Winlogon in temp

  • fellow
  • New MyCity citizen
  • Joined: 21 Mar 2008
  • Posts: 8

Winlogon in temp

Update: 25 Mar 2008 12:37

hey thanks guys, I already deleted that, it was probably some virus.
but I'll paste the log for you so you can see if there's anything else that needs to be deleted

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:07:05, on 25.3.2008
Platform: Windows XP SP3, v.3264 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0013)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe
C:\Program Files\NoDNS\NoDNS.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\Common Files\Teleca Shared\CapabilityManager.exe
C:\Program Files\Common Files\Teleca Shared\Generic.exe
C:\Program Files\Sony Ericsson\Mobile2\Mobile Phone Monitor\epmworker.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = toggle.com/index.php?rvs=hompag
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = go.microsoft.com/fwlink/?LinkId=69157
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\DOCUME~1\user\LOCALS~1\Temp\winlogon.exe
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Pomoc za prijavu - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [DeviceDiscovery] C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
O4 - HKLM\..\Run: [runner1] C:\WINDOWS\mrofinu1423.exe 61A847B5BBF7281336993B466188719AB689201522886B092CBD44BD8689220221DD3257
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Flash Driver] C:\DOCUME~1\user\LOCALS~1\Temp\winlogon.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Sony Ericsson PC Suite] "C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /Minimized
O4 - HKCU\..\Run: [NoDNS] C:\Program Files\\NoDNS\\NoDNS.exe
O4 - HKCU\..\Run: [Uniblue RegistryBooster 2] C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe /S
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: I&zvoz u Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Istraživanje - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - cdn.scan.onecare.live.com/resource/download/scanner/wlscbase370.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{2D746E69-A369-4F89-8971-60DC1FE3BF3D}: NameServer = 212.39.98.162 212.39.98.161
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

--
End of file - 7075 bytes
tell me if there's anything to delete

  • DEMIAN  Male
  • Legendary citizen
  • IT Manager
  • Joined: 25 Mar 2005
  • Posts: 3706
  • Where do you live: The darkest place on earth..

From the log it is visible that you have active malware on the system even though you deleted winlogon.exe from the temp folder. Do the following...

-----------------
Download ComboFix from one of the following addresses to the Desktop:
http://www.techsupportforum.com/sectools/sUBs/ComboFix.exe
http://download.bleepingcomputer.com/sUBs/ComboFix.exe

Run it and do not touch the program window while it scans.
Follow the instructions on the screen. When it finishes, a log (C:\ComboFix.txt) will appear, which you will copy here for us.
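An added example (not from the thread, and not part of HijackThis): a small Python triage over constructed HijackThis-style lines that flags the kinds of entries the reply above is pointing at, namely an extra UserInit= entry, an autostart launched from a user-writable directory, a core Windows binary name loading from outside system32, and an orphaned BHO. The sample lines, rule names and the list of user-writable path fragments are constructed for the example.

```python
import re
from dataclasses import dataclass

# Constructed sample in HijackThis v2 line format, modelled on the autostart
# locations that appear in this thread (shortened to a handful of lines).
SAMPLE_LOG = r"""
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\DOCUME~1\user\LOCALS~1\Temp\winlogon.exe
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [Flash Driver] C:\DOCUME~1\user\LOCALS~1\Temp\winlogon.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
"""

# Core Windows binaries that legitimately load only from %SystemRoot%\system32;
# the same file name anywhere else is a masquerade (assumed list for the example).
SYSTEM_BINARIES = {"winlogon.exe", "userinit.exe", "svchost.exe", "lsass.exe",
                   "services.exe", "csrss.exe", "smss.exe"}

# Directory fragments (8.3 and long form) that an ordinary user can write to.
USER_WRITABLE = ("\\temp\\", "\\locals~1\\", "\\applic~1\\", "\\application data\\",
                 "\\local settings\\", "\\docume~1\\", "\\documents and settings\\")

EXPECTED_USERINIT = r"c:\windows\system32\userinit.exe"

O4_RE = re.compile(r"^O4 - (\S+): \[(.*?)\] (.*)$")
CMD_RE = re.compile(r'^"?(.*?\.(?:exe|dll|scr|com|bat|cmd))"?(?:\s+(.*))?$', re.I)


@dataclass
class Finding:
    rule: str    # which heuristic fired
    entry: str   # the raw log line it fired on
    detail: str  # the path or value that triggered it


def split_command(command: str):
    """Separate the executable path from its arguments in an O4 command string."""
    m = CMD_RE.match(command.strip())
    if not m:
        return command.strip(), ""
    return m.group(1), m.group(2) or ""


def path_rules(path: str):
    """Heuristics that apply to one executable path taken from an autostart entry."""
    lowered = path.lower()
    rules = []
    if any(fragment in lowered for fragment in USER_WRITABLE):
        rules.append("autostart-from-user-writable-dir")
    basename = lowered.rsplit("\\", 1)[-1]
    if basename in SYSTEM_BINARIES and "\\system32\\" not in lowered:
        rules.append("system-binary-name-outside-system32")
    return rules


def triage(log_text: str):
    """Walk HijackThis lines and return the entries worth a second look."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if line.startswith("F2 - ") and "UserInit=" in line:
            # The only expected entry is userinit.exe; anything appended after the
            # comma is started by winlogon at every interactive logon.
            value = line.split("UserInit=", 1)[1]
            for part in value.split(","):
                part = part.strip()
                if part and part.lower() != EXPECTED_USERINIT:
                    findings.append(Finding("userinit-extra-entry", line, part))
                    for rule in path_rules(part):
                        findings.append(Finding(rule, line, part))
        elif line.startswith("O4 - "):
            m = O4_RE.match(line)
            if not m:
                continue
            name, path = m.group(2), split_command(m.group(3))[0]
            for rule in path_rules(path):
                findings.append(Finding(rule, line, f"[{name}] {path}"))
        elif line.startswith("O2 - BHO") and line.endswith("(no file)"):
            findings.append(Finding("orphaned-bho", line, "CLSID registered, DLL missing"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.rule:40} {f.detail}")
```

Legitimate entries (AVG, HP, ctfmon) produce nothing, while the Temp copy of winlogon.exe is reported twice: once through UserInit and once through the HKLM Run key.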

  • fellow
  • New MyCity citizen
  • Joined: 21 Mar 2008
  • Posts: 8

ComboFix 08-03-25.4 - user 2008-03-26 10:37:06.1 - NTFSx86
Running from: C:\Documents and Settings\user\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
-- Script messages for sUBs --
MTEE /+ d-delA.dat


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Program Files\NoDNS
C:\Program Files\NoDNS\NoDNS.exe
C:\Program Files\NoDNS\UnInstall.exe
C:\Program Files\Temporary
C:\Program Files\Temporary\InsiDERInst.exe
C:\WINDOWS\system32\msssc.dll

.
((((((((((((((((((((((((( Files Created from 2008-02-26 to 2008-03-26 )))))))))))))))))))))))))))))))
.

2008-03-25 16:07 . 2008-03-25 18:37 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Messenger Plus!
2008-03-25 15:48 . 2008-03-25 15:48 <DIR> d-------- C:\Program Files\cdromdrawweb
2008-03-25 15:48 . 2008-03-25 15:49 <DIR> d-------- C:\Documents and Settings\user\Application Data\cdromdrawweb
2008-03-25 15:48 . 2008-03-25 15:48 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Memo save stupid creative
2008-03-25 15:47 . 2008-03-25 15:47 <DIR> d-------- C:\Program Files\Messenger Plus! Live
2008-03-25 15:47 . 2008-03-25 15:47 <DIR> d-------- C:\Program Files\Circle Developement
2008-03-24 17:48 . 2008-03-24 17:48 <DIR> d-------- C:\Program Files\Common Files\Adobe
2008-03-24 11:54 . 2008-03-24 11:54 <DIR> d-------- C:\Program Files\Trend Micro
2008-03-08 11:29 . 2008-03-25 13:15 <DIR> d-------- C:\Program Files\Incomplete
2008-03-05 15:35 . 2008-03-05 15:35 <DIR> d-------- C:\Program Files\Common Files\Download Manager
2008-03-05 15:35 . 2008-03-05 15:46 <DIR> d-------- C:\Program Files\Chord Pickout
2008-03-03 19:10 . 2008-03-03 19:10 <DIR> d--h----- C:\WINDOWS\system32\GroupPolicy
2008-03-03 15:32 . 2007-01-18 13:00 3,968 --a------ C:\WINDOWS\system32\drivers\AvgArCln.sys
2008-03-03 15:32 . 2008-03-03 15:32 244 --ah----- C:\sqmnoopt04.sqm
2008-03-03 15:32 . 2008-03-03 15:32 232 --ah----- C:\sqmdata04.sqm
2008-03-01 09:15 . 2008-03-01 09:15 <DIR> d-------- C:\Program Files\Code-it Software
2008-02-29 22:47 . 2008-02-29 22:47 <DIR> d-------- C:\Documents and Settings\user\Application Data\Uniblue
2008-02-29 21:53 . 2007-09-24 23:31 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-02-29 21:50 . 2008-02-29 21:52 <DIR> d-------- C:\Program Files\Java
2008-02-29 21:47 . 2008-02-29 21:47 <DIR> d-------- C:\Program Files\Common Files\Java
2008-02-27 20:01 . 2008-02-27 20:01 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\WinZip
2008-02-27 14:06 . 2008-02-27 14:08 <DIR> d-------- C:\Program Files\Croatian Mini-Dictionary

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-26 09:20 --------- d-----w C:\Documents and Settings\All Users\Application Data\avg7
2008-03-25 14:51 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-03-25 12:25 --------- d-----w C:\Documents and Settings\user\Application Data\LimeWire
2008-03-25 12:16 --------- d-----w C:\Program Files\LimeWire
2008-03-24 18:04 --------- d-----w C:\Documents and Settings\user\Application Data\AVG7
2008-03-18 19:07 --------- d-----w C:\Documents and Settings\All Users\Application Data\WLInstaller
2008-03-18 10:09 90,112 ----a-w C:\WINDOWS\DUMP6ab0.tmp
2008-02-29 21:22 --------- d-----w C:\Program Files\Winamp
2008-02-26 11:21 --------- d-----w C:\Program Files\Windows Live Safety Center
2008-02-24 19:33 --------- d-----w C:\Program Files\Lavasoft
2008-02-24 19:33 --------- d-----w C:\Documents and Settings\user\Application Data\Lavasoft
2008-02-24 19:32 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-02-24 19:04 --------- d-----w C:\Program Files\Windows Live
2008-02-23 11:26 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-02-23 09:57 --------- dcsh--w C:\Program Files\Common Files\WindowsLiveInstaller
2008-02-21 07:33 --------- d-----w C:\Program Files\Activision
2008-02-20 10:19 --------- d-----w C:\Documents and Settings\user\Application Data\InterVideo
2008-02-19 20:28 --------- d-----w C:\Documents and Settings\user\Application Data\Teleca
2008-02-19 20:28 --------- d-----w C:\Documents and Settings\user\Application Data\Sony Ericsson
2008-02-19 13:03 --------- d-----w C:\Program Files\Common Files\Teleca Shared
2008-02-19 13:03 --------- d-----w C:\Documents and Settings\All Users\Application Data\Teleca
2008-02-19 13:03 --------- d-----w C:\Documents and Settings\All Users\Application Data\Sony Ericsson
2008-02-19 13:02 --------- d-----w C:\Program Files\Sony Ericsson
2008-02-19 12:55 96,672 ----a-w C:\WINDOWS\system32\drivers\w550mdm.sys
2008-02-19 12:55 8,336 ----a-w C:\WINDOWS\system32\drivers\w550mdfl.sys
2008-02-19 12:55 60,928 ----a-w C:\WINDOWS\system32\drivers\w550bus.sys
2008-02-19 12:55 6,176 ----a-w C:\WINDOWS\system32\drivers\w550cmnt.sys
2008-02-19 12:55 6,176 ----a-w C:\WINDOWS\system32\drivers\w550cm.sys
2008-02-19 12:55 5,808 ----a-w C:\WINDOWS\system32\drivers\w550whnt.sys
2008-02-19 12:55 5,808 ----a-w C:\WINDOWS\system32\drivers\w550wh.sys
2008-02-18 12:39 --------- d-----w C:\Documents and Settings\user\Application Data\Winamp
2008-02-16 15:31 --------- d-----w C:\Program Files\Guitar Pro 4
2008-02-14 07:44 --------- d-----w C:\Program Files\Common Files\InstallShield
2008-02-11 13:25 --------- d-----w C:\Program Files\Hewlett-Packard
2008-02-11 13:24 --------- d-----w C:\Program Files\HP
2008-02-09 11:12 499,712 ----a-w C:\WINDOWS\system32\msvcp71.dll
2008-02-09 11:12 --------- d-----w C:\Documents and Settings\LocalService\Application Data\AVG7
2008-02-09 11:12 --------- d-----w C:\Documents and Settings\All Users\Application Data\Grisoft
2008-02-09 10:40 --------- d-----w C:\Program Files\Microsoft.NET
2008-02-09 10:39 --------- d-----w C:\Program Files\Microsoft Works
2008-02-09 10:34 --------- d-----w C:\Program Files\Common Files\Ahead
2008-02-09 10:34 --------- d-----w C:\Program Files\Ahead
2008-02-09 10:32 --------- d-----w C:\Documents and Settings\user\Application Data\Talkback
2008-02-09 10:29 --------- d-----w C:\Program Files\K-Lite Codec Pack
2008-02-09 10:28 --------- d-----w C:\Program Files\InterVideo
2008-02-09 09:35 --------- d-----w C:\Program Files\Analog Devices
2008-02-09 09:25 --------- d-----w C:\Program Files\microsoft frontpage
2008-02-09 09:19 --------- d-----w C:\Program Files\Windows Media Connect 2
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2007-12-01 00:26 15360]
"Sony Ericsson PC Suite"="C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" [2005-08-09 19:14 155648]
"Uniblue RegistryBooster 2"="C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe" [ ]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2007-12-01 00:26 1695232]
"regsmfcd"="C:\DOCUME~1\user\APPLIC~1\CDROMD~1\64 proxy.exe" [2008-03-25 15:48 402944]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Smapp"="C:\Program Files\Analog Devices\SoundMAX\SMTray.exe" [2002-10-11 18:26 98304]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 10:50 155648]
"WinampAgent"="C:\Program Files\Winamp\winampa.exe" [ ]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2008-02-11 17:02 579072]
"HPDJ Taskbar Utility"="C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe" [2003-09-01 12:42 176128]
"HP Software Update"="C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe" [2003-06-25 11:24 49152]
"HP Component Manager"="C:\Program Files\HP\hpcoretech\hpcmpmgr.exe" [2003-10-23 19:51 233472]
"DeviceDiscovery"="C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe" [2003-05-21 18:37 229437]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11 132496]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792]
"stupid creative poll axis"="C:\Documents and Settings\All Users\Application Data\Memo save stupid creative\draw ante.exe" [2008-03-26 10:45 471040]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2007-12-01 00:26 15360]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2008-02-09 12:12 219136]
"msnmsgr"="C:\Program Files\MSN Messenger\msnmsgr.exe" [ ]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--------- 2007-12-01 00:26 1695232 C:\Program Files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
--a------ 2007-10-18 11:34 5724184 C:\Program Files\Windows Live\Messenger\MsnMsgr.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

S3 usnjsvc;Usluga Messenger Sharing Folders USN Journal Reader;"C:\Program Files\Windows Live\Messenger\usnsvc.exe" [2007-10-18 11:31]
S3 w550bus;Sony Ericsson W550 driver (WDM);C:\WINDOWS\system32\DRIVERS\w550bus.sys [2008-02-19 13:55]
S3 w550mdfl;Sony Ericsson W550 USB WMC Modem Filter;C:\WINDOWS\system32\DRIVERS\w550mdfl.sys [2008-02-19 13:55]
S3 w550mdm;Sony Ericsson W550 USB WMC Modem Drivers;C:\WINDOWS\system32\DRIVERS\w550mdm.sys [2008-02-19 13:55]
S3 w550mgmt;Sony Ericsson W550 USB WMC Device Management Drivers;C:\WINDOWS\system32\DRIVERS\w550mgmt.sys [2005-08-01 14:46]
S3 w550obex;Sony Ericsson W550 USB WMC OBEX Interface Drivers;C:\WINDOWS\system32\DRIVERS\w550obex.sys [2005-08-01 14:46]

.
Contents of the 'Scheduled Tasks' folder
"2008-03-25 21:00:01 C:\WINDOWS\Tasks\AE68D8F3915F5297.job"
- c:\docume~1\user\applic~1\cdromd~1\Balmdvdtype.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, gmer.net
Rootkit scan 2008-03-26 10:45:11
Windows 5.1.2600 Service Pack 3, v.3264 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Common Files\Teleca Shared\CapabilityManager.exe
C:\Program Files\Common Files\Teleca Shared\Generic.exe
C:\Program Files\Sony Ericsson\Mobile2\Mobile Phone Monitor\epmworker.exe
.
**************************************************************************
.
Completion time: 2008-03-26 10:52:27 - machine was rebooted [user]
ComboFix-quarantined-files.txt 2008-03-26 09:51:54
.
2008-03-13 12:40:52 --- E O F ---

what should I do now?

  • DEMIAN  Male
  • Legendary citizen
  • IT Manager
  • Joined: 25 Mar 2005
  • Posts: 3706
  • Where do you live: The darkest place on earth..

Open Notepad and copy the following text:

File::
C:\sqmnoopt04.sqm
C:\sqmdata04.sqm
C:\WINDOWS\DUMP6ab0.tmp
C:\Documents and Settings\All Users\Application Data\Memo save stupid creative\draw ante.exe
C:\WINDOWS\Tasks\AE68D8F3915F5297.job
C:\DOCUME~1\user\APPLIC~1\CDROMD~1\64 proxy.exe

Folder::
C:\Program Files\cdromdrawweb
C:\Documents and Settings\user\Application Data\cdromdrawweb
C:\Documents and Settings\All Users\Application Data\Memo save stupid

Registry::
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"regsmfcd"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"stupid creative poll axis"=-

Save the file from Notepad to the Desktop as "CFScript"

Drag the saved script/text onto the ComboFix icon as in the picture.
Post in the next message the log that will be produced at the end of the cleaning/scan.
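An added example (not from the thread, and not part of ComboFix): a Python parser for the CFScript layout used above (File::, Folder::, and Registry:: with "name"=- meaning "delete this value") that cross-checks each Registry:: deletion against a constructed excerpt of ComboFix's Reg Loading Points section, reporting any autostart value the log does not list and any value whose target file the script would leave on disk. The script text and log excerpt are constructed for the example; draw ante.exe is deliberately left out of File:: so the check has something to report.

```python
import re

# Constructed CFScript in the layout used in this thread. draw ante.exe is
# intentionally missing from File:: to show the consistency check firing.
CFSCRIPT = r"""
File::
C:\DOCUME~1\user\APPLIC~1\CDROMD~1\64 proxy.exe
C:\WINDOWS\Tasks\AE68D8F3915F5297.job

Folder::
C:\Program Files\cdromdrawweb
C:\Documents and Settings\user\Application Data\cdromdrawweb

Registry::
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"regsmfcd"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"stupid creative poll axis"=-
"""

# Constructed excerpt in the layout of ComboFix's "Reg Loading Points" section.
REG_LOADING_POINTS = r"""
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2007-12-01 00:26 15360]
"regsmfcd"="C:\DOCUME~1\user\APPLIC~1\CDROMD~1\64 proxy.exe" [2008-03-25 15:48 402944]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Smapp"="C:\Program Files\Analog Devices\SoundMAX\SMTray.exe" [2002-10-11 18:26 98304]
"stupid creative poll axis"="C:\Documents and Settings\All Users\Application Data\Memo save stupid creative\draw ante.exe" [2008-03-26 10:45 471040]
"""

SECTION_RE = re.compile(r"^(File|Folder|Registry)::$", re.I)
KEY_RE = re.compile(r"^\[(.+)\]$")
DELETE_VALUE_RE = re.compile(r'^"(.+)"=-$')
VALUE_RE = re.compile(r'^"(.+?)"="(.+?)"')


def parse_cfscript(text):
    """Split a CFScript into {'File': [...], 'Folder': [...], 'Registry': {key: [names]}}."""
    script = {"File": [], "Folder": [], "Registry": {}}
    section = key = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            section, key = m.group(1).capitalize(), None
            continue
        if section in ("File", "Folder"):
            script[section].append(line)
        elif section == "Registry":
            km = KEY_RE.match(line)
            if km:
                key = km.group(1)
                script["Registry"].setdefault(key, [])
                continue
            dm = DELETE_VALUE_RE.match(line)
            if dm is None or key is None:
                raise ValueError(f"unsupported Registry:: line: {line!r}")
            script["Registry"][key].append(dm.group(1))
        else:
            raise ValueError(f"line outside any section: {line!r}")
    return script


def parse_reg_loading_points(text):
    """Map registry key -> {value name: executable path} from the ComboFix excerpt."""
    points, key = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        km = KEY_RE.match(line)
        if km:
            key = km.group(1)
            points.setdefault(key, {})
            continue
        vm = VALUE_RE.match(line)
        if vm and key is not None:
            points[key][vm.group(1)] = vm.group(2)
    return points


def covered(path, script):
    """True if the script removes this path directly (File::) or via a parent (Folder::)."""
    p = path.lower()
    if p in (f.lower() for f in script["File"]):
        return True
    return any(p.startswith(d.lower().rstrip("\\") + "\\") for d in script["Folder"])


def check_script(script, points):
    """Report Registry:: deletions the log does not back, and targets the script leaves on disk."""
    lowered = {k.lower(): {n.lower(): t for n, t in v.items()} for k, v in points.items()}
    problems = []
    for key, names in script["Registry"].items():
        for name in names:
            target = lowered.get(key.lower(), {}).get(name.lower())
            if target is None:
                problems.append(f"{name}: not listed under {key} in the ComboFix log")
            elif not covered(target, script):
                problems.append(f"{name}: target {target} is not removed by any File:: or Folder:: entry")
    return problems


if __name__ == "__main__":
    script = parse_cfscript(CFSCRIPT)
    for problem in check_script(script, parse_reg_loading_points(REG_LOADING_POINTS)):
        print("WARNING:", problem)
```

Note that ComboFix reports the regsmfcd target in 8.3 form, so it only counts as covered because File:: lists that exact string; the long-form Folder:: entries would not match it.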

  • fellow
  • New MyCity citizen
  • Joined: 21 Mar 2008
  • Posts: 8

ComboFix 08-03-25.4 - user 2008-03-26 18:17:57.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1250.1.1033.18.76 [GMT 1:00]
Running from: C:\Documents and Settings\user\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\user\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\DOCUME~1\user\APPLIC~1\CDROMD~1\64 proxy.exe
C:\Documents and Settings\All Users\Application Data\Memo save stupid creative\draw ante.exe
C:\sqmdata04.sqm
C:\sqmnoopt04.sqm
C:\WINDOWS\DUMP6ab0.tmp
C:\WINDOWS\Tasks\AE68D8F3915F5297.job
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\DOCUME~1\user\APPLIC~1\CDROMD~1\64 proxy.exe
C:\Documents and Settings\All Users\Application Data\Memo save stupid creative\draw ante.exe
C:\Documents and Settings\user\Application Data\cdromdrawweb
C:\Documents and Settings\user\Application Data\cdromdrawweb\0
C:\Documents and Settings\user\Application Data\cdromdrawweb\64 proxy.exe
C:\Documents and Settings\user\Application Data\cdromdrawweb\Balmdvdtype.exe
C:\Documents and Settings\user\Application Data\cdromdrawweb\Global inter dumb anti.exe
C:\Documents and Settings\user\Application Data\cdromdrawweb\smraparl.exe
C:\Program Files\cdromdrawweb
C:\sqmdata04.sqm
C:\sqmnoopt04.sqm
C:\WINDOWS\DUMP6ab0.tmp
C:\WINDOWS\Tasks\AE68D8F3915F5297.job

.
((((((((((((((((((((((((( Files Created from 2008-02-26 to 2008-03-26 )))))))))))))))))))))))))))))))
.

2008-03-26 16:17 . 2008-03-26 16:17 <DIR> d-------- C:\Program Files\Windows Live Favorites
2008-03-26 16:15 . 2008-03-26 16:17 <DIR> d-------- C:\Program Files\Windows Live Toolbar
2008-03-26 16:15 . 2008-03-26 16:15 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Windows Live Toolbar
2008-03-26 14:48 . 2008-03-26 14:48 <DIR> d-------- C:\Program Files\Common Files\Stardock
2008-03-26 14:48 . 2008-03-26 14:48 <DIR> d-------- C:\Program Files\Circle Developement
2008-03-26 14:48 . 2008-03-26 18:18 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Memo save stupid creative
2008-03-26 14:04 . 2008-03-26 14:48 <DIR> d-------- C:\Program Files\AlienGUIse
2008-03-26 14:04 . 2003-02-26 22:27 36,864 --a------ C:\WINDOWS\system32\wbsys.dll
2008-03-26 14:04 . 2008-03-26 14:04 56 --a------ C:\WINDOWS\wb.ini
2008-03-25 16:07 . 2008-03-25 18:37 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Messenger Plus!
2008-03-25 15:47 . 2008-03-26 14:45 <DIR> d-------- C:\Program Files\Messenger Plus! Live
2008-03-24 17:48 . 2008-03-26 14:47 <DIR> d-------- C:\Program Files\Common Files\Adobe
2008-03-24 11:54 . 2008-03-24 11:54 <DIR> d-------- C:\Program Files\Trend Micro
2008-03-08 11:29 . 2008-03-25 13:15 <DIR> d-------- C:\Program Files\Incomplete
2008-03-05 15:35 . 2008-03-05 15:35 <DIR> d-------- C:\Program Files\Common Files\Download Manager
2008-03-05 15:35 . 2008-03-05 15:46 <DIR> d-------- C:\Program Files\Chord Pickout
2008-03-03 19:10 . 2008-03-03 19:10 <DIR> d--h----- C:\WINDOWS\system32\GroupPolicy
2008-03-03 15:32 . 2007-01-18 13:00 3,968 --a------ C:\WINDOWS\system32\drivers\AvgArCln.sys
2008-03-01 09:15 . 2008-03-01 09:15 <DIR> d-------- C:\Program Files\Code-it Software
2008-02-29 22:47 . 2008-02-29 22:47 <DIR> d-------- C:\Documents and Settings\user\Application Data\Uniblue
2008-02-29 21:53 . 2007-09-24 23:31 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-02-29 21:50 . 2008-02-29 21:52 <DIR> d-------- C:\Program Files\Java
2008-02-29 21:47 . 2008-02-29 21:47 <DIR> d-------- C:\Program Files\Common Files\Java
2008-02-27 20:01 . 2008-02-27 20:01 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\WinZip
2008-02-27 14:06 . 2008-02-27 14:08 <DIR> d-------- C:\Program Files\Croatian Mini-Dictionary

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-26 13:47 --------- d-----w C:\Program Files\LimeWire
2008-03-26 13:46 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-03-26 09:20 --------- d-----w C:\Documents and Settings\All Users\Application Data\avg7
2008-03-25 12:25 --------- d-----w C:\Documents and Settings\user\Application Data\LimeWire
2008-03-24 18:04 --------- d-----w C:\Documents and Settings\user\Application Data\AVG7
2008-03-18 19:07 --------- d-----w C:\Documents and Settings\All Users\Application Data\WLInstaller
2008-02-29 21:22 --------- d-----w C:\Program Files\Winamp
2008-02-26 11:21 --------- d-----w C:\Program Files\Windows Live Safety Center
2008-02-24 19:33 --------- d-----w C:\Program Files\Lavasoft
2008-02-24 19:33 --------- d-----w C:\Documents and Settings\user\Application Data\Lavasoft
2008-02-24 19:32 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-02-24 19:04 --------- d-----w C:\Program Files\Windows Live
2008-02-23 11:26 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-02-23 09:57 --------- dcsh--w C:\Program Files\Common Files\WindowsLiveInstaller
2008-02-21 07:33 --------- d-----w C:\Program Files\Activision
2008-02-20 10:19 --------- d-----w C:\Documents and Settings\user\Application Data\InterVideo
2008-02-19 20:28 --------- d-----w C:\Documents and Settings\user\Application Data\Teleca
2008-02-19 20:28 --------- d-----w C:\Documents and Settings\user\Application Data\Sony Ericsson
2008-02-19 13:03 --------- d-----w C:\Program Files\Common Files\Teleca Shared
2008-02-19 13:03 --------- d-----w C:\Documents and Settings\All Users\Application Data\Teleca
2008-02-19 13:03 --------- d-----w C:\Documents and Settings\All Users\Application Data\Sony Ericsson
2008-02-19 13:02 --------- d-----w C:\Program Files\Sony Ericsson
2008-02-19 12:55 96,672 ----a-w C:\WINDOWS\system32\drivers\w550mdm.sys
2008-02-19 12:55 8,336 ----a-w C:\WINDOWS\system32\drivers\w550mdfl.sys
2008-02-19 12:55 60,928 ----a-w C:\WINDOWS\system32\drivers\w550bus.sys
2008-02-19 12:55 6,176 ----a-w C:\WINDOWS\system32\drivers\w550cmnt.sys
2008-02-19 12:55 6,176 ----a-w C:\WINDOWS\system32\drivers\w550cm.sys
2008-02-19 12:55 5,808 ----a-w C:\WINDOWS\system32\drivers\w550whnt.sys
2008-02-19 12:55 5,808 ----a-w C:\WINDOWS\system32\drivers\w550wh.sys
2008-02-18 12:39 --------- d-----w C:\Documents and Settings\user\Application Data\Winamp
2008-02-16 15:31 --------- d-----w C:\Program Files\Guitar Pro 4
2008-02-14 07:44 --------- d-----w C:\Program Files\Common Files\InstallShield
2008-02-11 13:25 --------- d-----w C:\Program Files\Hewlett-Packard
2008-02-11 13:24 --------- d-----w C:\Program Files\HP
2008-02-09 11:12 499,712 ----a-w C:\WINDOWS\system32\msvcp71.dll
2008-02-09 11:12 --------- d-----w C:\Documents and Settings\LocalService\Application Data\AVG7
2008-02-09 11:12 --------- d-----w C:\Documents and Settings\All Users\Application Data\Grisoft
2008-02-09 10:40 --------- d-----w C:\Program Files\Microsoft.NET
2008-02-09 10:39 --------- d-----w C:\Program Files\Microsoft Works
2008-02-09 10:34 --------- d-----w C:\Program Files\Common Files\Ahead
2008-02-09 10:34 --------- d-----w C:\Program Files\Ahead
2008-02-09 10:32 --------- d-----w C:\Documents and Settings\user\Application Data\Talkback
2008-02-09 10:29 --------- d-----w C:\Program Files\K-Lite Codec Pack
2008-02-09 10:28 --------- d-----w C:\Program Files\InterVideo
2008-02-09 09:35 --------- d-----w C:\Program Files\Analog Devices
2008-02-09 09:25 --------- d-----w C:\Program Files\microsoft frontpage
2008-02-09 09:19 --------- d-----w C:\Program Files\Windows Media Connect 2
.

((((((((((((((((((((((((((((( snapshot@2008-03-26_10.51.08.43 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-03-26 13:48:10 3,599,196 ----a-w C:\WINDOWS\system32\Restore\rstrlog.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2007-12-01 00:26 15360]
"Sony Ericsson PC Suite"="C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" [2005-08-09 19:14 155648]
"Uniblue RegistryBooster 2"="C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe" [ ]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2007-12-01 00:26 1695232]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Smapp"="C:\Program Files\Analog Devices\SoundMAX\SMTray.exe" [2002-10-11 18:26 98304]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 10:50 155648]
"WinampAgent"="C:\Program Files\Winamp\winampa.exe" [ ]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2008-02-11 17:02 579072]
"HPDJ Taskbar Utility"="C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe" [2003-09-01 12:42 176128]
"HP Software Update"="C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe" [2003-06-25 11:24 49152]
"HP Component Manager"="C:\Program Files\HP\hpcoretech\hpcmpmgr.exe" [2003-10-23 19:51 233472]
"DeviceDiscovery"="C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe" [2003-05-21 18:37 229437]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11 132496]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2007-12-01 00:26 15360]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2008-02-09 12:12 219136]
"msnmsgr"="C:\Program Files\MSN Messenger\msnmsgr.exe" [ ]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WB]
C:\Program Files\AlienGUIse\fastload.dll 2001-12-20 23:34 24576 C:\Program Files\AlienGUIse\fastload.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=wbsys.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--------- 2007-12-01 00:26 1695232 C:\Program Files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
--a------ 2007-10-18 11:34 5724184 C:\Program Files\Windows Live\Messenger\MsnMsgr.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

R3 usnjsvc;Usluga Messenger Sharing Folders USN Journal Reader;"C:\Program Files\Windows Live\Messenger\usnsvc.exe" [2007-10-18 11:31]
S3 w550bus;Sony Ericsson W550 driver (WDM);C:\WINDOWS\system32\DRIVERS\w550bus.sys [2008-02-19 13:55]
S3 w550mdfl;Sony Ericsson W550 USB WMC Modem Filter;C:\WINDOWS\system32\DRIVERS\w550mdfl.sys [2008-02-19 13:55]
S3 w550mdm;Sony Ericsson W550 USB WMC Modem Drivers;C:\WINDOWS\system32\DRIVERS\w550mdm.sys [2008-02-19 13:55]
S3 w550mgmt;Sony Ericsson W550 USB WMC Device Management Drivers;C:\WINDOWS\system32\DRIVERS\w550mgmt.sys [2005-08-01 14:46]
S3 w550obex;Sony Ericsson W550 USB WMC OBEX Interface Drivers;C:\WINDOWS\system32\DRIVERS\w550obex.sys [2005-08-01 14:46]

.
Contents of the 'Scheduled Tasks' folder
"2008-03-26 15:15:31 C:\WINDOWS\Tasks\Check Updates for Windows Live Toolbar.job"
- C:\Program Files\Windows Live Toolbar\MSNTBUP.EXE
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, gmer.net
Rootkit scan 2008-03-26 18:21:57
Windows 5.1.2600 Service Pack 3, v.3264 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-03-26 18:23:28
ComboFix-quarantined-files.txt 2008-03-26 17:23:17
ComboFix2.txt 2008-03-26 09:52:30
.
2008-03-13 12:40:52 --- E O F ---


Is it OK now?

  • DEMIAN  Male
  • Legendary citizen
  • IT Manager
  • Joined: 25 Mar 2005
  • Posts: 3706
  • Where do you live: The darkest place on earth..

  • fellow
  • New MyCity citizen
  • Joined: 21 Mar 2008
  • Posts: 8

There you go DEMIAN, thank you very much, I don't know what I'd do without you, hehe! Thanks a lot!
P.S. I deleted the alien theme too, thanks for the advice :D
