Trojan/virus....


offline
  • Joined: 01 Oct 2003
  • Posts: 2383
  • Location: Beograd

ComboFix 10-11-28.01 - Sandra 29.11.2010 16:22:05.13.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2815.2225 [GMT 1:00]
Running from: c:\documents and settings\Sandra\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Sandra\Desktop\CFScript.txt
AV: ESET NOD32 Antivirus 4.2 *On-access scanning disabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}

FILE ::
"c:\windows\cwdrive32.exe"
"c:\windows\system32\x"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\00.exe
c:\windows\system32\25.exe
c:\windows\system32\30.exe
c:\windows\system32\42.exe
c:\windows\system32\50.exe
c:\windows\system32\53.exe
c:\windows\system32\56.exe
c:\windows\system32\70.exe
c:\windows\system32\72.exe
c:\windows\system32\81.exe
c:\windows\system32\83.exe
c:\windows\system32\84.exe

.
((((((((((((((((((((((((( Files Created from 2010-10-28 to 2010-11-29 )))))))))))))))))))))))))))))))
.

2010-11-28 21:16 . 2009-08-06 18:24 15064 ----a-w- c:\windows\system32\wuapi.dll.mui
2010-11-25 08:00 . 2010-11-25 08:00 -------- d-----w- c:\documents and settings\Sandra\Local Settings\Application Data\ESET
2010-11-25 07:58 . 2010-11-25 07:58 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\ESET
2010-11-25 07:56 . 2010-11-25 07:56 -------- d-----w- c:\program files\ESET
2010-11-25 07:56 . 2010-11-25 07:56 -------- d-----w- c:\documents and settings\All Users\Application Data\ESET
2010-11-10 09:51 . 2003-03-18 19:04 765952 ----a-w- c:\windows\system32\msvcp71d.dll
2010-11-10 09:51 . 2003-03-18 19:03 544768 ----a-w- c:\windows\system32\msvcr71d.dll
2010-11-10 09:51 . 2010-11-23 08:45 -------- d-----w- c:\program files\ALCATEL PC Suite
2010-11-10 09:50 . 2006-09-09 15:46 131072 ----a-w- c:\windows\system32\mtkjpeg.dll
2010-11-05 20:22 . 2008-04-13 23:15 26112 -c--a-w- c:\windows\system32\dllcache\usbser.sys
2010-11-05 20:22 . 2008-04-13 23:15 26112 ----a-w- c:\windows\system32\drivers\usbser.sys
2010-10-30 21:58 . 2010-10-30 21:58 -------- d-----w- c:\documents and settings\All Users\Application Data\NokiaInstallerCache

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-09-15 02:50 . 2010-04-18 12:29 472808 ----a-w- c:\windows\system32\deployJava1.dll
2010-09-15 00:29 . 2010-04-18 12:29 73728 ----a-w- c:\windows\system32\javacpl.cpl
2008-12-14 22:57 . 2008-12-14 22:57 1851544 ----a-w- c:\program files\install_flash_player.exe
.

((((((((((((((((((((((((((((( SnapShot@2010-11-28_19.39.32 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-11-29 13:24 . 2010-11-29 13:24 16384 c:\windows\temp\Perflib_Perfdata_15c.dat
+ 2008-12-14 22:29 . 2009-08-06 18:24 44768 c:\windows\system32\wups2.dll
+ 2008-12-13 14:44 . 2009-08-06 18:24 35552 c:\windows\system32\wups.dll
+ 2008-12-13 14:44 . 2009-08-06 18:24 53472 c:\windows\system32\wuauclt.exe
+ 2010-11-28 21:16 . 2009-08-06 18:24 44768 c:\windows\system32\SoftwareDistribution\Setup\ServiceStartup\wups2.dll\7.4.7600.226\wups2.dll
+ 2010-11-28 21:16 . 2009-08-06 18:24 35552 c:\windows\system32\SoftwareDistribution\Setup\ServiceStartup\wups.dll\7.4.7600.226\wups.dll
+ 2008-12-13 14:44 . 2009-08-06 18:24 35552 c:\windows\system32\dllcache\wups.dll
+ 2008-12-13 14:44 . 2009-08-06 18:24 53472 c:\windows\system32\dllcache\wuauclt.exe
+ 2008-04-14 12:00 . 2009-08-06 18:24 96480 c:\windows\system32\dllcache\cdm.dll
+ 2008-04-14 12:00 . 2009-08-06 18:24 96480 c:\windows\system32\cdm.dll
+ 2008-12-13 14:44 . 2009-08-06 18:23 209624 c:\windows\system32\wuweb.dll
+ 2008-12-13 14:44 . 2009-08-06 18:24 327896 c:\windows\system32\wucltui.dll
+ 2008-12-13 14:44 . 2009-08-06 18:23 575704 c:\windows\system32\wuapi.dll
+ 2010-11-28 21:16 . 2009-08-06 18:23 575704 c:\windows\system32\SoftwareDistribution\Setup\ServiceStartup\wuapi.dll\7.4.7600.226\wuapi.dll
+ 2009-03-18 22:51 . 2009-08-06 18:23 215904 c:\windows\system32\muweb.dll
+ 2008-12-13 14:44 . 2009-08-06 18:23 209624 c:\windows\system32\dllcache\wuweb.dll
+ 2008-12-13 14:44 . 2009-08-06 18:24 327896 c:\windows\system32\dllcache\wucltui.dll
+ 2008-12-13 14:44 . 2009-08-06 18:23 575704 c:\windows\system32\dllcache\wuapi.dll
+ 2008-12-13 14:44 . 2009-08-06 18:23 1929952 c:\windows\system32\wuaueng.dll
+ 2008-12-13 14:44 . 2009-08-06 18:23 1929952 c:\windows\system32\dllcache\wuaueng.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"POP Peeper"="c:\program files\POP Peeper\POPPeeper.exe" [2008-03-11 1429504]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-07-26 3883856]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2010-03-09 26100520]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsgTranAgt"="c:\program files\ASUS\ATK Hotkey\MsgTranAgt.exe" [2008-08-18 117304]
"HControlUser"="c:\program files\ASUS\ATK Hotkey\HControlUser.exe" [2008-08-18 98304]
"ATKHOTKEY"="c:\program files\ASUS\ATK Hotkey\HControl.exe" [2008-10-20 166456]
"ATKOSD2"="c:\program files\ATKOSD2\ATKOSD2.exe" [2008-01-23 7766016]
"ATKMEDIA"="c:\program files\ASUS\ATK Media\DMEDIA.EXE" [2008-02-01 61440]
"RTHDCPL"="RTHDCPL.EXE" [2008-09-18 16855040]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-09-19 13545472]
"nwiz"="nwiz.exe" [2008-09-19 1630208]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-09-19 86016]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-10-12 815104]
"Wireless Console 2"="c:\program files\Wireless Console 2\wcourier.exe" [2007-07-05 1040384]
"ACU"="c:\program files\Atheros\ACU.exe" [2008-07-21 450649]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"Power_Gear"="c:\program files\ASUS\Power4 Gear\BatteryLife.exe" [2006-07-26 90112]
"googletalk"="c:\program files\Google\Google Talk\googletalk.exe" [2007-01-01 3739648]
"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2010-09-23 624056]
"PCSuiteTrayApplication"="c:\program files\Nokia\Nokia PC Suite 6\LaunchApplication.exe" [2007-03-23 227328]
"gemstrmw"="c:\windows\system32\gemstrmw.exe" [2005-02-07 24576]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-03-17 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-04-28 142120]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2010-09-24 40368]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
"egui"="c:\program files\ESET\ESET NOD32 Antivirus\egui.exe" [2010-11-04 2219184]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
"Nokia.PCSync"="c:\program files\Nokia\Nokia PC Suite 6\PcSync2.exe" [2007-03-27 1744896]

c:\documents and settings\Sandra\Start Menu\Programs\Startup\
Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-3-16 113664]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2008-4-14 596584]
Cisco Systems VPN Client.lnk - c:\program files\Cisco Systems\VPN Client\vpngui.exe [2009-3-17 1466384]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Documents and Settings\\All Users\\Application Data\\Kaspersky Lab Setup Files\\Kaspersky Internet Security 7.0.1.321\\English\\setup.exe"=
"c:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"9999:TCP"= 9999:TCP:PORT1
"9991:TCP"= 9991:TCP:PORT2
"1013:TCP"= 1013:TCP:BS
"7943:TCP"= 7943:TCP:FD

R1 ehdrv;ehdrv;c:\windows\system32\drivers\ehdrv.sys [7/29/2010 12:31 PM 115008]
R1 epfwtdir;epfwtdir;c:\windows\system32\drivers\epfwtdir.sys [8/3/2010 12:28 PM 95896]
R1 HWiNFO32;HWiNFO32 Kernel Driver;c:\program files\HWiNFO32\HWiNFO32.SYS [4/8/2009 2:34 PM 16872]
R2 ekrn;ESET Service;c:\program files\ESET\ESET NOD32 Antivirus\ekrn.exe [11/4/2010 5:15 PM 810144]
R3 hwusbdev;Huawei DataCard USB PNP Device;c:\windows\system32\drivers\ewusbdev.sys [1/21/2010 7:19 PM 100480]
R3 NVHDA;Service for NVIDIA High Definition Audio Driver;c:\windows\system32\drivers\nvhda32.sys [12/14/2008 12:18 AM 41376]
S3 CRFILTER;USB Mass Storage Filter;c:\windows\system32\drivers\CRFILTER.sys [4/7/2008 2:00 PM 6656]
S3 GemCCID;GemCCID;c:\windows\system32\drivers\GemCCID.sys [8/10/2009 12:07 PM 89600]
.
Contents of the 'Scheduled Tasks' folder

2010-11-23 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]
.
.
------- Supplementary Scan -------
.
uStart Page = https://webmail.eu.avon.com/
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
IE: Append to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Send to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
IE: Send To Bluetooth - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
DPF: {62CF4D10-EBA7-45DA-ACA0-4B002E8B3A85} - hxxps://secure.bancaintesabeograd.com/Pages/Download/CABS/DigitrustApiNetSetPlugIn.cab
DPF: {7136C6F0-DE59-4AD5-B4A3-CA8B779D035E} - hxxps://secure.bancaintesabeograd.com/Pages/Download/CABS/DigitrustApiSetPinPlugin.cab
DPF: {DC01983E-2FD5-4200-9C3A-755E86413172} - hxxps://secure.bancaintesabeograd.com/Pages/Download/CABS/DigitrustApiPKCS11Plugin.cab
FF - ProfilePath - c:\documents and settings\Sandra\Application Data\Mozilla\Firefox\Profiles\9bo71q6s.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.facebook.com/home.php?ref=home
FF - plugin: c:\documents and settings\Sandra\Application Data\Facebook\npfbplugin_1_0_1.dll
FF - plugin: c:\documents and settings\Sandra\Application Data\Facebook\npfbplugin_1_0_3.dll
FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\Microsoft\Office Live\npOLW.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np72esk32.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPeWebEditPro.dll
FF - plugin: c:\program files\Windows Live\Photo Gallery\NPWLPG.dll
FF - Extension: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Extension: Java Console: {CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA}
FF - Extension: Java Console: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
FF - Extension: Java Console: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}
FF - Extension: Java Console: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
FF - Extension: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
FF - Extension: Java Console: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
FF - Extension: Java Console: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
FF - Extension: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-11-29 16:28
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\DeterministicNetworks\DNE\Parameters]
"SymbolicLinkValue"=hex(6):5c,00,52,00,65,00,67,00,69,00,73,00,74,00,72,00,79,
00,5c,00,4d,00,41,00,43,00,48,00,49,00,4e,00,45,00,5c,00,53,00,79,00,73,00,\
.
Completion time: 2010-11-29 16:29:43
ComboFix-quarantined-files.txt 2010-11-29 15:29
ComboFix2.txt 2010-11-29 07:54
ComboFix3.txt 2010-11-28 23:34
ComboFix4.txt 2010-11-28 22:35
ComboFix5.txt 2010-11-29 15:21

Pre-Run: 15.984.652.288 bytes free
Post-Run: 16.083.816.448 bytes free

- - End Of File - - 7717C6ECEBB959EDD3E0A3BB21C2AC94

offline
  • dr_Bora  Male
  • Anti Malware Fighter
    Rank 2
  • Joined: 24 Jul 2007
  • Posts: 12280
  • Location: Höganäs, SE

Double-click ComboFix to run it and post the new log.

offline
  • Joined: 01 Oct 2003
  • Posts: 2383
  • Location: Beograd

ComboFix 10-11-29.01 - Sandra 29.11.2010 19:35:14.14.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2815.2124 [GMT 1:00]
Running from: c:\documents and settings\Sandra\Desktop\ComboFix.exe
AV: ESET NOD32 Antivirus 4.2 *On-access scanning disabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Sandra\Application Data\oekx.exe
c:\windows\cfdrive32.exe
c:\windows\system32\72.exe
c:\windows\system32\77.exe
c:\windows\system32\78.exe

.
((((((((((((((((((((((((( Files Created from 2010-10-28 to 2010-11-29 )))))))))))))))))))))))))))))))
.

2010-11-28 21:16 . 2009-08-06 18:24 15064 ----a-w- c:\windows\system32\wuapi.dll.mui
2010-11-25 08:00 . 2010-11-25 08:00 -------- d-----w- c:\documents and settings\Sandra\Local Settings\Application Data\ESET
2010-11-25 07:58 . 2010-11-25 07:58 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\ESET
2010-11-25 07:56 . 2010-11-25 07:56 -------- d-----w- c:\program files\ESET
2010-11-25 07:56 . 2010-11-25 07:56 -------- d-----w- c:\documents and settings\All Users\Application Data\ESET
2010-11-10 09:51 . 2003-03-18 19:04 765952 ----a-w- c:\windows\system32\msvcp71d.dll
2010-11-10 09:51 . 2003-03-18 19:03 544768 ----a-w- c:\windows\system32\msvcr71d.dll
2010-11-10 09:51 . 2010-11-23 08:45 -------- d-----w- c:\program files\ALCATEL PC Suite
2010-11-10 09:50 . 2006-09-09 15:46 131072 ----a-w- c:\windows\system32\mtkjpeg.dll
2010-11-05 20:22 . 2008-04-13 23:15 26112 -c--a-w- c:\windows\system32\dllcache\usbser.sys
2010-11-05 20:22 . 2008-04-13 23:15 26112 ----a-w- c:\windows\system32\drivers\usbser.sys
2010-10-30 21:58 . 2010-10-30 21:58 -------- d-----w- c:\documents and settings\All Users\Application Data\NokiaInstallerCache

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-09-15 02:50 . 2010-04-18 12:29 472808 ----a-w- c:\windows\system32\deployJava1.dll
2010-09-15 00:29 . 2010-04-18 12:29 73728 ----a-w- c:\windows\system32\javacpl.cpl
2008-12-14 22:57 . 2008-12-14 22:57 1851544 ----a-w- c:\program files\install_flash_player.exe
.

((((((((((((((((((((((((((((( SnapShot@2010-11-28_19.39.32 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-11-29 18:19 . 2010-11-29 18:19 16384 c:\windows\temp\Perflib_Perfdata_644.dat
+ 2008-12-14 22:29 . 2009-08-06 18:24 44768 c:\windows\system32\wups2.dll
+ 2008-12-13 14:44 . 2009-08-06 18:24 35552 c:\windows\system32\wups.dll
+ 2008-12-13 14:44 . 2009-08-06 18:24 53472 c:\windows\system32\wuauclt.exe
+ 2010-11-28 21:16 . 2009-08-06 18:24 44768 c:\windows\system32\SoftwareDistribution\Setup\ServiceStartup\wups2.dll\7.4.7600.226\wups2.dll
+ 2010-11-28 21:16 . 2009-08-06 18:24 35552 c:\windows\system32\SoftwareDistribution\Setup\ServiceStartup\wups.dll\7.4.7600.226\wups.dll
+ 2008-12-13 14:44 . 2009-08-06 18:24 35552 c:\windows\system32\dllcache\wups.dll
+ 2008-12-13 14:44 . 2009-08-06 18:24 53472 c:\windows\system32\dllcache\wuauclt.exe
+ 2008-04-14 12:00 . 2009-08-06 18:24 96480 c:\windows\system32\dllcache\cdm.dll
+ 2008-04-14 12:00 . 2009-08-06 18:24 96480 c:\windows\system32\cdm.dll
+ 2008-12-13 14:44 . 2009-08-06 18:23 209624 c:\windows\system32\wuweb.dll
+ 2008-12-13 14:44 . 2009-08-06 18:24 327896 c:\windows\system32\wucltui.dll
+ 2008-12-13 14:44 . 2009-08-06 18:23 575704 c:\windows\system32\wuapi.dll
+ 2010-11-28 21:16 . 2009-08-06 18:23 575704 c:\windows\system32\SoftwareDistribution\Setup\ServiceStartup\wuapi.dll\7.4.7600.226\wuapi.dll
+ 2009-03-18 22:51 . 2009-08-06 18:23 215904 c:\windows\system32\muweb.dll
+ 2008-12-13 14:44 . 2009-08-06 18:23 209624 c:\windows\system32\dllcache\wuweb.dll
+ 2008-12-13 14:44 . 2009-08-06 18:24 327896 c:\windows\system32\dllcache\wucltui.dll
+ 2008-12-13 14:44 . 2009-08-06 18:23 575704 c:\windows\system32\dllcache\wuapi.dll
+ 2008-12-13 14:44 . 2009-08-06 18:23 1929952 c:\windows\system32\wuaueng.dll
+ 2008-12-13 14:44 . 2009-08-06 18:23 1929952 c:\windows\system32\dllcache\wuaueng.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"POP Peeper"="c:\program files\POP Peeper\POPPeeper.exe" [2008-03-11 1429504]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-07-26 3883856]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2010-03-09 26100520]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsgTranAgt"="c:\program files\ASUS\ATK Hotkey\MsgTranAgt.exe" [2008-08-18 117304]
"HControlUser"="c:\program files\ASUS\ATK Hotkey\HControlUser.exe" [2008-08-18 98304]
"ATKHOTKEY"="c:\program files\ASUS\ATK Hotkey\HControl.exe" [2008-10-20 166456]
"ATKOSD2"="c:\program files\ATKOSD2\ATKOSD2.exe" [2008-01-23 7766016]
"ATKMEDIA"="c:\program files\ASUS\ATK Media\DMEDIA.EXE" [2008-02-01 61440]
"RTHDCPL"="RTHDCPL.EXE" [2008-09-18 16855040]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-09-19 13545472]
"nwiz"="nwiz.exe" [2008-09-19 1630208]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-09-19 86016]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-10-12 815104]
"Wireless Console 2"="c:\program files\Wireless Console 2\wcourier.exe" [2007-07-05 1040384]
"ACU"="c:\program files\Atheros\ACU.exe" [2008-07-21 450649]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"Power_Gear"="c:\program files\ASUS\Power4 Gear\BatteryLife.exe" [2006-07-26 90112]
"googletalk"="c:\program files\Google\Google Talk\googletalk.exe" [2007-01-01 3739648]
"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2010-09-23 624056]
"PCSuiteTrayApplication"="c:\program files\Nokia\Nokia PC Suite 6\LaunchApplication.exe" [2007-03-23 227328]
"gemstrmw"="c:\windows\system32\gemstrmw.exe" [2005-02-07 24576]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-03-17 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-04-28 142120]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2010-09-24 40368]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
"egui"="c:\program files\ESET\ESET NOD32 Antivirus\egui.exe" [2010-11-04 2219184]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
"Nokia.PCSync"="c:\program files\Nokia\Nokia PC Suite 6\PcSync2.exe" [2007-03-27 1744896]

c:\documents and settings\Sandra\Start Menu\Programs\Startup\
Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-3-16 113664]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2008-4-14 596584]
Cisco Systems VPN Client.lnk - c:\program files\Cisco Systems\VPN Client\vpngui.exe [2009-3-17 1466384]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Documents and Settings\\All Users\\Application Data\\Kaspersky Lab Setup Files\\Kaspersky Internet Security 7.0.1.321\\English\\setup.exe"=
"c:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"9999:TCP"= 9999:TCP:PORT1
"9991:TCP"= 9991:TCP:PORT2
"1013:TCP"= 1013:TCP:BS
"7943:TCP"= 7943:TCP:FD

R1 ehdrv;ehdrv;c:\windows\system32\drivers\ehdrv.sys [7/29/2010 12:31 PM 115008]
R1 epfwtdir;epfwtdir;c:\windows\system32\drivers\epfwtdir.sys [8/3/2010 12:28 PM 95896]
R1 HWiNFO32;HWiNFO32 Kernel Driver;c:\program files\HWiNFO32\HWiNFO32.SYS [4/8/2009 2:34 PM 16872]
R2 ekrn;ESET Service;c:\program files\ESET\ESET NOD32 Antivirus\ekrn.exe [11/4/2010 5:15 PM 810144]
R3 NVHDA;Service for NVIDIA High Definition Audio Driver;c:\windows\system32\drivers\nvhda32.sys [12/14/2008 12:18 AM 41376]
S3 CRFILTER;USB Mass Storage Filter;c:\windows\system32\drivers\CRFILTER.sys [4/7/2008 2:00 PM 6656]
S3 GemCCID;GemCCID;c:\windows\system32\drivers\GemCCID.sys [8/10/2009 12:07 PM 89600]
S3 hwusbdev;Huawei DataCard USB PNP Device;c:\windows\system32\drivers\ewusbdev.sys [1/21/2010 7:19 PM 100480]
.
Contents of the 'Scheduled Tasks' folder

2010-11-23 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]
.
.
------- Supplementary Scan -------
.
uStart Page = https://webmail.eu.avon.com/
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
IE: Append to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Send to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
IE: Send To Bluetooth - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
DPF: {62CF4D10-EBA7-45DA-ACA0-4B002E8B3A85} - hxxps://secure.bancaintesabeograd.com/Pages/Download/CABS/DigitrustApiNetSetPlugIn.cab
DPF: {7136C6F0-DE59-4AD5-B4A3-CA8B779D035E} - hxxps://secure.bancaintesabeograd.com/Pages/Download/CABS/DigitrustApiSetPinPlugin.cab
DPF: {DC01983E-2FD5-4200-9C3A-755E86413172} - hxxps://secure.bancaintesabeograd.com/Pages/Download/CABS/DigitrustApiPKCS11Plugin.cab
FF - ProfilePath - c:\documents and settings\Sandra\Application Data\Mozilla\Firefox\Profiles\9bo71q6s.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.facebook.com/home.php?ref=home
FF - plugin: c:\documents and settings\Sandra\Application Data\Facebook\npfbplugin_1_0_1.dll
FF - plugin: c:\documents and settings\Sandra\Application Data\Facebook\npfbplugin_1_0_3.dll
FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\Microsoft\Office Live\npOLW.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np72esk32.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPeWebEditPro.dll
FF - plugin: c:\program files\Windows Live\Photo Gallery\NPWLPG.dll
FF - Extension: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Extension: Java Console: {CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA}
FF - Extension: Java Console: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
FF - Extension: Java Console: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}
FF - Extension: Java Console: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
FF - Extension: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
FF - Extension: Java Console: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
FF - Extension: Java Console: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
FF - Extension: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-11-29 19:39
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\DeterministicNetworks\DNE\Parameters]
"SymbolicLinkValue"=hex(6):5c,00,52,00,65,00,67,00,69,00,73,00,74,00,72,00,79,
00,5c,00,4d,00,41,00,43,00,48,00,49,00,4e,00,45,00,5c,00,53,00,79,00,73,00,\
.
Completion time: 2010-11-29 19:40:36
ComboFix-quarantined-files.txt 2010-11-29 18:40
ComboFix2.txt 2010-11-29 15:29
ComboFix3.txt 2010-11-29 07:54
ComboFix4.txt 2010-11-28 23:34
ComboFix5.txt 2010-11-29 18:33

Pre-Run: 16.084.672.512 bytes free
Post-Run: 16.067.563.520 bytes free

- - End Of File - - 8F6A65E57267C5A2F6C9DDE83EF2E782

offline
  • dr_Bora  Male
  • Anti Malware Fighter
    Rank 2
  • Joined: 24 Jul 2007
  • Posts: 12280
  • Location: Höganäs, SE

New malware keeps appearing here.

Is that computer connected to some network?

Start > Run:

combofix /F3M

Post the log you get...
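The point dr_Bora is making can be checked mechanically rather than by eye: take the "Other Deletions" section of one ComboFix run and the "Files Created" section of the next, and see which removed paths came straight back. The script below is an added example for this thread, not code from the thread or from ComboFix; it parses the two section formats exactly as they appear in the logs above (the embedded excerpts are trimmed copies of the second and third runs, so constructed test input) and also flags new entries by three heuristics that are my own assumptions for illustration, not ComboFix rules: system+hidden attributes on a file, a purely numeric `NN.exe` in system32, and an `.exe` sitting directly in the user's Application Data root.

```python
"""Cross-check two ComboFix logs: report paths deleted in an earlier run that
came back in a later run, plus new files whose name/attributes look like
dropper output. Log excerpts are trimmed from this thread (constructed input)."""
import re
from dataclasses import dataclass

# Second ComboFix run from the thread: the files it removed.
LOG_EARLIER = r"""
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\documents and settings\Sandra\Application Data\oekx.exe
c:\windows\cfdrive32.exe
c:\windows\system32\72.exe
c:\windows\system32\77.exe
c:\windows\system32\78.exe
.
"""
# Third run (combofix /F3M), under an hour later: what appeared in between.
LOG_LATER = r"""
((((((((((((((((((((((((( Files Created from 2010-10-28 to 2010-11-29 )))))))))))))))))))))))))))))))
.
2010-11-29 18:57 . 2010-11-29 18:57 98304 ----a-w- c:\windows\system32\60.exe
2010-11-29 18:52 . 2010-11-29 19:19 126976 --sh--r- c:\windows\cfdrive32.exe
2010-11-29 18:52 . 2010-11-29 19:18 98304 --sh--r- c:\documents and settings\Sandra\Application Data\oekx.exe
2010-11-29 18:51 . 2010-11-29 18:51 98304 ----a-w- c:\windows\system32\88.exe
2010-11-29 18:42 . 2010-11-29 18:42 101696 ----a-w- c:\windows\system32\msvmiode.exe
2010-11-29 18:42 . 2010-11-29 18:42 126976 --sh--r- c:\windows\cwdrive32.exe
2010-11-29 18:42 . 2010-11-29 18:42 94208 --sh--r- c:\documents and settings\Sandra\Application Data\ltzqai.exe
2010-11-29 18:42 . 2010-11-29 18:42 98304 ----a-w- c:\windows\system32\35.exe
2010-11-28 21:16 . 2009-08-06 18:24 15064 ----a-w- c:\windows\system32\wuapi.dll.mui
2010-11-25 07:56 . 2010-11-25 07:56 -------- d-----w- c:\program files\ESET
2010-11-05 20:22 . 2008-04-13 23:15 26112 -c--a-w- c:\windows\system32\dllcache\usbser.sys
.
"""

SECTION_RE = re.compile(r"^\(+\s*(.+?)\s*\)+\s*$")   # "(((( Title ))))" header line
CREATED_RE = re.compile(                               # one "Files Created" row
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. "
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2})\s+"
    r"(?P<size>\S+)\s+(?P<attrs>[-a-z]{8})\s+(?P<path>.+?)\s*$")
# Heuristics (my assumptions, not ComboFix rules) for the pattern seen in this thread.
NUMBERED_SYS32_EXE = re.compile(r"\\windows\\system32\\\d{1,3}\.exe$", re.I)
APPDATA_ROOT_EXE = re.compile(r"\\application data\\[^\\]+\.exe$", re.I)


@dataclass
class CreatedFile:
    created: str
    modified: str
    size: str
    attrs: str   # ComboFix flag string, e.g. "--sh--r-" = system, hidden, read-only
    path: str


def parse_sections(log: str) -> dict[str, list[str]]:
    """Split a ComboFix log into {section title: non-empty body lines}."""
    sections: dict[str, list[str]] = {}
    title = None
    for line in log.splitlines():
        m = SECTION_RE.match(line)
        if m:
            title = m.group(1)
            sections[title] = []
        elif title is not None and line.strip() not in ("", "."):
            sections[title].append(line.rstrip())
    return sections


def section(sections: dict[str, list[str]], prefix: str) -> list[str]:
    """First section whose title starts with prefix (e.g. 'Files Created from ...')."""
    return next((v for k, v in sections.items() if k.startswith(prefix)), [])


def parse_created(lines: list[str]) -> list[CreatedFile]:
    return [CreatedFile(**m.groupdict()) for m in map(CREATED_RE.match, lines) if m]


def suspicious_reasons(f: CreatedFile) -> list[str]:
    """Why a created entry looks like dropper output; empty list = nothing odd."""
    if f.attrs.startswith("d"):            # directories are never flagged
        return []
    reasons = []
    if "s" in f.attrs and "h" in f.attrs:
        reasons.append("system+hidden attributes")
    if NUMBERED_SYS32_EXE.search(f.path):
        reasons.append("numbered .exe in system32")
    if APPDATA_ROOT_EXE.search(f.path):
        reasons.append(".exe directly in Application Data root")
    return reasons


def compare(earlier_log: str, later_log: str) -> dict:
    """Paths deleted in the earlier run that reappeared, plus flagged new files."""
    deleted = {p.lower() for p in section(parse_sections(earlier_log), "Other Deletions")}
    created = parse_created(section(parse_sections(later_log), "Files Created"))
    reappeared = sorted(f.path.lower() for f in created if f.path.lower() in deleted)
    flagged = {f.path: r for f in created if (r := suspicious_reasons(f))}
    return {"reappeared": reappeared, "flagged": flagged}


if __name__ == "__main__":
    result = compare(LOG_EARLIER, LOG_LATER)
    for p in result["reappeared"]:
        print("REAPPEARED after deletion:", p)
    for p, why in result["flagged"].items():
        print("SUSPICIOUS:", p, "->", "; ".join(why))
```

On the excerpts above the script reports `cfdrive32.exe` and `oekx.exe` as reappeared and flags seven new files (the three numbered system32 executables and the four system+hidden ones), while the benign entries (the ESET directory, the Windows Update MUI file, the usbser.sys driver) stay silent. Note that the created timestamps start at 18:42, which once the one-hour offset in the log header is applied is minutes after the previous run finished at 19:40: files being re-dropped that quickly means something still running on the box is writing them, which is why dr_Bora asks whether the machine is on a network. A file with attributes `--sh--r-` in the user profile is also worth treating as a red flag on its own, since legitimate user-profile programs have no reason to be system+hidden+read-only.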

offline
  • Joined: 01 Oct 2003
  • Posts: 2383
  • Location: Beograd

Posted: 29 Nov 2010 20:08

P.S. I didn't even get a chance to comment...
Today I had to shut the laptop down at least 20 times because it either froze completely or shut itself down on its own.
And it has been throwing these two messages at me all day..... Any click on "ok" or 'cancel' does not solve the problem.
NOD goes crazy every 10 minutes reporting that there is some trojan or worm and that it has deleted it.....




Update: 29 Nov 2010 20:09

It is not networked.
Occasionally it is, but not in the last three months.

Update: 29 Nov 2010 20:28

ComboFix 10-11-29.02 - Sandra 29.11.2010 20:26:23.15.2 - x86
Running from: c:\documents and settings\Sandra\Desktop\ComboFix.exe
Command switches used :: /F3M
AV: ESET NOD32 Antivirus 4.2 *On-access scanning disabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
.
((((((((((((((((((((((((( Files Created from 2010-10-28 to 2010-11-29 )))))))))))))))))))))))))))))))
.

2010-11-29 18:57 . 2010-11-29 18:57 98304 ----a-w- c:\windows\system32\60.exe
2010-11-29 18:52 . 2010-11-29 19:19 126976 --sh--r- c:\windows\cfdrive32.exe
2010-11-29 18:52 . 2010-11-29 19:18 98304 --sh--r- c:\documents and settings\Sandra\Application Data\oekx.exe
2010-11-29 18:51 . 2010-11-29 18:51 98304 ----a-w- c:\windows\system32\88.exe
2010-11-29 18:42 . 2010-11-29 18:42 101696 ----a-w- c:\windows\system32\msvmiode.exe
2010-11-29 18:42 . 2010-11-29 18:42 126976 --sh--r- c:\windows\cwdrive32.exe
2010-11-29 18:42 . 2010-11-29 18:42 94208 --sh--r- c:\documents and settings\Sandra\Application Data\ltzqai.exe
2010-11-29 18:42 . 2010-11-29 18:42 98304 ----a-w- c:\windows\system32\35.exe
2010-11-28 21:16 . 2009-08-06 18:24 15064 ----a-w- c:\windows\system32\wuapi.dll.mui
2010-11-25 08:00 . 2010-11-25 08:00 -------- d-----w- c:\documents and settings\Sandra\Local Settings\Application Data\ESET
2010-11-25 07:58 . 2010-11-25 07:58 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\ESET
2010-11-25 07:56 . 2010-11-25 07:56 -------- d-----w- c:\program files\ESET
2010-11-25 07:56 . 2010-11-25 07:56 -------- d-----w- c:\documents and settings\All Users\Application Data\ESET
2010-11-10 09:51 . 2003-03-18 19:04 765952 ----a-w- c:\windows\system32\msvcp71d.dll
2010-11-10 09:51 . 2003-03-18 19:03 544768 ----a-w- c:\windows\system32\msvcr71d.dll
2010-11-10 09:51 . 2010-11-23 08:45 -------- d-----w- c:\program files\ALCATEL PC Suite
2010-11-10 09:50 . 2006-09-09 15:46 131072 ----a-w- c:\windows\system32\mtkjpeg.dll
2010-11-05 20:22 . 2008-04-13 23:15 26112 -c--a-w- c:\windows\system32\dllcache\usbser.sys
2010-11-05 20:22 . 2008-04-13 23:15 26112 ----a-w- c:\windows\system32\drivers\usbser.sys
2010-10-30 21:58 . 2010-10-30 21:58 -------- d-----w- c:\documents and settings\All Users\Application Data\NokiaInstallerCache

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-09-15 02:50 . 2010-04-18 12:29 472808 ----a-w- c:\windows\system32\deployJava1.dll
2010-09-15 00:29 . 2010-04-18 12:29 73728 ----a-w- c:\windows\system32\javacpl.cpl
2008-12-14 22:57 . 2008-12-14 22:57 1851544 ----a-w- c:\program files\install_flash_player.exe
.

((((((((((((((((((((((((((((( SnapShot@2010-11-28_19.39.32 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-11-29 19:18 . 2010-11-29 19:18 16384 c:\windows\temp\Perflib_Perfdata_670.dat
+ 2010-11-29 18:48 . 2010-11-29 18:48 16384 c:\windows\temp\Perflib_Perfdata_668.dat
+ 2010-11-29 18:19 . 2010-11-29 18:19 16384 c:\windows\temp\Perflib_Perfdata_644.dat
+ 2010-11-29 19:13 . 2010-11-29 19:13 16384 c:\windows\temp\Perflib_Perfdata_600.dat
+ 2008-12-14 22:29 . 2009-08-06 18:24 44768 c:\windows\system32\wups2.dll
+ 2008-12-13 14:44 . 2009-08-06 18:24 35552 c:\windows\system32\wups.dll
+ 2008-12-13 14:44 . 2009-08-06 18:24 53472 c:\windows\system32\wuauclt.exe
+ 2010-11-28 21:16 . 2009-08-06 18:24 44768 c:\windows\system32\SoftwareDistribution\Setup\ServiceStartup\wups2.dll\7.4.7600.226\wups2.dll
+ 2010-11-28 21:16 . 2009-08-06 18:24 35552 c:\windows\system32\SoftwareDistribution\Setup\ServiceStartup\wups.dll\7.4.7600.226\wups.dll
+ 2008-12-13 14:44 . 2009-08-06 18:24 35552 c:\windows\system32\dllcache\wups.dll
+ 2008-12-13 14:44 . 2009-08-06 18:24 53472 c:\windows\system32\dllcache\wuauclt.exe
+ 2008-04-14 12:00 . 2009-08-06 18:24 96480 c:\windows\system32\dllcache\cdm.dll
+ 2008-04-14 12:00 . 2009-08-06 18:24 96480 c:\windows\system32\cdm.dll
+ 2008-12-13 14:44 . 2009-08-06 18:23 209624 c:\windows\system32\wuweb.dll
+ 2008-12-13 14:44 . 2009-08-06 18:24 327896 c:\windows\system32\wucltui.dll
+ 2008-12-13 14:44 . 2009-08-06 18:23 575704 c:\windows\system32\wuapi.dll
+ 2010-11-28 21:16 . 2009-08-06 18:23 575704 c:\windows\system32\SoftwareDistribution\Setup\ServiceStartup\wuapi.dll\7.4.7600.226\wuapi.dll
+ 2009-03-18 22:51 . 2009-08-06 18:23 215904 c:\windows\system32\muweb.dll
+ 2008-12-13 14:44 . 2009-08-06 18:23 209624 c:\windows\system32\dllcache\wuweb.dll
+ 2008-12-13 14:44 . 2009-08-06 18:24 327896 c:\windows\system32\dllcache\wucltui.dll
+ 2008-12-13 14:44 . 2009-08-06 18:23 575704 c:\windows\system32\dllcache\wuapi.dll
+ 2008-12-13 14:44 . 2009-08-06 18:23 1929952 c:\windows\system32\wuaueng.dll
+ 2008-12-13 14:44 . 2009-08-06 18:23 1929952 c:\windows\system32\dllcache\wuaueng.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"POP Peeper"="c:\program files\POP Peeper\POPPeeper.exe" [2008-03-11 1429504]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-07-26 3883856]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2010-03-09 26100520]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsgTranAgt"="c:\program files\ASUS\ATK Hotkey\MsgTranAgt.exe" [2008-08-18 117304]
"HControlUser"="c:\program files\ASUS\ATK Hotkey\HControlUser.exe" [2008-08-18 98304]
"ATKHOTKEY"="c:\program files\ASUS\ATK Hotkey\HControl.exe" [2008-10-20 166456]
"ATKOSD2"="c:\program files\ATKOSD2\ATKOSD2.exe" [2008-01-23 7766016]
"ATKMEDIA"="c:\program files\ASUS\ATK Media\DMEDIA.EXE" [2008-02-01 61440]
"RTHDCPL"="RTHDCPL.EXE" [2008-09-18 16855040]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-09-19 13545472]
"nwiz"="nwiz.exe" [2008-09-19 1630208]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-09-19 86016]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-10-12 815104]
"Wireless Console 2"="c:\program files\Wireless Console 2\wcourier.exe" [2007-07-05 1040384]
"ACU"="c:\program files\Atheros\ACU.exe" [2008-07-21 450649]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"Power_Gear"="c:\program files\ASUS\Power4 Gear\BatteryLife.exe" [2006-07-26 90112]
"googletalk"="c:\program files\Google\Google Talk\googletalk.exe" [2007-01-01 3739648]
"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2010-09-23 624056]
"PCSuiteTrayApplication"="c:\program files\Nokia\Nokia PC Suite 6\LaunchApplication.exe" [2007-03-23 227328]
"gemstrmw"="c:\windows\system32\gemstrmw.exe" [2005-02-07 24576]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-03-17 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-04-28 142120]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2010-09-24 40368]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
"egui"="c:\program files\ESET\ESET NOD32 Antivirus\egui.exe" [2010-11-04 2219184]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
"Nokia.PCSync"="c:\program files\Nokia\Nokia PC Suite 6\PcSync2.exe" [2007-03-27 1744896]

c:\documents and settings\Sandra\Start Menu\Programs\Startup\
Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-3-16 113664]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2008-4-14 596584]
Cisco Systems VPN Client.lnk - c:\program files\Cisco Systems\VPN Client\vpngui.exe [2009-3-17 1466384]

[HKEY_CURRENT_USER\software\microsoft\windows nt\currentversion\winlogon]
"Shell"="c:\documents and settings\Sandra\Application Data\oekx.exe,explorer.exe,c:\recycler\S-1-5-21-9971207920-4331519470-743919400-4157\winmap.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Taskman"="c:\documents and settings\Sandra\Application Data\oekx.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Documents and Settings\\All Users\\Application Data\\Kaspersky Lab Setup Files\\Kaspersky Internet Security 7.0.1.321\\English\\setup.exe"=
"c:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"9999:TCP"= 9999:TCP:PORT1
"9991:TCP"= 9991:TCP:PORT2
"1013:TCP"= 1013:TCP:BS
"7943:TCP"= 7943:TCP:FD

R1 ehdrv;ehdrv;c:\windows\system32\drivers\ehdrv.sys [7/29/2010 12:31 PM 115008]
R1 epfwtdir;epfwtdir;c:\windows\system32\drivers\epfwtdir.sys [8/3/2010 12:28 PM 95896]
R1 HWiNFO32;HWiNFO32 Kernel Driver;c:\program files\HWiNFO32\HWiNFO32.SYS [4/8/2009 2:34 PM 16872]
R2 ekrn;ESET Service;c:\program files\ESET\ESET NOD32 Antivirus\ekrn.exe [11/4/2010 5:15 PM 810144]
R3 NVHDA;Service for NVIDIA High Definition Audio Driver;c:\windows\system32\drivers\nvhda32.sys [12/14/2008 12:18 AM 41376]
S3 CRFILTER;USB Mass Storage Filter;c:\windows\system32\drivers\CRFILTER.sys [4/7/2008 2:00 PM 6656]
S3 GemCCID;GemCCID;c:\windows\system32\drivers\GemCCID.sys [8/10/2009 12:07 PM 89600]
S3 hwusbdev;Huawei DataCard USB PNP Device;c:\windows\system32\drivers\ewusbdev.sys [1/21/2010 7:19 PM 100480]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
vqyln
.
Contents of the 'Scheduled Tasks' folder

2010-11-23 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]
.
.
------- Supplementary Scan -------
.
uStart Page = https://webmail.eu.avon.com/
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
IE: Append to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Send to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
IE: Send To Bluetooth - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
DPF: {62CF4D10-EBA7-45DA-ACA0-4B002E8B3A85} - hxxps://secure.bancaintesabeograd.com/Pages/Download/CABS/DigitrustApiNetSetPlugIn.cab
DPF: {7136C6F0-DE59-4AD5-B4A3-CA8B779D035E} - hxxps://secure.bancaintesabeograd.com/Pages/Download/CABS/DigitrustApiSetPinPlugin.cab
DPF: {DC01983E-2FD5-4200-9C3A-755E86413172} - hxxps://secure.bancaintesabeograd.com/Pages/Download/CABS/DigitrustApiPKCS11Plugin.cab
FF - ProfilePath - c:\documents and settings\Sandra\Application Data\Mozilla\Firefox\Profiles\9bo71q6s.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.facebook.com/home.php?ref=home
FF - plugin: c:\documents and settings\Sandra\Application Data\Facebook\npfbplugin_1_0_1.dll
FF - plugin: c:\documents and settings\Sandra\Application Data\Facebook\npfbplugin_1_0_3.dll
FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\Microsoft\Office Live\npOLW.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np72esk32.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPeWebEditPro.dll
FF - plugin: c:\program files\Windows Live\Photo Gallery\NPWLPG.dll
FF - Extension: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Extension: Java Console: {CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA}
FF - Extension: Java Console: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
FF - Extension: Java Console: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}
FF - Extension: Java Console: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
FF - Extension: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
FF - Extension: Java Console: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
FF - Extension: Java Console: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
FF - Extension: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-psysnew - c:\recycler\S-1-5-21-0243556031-888888379-781863308-1455\psysnew.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-11-29 20:26
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\vqyln]
"ServiceDll"="c:\windows\system32\iyxvc.dll"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\DeterministicNetworks\DNE\Parameters]
"SymbolicLinkValue"=hex(6):5c,00,52,00,65,00,67,00,69,00,73,00,74,00,72,00,79,
00,5c,00,4d,00,41,00,43,00,48,00,49,00,4e,00,45,00,5c,00,53,00,79,00,73,00,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(2524)
c:\windows\system32\btmmhook.dll
.
Completion time: 2010-11-29 20:28:26
ComboFix-quarantined-files.txt 2010-11-29 19:28
ComboFix2.txt 2010-11-29 18:40
ComboFix3.txt 2010-11-29 15:29
ComboFix4.txt 2010-11-29 07:54
ComboFix5.txt 2010-11-29 19:25

Post-Run: 16.518.778.880 bytes free

- - End Of File - - 131896C8E8584F4B5E32C8CC9AE4FFCF

  • dr_Bora  Male
  • Anti Malware Fighter
    Rank 2
  • Joined: 24 Jul 2007
  • Posts: 12280
  • Location: Höganäs, SE

Download The Avenger to the Desktop.
Unpack the archive into a folder.

Double-click avenger.exe to run it.

Copy the text inside the Code box into the program's (white) window:


Files to delete:
c:\windows\system32\60.exe
c:\windows\cfdrive32.exe
c:\documents and settings\Sandra\Application Data\oekx.exe
c:\windows\system32\88.exe
c:\windows\system32\msvmiode.exe
c:\windows\cwdrive32.exe
c:\documents and settings\Sandra\Application Data\ltzqai.exe
c:\windows\system32\35.exe
c:\windows\system32\iyxvc.dll

Folders to delete:
c:\recycler\S-1-5-21-9971207920-4331519470-743919400-4157

Registry values to delete:
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon|Taskman

Drivers to delete:
vqyln



Tick the boxes in front of the following options:
Scan for rootkits
Automatically disable any rootkits found

Click Execute, then Yes in the next two windows that will open.

The computer will restart (in some cases twice) and the cleaning/scanning process will begin.

When the process is finished, the log file C:\avenger.txt will open in Notepad.

Paste the contents of the resulting log into the forum thread.


Start > Run:

combofix /F3M

Post the log you get...
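The Avenger script in the post above was assembled by reading the ComboFix log by hand: hidden-system executables created minutes ago, numeric-named .exe files in system32, a Winlogon Shell value that is no longer just explorer.exe, a Taskman value that a stock XP install does not have, a fake Recycler SID folder, and a non-default svchost NetSvcs entry whose ServiceDll points at a random DLL. The following Python helper is an added example (not the poster's code and not part of ComboFix or The Avenger) that applies exactly those triage rules to a log excerpt and renders the result in the section format The Avenger reads. The sample log is constructed here from entries that appear in this thread; the heuristics are the editor's and treat every listed NetSvcs name as suspect because, as the log itself states, ComboFix only lists non-default entries.

```python
"""Triage a ComboFix-style log for the persistence indicators used in this
thread and emit an Avenger-style removal script (added example, constructed
sample data; not the forum poster's tool)."""
import re

# Constructed excerpt: lines taken from the ComboFix logs posted in the thread.
SAMPLE_LOG = r"""
2010-11-29 18:57 . 2010-11-29 18:57 98304 ----a-w- c:\windows\system32\60.exe
2010-11-29 18:52 . 2010-11-29 19:19 126976 --sh--r- c:\windows\cfdrive32.exe
2010-11-29 18:52 . 2010-11-29 19:18 98304 --sh--r- c:\documents and settings\Sandra\Application Data\oekx.exe
2010-11-28 21:16 . 2009-08-06 18:24 15064 ----a-w- c:\windows\system32\wuapi.dll.mui
2010-11-25 07:56 . 2010-11-25 07:56 -------- d-----w- c:\program files\ESET
[HKEY_CURRENT_USER\software\microsoft\windows nt\currentversion\winlogon]
"Shell"="c:\documents and settings\Sandra\Application Data\oekx.exe,explorer.exe,c:\recycler\S-1-5-21-9971207920-4331519470-743919400-4157\winmap.exe"
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Taskman"="c:\documents and settings\Sandra\Application Data\oekx.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
vqyln
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\vqyln]
"ServiceDll"="c:\windows\system32\iyxvc.dll"
"""

# "<created> . <modified> <size|--------> <attrs> <path>" as ComboFix prints it
FILE_LINE = re.compile(
    r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2} \. \d{4}-\d{2}-\d{2} \d{2}:\d{2} "
    r"(?:\d+|-{8}) (?P<attrs>[-a-z]{8}) (?P<path>.+)$")
KEY_LINE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
VALUE_LINE = re.compile(r'^"(?P<name>[^"]+)"="(?P<data>.*)"$')
NUMERIC_EXE = re.compile(r"^c:\\windows\\system32\\\d+\.exe$", re.I)
RECYCLER_DIR = re.compile(r"^(c:\\recycler\\S-1-5-21-[\d-]+)\\", re.I)


def _add_path(found, path):
    """A loader living under a fake Recycler SID folder: remove the whole folder."""
    m = RECYCLER_DIR.match(path)
    if m:
        found["folders"].add(m.group(1))
    else:
        found["files"].add(path)


def _note_value(found, key, name, data):
    key_l = key.lower()
    if key_l.endswith("\\winlogon") and name == "Shell":
        # Shell must be exactly explorer.exe; every extra entry is an injected loader.
        for entry in data.split(","):
            entry = entry.strip()
            if entry and entry.lower() != "explorer.exe":
                _add_path(found, entry)
    elif key_l.endswith("\\winlogon") and name == "Taskman":
        # Taskman is absent on a stock XP install, so both value and target go.
        _add_path(found, data)
        found["values"].add(f"{key}|{name}")
    elif name == "ServiceDll":
        # DLL backing a service that was already flagged from the NetSvcs list.
        service = key_l.rsplit("\\", 1)[-1]
        if service in {d.lower() for d in found["drivers"]}:
            _add_path(found, data)


def triage(log_text):
    """Return sets of files, folders, registry values and services to remove."""
    found = {"files": set(), "folders": set(), "values": set(), "drivers": set()}
    current_key = None
    in_netsvcs = False
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line or line == ".":
            in_netsvcs = False
            continue
        if in_netsvcs and not line.startswith("["):
            found["drivers"].add(line)  # ComboFix lists only non-default names here
            continue
        in_netsvcs = False
        if line.endswith("Svchost - NetSvcs"):
            in_netsvcs = True
            continue
        m = FILE_LINE.match(line)
        if m:
            attrs, path = m.group("attrs"), m.group("path")
            # Hidden+system executables, or numeric-named .exe dropped into system32.
            hidden_system_exe = "s" in attrs and "h" in attrs and path.lower().endswith(".exe")
            if hidden_system_exe or NUMERIC_EXE.match(path):
                found["files"].add(path)
            continue
        m = KEY_LINE.match(line)
        if m:
            current_key = m.group("key")
            continue
        m = VALUE_LINE.match(line)
        if m and current_key:
            _note_value(found, current_key, m.group("name"), m.group("data"))
    return found


def render_avenger_script(found):
    """Lay the findings out in the section format shown in the post above."""
    sections = [("Files to delete:", "files"), ("Folders to delete:", "folders"),
                ("Registry values to delete:", "values"), ("Drivers to delete:", "drivers")]
    out = []
    for title, key in sections:
        if found[key]:
            out.append(title)
            out.extend(sorted(found[key]))
            out.append("")
    return "\n".join(out).rstrip("\n")


if __name__ == "__main__":
    print(render_avenger_script(triage(SAMPLE_LOG)))
```

Run it and compare the output with the hand-written script in the post: the four indicator families (Shell hijack, Taskman, NetSvcs service plus its ServiceDll, hidden-system droppers) all resolve to the same entries the helper listed. The heuristics are deliberately narrow; a real triage still reviews every flagged path before anything is deleted.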

  • Joined: 01 Oct 2003
  • Posts: 2383
  • Location: Beograd

ComboFix 10-11-29.02 - Sandra 29.11.2010 20:49:27.16.2 - x86
Running from: c:\documents and settings\Sandra\Desktop\ComboFix.exe
Command switches used :: /F3M
AV: ESET NOD32 Antivirus 4.2 *On-access scanning disabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
.
((((((((((((((((((((((((( Files Created from 2010-10-28 to 2010-11-29 )))))))))))))))))))))))))))))))
.

2010-11-29 19:49 . 2010-11-29 19:49 126976 --sh--r- c:\windows\cwdrive32.exe
2010-11-29 19:49 . 2010-11-29 19:49 94208 --sh--r- c:\documents and settings\Sandra\Application Data\ltzqai.exe
2010-11-29 19:48 . 2010-11-29 19:48 98304 ----a-w- c:\windows\system32\00.exe
2010-11-28 21:16 . 2009-08-06 18:24 15064 ----a-w- c:\windows\system32\wuapi.dll.mui
2010-11-25 08:00 . 2010-11-25 08:00 -------- d-----w- c:\documents and settings\Sandra\Local Settings\Application Data\ESET
2010-11-25 07:58 . 2010-11-25 07:58 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\ESET
2010-11-25 07:56 . 2010-11-25 07:56 -------- d-----w- c:\program files\ESET
2010-11-25 07:56 . 2010-11-25 07:56 -------- d-----w- c:\documents and settings\All Users\Application Data\ESET
2010-11-10 09:51 . 2003-03-18 19:04 765952 ----a-w- c:\windows\system32\msvcp71d.dll
2010-11-10 09:51 . 2003-03-18 19:03 544768 ----a-w- c:\windows\system32\msvcr71d.dll
2010-11-10 09:51 . 2010-11-23 08:45 -------- d-----w- c:\program files\ALCATEL PC Suite
2010-11-10 09:50 . 2006-09-09 15:46 131072 ----a-w- c:\windows\system32\mtkjpeg.dll
2010-11-05 20:22 . 2008-04-13 23:15 26112 -c--a-w- c:\windows\system32\dllcache\usbser.sys
2010-11-05 20:22 . 2008-04-13 23:15 26112 ----a-w- c:\windows\system32\drivers\usbser.sys
2010-10-30 21:58 . 2010-10-30 21:58 -------- d-----w- c:\documents and settings\All Users\Application Data\NokiaInstallerCache

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-11-29 19:49 . 2010-11-29 19:49 101696 ----a-w- c:\windows\system32\msvmiode.exe
2010-09-15 02:50 . 2010-04-18 12:29 472808 ----a-w- c:\windows\system32\deployJava1.dll
2010-09-15 00:29 . 2010-04-18 12:29 73728 ----a-w- c:\windows\system32\javacpl.cpl
2008-12-14 22:57 . 2008-12-14 22:57 1851544 ----a-w- c:\program files\install_flash_player.exe
.

((((((((((((((((((((((((((((( SnapShot@2010-11-28_19.39.32 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-11-29 19:46 . 2010-11-29 19:46 16384 c:\windows\temp\Perflib_Perfdata_680.dat
+ 2008-12-14 22:29 . 2009-08-06 18:24 44768 c:\windows\system32\wups2.dll
+ 2008-12-13 14:44 . 2009-08-06 18:24 35552 c:\windows\system32\wups.dll
+ 2008-12-13 14:44 . 2009-08-06 18:24 53472 c:\windows\system32\wuauclt.exe
+ 2010-11-28 21:16 . 2009-08-06 18:24 44768 c:\windows\system32\SoftwareDistribution\Setup\ServiceStartup\wups2.dll\7.4.7600.226\wups2.dll
+ 2010-11-28 21:16 . 2009-08-06 18:24 35552 c:\windows\system32\SoftwareDistribution\Setup\ServiceStartup\wups.dll\7.4.7600.226\wups.dll
+ 2008-12-13 14:44 . 2009-08-06 18:24 35552 c:\windows\system32\dllcache\wups.dll
+ 2008-12-13 14:44 . 2009-08-06 18:24 53472 c:\windows\system32\dllcache\wuauclt.exe
+ 2008-04-14 12:00 . 2009-08-06 18:24 96480 c:\windows\system32\dllcache\cdm.dll
+ 2008-04-14 12:00 . 2009-08-06 18:24 96480 c:\windows\system32\cdm.dll
+ 2008-12-13 14:44 . 2009-08-06 18:23 209624 c:\windows\system32\wuweb.dll
+ 2008-12-13 14:44 . 2009-08-06 18:24 327896 c:\windows\system32\wucltui.dll
+ 2008-12-13 14:44 . 2009-08-06 18:23 575704 c:\windows\system32\wuapi.dll
+ 2010-11-28 21:16 . 2009-08-06 18:23 575704 c:\windows\system32\SoftwareDistribution\Setup\ServiceStartup\wuapi.dll\7.4.7600.226\wuapi.dll
+ 2009-03-18 22:51 . 2009-08-06 18:23 215904 c:\windows\system32\muweb.dll
+ 2008-12-13 14:44 . 2009-08-06 18:23 209624 c:\windows\system32\dllcache\wuweb.dll
+ 2008-12-13 14:44 . 2009-08-06 18:24 327896 c:\windows\system32\dllcache\wucltui.dll
+ 2008-12-13 14:44 . 2009-08-06 18:23 575704 c:\windows\system32\dllcache\wuapi.dll
+ 2008-12-13 14:44 . 2009-08-06 18:23 1929952 c:\windows\system32\wuaueng.dll
+ 2008-12-13 14:44 . 2009-08-06 18:23 1929952 c:\windows\system32\dllcache\wuaueng.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"POP Peeper"="c:\program files\POP Peeper\POPPeeper.exe" [2008-03-11 1429504]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-07-26 3883856]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2010-03-09 26100520]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsgTranAgt"="c:\program files\ASUS\ATK Hotkey\MsgTranAgt.exe" [2008-08-18 117304]
"HControlUser"="c:\program files\ASUS\ATK Hotkey\HControlUser.exe" [2008-08-18 98304]
"ATKHOTKEY"="c:\program files\ASUS\ATK Hotkey\HControl.exe" [2008-10-20 166456]
"ATKOSD2"="c:\program files\ATKOSD2\ATKOSD2.exe" [2008-01-23 7766016]
"ATKMEDIA"="c:\program files\ASUS\ATK Media\DMEDIA.EXE" [2008-02-01 61440]
"RTHDCPL"="RTHDCPL.EXE" [2008-09-18 16855040]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-09-19 13545472]
"nwiz"="nwiz.exe" [2008-09-19 1630208]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-09-19 86016]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-10-12 815104]
"Wireless Console 2"="c:\program files\Wireless Console 2\wcourier.exe" [2007-07-05 1040384]
"ACU"="c:\program files\Atheros\ACU.exe" [2008-07-21 450649]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"Power_Gear"="c:\program files\ASUS\Power4 Gear\BatteryLife.exe" [2006-07-26 90112]
"googletalk"="c:\program files\Google\Google Talk\googletalk.exe" [2007-01-01 3739648]
"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2010-09-23 624056]
"PCSuiteTrayApplication"="c:\program files\Nokia\Nokia PC Suite 6\LaunchApplication.exe" [2007-03-23 227328]
"gemstrmw"="c:\windows\system32\gemstrmw.exe" [2005-02-07 24576]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-03-17 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-04-28 142120]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2010-09-24 40368]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
"egui"="c:\program files\ESET\ESET NOD32 Antivirus\egui.exe" [2010-11-04 2219184]
"MSODESNV7"="c:\windows\system32\msvmiode.exe" [2010-11-29 101696]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
"Nokia.PCSync"="c:\program files\Nokia\Nokia PC Suite 6\PcSync2.exe" [2007-03-27 1744896]

c:\documents and settings\Sandra\Start Menu\Programs\Startup\
Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-3-16 113664]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2008-4-14 596584]
Cisco Systems VPN Client.lnk - c:\program files\Cisco Systems\VPN Client\vpngui.exe [2009-3-17 1466384]

[HKEY_CURRENT_USER\software\microsoft\windows nt\currentversion\winlogon]
"Shell"="explorer.exe,c:\documents and settings\Sandra\Application Data\ltzqai.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Taskman"="c:\recycler\S-1-5-21-0379964066-8904501903-642721754-1605\syscr.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Documents and Settings\\All Users\\Application Data\\Kaspersky Lab Setup Files\\Kaspersky Internet Security 7.0.1.321\\English\\setup.exe"=
"c:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"9999:TCP"= 9999:TCP:PORT1
"9991:TCP"= 9991:TCP:PORT2
"1013:TCP"= 1013:TCP:BS
"7943:TCP"= 7943:TCP:FD
"5969:TCP"= 5969:TCP:iddclafz

R1 ehdrv;ehdrv;c:\windows\system32\drivers\ehdrv.sys [7/29/2010 12:31 PM 115008]
R1 epfwtdir;epfwtdir;c:\windows\system32\drivers\epfwtdir.sys [8/3/2010 12:28 PM 95896]
R1 HWiNFO32;HWiNFO32 Kernel Driver;c:\program files\HWiNFO32\HWiNFO32.SYS [4/8/2009 2:34 PM 16872]
R2 ekrn;ESET Service;c:\program files\ESET\ESET NOD32 Antivirus\ekrn.exe [11/4/2010 5:15 PM 810144]
R3 NVHDA;Service for NVIDIA High Definition Audio Driver;c:\windows\system32\drivers\nvhda32.sys [12/14/2008 12:18 AM 41376]
S3 CRFILTER;USB Mass Storage Filter;c:\windows\system32\drivers\CRFILTER.sys [4/7/2008 2:00 PM 6656]
S3 GemCCID;GemCCID;c:\windows\system32\drivers\GemCCID.sys [8/10/2009 12:07 PM 89600]
S3 hwusbdev;Huawei DataCard USB PNP Device;c:\windows\system32\drivers\ewusbdev.sys [1/21/2010 7:19 PM 100480]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
vqyln
.
Contents of the 'Scheduled Tasks' folder

2010-11-23 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]
.
.
------- Supplementary Scan -------
.
uStart Page = https://webmail.eu.avon.com/
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
IE: Append to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Send to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
IE: Send To Bluetooth - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
DPF: {62CF4D10-EBA7-45DA-ACA0-4B002E8B3A85} - hxxps://secure.bancaintesabeograd.com/Pages/Download/CABS/DigitrustApiNetSetPlugIn.cab
DPF: {7136C6F0-DE59-4AD5-B4A3-CA8B779D035E} - hxxps://secure.bancaintesabeograd.com/Pages/Download/CABS/DigitrustApiSetPinPlugin.cab
DPF: {DC01983E-2FD5-4200-9C3A-755E86413172} - hxxps://secure.bancaintesabeograd.com/Pages/Download/CABS/DigitrustApiPKCS11Plugin.cab
FF - ProfilePath - c:\documents and settings\Sandra\Application Data\Mozilla\Firefox\Profiles\9bo71q6s.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.facebook.com/home.php?ref=home
FF - plugin: c:\documents and settings\Sandra\Application Data\Facebook\npfbplugin_1_0_1.dll
FF - plugin: c:\documents and settings\Sandra\Application Data\Facebook\npfbplugin_1_0_3.dll
FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\Microsoft\Office Live\npOLW.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np72esk32.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPeWebEditPro.dll
FF - plugin: c:\program files\Windows Live\Photo Gallery\NPWLPG.dll
FF - Extension: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Extension: Java Console: {CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA}
FF - Extension: Java Console: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
FF - Extension: Java Console: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}
FF - Extension: Java Console: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
FF - Extension: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
FF - Extension: Java Console: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
FF - Extension: Java Console: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
FF - Extension: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-11-29 20:49
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


c:\windows\system32\msvmiode.exe 101696 bytes executable

scan completed successfully
hidden files: 1

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\DeterministicNetworks\DNE\Parameters]
"SymbolicLinkValue"=hex(6):5c,00,52,00,65,00,67,00,69,00,73,00,74,00,72,00,79,
00,5c,00,4d,00,41,00,43,00,48,00,49,00,4e,00,45,00,5c,00,53,00,79,00,73,00,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(804)
c:\windows\system32\btmmhook.dll
.
Completion time: 2010-11-29 20:51:11
ComboFix-quarantined-files.txt 2010-11-29 19:51
ComboFix2.txt 2010-11-29 19:28
ComboFix3.txt 2010-11-29 18:40
ComboFix4.txt 2010-11-29 15:29
ComboFix5.txt 2010-11-29 19:49

Post-Run: 16.539.488.256 bytes free

- - End Of File - - 7A7BBCE2081E89E30BAD9B7F0F806041



Logfile of The Avenger Version 2.0, (c) by Swandog46
http://swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!

File "c:\windows\system32\60.exe" deleted successfully.
File "c:\windows\cfdrive32.exe" deleted successfully.
File "c:\documents and settings\Sandra\Application Data\oekx.exe" deleted successfully.
File "c:\windows\system32\88.exe" deleted successfully.
File "c:\windows\system32\msvmiode.exe" deleted successfully.
File "c:\windows\cwdrive32.exe" deleted successfully.
File "c:\documents and settings\Sandra\Application Data\ltzqai.exe" deleted successfully.
File "c:\windows\system32\35.exe" deleted successfully.
File "c:\windows\system32\iyxvc.dll" deleted successfully.
Folder "c:\recycler\S-1-5-21-9971207920-4331519470-743919400-4157" deleted successfully.
Driver "vqyln" deleted successfully.
Registry value "HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon|Taskman" deleted successfully.

Completed script processing.

*******************

Finished! Terminate.

  • dr_Bora  Male
  • Anti Malware Fighter
    Rank 2
  • Joined: 24 Jul 2007
  • Posts: 12280
  • Location: Höganäs, SE

We will use The Avenger again.

Double-click avenger.exe to run it.

Copy the text inside the Code box into the program's (white) window:

 
Files to delete:
c:\windows\system32\60.exe
c:\windows\cfdrive32.exe
c:\documents and settings\Sandra\Application Data\oekx.exe
c:\windows\system32\88.exe
c:\windows\system32\msvmiode.exe
c:\windows\cwdrive32.exe
c:\documents and settings\Sandra\Application Data\ltzqai.exe
c:\windows\system32\35.exe
c:\windows\system32\iyxvc.dll
c:\windows\system32\00.exe

Folders to delete:
c:\recycler\S-1-5-21-9971207920-4331519470-743919400-4157
c:\recycler\S-1-5-21-0379964066-8904501903-642721754-1605

Registry values to delete:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|MSODESNV7
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon|Taskman
HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List|5969:TCP

Drivers to delete:
vqyln


Tick the boxes in front of the following options:
Scan for rootkits
Automatically disable any rootkits found


Click Execute, then Yes in the next two windows that open

The computer will restart (in some cases twice) and the cleaning/scanning process will start

When the process is finished, the log file C:\avenger.txt will open in Notepad


Paste the contents of the resulting log into the forum thread.



Double-click ComboFix and post the log you get.
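An added example, not from this thread and not part of The Avenger: a Python cross-check that reads an Avenger script like the one above together with the avenger.txt it produced, then reports for each target whether it was deleted, was already gone (Avenger's STATUS_OBJECT_NAME_NOT_FOUND status), failed with some other status, or is never mentioned in the log at all. The script and log samples are constructed from entries quoted in this thread, and Avenger's log wording is assumed to match the lines the thread shows.

```python
import re

# Constructed sample: the Avenger script from the thread, cut down to four targets.
SCRIPT = r"""
Files to delete:
c:\windows\system32\88.exe
c:\windows\system32\iyxvc.dll

Folders to delete:
c:\recycler\S-1-5-21-9971207920-4331519470-743919400-4157

Drivers to delete:
vqyln
"""

# Constructed sample log in Avenger's phrasing; the folder is deliberately never mentioned.
LOG = r"""
Error: file "c:\windows\system32\88.exe" not found!
Deletion of file "c:\windows\system32\88.exe" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
File "c:\windows\system32\iyxvc.dll" deleted successfully.
Error: registry key "\Registry\Machine\System\CurrentControlSet\Services\vqyln" not found!
Deletion of driver "vqyln" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
"""

SECTION_RE = re.compile(r"^(Files|Folders|Drivers|Registry values) to delete:$")
OK_RE = re.compile(r'^(?:File|Folder|Driver|Registry value) "(.+)" deleted successfully\.$')
FAIL_RE = re.compile(r'^Deletion of (?:file|folder|driver|registry value) "(.+)" failed!$')
STATUS_RE = re.compile(r"^Status: 0x[0-9a-fA-F]+ \((\w+)\)$")

def parse_script(text):
    """Return the script's targets in order as (section, target) pairs."""
    targets, section = [], None
    for line in filter(None, map(str.strip, text.splitlines())):
        if m := SECTION_RE.match(line):
            section = m.group(1)
        elif section:
            targets.append((section, line))
    return targets

def parse_log(text):
    """Map each target (lower-cased) to 'deleted' or to the NTSTATUS name it failed with."""
    outcome, pending = {}, None
    for line in map(str.strip, text.splitlines()):
        if m := OK_RE.match(line):
            outcome[m.group(1).lower()] = "deleted"
        elif m := FAIL_RE.match(line):
            pending = m.group(1).lower()
            outcome[pending] = "failed"  # refined by the Status line that follows
        elif (m := STATUS_RE.match(line)) and pending:
            outcome[pending] = m.group(1)
            pending = None
    return outcome

# Silent log: the run never reached it. NOT_FOUND: an earlier pass removed it (harmless). Else: failed.
CLASS = {None: "unreported", "deleted": "deleted", "STATUS_OBJECT_NAME_NOT_FOUND": "already_gone"}

def reconcile(targets, outcome):
    """Bucket the script's targets by what the log says happened to them."""
    report = {"deleted": [], "already_gone": [], "failed": [], "unreported": []}
    for _section, target in targets:
        report[CLASS.get(outcome.get(target.lower()), "failed")].append(target)
    return report
```

Anything in the "unreported" or "failed" buckets is what to look at before declaring the machine clean; "already_gone" entries just mean a previous ComboFix or Avenger pass got there first.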

offline
  • Joined: 01 Oct 2003
  • Posts: 2383
  • Location: Beograd

ComboFix 10-11-29.02 - Sandra 29.11.2010 21:16:37.17.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2815.2228 [GMT 1:00]
Running from: c:\documents and settings\Sandra\Desktop\ComboFix.exe
AV: ESET NOD32 Antivirus 4.2 *On-access scanning disabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\recycler\S-1-5-21-4694905717-3297081634-655703554-4598\winmap.exe
c:\windows\system32\21.exe
c:\windows\system32\26.exe
c:\windows\system32\50.exe

.
((((((((((((((((((((((((( Files Created from 2010-10-28 to 2010-11-29 )))))))))))))))))))))))))))))))
.

2010-11-28 21:16 . 2009-08-06 18:24 15064 ----a-w- c:\windows\system32\wuapi.dll.mui
2010-11-25 08:00 . 2010-11-25 08:00 -------- d-----w- c:\documents and settings\Sandra\Local Settings\Application Data\ESET
2010-11-25 07:58 . 2010-11-25 07:58 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\ESET
2010-11-25 07:56 . 2010-11-25 07:56 -------- d-----w- c:\program files\ESET
2010-11-25 07:56 . 2010-11-25 07:56 -------- d-----w- c:\documents and settings\All Users\Application Data\ESET
2010-11-10 09:51 . 2003-03-18 19:04 765952 ----a-w- c:\windows\system32\msvcp71d.dll
2010-11-10 09:51 . 2003-03-18 19:03 544768 ----a-w- c:\windows\system32\msvcr71d.dll
2010-11-10 09:51 . 2010-11-23 08:45 -------- d-----w- c:\program files\ALCATEL PC Suite
2010-11-10 09:50 . 2006-09-09 15:46 131072 ----a-w- c:\windows\system32\mtkjpeg.dll
2010-11-05 20:22 . 2008-04-13 23:15 26112 -c--a-w- c:\windows\system32\dllcache\usbser.sys
2010-11-05 20:22 . 2008-04-13 23:15 26112 ----a-w- c:\windows\system32\drivers\usbser.sys
2010-10-30 21:58 . 2010-10-30 21:58 -------- d-----w- c:\documents and settings\All Users\Application Data\NokiaInstallerCache

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-09-15 02:50 . 2010-04-18 12:29 472808 ----a-w- c:\windows\system32\deployJava1.dll
2010-09-15 00:29 . 2010-04-18 12:29 73728 ----a-w- c:\windows\system32\javacpl.cpl
2008-12-14 22:57 . 2008-12-14 22:57 1851544 ----a-w- c:\program files\install_flash_player.exe
.

((((((((((((((((((((((((((((( SnapShot@2010-11-28_19.39.32 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-11-29 20:12 . 2010-11-29 20:12 16384 c:\windows\temp\Perflib_Perfdata_17c.dat
+ 2008-12-14 22:29 . 2009-08-06 18:24 44768 c:\windows\system32\wups2.dll
+ 2008-12-13 14:44 . 2009-08-06 18:24 35552 c:\windows\system32\wups.dll
+ 2008-12-13 14:44 . 2009-08-06 18:24 53472 c:\windows\system32\wuauclt.exe
+ 2010-11-28 21:16 . 2009-08-06 18:24 44768 c:\windows\system32\SoftwareDistribution\Setup\ServiceStartup\wups2.dll\7.4.7600.226\wups2.dll
+ 2010-11-28 21:16 . 2009-08-06 18:24 35552 c:\windows\system32\SoftwareDistribution\Setup\ServiceStartup\wups.dll\7.4.7600.226\wups.dll
+ 2008-12-13 14:44 . 2009-08-06 18:24 35552 c:\windows\system32\dllcache\wups.dll
+ 2008-12-13 14:44 . 2009-08-06 18:24 53472 c:\windows\system32\dllcache\wuauclt.exe
+ 2008-04-14 12:00 . 2009-08-06 18:24 96480 c:\windows\system32\dllcache\cdm.dll
+ 2008-04-14 12:00 . 2009-08-06 18:24 96480 c:\windows\system32\cdm.dll
+ 2008-12-13 14:44 . 2009-08-06 18:23 209624 c:\windows\system32\wuweb.dll
+ 2008-12-13 14:44 . 2009-08-06 18:24 327896 c:\windows\system32\wucltui.dll
+ 2008-12-13 14:44 . 2009-08-06 18:23 575704 c:\windows\system32\wuapi.dll
+ 2010-11-28 21:16 . 2009-08-06 18:23 575704 c:\windows\system32\SoftwareDistribution\Setup\ServiceStartup\wuapi.dll\7.4.7600.226\wuapi.dll
+ 2009-03-18 22:51 . 2009-08-06 18:23 215904 c:\windows\system32\muweb.dll
+ 2008-12-13 14:44 . 2009-08-06 18:23 209624 c:\windows\system32\dllcache\wuweb.dll
+ 2008-12-13 14:44 . 2009-08-06 18:24 327896 c:\windows\system32\dllcache\wucltui.dll
+ 2008-12-13 14:44 . 2009-08-06 18:23 575704 c:\windows\system32\dllcache\wuapi.dll
+ 2008-12-13 14:44 . 2009-08-06 18:23 1929952 c:\windows\system32\wuaueng.dll
+ 2008-12-13 14:44 . 2009-08-06 18:23 1929952 c:\windows\system32\dllcache\wuaueng.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"POP Peeper"="c:\program files\POP Peeper\POPPeeper.exe" [2008-03-11 1429504]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-07-26 3883856]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2010-03-09 26100520]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsgTranAgt"="c:\program files\ASUS\ATK Hotkey\MsgTranAgt.exe" [2008-08-18 117304]
"HControlUser"="c:\program files\ASUS\ATK Hotkey\HControlUser.exe" [2008-08-18 98304]
"ATKHOTKEY"="c:\program files\ASUS\ATK Hotkey\HControl.exe" [2008-10-20 166456]
"ATKOSD2"="c:\program files\ATKOSD2\ATKOSD2.exe" [2008-01-23 7766016]
"ATKMEDIA"="c:\program files\ASUS\ATK Media\DMEDIA.EXE" [2008-02-01 61440]
"RTHDCPL"="RTHDCPL.EXE" [2008-09-18 16855040]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-09-19 13545472]
"nwiz"="nwiz.exe" [2008-09-19 1630208]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-09-19 86016]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-10-12 815104]
"Wireless Console 2"="c:\program files\Wireless Console 2\wcourier.exe" [2007-07-05 1040384]
"ACU"="c:\program files\Atheros\ACU.exe" [2008-07-21 450649]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"Power_Gear"="c:\program files\ASUS\Power4 Gear\BatteryLife.exe" [2006-07-26 90112]
"googletalk"="c:\program files\Google\Google Talk\googletalk.exe" [2007-01-01 3739648]
"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2010-09-23 624056]
"PCSuiteTrayApplication"="c:\program files\Nokia\Nokia PC Suite 6\LaunchApplication.exe" [2007-03-23 227328]
"gemstrmw"="c:\windows\system32\gemstrmw.exe" [2005-02-07 24576]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-03-17 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-04-28 142120]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2010-09-24 40368]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
"egui"="c:\program files\ESET\ESET NOD32 Antivirus\egui.exe" [2010-11-04 2219184]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
"Nokia.PCSync"="c:\program files\Nokia\Nokia PC Suite 6\PcSync2.exe" [2007-03-27 1744896]

c:\documents and settings\Sandra\Start Menu\Programs\Startup\
Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-3-16 113664]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2008-4-14 596584]
Cisco Systems VPN Client.lnk - c:\program files\Cisco Systems\VPN Client\vpngui.exe [2009-3-17 1466384]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Documents and Settings\\All Users\\Application Data\\Kaspersky Lab Setup Files\\Kaspersky Internet Security 7.0.1.321\\English\\setup.exe"=
"c:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"9999:TCP"= 9999:TCP:PORT1
"9991:TCP"= 9991:TCP:PORT2
"1013:TCP"= 1013:TCP:BS
"7943:TCP"= 7943:TCP:FD

R1 ehdrv;ehdrv;c:\windows\system32\drivers\ehdrv.sys [7/29/2010 12:31 PM 115008]
R1 epfwtdir;epfwtdir;c:\windows\system32\drivers\epfwtdir.sys [8/3/2010 12:28 PM 95896]
R1 HWiNFO32;HWiNFO32 Kernel Driver;c:\program files\HWiNFO32\HWiNFO32.SYS [4/8/2009 2:34 PM 16872]
R2 ekrn;ESET Service;c:\program files\ESET\ESET NOD32 Antivirus\ekrn.exe [11/4/2010 5:15 PM 810144]
R3 NVHDA;Service for NVIDIA High Definition Audio Driver;c:\windows\system32\drivers\nvhda32.sys [12/14/2008 12:18 AM 41376]
S2 iciro;Manager System;c:\windows\system32\svchost.exe -k netsvcs [4/14/2008 1:00 PM 14336]
S3 CRFILTER;USB Mass Storage Filter;c:\windows\system32\drivers\CRFILTER.sys [4/7/2008 2:00 PM 6656]
S3 GemCCID;GemCCID;c:\windows\system32\drivers\GemCCID.sys [8/10/2009 12:07 PM 89600]
S3 hwusbdev;Huawei DataCard USB PNP Device;c:\windows\system32\drivers\ewusbdev.sys [1/21/2010 7:19 PM 100480]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
vqyln
iciro
.
Contents of the 'Scheduled Tasks' folder

2010-11-23 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]
.
.
------- Supplementary Scan -------
.
uStart Page = https://webmail.eu.avon.com/
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
IE: Append to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Send to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
IE: Send To Bluetooth - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
DPF: {62CF4D10-EBA7-45DA-ACA0-4B002E8B3A85} - hxxps://secure.bancaintesabeograd.com/Pages/Download/CABS/DigitrustApiNetSetPlugIn.cab
DPF: {7136C6F0-DE59-4AD5-B4A3-CA8B779D035E} - hxxps://secure.bancaintesabeograd.com/Pages/Download/CABS/DigitrustApiSetPinPlugin.cab
DPF: {DC01983E-2FD5-4200-9C3A-755E86413172} - hxxps://secure.bancaintesabeograd.com/Pages/Download/CABS/DigitrustApiPKCS11Plugin.cab
FF - ProfilePath - c:\documents and settings\Sandra\Application Data\Mozilla\Firefox\Profiles\9bo71q6s.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.facebook.com/home.php?ref=home
FF - plugin: c:\documents and settings\Sandra\Application Data\Facebook\npfbplugin_1_0_1.dll
FF - plugin: c:\documents and settings\Sandra\Application Data\Facebook\npfbplugin_1_0_3.dll
FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\Microsoft\Office Live\npOLW.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np72esk32.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPeWebEditPro.dll
FF - plugin: c:\program files\Windows Live\Photo Gallery\NPWLPG.dll
FF - Extension: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Extension: Java Console: {CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA}
FF - Extension: Java Console: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
FF - Extension: Java Console: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}
FF - Extension: Java Console: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
FF - Extension: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
FF - Extension: Java Console: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
FF - Extension: Java Console: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
FF - Extension: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-11-29 21:21
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\iciro]
"ServiceDll"="c:\windows\system32\iyxvc.dll"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\DeterministicNetworks\DNE\Parameters]
"SymbolicLinkValue"=hex(6):5c,00,52,00,65,00,67,00,69,00,73,00,74,00,72,00,79,
00,5c,00,4d,00,41,00,43,00,48,00,49,00,4e,00,45,00,5c,00,53,00,79,00,73,00,\
.
Completion time: 2010-11-29 21:22:52
ComboFix-quarantined-files.txt 2010-11-29 20:22
ComboFix2.txt 2010-11-29 19:51
ComboFix3.txt 2010-11-29 19:28
ComboFix4.txt 2010-11-29 18:40
ComboFix5.txt 2010-11-29 20:15

Pre-Run: 16.551.002.112 bytes free
Post-Run: 16.533.610.496 bytes free

- - End Of File - - 99F98F9636486402616478A2DDFC14F6




Logfile of The Avenger Version 2.0, (c) by Swandog46
http://swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!

File "c:\windows\system32\60.exe" deleted successfully.
File "c:\windows\cfdrive32.exe" deleted successfully.
File "c:\documents and settings\Sandra\Application Data\oekx.exe" deleted successfully.

Error: file "c:\windows\system32\88.exe" not found!
Deletion of file "c:\windows\system32\88.exe" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist

File "c:\windows\system32\msvmiode.exe" deleted successfully.
File "c:\windows\cwdrive32.exe" deleted successfully.
File "c:\documents and settings\Sandra\Application Data\ltzqai.exe" deleted successfully.

Error: file "c:\windows\system32\35.exe" not found!
Deletion of file "c:\windows\system32\35.exe" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist

File "c:\windows\system32\iyxvc.dll" deleted successfully.
File "c:\windows\system32\00.exe" deleted successfully.

Error: folder "c:\recycler\S-1-5-21-9971207920-4331519470-743919400-4157" not found!
Deletion of folder "c:\recycler\S-1-5-21-9971207920-4331519470-743919400-4157" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist

Folder "c:\recycler\S-1-5-21-0379964066-8904501903-642721754-1605" deleted successfully.
Registry value "HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List|5969:TCP" deleted successfully.

Error: registry key "\Registry\Machine\System\CurrentControlSet\Services\vqyln" not found!
Deletion of driver "vqyln" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: could not delete registry value "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|MSODESNV7"
Deletion of registry value "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|MSODESNV7" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist

Registry value "HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon|Taskman" deleted successfully.

Completed script processing.

*******************

Finished! Terminate.

offline
  • dr_Bora  Male
  • Anti Malware Fighter
    Rank 2
  • Joined: 24 Jul 2007
  • Posts: 12280
  • Location: Höganäs, SE

Open Notepad and copy the following text:


File::
c:\windows\system32\iyxvc.dll

KillAll::

Driver::
iciro

NetSvc::
vqyln
iciro



Save the file from Notepad to the Desktop as "CFScript"




Drag the saved script/text onto the ComboFix icon as shown in the picture.
In your next message, post the log that is produced at the end of the cleaning/scanning.
