Win32/Adware.Virtumonde.FP application

  • Joined: 07 Apr 2008
  • Posts: 9

I did! - CFScript.txt, and I dragged it onto ComboFix, or maybe it should be without the extension?

  • helen1  Male
  • Anti Malware Fighter
    Rank 2
  • Master teacher
  • Joined: 27 Aug 2005
  • Posts: 8617
  • Location: Novi Beograd

Try it without the extension.

  • Joined: 07 Apr 2008
  • Posts: 9

Exactly the same behaviour!

  • helen1  Male
  • Anti Malware Fighter
    Rank 2
  • Master teacher
  • Joined: 27 Aug 2005
  • Posts: 8617
  • Location: Novi Beograd

  • Joined: 07 Apr 2008
  • Posts: 9

Hello!
I couldn't get back to you sooner - I'm swamped with work. Most likely the computer will be reinstalled, since I'm also changing jobs as of Monday. So you don't need to go to much trouble. Thank you very much, and sorry for the time spent. If it means anything to you for study purposes, I did this and here is the log.

ComboFix 08-04-10.7 - Dejan 2008-04-11 11:28:00.4 - NTFSx86
Running from: C:\Documents and Settings\Dejan\Desktop\ComboFix.exe
* Created a new restore point
* Resident AV is active


WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\RqsAJRqr.ini
C:\WINDOWS\system32\RqsAJRqr.ini2

.
((((((((((((((((((((((((( Files Created from 2008-03-11 to 2008-04-11 )))))))))))))))))))))))))))))))
.

2008-04-09 11:52 . 2008-04-09 11:52 <DIR> d-------- C:\Documents and Settings\Dejan\Application Data\Media Player Classic
2008-04-07 13:51 . 2008-04-07 13:51 15 --a------ C:\WINDOWS\system32\b48ce26b
2008-04-03 15:34 . 2008-04-03 15:34 <DIR> d-------- C:\Documents and Settings\Dejan\Application Data\Grisoft
2008-04-03 15:34 . 2007-05-30 14:10 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2008-03-31 13:35 . 2008-03-31 13:35 <DIR> d-------- C:\Documents and Settings\Dejan\Application Data\Embarcadero
2008-03-31 13:34 . 2000-06-27 12:07 1,305,200 --a------ C:\WINDOWS\system32\sbe6_32.dll
2008-03-31 13:34 . 2000-06-18 23:53 512,560 --a------ C:\WINDOWS\system32\sb6ent.ocx
2008-03-31 13:34 . 2000-06-15 23:47 326,612 --a------ C:\WINDOWS\system32\SBE6_000.HLP
2008-03-31 13:34 . 1999-09-09 12:51 6,499 --a------ C:\WINDOWS\system32\SBE6_000.CNT
2008-03-31 13:33 . 2008-03-31 13:33 <DIR> d-------- C:\Program Files\Embarcadero
2008-03-31 13:33 . 2008-03-31 13:33 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Embarcadero
2008-03-31 08:13 . 2008-03-31 08:13 1,583,347 --ahs---- C:\WINDOWS\system32\ntjwfxfc.ini
2008-03-29 09:12 . 2008-03-28 16:02 1,584,019 --ahs---- C:\WINDOWS\system32\neducssk.ini
2008-03-28 16:37 . 2008-03-28 16:37 <DIR> d--h----- C:\WINDOWS\PIF
2008-03-28 16:10 . 2008-03-31 08:13 1,583,287 --ahs---- C:\WINDOWS\system32\uyjtyxwg.ini
2008-03-27 09:40 . 2008-03-27 09:40 230 --a------ C:\WINDOWS\system32\spupdsvc.inf
2008-03-24 09:02 . 2008-03-24 09:02 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Messenger Plus!
2008-03-22 13:22 . 2008-03-22 13:22 <DIR> d-------- C:\Program Files\Ref support camp
2008-03-22 13:22 . 2008-03-22 13:22 <DIR> d-------- C:\Program Files\Messenger Plus! Live
2008-03-22 13:22 . 2008-03-22 13:22 <DIR> d-------- C:\Program Files\Circle Developement
2008-03-13 09:49 . 2007-10-10 05:34 216,064 --a------ C:\WINDOWS\UninstallW.exe
2008-03-13 09:49 . 2006-09-12 05:36 1,606 --a------ C:\WINDOWS\uninsW.bat
2008-03-13 09:49 . 2006-06-22 17:34 970 --a------ C:\WINDOWS\uninsWmove.bat
2008-03-13 09:49 . 2005-12-28 20:54 29 --a------ C:\WINDOWS\uninsW98.bat
2008-03-13 09:45 . 2008-03-13 09:45 <DIR> d-------- C:\Temp
2008-03-13 09:45 . 2008-03-13 09:45 <DIR> d-------- C:\Program Files\Wilcom2

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-11 06:19 --------- d-----w C:\Program Files\ICQToolbar
2008-04-10 06:16 --------- d-----w C:\Documents and Settings\Dejan\Application Data\Skype
2008-04-08 08:18 --------- d-----w C:\Documents and Settings\Dejan\Application Data\uTorrent
2008-04-07 06:53 --------- d-----w C:\Program Files\DeskCall NG
2008-04-03 09:25 --------- d-----w C:\Program Files\Google
2008-04-03 09:20 --------- d-----w C:\Program Files\HijackThis 1.99.1
2008-03-31 11:33 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-03-20 07:46 --------- d-----w C:\Program Files\Winamp
2008-03-10 13:49 --------- d-----w C:\Program Files\Skype
2008-03-10 13:49 --------- d-----w C:\Program Files\Common Files\Skype
2008-03-10 13:49 --------- d-----w C:\Documents and Settings\All Users\Application Data\Skype
2008-03-07 12:48 --------- dcsh--w C:\Program Files\Common Files\WindowsLiveInstaller
2008-03-07 12:48 --------- d-----w C:\Program Files\Windows Live
2008-03-07 12:30 --------- d-----w C:\Documents and Settings\All Users\Application Data\WLInstaller
2008-02-25 08:10 691,545 ----a-w C:\WINDOWS\unins000.exe
2008-02-23 13:10 --------- d-----w C:\Program Files\Eset
2008-02-23 12:54 --------- d-----w C:\Program Files\Common Files\NSV
2008-02-23 12:00 502,368 ----a-w C:\WINDOWS\system32\drivers\amon.sys
2008-02-13 13:49 --------- d-----w C:\Program Files\Common Files\Adobe
2008-02-13 13:49 --------- d-----w C:\Program Files\Bonjour
2008-02-13 13:42 --------- d-----w C:\Program Files\Common Files\Macrovision Shared
2008-02-12 11:48 --------- d-----w C:\Documents and Settings\Dejan\Application Data\DeskCallNG
2008-02-11 12:35 --------- d-----w C:\Program Files\TC UP
2008-01-12 08:48 720,896 ----a-w C:\WINDOWS\iun6002.exe
2007-07-10 08:04 20,112 ----a-w C:\Documents and Settings\Dejan\Application Data\GDIPFONTCACHEV1.DAT
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{C95106CD-4A96-4B61-9BC0-D905298BAAE4}]
1980-03-28 16:47 273920 --a------ C:\WINDOWS\system32\rqRJAsqR.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56 15360]
"Magentic"="C:\PROGRA~1\Magentic\bin\Magentic.exe" [2007-10-09 14:42 475180]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 18:24 1694208]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"YSearchProtection"="C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe" [ ]
"nod32kui"="C:\Program Files\Eset\nod32kui.exe" [2008-02-23 14:00 921600]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 11:25 6731312]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2004-08-04 00:56 15360]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\system]
"DisableCMD"= 0 (0x0)

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 C:\WINDOWS\system32\rqRJAsqR.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ICQ]
--a------ 2007-11-21 02:47 172280 C:\Program Files\ICQ6\ICQ.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Isoeggs]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--------- 2004-10-13 18:24 1694208 C:\Program Files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2001-07-09 11:50 155648 C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OpwareSE2]
--a------ 2003-05-08 12:00 49152 C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2007-10-02 13:29 286720 C:\Program Files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RegistrySmart]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
--a------ 2004-12-01 17:54 77824 C:\WINDOWS\SOUNDMAN.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Tok-Cirrhatus]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\two city internet heck]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\YSearchProtection]
C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"LightScribeService"=2 (0x2)
"gusvc"=3 (0x3)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\TC UP\\PLUGINS\\Media\\uTorrent\\utorrent.exe"=
"C:\\Program Files\\ICQ6\\ICQ.exe"=
"C:\\Program Files\\Magentic\\bin\\MgImp.exe"=
"C:\\Program Files\\Magentic\\bin\\Magentic.exe"=
"C:\\Program Files\\Magentic\\bin\\MgApp.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\TC UP\\TOTALCMD.EXE"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"512:TCP"= 512:TCP:KOMUNIKACIJA
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R1 VD_FileDisk;VD_FileDisk;C:\WINDOWS\system32\drivers\VD_FileDisk.sys [2006-01-13 14:00]
R2 pgAgent;PostgreSQL Scheduling Agent - pgAgent;C:\Program Files\PostgreSQL\8.1\bin\pgAgent RUN pgAgent hostaddr=127.0.0.1 dbname=postgres user=postgres []
R2 pgsql-8.1;PostgreSQL Database Server 8.1;"C:\Program Files\PostgreSQL\8.1\bin\pg_ctl.exe" runservice -N "pgsql-8.1" -D "C:\Program Files\PostgreSQL\8.1\data\" []
R2 U3SHLPDR;U3SHLPDR;C:\WINDOWS\System32\Drivers\U3SHLPDR.SYS [2007-10-21 10:41]
S3 FXDRV;FXDRV;D:\Fxdrv.sys []

.
Contents of the 'Scheduled Tasks' folder
"2008-04-10 13:00:12 C:\WINDOWS\Tasks\BackUp.job"
- D:\MARKO\Install_PoSo\BackUp\BackUp.exe
.
**************************************************************************

catchme 0.3.1351 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, gmer.net
Rootkit scan 2008-04-11 11:34:09
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\pgAgent]
"ImagePath"="C:\Program Files\PostgreSQL\8.1\bin\pgAgent RUN pgAgent hostaddr=127.0.0.1 dbname=postgres user=postgres"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\lsass.exe
-> C:\WINDOWS\system32\rqRJAsqR.dll
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\PostgreSQL\8.1\bin\pgAgent.exe
C:\Program Files\PostgreSQL\8.1\bin\pg_ctl.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\PostgreSQL\8.1\bin\postmaster.exe
C:\Program Files\PostgreSQL\8.1\bin\postgres.exe
C:\Program Files\PostgreSQL\8.1\bin\postgres.exe
C:\Program Files\PostgreSQL\8.1\bin\postgres.exe
C:\Program Files\PostgreSQL\8.1\bin\postgres.exe
C:\PROGRA~1\Magentic\bin\MgApp.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\system32\imapi.exe
.
**************************************************************************
.
Completion time: 2008-04-11 11:37:08 - machine was rebooted
ComboFix-quarantined-files.txt 2008-04-11 09:36:56
ComboFix2.txt 2008-04-07 13:38:30
Pre-Run: 26,200,281,088 bytes free
Post-Run: 26,164,187,136 bytes free
.
2008-01-09 15:38:09 --- E O F ---

THANKS ONCE AGAIN AND REGARDS!!

  • helen1  Male
  • Anti Malware Fighter
    Rank 2
  • Master teacher
  • Joined: 27 Aug 2005
  • Posts: 8617
  • Location: Novi Beograd

Do this, if you want.

Open Notepad and copy the following text:

File::
C:\WINDOWS\system32\ntjwfxfc.ini
C:\WINDOWS\system32\neducssk.ini
C:\WINDOWS\system32\uyjtyxwg.ini
C:\WINDOWS\system32\rqRJAsqR.dll
C:\WINDOWS\system32\rqRJAsqR.dll

Folder::
C:\Documents and Settings\All Users\Application Data\Messenger Plus!
C:\Program Files\Ref support camp
C:\Program Files\Messenger Plus! Live
C:\Program Files\Circle Developement

Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Isoeggs]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Tok-Cirrhatus]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\two city internet heck]
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"=hex(7):6d,73,76,31,5f,30,00,00


Save the file from Notepad to the Desktop as "CFScript"

Drag the saved script/text onto the ComboFix icon as in the picture.
Post in your next message the log that is produced at the end of the cleaning/scanning.
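The Registry:: stanza in the script above resets the LSA "Authentication Packages" value to msv1_0 alone, written in REGEDIT4's hex(7) (REG_MULTI_SZ) form; the log shows the Virtumonde DLL (rqRJAsqR.dll) registered there and loaded into lsass.exe. As an added example, not part of the thread or of ComboFix, the Python below parses the "Authentication Packages" line as ComboFix prints it, flags any entry outside a known-good set, and emits the same stanza. The known-good set (msv1_0 only), the "a path entry ends in .dll" heuristic for paths containing spaces, and the sample log excerpt are assumptions/constructed.

```python
"""Audit the LSA 'Authentication Packages' list in a ComboFix 'Reg Loading Points'
section and build the CFScript Registry:: stanza that resets it.
REGEDIT4 hex(7) is REG_MULTI_SZ: NUL-terminated strings followed by a final NUL."""
import re
from typing import Dict, List

# Assumption: on a stock Windows XP box only msv1_0 is expected here.
KNOWN_AUTH_PACKAGES = {"msv1_0"}
LSA_KEY = r"HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa"
AUTH_PREFIX = "Authentication Packages REG_MULTI_SZ"


def encode_multi_sz(values: List[str]) -> str:
    """Render a REG_MULTI_SZ as REGEDIT4 'hex(7):aa,bb,...' (REGEDIT4 uses ANSI bytes)."""
    data = b"".join(v.encode("latin-1") + b"\x00" for v in values) + b"\x00"
    return "hex(7):" + ",".join(f"{b:02x}" for b in data)


def decode_multi_sz(hex7: str) -> List[str]:
    """Inverse of encode_multi_sz; the empty string after the last entry ends the list."""
    if not hex7.startswith("hex(7):"):
        raise ValueError("not a hex(7) (REG_MULTI_SZ) value")
    raw = bytes(int(tok, 16) for tok in hex7[len("hex(7):"):].split(",") if tok)
    return [s.decode("latin-1") for s in raw.split(b"\x00") if s]


def _open_path(entry: str) -> bool:
    # ComboFix separates entries with spaces, so a path containing spaces is split
    # across tokens; keep appending until the path ends in .dll (heuristic, assumption).
    return re.match(r"^[A-Za-z]:\\", entry) is not None and not entry.lower().endswith(".dll")


def parse_auth_packages_line(line: str) -> List[str]:
    """Split 'Authentication Packages REG_MULTI_SZ msv1_0 C:\\...\\x.dll' into entries."""
    if not line.startswith(AUTH_PREFIX):
        raise ValueError("not an 'Authentication Packages' line")
    entries: List[str] = []
    for tok in line[len(AUTH_PREFIX):].split():
        if entries and _open_path(entries[-1]):
            entries[-1] += " " + tok
        else:
            entries.append(tok)
    return entries


def audit_auth_packages(packages: List[str]) -> List[str]:
    """Anything outside the known-good set is suspicious. A full path is a strong
    signal: legitimate packages are registered by module name, not by path."""
    return [p for p in packages if p.lower() not in KNOWN_AUTH_PACKAGES]


def cfscript_registry_fix(packages: List[str]) -> str:
    """CFScript stanza that restores the value to the known-good packages only."""
    keep = [p for p in packages if p.lower() in KNOWN_AUTH_PACKAGES] or sorted(KNOWN_AUTH_PACKAGES)
    return ("Registry::\n[" + LSA_KEY + "]\n"
            '"Authentication Packages"=' + encode_multi_sz(keep) + "\n")


def audit_log(log_text: str) -> Dict[str, object]:
    """Find the LSA line in a ComboFix log; report extra packages and the fix stanza."""
    for line in log_text.splitlines():
        if line.startswith(AUTH_PREFIX):
            packages = parse_auth_packages_line(line)
            return {"packages": packages,
                    "suspicious": audit_auth_packages(packages),
                    "fix": cfscript_registry_fix(packages)}
    return {"packages": [], "suspicious": [], "fix": ""}


# Constructed excerpt modelled on the 'Reg Loading Points' section posted above.
SAMPLE_LOG = """\
[HKEY_USERS\\.default\\software\\microsoft\\windows\\currentversion\\policies\\system]
"DisableCMD"= 0 (0x0)

[HKEY_LOCAL_MACHINE\\system\\currentcontrolset\\control\\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 C:\\WINDOWS\\system32\\rqRJAsqR.dll
"""

if __name__ == "__main__":
    report = audit_log(SAMPLE_LOG)
    print("suspicious:", report["suspicious"])
    print(report["fix"])
```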

  • Joined: 07 Apr 2008
  • Posts: 9

Today is my last working day at this company, but I did what you sent me as well. It looks to me like it's finished now. They'll probably reinstall the system on this computer since it hasn't been serviced in a while. Here is the last log I did.

ComboFix 08-04-10.7 - Dejan 2008-04-12 10:45:37.6 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1250.1.1033.18.187 [GMT 2:00]
Running from: C:\Documents and Settings\Dejan\Desktop\ComboFix.exe
* Resident AV is active


WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
---- Previous Run -------
.
C:\Documents and Settings\All Users\Application Data\Messenger Plus!
C:\Program Files\Circle Developement
C:\Program Files\Circle Developement\Uninstall.exe
C:\Program Files\Messenger Plus! Live
C:\Program Files\Messenger Plus! Live\Detoured.dll
C:\Program Files\Messenger Plus! Live\Events Style Sheet.xsl
C:\Program Files\Messenger Plus! Live\lame_enc.dll
C:\Program Files\Messenger Plus! Live\Languages\Lng_Arabic.ini
C:\Program Files\Messenger Plus! Live\Languages\Lng_ChineseSimplified.ini
C:\Program Files\Messenger Plus! Live\Languages\Lng_ChineseTraditional.ini
C:\Program Files\Messenger Plus! Live\Languages\Lng_Danish.ini
C:\Program Files\Messenger Plus! Live\Languages\Lng_Default.ini
C:\Program Files\Messenger Plus! Live\Languages\Lng_Dutch.ini
C:\Program Files\Messenger Plus! Live\Languages\Lng_Estonian.ini
C:\Program Files\Messenger Plus! Live\Languages\Lng_Finnish.ini
C:\Program Files\Messenger Plus! Live\Languages\Lng_French.ini
C:\Program Files\Messenger Plus! Live\Languages\Lng_German.ini
C:\Program Files\Messenger Plus! Live\Languages\Lng_Hebrew.ini
C:\Program Files\Messenger Plus! Live\Languages\Lng_Hungarian.ini
C:\Program Files\Messenger Plus! Live\Languages\Lng_Italian.ini
C:\Program Files\Messenger Plus! Live\Languages\Lng_Japanese.ini
C:\Program Files\Messenger Plus! Live\Languages\Lng_Korean.ini
C:\Program Files\Messenger Plus! Live\Languages\Lng_Norwegian.ini
C:\Program Files\Messenger Plus! Live\Languages\Lng_Portuguese.ini
C:\Program Files\Messenger Plus! Live\Languages\Lng_Spanish.ini
C:\Program Files\Messenger Plus! Live\Languages\Lng_Swedish.ini
C:\Program Files\Messenger Plus! Live\Languages\Lng_Thai.ini
C:\Program Files\Messenger Plus! Live\Languages\Lng_Turkish.ini
C:\Program Files\Messenger Plus! Live\libsndfile.dll
C:\Program Files\Messenger Plus! Live\Log Viewer.exe
C:\Program Files\Messenger Plus! Live\MPScripts.dll
C:\Program Files\Messenger Plus! Live\MPSkins.dll
C:\Program Files\Messenger Plus! Live\MPTools.exe
C:\Program Files\Messenger Plus! Live\MsgPlusLive.dll
C:\Program Files\Messenger Plus! Live\MsgPlusLiveRes.dll
C:\Program Files\Messenger Plus! Live\MsgPlusLoader.dll
C:\Program Files\Messenger Plus! Live\Uninstall.exe
C:\Program Files\Ref support camp
C:\WINDOWS\system32\neducssk.ini
C:\WINDOWS\system32\ntjwfxfc.ini
C:\WINDOWS\system32\rqRJAsqR.dll
C:\WINDOWS\system32\RqsAJRqr.ini
C:\WINDOWS\system32\RqsAJRqr.ini2
C:\WINDOWS\system32\uyjtyxwg.ini

.
((((((((((((((((((((((((( Files Created from 2008-03-12 to 2008-04-12 )))))))))))))))))))))))))))))))
.

2008-04-09 11:52 . 2008-04-09 11:52 <DIR> d-------- C:\Documents and Settings\Dejan\Application Data\Media Player Classic
2008-04-07 13:51 . 2008-04-07 13:51 15 --a------ C:\WINDOWS\system32\b48ce26b
2008-04-03 15:34 . 2008-04-03 15:34 <DIR> d-------- C:\Documents and Settings\Dejan\Application Data\Grisoft
2008-04-03 15:34 . 2007-05-30 14:10 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2008-03-31 13:35 . 2008-03-31 13:35 <DIR> d-------- C:\Documents and Settings\Dejan\Application Data\Embarcadero
2008-03-31 13:34 . 2000-06-27 12:07 1,305,200 --a------ C:\WINDOWS\system32\sbe6_32.dll
2008-03-31 13:34 . 2000-06-18 23:53 512,560 --a------ C:\WINDOWS\system32\sb6ent.ocx
2008-03-31 13:34 . 2000-06-15 23:47 326,612 --a------ C:\WINDOWS\system32\SBE6_000.HLP
2008-03-31 13:34 . 1999-09-09 12:51 6,499 --a------ C:\WINDOWS\system32\SBE6_000.CNT
2008-03-31 13:33 . 2008-03-31 13:33 <DIR> d-------- C:\Program Files\Embarcadero
2008-03-31 13:33 . 2008-03-31 13:33 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Embarcadero
2008-03-28 16:37 . 2008-03-28 16:37 <DIR> d--h----- C:\WINDOWS\PIF
2008-03-27 09:40 . 2008-03-27 09:40 230 --a------ C:\WINDOWS\system32\spupdsvc.inf
2008-03-13 09:49 . 2007-10-10 05:34 216,064 --a------ C:\WINDOWS\UninstallW.exe
2008-03-13 09:49 . 2006-09-12 05:36 1,606 --a------ C:\WINDOWS\uninsW.bat
2008-03-13 09:49 . 2006-06-22 17:34 970 --a------ C:\WINDOWS\uninsWmove.bat
2008-03-13 09:49 . 2005-12-28 20:54 29 --a------ C:\WINDOWS\uninsW98.bat
2008-03-13 09:45 . 2008-03-13 09:45 <DIR> d-------- C:\Temp
2008-03-13 09:45 . 2008-03-13 09:45 <DIR> d-------- C:\Program Files\Wilcom2

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-12 08:34 --------- d-----w C:\Program Files\ICQToolbar
2008-04-11 13:04 --------- d-----w C:\Documents and Settings\Dejan\Application Data\Skype
2008-04-08 08:18 --------- d-----w C:\Documents and Settings\Dejan\Application Data\uTorrent
2008-04-07 06:53 --------- d-----w C:\Program Files\DeskCall NG
2008-04-03 09:25 --------- d-----w C:\Program Files\Google
2008-04-03 09:20 --------- d-----w C:\Program Files\HijackThis 1.99.1
2008-03-31 11:33 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-03-20 07:46 --------- d-----w C:\Program Files\Winamp
2008-03-10 13:49 --------- d-----w C:\Program Files\Skype
2008-03-10 13:49 --------- d-----w C:\Program Files\Common Files\Skype
2008-03-10 13:49 --------- d-----w C:\Documents and Settings\All Users\Application Data\Skype
2008-03-07 12:48 --------- dcsh--w C:\Program Files\Common Files\WindowsLiveInstaller
2008-03-07 12:48 --------- d-----w C:\Program Files\Windows Live
2008-03-07 12:30 --------- d-----w C:\Documents and Settings\All Users\Application Data\WLInstaller
2008-02-25 08:10 691,545 ----a-w C:\WINDOWS\unins000.exe
2008-02-23 13:10 --------- d-----w C:\Program Files\Eset
2008-02-23 12:54 --------- d-----w C:\Program Files\Common Files\NSV
2008-02-23 12:00 502,368 ----a-w C:\WINDOWS\system32\drivers\amon.sys
2008-02-23 12:00 270,336 ----a-w C:\WINDOWS\system32\imon.dll
2008-02-13 13:49 --------- d-----w C:\Program Files\Common Files\Adobe
2008-02-13 13:49 --------- d-----w C:\Program Files\Bonjour
2008-02-13 13:42 --------- d-----w C:\Program Files\Common Files\Macrovision Shared
2008-02-12 11:48 --------- d-----w C:\Documents and Settings\Dejan\Application Data\DeskCallNG
2008-01-12 08:48 720,896 ----a-w C:\WINDOWS\iun6002.exe
2007-07-10 08:04 20,112 ----a-w C:\Documents and Settings\Dejan\Application Data\GDIPFONTCACHEV1.DAT
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56 15360]
"Magentic"="C:\PROGRA~1\Magentic\bin\Magentic.exe" [2007-10-09 14:42 475180]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 18:24 1694208]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"YSearchProtection"="C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe" [ ]
"nod32kui"="C:\Program Files\Eset\nod32kui.exe" [2008-02-23 14:00 921600]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 11:25 6731312]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2004-08-04 00:56 15360]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\system]
"DisableCMD"= 0 (0x0)

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ICQ]
--a------ 2007-11-21 02:47 172280 C:\Program Files\ICQ6\ICQ.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--------- 2004-10-13 18:24 1694208 C:\Program Files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2001-07-09 11:50 155648 C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OpwareSE2]
--a------ 2003-05-08 12:00 49152 C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2007-10-02 13:29 286720 C:\Program Files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RegistrySmart]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
--a------ 2004-12-01 17:54 77824 C:\WINDOWS\SOUNDMAN.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\YSearchProtection]
C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"LightScribeService"=2 (0x2)
"gusvc"=3 (0x3)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\TC UP\\PLUGINS\\Media\\uTorrent\\utorrent.exe"=
"C:\\Program Files\\ICQ6\\ICQ.exe"=
"C:\\Program Files\\Magentic\\bin\\MgImp.exe"=
"C:\\Program Files\\Magentic\\bin\\Magentic.exe"=
"C:\\Program Files\\Magentic\\bin\\MgApp.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\TC UP\\TOTALCMD.EXE"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"512:TCP"= 512:TCP:KOMUNIKACIJA
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R1 VD_FileDisk;VD_FileDisk;C:\WINDOWS\system32\drivers\VD_FileDisk.sys [2006-01-13 14:00]
R2 pgAgent;PostgreSQL Scheduling Agent - pgAgent;C:\Program Files\PostgreSQL\8.1\bin\pgAgent RUN pgAgent hostaddr=127.0.0.1 dbname=postgres user=postgres []
R2 pgsql-8.1;PostgreSQL Database Server 8.1;"C:\Program Files\PostgreSQL\8.1\bin\pg_ctl.exe" runservice -N "pgsql-8.1" -D "C:\Program Files\PostgreSQL\8.1\data\" []
R2 U3SHLPDR;U3SHLPDR;C:\WINDOWS\System32\Drivers\U3SHLPDR.SYS [2007-10-21 10:41]
S3 FXDRV;FXDRV;D:\Fxdrv.sys []

.
Contents of the 'Scheduled Tasks' folder
"2008-04-11 13:00:19 C:\WINDOWS\Tasks\BackUp.job"
- D:\MARKO\Install_PoSo\BackUp\BackUp.exe
.
**************************************************************************

catchme 0.3.1351 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, gmer.net
Rootkit scan 2008-04-12 10:48:54
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\pgAgent]
"ImagePath"="C:\Program Files\PostgreSQL\8.1\bin\pgAgent RUN pgAgent hostaddr=127.0.0.1 dbname=postgres user=postgres"
.
Completion time: 2008-04-12 10:49:34
ComboFix-quarantined-files.txt 2008-04-12 08:49:22
ComboFix2.txt 2008-04-11 09:37:09
ComboFix3.txt 2008-04-07 13:38:30
Pre-Run: 26,125,361,152 bytes free
Post-Run: 26,115,076,096 bytes free
.
2008-01-09 15:38:09 --- E O F ---

MANY THANKS AND REGARDS!!!!!!!!!!!!!!!!!!!!!!!!

  • helen1  Male
  • Anti Malware Fighter
    Rank 2
  • Master teacher
  • Joined: 27 Aug 2005
  • Posts: 8617
  • Location: Novi Beograd
