= pclepim1.dll
"vidc.advs"= Dvc.dll
"vidc.asv1"= asusasv1.dll
"vidc.aflc"= flccodec32.dll
"vidc.aasc"= Aasc32.dll
"vidc.avrn"= AvidAVICodec.dll
"VIDC.mszh"= avimszh.dll
"vidc.zlib"= avizlib.dll
"vidc.mwv1"= icmw_32.dll
"vidc.bt20"= btvvc32.drv
"vidc.y41p"= btvvc32.drv
"vidc.cscd"= camcodec.dll
"vidc.cdvc"= CSCCDVC.DLL
"vidc.ddvc"= CSCdvsd.DLL
"vidc.dps0"= DpsAviCC.dll
"vidc.dvx4"= divx4.dll
"vidc.em2v"= EtxCodec.dll
"vidc.frwd"= frwd.dll
"vidc.frwt"= frwt.dll
"vidc.frwu"= frwu.dll
"vidc.glzw"= GLZW.dll
"vidc.gpeg"= GPEG.dll
"vidc.hfyu"= huffyuv.dll
"vidc.i263"= i263_32.drv
"vidc.ir21"= IR21_R.DLL
"vidc.rt21"= IR21_R.DLL

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 nwprovau

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
backup=c:\windows\pss\Adobe Gamma Loader.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Synchronizer.lnk]
backup=c:\windows\pss\Adobe Reader Synchronizer.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2007-05-11 03:06 40048 c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
--a------ 2007-03-12 12:49 153136 c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2007-10-31 00:32 15360 c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools]
--a------ 2005-11-08 23:00 128920 c:\program files\DAEMON Tools\daemon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Free Download Manager]
--a------ 2008-09-09 14:06 2465839 c:\program files\Free Download Manager\fdm.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
--a----t- 2008-09-09 14:06 133104 c:\documents and settings\Stefan\Local Settings\Application Data\Google\Update\GoogleUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iPPCamScan]
--a------ 2008-01-23 18:41 86016 c:\windows\iPScan.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MMTray]
--a------ 2003-03-25 04:49 53248 c:\windows\system32\mmtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MMTray2K]
--a------ 2003-03-25 04:49 57344 c:\windows\system32\mmtray2k.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MMTrayLSI]
--a------ 2003-03-25 04:49 53248 c:\windows\system32\mmtraylsi.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2007-03-09 17:53 153136 c:\program files\Common Files\Ahead\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Sony Ericsson PC Suite]
-ra------ 2006-11-24 01:06 487424 c:\program files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
-rahs---- 2008-01-28 10:43 2097488 c:\program files\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StartCCC]
--a------ 2006-11-10 11:35 90112 c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AGRSMMSG]
-ra------ 2006-06-29 06:32 89541 c:\windows\AGRSMMSG.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]
-r------- 2007-11-30 11:42 16858624 c:\windows\RTHDCPL.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Tweak UI]
--a------ 2003-03-25 04:49 106544 c:\windows\system32\tweakui.cpl

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R2 ekrn;Eset Service;"c:\program files\ESET\ESET Smart Security\ekrn.exe" [2007-12-21 468224]
R2 LMIRfsDriver;LogMeIn Remote File System Driver;\??\c:\windows\system32\drivers\LMIRfsDriver.sys [2008-08-14 45848]
R2 TuneUp.ProgramStatisticsSvc;TuneUp Program Statistics Service;c:\windows\System32\TUProgSt.exe [2008-12-10 603904]
R3 RMSPPPOE;WAN Miniport (PPP over Ethernet Protocol);c:\windows\system32\DRIVERS\RMSPPPOE.SYS [2002-06-09 31232]
R3 WSIMD;wsimd Service;c:\windows\system32\DRIVERS\wsimd.sys [2008-09-23 57024]
S2 LMIInfo;LogMeIn Kernel Information Provider;\??\c:\program files\LogMeIn\x86\RaInfo.sys []
S3 DCamUSBTP10;StarCam mini+;c:\windows\system32\Drivers\iP293x.sys [2008-11-12 241920]
S3 gggen;Generic USB Flash Driver;c:\windows\system32\DRIVERS\gggen.sys [2008-12-02 11648]
S3 MBAMSwissArmy;MBAMSwissArmy;\??\c:\windows\system32\drivers\mbamswissarmy.sys [2008-12-16 38528]
S4 LMIRfsClientNP;LMIRfsClientNP; []

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b3dfb0b2-51ba-11dd-b7b3-0015af99d8cd}]
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL resycled\boot.com l:
\Shell\Open\command - l:\resycled\boot.com l:
.
Contents of the 'Scheduled Tasks' folder

2008-12-23 c:\windows\Tasks\1-Click Maintenance.job
- c:\program files\TuneUp Utilities 2009\OneClickStarter.exe [2008-11-20 16:28]

2008-12-19 c:\windows\Tasks\GoogleUpdateTaskUser.job
- c:\documents and settings\Stefan\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-09-09 14:06]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.windowsxlive.net
FF - ProfilePath - c:\documents and settings\Stefan\Application Data\Mozilla\Firefox\Profiles\6797vdyr.default\
FF - prefs.js: browser.search.selectedEngine - ICQ Search
FF - prefs.js: browser.startup.homepage - hxxp://google.rs
FF - prefs.js: keyword.URL - hxxp://search.sweetim.com/search.asp?src=2&q=
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-23 23:22:07
Windows 5.1.2600 Service Pack 3, v.3244 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ASPI32]
"ImagePath"="hex(2):53,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,64,00,72,00,69,00,76,00,65,00,72,00,73,00,5c,00,61,00,73,00,70,00,69,00,33,00,32,00,2e,00,73,00,79,00,73,00,00,00"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ASPI32]
"ImagePath"="hex(2):53,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,64,00,72,00,69,00,76,00,65,00,72,00,73,00,5c,00,61,00,73,00,70,00,69,00,33,00,32,00,2e,00,73,00,79,00,73,00,00,00"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1308-)
c:\windows\system32\athgina.dll
c:\windows\system32\Ati2evxx.dll
c:\windows\system32\LMIinit.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\windows\system32\ati2evxx.exe
c:\windows\system32\acs.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
.
**************************************************************************
.
Completion time: 2008-12-23 23:24:44 - machine was rebooted [Stefan]
ComboFix-quarantined-files.txt 2008-12-23 22:24:41
ComboFix2.txt 2008-11-25 13:28:23
ComboFix3.txt 2008-11-24 20:29:55
ComboFix4.txt 2008-10-05 11:21:57

Pre-Run: 19,311,116,288 bytes free
Post-Run: 19,299,098,624 bytes free

301 --- E O F --- 2008-11-17 17:32:29

  • dr_Bora
  • Anti Malware Fighter, Rank 2
  • Joined: 24 Jul 2007
  • Posts: 12280
  • Location: Höganäs, SE

Open Notepad and copy the following text into it:

File::
c:\windows\system32\drivers\htmsmm.sys
c:\windows\system32\drivers\ibsiwu.sys

Registry::
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b3dfb0b2-51ba-11dd-b7b3-0015af99d8cd}]


Save the file from Notepad to the Desktop as "CFScript"




Drag the saved script/text onto the ComboFix icon as shown in the picture.
Post in your next message the log that is produced at the end of the cleaning/scan.




Question: do you have a USB flash drive (i.e. anything that behaves as USB storage: flash drive, mp3 player, phone, external HDD...)?
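An added example (not part of the thread and not ComboFix code) that pulls the removable-media and firewall indicators out of the ComboFix log above: the MountPoints2 key whose AutoRun and Open handlers launch resycled\boot.com from the volume, the Autorun.inf files ComboFix deleted from drive roots, the disabled Windows Firewall standard profile and the globally open 3389/TCP. MountPoints2 is where Explorer caches per-volume AutoRun settings, so a handler like this one normally came in on a removable drive, which is the point of the question about USB devices. From the MountPoints2 key the code emits the same Registry:: deletion block that the CFScript above uses. The log excerpt is copied from the post above; nothing else is assumed.

```python
"""Removable-media and firewall indicators from a ComboFix log, plus the
CFScript Registry:: block that removes a hijacked MountPoints2 key.

Added example, not part of the original thread and not ComboFix code.  The
excerpt below is copied from the ComboFix log posted above."""
import re

# Sample input: lines copied from the ComboFix log above (Other Deletions,
# firewall policy and MountPoints2 sections).
SAMPLE_COMBOFIX = r"""
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
D:\resycled
d:\resycled\boot.com
.
---- Previous Run -------
.
C:\Autorun.inf
c:\resycled\boot.com
D:\Autorun.inf
E:\Autorun.inf
F:\Autorun.inf

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b3dfb0b2-51ba-11dd-b7b3-0015af99d8cd}]
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL resycled\boot.com l:
\Shell\Open\command - l:\resycled\boot.com l:
"""

MOUNTPOINT_RE = re.compile(r"^\[(HKEY_CURRENT_USER\\.*\\mountpoints2\\\{[0-9a-f-]+\})\]$", re.IGNORECASE)
SHELL_CMD_RE = re.compile(r"^\\Shell\\(\w+)\\command\s+-\s+(.*)$", re.IGNORECASE)
ROOT_AUTORUN_RE = re.compile(r"^[a-z]:\\autorun\.inf$", re.IGNORECASE)
OPEN_PORT_RE = re.compile(r'^"(\d+):(TCP|UDP)"=', re.IGNORECASE)


def review_combofix(text: str) -> dict:
    """Collect the indicators a reviewer checks first in a ComboFix log."""
    result = {"mountpoints": [], "firewall_disabled": False,
              "open_ports": [], "autorun_inf_roots": []}
    in_mountpoint = False
    for raw in text.splitlines():
        line = raw.strip()
        m = MOUNTPOINT_RE.match(line)
        if m:
            # MountPoints2 is Explorer's per-volume AutoRun cache; a key carrying
            # its own Shell\...\command handlers normally arrived on removable media.
            result["mountpoints"].append({"key": m.group(1), "commands": {}})
            in_mountpoint = True
            continue
        if line.startswith("["):
            in_mountpoint = False            # any other key header ends the block
        m = SHELL_CMD_RE.match(line)
        if m and in_mountpoint:
            result["mountpoints"][-1]["commands"][m.group(1)] = m.group(2)
            continue
        if line.lower().startswith('"enablefirewall"='):
            result["firewall_disabled"] = line.split("=", 1)[1].strip().startswith("0")
            continue
        m = OPEN_PORT_RE.match(line)
        if m:
            result["open_ports"].append((int(m.group(1)), m.group(2).upper()))
            continue
        if ROOT_AUTORUN_RE.match(line):
            # Autorun.inf in a drive root is how the worm re-launches on insertion.
            result["autorun_inf_roots"].append(line[0].upper())
    return result


def cfscript_for(result: dict) -> str:
    """Registry:: block in the CFScript form used in the thread: a leading '-'
    inside the brackets tells ComboFix to delete the whole key."""
    if not result["mountpoints"]:
        return ""
    lines = ["Registry::"] + [f"[-{mp['key']}]" for mp in result["mountpoints"]]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    r = review_combofix(SAMPLE_COMBOFIX)
    for mp in r["mountpoints"]:
        print("MountPoints2 key:", mp["key"])
        for verb, cmd in mp["commands"].items():
            print(f"  {verb}: {cmd}")
    print("firewall disabled:", r["firewall_disabled"])
    print("globally open ports:", r["open_ports"])
    print("Autorun.inf in drive roots:", r["autorun_inf_roots"])
    print(cfscript_for(r), end="")
```

Both handlers in the sample run a file from the volume itself (`resycled\boot.com`), so opening the drive in Explorer or letting AutoPlay fire is enough to re-infect; that is why the Autorun.inf files on C:, D:, E: and F: and the MountPoints2 key have to go together, and why every USB device that was plugged into this machine needs the same check.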

  • Joined: 21 Sep 2008
  • Posts: 238
  • Location: Bačka Palanka

ComboFix 08-12-23.01 - Stefan 2008-12-24 18:03:37.8 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.895.460 [GMT 1:00]
Running from: c:\documents and settings\Stefan\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Stefan\Desktop\CFScript.txt
* Created a new restore point
* Resident AV is active


FILE ::
c:\windows\system32\drivers\htmsmm.sys
c:\windows\system32\drivers\ibsiwu.sys
.
/wow section - STAGE 41


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\drivers\htmsmm.sys
c:\windows\system32\drivers\ibsiwu.sys

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_FCI
-------\Legacy_ICF


((((((((((((((((((((((((( Files Created from 2008-11-24 to 2008-12-24 )))))))))))))))))))))))))))))))
.

2008-12-23 22:29 . 2008-12-23 22:29 <DIR> d-------- c:\windows\system32\VIRepair
2008-12-18 23:32 . 2008-12-18 23:33 <DIR> d-------- c:\program files\RogueRemover FREE
2008-12-16 10:37 . 2008-12-16 10:37 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2008-12-16 10:37 . 2008-09-08 00:11 38,528 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2008-12-16 10:37 . 2008-09-08 00:11 17,200 --a------ c:\windows\system32\drivers\mbam.sys
2008-12-13 19:34 . 2008-12-13 19:36 <DIR> d-------- c:\program files\FOX Video Converter
2008-12-10 22:16 . 2008-12-10 22:16 <DIR> d-------- c:\program files\Uniblue
2008-12-10 21:55 . 2008-12-10 21:55 603,904 --a------ c:\windows\system32\TUProgSt.exe
2008-12-10 21:55 . 2008-12-10 21:55 362,240 --a------ c:\windows\system32\TuneUpDefragService.exe
2008-12-10 21:55 . 2008-11-12 16:44 27,904 --a------ c:\windows\system32\uxtuneup.dll
2008-12-10 21:54 . 2008-12-10 21:55 <DIR> d-------- c:\program files\TuneUp Utilities 2009
2008-12-10 21:32 . 2008-12-10 21:32 2 --a------ C:\-1732176044
2008-12-10 20:40 . 2008-12-10 20:40 <DIR> d-------- c:\program files\WinFlip
2008-12-10 20:40 . 2008-12-10 20:40 <DIR> d-------- c:\program files\TrueTransparency
2008-12-10 20:40 . 2008-12-23 22:29 <DIR> d-------- c:\program files\Styler
2008-12-10 20:38 . 2008-12-10 20:38 76,214 --a------ c:\windows\Icon_2.ico
2008-12-06 19:44 . 2008-12-06 19:45 <DIR> d-------- c:\program files\Planplus
2008-12-05 11:44 . 2008-12-05 11:44 <DIR> d-------- c:\documents and settings\Stefan\Application Data\Safer Networking
2008-12-05 11:43 . 2008-12-05 11:43 <DIR> d-------- c:\program files\Safer Networking
2008-12-02 11:01 . 2006-09-28 13:10 11,648 --a------ c:\windows\system32\drivers\ggsemc.sys
2008-12-02 11:00 . 2006-09-28 13:10 11,648 --a------ c:\windows\system32\drivers\gggen.sys
2008-11-30 16:42 . 2008-11-30 16:42 <DIR> d-------- c:\documents and settings\Stefan\Application Data\MSNInstaller
2008-11-28 14:37 . 2008-11-28 14:37 <DIR> d-------- c:\documents and settings\All Users\Application Data\TuneUp Software
2008-11-28 14:37 . 2008-11-28 14:37 <DIR> d--hs---- c:\documents and settings\All Users\Application Data\{55A29068-F2CE-456C-9148-C869879E2357}
2008-11-28 14:32 . 2008-11-28 14:32 <DIR> d-------- c:\program files\Windows Installer 4.5 SDK
2008-11-27 22:26 . 2008-11-27 22:26 <DIR> d-------- c:\documents and settings\Stefan\Application Data\Styler
2008-11-27 22:23 . 2008-12-23 22:30 <DIR> d-------- c:\windows\system32\VITrans
2008-11-27 22:23 . 2008-12-11 21:35 <DIR> d-------- C:\VTPFiles
2008-11-27 22:23 . 2004-11-27 19:00 94,208 --a------ c:\windows\system32\pskill.exe
2008-11-27 22:23 . 2008-11-27 22:23 78,942 --a------ c:\windows\Icon_1.ico
2008-11-27 22:23 . 2006-12-03 17:15 69,632 --a------ c:\windows\system32\moveex.exe
2008-11-27 22:23 . 2006-12-03 17:14 8,636 --a------ c:\windows\system32\modifype.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-16 21:42 102 ----a-w c:\program files\scmn.txt
2008-12-16 20:57 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-12-16 19:47 --------- d-----w c:\documents and settings\Stefan\Application Data\Free Download Manager
2008-12-13 18:35 81,920 ----a-w c:\documents and settings\Stefan\Application Data\ezpinst.exe
2008-12-13 18:35 47,360 ----a-w c:\windows\system32\drivers\pcouffin.sys
2008-12-13 18:35 47,360 ----a-w c:\documents and settings\Stefan\Application Data\pcouffin.sys
2008-12-13 18:35 --------- d-----w c:\documents and settings\Stefan\Application Data\Vso
2008-12-10 21:17 --------- dc-h--w c:\documents and settings\All Users\Application Data\{B46E1EF5-0B37-4DB4-A4E2-9F2B41036185}
2008-12-05 18:35 --------- d-----w c:\program files\Sony Ericsson
2008-11-30 11:29 --------- d-----w c:\documents and settings\All Users\Application Data\ESET
2008-11-26 13:59 --------- d-----w c:\documents and settings\Stefan\Application Data\mIRC
2008-11-26 13:58 --------- d-----w c:\program files\mIRC
2008-11-25 20:55 --------- d--h--w c:\program files\InstallShield Installation Information
2008-11-24 20:44 --------- d-----w c:\program files\MSN Messenger
2008-11-16 18:57 --------- d-----w c:\program files\Alcohol Soft
2008-11-15 18:08 --------- d-----w c:\program files\YouTube Downloader
2008-11-14 20:15 --------- d-----w c:\documents and settings\Stefan\Application Data\Teleca
2008-11-13 16:01 --------- d-----w c:\documents and settings\All Users\Application Data\WLInstaller
2008-11-12 12:02 --------- d-----w c:\program files\iPassion
2008-11-12 12:01 --------- d-----w c:\documents and settings\Stefan\Application Data\InstallShield
2008-11-12 12:00 --------- d-----w c:\program files\MSI
2008-11-10 20:02 --------- d-----w c:\documents and settings\Stefan\Application Data\Sony Ericsson
2008-11-10 19:57 --------- d-----w c:\program files\Common Files\Teleca Shared
2008-11-10 19:57 --------- d-----w c:\program files\Common Files\Sony Ericsson Shared
2008-11-10 19:57 --------- d-----w c:\documents and settings\All Users\Application Data\Teleca
2008-11-10 19:57 --------- d-----w c:\documents and settings\All Users\Application Data\Sony Ericsson
2008-11-08 20:58 --------- d-----w c:\documents and settings\Stefan\Application Data\Thunderbird
2008-11-08 20:57 --------- d-----w c:\program files\Mozilla Thunderbird
2008-11-04 19:46 --------- d-----w c:\documents and settings\Stefan\Application Data\Thinstall
2008-11-04 19:39 287,976 ----a-w C:\cc_20081104_203843.reg
2008-11-01 12:09 --------- d-----w c:\program files\The Weather Channel FW
2008-10-28 21:42 --------- d-----w c:\program files\Common Files\Adobe
2008-10-28 21:40 --------- d-----w c:\program files\HotPotatoes6
2008-10-28 21:39 --------- d-----w c:\program files\RapidTyping
2008-10-27 10:57 --------- d-----w c:\program files\Spybot - Search & Destroy
2008-10-26 15:31 --------- d-----w c:\documents and settings\Stefan\Application Data\skypePM
2008-10-26 15:28 --------- d-----w c:\documents and settings\All Users\Application Data\Skype
2008-08-04 12:42 32 ----a-w c:\documents and settings\All Users\Application Data\ezsid.dat
2003-03-21 12:45 250,544 ----a-w c:\program files\Common Files\keyhelp.ocx
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="c:\program files\MSN Messenger\MsnMsgr.Exe" [2007-01-19 5674352]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2007-10-31 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"egui"="c:\program files\ESET\ESET Smart Security\egui.exe" [2007-12-21 1443072]
"AGRSMMSG"="AGRSMMSG.exe" [2006-06-29 c:\windows\AGRSMMSG.exe]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
2008-05-28 11:32 87352 c:\windows\system32\LMIinit.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.iv41"= ir41_32.dll
"msacm.l3acm"= L3codecp.acm
"msacm.divxa32"= DivXa32.acm
"vidc.asv2"= asusasv2.dll
"vidc.div3"= DivXc32.dll
"vidc.div4"= DivXc32f.dll
"vidc.ap41"= APmpg4v1.dll
"vidc.mjpg"= m3jpeg32.dll
"vidc.dmb1"= m3jpeg32.dll
"vidc.rud0"= rududu.dll
"vidc.mj2c"= M3JP2K32.dll
"vidc.mmes"= DigiVCap.dll
"vidc.vixl"= Miroxl32.dll
"vidc.sony"= sonydv.dll
"vidc.dv25"= DigiVCap.dll
"vidc.dv50"= DigiVCap.dll
"vidc.msmc"= DigiVCap.dll
"vidc.mmjp"= DigiVCap.dll
"vidc.3ivx"= 3ivxVfWCodec.dll
"vidc.vssv"= vsscodec.dll
"vidc.pim1"= pclepim1.dll
"vidc.advs"= Dvc.dll
"vidc.asv1"= asusasv1.dll
"vidc.aflc"= flccodec32.dll
"vidc.aasc"= Aasc32.dll
"vidc.avrn"= AvidAVICodec.dll
"VIDC.mszh"= avimszh.dll
"vidc.zlib"= avizlib.dll
"vidc.mwv1"= icmw_32.dll
"vidc.bt20"= btvvc32.drv
"vidc.y41p"= btvvc32.drv
"vidc.cscd"= camcodec.dll
"vidc.cdvc"= CSCCDVC.DLL
"vidc.ddvc"= CSCdvsd.DLL
"vidc.dps0"= DpsAviCC.dll
"vidc.dvx4"= divx4.dll
"vidc.em2v"= EtxCodec.dll
"vidc.frwd"= frwd.dll
"vidc.frwt"= frwt.dll
"vidc.frwu"= frwu.dll
"vidc.glzw"= GLZW.dll
"vidc.gpeg"= GPEG.dll
"vidc.hfyu"= huffyuv.dll
"vidc.i263"= i263_32.drv
"vidc.ir21"= IR21_R.DLL
"vidc.rt21"= IR21_R.DLL

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 nwprovau

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
backup=c:\windows\pss\Adobe Gamma Loader.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Synchronizer.lnk]
backup=c:\windows\pss\Adobe Reader Synchronizer.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2007-05-11 03:06 40048 c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
--a------ 2007-03-12 12:49 153136 c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2007-10-31 00:32 15360 c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools]
--a------ 2005-11-08 23:00 128920 c:\program files\DAEMON Tools\daemon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Free Download Manager]
--a------ 2008-09-09 14:06 2465839 c:\program files\Free Download Manager\fdm.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
--a----t- 2008-09-09 14:06 133104 c:\documents and settings\Stefan\Local Settings\Application Data\Google\Update\GoogleUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iPPCamScan]
--a------ 2008-01-23 18:41 86016 c:\windows\iPScan.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MMTray]
--a------ 2003-03-25 04:49 53248 c:\windows\system32\mmtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MMTray2K]
--a------ 2003-03-25 04:49 57344 c:\windows\system32\mmtray2k.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MMTrayLSI]
--a------ 2003-03-25 04:49 53248 c:\windows\system32\mmtraylsi.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2007-03-09 17:53 153136 c:\program files\Common Files\Ahead\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Sony Ericsson PC Suite]
-ra------ 2006-11-24 01:06 487424 c:\program files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
-rahs---- 2008-01-28 10:43 2097488 c:\program files\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StartCCC]
--a------ 2006-11-10 11:35 90112 c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AGRSMMSG]
-ra------ 2006-06-29 06:32 89541 c:\windows\AGRSMMSG.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]
-r------- 2007-11-30 11:42 16858624 c:\windows\RTHDCPL.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Tweak UI]
--a------ 2003-03-25 04:49 106544 c:\windows\system32\tweakui.cpl

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R2 ekrn;Eset Service;"c:\program files\ESET\ESET Smart Security\ekrn.exe" [2007-12-21 468224]
R2 LMIRfsDriver;LogMeIn Remote File System Driver;\??\c:\windows\system32\drivers\LMIRfsDriver.sys [2008-08-14 45848]
R2 TuneUp.ProgramStatisticsSvc;TuneUp Program Statistics Service;c:\windows\System32\TUProgSt.exe [2008-12-10 603904]
R3 RMSPPPOE;WAN Miniport (PPP over Ethernet Protocol);c:\windows\system32\DRIVERS\RMSPPPOE.SYS [2002-06-09 31232]
R3 WSIMD;wsimd Service;c:\windows\system32\DRIVERS\wsimd.sys [2008-09-23 57024]
S2 LMIInfo;LogMeIn Kernel Information Provider;\??\c:\program files\LogMeIn\x86\RaInfo.sys []
S3 DCamUSBTP10;StarCam mini+;c:\windows\system32\Drivers\iP293x.sys [2008-11-12 241920]
S3 gggen;Generic USB Flash Driver;c:\windows\system32\DRIVERS\gggen.sys [2008-12-02 11648]
S3 usnjsvc;Usluga Messenger Sharing Folders USN Journal Reader;"c:\program files\MSN Messenger\usnsvc.exe" [2007-01-19 97136]
S4 LMIRfsClientNP;LMIRfsClientNP; []

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{98fbfdef-51f7-11dd-b7bc-0015af99d8cd}]
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL resycled\boot.com m:
\Shell\Open\command - m:\resycled\boot.com m:
.
Contents of the 'Scheduled Tasks' folder

2008-12-24 c:\windows\Tasks\1-Click Maintenance.job
- c:\program files\TuneUp Utilities 2009\OneClickStarter.exe [2008-11-20 16:28]

2008-12-19 c:\windows\Tasks\GoogleUpdateTaskUser.job
- c:\documents and settings\Stefan\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-09-09 14:06]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.windowsxlive.net
FF - ProfilePath - c:\documents and settings\Stefan\Application Data\Mozilla\Firefox\Profiles\6797vdyr.default\
FF - prefs.js: browser.search.selectedEngine - ICQ Search
FF - prefs.js: browser.startup.homepage - hxxp://google.rs
FF - prefs.js: keyword.URL - hxxp://search.sweetim.com/search.asp?src=2&q=
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-24 18:07:26
Windows 5.1.2600 Service Pack 3, v.3244 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ASPI32]
"ImagePath"="hex(2):53,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,64,00,72,00,69,00,76,00,65,00,72,00,73,00,5c,00,61,00,73,00,70,00,69,00,33,00,32,00,2e,00,73,00,79,00,73,00,00,00"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ASPI32]
"ImagePath"="hex(2):53,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,64,00,72,00,69,00,76,00,65,00,72,00,73,00,5c,00,61,00,73,00,70,00,69,00,33,00,32,00,2e,00,73,00,79,00,73,00,00,00"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1312)
c:\windows\system32\athgina.dll
c:\windows\system32\Ati2evxx.dll
c:\windows\system32\LMIinit.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\windows\system32\ati2evxx.exe
c:\windows\system32\acs.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
.
**************************************************************************
.
Completion time: 2008-12-24 18:10:04 - machine was rebooted
ComboFix-quarantined-files.txt 2008-12-24 17:10:02
ComboFix2.txt 2008-12-23 22:24:45
ComboFix3.txt 2008-11-25 13:28:23
ComboFix4.txt 2008-11-24 20:29:55
ComboFix5.txt 2008-12-24 17:02:59

Pre-Run: 19.320.987.648 bytes free
Post-Run: 19,305,324,544 bytes free

279 --- E O F --- 2008-11-17 17:32:29


---
USB devices I have: USB flash drive, phone + memory card, webcam, scanner, USB mouse. That's all.

  • dr_Bora  Male
  • Anti Malware Fighter
    Rank 2
  • Joined: 24 Jul 2007
  • Posts: 12280
  • Location: Höganäs, SE

In the meantime, between these two scans, you connected an infected drive. Let's sort that out too... Only the phone and the flash drive matter to us, not the rest.



Download the following program - http://amf.mycity.rs/personal/bobby/USB_blocker/usb_blocker.exe
- run it and choose the Auto block option
- plug the USB stick into the computer and wait a few seconds (say 5-10 seconds)
- the program has now analysed the stick (you can see this in the lower part of the program, in the log)
- top left, double-click the letter that denotes the partition, i.e. your USB stick
- a message will appear down by the clock saying you may remove the USB stick from the computer
- do not close the program; plug in the next USB stick and wait a few seconds for it as well, and so on for all sticks, MP3 players and the mobile phone
- remember the order in which the sticks were plugged in

When you have finished all that, the log in the lower part of the program will contain all the data I need to see which stick is infected.
Right-click the log/report and choose Save log.
Notepad will open automatically with the report in it.
Copy that report here to the forum for me.

  • Joined: 21 Sep 2008
  • Posts: 238
  • Location: Bačka Palanka

USB_blocker by bobby

Started at 25.12.2008 13:09:33

Scanning for connected USB Mass storage...
========================================
========================================
Scanning for other storage...
========================================
C: 279bcd1c-51f4-11dd-b1a4-806d6172696f
D: 279bcd1d-51f4-11dd-b1a4-806d6172696f
E: 279bcd1e-51f4-11dd-b1a4-806d6172696f
F: 279bcd1f-51f4-11dd-b1a4-806d6172696f
========================================

Scanning fixed storage for autorun.inf files...
========================================
========================================



New device connected at 25.12.2008 13:10:12

Scanning for connected USB Mass storage...
========================================
========================================

Scanning USB mass storage for autorun.inf and desktop.ini files...
========================================
Sanitizing Shell Menu...
========================================


New device connected at 25.12.2008 13:10:13

Scanning for connected USB Mass storage...
========================================
========================================

Scanning USB mass storage for autorun.inf and desktop.ini files...
========================================
Sanitizing Shell Menu...
========================================


New device connected at 25.12.2008 13:12:04

Scanning for connected USB Mass storage...
========================================
J: 98fbfdee-51f7-11dd-b7bc-0015af99d8cd
M: 98fbfdef-51f7-11dd-b7bc-0015af99d8cd
L: b3dfb0b2-51ba-11dd-b7b3-0015af99d8cd
========================================

Scanning USB mass storage for autorun.inf and desktop.ini files...
========================================

autorun.inf found on M:
File M:\autorun.inf renamed successfully
Sanitizing Shell Menu...
No key for GUID: 98fbfdee-51f7-11dd-b7bc-0015af99d8cd
Sanitized 98fbfdef-51f7-11dd-b7bc-0015af99d8cd
No key for GUID: b3dfb0b2-51ba-11dd-b7b3-0015af99d8cd
========================================
M: 98fbfdef-51f7-11dd-b7bc-0015af99d8cd
L: b3dfb0b2-51ba-11dd-b7b3-0015af99d8cd

  • dr_Bora  Male
  • Anti Malware Fighter
    Rank 2
  • Joined: 24 Jul 2007
  • Posts: 12280
  • Location: Höganäs, SE

Plug in again the device you connected last.

There is a file called autorun.inf.blocked on it - open it in Notepad and copy its contents into your next message.

  • Joined: 21 Sep 2008
  • Posts: 238
  • Location: Bačka Palanka

[autorun]
;wsogcjvvkbzkjtaeeofedejhbqusshfuvfyfdbahzcahionjjuseiaushpzjak
shellexecute="resycled\boot.com l:"
;wpdcjbubghbpwtagvzszosgoqxqgrwstgkygcjbdomitlsjplojpcxmyhpycmrkqmnrrduhebsnnzhpqprfldprjp
shell\Open\command="resycled\boot.com l:"
;ekfqzd
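The blocked file above is a textbook removable-media launcher: the `shellexecute` and `shell\Open\command` keys both point at `resycled\boot.com`, and the random `;` comment lines between them exist only to break simple signature matching. Windows XP caches the handlers it parses from such a file per volume GUID under HKCU\...\Explorer\MountPoints2\{GUID}\Shell, which is why the same `resycled\boot.com` command shows up in the ComboFix log under {98fbfdef-51f7-11dd-b7bc-0015af99d8cd} and why USB_blocker reports "Sanitized 98fbfdef-..." for that GUID after renaming the file on M:. The script below is an added example, not code from USB_blocker or ComboFix: it parses an autorun.inf as quoted here (comment lines included), lists every key that makes Explorer run something, ranks the entries with two heuristics that are this example's own assumptions (a payload with an executable extension, and a payload folder that imitates the RECYCLED/RECYCLER bin), and renames autorun.inf to autorun.inf.blocked the way the USB_blocker log describes. The sample content is constructed from the file posted in this thread.

```python
"""Triage an autorun.inf like the one quoted above and neutralise it the way
USB_blocker did (rename to autorun.inf.blocked).

Added example for this thread, not code from USB_blocker or ComboFix.
The executable-extension list and the recycle-bin look-alike check are this
example's own heuristics, not something the thread or the tools state.
"""
import re
import shlex
from difflib import SequenceMatcher
from pathlib import Path, PureWindowsPath
from typing import Optional

# Constructed sample: the autorun.inf.blocked content posted in the thread,
# including the random ;comment lines inserted to defeat naive signatures.
SAMPLE_AUTORUN = r"""[autorun]
;wsogcjvvkbzkjtaeeofedejhbqusshfuvfyfdbahzcahionjjuseiaushpzjak
shellexecute="resycled\boot.com l:"
;wpdcjbubghbpwtagvzszosgoqxqgrwstgkygcjbdomitlsjplojpcxmyhpycmrkqmnrrduhebsnnzhpqprfldprjp
shell\Open\command="resycled\boot.com l:"
;ekfqzd
"""

# Keys through which autorun.inf makes Explorer run something: the legacy
# 'open' key, 'shellexecute', and per-verb 'shell\<verb>\command' entries.
# Keys are lower-cased by parse_autorun(), so no IGNORECASE is needed.
LAUNCH_KEY = re.compile(r"^(open|shellexecute|shell\\[^\\]+\\command)$")
EXEC_EXT = {".exe", ".com", ".bat", ".cmd", ".scr", ".pif", ".vbs", ".js", ".wsf", ".lnk"}


def parse_autorun(text: str) -> dict:
    """Key/value pairs of the [autorun] section, keys lower-cased, quotes stripped.
    Comment lines (';' or '#'), blank lines and other sections are ignored."""
    entries = {}
    section = None
    for raw in text.lstrip("\ufeff").splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "autorun" or "=" not in line:
            continue
        key, _, value = line.partition("=")
        entries[key.strip().lower()] = value.strip().strip('"')
    return entries


def executable_of(command: str) -> str:
    """First token of a Windows command line (quotes honoured, backslashes kept)."""
    tokens = shlex.split(command, posix=False) if command.strip() else []
    return tokens[0].strip('"') if tokens else ""


def assess(entries: dict) -> list:
    """One finding per launch entry, with the heuristic reasons it looks hostile.

    Any launch entry on removable media deserves a look; the reasons only rank
    them. A clean stick normally has no launch entries at all."""
    findings = []
    for key, command in entries.items():
        if not LAUNCH_KEY.match(key):
            continue
        exe = PureWindowsPath(executable_of(command))
        reasons = []
        if exe.suffix.lower() in EXEC_EXT:
            reasons.append(f"runs a {exe.suffix.lower()} payload stored on the drive")
        first_dir = exe.parts[0].lower() if len(exe.parts) > 1 else ""
        # 'resycled' scores 0.875 against 'recycled': a look-alike of the
        # RECYCLED/RECYCLER bin folder Windows itself keeps on the volume.
        if first_dir and SequenceMatcher(None, first_dir, "recycled").ratio() >= 0.75:
            reasons.append(f"payload hidden in recycle-bin look-alike folder '{first_dir}'")
        findings.append({"key": key, "command": command,
                         "executable": str(exe), "reasons": reasons})
    return findings


def neutralize(drive_root: Path) -> Optional[Path]:
    """Rename autorun.inf to autorun.inf.blocked, as USB_blocker logged doing on M:.

    Renaming instead of deleting keeps the file for analysis while Explorer,
    which only looks for the exact name, stops honouring it. Matching is
    case-insensitive because FAT/NTFS file names are."""
    for child in drive_root.iterdir():
        if child.is_file() and child.name.lower() == "autorun.inf":
            blocked = child.with_name("autorun.inf.blocked")
            child.replace(blocked)
            return blocked
    return None


if __name__ == "__main__":
    for finding in assess(parse_autorun(SAMPLE_AUTORUN)):
        print(f"{finding['key']:>20} -> {finding['executable']}: "
              + ("; ".join(finding["reasons"]) or "no heuristic hit"))
```

Run it as-is to see both launch keys resolve to `resycled\boot.com` with both heuristics firing; point `neutralize()` at a mounted stick's root (for example `Path("M:\\")` on Windows) to reproduce the rename from the USB_blocker log. The registry side that USB_blocker calls "Sanitizing Shell Menu" (deleting the `Shell` subkey under the volume's MountPoints2 GUID) is deliberately not included here, since the thread shows the tool doing it and the cached entry disappears on its own once the file is gone and the volume is re-enumerated is not something the thread confirms.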

  • dr_Bora  Male
  • Anti Malware Fighter
    Rank 2
  • Joined: 24 Jul 2007
  • Posts: 12280
  • Location: Höganäs, SE

From that drive, delete the folder named resycled.

If you cannot see it, enable the display of hidden files:
http://www.mycity.rs/Uputstva-sa-ex-SuperSajta/Kako-videti-skrivene-fajlove.html


Then pack the complete folder C:\qoobox\quarantine into a zip/rar archive and upload it via the following link:
http://www.mycity.rs/ambulanta-upload.php


Let me know when you have done that and tell me how things stand now.
