Win32.Sality virus

  • Veljko
  • Joined: 29 Jul 2008
  • Posts: 615
  • Location: Zemun

OK, tomorrow I'll format the XP partition (once I back up some data).
After that I won't open any partition; I'll install the modem driver from the CD and immediately download and run Dr.Web CureIt, which will scan the computer for the next two, three, four or five hours, and after that I'll post you its log.

Regards, until tomorrow

Update: 24 Mar 2009 17:53

So, dr_Bora, the situation is as follows: I formatted the XP partition and installed Vista, XP had annoyed me too much. I also formatted the 420 GB partition, so literally my whole hard drive is formatted. What hasn't been formatted is the external hard drive, and it's plugged into the computer, but Task Manager is still there for now...
How do we clean that external hard drive?

Update: 24 Mar 2009 18:12

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:06:43 PM, on 3/24/2009
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16386)
Boot mode: Normal

Running processes:
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\userinit.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\SearchProtocolHost.exe
C:\Program Files\Trend Micro\HijackThis\hjk.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O13 - Gopher Prefix:

--
End of file - 1897 bytes
Again: "Task Manager has been disabled".

  • dr_Bora
  • Anti Malware Fighter
    Rank 2
  • Joined: 24 Jul 2007
  • Posts: 12280
  • Location: Höganäs, SE

Quote: "After that I won't open any partition; I'll install the modem driver from the CD and immediately download and run Dr.Web CureIt"

Did you do this?

Post a ComboFix log (so I can check whether it's the same infection).

  • Veljko
  • Joined: 29 Jul 2008
  • Posts: 615
  • Location: Zemun

I only opened the external hard drive; the other partitions, which are formatted anyway, I didn't (my whole hard drive is formatted now).
I'll post the CF log now.

Update: 24 Mar 2009 18:47

ComboFix 09-03-23.01 - veljko 2009-03-24 19:39:48.1 - NTFSx86
Microsoft® Windows Vista™ Ultimate 6.0.6000.0.1252.1.1033.18.3070.2041 [GMT 1:00]
Running from: c:\users\veljko\Downloads\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((( Files Created from 2009-02-24 to 2009-03-24 )))))))))))))))))))))))))))))))
.

2009-03-25 02:07 . 2009-03-24 18:12 <DIR> d-------- c:\windows\Debug
2009-03-25 02:05 . 2009-03-25 02:09 <DIR> d-------- c:\windows\Panther
2009-03-25 02:05 . 2009-03-25 02:05 <DIR> d--hs---- C:\Boot
2009-03-25 02:05 . 2006-11-02 10:53 438,840 -rahs---- C:\bootmgr
2009-03-25 02:05 . 2009-03-25 02:05 8,192 -ra-s---- C:\BOOTSECT.BAK
2009-03-24 19:05 . 2009-03-24 19:05 <DIR> d-------- c:\program files\Trend Micro
2009-03-24 19:01 . 2009-03-24 19:02 <DIR> d-------- c:\program files\Counter-Strike 1.6
2009-03-24 18:57 . 2009-03-24 18:57 <DIR> d-------- c:\windows\System32\Macromed
2009-03-24 18:56 . 2009-03-24 18:56 0 --a------ c:\windows\nsreg.dat
2009-03-24 18:47 . 2008-01-03 22:26 1,079,840 --a------ c:\windows\System32\nvcpluir.dll
2009-03-24 18:47 . 2008-01-03 22:26 764,448 --a------ c:\windows\System32\nvcplui.exe
2009-03-24 18:47 . 2008-01-03 22:26 420,384 --a------ c:\windows\System32\nvcpl.cpl
2009-03-24 18:47 . 2008-01-03 22:26 360,448 --a------ c:\windows\System32\nvuninst.exe
2009-03-24 18:47 . 2008-01-03 22:26 313,888 --a------ c:\windows\System32\nvexpbar.dll
2009-03-24 18:46 . 2009-03-24 18:46 <DIR> d--h----- c:\program files\InstallShield Installation Information
2009-03-24 18:45 . 2009-03-24 18:45 <DIR> d-------- c:\program files\Common Files\InstallShield
2009-03-24 18:38 . 2009-03-24 18:38 <DIR> d-------- c:\program files\Runtime Software
2009-03-24 18:36 . 2009-03-24 18:49 <DIR> d-------- c:\users\veljko\AppData\Roaming\DNA
2009-03-24 18:36 . 2009-03-24 18:38 <DIR> d-------- c:\users\veljko\AppData\Roaming\BitTorrent
2009-03-24 18:36 . 2009-03-24 18:42 <DIR> d-------- c:\program files\DNA
2009-03-24 18:36 . 2009-03-24 18:36 <DIR> d-------- c:\program files\BitTorrent
2009-03-24 18:35 . 2009-03-24 18:42 203,508,867 --a------ c:\windows\MEMORY.DMP
2009-03-24 18:31 . 2009-03-24 18:31 <DIR> d-------- c:\users\veljko\DoctorWeb
2009-03-24 18:25 . 2009-03-24 18:25 <DIR> d-------- c:\users\veljko\AppData\Roaming\GHISLER
2009-03-24 18:25 . 2009-03-24 18:25 <DIR> d-------- C:\totalcmd
2009-03-24 18:25 . 2008-08-08 07:04 545 --a------ c:\windows\UC.PIF
2009-03-24 18:25 . 2008-08-08 07:04 545 --a------ c:\windows\RAR.PIF
2009-03-24 18:25 . 2008-08-08 07:04 545 --a------ c:\windows\PKZIP.PIF
2009-03-24 18:25 . 2008-08-08 07:04 545 --a------ c:\windows\PKUNZIP.PIF
2009-03-24 18:25 . 2008-08-08 07:04 545 --a------ c:\windows\NOCLOSE.PIF
2009-03-24 18:25 . 2008-08-08 07:04 545 --a------ c:\windows\LHA.PIF
2009-03-24 18:25 . 2008-08-08 07:04 545 --a------ c:\windows\ARJ.PIF
2009-03-24 18:21 . 2003-04-03 00:54 20,648 --a------ c:\windows\System32\drivers\netrcacm.sys
2009-03-24 18:13 . 2009-03-24 18:13 <DIR> dr------- c:\users\veljko\Videos
2009-03-24 18:13 . 2009-03-24 18:13 <DIR> dr------- c:\users\veljko\Searches
2009-03-24 18:13 . 2009-03-24 18:13 <DIR> dr------- c:\users\veljko\Saved Games
2009-03-24 18:13 . 2009-03-24 19:16 <DIR> dr------- c:\users\veljko\Pictures
2009-03-24 18:13 . 2009-03-24 18:13 <DIR> dr------- c:\users\veljko\Music
2009-03-24 18:13 . 2009-03-24 18:13 <DIR> dr------- c:\users\veljko\Links
2009-03-24 18:13 . 2009-03-24 19:39 <DIR> dr------- c:\users\veljko\Downloads
2009-03-24 18:13 . 2009-03-24 18:13 <DIR> dr------- c:\users\veljko\Documents
2009-03-24 18:13 . 2009-03-24 18:13 <DIR> dr------- c:\users\veljko\Contacts
2009-03-24 18:13 . 2006-11-02 13:35 <DIR> d-------- c:\users\veljko\AppData\Roaming\Media Center Programs
2009-03-24 18:13 . 2009-03-24 18:13 <DIR> d--h----- c:\users\veljko\AppData
2009-03-24 18:13 . 2009-03-24 18:46 <DIR> d-------- c:\users\veljko
2009-03-24 18:12 . 2009-03-24 18:12 <DIR> dr------- c:\windows\System32\config\systemprofile\Contacts

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2006-11-02 12:49 174 --sha-w c:\program files\desktop.ini
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BitTorrent DNA]
--a------ 2009-03-24 18:36 342848 c:\program files\DNA\btdna.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
--a------ 2008-01-03 22:26 13515296 c:\windows\System32\nvcpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
--a------ 2008-01-03 22:26 86016 c:\windows\System32\nvmctray.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvSvc]
--a------ 2008-01-03 22:26 90112 c:\windows\System32\nvsvc.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Sidebar]
--a------ 2006-11-02 13:33 1196032 c:\program files\Windows Sidebar\sidebar.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender]
--a------ 2006-11-02 13:32 1004136 c:\program files\Windows Defender\MSASCui.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WindowsWelcomeCenter]
--a------ 2006-11-02 13:32 2159104 c:\windows\System32\oobefldr.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{4FBA1554-4C0B-4F97-B742-834EC9EF4D89}"= UDP:c:\program files\DNA\btdna.exe:DNA (TCP-In)
"{C2AC0505-42EC-4C28-AAF5-E4F8416FADF6}"= TCP:c:\program files\DNA\btdna.exe:DNA (UDP-In)
"{837A3202-8FA0-4C46-822E-BF2EB543A431}"= UDP:c:\program files\BitTorrent\bittorrent.exe:BitTorrent (TCP-In)
"{27F9BCA3-7ABB-44D4-9B68-D3AE6D033D8B}"= TCP:c:\program files\BitTorrent\bittorrent.exe:BitTorrent (UDP-In)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\PublicProfile]
"EnableFirewall"= 0 (0x0)
"DisabledInterfaces"= {CD5C267B-C272-4234-9173-4D5552C39DCE}
"DoNotAllowExceptions"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\RestrictedServices\Static\System]
"DFSR-1"= RPort=5722|UDP:%SystemRoot%\system32\svchost.exe|Svc=DFSR:Allow inbound TCP traffic|

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile\AuthorizedApplications\List]
"c:\\Program Files\\BitTorrent\\bittorrent.exe"= c:\program files\BitTorrent\bittorrent.exe:*:Enabled:BitTorrent
"d:\\Igre\\Warcraft III\\Frozen Throne.exe"= d:\igre\Warcraft III\Frozen Throne.exe:*:Enabled:ipsec
"c:\\Windows\\system32\\Dwm.exe"= c:\windows\system32\Dwm.exe:*:Enabled:ipsec
"c:\\Users\\veljko\\AppData\\Local\\Temp\\winygwu.exe"= c:\users\veljko\AppData\Local\Temp\winygwu.exe:*:Enabled:ipsec
"c:\\Users\\veljko\\AppData\\Local\\Temp\\winmjokgf.exe"= c:\users\veljko\AppData\Local\Temp\winmjokgf.exe:*:Enabled:ipsec
"c:\\Users\\veljko\\AppData\\Local\\Temp\\pond.exe"= c:\users\veljko\AppData\Local\Temp\pond.exe:*:Enabled:ipsec


--- Other Services/Drivers In Memory ---

*NewlyCreated* - DXGKRNL
*Deregistered* - DwShield00007E3A
.
.
------- Supplementary Scan -------
.
FF - ProfilePath - c:\users\veljko\AppData\Roaming\Mozilla\Firefox\Profiles\umn96b4m.default\
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-03-24 19:40:37
Windows 6.0.6000 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2009-03-24 19:41:47
ComboFix-quarantined-files.txt 2009-03-24 18:41:45

Pre-Run: 13,354,717,184 bytes free
Post-Run: 13,762,961,408 bytes free

I think it's something else this time; CF finished quickly and Task Manager is working for now.

  • dr_Bora
  • Anti Malware Fighter
    Rank 2
  • Joined: 24 Jul 2007
  • Posts: 12280
  • Location: Höganäs, SE

I don't see anything problematic here.

  • Veljko
  • Joined: 29 Jul 2008
  • Posts: 615
  • Location: Zemun

Let's hope that's true...
Let's hope the virus is removed; if not, here I am again so we can continue.
Now seriously: after the first run of CF, Task Manager started working, but then it stopped working again, so I ran CF again, and since then it has been working normally, for 2 hours now. I'm not sure whether the virus still exists, but that will be revealed when I start copying things from the external hard drive to my hard drive; if the virus still exists there will be all sorts of trouble, and if not, then... great!
In any case, I'll report the status tomorrow. Cheers, regards

Update: 26 Mar 2009 13:59

After installing some program from the external hard drive, Task Manager got disabled again....
And I ran CF again, which finished quickly and re-enabled Task Manager.

What's the problem?

ComboFix 09-03-25.03 - veljko 2009-03-26 14:49:28.5 - NTFSx86
Microsoft® Windows Vista™ Ultimate 6.0.6000.0.1252.1.1033.18.3070.2383 [GMT 1:00]
Running from: c:\users\veljko\Downloads\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((( Files Created from 2009-02-26 to 2009-03-26 )))))))))))))))))))))))))))))))
.

2009-03-25 23:07 . 2009-03-25 23:07 <DIR> d-------- c:\users\All Users\Google
2009-03-25 23:06 . 2009-03-25 23:06 <DIR> d-------- c:\program files\Nero 9
2009-03-25 23:06 . 2009-03-25 23:06 <DIR> d-------- c:\program files\Common Files\Nero
2009-03-25 23:06 . 2009-03-25 23:06 <DIR> d-------- c:\program files\Audacity 1.3 Beta (Unicode)
2009-03-25 23:06 . 2008-07-04 10:23 1,757,184 --a------ c:\windows\System32\imagX7.dll
2009-03-25 23:06 . 2008-07-04 10:23 802,816 --a------ c:\windows\System32\imagXRA7.dll
2009-03-25 23:06 . 2008-07-04 10:23 497,296 --a------ c:\windows\System32\imagXpr7.dll
2009-03-25 23:06 . 2006-03-17 15:49 368,640 --a------ c:\windows\System32\twnlib4.dll
2009-03-25 23:06 . 2008-07-04 10:23 258,048 --a------ c:\windows\System32\imagXR7.dll
2009-03-25 22:59 . 2009-03-25 23:02 <DIR> d-------- c:\program files\Garena
2009-03-25 22:57 . 2009-03-25 22:57 <DIR> d-------- c:\users\veljko\AppData\Roaming\OpenOffice.org
2009-03-25 22:53 . 2009-03-25 22:53 <DIR> d-------- c:\users\veljko\AppData\Roaming\Corel
2009-03-25 22:53 . 2009-03-25 22:53 <DIR> d-------- c:\program files\OpenOffice.org 3
2009-03-25 22:53 . 2009-03-25 22:53 <DIR> d-------- c:\program files\JRE
2009-03-25 22:53 . 2009-03-25 22:56 2,828 --ahs---- c:\users\All Users\KGyGaAvL.sys
2009-03-25 22:53 . 2009-03-25 22:56 2,828 --ahs---- c:\programdata\KGyGaAvL.sys
2009-03-25 22:53 . 2009-03-25 22:53 8 -r-hs---- c:\users\All Users\77083ACD65.sys
2009-03-25 22:53 . 2009-03-25 22:53 8 -r-hs---- c:\programdata\77083ACD65.sys
2009-03-25 22:52 . 2009-03-25 22:52 <DIR> d-------- c:\users\All Users\Corel
2009-03-25 22:52 . 2009-03-25 22:52 <DIR> d-------- c:\programdata\Corel
2009-03-25 22:52 . 2009-03-25 22:52 <DIR> d-------- c:\program files\Common Files\Protexis
2009-03-25 22:49 . 2009-03-25 23:07 <DIR> d-------- c:\program files\Google
2009-03-25 22:46 . 2009-03-25 22:46 <DIR> d-------- c:\program files\Common Files\Corel
2009-03-25 22:45 . 2009-03-25 22:45 <DIR> d-------- c:\program files\Corel
2009-03-25 22:44 . 2009-03-25 22:44 <DIR> d-------- c:\users\veljko\AppData\Roaming\InstallShield
2009-03-25 22:42 . 2009-03-25 22:42 <DIR> d-------- c:\program files\AnswerWorks 4.0
2009-03-25 22:41 . 2009-03-25 22:41 <DIR> d-------- c:\users\veljko\AppData\Roaming\Autodesk
2009-03-25 22:41 . 2009-03-25 22:41 <DIR> d-------- c:\users\All Users\Autodesk
2009-03-25 22:41 . 2009-03-25 22:41 <DIR> d-------- c:\programdata\Autodesk
2009-03-25 22:41 . 2009-03-25 22:43 <DIR> d-------- c:\program files\AutoCAD 2007
2009-03-25 22:40 . 2009-03-25 22:42 <DIR> d-------- c:\program files\Common Files\Autodesk Shared
2009-03-25 22:40 . 2009-03-25 22:40 <DIR> d-------- c:\program files\Autodesk
2009-03-25 22:38 . 2009-03-25 22:38 <DIR> d-------- C:\install
2009-03-25 22:19 . 2009-03-25 22:19 <DIR> d-------- c:\program files\Common Files\Adobe AIR
2009-03-25 22:18 . 2009-03-25 22:19 <DIR> d-------- c:\users\All Users\Adobe
2009-03-25 22:16 . 2009-03-25 22:16 <DIR> d-------- c:\program files\Common Files\Macrovision Shared
2009-03-25 22:15 . 2009-03-25 22:35 <DIR> d-------- c:\program files\Common Files\Adobe
2009-03-25 22:05 . 2009-03-25 22:05 <DIR> d-------- c:\program files\Print3D Corporation
2009-03-25 22:04 . 2009-03-25 22:04 <DIR> d-------- c:\program files\progeSOFT
2009-03-25 22:04 . 2009-01-10 18:54 1,645,320 --a------ c:\windows\System32\gdiplus.dll
2009-03-25 22:03 . 2009-03-25 22:03 155,655,543 --a------ c:\windows\System32\xa17798622.exe
2009-03-25 22:03 . 2009-03-25 22:03 155,655,543 --a------ c:\windows\System32\xa17772616.exe
2009-03-25 20:56 . 2009-03-25 20:56 <DIR> d-------- c:\users\veljko\AppData\Roaming\GRETECH
2009-03-25 20:55 . 2009-03-25 20:55 <DIR> d-------- c:\program files\GRETECH
2009-03-25 17:23 . 2009-03-25 17:23 <DIR> d-------- C:\lupo
2009-03-25 02:07 . 2009-03-24 18:12 <DIR> d-------- c:\windows\Debug
2009-03-25 02:05 . 2009-03-25 02:09 <DIR> d-------- c:\windows\Panther
2009-03-25 02:05 . 2009-03-25 02:05 <DIR> d--hs---- C:\Boot
2009-03-25 02:05 . 2006-11-02 10:53 438,840 -rahs---- C:\bootmgr
2009-03-25 02:05 . 2009-03-25 02:05 8,192 -ra-s---- C:\BOOTSECT.BAK
2009-03-24 20:02 . 2009-03-24 20:02 <DIR> d-------- c:\users\veljko\.gimp-2.6
2009-03-24 20:02 . 2009-03-24 20:02 <DIR> d-------- c:\users\veljko\.gegl-0.0
2009-03-24 20:01 . 2009-03-24 20:01 <DIR> d-------- c:\program files\Gimp-2.0
2009-03-24 19:59 . 2009-03-24 19:59 <DIR> d-------- c:\users\All Users\ACD Systems
2009-03-24 19:59 . 2009-03-24 19:59 <DIR> d-------- c:\programdata\ACD Systems
2009-03-24 19:59 . 2009-03-24 19:59 <DIR> d-------- c:\program files\Common Files\ACD Systems
2009-03-24 19:59 . 2009-03-24 19:59 <DIR> d-------- c:\program files\ACD Systems
2009-03-24 19:51 . 2009-03-25 23:07 <DIR> d--hs---- c:\windows\Installer
2009-03-24 19:05 . 2009-03-24 19:05 <DIR> d-------- c:\program files\Trend Micro
2009-03-24 19:01 . 2009-03-24 19:02 <DIR> d-------- c:\program files\Counter-Strike 1.6
2009-03-24 18:57 . 2009-03-24 18:57 <DIR> d-------- c:\windows\System32\Macromed
2009-03-24 18:56 . 2009-03-24 18:56 0 --a------ c:\windows\nsreg.dat
2009-03-24 18:47 . 2008-01-03 22:26 1,079,840 --a------ c:\windows\System32\nvcpluir.dll
2009-03-24 18:47 . 2008-01-03 22:26 764,448 --a------ c:\windows\System32\nvcplui.exe
2009-03-24 18:47 . 2008-01-03 22:26 420,384 --a------ c:\windows\System32\nvcpl.cpl
2009-03-24 18:47 . 2008-01-03 22:26 360,448 --a------ c:\windows\System32\nvuninst.exe
2009-03-24 18:47 . 2008-01-03 22:26 313,888 --a------ c:\windows\System32\nvexpbar.dll
2009-03-24 18:46 . 2009-03-25 22:59 <DIR> d--h----- c:\program files\InstallShield Installation Information
2009-03-24 18:45 . 2009-03-24 18:45 <DIR> d-------- c:\program files\Common Files\InstallShield
2009-03-24 18:38 . 2009-03-24 18:38 <DIR> d-------- c:\program files\Runtime Software
2009-03-24 18:36 . 2009-03-24 18:49 <DIR> d-------- c:\users\veljko\AppData\Roaming\DNA
2009-03-24 18:36 . 2009-03-24 18:38 <DIR> d-------- c:\users\veljko\AppData\Roaming\BitTorrent
2009-03-24 18:36 . 2009-03-24 18:42 <DIR> d-------- c:\program files\DNA
2009-03-24 18:36 . 2009-03-24 18:36 <DIR> d-------- c:\program files\BitTorrent
2009-03-24 18:35 . 2009-03-24 18:42 203,508,867 --a------ c:\windows\MEMORY.DMP
2009-03-24 18:31 . 2009-03-24 18:31 <DIR> d-------- c:\users\veljko\DoctorWeb
2009-03-24 18:25 . 2009-03-24 18:25 <DIR> d-------- c:\users\veljko\AppData\Roaming\GHISLER
2009-03-24 18:25 . 2009-03-24 18:25 <DIR> d-------- C:\totalcmd
2009-03-24 18:25 . 2008-08-08 07:04 545 --a------ c:\windows\UC.PIF
2009-03-24 18:25 . 2008-08-08 07:04 545 --a------ c:\windows\RAR.PIF
2009-03-24 18:25 . 2008-08-08 07:04 545 --a------ c:\windows\PKZIP.PIF
2009-03-24 18:25 . 2008-08-08 07:04 545 --a------ c:\windows\PKUNZIP.PIF
2009-03-24 18:25 . 2008-08-08 07:04 545 --a------ c:\windows\NOCLOSE.PIF
2009-03-24 18:25 . 2008-08-08 07:04 545 --a------ c:\windows\LHA.PIF
2009-03-24 18:25 . 2008-08-08 07:04 545 --a------ c:\windows\ARJ.PIF
2009-03-24 18:21 . 2003-04-03 00:54 20,648 --a------ c:\windows\System32\drivers\netrcacm.sys
2009-03-24 18:13 . 2009-03-24 18:13 <DIR> dr------- c:\users\veljko\Videos
2009-03-24 18:13 . 2009-03-24 18:13 <DIR> dr------- c:\users\veljko\Searches
2009-03-24 18:13 . 2009-03-24 18:13 <DIR> dr------- c:\users\veljko\Saved Games
2009-03-24 18:13 . 2009-03-24 19:16 <DIR> dr------- c:\users\veljko\Pictures
2009-03-24 18:13 . 2009-03-24 18:13 <DIR> dr------- c:\users\veljko\Music
2009-03-24 18:13 . 2009-03-24 18:13 <DIR> dr------- c:\users\veljko\Links
2009-03-24 18:13 . 2009-03-26 14:47 <DIR> dr------- c:\users\veljko\Downloads
2009-03-24 18:13 . 2009-03-25 20:56 <DIR> dr------- c:\users\veljko\Documents
2009-03-24 18:13 . 2009-03-24 18:13 <DIR> dr------- c:\users\veljko\Contacts
2009-03-24 18:13 . 2006-11-02 13:35 <DIR> d-------- c:\users\veljko\AppData\Roaming\Media Center Programs
2009-03-24 18:13 . 2009-03-24 18:13 <DIR> d--h----- c:\users\veljko\AppData
2009-03-24 18:13 . 2009-03-25 22:56 <DIR> d-------- c:\users\veljko
2009-03-24 18:12 . 2009-03-24 18:12 <DIR> dr------- c:\windows\System32\config\systemprofile\Contacts

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-03-25 21:04 176,128 ----a-w c:\windows\System32\xwr70631.dll
2009-03-25 21:04 176,128 ----a-w c:\windows\System32\wr70631.dll
2009-01-10 17:58 89,360 ----a-w c:\windows\System32\vb5db.dll
2009-01-10 17:58 61,440 ----a-w c:\windows\System32\wintab32.dll
2009-01-10 17:58 1,060,864 ----a-w c:\windows\System32\mfc71.dll
2009-01-10 17:57 40,960 ----a-w c:\windows\System32\vbame.dll
2009-01-10 17:57 1,146,184 ----a-w c:\windows\System32\fm20.dll
2009-01-10 17:55 73,728 ----a-w c:\windows\System32\skeydrv.dll
2009-01-10 17:55 2,134,016 ----a-w c:\windows\System32\cdintf251.dll
2009-01-10 17:55 132,392 ----a-w c:\windows\System32\skeyinst.dll
2006-11-02 12:49 174 --sha-w c:\program files\desktop.ini
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{477015AA-16EB-38E1-B145-C58AA00FA87E}]
2009-03-25 22:04 176128 --a------ c:\windows\system32\xwr70631.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.ACDV"= ACDV.dll
"msacm.divxa32"= msaud32_divx.acm

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^AutoCAD Startup Accelerator.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\AutoCAD Startup Accelerator.lnk
backup=c:\windows\pss\AutoCAD Startup Accelerator.lnk.CommonStartup
backupExtension=.CommonStartup

[HKLM\~\startupfolder\C:^Users^veljko^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^OpenOffice.org 3.0.lnk]
path=c:\users\veljko\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OpenOffice.org 3.0.lnk
backup=c:\windows\pss\OpenOffice.org 3.0.lnk.Startup
backupExtension=.Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdobeCS4ServiceManager]
--a------ 2008-08-14 07:58 611712 c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ASuite]
--a------ 2008-05-24 21:26 457728 d:\lupo pensuite v6.70 full\Launcher\ASuite.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BitTorrent DNA]
--a------ 2009-03-24 18:36 342848 c:\program files\DNA\btdna.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
--a------ 2008-01-03 22:26 13515296 c:\windows\System32\nvcpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
--a------ 2008-01-03 22:26 86016 c:\windows\System32\nvmctray.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvSvc]
--a------ 2008-01-03 22:26 90112 c:\windows\System32\nvsvc.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Sidebar]
--a------ 2006-11-02 13:33 1196032 c:\program files\Windows Sidebar\sidebar.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender]
--a------ 2006-11-02 13:32 1004136 c:\program files\Windows Defender\MSASCui.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WindowsWelcomeCenter]
--a------ 2006-11-02 13:32 2159104 c:\windows\System32\oobefldr.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-207583750-273483801-176882428-1000]
"EnableNotificationsRef"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{4FBA1554-4C0B-4F97-B742-834EC9EF4D89}"= UDP:c:\program files\DNA\btdna.exe:DNA (TCP-In)
"{C2AC0505-42EC-4C28-AAF5-E4F8416FADF6}"= TCP:c:\program files\DNA\btdna.exe:DNA (UDP-In)
"{837A3202-8FA0-4C46-822E-BF2EB543A431}"= UDP:c:\program files\BitTorrent\bittorrent.exe:BitTorrent (TCP-In)
"{27F9BCA3-7ABB-44D4-9B68-D3AE6D033D8B}"= TCP:c:\program files\BitTorrent\bittorrent.exe:BitTorrent (UDP-In)
"{126C18EE-9920-40A5-8A96-5BCA753BC3C9}"= UDP:5353:Adobe CSI CS4
"{A39A8FA3-35D2-4A0C-B3F0-28B77CA81780}"= UDP:c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe:Adobe CSI CS4
"{BC7FCD52-15C1-497D-86A9-1FDC0F3ABA35}"= TCP:c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe:Adobe CSI CS4

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\PublicProfile]
"EnableFirewall"= 0 (0x0)
"DisabledInterfaces"= {CD5C267B-C272-4234-9173-4D5552C39DCE}
"DoNotAllowExceptions"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\RestrictedServices\Static\System]
"DFSR-1"= RPort=5722|UDP:%SystemRoot%\system32\svchost.exe|Svc=DFSR:Allow inbound TCP traffic|

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile\AuthorizedApplications\List]
"c:\\Program Files\\BitTorrent\\bittorrent.exe"= c:\program files\BitTorrent\bittorrent.exe:*:Enabled:BitTorrent
"d:\\Igre\\Warcraft III\\Frozen Throne.exe"= d:\igre\Warcraft III\Frozen Throne.exe:*:Enabled:ipsec
"c:\\Windows\\system32\\Dwm.exe"= c:\windows\system32\Dwm.exe:*:Enabled:ipsec
"c:\\Users\\veljko\\AppData\\Local\\Temp\\winygwu.exe"= c:\users\veljko\AppData\Local\Temp\winygwu.exe:*:Enabled:ipsec
"c:\\Users\\veljko\\AppData\\Local\\Temp\\winmjokgf.exe"= c:\users\veljko\AppData\Local\Temp\winmjokgf.exe:*:Enabled:ipsec
"c:\\Users\\veljko\\AppData\\Local\\Temp\\pond.exe"= c:\users\veljko\AppData\Local\Temp\pond.exe:*:Enabled:ipsec
"d:\\Instalacije\\ACDSee Photo Manager 2009 v11.0.85\\ACDSee Photo Manager 2009 v11.0.85\\setup.exe"= d:\instalacije\ACDSee Photo Manager 2009 v11.0.85\ACDSee Photo Manager 2009 v11.0.85\setup.exe:*:Enabled:ipsec
"c:\\Users\\veljko\\AppData\\Local\\Temp\\winwoirq.exe"= c:\users\veljko\AppData\Local\Temp\winwoirq.exe:*:Enabled:ipsec
"c:\\Users\\veljko\\AppData\\Local\\Temp\\winsteprg.exe"= c:\users\veljko\AppData\Local\Temp\winsteprg.exe:*:Enabled:ipsec
"c:\\Users\\veljko\\AppData\\Local\\Temp\\winlwxao.exe"= c:\users\veljko\AppData\Local\Temp\winlwxao.exe:*:Enabled:ipsec
"c:\\Windows\\system32\\MsiExec.exe"= c:\windows\system32\MsiExec.exe:*:Enabled:ipsec
"c:\\Users\\veljko\\Desktop\\Warcraft III\\Frozen Throne.exe"= c:\users\veljko\Desktop\Warcraft III\Frozen Throne.exe:*:Enabled:ipsec
"c:\\Program Files\\Runtime Software\\GetDataBack for NTFS\\gdbnt.exe"= c:\program files\Runtime Software\GetDataBack for NTFS\gdbnt.exe:*:Enabled:ipsec
"c:\\Users\\veljko\\AppData\\Local\\Temp\\hcsd.exe"= c:\users\veljko\AppData\Local\Temp\hcsd.exe:*:Enabled:ipsec
"c:\\Users\\veljko\\AppData\\Local\\Temp\\wnyes.exe"= c:\users\veljko\AppData\Local\Temp\wnyes.exe:*:Enabled:ipsec
"c:\\Users\\veljko\\AppData\\Local\\Temp\\winndii.exe"= c:\users\veljko\AppData\Local\Temp\winndii.exe:*:Enabled:ipsec
"c:\\Users\\veljko\\AppData\\Local\\Temp\\winfybjh.exe"= c:\users\veljko\AppData\Local\Temp\winfybjh.exe:*:Enabled:ipsec
"c:\\Users\\veljko\\AppData\\Local\\Temp\\mkjqw.exe"= c:\users\veljko\AppData\Local\Temp\mkjqw.exe:*:Enabled:ipsec
"c:\\Users\\veljko\\AppData\\Local\\Temp\\windnwx.exe"= c:\users\veljko\AppData\Local\Temp\windnwx.exe:*:Enabled:ipsec
"c:\\Users\\veljko\\AppData\\Local\\Temp\\fnlmgk.exe"= c:\users\veljko\AppData\Local\Temp\fnlmgk.exe:*:Enabled:ipsec
"c:\\Users\\veljko\\AppData\\Local\\Temp\\hvuu.exe"= c:\users\veljko\AppData\Local\Temp\hvuu.exe:*:Enabled:ipsec
"c:\\Users\\veljko\\AppData\\Local\\Temp\\winuijcb.exe"= c:\users\veljko\AppData\Local\Temp\winuijcb.exe:*:Enabled:ipsec
"c:\\Users\\veljko\\AppData\\Local\\Temp\\winlrwi.exe"= c:\users\veljko\AppData\Local\Temp\winlrwi.exe:*:Enabled:ipsec
"c:\\Users\\veljko\\AppData\\Local\\Temp\\winbuuji.exe"= c:\users\veljko\AppData\Local\Temp\winbuuji.exe:*:Enabled:ipsec
"c:\\Users\\veljko\\AppData\\Local\\Temp\\dqmn.exe"= c:\users\veljko\AppData\Local\Temp\dqmn.exe:*:Enabled:ipsec
"c:\\Users\\veljko\\AppData\\Local\\Temp\\winobnim.exe"= c:\users\veljko\AppData\Local\Temp\winobnim.exe:*:Enabled:ipsec
"c:\\Users\\veljko\\AppData\\Local\\Temp\\winsdngp.exe"= c:\users\veljko\AppData\Local\Temp\winsdngp.exe:*:Enabled:ipsec
"c:\\Users\\veljko\\AppData\\Local\\Temp\\winlssxgf.exe"= c:\users\veljko\AppData\Local\Temp\winlssxgf.exe:*:Enabled:ipsec
"c:\\Users\\veljko\\AppData\\Local\\Temp\\winbmslv.exe"= c:\users\veljko\AppData\Local\Temp\winbmslv.exe:*:Enabled:ipsec
"c:\\Users\\veljko\\AppData\\Local\\Temp\\wincbxey.exe"= c:\users\veljko\AppData\Local\Temp\wincbxey.exe:*:Enabled:ipsec
"c:\\Users\\veljko\\AppData\\Local\\Temp\\wyoce.exe"= c:\users\veljko\AppData\Local\Temp\wyoce.exe:*:Enabled:ipsec
"c:\\Users\\veljko\\AppData\\Local\\Temp\\winqcvo.exe"= c:\users\veljko\AppData\Local\Temp\winqcvo.exe:*:Enabled:ipsec
"c:\\Users\\veljko\\AppData\\Local\\Temp\\wintbxpd.exe"= c:\users\veljko\AppData\Local\Temp\wintbxpd.exe:*:Enabled:ipsec
"c:\\Users\\veljko\\AppData\\Local\\Temp\\oghr.exe"= c:\users\veljko\AppData\Local\Temp\oghr.exe:*:Enabled:ipsec
"c:\\Users\\veljko\\AppData\\Local\\Temp\\winxtikd.exe"= c:\users\veljko\AppData\Local\Temp\winxtikd.exe:*:Enabled:ipsec
"c:\\Users\\veljko\\AppData\\Local\\Temp\\winontc.exe"= c:\users\veljko\AppData\Local\Temp\winontc.exe:*:Enabled:ipsec
"c:\\Windows\\system32\\CF16409.exe"= c:\windows\system32\CF16409.exe:*:Enabled:ipsec
"c:\\Users\\veljko\\AppData\\Local\\Temp\\winfybspi.exe"= c:\users\veljko\AppData\Local\Temp\winfybspi.exe:*:Enabled:ipsec
"c:\\Users\\veljko\\AppData\\Local\\Temp\\xtwvcy.exe"= c:\users\veljko\AppData\Local\Temp\xtwvcy.exe:*:Enabled:ipsec
"c:\\Users\\veljko\\AppData\\Local\\Temp\\uuiqlq.exe"= c:\users\veljko\AppData\Local\Temp\uuiqlq.exe:*:Enabled:ipsec
"d:\\Instalacije\\ostali programi vazni\\Avast 4.8 srb home.exe"= d:\instalacije\ostali programi vazni\Avast 4.8 srb home.exe:*:Enabled:ipsec
"c:\\Users\\veljko\\AppData\\Local\\Temp\\qsmm.exe"= c:\users\veljko\AppData\Local\Temp\qsmm.exe:*:Enabled:ipsec
"c:\\Users\\veljko\\AppData\\Local\\Temp\\winkitgyg.exe"= c:\users\veljko\AppData\Local\Temp\winkitgyg.exe:*:Enabled:ipsec
"c:\\Users\\veljko\\AppData\\Local\\Temp\\winneoutw.exe"= c:\users\veljko\AppData\Local\Temp\winneoutw.exe:*:Enabled:ipsec

.
.
------- Supplementary Scan -------
.
FF - ProfilePath - c:\users\veljko\AppData\Roaming\Mozilla\Firefox\Profiles\umn96b4m.default\
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-03-26 14:50:27
Windows 6.0.6000 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2009-03-26 14:51:47
ComboFix-quarantined-files.txt 2009-03-26 13:51:44
ComboFix2.txt 2009-03-25 20:54:50

Pre-Run: 1,385,799,680 bytes free
Post-Run: 1,046,921,216 bytes free


  • dr_Bora
  • Anti Malware Fighter
    Rank 2
  • Joined: 24 Jul 2007
  • Posts: 12280
  • Location: Höganäs, SE

Open Notepad and copy the following text:

File::
c:\windows\System32\xwr70631.dll
c:\windows\System32\wr70631.dll

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{477015AA-16EB-38E1-B145-C58AA00FA87E}]
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile\AuthorizedApplications\List]
"c:\\Users\\veljko\\AppData\\Local\\Temp\\winygwu.exe"=-
"c:\\Users\\veljko\\AppData\\Local\\Temp\\winmjokgf.exe"=-
"c:\\Users\\veljko\\AppData\\Local\\Temp\\pond.exe"=-
"c:\\Users\\veljko\\AppData\\Local\\Temp\\winwoirq.exe"=-
"c:\\Users\\veljko\\AppData\\Local\\Temp\\winsteprg.exe"=-
"c:\\Users\\veljko\\AppData\\Local\\Temp\\winlwxao.exe"=-
"c:\\Users\\veljko\\AppData\\Local\\Temp\\hcsd.exe"=-
"c:\\Users\\veljko\\AppData\\Local\\Temp\\wnyes.exe"=-
"c:\\Users\\veljko\\AppData\\Local\\Temp\\winndii.exe"=-
"c:\\Users\\veljko\\AppData\\Local\\Temp\\winfybjh.exe"=-
"c:\\Users\\veljko\\AppData\\Local\\Temp\\mkjqw.exe"=-
"c:\\Users\\veljko\\AppData\\Local\\Temp\\windnwx.exe"=-
"c:\\Users\\veljko\\AppData\\Local\\Temp\\fnlmgk.exe"=-
"c:\\Users\\veljko\\AppData\\Local\\Temp\\hvuu.exe"=-
"c:\\Users\\veljko\\AppData\\Local\\Temp\\winuijcb.exe"=-
"c:\\Users\\veljko\\AppData\\Local\\Temp\\winlrwi.exe"=-
"c:\\Users\\veljko\\AppData\\Local\\Temp\\winbuuji.exe"=-
"c:\\Users\\veljko\\AppData\\Local\\Temp\\dqmn.exe"=-
"c:\\Users\\veljko\\AppData\\Local\\Temp\\winobnim.exe"=-
"c:\\Users\\veljko\\AppData\\Local\\Temp\\winsdngp.exe"=-
"c:\\Users\\veljko\\AppData\\Local\\Temp\\winlssxgf.exe"=-
"c:\\Users\\veljko\\AppData\\Local\\Temp\\winbmslv.exe"=-
"c:\\Users\\veljko\\AppData\\Local\\Temp\\wincbxey.exe"=-
"c:\\Users\\veljko\\AppData\\Local\\Temp\\wyoce.exe"=-
"c:\\Users\\veljko\\AppData\\Local\\Temp\\winqcvo.exe"=-
"c:\\Users\\veljko\\AppData\\Local\\Temp\\wintbxpd.exe"=-
"c:\\Users\\veljko\\AppData\\Local\\Temp\\oghr.exe"=-
"c:\\Users\\veljko\\AppData\\Local\\Temp\\winxtikd.exe"=-
"c:\\Users\\veljko\\AppData\\Local\\Temp\\winontc.exe"=-
"c:\\Users\\veljko\\AppData\\Local\\Temp\\winfybspi.exe"=-
"c:\\Users\\veljko\\AppData\\Local\\Temp\\xtwvcy.exe"=-
"c:\\Users\\veljko\\AppData\\Local\\Temp\\uuiqlq.exe"=-
"c:\\Users\\veljko\\AppData\\Local\\Temp\\qsmm.exe"=-
"c:\\Users\\veljko\\AppData\\Local\\Temp\\winkitgyg.exe"=-
"c:\\Users\\veljko\\AppData\\Local\\Temp\\winneoutw.exe"=-


Save the file from Notepad to the Desktop as "CFScript".

Drag the saved script/text onto the ComboFix icon as shown in the picture.
In your next message, post the log that is produced at the end of the cleaning/scanning.
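The steps above (pick the firewall-authorized executables under the user's Temp directory out of the ComboFix log, list them in a "Registry::" block with the `"name"=-` removal syntax, and note the weakened settings the log showed, "EnableLUA"= 0 and "EnableFirewall"= 0) can be done mechanically. This is an added example, not code from the thread or from ComboFix; the log excerpt it parses is constructed, with the user name alice and the executable names made up to mirror the pattern in the thread.

```python
"""Triage helper for the "Reg Loading Points" section of a ComboFix log.

Added example, not part of the thread or of ComboFix. It flags firewall
AuthorizedApplications entries that live under a user's %TEMP% directory,
flags EnableLUA=0 / EnableFirewall=0, and emits the matching CFScript
"Registry::" block in the '"name"=-' removal syntax used in the thread.
"""
import re
from typing import Dict, List, Tuple

# Header line exactly as ComboFix prints it (the '~' is ComboFix's own shorthand).
AUTHORIZED_APPS_KEY = (
    r"[HKLM\~\services\sharedaccess\parameters\firewallpolicy"
    r"\StandardProfile\AuthorizedApplications\List]"
)
# Value lines look like:  "c:\\path\\x.exe"= c:\path\x.exe:*:Enabled:ipsec
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=\s*(?P<data>.*)$')
# Any user's local temp directory, matched case-insensitively on the unescaped path.
TEMP_PATH_RE = re.compile(r"^[a-z]:\\users\\[^\\]+\\appdata\\local\\temp\\", re.I)

WEAK_SETTINGS = {
    "EnableLUA": "UAC disabled (EnableLUA=0)",
    "EnableFirewall": "Windows Firewall disabled (EnableFirewall=0)",
}

# Constructed log excerpt (user name and executable names are made up).
SAMPLE_LOG = r"""
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\PublicProfile]
"EnableFirewall"= 0 (0x0)
"DoNotAllowExceptions"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile\AuthorizedApplications\List]
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"= c:\program files\Mozilla Firefox\firefox.exe:*:Enabled:ipsec
"c:\\Users\\alice\\AppData\\Local\\Temp\\winabcd.exe"= c:\users\alice\AppData\Local\Temp\winabcd.exe:*:Enabled:ipsec
"c:\\Windows\\system32\\Dwm.exe"= c:\windows\system32\Dwm.exe:*:Enabled:ipsec
"c:\\Users\\alice\\AppData\\Local\\Temp\\qwer.exe"= c:\users\alice\AppData\Local\Temp\qwer.exe:*:Enabled:ipsec
"""


def parse_reg_sections(log_text: str) -> Dict[str, List[Tuple[str, str]]]:
    """Group '"name"= data' lines under the [key] header that precedes them."""
    sections: Dict[str, List[Tuple[str, str]]] = {}
    current = None
    for raw in log_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line
            sections.setdefault(current, [])
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            sections[current].append((m.group("name"), m.group("data").strip()))
    return sections


def find_temp_authorized_apps(sections: Dict[str, List[Tuple[str, str]]]) -> List[str]:
    """Return the value names (registry-escaped) of authorized apps under %TEMP%."""
    hits = []
    for name, _data in sections.get(AUTHORIZED_APPS_KEY, []):
        path = name.replace("\\\\", "\\")  # undo the doubled backslashes of the value name
        if TEMP_PATH_RE.match(path):
            hits.append(name)
    return hits


def find_weak_settings(sections: Dict[str, List[Tuple[str, str]]]) -> List[str]:
    """Flag EnableLUA / EnableFirewall values set to 0 anywhere in the loading points."""
    findings = []
    for key, values in sections.items():
        for name, data in values:
            if name in WEAK_SETTINGS and data.startswith("0"):
                findings.append(f"{WEAK_SETTINGS[name]} in {key}")
    return findings


def build_cfscript_registry_block(temp_apps: List[str]) -> str:
    """Emit the CFScript 'Registry::' block that deletes the flagged values."""
    if not temp_apps:
        return ""
    lines = ["Registry::", AUTHORIZED_APPS_KEY] + [f'"{name}"=-' for name in temp_apps]
    return "\n".join(lines) + "\n"


def triage(log_text: str) -> Dict[str, object]:
    """Run all three checks over one log and return the findings together."""
    sections = parse_reg_sections(log_text)
    temp_apps = find_temp_authorized_apps(sections)
    return {
        "temp_apps": temp_apps,
        "weak_settings": find_weak_settings(sections),
        "cfscript": build_cfscript_registry_block(temp_apps),
    }


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for finding in result["weak_settings"]:
        print("WARNING:", finding)
    print(result["cfscript"])
```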

  • Veljko
  • Joined: 29 Jul 2008
  • Posts: 615
  • Location: Zemun

And is this the Sality virus too?

ComboFix 09-03-25.04 - veljko 2009-03-26 20:41:06.8 - NTFSx86

Microsoft® Windows Vista™ Ultimate 6.0.6000.0.1252.1.1033.18.3070.2306 [GMT 1:00]
Running from: c:\users\veljko\Downloads\ComboFix.exe
Command switches used :: c:\users\veljko\Desktop\CFScript.txt

FILE ::
c:\windows\System32\wr70631.dll
c:\windows\System32\xwr70631.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_NPF
-------\Service_NPF


((((((((((((((((((((((((( Files Created from 2009-02-26 to 2009-03-26 )))))))))))))))))))))))))))))))
.

2009-03-26 18:35 . 2009-03-26 18:35 <DIR> d-------- c:\program files\WinPcap
2009-03-26 18:35 . 2009-03-26 19:57 <DIR> d-------- c:\program files\WC3Banlist
2009-03-26 18:35 . 2005-01-22 20:12 679,936 --a------ c:\windows\System32\D3DX81ab.dll
2009-03-26 18:27 . 2009-03-26 20:43 655,360 --a------ c:\windows\SPInstall.etl
2009-03-26 17:32 . 2009-03-26 17:32 <DIR> d-------- C:\USBNoRisk
2009-03-26 17:17 . 2009-03-26 18:17 <DIR> d-a------ c:\users\All Users\TEMP
2009-03-26 17:17 . 2009-03-26 18:17 <DIR> d-a------ c:\programdata\TEMP
2009-03-26 17:17 . 2009-03-26 17:17 <DIR> d-------- c:\program files\GetData
2009-03-26 17:16 . 2009-03-26 17:16 <DIR> d-------- c:\program files\Active Data Recovery Software
2009-03-26 17:14 . 2009-03-26 17:14 <DIR> d-------- c:\program files\PC Inspector File Recovery
2009-03-26 17:14 . 2002-02-18 18:40 6,200 --a------ c:\windows\System32\INT13EXT.VXD
2009-03-26 17:07 . 2009-03-26 17:07 <DIR> d-------- c:\program files\Runtime Software
2009-03-26 16:43 . 2009-03-26 16:43 <DIR> d-------- c:\users\veljko\AppData\Roaming\Windows Live Writer
2009-03-26 16:39 . 2009-03-26 16:39 <DIR> d-------- c:\users\veljko\Tracing
2009-03-26 16:36 . 2009-03-26 16:36 <DIR> d-------- c:\program files\Microsoft SQL Server Compact Edition
2009-03-26 16:36 . 2006-11-29 13:06 3,426,072 --a------ c:\windows\System32\d3dx9_32.dll
2009-03-26 16:35 . 2009-03-26 16:35 <DIR> d-------- c:\program files\Microsoft
2009-03-26 16:24 . 2009-03-26 16:35 <DIR> d-------- c:\users\All Users\Spybot - Search & Destroy
2009-03-26 16:24 . 2009-03-26 16:35 <DIR> d-------- c:\programdata\Spybot - Search & Destroy
2009-03-26 16:24 . 2009-03-26 16:24 <DIR> d-------- c:\program files\Spybot - Search & Destroy
2009-03-26 14:49 . 2009-03-26 14:49 <DIR> d-------- c:\program files\Windows Live SkyDrive
2009-03-26 14:48 . 2009-03-26 14:48 <DIR> d-------- c:\windows\PCHEALTH
2009-03-26 14:48 . 2009-03-26 16:38 <DIR> d-------- c:\program files\Windows Live
2009-03-26 14:45 . 2009-03-26 14:45 <DIR> d-------- c:\program files\Common Files\Windows Live
2009-03-26 14:22 . 2009-03-26 14:22 <DIR> d-------- c:\program files\Picasa2
2009-03-26 14:22 . 2009-03-26 14:27 <DIR> d-------- c:\program files\PhotoFiltre
2009-03-26 14:22 . 2006-10-05 03:42 2,560 --------- c:\windows\System32\drivers\cdralw2k.sys
2009-03-26 14:22 . 2006-10-05 03:42 2,432 --------- c:\windows\System32\drivers\cdr4_xp.sys
2009-03-26 14:21 . 2009-03-26 14:21 <DIR> d-------- c:\users\veljko\AppData\Roaming\Winamp
2009-03-26 14:21 . 2009-03-26 14:21 <DIR> d-------- c:\program files\Yahoo!
2009-03-26 14:21 . 2009-03-26 14:21 <DIR> d-------- c:\program files\Winamp
2009-03-26 14:21 . 2009-03-26 14:21 <DIR> d-------- c:\program files\foobar2000
2009-03-26 14:21 . 2009-03-26 14:21 <DIR> d-------- c:\program files\CCleaner
2009-03-26 14:21 . 2007-03-08 00:51 129,784 --------- c:\windows\System32\pxafs.dll
2009-03-25 23:07 . 2009-03-26 14:46 <DIR> d-------- c:\users\All Users\Google
2009-03-25 23:06 . 2009-03-25 23:06 <DIR> d-------- c:\program files\Nero 9
2009-03-25 23:06 . 2009-03-25 23:06 <DIR> d-------- c:\program files\Common Files\Nero
2009-03-25 23:06 . 2009-03-25 23:06 <DIR> d-------- c:\program files\Audacity 1.3 Beta (Unicode)
2009-03-25 23:06 . 2008-07-04 10:23 1,757,184 --a------ c:\windows\System32\imagX7.dll
2009-03-25 23:06 . 2008-07-04 10:23 802,816 --a------ c:\windows\System32\imagXRA7.dll
2009-03-25 23:06 . 2008-07-04 10:23 497,296 --a------ c:\windows\System32\imagXpr7.dll
2009-03-25 23:06 . 2006-03-17 15:49 368,640 --a------ c:\windows\System32\twnlib4.dll
2009-03-25 23:06 . 2008-07-04 10:23 258,048 --a------ c:\windows\System32\imagXR7.dll
2009-03-25 22:59 . 2009-03-25 23:02 <DIR> d-------- c:\program files\Garena
2009-03-25 22:57 . 2009-03-25 22:57 <DIR> d-------- c:\users\veljko\AppData\Roaming\OpenOffice.org
2009-03-25 22:53 . 2009-03-25 22:53 <DIR> d-------- c:\users\veljko\AppData\Roaming\Corel
2009-03-25 22:53 . 2009-03-25 22:53 <DIR> d-------- c:\program files\OpenOffice.org 3
2009-03-25 22:53 . 2009-03-25 22:53 <DIR> d-------- c:\program files\JRE
2009-03-25 22:53 . 2009-03-25 22:56 2,828 --ahs---- c:\users\All Users\KGyGaAvL.sys
2009-03-25 22:53 . 2009-03-25 22:56 2,828 --ahs---- c:\programdata\KGyGaAvL.sys
2009-03-25 22:53 . 2009-03-25 22:53 8 -r-hs---- c:\users\All Users\77083ACD65.sys
2009-03-25 22:53 . 2009-03-25 22:53 8 -r-hs---- c:\programdata\77083ACD65.sys
2009-03-25 22:52 . 2009-03-25 22:52 <DIR> d-------- c:\users\All Users\Corel
2009-03-25 22:52 . 2009-03-25 22:52 <DIR> d-------- c:\programdata\Corel
2009-03-25 22:52 . 2009-03-25 22:52 <DIR> d-------- c:\program files\Common Files\Protexis
2009-03-25 22:49 . 2009-03-25 23:07 <DIR> d-------- c:\program files\Google
2009-03-25 22:46 . 2009-03-25 22:46 <DIR> d-------- c:\program files\Common Files\Corel
2009-03-25 22:45 . 2009-03-25 22:45 <DIR> d-------- c:\program files\Corel
2009-03-25 22:44 . 2009-03-25 22:44 <DIR> d-------- c:\users\veljko\AppData\Roaming\InstallShield
2009-03-25 22:42 . 2009-03-25 22:42 <DIR> d-------- c:\program files\AnswerWorks 4.0
2009-03-25 22:41 . 2009-03-25 22:41 <DIR> d-------- c:\users\veljko\AppData\Roaming\Autodesk
2009-03-25 22:41 . 2009-03-25 22:41 <DIR> d-------- c:\users\All Users\Autodesk
2009-03-25 22:41 . 2009-03-25 22:41 <DIR> d-------- c:\programdata\Autodesk
2009-03-25 22:41 . 2009-03-25 22:43 <DIR> d-------- c:\program files\AutoCAD 2007
2009-03-25 22:40 . 2009-03-25 22:42 <DIR> d-------- c:\program files\Common Files\Autodesk Shared
2009-03-25 22:40 . 2009-03-25 22:40 <DIR> d-------- c:\program files\Autodesk
2009-03-25 22:38 . 2009-03-25 22:38 <DIR> d-------- C:\install
2009-03-25 22:19 . 2009-03-25 22:19 <DIR> d-------- c:\program files\Common Files\Adobe AIR
2009-03-25 22:18 . 2009-03-26 14:21 <DIR> d-------- c:\users\All Users\Adobe
2009-03-25 22:16 . 2009-03-25 22:16 <DIR> d-------- c:\program files\Common Files\Macrovision Shared
2009-03-25 22:15 . 2009-03-26 14:21 <DIR> d-------- c:\program files\Common Files\Adobe
2009-03-25 22:05 . 2009-03-25 22:05 <DIR> d-------- c:\program files\Print3D Corporation
2009-03-25 22:04 . 2009-03-25 22:04 <DIR> d-------- c:\program files\progeSOFT
2009-03-25 22:04 . 2009-01-10 18:54 1,645,320 --a------ c:\windows\System32\gdiplus.dll
2009-03-25 22:03 . 2009-03-25 22:03 155,655,543 --a------ c:\windows\System32\xa17798622.exe
2009-03-25 22:03 . 2009-03-25 22:03 155,655,543 --a------ c:\windows\System32\xa17772616.exe
2009-03-25 20:56 . 2009-03-25 20:56 <DIR> d-------- c:\users\veljko\AppData\Roaming\GRETECH
2009-03-25 20:55 . 2009-03-25 20:55 <DIR> d-------- c:\program files\GRETECH
2009-03-25 17:23 . 2009-03-25 17:23 <DIR> d-------- C:\lupo
2009-03-25 02:07 . 2009-03-26 14:48 <DIR> d-------- c:\windows\Debug
2009-03-25 02:05 . 2009-03-25 02:09 <DIR> d-------- c:\windows\Panther
2009-03-25 02:05 . 2009-03-26 20:42 <DIR> d--hs---- C:\Boot
2009-03-25 02:05 . 2006-11-02 10:53 438,840 -rahs---- C:\bootmgr
2009-03-25 02:05 . 2009-03-25 02:05 8,192 -ra-s---- C:\BOOTSECT.BAK
2009-03-24 20:02 . 2009-03-24 20:02 <DIR> d-------- c:\users\veljko\.gimp-2.6
2009-03-24 20:02 . 2009-03-24 20:02 <DIR> d-------- c:\users\veljko\.gegl-0.0
2009-03-24 20:01 . 2009-03-24 20:01 <DIR> d-------- c:\program files\Gimp-2.0
2009-03-24 19:59 . 2009-03-24 19:59 <DIR> d-------- c:\users\All Users\ACD Systems
2009-03-24 19:59 . 2009-03-24 19:59 <DIR> d-------- c:\programdata\ACD Systems
2009-03-24 19:59 . 2009-03-24 19:59 <DIR> d-------- c:\program files\Common Files\ACD Systems
2009-03-24 19:59 . 2009-03-24 19:59 <DIR> d-------- c:\program files\ACD Systems
2009-03-24 19:51 . 2009-03-26 16:38 <DIR> d--hs---- c:\windows\Installer
2009-03-24 19:05 . 2009-03-24 19:05 <DIR> d-------- c:\program files\Trend Micro
2009-03-24 19:01 . 2009-03-24 19:02 <DIR> d-------- c:\program files\Counter-Strike 1.6
2009-03-24 18:57 . 2009-03-24 18:57 <DIR> d-------- c:\windows\System32\Macromed
2009-03-24 18:56 . 2009-03-24 18:56 0 --a------ c:\windows\nsreg.dat
2009-03-24 18:47 . 2008-01-03 22:26 1,079,840 --a------ c:\windows\System32\nvcpluir.dll
2009-03-24 18:47 . 2008-01-03 22:26 764,448 --a------ c:\windows\System32\nvcplui.exe
2009-03-24 18:47 . 2008-01-03 22:26 420,384 --a------ c:\windows\System32\nvcpl.cpl
2009-03-24 18:47 . 2008-01-03 22:26 360,448 --a------ c:\windows\System32\nvuninst.exe
2009-03-24 18:47 . 2008-01-03 22:26 313,888 --a------ c:\windows\System32\nvexpbar.dll
2009-03-24 18:46 . 2009-03-26 17:14 <DIR> d--h----- c:\program files\InstallShield Installation Information
2009-03-24 18:45 . 2009-03-24 18:45 <DIR> d-------- c:\program files\Common Files\InstallShield
2009-03-24 18:36 . 2009-03-24 18:49 <DIR> d-------- c:\users\veljko\AppData\Roaming\DNA
2009-03-24 18:36 . 2009-03-26 17:16 <DIR> d-------- c:\users\veljko\AppData\Roaming\BitTorrent
2009-03-24 18:36 . 2009-03-24 18:42 <DIR> d-------- c:\program files\DNA
2009-03-24 18:36 . 2009-03-24 18:36 <DIR> d-------- c:\program files\BitTorrent
2009-03-24 18:31 . 2009-03-24 18:31 <DIR> d-------- c:\users\veljko\DoctorWeb
2009-03-24 18:25 . 2009-03-24 18:25 <DIR> d-------- c:\users\veljko\AppData\Roaming\GHISLER
2009-03-24 18:25 . 2009-03-24 18:25 <DIR> d-------- C:\totalcmd
2009-03-24 18:25 . 2008-08-08 07:04 545 --a------ c:\windows\UC.PIF
2009-03-24 18:25 . 2008-08-08 07:04 545 --a------ c:\windows\RAR.PIF
2009-03-24 18:25 . 2008-08-08 07:04 545 --a------ c:\windows\PKZIP.PIF
2009-03-24 18:25 . 2008-08-08 07:04 545 --a------ c:\windows\PKUNZIP.PIF
2009-03-24 18:25 . 2008-08-08 07:04 545 --a------ c:\windows\NOCLOSE.PIF
2009-03-24 18:25 . 2008-08-08 07:04 545 --a------ c:\windows\LHA.PIF
2009-03-24 18:25 . 2008-08-08 07:04 545 --a------ c:\windows\ARJ.PIF
2009-03-24 18:21 . 2003-04-03 00:54 20,648 --a------ c:\windows\System32\drivers\netrcacm.sys
2009-03-24 18:13 . 2009-03-24 18:13 <DIR> dr------- c:\users\veljko\Videos
2009-03-24 18:13 . 2009-03-24 18:13 <DIR> dr------- c:\users\veljko\Searches
2009-03-24 18:13 . 2009-03-24 18:13 <DIR> dr------- c:\users\veljko\Saved Games
2009-03-24 18:13 . 2009-03-24 19:16 <DIR> dr------- c:\users\veljko\Pictures
2009-03-24 18:13 . 2009-03-24 18:13 <DIR> dr------- c:\users\veljko\Music
2009-03-24 18:13 . 2009-03-24 18:13 <DIR> dr------- c:\users\veljko\Links
2009-03-24 18:13 . 2009-03-26 18:42 <DIR> dr------- c:\users\veljko\Downloads

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-02-06 18:03 307,576 ----a-w c:\windows\WLXPGSS.SCR
2006-11-02 12:49 174 --sha-w c:\program files\desktop.ini
.

((((((((((((((((((((((((((((( SnapShot_2009-03-26_16.49.25.22 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-03-26 16:39:59 163,840 ----a-w c:\windows\assembly\NativeImages_v2.0.50727_32\WindowsLive.Client\c1622e34099e6578e046a537c89c65a3\WindowsLive.Client.ni.dll
+ 2009-03-26 16:40:01 163,840 ----a-w c:\windows\assembly\NativeImages_v2.0.50727_32\WindowsLive.Writer.#\04e5b6a3d303fc2c909aefad2eadb2a2\WindowsLive.Writer.Instrumentation.ni.dll
+ 2009-03-26 16:39:54 204,800 ----a-w c:\windows\assembly\NativeImages_v2.0.50727_32\WindowsLive.Writer.#\082bca43f887a56a1785ab6cda4c308a\WindowsLive.Writer.BrowserControl.ni.dll
+ 2009-03-26 16:39:55 176,128 ----a-w c:\windows\assembly\NativeImages_v2.0.50727_32\WindowsLive.Writer.#\1988bb4f8f0ea75ad34b810b33da9643\WindowsLive.Writer.HtmlParser.ni.dll
+ 2009-03-26 16:39:56 475,136 ----a-w c:\windows\assembly\NativeImages_v2.0.50727_32\WindowsLive.Writer.#\1a356b9d6d41a1c1670e92ecd640e42e\WindowsLive.Writer.Localization.ni.dll
+ 2009-03-26 16:39:56 131,072 ----a-w c:\windows\assembly\NativeImages_v2.0.50727_32\WindowsLive.Writer.#\238b856fd72e024db7300206a62a3caf\WindowsLive.Writer.Passport.ni.dll
+ 2009-03-26 16:39:54 335,872 ----a-w c:\windows\assembly\NativeImages_v2.0.50727_32\WindowsLive.Writer.#\25bff80337f1407fd29299ad1124fada\WindowsLive.Writer.Interop.ni.dll
+ 2009-03-26 16:40:00 643,072 ----a-w c:\windows\assembly\NativeImages_v2.0.50727_32\WindowsLive.Writer.#\45b42b7d438be1cf25cbd461727c89b5\WindowsLive.Writer.HtmlEditor.ni.dll
+ 2009-03-26 16:39:58 114,688 ----a-w c:\windows\assembly\NativeImages_v2.0.50727_32\WindowsLive.Writer.#\48c6509291819db34750c429adcafa46\WindowsLive.Writer.Api.ni.dll
+ 2009-03-26 16:39:59 925,696 ----a-w c:\windows\assembly\NativeImages_v2.0.50727_32\WindowsLive.Writer.#\4df2d254e5b163ac6fddcc9119dcb4ad\WindowsLive.Writer.BlogClient.ni.dll
+ 2009-03-26 16:39:54 2,088,960 ----a-w c:\windows\assembly\NativeImages_v2.0.50727_32\WindowsLive.Writer.#\51a0da3727c0527eb6605f1a1b2d2624\WindowsLive.Writer.CoreServices.ni.dll
+ 2009-03-26 16:40:01 139,264 ----a-w c:\windows\assembly\NativeImages_v2.0.50727_32\WindowsLive.Writer.#\608edb9eda526ed0d6592193eb32c44c\WindowsLive.Writer.FileDestinations.ni.dll
+ 2009-03-26 16:39:52 872,448 ----a-w c:\windows\assembly\NativeImages_v2.0.50727_32\WindowsLive.Writer.#\813d503049cdaf5cea1209f212e68677\WindowsLive.Writer.Controls.ni.dll
+ 2009-03-26 16:39:55 331,776 ----a-w c:\windows\assembly\NativeImages_v2.0.50727_32\WindowsLive.Writer.#\902afd35271a72ead0ff0b4bdfc0f2e1\WindowsLive.Writer.Interop.Mshtml.ni.dll
+ 2009-03-26 16:39:55 348,160 ----a-w c:\windows\assembly\NativeImages_v2.0.50727_32\WindowsLive.Writer.#\95fb61726bed07bcd2e31f8ef7ec2517\WindowsLive.Writer.Interop.SHDocVw.ni.dll
+ 2009-03-26 16:40:01 344,064 ----a-w c:\windows\assembly\NativeImages_v2.0.50727_32\WindowsLive.Writer.#\a77f7fd9ccd45bff4b08383ac71de475\WindowsLive.Writer.SpellChecker.ni.dll
+ 2009-03-26 16:39:56 286,720 ----a-w c:\windows\assembly\NativeImages_v2.0.50727_32\WindowsLive.Writer.#\b21199f41faf2d2cb355fc4ed60925c9\WindowsLive.Writer.Mshtml.ni.dll
+ 2009-03-26 16:39:58 143,360 ----a-w c:\windows\assembly\NativeImages_v2.0.50727_32\WindowsLive.Writer.#\b60c84f042bcbc64f3ffb0e5d5fd80d3\WindowsLive.Writer.Extensibility.ni.dll
+ 2009-03-26 16:39:51 6,500,352 ----a-w c:\windows\assembly\NativeImages_v2.0.50727_32\WindowsLive.Writer.#\cdad7ad92a90e39cb9e3a15f5c71ae1e\WindowsLive.Writer.PostEditor.ni.dll
+ 2009-03-26 16:39:57 1,159,168 ----a-w c:\windows\assembly\NativeImages_v2.0.50727_32\WindowsLive.Writer.#\d781fdf0fcb2bd465af005273e6c9ff3\WindowsLive.Writer.ApplicationFramework.ni.dll
+ 2009-03-26 16:40:02 634,880 ----a-w c:\windows\assembly\NativeImages_v2.0.50727_32\WindowsLiveLocal.Wr#\075751cf70509fc53bc123cf312fd80b\WindowsLiveLocal.WriterPlugin.ni.dll
+ 2009-03-26 16:39:45 49,152 ----a-w c:\windows\assembly\NativeImages_v2.0.50727_32\WindowsLiveWriter\a4c5d7eadd5821e93cc57b971fbf8fa5\WindowsLiveWriter.ni.exe
+ 2005-10-20 19:02:28 163,328 ----a-w c:\windows\ERDNT\subs\ERDNT.EXE
- 2009-03-26 14:25:39 2,048 --sha-w c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2009-03-26 19:44:55 2,048 --sha-w c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
- 2009-03-26 14:25:39 2,048 --sha-w c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
+ 2009-03-26 19:44:55 2,048 --sha-w c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
- 2009-03-26 14:28:48 262,144 --sha-w c:\windows\ServiceProfiles\LocalService\NTUSER.DAT
+ 2009-03-26 19:46:10 262,144 --sha-w c:\windows\ServiceProfiles\LocalService\NTUSER.DAT
- 2009-03-26 14:28:53 262,144 --sha-w c:\windows\ServiceProfiles\NetworkService\NTUSER.DAT
+ 2009-03-26 19:46:09 262,144 --sha-w c:\windows\ServiceProfiles\NetworkService\NTUSER.DAT
- 2009-03-26 13:33:05 16,384 --sha-w c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2009-03-26 17:35:19 16,384 --sha-w c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2009-03-26 13:33:05 32,768 --sha-w c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2009-03-26 17:35:19 32,768 --sha-w c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2009-03-26 13:33:05 16,384 --sha-w c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2009-03-26 17:35:19 16,384 --sha-w c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2005-08-02 21:10:13 32,512 ----a-w c:\windows\System32\drivers\npf.sys
+ 2005-08-02 21:08:19 69,632 ----a-w c:\windows\System32\Packet.dll
- 2009-03-26 14:30:06 103,818 ----a-w c:\windows\System32\perfc009.dat
+ 2009-03-26 17:49:25 103,818 ----a-w c:\windows\System32\perfc009.dat
- 2009-03-26 14:30:06 618,410 ----a-w c:\windows\System32\perfh009.dat
+ 2009-03-26 17:49:25 618,410 ----a-w c:\windows\System32\perfh009.dat
+ 2005-08-02 21:24:01 53,299 ----a-w c:\windows\System32\pthreadVC.dll
- 2009-03-26 15:36:28 5,767,168 ----a-w c:\windows\System32\SMI\Store\Machine\SCHEMA.DAT
+ 2009-03-26 15:51:31 5,767,168 ----a-w c:\windows\System32\SMI\Store\Machine\SCHEMA.DAT
- 2009-03-26 13:39:01 3,572 ----a-w c:\windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-207583750-273483801-176882428-1000_UserData.bin
+ 2009-03-26 17:46:35 3,692 ----a-w c:\windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-207583750-273483801-176882428-1000_UserData.bin
- 2009-03-26 13:39:01 42,484 ----a-w c:\windows\System32\WDI\BootPerformanceDiagnostics_SystemData.bin
+ 2009-03-26 17:46:35 43,128 ----a-w c:\windows\System32\WDI\BootPerformanceDiagnostics_SystemData.bin
- 2009-03-26 15:23:48 16,052 ----a-w c:\windows\System32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin
+ 2009-03-26 17:46:33 17,932 ----a-w c:\windows\System32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin
+ 2005-08-02 21:18:45 233,472 ----a-w c:\windows\System32\wpcap.dll
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SystemExplorer"="c:\users\veljko\Desktop\Lupo PenSuite v6.70 Full\Apps\System Explorer\System Explorer.exe" [2008-08-25 569344]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-02-06 3955040]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ASuite"="c:\users\veljko\Desktop\Lupo PenSuite v6.70 Full\Launcher\ASuite.exe" [2008-05-24 457728]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.ACDV"= ACDV.dll
"msacm.divxa32"= msaud32_divx.acm

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^AutoCAD Startup Accelerator.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\AutoCAD Startup Accelerator.lnk
backup=c:\windows\pss\AutoCAD Startup Accelerator.lnk.CommonStartup
backupExtension=.CommonStartup

[HKLM\~\startupfolder\C:^Users^veljko^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^OpenOffice.org 3.0.lnk]
path=c:\users\veljko\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OpenOffice.org 3.0.lnk
backup=c:\windows\pss\OpenOffice.org 3.0.lnk.Startup
backupExtension=.Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2008-06-12 02:38 116592 c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdobeCS4ServiceManager]
--a------ 2008-08-14 07:58 611712 c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ASuite]
--a------ 2008-05-24 21:26 457728 d:\lupo pensuite v6.70 full\Launcher\ASuite.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BitTorrent DNA]
--a------ 2009-03-24 18:36 342848 c:\program files\DNA\btdna.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
--a------ 2008-01-03 22:26 13515296 c:\windows\System32\nvcpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
--a------ 2008-01-03 22:26 86016 c:\windows\System32\nvmctray.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvSvc]
--a------ 2008-01-03 22:26 90112 c:\windows\System32\nvsvc.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Sidebar]
--a------ 2006-11-02 13:33 1196032 c:\program files\Windows Sidebar\sidebar.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender]
--a------ 2006-11-02 13:32 1004136 c:\program files\Windows Defender\MSASCui.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WindowsWelcomeCenter]
--a------ 2006-11-02 13:32 2159104 c:\windows\System32\oobefldr.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-207583750-273483801-176882428-1000]
"EnableNotificationsRef"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{4FBA1554-4C0B-4F97-B742-834EC9EF4D89}"= UDP:c:\program files\DNA\btdna.exe:DNA (TCP-In)
"{C2AC0505-42EC-4C28-AAF5-E4F8416FADF6}"= TCP:c:\program files\DNA\btdna.exe:DNA (UDP-In)
"{837A3202-8FA0-4C46-822E-BF2EB543A431}"= UDP:c:\program files\BitTorrent\bittorrent.exe:BitTorrent (TCP-In)
"{27F9BCA3-7ABB-44D4-9B68-D3AE6D033D8B}"= TCP:c:\program files\BitTorrent\bittorrent.exe:BitTorrent (UDP-In)
"{126C18EE-9920-40A5-8A96-5BCA753BC3C9}"= UDP:5353:Adobe CSI CS4
"{A39A8FA3-35D2-4A0C-B3F0-28B77CA81780}"= UDP:c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe:Adobe CSI CS4
"{BC7FCD52-15C1-497D-86A9-1FDC0F3ABA35}"= TCP:c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe:Adobe CSI CS4

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\PublicProfile]
"EnableFirewall"= 0 (0x0)
"DisabledInterfaces"= {CD5C267B-C272-4234-9173-4D5552C39DCE}
"DoNotAllowExceptions"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\RestrictedServices\Static\System]
"DFSR-1"= RPort=5722|UDP:%SystemRoot%\system32\svchost.exe|Svc=DFSR:Allow inbound TCP traffic|

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile\AuthorizedApplications\List]
"c:\\Program Files\\BitTorrent\\bittorrent.exe"= c:\program files\BitTorrent\bittorrent.exe:*:Enabled:BitTorrent
"d:\\Igre\\Warcraft III\\Frozen Throne.exe"= d:\igre\Warcraft III\Frozen Throne.exe:*:Enabled:ipsec
"c:\\Windows\\system32\\Dwm.exe"= c:\windows\system32\Dwm.exe:*:Enabled:ipsec
"d:\\Instalacije\\ACDSee Photo Manager 2009 v11.0.85\\ACDSee Photo Manager 2009 v11.0.85\\setup.exe"= d:\instalacije\ACDSee Photo Manager 2009 v11.0.85\ACDSee Photo Manager 2009 v11.0.85\setup.exe:*:Enabled:ipsec
"c:\\Windows\\system32\\MsiExec.exe"= c:\windows\system32\MsiExec.exe:*:Enabled:ipsec
"c:\\Users\\veljko\\Desktop\\Warcraft III\\Frozen Throne.exe"= c:\users\veljko\Desktop\Warcraft III\Frozen Throne.exe:*:Enabled:ipsec
"c:\\Program Files\\Runtime Software\\GetDataBack for NTFS\\gdbnt.exe"= c:\program files\Runtime Software\GetDataBack for NTFS\gdbnt.exe:*:Enabled:ipsec
"c:\\Windows\\system32\\CF16409.exe"= c:\windows\system32\CF16409.exe:*:Enabled:ipsec
"d:\\Instalacije\\ostali programi vazni\\Avast 4.8 srb home.exe"= d:\instalacije\ostali programi vazni\Avast 4.8 srb home.exe:*:Enabled:ipsec
"d:\\Instalacije\\ostali programi vazni\\blender-2.45-windows.exe"= d:\instalacije\ostali programi vazni\blender-2.45-windows.exe:*:Enabled:ipsec
"d:\\Instalacije\\ostali programi vazni\\AdbeRdr90_en_US.exe"= d:\instalacije\ostali programi vazni\AdbeRdr90_en_US.exe:*:Enabled:ipsec
"d:\\Instalacije\\ostali programi vazni\\CCleaner 2.10.618.exe"= d:\instalacije\ostali programi vazni\CCleaner 2.10.618.exe:*:Enabled:ipsec
"c:\\Users\\veljko\\AppData\\Local\\Temp\\winyhjq.exe"= c:\users\veljko\AppData\Local\Temp\winyhjq.exe:*:Enabled:ipsec
"c:\\Users\\veljko\\AppData\\Local\\Temp\\winsryk.exe"= c:\users\veljko\AppData\Local\Temp\winsryk.exe:*:Enabled:ipsec
"c:\\Users\\veljko\\AppData\\Local\\Temp\\kugm.exe"= c:\users\veljko\AppData\Local\Temp\kugm.exe:*:Enabled:ipsec
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"= c:\program files\Mozilla Firefox\firefox.exe:*:Enabled:ipsec
"c:\\Users\\veljko\\AppData\\Local\\Temp\\winworc.exe"= c:\users\veljko\AppData\Local\Temp\winworc.exe:*:Enabled:ipsec
"c:\\Users\\veljko\\AppData\\Local\\Temp\\psdk.exe"= c:\users\veljko\AppData\Local\Temp\psdk.exe:*:Enabled:ipsec
"c:\\Users\\veljko\\AppData\\Local\\Temp\\winbfjpx.exe"= c:\users\veljko\AppData\Local\Temp\winbfjpx.exe:*:Enabled:ipsec
"c:\\Users\\veljko\\AppData\\Local\\Temp\\joevj.exe"= c:\users\veljko\AppData\Local\Temp\joevj.exe:*:Enabled:ipsec
"c:\\Users\\veljko\\AppData\\Local\\Temp\\winkveks.exe"= c:\users\veljko\AppData\Local\Temp\winkveks.exe:*:Enabled:ipsec
"c:\\Users\\veljko\\AppData\\Local\\Temp\\winwsxc.exe"= c:\users\veljko\AppData\Local\Temp\winwsxc.exe:*:Enabled:ipsec
"c:\\Users\\veljko\\AppData\\Local\\Temp\\winbbtbsc.exe"= c:\users\veljko\AppData\Local\Temp\winbbtbsc.exe:*:Enabled:ipsec
"c:\\Users\\veljko\\AppData\\Local\\Temp\\winpdmeq.exe"= c:\users\veljko\AppData\Local\Temp\winpdmeq.exe:*:Enabled:ipsec
"c:\\Users\\veljko\\AppData\\Local\\Temp\\yyurfh.exe"= c:\users\veljko\AppData\Local\Temp\yyurfh.exe:*:Enabled:ipsec
"c:\\Users\\veljko\\AppData\\Local\\Temp\\foyj.exe"= c:\users\veljko\AppData\Local\Temp\foyj.exe:*:Enabled:ipsec
"c:\\Users\\veljko\\AppData\\Local\\Temp\\wingcgi.exe"= c:\users\veljko\AppData\Local\Temp\wingcgi.exe:*:Enabled:ipsec
"c:\\Users\\veljko\\AppData\\Local\\Temp\\winsafmm.exe"= c:\users\veljko\AppData\Local\Temp\winsafmm.exe:*:Enabled:ipsec
"c:\\Windows\\VFIND.exe"= c:\windows\VFIND.exe:*:Enabled:ipsec
"c:\\Users\\veljko\\Desktop\\Lupo PenSuite v6.70 Full\\Apps\\System Explorer\\System Explorer.exe"= c:\users\veljko\Desktop\Lupo PenSuite v6.70 Full\Apps\System Explorer\System Explorer.exe:*:Enabled:ipsec
"c:\\Windows\\system32\\taskeng.exe"= c:\windows\system32\taskeng.exe:*:Enabled:ipsec
"c:\\Users\\veljko\\AppData\\Local\\Temp\\winjcoj.exe"= c:\users\veljko\AppData\Local\Temp\winjcoj.exe:*:Enabled:ipsec
"c:\\Users\\veljko\\AppData\\Local\\Temp\\yycvjq.exe"= c:\users\veljko\AppData\Local\Temp\yycvjq.exe:*:Enabled:ipsec
"c:\\Users\\veljko\\AppData\\Local\\Temp\\huuy.exe"= c:\users\veljko\AppData\Local\Temp\huuy.exe:*:Enabled:ipsec
"c:\\Users\\veljko\\AppData\\Local\\Temp\\isiqr.exe"= c:\users\veljko\AppData\Local\Temp\isiqr.exe:*:Enabled:ipsec
"c:\\Users\\veljko\\AppData\\Local\\Temp\\winqqcl.exe"= c:\users\veljko\AppData\Local\Temp\winqqcl.exe:*:Enabled:ipsec
"c:\\Users\\veljko\\AppData\\Local\\Temp\\tyktyr.exe"= c:\users\veljko\AppData\Local\Temp\tyktyr.exe:*:Enabled:ipsec
"c:\\Users\\veljko\\AppData\\Local\\Temp\\rdidi.exe"= c:\users\veljko\AppData\Local\Temp\rdidi.exe:*:Enabled:ipsec
"c:\\Users\\veljko\\AppData\\Local\\Temp\\ymiece.exe"= c:\users\veljko\AppData\Local\Temp\ymiece.exe:*:Enabled:ipsec

.
.
------- Supplementary Scan -------
.
FF - ProfilePath - c:\users\veljko\AppData\Roaming\Mozilla\Firefox\Profiles\umn96b4m.default\
FF - plugin: c:\program files\Windows Live\Photo Gallery\NPWLPG.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-03-26 20:46:56
Windows 6.0.6000 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
c:\windows\System32\audiodg.exe
c:\windows\servicing\TrustedInstaller.exe
c:\program files\OpenOffice.org 3\program\soffice.exe
c:\program files\OpenOffice.org 3\program\soffice.bin
c:\windows\System32\dllhost.exe
.
**************************************************************************
.
Completion time: 2009-03-26 20:48:44 - machine was rebooted [veljko]
ComboFix-quarantined-files.txt 2009-03-26 19:48:42
ComboFix2.txt 2009-03-26 15:50:32
ComboFix3.txt 2009-03-26 13:51:48
ComboFix4.txt 2009-03-25 20:54:50

Pre-Run: 6,175,375,360 bytes free
Post-Run: 6,054,080,512 bytes free


  • dr_Bora
  • Anti Malware Fighter
    Rank 2
  • Joined: 24 Jul 2007
  • Posts: 12280
  • Location: Höganäs, SE

It doesn't look like Sality...

Restart the PC and post a new ComboFix log.

  • Veljko
  • Joined: 29 Jul 2008
  • Posts: 615
  • Location: Zemun

ComboFix 09-03-25.04 - veljko 2009-03-26 21:41:43.9 - NTFSx86
Microsoft® Windows Vista™ Ultimate 6.0.6000.0.1252.1.1033.18.3070.2488 [GMT 1:00]
Running from: c:\users\veljko\Downloads\ComboFix.exe
.

((((((((((((((((((((((((( Files Created from 2009-02-26 to 2009-03-26 )))))))))))))))))))))))))))))))
.

2009-03-26 21:41 . 2009-03-26 21:41 <DIR> d-------- c:\users\All Users\Yahoo! Companion
2009-03-26 21:41 . 2009-03-26 21:41 <DIR> d-------- c:\programdata\Yahoo! Companion
2009-03-26 21:38 . 2009-03-26 21:38 <DIR> d-------- C:\WFDB
2009-03-26 21:38 . 2009-03-26 21:38 <DIR> d-------- c:\program files\WinFast
2009-03-26 21:38 . 2009-03-26 21:38 <DIR> d-------- c:\program files\Common Files\Ulead Systems
2009-03-26 21:38 . 2009-03-26 21:38 <DIR> d-------- c:\program files\Common Files\ArcSoft
2009-03-26 21:31 . 2007-07-25 12:43 405,632 --a------ c:\windows\System32\drivers\wfeaglxt.sys
2009-03-26 21:27 . 2009-03-26 21:27 <DIR> d-------- c:\windows\Album
2009-03-26 21:27 . 2009-03-26 21:27 <DIR> d-------- c:\program files\KYE
2009-03-26 21:27 . 2005-01-28 14:15 7,064 --a------ c:\windows\System32\WMVCORE.lib
2009-03-26 21:26 . 2009-03-26 21:26 <DIR> d-------- c:\windows\PixArt
2009-03-26 21:26 . 2009-03-26 21:26 <DIR> d-------- c:\program files\Common Files\i-Look 110
2009-03-26 21:26 . 2008-04-23 14:05 47,616 --a------ c:\windows\System32\Remove.exe
2009-03-26 21:26 . 2007-06-29 11:07 566 --a------ c:\windows\System32\SP207.ini
2009-03-26 21:26 . 2008-05-07 16:19 407 --a------ c:\windows\System32\Remover.ini
2009-03-26 18:35 . 2009-03-26 18:35 <DIR> d-------- c:\program files\WinPcap
2009-03-26 18:35 . 2009-03-26 19:57 <DIR> d-------- c:\program files\WC3Banlist
2009-03-26 18:35 . 2005-01-22 20:12 679,936 --a------ c:\windows\System32\D3DX81ab.dll
2009-03-26 18:27 . 2009-03-26 21:34 786,432 --a------ c:\windows\SPInstall.etl
2009-03-26 17:32 . 2009-03-26 17:32 <DIR> d-------- C:\USBNoRisk
2009-03-26 17:17 . 2009-03-26 18:17 <DIR> d-a------ c:\users\All Users\TEMP
2009-03-26 17:17 . 2009-03-26 18:17 <DIR> d-a------ c:\programdata\TEMP
2009-03-26 17:17 . 2009-03-26 17:17 <DIR> d-------- c:\program files\GetData
2009-03-26 17:16 . 2009-03-26 17:16 <DIR> d-------- c:\program files\Active Data Recovery Software
2009-03-26 17:14 . 2009-03-26 17:14 <DIR> d-------- c:\program files\PC Inspector File Recovery
2009-03-26 17:14 . 2002-02-18 18:40 6,200 --a------ c:\windows\System32\INT13EXT.VXD
2009-03-26 17:07 . 2009-03-26 17:07 <DIR> d-------- c:\program files\Runtime Software
2009-03-26 16:43 . 2009-03-26 16:43 <DIR> d-------- c:\users\veljko\AppData\Roaming\Windows Live Writer
2009-03-26 16:39 . 2009-03-26 16:39 <DIR> d-------- c:\users\veljko\Tracing
2009-03-26 16:36 . 2009-03-26 16:36 <DIR> d-------- c:\program files\Microsoft SQL Server Compact Edition
2009-03-26 16:36 . 2006-11-29 13:06 3,426,072 --a------ c:\windows\System32\d3dx9_32.dll
2009-03-26 16:35 . 2009-03-26 16:35 <DIR> d-------- c:\program files\Microsoft
2009-03-26 16:24 . 2009-03-26 16:35 <DIR> d-------- c:\users\All Users\Spybot - Search & Destroy
2009-03-26 16:24 . 2009-03-26 16:35 <DIR> d-------- c:\programdata\Spybot - Search & Destroy
2009-03-26 16:24 . 2009-03-26 16:24 <DIR> d-------- c:\program files\Spybot - Search & Destroy
2009-03-26 14:49 . 2009-03-26 14:49 <DIR> d-------- c:\program files\Windows Live SkyDrive
2009-03-26 14:48 . 2009-03-26 14:48 <DIR> d-------- c:\windows\PCHEALTH
2009-03-26 14:48 . 2009-03-26 16:38 <DIR> d-------- c:\program files\Windows Live
2009-03-26 14:45 . 2009-03-26 14:45 <DIR> d-------- c:\program files\Common Files\Windows Live
2009-03-26 14:22 . 2009-03-26 14:22 <DIR> d-------- c:\program files\Picasa2
2009-03-26 14:22 . 2009-03-26 14:27 <DIR> d-------- c:\program files\PhotoFiltre
2009-03-26 14:22 . 2006-10-05 03:42 2,560 --------- c:\windows\System32\drivers\cdralw2k.sys
2009-03-26 14:22 . 2006-10-05 03:42 2,432 --------- c:\windows\System32\drivers\cdr4_xp.sys
2009-03-26 14:21 . 2009-03-26 14:21 <DIR> d-------- c:\users\veljko\AppData\Roaming\Winamp
2009-03-26 14:21 . 2009-03-26 14:21 <DIR> d-------- c:\program files\Yahoo!
2009-03-26 14:21 . 2009-03-26 14:21 <DIR> d-------- c:\program files\Winamp
2009-03-26 14:21 . 2009-03-26 14:21 <DIR> d-------- c:\program files\foobar2000
2009-03-26 14:21 . 2009-03-26 14:21 <DIR> d-------- c:\program files\CCleaner
2009-03-26 14:21 . 2007-03-08 00:51 129,784 --------- c:\windows\System32\pxafs.dll
2009-03-25 23:07 . 2009-03-26 14:46 <DIR> d-------- c:\users\All Users\Google
2009-03-25 23:06 . 2009-03-25 23:06 <DIR> d-------- c:\program files\Nero 9
2009-03-25 23:06 . 2009-03-25 23:06 <DIR> d-------- c:\program files\Common Files\Nero
2009-03-25 23:06 . 2009-03-25 23:06 <DIR> d-------- c:\program files\Audacity 1.3 Beta (Unicode)
2009-03-25 23:06 . 2008-07-04 10:23 1,757,184 --a------ c:\windows\System32\imagX7.dll
2009-03-25 23:06 . 2008-07-04 10:23 802,816 --a------ c:\windows\System32\imagXRA7.dll
2009-03-25 23:06 . 2008-07-04 10:23 497,296 --a------ c:\windows\System32\imagXpr7.dll
2009-03-25 23:06 . 2006-03-17 15:49 368,640 --a------ c:\windows\System32\twnlib4.dll
2009-03-25 23:06 . 2008-07-04 10:23 258,048 --a------ c:\windows\System32\imagXR7.dll
2009-03-25 22:59 . 2009-03-25 23:02 <DIR> d-------- c:\program files\Garena
2009-03-25 22:57 . 2009-03-25 22:57 <DIR> d-------- c:\users\veljko\AppData\Roaming\OpenOffice.org
2009-03-25 22:53 . 2009-03-25 22:53 <DIR> d-------- c:\users\veljko\AppData\Roaming\Corel
2009-03-25 22:53 . 2009-03-25 22:53 <DIR> d-------- c:\program files\OpenOffice.org 3
2009-03-25 22:53 . 2009-03-25 22:53 <DIR> d-------- c:\program files\JRE
2009-03-25 22:53 . 2009-03-25 22:56 2,828 --ahs---- c:\users\All Users\KGyGaAvL.sys
2009-03-25 22:53 . 2009-03-25 22:56 2,828 --ahs---- c:\programdata\KGyGaAvL.sys
2009-03-25 22:53 . 2009-03-25 22:53 8 -r-hs---- c:\users\All Users\77083ACD65.sys
2009-03-25 22:53 . 2009-03-25 22:53 8 -r-hs---- c:\programdata\77083ACD65.sys
2009-03-25 22:52 . 2009-03-25 22:52 <DIR> d-------- c:\users\All Users\Corel
2009-03-25 22:52 . 2009-03-25 22:52 <DIR> d-------- c:\programdata\Corel
2009-03-25 22:52 . 2009-03-25 22:52 <DIR> d-------- c:\program files\Common Files\Protexis
2009-03-25 22:49 . 2009-03-25 23:07 <DIR> d-------- c:\program files\Google
2009-03-25 22:46 . 2009-03-25 22:46 <DIR> d-------- c:\program files\Common Files\Corel
2009-03-25 22:45 . 2009-03-25 22:45 <DIR> d-------- c:\program files\Corel
2009-03-25 22:44 . 2009-03-25 22:44 <DIR> d-------- c:\users\veljko\AppData\Roaming\InstallShield
2009-03-25 22:42 . 2009-03-25 22:42 <DIR> d-------- c:\program files\AnswerWorks 4.0
2009-03-25 22:41 . 2009-03-25 22:41 <DIR> d-------- c:\users\veljko\AppData\Roaming\Autodesk
2009-03-25 22:41 . 2009-03-25 22:41 <DIR> d-------- c:\users\All Users\Autodesk
2009-03-25 22:41 . 2009-03-25 22:41 <DIR> d-------- c:\programdata\Autodesk
2009-03-25 22:41 . 2009-03-25 22:43 <DIR> d-------- c:\program files\AutoCAD 2007
2009-03-25 22:40 . 2009-03-25 22:42 <DIR> d-------- c:\program files\Common Files\Autodesk Shared
2009-03-25 22:40 . 2009-03-25 22:40 <DIR> d-------- c:\program files\Autodesk
2009-03-25 22:38 . 2009-03-25 22:38 <DIR> d-------- C:\install
2009-03-25 22:19 . 2009-03-25 22:19 <DIR> d-------- c:\program files\Common Files\Adobe AIR
2009-03-25 22:18 . 2009-03-26 14:21 <DIR> d-------- c:\users\All Users\Adobe
2009-03-25 22:16 . 2009-03-25 22:16 <DIR> d-------- c:\program files\Common Files\Macrovision Shared
2009-03-25 22:15 . 2009-03-26 14:21 <DIR> d-------- c:\program files\Common Files\Adobe
2009-03-25 22:05 . 2009-03-25 22:05 <DIR> d-------- c:\program files\Print3D Corporation
2009-03-25 22:04 . 2009-03-25 22:04 <DIR> d-------- c:\program files\progeSOFT
2009-03-25 22:04 . 2009-01-10 18:54 1,645,320 --a------ c:\windows\System32\gdiplus.dll
2009-03-25 22:03 . 2009-03-25 22:03 155,655,543 --a------ c:\windows\System32\xa17798622.exe
2009-03-25 22:03 . 2009-03-25 22:03 155,655,543 --a------ c:\windows\System32\xa17772616.exe
2009-03-25 20:56 . 2009-03-25 20:56 <DIR> d-------- c:\users\veljko\AppData\Roaming\GRETECH
2009-03-25 20:55 . 2009-03-25 20:55 <DIR> d-------- c:\program files\GRETECH
2009-03-25 17:23 . 2009-03-25 17:23 <DIR> d-------- C:\lupo
2009-03-25 02:07 . 2009-03-26 14:48 <DIR> d-------- c:\windows\Debug
2009-03-25 02:05 . 2009-03-25 02:09 <DIR> d-------- c:\windows\Panther
2009-03-25 02:05 . 2009-03-26 20:42 <DIR> d--hs---- C:\Boot
2009-03-25 02:05 . 2006-11-02 10:53 438,840 -rahs---- C:\bootmgr
2009-03-25 02:05 . 2009-03-25 02:05 8,192 -ra-s---- C:\BOOTSECT.BAK
2009-03-24 20:02 . 2009-03-24 20:02 <DIR> d-------- c:\users\veljko\.gimp-2.6
2009-03-24 20:02 . 2009-03-24 20:02 <DIR> d-------- c:\users\veljko\.gegl-0.0
2009-03-24 20:01 . 2009-03-24 20:01 <DIR> d-------- c:\program files\Gimp-2.0
2009-03-24 19:59 . 2009-03-24 19:59 <DIR> d-------- c:\users\All Users\ACD Systems
2009-03-24 19:59 . 2009-03-24 19:59 <DIR> d-------- c:\programdata\ACD Systems
2009-03-24 19:59 . 2009-03-24 19:59 <DIR> d-------- c:\program files\Common Files\ACD Systems
2009-03-24 19:59 . 2009-03-24 19:59 <DIR> d-------- c:\program files\ACD Systems
2009-03-24 19:51 . 2009-03-26 16:38 <DIR> d--hs---- c:\windows\Installer
2009-03-24 19:05 . 2009-03-24 19:05 <DIR> d-------- c:\program files\Trend Micro
2009-03-24 19:01 . 2009-03-24 19:02 <DIR> d-------- c:\program files\Counter-Strike 1.6
2009-03-24 18:57 . 2009-03-24 18:57 <DIR> d-------- c:\windows\System32\Macromed
2009-03-24 18:56 . 2009-03-24 18:56 0 --a------ c:\windows\nsreg.dat
2009-03-24 18:47 . 2008-01-03 22:26 1,079,840 --a------ c:\windows\System32\nvcpluir.dll
2009-03-24 18:47 . 2008-01-03 22:26 764,448 --a------ c:\windows\System32\nvcplui.exe
2009-03-24 18:47 . 2008-01-03 22:26 420,384 --a------ c:\windows\System32\nvcpl.cpl
2009-03-24 18:47 . 2008-01-03 22:26 360,448 --a------ c:\windows\System32\nvuninst.exe
2009-03-24 18:47 . 2008-01-03 22:26 313,888 --a------ c:\windows\System32\nvexpbar.dll
2009-03-24 18:46 . 2009-03-26 21:38 <DIR> d--h----- c:\program files\InstallShield Installation Information
2009-03-24 18:45 . 2009-03-26 21:38 <DIR> d-------- c:\program files\Common Files\InstallShield
2009-03-24 18:36 . 2009-03-24 18:49 <DIR> d-------- c:\users\veljko\AppData\Roaming\DNA
2009-03-24 18:36 . 2009-03-26 17:16 <DIR> d-------- c:\users\veljko\AppData\Roaming\BitTorrent
2009-03-24 18:36 . 2009-03-24 18:42 <DIR> d-------- c:\program files\DNA
2009-03-24 18:36 . 2009-03-24 18:36 <DIR> d-------- c:\program files\BitTorrent
2009-03-24 18:31 . 2009-03-24 18:31 <DIR> d-------- c:\users\veljko\DoctorWeb
2009-03-24 18:25 . 2009-03-24 18:25 <DIR> d-------- c:\users\veljko\AppData\Roaming\GHISLER
2009-03-24 18:25 . 2009-03-24 18:25 <DIR> d-------- C:\totalcmd

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-02-06 18:03 307,576 ----a-w c:\windows\WLXPGSS.SCR
2009-02-06 17:52 49,504 ----a-w c:\windows\System32\sirenacm.dll
2009-01-10 17:58 89,360 ----a-w c:\windows\System32\vb5db.dll
2009-01-10 17:58 61,440 ----a-w c:\windows\System32\wintab32.dll
2009-01-10 17:58 1,060,864 ----a-w c:\windows\System32\mfc71.dll
2009-01-10 17:57 40,960 ----a-w c:\windows\System32\vbame.dll
2009-01-10 17:57 1,146,184 ----a-w c:\windows\System32\fm20.dll
2009-01-10 17:55 73,728 ----a-w c:\windows\System32\skeydrv.dll
2009-01-10 17:55 2,134,016 ----a-w c:\windows\System32\cdintf251.dll
2009-01-10 17:55 132,392 ----a-w c:\windows\System32\skeyinst.dll
2006-11-02 12:49 174 --sha-w c:\program files\desktop.ini
.

((((((((((((((((((((((((((((( SnapShot_2009-03-26_20.47.42.81 )))))))))))))))))))))))))))))))))))))))))
.
- 2009-03-25 21:04:35 51,200 ----a-w c:\windows\inf\infpub.dat
+ 2009-03-26 20:31:28 51,200 ----a-w c:\windows\inf\infpub.dat
- 2009-03-25 21:04:35 86,016 ----a-w c:\windows\inf\infstor.dat
+ 2009-03-26 20:31:25 86,016 ----a-w c:\windows\inf\infstor.dat
- 2009-03-25 21:04:35 86,016 ----a-w c:\windows\inf\infstrng.dat
+ 2009-03-26 20:31:28 86,016 ----a-w c:\windows\inf\infstrng.dat
+ 2006-11-20 08:01:08 163,840 ----a-w c:\windows\PixArt\i-Look110\AMCap.exe
+ 2007-12-10 14:55:26 323,584 ----a-w c:\windows\PixArt\i-Look110\Monitor.exe
+ 2007-10-22 13:46:56 425,984 ----a-w c:\windows\PixArt\i-Look110\PASnap.exe
- 2009-03-26 19:44:55 2,048 --sha-w c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2009-03-26 20:39:52 2,048 --sha-w c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
- 2009-03-26 19:44:55 2,048 --sha-w c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
+ 2009-03-26 20:39:52 2,048 --sha-w c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
- 2009-03-26 19:46:10 262,144 --sha-w c:\windows\ServiceProfiles\LocalService\NTUSER.DAT
+ 2009-03-26 20:41:17 262,144 --sha-w c:\windows\ServiceProfiles\LocalService\NTUSER.DAT
- 2009-03-26 19:46:09 262,144 --sha-w c:\windows\ServiceProfiles\NetworkService\NTUSER.DAT
+ 2009-03-26 20:41:11 262,144 --sha-w c:\windows\ServiceProfiles\NetworkService\NTUSER.DAT
+ 2006-11-20 08:01:08 163,840 ----a-w c:\windows\System32\DriverStore\FileRepository\i-look110.inf_40ea3a98\AmCap.exe
+ 2007-12-10 14:55:26 323,584 ----a-w c:\windows\System32\DriverStore\FileRepository\i-look110.inf_40ea3a98\Monitor.exe
+ 2007-10-22 13:46:56 425,984 ----a-w c:\windows\System32\DriverStore\FileRepository\i-look110.inf_40ea3a98\PASnap.exe
+ 2007-11-02 10:07:32 6,656 ----a-w c:\windows\System32\DriverStore\FileRepository\i-look110.inf_40ea3a98\WNT\CoInst_080213.dll
+ 2008-02-13 12:17:26 618,112 ----a-w c:\windows\System32\DriverStore\FileRepository\i-look110.inf_40ea3a98\WNT\PFC027.SYS
+ 2007-07-25 11:43:28 405,632 ----a-w c:\windows\System32\DriverStore\FileRepository\wfeagle.inf_9c9477f0\wfeaglxt.sys
- 2003-03-18 19:14:52 499,712 ----a-w c:\windows\System32\msvcp71.dll
+ 2006-07-11 17:35:42 503,808 ----a-w c:\windows\System32\msvcp71.dll
- 2003-02-21 03:42:22 348,160 ----a-w c:\windows\System32\msvcr71.dll
+ 2006-07-11 17:35:38 348,160 ----a-w c:\windows\System32\msvcr71.dll
- 2009-03-26 17:49:25 103,818 ----a-w c:\windows\System32\perfc009.dat
+ 2009-03-26 19:49:31 103,818 ----a-w c:\windows\System32\perfc009.dat
- 2009-03-26 17:49:25 618,410 ----a-w c:\windows\System32\perfh009.dat
+ 2009-03-26 19:49:31 618,410 ----a-w c:\windows\System32\perfh009.dat
- 2009-03-26 17:46:35 3,692 ----a-w c:\windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-207583750-273483801-176882428-1000_UserData.bin
+ 2009-03-26 20:42:34 4,242 ----a-w c:\windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-207583750-273483801-176882428-1000_UserData.bin
- 2009-03-26 17:46:35 43,128 ----a-w c:\windows\System32\WDI\BootPerformanceDiagnostics_SystemData.bin
+ 2009-03-26 20:42:34 43,642 ----a-w c:\windows\System32\WDI\BootPerformanceDiagnostics_SystemData.bin
- 2009-03-26 17:46:33 17,932 ----a-w c:\windows\System32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin
+ 2009-03-26 20:42:31 19,416 ----a-w c:\windows\System32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin
+ 2004-04-18 19:10:16 116,688 ------r c:\windows\System32\WinFast\AP\DTV\setup.exe
+ 2007-11-06 18:26:04 1,523,271 ----a-w c:\windows\System32\WinFast\Tools\MCE_PlugIN\MCE-PlugIN.exe
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ASuite"="c:\users\veljko\Desktop\Lupo PenSuite v6.70 Full\Launcher\ASuite.exe" [2008-05-24 457728]
"WinFastDTV"="c:\program files\WinFast\WFDTV\DTVSchdl.exe" [2007-11-16 90112]
"WinFast Schedule"="c:\program files\WinFast\WFDTV\WFWIZ.exe" [2007-11-15 2850816]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.ACDV"= ACDV.dll
"msacm.divxa32"= msaud32_divx.acm

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^AutoCAD Startup Accelerator.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\AutoCAD Startup Accelerator.lnk
backup=c:\windows\pss\AutoCAD Startup Accelerator.lnk.CommonStartup
backupExtension=.CommonStartup

[HKLM\~\startupfolder\C:^Users^veljko^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^OpenOffice.org 3.0.lnk]
path=c:\users\veljko\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OpenOffice.org 3.0.lnk
backup=c:\windows\pss\OpenOffice.org 3.0.lnk.Startup
backupExtension=.Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2008-06-12 02:38 116592 c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdobeCS4ServiceManager]
--a------ 2008-08-14 07:58 611712 c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ASuite]
--a------ 2008-05-24 21:26 457728 d:\lupo pensuite v6.70 full\Launcher\ASuite.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BitTorrent DNA]
--a------ 2009-03-24 18:36 342848 c:\program files\DNA\btdna.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
--a------ 2009-02-06 18:51 3955040 c:\program files\Windows Live\Messenger\msnmsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
--a------ 2008-01-03 22:26 13515296 c:\windows\System32\nvcpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
--a------ 2008-01-03 22:26 86016 c:\windows\System32\nvmctray.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvSvc]
--a------ 2008-01-03 22:26 90112 c:\windows\System32\nvsvc.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Sidebar]
--a------ 2006-11-02 13:33 1196032 c:\program files\Windows Sidebar\sidebar.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SystemExplorer]
--a------ 2008-08-25 20:36 569344 c:\users\veljko\Desktop\Lupo PenSuite v6.70 Full\Apps\System Explorer\System Explorer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender]
--a------ 2006-11-02 13:32 1004136 c:\program files\Windows Defender\MSASCui.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WindowsWelcomeCenter]
--a------ 2006-11-02 13:32 2159104 c:\windows\System32\oobefldr.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-207583750-273483801-176882428-1000]
"EnableNotificationsRef"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{4FBA1554-4C0B-4F97-B742-834EC9EF4D89}"= UDP:c:\program files\DNA\btdna.exe:DNA (TCP-In)
"{C2AC0505-42EC-4C28-AAF5-E4F8416FADF6}"= TCP:c:\program files\DNA\btdna.exe:DNA (UDP-In)
"{837A3202-8FA0-4C46-822E-BF2EB543A431}"= UDP:c:\program files\BitTorrent\bittorrent.exe:BitTorrent (TCP-In)
"{27F9BCA3-7ABB-44D4-9B68-D3AE6D033D8B}"= TCP:c:\program files\BitTorrent\bittorrent.exe:BitTorrent (UDP-In)
"{126C18EE-9920-40A5-8A96-5BCA753BC3C9}"= UDP:5353:Adobe CSI CS4
"{A39A8FA3-35D2-4A0C-B3F0-28B77CA81780}"= UDP:c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe:Adobe CSI CS4
"{BC7FCD52-15C1-497D-86A9-1FDC0F3ABA35}"= TCP:c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe:Adobe CSI CS4

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\PublicProfile]
"EnableFirewall"= 0 (0x0)
"DisabledInterfaces"= {CD5C267B-C272-4234-9173-4D5552C39DCE}
"DoNotAllowExceptions"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\RestrictedServices\Static\System]
"DFSR-1"= RPort=5722|UDP:%SystemRoot%\system32\svchost.exe|Svc=DFSR:Allow inbound TCP traffic|

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile\AuthorizedApplications\List]
"c:\\Program Files\\BitTorrent\\bittorrent.exe"= c:\program files\BitTorrent\bittorrent.exe:*:Enabled:BitTorrent
"d:\\Igre\\Warcraft III\\Frozen Throne.exe"= d:\igre\Warcraft III\Frozen Throne.exe:*:Enabled:ipsec
"c:\\Windows\\system32\\Dwm.exe"= c:\windows\system32\Dwm.exe:*:Enabled:ipsec
"d:\\Instalacije\\ACDSee Photo Manager 2009 v11.0.85\\ACDSee Photo Manager 2009 v11.0.85\\setup.exe"= d:\instalacije\ACDSee Photo Manager 2009 v11.0.85\ACDSee Photo Manager 2009 v11.0.85\setup.exe:*:Enabled:ipsec
"c:\\Windows\\system32\\MsiExec.exe"= c:\windows\system32\MsiExec.exe:*:Enabled:ipsec
"c:\\Users\\veljko\\Desktop\\Warcraft III\\Frozen Throne.exe"= c:\users\veljko\Desktop\Warcraft III\Frozen Throne.exe:*:Enabled:ipsec
"c:\\Program Files\\Runtime Software\\GetDataBack for NTFS\\gdbnt.exe"= c:\program files\Runtime Software\GetDataBack for NTFS\gdbnt.exe:*:Enabled:ipsec
"c:\\Windows\\system32\\CF16409.exe"= c:\windows\system32\CF16409.exe:*:Enabled:ipsec
"d:\\Instalacije\\ostali programi vazni\\Avast 4.8 srb home.exe"= d:\instalacije\ostali programi vazni\Avast 4.8 srb home.exe:*:Enabled:ipsec
"d:\\Instalacije\\ostali programi vazni\\blender-2.45-windows.exe"= d:\instalacije\ostali programi vazni\blender-2.45-windows.exe:*:Enabled:ipsec
"d:\\Instalacije\\ostali programi vazni\\AdbeRdr90_en_US.exe"= d:\instalacije\ostali programi vazni\AdbeRdr90_en_US.exe:*:Enabled:ipsec
"d:\\Instalacije\\ostali programi vazni\\CCleaner 2.10.618.exe"= d:\instalacije\ostali programi vazni\CCleaner 2.10.618.exe:*:Enabled:ipsec
"c:\\Users\\veljko\\AppData\\Local\\Temp\\winyhjq.exe"= c:\users\veljko\AppData\Local\Temp\winyhjq.exe:*:Enabled:ipsec
"c:\\Users\\veljko\\AppData\\Local\\Temp\\winsryk.exe"= c:\users\veljko\AppData\Local\Temp\winsryk.exe:*:Enabled:ipsec
"c:\\Users\\veljko\\AppData\\Local\\Temp\\kugm.exe"= c:\users\veljko\AppData\Local\Temp\kugm.exe:*:Enabled:ipsec
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"= c:\program files\Mozilla Firefox\firefox.exe:*:Enabled:ipsec
"c:\\Users\\veljko\\AppData\\Local\\Temp\\winworc.exe"= c:\users\veljko\AppData\Local\Temp\winworc.exe:*:Enabled:ipsec
"c:\\Users\\veljko\\AppData\\Local\\Temp\\psdk.exe"= c:\users\veljko\AppData\Local\Temp\psdk.exe:*:Enabled:ipsec
"c:\\Users\\veljko\\AppData\\Local\\Temp\\winbfjpx.exe"= c:\users\veljko\AppData\Local\Temp\winbfjpx.exe:*:Enabled:ipsec
"c:\\Users\\veljko\\AppData\\Local\\Temp\\joevj.exe"= c:\users\veljko\AppData\Local\Temp\joevj.exe:*:Enabled:ipsec
"c:\\Users\\veljko\\AppData\\Local\\Temp\\winkveks.exe"= c:\users\veljko\AppData\Local\Temp\winkveks.exe:*:Enabled:ipsec
"c:\\Users\\veljko\\AppData\\Local\\Temp\\winwsxc.exe"= c:\users\veljko\AppData\Local\Temp\winwsxc.exe:*:Enabled:ipsec
"c:\\Users\\veljko\\AppData\\Local\\Temp\\winbbtbsc.exe"= c:\users\veljko\AppData\Local\Temp\winbbtbsc.exe:*:Enabled:ipsec
"c:\\Users\\veljko\\AppData\\Local\\Temp\\winpdmeq.exe"= c:\users\veljko\AppData\Local\Temp\winpdmeq.exe:*:Enabled:ipsec
"c:\\Users\\veljko\\AppData\\Local\\Temp\\yyurfh.exe"= c:\users\veljko\AppData\Local\Temp\yyurfh.exe:*:Enabled:ipsec
"c:\\Users\\veljko\\AppData\\Local\\Temp\\foyj.exe"= c:\users\veljko\AppData\Local\Temp\foyj.exe:*:Enabled:ipsec
"c:\\Users\\veljko\\AppData\\Local\\Temp\\wingcgi.exe"= c:\users\veljko\AppData\Local\Temp\wingcgi.exe:*:Enabled:ipsec
"c:\\Users\\veljko\\AppData\\Local\\Temp\\winsafmm.exe"= c:\users\veljko\AppData\Local\Temp\winsafmm.exe:*:Enabled:ipsec
"c:\\Windows\\VFIND.exe"= c:\windows\VFIND.exe:*:Enabled:ipsec
"c:\\Users\\veljko\\Desktop\\Lupo PenSuite v6.70 Full\\Apps\\System Explorer\\System Explorer.exe"= c:\users\veljko\Desktop\Lupo PenSuite v6.70 Full\Apps\System Explorer\System Explorer.exe:*:Enabled:ipsec
"c:\\Windows\\system32\\taskeng.exe"= c:\windows\system32\taskeng.exe:*:Enabled:ipsec
"c:\\Users\\veljko\\AppData\\Local\\Temp\\winjcoj.exe"= c:\users\veljko\AppData\Local\Temp\winjcoj.exe:*:Enabled:ipsec
"c:\\Users\\veljko\\AppData\\Local\\Temp\\yycvjq.exe"= c:\users\veljko\AppData\Local\Temp\yycvjq.exe:*:Enabled:ipsec
"c:\\Users\\veljko\\AppData\\Local\\Temp\\huuy.exe"= c:\users\veljko\AppData\Local\Temp\huuy.exe:*:Enabled:ipsec
"c:\\Users\\veljko\\AppData\\Local\\Temp\\isiqr.exe"= c:\users\veljko\AppData\Local\Temp\isiqr.exe:*:Enabled:ipsec
"c:\\Users\\veljko\\AppData\\Local\\Temp\\winqqcl.exe"= c:\users\veljko\AppData\Local\Temp\winqqcl.exe:*:Enabled:ipsec
"c:\\Users\\veljko\\AppData\\Local\\Temp\\tyktyr.exe"= c:\users\veljko\AppData\Local\Temp\tyktyr.exe:*:Enabled:ipsec
"c:\\Users\\veljko\\AppData\\Local\\Temp\\rdidi.exe"= c:\users\veljko\AppData\Local\Temp\rdidi.exe:*:Enabled:ipsec
"c:\\Users\\veljko\\AppData\\Local\\Temp\\ymiece.exe"= c:\users\veljko\AppData\Local\Temp\ymiece.exe:*:Enabled:ipsec

R3 WFIOCTL;WFIOCTL;c:\program files\WinFast\WFDTV\WFIOCTL.sys [2009-03-26 9446]
R3 WFLR6654;WinFast TV2000 XP Global/Global TV (Video);c:\windows\System32\drivers\wfeaglxt.sys [2009-03-26 405632]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2dab7d4e-18d9-11de-a2db-806e6f6e6963}]
\shell\AutoRun\command - E:\Install.exe
.
- - - - ORPHANS REMOVED - - - -

MSConfigStartUp-BMISR - c:\program files\KYE\WebMate\BM.exe


.
------- Supplementary Scan -------
.
FF - ProfilePath - c:\users\veljko\AppData\Roaming\Mozilla\Firefox\Profiles\umn96b4m.default\
FF - plugin: c:\program files\Windows Live\Photo Gallery\NPWLPG.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-03-26 21:43:34
Windows 6.0.6000 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2009-03-26 21:44:46
ComboFix-quarantined-files.txt 2009-03-26 20:44:44
ComboFix2.txt 2009-03-26 19:48:45
ComboFix3.txt 2009-03-26 15:50:32
ComboFix4.txt 2009-03-26 13:51:48
ComboFix5.txt 2009-03-26 20:41:36

Pre-Run: 5,879,242,752 bytes free
Post-Run: 5,846,609,920 bytes free

  • dr_Bora  Male
  • Anti Malware Fighter
    Rank 2
  • Joined: 24 Jul 2007
  • Posts: 12280
  • Location: Höganäs, SE

Open Notepad and copy the following text into it:


Registry::
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile\AuthorizedApplications\List]
"c:\\Users\\veljko\\AppData\\Local\\Temp\\winyhjq.exe"=-
"c:\\Users\\veljko\\AppData\\Local\\Temp\\winsryk.exe"=-
"c:\\Users\\veljko\\AppData\\Local\\Temp\\kugm.exe"=-
"c:\\Users\\veljko\\AppData\\Local\\Temp\\winworc.exe"=-
"c:\\Users\\veljko\\AppData\\Local\\Temp\\psdk.exe"=-
"c:\\Users\\veljko\\AppData\\Local\\Temp\\winbfjpx.exe"=-
"c:\\Users\\veljko\\AppData\\Local\\Temp\\joevj.exe"=-
"c:\\Users\\veljko\\AppData\\Local\\Temp\\winkveks.exe"=-
"c:\\Users\\veljko\\AppData\\Local\\Temp\\winwsxc.exe"=-
"c:\\Users\\veljko\\AppData\\Local\\Temp\\winbbtbsc.exe"=-
"c:\\Users\\veljko\\AppData\\Local\\Temp\\winpdmeq.exe"=-
"c:\\Users\\veljko\\AppData\\Local\\Temp\\yyurfh.exe"=-
"c:\\Users\\veljko\\AppData\\Local\\Temp\\foyj.exe"=-
"c:\\Users\\veljko\\AppData\\Local\\Temp\\wingcgi.exe"=-
"c:\\Users\\veljko\\AppData\\Local\\Temp\\winsafmm.exe"=-
"c:\\Users\\veljko\\AppData\\Local\\Temp\\winjcoj.exe"=-
"c:\\Users\\veljko\\AppData\\Local\\Temp\\yycvjq.exe"=-
"c:\\Users\\veljko\\AppData\\Local\\Temp\\huuy.exe"=-
"c:\\Users\\veljko\\AppData\\Local\\Temp\\isiqr.exe"=-
"c:\\Users\\veljko\\AppData\\Local\\Temp\\winqqcl.exe"=-
"c:\\Users\\veljko\\AppData\\Local\\Temp\\tyktyr.exe"=-
"c:\\Users\\veljko\\AppData\\Local\\Temp\\rdidi.exe"=-
"c:\\Users\\veljko\\AppData\\Local\\Temp\\ymiece.exe"=-



Save the Notepad file to the Desktop as "CFScript"




Drag the saved script/text onto the ComboFix icon as shown in the picture.
Post in your next message the log that is produced at the end of the cleaning/scan.
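The CFScript above is built by hand from the firewall section of the log: every exception whose target is a random-named executable in the user's AppData\Local\Temp folder gets a "=-" line, which tells ComboFix to delete that registry value. The following Python script is an added example, not code from this thread, from ComboFix or from dr_Bora; it reads a ComboFix-style log fragment (the sample lines are constructed to resemble the ones posted above, with the same user name and file names purely as illustration), flags exceptions whose target lives directly in a Temp folder, and prints the matching CFScript block. The section header, the `"key"= value` line layout and the `Registry::` / `=-` syntax are taken from the thread; the Temp-folder heuristic is the only assumption added here.

```python
"""Added example, not code from the thread or from ComboFix/dr_Bora:
pull the StandardProfile AuthorizedApplications firewall exceptions out of a
ComboFix-style log, flag the ones whose target executable sits directly in a
user's AppData\\Local\\Temp folder (the pattern seen in the log above), and
turn those keys into a CFScript "Registry::" block where "=-" deletes the
value. All sample log lines below are constructed for this example."""
import re

# Constructed sample fragment in the same layout as a ComboFix "Reg Loading
# Points" section; user name and file names are illustrative only.
SAMPLE_LOG = r"""
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile\AuthorizedApplications\List]
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"= c:\program files\Mozilla Firefox\firefox.exe:*:Enabled:ipsec
"c:\\Users\\veljko\\AppData\\Local\\Temp\\winyhjq.exe"= c:\users\veljko\AppData\Local\Temp\winyhjq.exe:*:Enabled:ipsec
"c:\\Users\\veljko\\AppData\\Local\\Temp\\kugm.exe"= c:\users\veljko\AppData\Local\Temp\kugm.exe:*:Enabled:ipsec
"c:\\Windows\\system32\\Dwm.exe"= c:\windows\system32\Dwm.exe:*:Enabled:ipsec

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\PublicProfile]
"EnableFirewall"= 0 (0x0)
"""

SECTION = (r"[HKLM\~\services\sharedaccess\parameters\firewallpolicy"
           r"\StandardProfile\AuthorizedApplications\List]")
# One ComboFix registry line:  "key"= value
ENTRY_RE = re.compile(r'^"(?P<key>[^"]+)"=\s*(?P<value>.*)$')
# An .exe sitting directly in <profile>\AppData\Local\Temp (assumed heuristic)
TEMP_EXE_RE = re.compile(r"\\AppData\\Local\\Temp\\[^\\]+\.exe$", re.IGNORECASE)


def parse_authorized_apps(log_text):
    """Return (key, value) pairs found under the AuthorizedApplications key."""
    entries = []
    in_section = False
    for raw in log_text.splitlines():
        line = raw.strip()
        if line.startswith("["):            # any registry key header
            in_section = (line == SECTION)
            continue
        if not in_section or not line:
            continue
        m = ENTRY_RE.match(line)
        if m:
            entries.append((m.group("key"), m.group("value")))
    return entries


def suspicious_entries(entries):
    """Keys whose exception target is an .exe directly under a Temp folder.

    The log writes keys with doubled backslashes (REGEDIT4 escaping), so they
    are collapsed before matching; the returned keys keep the escaped form
    because CFScript expects exactly that spelling."""
    flagged = []
    for key, _value in entries:
        if TEMP_EXE_RE.search(key.replace("\\\\", "\\")):
            flagged.append(key)
    return flagged


def build_cfscript(keys):
    """Emit a CFScript block that deletes each key ("=-" removes the value)."""
    lines = ["Registry::", SECTION] + ['"%s"=-' % k for k in keys]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    flagged = suspicious_entries(parse_authorized_apps(SAMPLE_LOG))
    print(build_cfscript(flagged))
```

Run as-is it prints a `Registry::` block with two `=-` lines (the two Temp-folder executables) and leaves the Firefox and Dwm.exe exceptions alone. The detection rule is deliberately narrow: a legitimate installer rarely needs a permanent inbound firewall exception for a file in Temp, so a cluster of such entries with random names is a strong sign that something was adding itself to the allow list, which is exactly what the hand-written CFScript above removes.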
