[bobby] problem


  • Joined: 02 Jul 2008
  • Posts: 125

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 08:31:44, on 18.10.2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\OpenVPN\bin\openvpn-gui.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
C:\Program Files\Google\Gmail Notifier\gnotify.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe
C:\WINDOWS\system32\PnkBstrA.exe
c:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\quaryhoobou.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Documents and Settings\Zoki\Desktop\Ambulanta\TR3.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = crawler.com/search/dispatcher.aspx?tp=aus&qkw=%s&tbid=66010
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = crawler.com/search/ie.aspx?tb_id=66010
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = dnl.crawler.com/support/sa_customize.aspx?TbId=66010
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = crawler.com/search/ie.aspx?tb_id=66010
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = dnl.crawler.com/support/sa_customize.aspx?TbId=66010
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: IEVkbdBHO - {59273AB4-E7D3-40F9-A1A8-6FA9CCA1862C} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\ievkbd.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: InlineSearchHandleHotKey - {B6FFE2AE-4D12-451F-B457-FE6125FFB1CF} - C:\Program Files\IEForge\Inline Search\InlineSearch.dll
O2 - BHO: QUICKfind BHO Object - {C08DF07A-3E49-4E25-9AB0-D3882835F153} - C:\PROGRA~1\TEXTware\QUICKfind\PlugIns\IEHelp.dll
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe"
O4 - HKLM\..\Run: [openvpn-gui] C:\Program Files\OpenVPN\bin\openvpn-gui.exe
O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Program Files\Google\Gmail Notifier\gnotify.exe
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe"
O4 - HKLM\..\Run: [ciko] C:\WINDOWS\system32\nydooryt.exe
O4 - HKLM\..\RunServices: [Speed Driver] sbthost.exe
O4 - HKLM\..\RunServices: [ciko] C:\WINDOWS\system32\nydooryt.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: Add to Banner Ad Blocker - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\ie_banner_deny.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.1_02\bin\npjpi141_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.1_02\bin\npjpi141_02.dll
O9 - Extra button: Web traffic protection statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\SCIEPlgn.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {76326493-E84F-4D4B-939C-1E07B50037F2} (ProxyModule Class) - online.bancaintesabeograd.com/RetailDLL/SGCMSCCD.DLL
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: C:\PROGRA~1\Kaspersky Lab\Kaspersky Internet Security 2009\mzvkbd.dll,C:\PROGRA~1\Kaspersky Lab\Kaspersky Internet Security 2009\mzvkbd3.dll,C:\PROGRA~1\Kaspersky Lab\Kaspersky Internet Security 2009\adialhk.dll,C:\PROGRA~1\Kaspersky Lab\Kaspersky Internet Security 2009\kloehk.dll
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Unknown owner - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Kaspersky Internet Security (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe
O23 - Service: OpenVPN Service (OpenVPNService) - Unknown owner - C:\Program Files\OpenVPN\bin\openvpnserv.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: Protexis Licensing V2 (PSI_SVC_2) - Protexis Inc. - c:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe
O23 - Service: Blue Coat K9 Web Protection (zaefnat7zy4jy) - Unknown owner - C:\WINDOWS\system32\quaryhoobou.exe (file missing)

--
End of file - 7301 bytes



Lately I have been having a problem with my computer that points to some kind of virus:
1. The "Automatic updates" option is always turned off, and when I try to enable it Windows tells me it is unable to. When I try "Microsoft Windows Update" over the internet I get the following message: "The website has encountered a problem and cannot display the page you are trying to view. The options provided below might help you solve the problem."
2. A friend complains that she is receiving viruses from my computer via Windows Live Messenger.
3. Processes with strange names show up in Task Manager.

I am using WinXP Professional SP3, ADSL Eunet 512/64 flat rate.

  • Joined: 04 Sep 2003
  • Posts: 24135
  • Location: Wien

Download ComboFix from one of the following addresses to your Desktop:
http://download.bleepingcomputer.com/sUBs/ComboFix.exe
http://www.forospyware.com/sUBs/ComboFix.exe
http://subs.geekstogo.com/ComboFix.exe

Run it and do not touch the program window while it scans.
Follow the on-screen instructions. When it finishes, a log (C:\ComboFix.txt) will appear; paste it here for us.

  • Joined: 02 Jul 2008
  • Posts: 125

ComboFix 08-10-17.01 - Zoki 2008-10-18 11:28:34.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1250.1.1033.18.2595 [GMT 2:00]
Running from: C:\Documents and Settings\Zoki\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Program Files\INSTALL.LOG
C:\WINDOWS\system32\Cfx32.lic
C:\WINDOWS\system32\cfx32.ocx
C:\WINDOWS\system32\drivers\npf.sys
C:\WINDOWS\system32\packet.dll
C:\WINDOWS\system32\wpcap.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_NPF


((((((((((((((((((((((((( Files Created from 2008-09-18 to 2008-10-18 )))))))))))))))))))))))))))))))
.

2063-09-19 07:50 . 2063-09-19 07:50 5,501 --a------ C:\WINDOWS\system32\rtclmg32.dll
2008-10-18 09:46 . 2008-10-03 11:35 230,400 --a------ C:\WINDOWS\system32\quaryhoobou.exe
2008-10-17 19:08 . 2008-10-18 08:52 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-10-17 19:08 . 2008-10-17 19:08 1,409 --a------ C:\WINDOWS\QTFont.for
2008-10-16 19:05 . 2008-10-16 19:25 96,976 --a------ C:\WINDOWS\system32\drivers\klin.dat
2008-10-16 19:05 . 2008-10-16 19:05 87,855 --a------ C:\WINDOWS\system32\drivers\klick.dat
2008-10-16 19:04 . 2008-10-16 19:04 <DIR> d-------- C:\Program Files\Kaspersky Lab
2008-10-16 19:04 . 2008-10-18 11:20 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-10-16 19:04 . 2008-10-18 11:31 6,576,672 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2008-10-16 19:04 . 2008-10-18 11:31 442,400 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.dat
2008-10-16 19:04 . 2008-10-18 11:31 55,604 --ahs---- C:\WINDOWS\system32\drivers\fidbox.idx
2008-10-16 19:04 . 2008-10-18 11:31 4,688 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.idx
2008-10-13 20:35 . 2008-10-17 19:10 9,221 --a------ C:\WINDOWS\system32\QuickTimeFavorites.qtr
2008-10-13 20:34 . 2008-10-13 20:35 <DIR> d-------- C:\WINDOWS\system32\QuickTime
2008-10-13 20:34 . 2004-03-22 07:52 12,276,904 --a------ C:\temp\QuickTimeInstaller.exe
2008-10-13 20:34 . 2008-10-17 19:11 10,308 --a------ C:\WINDOWS\system32\QuickTime.qtp
2008-10-13 20:31 . 2008-10-13 20:32 <DIR> d-------- C:\temp\QT6
2008-10-13 20:15 . 2008-10-13 20:15 <DIR> d-------- C:\Program Files\TEXTware
2008-10-13 20:15 . 2003-09-24 20:24 327,680 --a------ C:\WINDOWS\system32\QFClient2.dll
2008-10-13 20:10 . 2008-10-13 20:10 <DIR> d-------- C:\Program Files\Longman
2008-10-11 15:37 . 2008-10-11 15:37 <DIR> d--h----- C:\WINDOWS\PIF
2008-10-07 18:05 . 2008-10-07 18:05 <DIR> d-------- C:\Documents and Settings\Zoki\Application Data\Ahead
2008-10-07 17:46 . 2008-10-07 17:46 <DIR> d-------- C:\Program Files\Valve
2008-10-07 17:45 . 2008-10-16 19:16 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-10-07 13:39 . 2008-10-07 13:39 <DIR> d-------- C:\Program Files\MSN Messenger
2008-10-04 21:29 . 2002-04-01 17:53 102,400 --a------ C:\WINDOWS\system32\TrackerNET.dll
2008-10-04 21:27 . 2001-07-31 10:55 217,088 --a------ C:\WINDOWS\system32\libmySQL.dll
2008-10-03 16:41 . 1996-11-08 02:48 368,912 --a------ C:\WINDOWS\system32\vbar332.dll
2008-10-03 16:41 . 2006-08-23 14:00 163,840 --a------ C:\WINDOWS\system32\egusound.ocx
2008-10-03 16:41 . 1999-03-13 00:00 127,488 --a------ C:\WINDOWS\system32\Ccrpsld.ocx
2008-10-03 10:03 . 2008-10-03 11:35 230,400 --a------ C:\WINDOWS\system32\nydooryt.exe
2008-09-29 22:19 . 2008-09-29 22:19 134 --a------ C:\WINDOWS\system32\CTSTATUS.FCS
2008-09-29 22:10 . 2008-10-03 17:09 <DIR> d-------- C:\Documents and Settings\Zoki\Application Data\F-Secure
2008-09-29 21:41 . 2008-10-16 19:02 <DIR> d-------- C:\Program Files\PC Protection Plus
2008-09-29 21:41 . 2008-09-29 21:41 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\fssg
2008-09-29 21:41 . 2008-10-16 19:00 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\F-Secure
2008-09-29 21:38 . 2008-09-25 16:08 86,169,440 --a------ C:\temp\PC-Protection-Plus-700-387.exe
2008-09-25 14:04 . 2008-04-14 00:24 22,016 --a------ C:\WINDOWS\system32\drivers\MSIRCOMM.sys
2008-09-25 14:04 . 2008-04-14 00:24 22,016 --a--c--- C:\WINDOWS\system32\dllcache\msircomm.sys
2008-09-24 15:47 . 2008-09-24 15:47 <DIR> d-------- C:\Program Files\Cambridge
2008-09-24 15:46 . 2008-09-24 15:46 <DIR> d-------- C:\Documents and Settings\Zoki\Application Data\cld3-lookup
2008-09-24 15:45 . 2008-09-24 15:45 <DIR> d--hs---- C:\WINDOWS\ftpcache
2008-09-24 15:45 . 2008-10-03 23:25 <DIR> d-------- C:\Documents and Settings\Zoki\Application Data\EssentialGrammarInUse
2008-09-20 10:41 . 2008-09-20 10:41 <DIR> d-------- C:\Program Files\Common Files\Blizzard Entertainment

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-10-18 09:18 --------- d-----w C:\Documents and Settings\Zoki\Application Data\uTorrent
2008-10-17 18:11 11,270 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys
2008-10-15 18:51 494 ----a-w C:\Program Files\Professional
2008-10-15 18:51 --------- d-----w C:\Program Files\Professional §©®ÎŢt v.4 Black
2008-10-15 17:10 --------- d-----w C:\Documents and Settings\Zoki\Application Data\XnView
2008-10-14 06:42 --------- d-----w C:\Documents and Settings\Zoki\Application Data\skypePM
2008-10-14 06:42 --------- d-----w C:\Documents and Settings\Zoki\Application Data\Skype
2008-10-13 18:35 --------- d-----w C:\Program Files\QuickTime
2008-10-13 18:23 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple Computer
2008-10-10 18:54 --------- d-----w C:\Documents and Settings\Zoki\Application Data\dvdcss
2008-10-08 19:24 --------- d-----w C:\Program Files\Achilles-Script 5.0 Black
2008-10-07 15:46 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-09-29 12:29 --------- d-----w C:\Documents and Settings\Zoki\Application Data\Wildfire
2008-09-28 06:39 --------- d-----w C:\Program Files\GIMPPortable
2008-09-26 12:07 --------- d-----w C:\Program Files\EA Sports
2008-09-23 19:09 --------- d-----w C:\Documents and Settings\All Users\Application Data\Kaspersky Lab Setup Files
2008-09-22 17:41 --------- d-----w C:\Program Files\Common Files\Adobe
2008-09-20 07:46 2,828 --sha-w C:\Documents and Settings\All Users\Application Data\KGyGaAvL.sys
2008-09-20 07:45 88 --sh--r C:\Documents and Settings\All Users\Application Data\B7CBA65A96.sys
2008-09-17 18:25 --------- d-----w C:\Documents and Settings\Zoki\Application Data\FarStone
2008-09-17 18:12 --------- d-----w C:\Program Files\FarStone
2008-09-17 18:11 81,920 ----a-w C:\WINDOWS\system32\Dversion.dll
2008-09-17 18:11 61,440 ----a-w C:\WINDOWS\system32\RDrvNTInterface.dll
2008-09-17 18:11 61,440 ----a-w C:\WINDOWS\system32\RDrv2KInterface.dll
2008-09-17 18:11 28,672 ----a-w C:\WINDOWS\system32\RDrv9xInterface.dll
2008-09-17 18:11 24,576 ----a-w C:\WINDOWS\system32\RDrvInterface.dll
2008-09-17 18:11 114,688 ----a-w C:\WINDOWS\system32\DVC.dll
2008-09-15 17:28 --------- d-----w C:\Documents and Settings\Zoki\Application Data\Corel
2008-09-15 17:27 --------- d-----w C:\Program Files\Common Files\Protexis
2008-09-15 17:27 --------- d-----w C:\Documents and Settings\All Users\Application Data\Corel
2008-09-15 17:25 --------- d-----w C:\Program Files\Corel
2008-09-15 17:25 --------- d-----w C:\Program Files\Common Files\Corel
2008-09-15 09:43 22,328 ----a-w C:\WINDOWS\system32\drivers\PnkBstrK.sys
2008-09-15 09:43 103,736 ----a-w C:\WINDOWS\system32\PnkBstrB.exe
2008-09-14 07:53 --------- d-----w C:\Program Files\Common Files\DVDVideoSoft
2008-09-13 21:23 --------- d-----w C:\Program Files\Pristy Utils
2008-09-11 12:54 --------- d-----w C:\Program Files\Common Files\INCA Shared
2008-09-10 16:47 --------- d-----w C:\Program Files\Games-Masters.com
2008-09-06 10:21 --------- d-----w C:\Documents and Settings\Zoki\Application Data\U3
2008-09-06 05:53 --------- d-----w C:\Documents and Settings\Zoki\Application Data\Bret Taylor
2008-09-05 14:46 --------- d-----w C:\Program Files\Google
2008-09-02 18:56 --------- d-----w C:\Program Files\Sierra On-Line
2008-09-02 18:49 --------- d-----w C:\Program Files\cstrike
2008-09-02 18:44 --------- d-----w C:\Program Files\D-Tools
2008-09-01 08:47 --------- d-----w C:\Program Files\TeamViewer3
2008-09-01 08:47 --------- d-----w C:\Documents and Settings\Zoki\Application Data\TeamViewer
2008-08-26 16:23 --------- d-----w C:\Program Files\Mv2Player
2008-08-26 15:40 --------- d-----w C:\Program Files\The Simpsons Hit 'n' run
2008-08-25 17:21 --------- d-----w C:\Program Files\registracija.programa
2008-08-25 17:07 --------- d-----w C:\Program Files\Common Files\InstallShield
2008-08-25 17:06 --------- d-----w C:\Program Files\InstallShield
2008-08-25 17:05 --------- d-----w C:\Program Files\InstallShield Express - Borland Limited Edition
2008-08-20 08:21 --------- d-----w C:\Documents and Settings\All Users\Application Data\U3
2008-08-19 18:21 --------- d-----w C:\Program Files\NotesSQL
2008-08-19 18:21 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-08-19 18:20 --------- d-----w C:\Program Files\Crystal Decisions
2008-08-19 18:20 --------- d-----w C:\Program Files\Common Files\Merge Modules
2008-08-19 18:20 --------- d-----w C:\Program Files\Common Files\Crystal Decisions
2008-08-19 14:35 --------- d-----w C:\Program Files\MSXML 4.0
2008-08-19 10:05 --------- d-----w C:\Program Files\NBA 2008
2008-08-18 11:19 --------- d-----w C:\Program Files\Sony Ericsson
2008-08-18 11:19 --------- d-----w C:\Program Files\Common Files\Teleca Shared
2008-08-18 11:19 --------- d-----w C:\Documents and Settings\All Users\Application Data\Sony Ericsson
2008-08-03 15:06 107,888 ----a-w C:\WINDOWS\system32\CmdLineExt.dll
2008-08-01 10:21 66,872 ----a-w C:\WINDOWS\system32\PnkBstrA.exe
2008-07-31 19:51 14,290 ----a-w C:\Program Files\settings.dat
2008-07-31 17:20 315,392 ----a-w C:\WINDOWS\HideWin.exe
2008-07-29 18:21 218,376 ----a-w C:\WINDOWS\system32\klogon.dll
2008-07-18 20:10 94,920 ----a-w C:\WINDOWS\system32\cdm.dll
2008-07-18 20:10 53,448 ----a-w C:\WINDOWS\system32\wuauclt.exe
2008-07-18 20:10 45,768 ----a-w C:\WINDOWS\system32\wups2.dll
2008-07-18 20:10 36,552 ----a-w C:\WINDOWS\system32\wups.dll
2008-07-18 20:09 563,912 ----a-w C:\WINDOWS\system32\wuapi.dll
2008-07-18 20:09 325,832 ----a-w C:\WINDOWS\system32\wucltui.dll
2008-07-18 20:09 205,000 ----a-w C:\WINDOWS\system32\wuweb.dll
2008-07-18 20:09 1,811,656 ----a-w C:\WINDOWS\system32\wuaueng.dll
2008-04-14 03:42 933,888 --sh--r C:\WINDOWS\system32\sbthost.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"StartCCC"="C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2006-11-10 90112]
"openvpn-gui"="C:\Program Files\OpenVPN\bin\openvpn-gui.exe" [2005-08-18 99328]
"{0228e555-4f9c-4e35-a3ec-b109a192b4c2}"="C:\Program Files\Google\Gmail Notifier\gnotify.exe" [2005-07-15 479232]
"ciko"="C:\WINDOWS\system32\nydooryt.exe" [2008-10-03 230400]
"AVP"="C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe" [2008-07-29 206088]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"ciko"="C:\WINDOWS\system32\nydooryt.exe" [2008-10-03 230400]
"Speed Driver"="sbthost.exe" [2008-04-14 C:\WINDOWS\system32\sbthost.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoResolveSearch"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.divxa32"= msaud32_divx.acm

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Documents and Settings\\All Users\\Application Data\\Kaspersky Lab Setup Files\\Kaspersky Internet Security 7.0.1.325\\English\\setup.exe"=
"C:\\Program Files\\uTorrent\\uTorrent.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\MSN Messenger\\livecall.exe"=

R0 klbg;Kaspersky Lab Boot Guard Driver;C:\WINDOWS\system32\drivers\klbg.sys [2008-01-29 32784]
R0 pnpshark;pnpshark;C:\WINDOWS\system32\DRIVERS\pnpshark.sys [2003-10-02 119552]
R0 st3shark;st3shark;C:\WINDOWS\system32\DRIVERS\st3shark.sys [2003-09-27 5504]
R2 PSI_SVC_2;Protexis Licensing V2;c:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe [2007-07-24 185632]
R3 FVDSCSI;FVDSCSI;C:\WINDOWS\system32\DRIVERS\fvdscsi.sys [2003-08-09 60008]
R3 KLFLTDEV;Kaspersky Lab KLFltDev;C:\WINDOWS\system32\DRIVERS\klfltdev.sys [2008-03-13 26640]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;C:\WINDOWS\system32\DRIVERS\klim5.sys [2008-04-30 24592]
R3 SNP2STD;USB2.0 PC Camera (SNP2STD);C:\WINDOWS\system32\DRIVERS\snp2sxp.sys [2007-04-09 12039552]
R3 tap0801;TAP-Win32 Adapter V8;C:\WINDOWS\system32\DRIVERS\tap0801.sys [2006-10-01 26624]
S2 zaefnat7zy4jy;Blue Coat K9 Web Protection;C:\WINDOWS\system32\quaryhoobou.exe [2008-10-03 230400]
S3 dump_wmimmc;dump_wmimmc;C:\Program Files\Games-Masters.com\CABAL Online (Europe)\GameGuard\dump_wmimmc.sys [ ]
S3 s115bus;Sony Ericsson Device 115 driver (WDM);C:\WINDOWS\system32\DRIVERS\s115bus.sys [2007-04-23 83208]
S3 s115mdfl;Sony Ericsson Device 115 USB WMC Modem Filter;C:\WINDOWS\system32\DRIVERS\s115mdfl.sys [2007-04-23 15112]
S3 s115mdm;Sony Ericsson Device 115 USB WMC Modem Driver;C:\WINDOWS\system32\DRIVERS\s115mdm.sys [2007-04-23 108680]
S3 s115obex;Sony Ericsson Device 115 USB WMC OBEX Interface;C:\WINDOWS\system32\DRIVERS\s115obex.sys [2007-04-23 98568]
S3 SetupNTGLM7X;SetupNTGLM7X;G:\NTGLM7X.sys [ ]
S3 usnjsvc;Usluga Messenger Sharing Folders USN Journal Reader;C:\Program Files\MSN Messenger\usnsvc.exe [2007-01-19 97136]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2da133c1-612c-11dd-9f72-0021851090d7}]
\Shell\AutoRun\command - ta2.cmd
\Shell\explore\Command - ta2.cmd
\Shell\open\Command - ta2.cmd
.
Contents of the 'Scheduled Tasks' folder

2008-10-18 C:\WINDOWS\Tasks\GoogleUpdateTaskUser.job
- C:\Documents and Settings\Zoki\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-09-04 16:46]
.
.
------- Supplementary Scan -------
.
FireFox -: Profile - C:\Documents and Settings\Zoki\Application Data\Mozilla\Firefox\Profiles\242yqlac.default\
FireFox -: prefs.js - STARTUP.HOMEPAGE -
FF -: plugin - C:\Documents and Settings\Zoki\Local Settings\Application Data\Google\Update\1.2.131.19\npGoogleOneClick6.dll
FF -: plugin - C:\Program Files\Java\j2re1.4.1_02\bin\NPJava11.dll
FF -: plugin - C:\Program Files\Java\j2re1.4.1_02\bin\NPJava12.dll
FF -: plugin - C:\Program Files\Java\j2re1.4.1_02\bin\NPJava13.dll
FF -: plugin - C:\Program Files\Java\j2re1.4.1_02\bin\NPJava32.dll
FF -: plugin - C:\Program Files\Java\j2re1.4.1_02\bin\NPJPI141_02.dll
FF -: plugin - C:\Program Files\Java\j2re1.4.1_02\bin\NPOJI610.dll
FF -: plugin - c:\Program Files\Microsoft Silverlight\2.0.30523.8\npctrl.dll
FF -: plugin - C:\Program Files\Mozilla Firefox\plugins\NPJava11.dll
FF -: plugin - C:\Program Files\Mozilla Firefox\plugins\NPJava12.dll
FF -: plugin - C:\Program Files\Mozilla Firefox\plugins\NPJava13.dll
FF -: plugin - C:\Program Files\Mozilla Firefox\plugins\NPJava32.dll
FF -: plugin - C:\Program Files\Mozilla Firefox\plugins\NPJPI141_02.dll
FF -: plugin - C:\Program Files\Mozilla Firefox\plugins\NPOJI610.dll
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, gmer.net
Rootkit scan 2008-10-18 11:32:43
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\ati2evxx.exe
C:\WINDOWS\system32\ati2evxx.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2008-10-18 11:34:45 - machine was rebooted
ComboFix-quarantined-files.txt 2008-10-18 09:34:42

Pre-Run: 171.087.126.528 bytes free
Post-Run: 170,982,637,568 bytes free

253 --- E O F --- 2008-09-10 16:40:07

  • Joined: 04 Sep 2003
  • Posts: 24135
  • Location: Wien

1. Send me the following file for checking:
C:\WINDOWS\system32\rtclmg32.dll

Upload it via the following form:
http://www.mycity.rs/ambulanta-upload.php


2. Open Notepad and copy the following text:

File::
C:\WINDOWS\system32\quaryhoobou.exe
C:\WINDOWS\system32\nydooryt.exe

Driver::
zaefnat7zy4jy


Save the Notepad file to the Desktop as "CFScript"

Drag the saved script/text onto the ComboFix icon as shown in the picture.
Post in your next message the log that is produced at the end of the cleaning/scanning.

There is more to do after that, but first do what I wrote above.
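The helper's triage above rests on a few signals a practitioner can automate: an autostart whose target file was created shortly before the scan, a service whose binary is reported missing, an entry under the RunServices key, and a file carrying an impossible (future) creation timestamp such as rtclmg32.dll. The following Python script is an added example, not code from this thread or from HijackThis/ComboFix. It parses a handful of lines copied from the logs above (embedded as a constructed sample), cross-references the HijackThis O4/O23 entries with ComboFix's "Files Created" list, and reports which autostarts deserve a second look. The 30-day window, the scan time taken from the ComboFix header, and the "RunServices is rarely legitimate on NT" heuristic are this example's own assumptions, not rules from the thread.

```python
"""Triage helper (added example): cross-check HijackThis autostart entries
against ComboFix's 'Files Created' list to surface recently dropped, missing
or oddly registered autostarts."""
import re
from datetime import datetime, timedelta

# Constructed sample: lines copied verbatim from the logs posted in this thread.
HJT_SAMPLE = r"""
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe"
O4 - HKLM\..\Run: [ciko] C:\WINDOWS\system32\nydooryt.exe
O4 - HKLM\..\RunServices: [Speed Driver] sbthost.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O23 - Service: Kaspersky Internet Security (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe
O23 - Service: Blue Coat K9 Web Protection (zaefnat7zy4jy) - Unknown owner - C:\WINDOWS\system32\quaryhoobou.exe (file missing)
"""

CF_CREATED_SAMPLE = r"""
2063-09-19 07:50 . 2063-09-19 07:50 5,501 --a------ C:\WINDOWS\system32\rtclmg32.dll
2008-10-18 09:46 . 2008-10-03 11:35 230,400 --a------ C:\WINDOWS\system32\quaryhoobou.exe
2008-10-16 19:04 . 2008-10-16 19:04 <DIR> d-------- C:\Program Files\Kaspersky Lab
2008-10-03 10:03 . 2008-10-03 11:35 230,400 --a------ C:\WINDOWS\system32\nydooryt.exe
"""

# Assumption: taken from the ComboFix header line ("2008-10-18 11:28:34").
SCAN_TIME = datetime(2008, 10, 18, 11, 28)

O4_RE = re.compile(r"^O4 - (?P<hive>\S+?)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O23_RE = re.compile(r"^O23 - Service: (?P<display>.*?) \((?P<svc>[^)]+)\) - (?P<owner>.*?) - "
                    r"(?P<path>.*?)(?P<missing> \(file missing\))?$")
CF_RE = re.compile(r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. "
                   r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) "
                   r"(?P<size>[\d,]+|<DIR>) (?P<attrs>\S+) (?P<path>.*)$")


def _command_path(cmd):
    """Pull the executable path out of a Run-key command line."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:cmd.index('"', 1)]
    m = re.match(r"(.+?\.(?:exe|dll|scr|com))(?:\s|$)", cmd, re.I)
    return m.group(1) if m else cmd.split()[0]


def parse_hjt_autostarts(text):
    """Parse HijackThis O4 (Run keys) and O23 (services) lines."""
    entries = []
    for line in text.strip().splitlines():
        if m := O4_RE.match(line):
            entries.append({"kind": "O4", "key": m["key"], "name": m["name"],
                            "path": _command_path(m["cmd"]), "missing": False, "raw": line})
        elif m := O23_RE.match(line):
            entries.append({"kind": "O23", "key": "Service", "name": m["svc"],
                            "path": m["path"], "missing": m["missing"] is not None, "raw": line})
    return entries


def parse_combofix_created(text):
    """Parse ComboFix 'Files Created' lines into {lowercased path: record}."""
    records = {}
    for line in text.strip().splitlines():
        if m := CF_RE.match(line):
            records[m["path"].lower()] = {
                "created": datetime.strptime(m["created"], "%Y-%m-%d %H:%M"),
                "path": m["path"], "is_dir": m["size"] == "<DIR>"}
    return records


def triage(hjt_text, cf_text, scan_time, window_days=30):
    """Return {raw HijackThis line: [reasons]} for autostarts worth a second look."""
    created = parse_combofix_created(cf_text)
    findings = {}
    for e in parse_hjt_autostarts(hjt_text):
        reasons = []
        if e["missing"]:
            reasons.append("target file missing")
        if e["key"].lower() == "runservices":
            # Assumption: RunServices is a Win9x-era key, rarely used by legitimate NT software.
            reasons.append("registered under RunServices")
        if "\\" not in e["path"]:
            reasons.append("bare filename, located via PATH search")
        rec = created.get(e["path"].lower())
        if rec is not None:
            age = scan_time - rec["created"]
            if age < timedelta(0):
                reasons.append("creation timestamp in the future")
            elif age <= timedelta(days=window_days):
                reasons.append(f"created {age.days} day(s) before the scan")
        if reasons:
            findings[e["raw"]] = reasons
    return findings


def future_timestamped(cf_text, scan_time):
    """Paths whose recorded creation time lies after the scan itself ran."""
    return [r["path"] for r in parse_combofix_created(cf_text).values()
            if r["created"] > scan_time]


if __name__ == "__main__":
    for raw, why in triage(HJT_SAMPLE, CF_CREATED_SAMPLE, SCAN_TIME).items():
        print(raw, "\n   ->", "; ".join(why))
    print("Future-dated files:", future_timestamped(CF_CREATED_SAMPLE, SCAN_TIME))
```

Run against the sample, the script flags the two Run/RunServices entries and the K9-named service that the helper scripted for removal, leaves the ATI, ctfmon and Kaspersky entries alone, and lists rtclmg32.dll as future-dated, which is the file the helper asked to have uploaded. The heuristics only prioritise what a human then verifies; a recent creation date by itself is also true of every freshly installed legitimate program.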

  • Joined: 02 Jul 2008
  • Posts: 125

I have sent the file C:\WINDOWS\system32\rtclmg32.dll

Update: 18 Oct 2008 12:24

ComboFix 08-10-17.01 - Zoki 2008-10-18 12:13:17.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1250.1.1033.18.2545 [GMT 2:00]
Running from: C:\Documents and Settings\Zoki\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Zoki\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\WINDOWS\system32\nydooryt.exe
C:\WINDOWS\system32\quaryhoobou.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\nydooryt.exe
C:\WINDOWS\system32\quaryhoobou.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_ZAEFNAT7ZY4JY
-------\Service_zaefnat7zy4jy


((((((((((((((((((((((((( Files Created from 2008-09-18 to 2008-10-18 )))))))))))))))))))))))))))))))
.

2063-09-19 07:50 . 2063-09-19 07:50 5,501 --a------ C:\WINDOWS\system32\rtclmg32.dll
2008-10-17 19:08 . 2008-10-18 08:52 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-10-17 19:08 . 2008-10-17 19:08 1,409 --a------ C:\WINDOWS\QTFont.for
2008-10-16 19:05 . 2008-10-16 19:25 96,976 --a------ C:\WINDOWS\system32\drivers\klin.dat
2008-10-16 19:05 . 2008-10-16 19:05 87,855 --a------ C:\WINDOWS\system32\drivers\klick.dat
2008-10-16 19:04 . 2008-10-16 19:04 <DIR> d-------- C:\Program Files\Kaspersky Lab
2008-10-16 19:04 . 2008-10-18 11:20 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-10-16 19:04 . 2008-10-18 12:14 6,583,840 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2008-10-16 19:04 . 2008-10-18 12:14 450,592 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.dat
2008-10-16 19:04 . 2008-10-18 12:14 55,660 --ahs---- C:\WINDOWS\system32\drivers\fidbox.idx
2008-10-16 19:04 . 2008-10-18 12:14 4,716 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.idx
2008-10-13 20:35 . 2008-10-17 19:10 9,221 --a------ C:\WINDOWS\system32\QuickTimeFavorites.qtr
2008-10-13 20:34 . 2008-10-13 20:35 <DIR> d-------- C:\WINDOWS\system32\QuickTime
2008-10-13 20:34 . 2004-03-22 07:52 12,276,904 --a------ C:\temp\QuickTimeInstaller.exe
2008-10-13 20:34 . 2008-10-17 19:11 10,308 --a------ C:\WINDOWS\system32\QuickTime.qtp
2008-10-13 20:31 . 2008-10-13 20:32 <DIR> d-------- C:\temp\QT6
2008-10-13 20:15 . 2008-10-13 20:15 <DIR> d-------- C:\Program Files\TEXTware
2008-10-13 20:15 . 2003-09-24 20:24 327,680 --a------ C:\WINDOWS\system32\QFClient2.dll
2008-10-13 20:10 . 2008-10-13 20:10 <DIR> d-------- C:\Program Files\Longman
2008-10-11 15:37 . 2008-10-11 15:37 <DIR> d--h----- C:\WINDOWS\PIF
2008-10-07 18:05 . 2008-10-07 18:05 <DIR> d-------- C:\Documents and Settings\Zoki\Application Data\Ahead
2008-10-07 17:46 . 2008-10-07 17:46 <DIR> d-------- C:\Program Files\Valve
2008-10-07 17:45 . 2008-10-16 19:16 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-10-07 13:39 . 2008-10-07 13:39 <DIR> d-------- C:\Program Files\MSN Messenger
2008-10-04 21:29 . 2002-04-01 17:53 102,400 --a------ C:\WINDOWS\system32\TrackerNET.dll
2008-10-04 21:27 . 2001-07-31 10:55 217,088 --a------ C:\WINDOWS\system32\libmySQL.dll
2008-10-03 16:41 . 1996-11-08 02:48 368,912 --a------ C:\WINDOWS\system32\vbar332.dll
2008-10-03 16:41 . 2006-08-23 14:00 163,840 --a------ C:\WINDOWS\system32\egusound.ocx
2008-10-03 16:41 . 1999-03-13 00:00 127,488 --a------ C:\WINDOWS\system32\Ccrpsld.ocx
2008-09-29 22:19 . 2008-09-29 22:19 134 --a------ C:\WINDOWS\system32\CTSTATUS.FCS
2008-09-29 22:10 . 2008-10-03 17:09 <DIR> d-------- C:\Documents and Settings\Zoki\Application Data\F-Secure
2008-09-29 21:41 . 2008-10-16 19:02 <DIR> d-------- C:\Program Files\PC Protection Plus
2008-09-29 21:41 . 2008-09-29 21:41 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\fssg
2008-09-29 21:41 . 2008-10-16 19:00 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\F-Secure
2008-09-29 21:38 . 2008-09-25 16:08 86,169,440 --a------ C:\temp\PC-Protection-Plus-700-387.exe
2008-09-25 14:04 . 2008-04-14 00:24 22,016 --a------ C:\WINDOWS\system32\drivers\MSIRCOMM.sys
2008-09-25 14:04 . 2008-04-14 00:24 22,016 --a--c--- C:\WINDOWS\system32\dllcache\msircomm.sys
2008-09-24 15:47 . 2008-09-24 15:47 <DIR> d-------- C:\Program Files\Cambridge
2008-09-24 15:46 . 2008-09-24 15:46 <DIR> d-------- C:\Documents and Settings\Zoki\Application Data\cld3-lookup
2008-09-24 15:45 . 2008-09-24 15:45 <DIR> d--hs---- C:\WINDOWS\ftpcache
2008-09-24 15:45 . 2008-10-03 23:25 <DIR> d-------- C:\Documents and Settings\Zoki\Application Data\EssentialGrammarInUse
2008-09-20 10:41 . 2008-09-20 10:41 <DIR> d-------- C:\Program Files\Common Files\Blizzard Entertainment

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-10-18 09:18 --------- d-----w C:\Documents and Settings\Zoki\Application Data\uTorrent
2008-10-17 18:11 11,270 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys
2008-10-15 18:51 494 ----a-w C:\Program Files\Professional
2008-10-15 18:51 --------- d-----w C:\Program Files\Professional §©®ÎŢt v.4 Black
2008-10-15 17:10 --------- d-----w C:\Documents and Settings\Zoki\Application Data\XnView
2008-10-14 06:42 --------- d-----w C:\Documents and Settings\Zoki\Application Data\skypePM
2008-10-14 06:42 --------- d-----w C:\Documents and Settings\Zoki\Application Data\Skype
2008-10-13 18:35 --------- d-----w C:\Program Files\QuickTime
2008-10-13 18:23 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple Computer
2008-10-10 18:54 --------- d-----w C:\Documents and Settings\Zoki\Application Data\dvdcss
2008-10-08 19:24 --------- d-----w C:\Program Files\Achilles-Script 5.0 Black
2008-10-07 15:46 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-09-29 12:29 --------- d-----w C:\Documents and Settings\Zoki\Application Data\Wildfire
2008-09-28 06:39 --------- d-----w C:\Program Files\GIMPPortable
2008-09-26 12:07 --------- d-----w C:\Program Files\EA Sports
2008-09-23 19:09 --------- d-----w C:\Documents and Settings\All Users\Application Data\Kaspersky Lab Setup Files
2008-09-22 17:41 --------- d-----w C:\Program Files\Common Files\Adobe
2008-09-20 07:46 2,828 --sha-w C:\Documents and Settings\All Users\Application Data\KGyGaAvL.sys
2008-09-20 07:45 88 --sh--r C:\Documents and Settings\All Users\Application Data\B7CBA65A96.sys
2008-09-17 18:25 --------- d-----w C:\Documents and Settings\Zoki\Application Data\FarStone
2008-09-17 18:12 --------- d-----w C:\Program Files\FarStone
2008-09-17 18:11 81,920 ----a-w C:\WINDOWS\system32\Dversion.dll
2008-09-17 18:11 61,440 ----a-w C:\WINDOWS\system32\RDrvNTInterface.dll
2008-09-17 18:11 61,440 ----a-w C:\WINDOWS\system32\RDrv2KInterface.dll
2008-09-17 18:11 28,672 ----a-w C:\WINDOWS\system32\RDrv9xInterface.dll
2008-09-17 18:11 24,576 ----a-w C:\WINDOWS\system32\RDrvInterface.dll
2008-09-17 18:11 114,688 ----a-w C:\WINDOWS\system32\DVC.dll
2008-09-15 17:28 --------- d-----w C:\Documents and Settings\Zoki\Application Data\Corel
2008-09-15 17:27 --------- d-----w C:\Program Files\Common Files\Protexis
2008-09-15 17:27 --------- d-----w C:\Documents and Settings\All Users\Application Data\Corel
2008-09-15 17:25 --------- d-----w C:\Program Files\Corel
2008-09-15 17:25 --------- d-----w C:\Program Files\Common Files\Corel
2008-09-15 09:43 22,328 ----a-w C:\WINDOWS\system32\drivers\PnkBstrK.sys
2008-09-15 09:43 103,736 ----a-w C:\WINDOWS\system32\PnkBstrB.exe
2008-09-14 07:53 --------- d-----w C:\Program Files\Common Files\DVDVideoSoft
2008-09-13 21:23 --------- d-----w C:\Program Files\Pristy Utils
2008-09-11 12:54 --------- d-----w C:\Program Files\Common Files\INCA Shared
2008-09-10 16:47 --------- d-----w C:\Program Files\Games-Masters.com
2008-09-06 10:21 --------- d-----w C:\Documents and Settings\Zoki\Application Data\U3
2008-09-06 05:53 --------- d-----w C:\Documents and Settings\Zoki\Application Data\Bret Taylor
2008-09-05 14:46 --------- d-----w C:\Program Files\Google
2008-09-02 18:56 --------- d-----w C:\Program Files\Sierra On-Line
2008-09-02 18:49 --------- d-----w C:\Program Files\cstrike
2008-09-02 18:44 --------- d-----w C:\Program Files\D-Tools
2008-09-01 08:47 --------- d-----w C:\Program Files\TeamViewer3
2008-09-01 08:47 --------- d-----w C:\Documents and Settings\Zoki\Application Data\TeamViewer
2008-08-26 16:23 --------- d-----w C:\Program Files\Mv2Player
2008-08-26 15:40 --------- d-----w C:\Program Files\The Simpsons Hit 'n' run
2008-08-25 17:21 --------- d-----w C:\Program Files\registracija.programa
2008-08-25 17:07 --------- d-----w C:\Program Files\Common Files\InstallShield
2008-08-25 17:06 --------- d-----w C:\Program Files\InstallShield
2008-08-25 17:05 --------- d-----w C:\Program Files\InstallShield Express - Borland Limited Edition
2008-08-20 08:21 --------- d-----w C:\Documents and Settings\All Users\Application Data\U3
2008-08-19 18:21 --------- d-----w C:\Program Files\NotesSQL
2008-08-19 18:21 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-08-19 18:20 --------- d-----w C:\Program Files\Crystal Decisions
2008-08-19 18:20 --------- d-----w C:\Program Files\Common Files\Merge Modules
2008-08-19 18:20 --------- d-----w C:\Program Files\Common Files\Crystal Decisions
2008-08-19 14:35 --------- d-----w C:\Program Files\MSXML 4.0
2008-08-19 10:05 --------- d-----w C:\Program Files\NBA 2008
2008-08-18 11:19 --------- d-----w C:\Program Files\Sony Ericsson
2008-08-18 11:19 --------- d-----w C:\Program Files\Common Files\Teleca Shared
2008-08-18 11:19 --------- d-----w C:\Documents and Settings\All Users\Application Data\Sony Ericsson
2008-08-03 15:06 107,888 ----a-w C:\WINDOWS\system32\CmdLineExt.dll
2008-08-01 10:21 66,872 ----a-w C:\WINDOWS\system32\PnkBstrA.exe
2008-07-31 19:51 14,290 ----a-w C:\Program Files\settings.dat
2008-07-31 17:20 315,392 ----a-w C:\WINDOWS\HideWin.exe
2008-07-29 18:21 218,376 ----a-w C:\WINDOWS\system32\klogon.dll
2008-07-18 20:10 94,920 ----a-w C:\WINDOWS\system32\cdm.dll
2008-07-18 20:10 53,448 ----a-w C:\WINDOWS\system32\wuauclt.exe
2008-07-18 20:10 45,768 ----a-w C:\WINDOWS\system32\wups2.dll
2008-07-18 20:10 36,552 ----a-w C:\WINDOWS\system32\wups.dll
2008-07-18 20:09 563,912 ----a-w C:\WINDOWS\system32\wuapi.dll
2008-07-18 20:09 325,832 ----a-w C:\WINDOWS\system32\wucltui.dll
2008-07-18 20:09 205,000 ----a-w C:\WINDOWS\system32\wuweb.dll
2008-07-18 20:09 1,811,656 ----a-w C:\WINDOWS\system32\wuaueng.dll
2008-04-14 03:42 933,888 --sh--r C:\WINDOWS\system32\sbthost.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"StartCCC"="C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2006-11-10 90112]
"openvpn-gui"="C:\Program Files\OpenVPN\bin\openvpn-gui.exe" [2005-08-18 99328]
"{0228e555-4f9c-4e35-a3ec-b109a192b4c2}"="C:\Program Files\Google\Gmail Notifier\gnotify.exe" [2005-07-15 479232]
"AVP"="C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe" [2008-07-29 206088]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"Speed Driver"="sbthost.exe" [2008-04-14 C:\WINDOWS\system32\sbthost.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoResolveSearch"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.divxa32"= msaud32_divx.acm

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Documents and Settings\\All Users\\Application Data\\Kaspersky Lab Setup Files\\Kaspersky Internet Security 7.0.1.325\\English\\setup.exe"=
"C:\\Program Files\\uTorrent\\uTorrent.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\MSN Messenger\\livecall.exe"=

R0 klbg;Kaspersky Lab Boot Guard Driver;C:\WINDOWS\system32\drivers\klbg.sys [2008-01-29 32784]
R0 pnpshark;pnpshark;C:\WINDOWS\system32\DRIVERS\pnpshark.sys [2003-10-02 119552]
R0 st3shark;st3shark;C:\WINDOWS\system32\DRIVERS\st3shark.sys [2003-09-27 5504]
R2 PSI_SVC_2;Protexis Licensing V2;c:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe [2007-07-24 185632]
R3 FVDSCSI;FVDSCSI;C:\WINDOWS\system32\DRIVERS\fvdscsi.sys [2003-08-09 60008]
R3 KLFLTDEV;Kaspersky Lab KLFltDev;C:\WINDOWS\system32\DRIVERS\klfltdev.sys [2008-03-13 26640]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;C:\WINDOWS\system32\DRIVERS\klim5.sys [2008-04-30 24592]
R3 SNP2STD;USB2.0 PC Camera (SNP2STD);C:\WINDOWS\system32\DRIVERS\snp2sxp.sys [2007-04-09 12039552]
R3 tap0801;TAP-Win32 Adapter V8;C:\WINDOWS\system32\DRIVERS\tap0801.sys [2006-10-01 26624]
S3 dump_wmimmc;dump_wmimmc;C:\Program Files\Games-Masters.com\CABAL Online (Europe)\GameGuard\dump_wmimmc.sys [ ]
S3 s115bus;Sony Ericsson Device 115 driver (WDM);C:\WINDOWS\system32\DRIVERS\s115bus.sys [2007-04-23 83208]
S3 s115mdfl;Sony Ericsson Device 115 USB WMC Modem Filter;C:\WINDOWS\system32\DRIVERS\s115mdfl.sys [2007-04-23 15112]
S3 s115mdm;Sony Ericsson Device 115 USB WMC Modem Driver;C:\WINDOWS\system32\DRIVERS\s115mdm.sys [2007-04-23 108680]
S3 s115obex;Sony Ericsson Device 115 USB WMC OBEX Interface;C:\WINDOWS\system32\DRIVERS\s115obex.sys [2007-04-23 98568]
S3 SetupNTGLM7X;SetupNTGLM7X;G:\NTGLM7X.sys [ ]
S3 usnjsvc;Usluga Messenger Sharing Folders USN Journal Reader;C:\Program Files\MSN Messenger\usnsvc.exe [2007-01-19 97136]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2da133c1-612c-11dd-9f72-0021851090d7}]
\Shell\AutoRun\command - ta2.cmd
\Shell\explore\Command - ta2.cmd
\Shell\open\Command - ta2.cmd
.
Contents of the 'Scheduled Tasks' folder

2008-10-18 C:\WINDOWS\Tasks\GoogleUpdateTaskUser.job
- C:\Documents and Settings\Zoki\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-09-04 16:46]
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-ciko - C:\WINDOWS\system32\nydooryt.exe
HKLM-RunServices-ciko - C:\WINDOWS\system32\nydooryt.exe



**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, gmer.net
Rootkit scan 2008-10-18 12:16:07
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\ati2evxx.exe
C:\WINDOWS\system32\ati2evxx.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2008-10-18 12:18:04 - machine was rebooted
ComboFix-quarantined-files.txt 2008-10-18 10:18:00

Pre-Run: 170.956.677.120 bytes free
Post-Run: 170,944,479,232 bytes free

232 --- E O F --- 2008-09-10 16:40:07

offline
  • Joined: 04 Sep 2003
  • Posts: 24135
  • Location: Wien

Zoran, we are still waiting for the analysis of that file you sent. I could not reach any conclusion about it myself, so I had to pass it on to some people to take a look at it.

Update: 19 Oct 2008 0:54

Open Notepad and enter the following text:
attrib -S -H C:\WINDOWS\system32\sbthost.exe

Save the file somewhere as Look.bat
Run that little program by double-clicking it. A program window will appear only for a moment and disappear right away.
The following file should now be visible in Explorer:
C:\WINDOWS\system32\sbthost.exe

Upload it for checking through the following form:
http://www.mycity.rs/ambulanta-upload.php

As for the file whose analysis we are waiting on, I have been told that it is encrypted and that it is not a real DLL. I am still waiting for information on which program it belongs to. The guy tells me it might belong to Zone Alarm, but you do not have Zone Alarm installed, so that is out.

offline
  • Joined: 02 Jul 2008
  • Posts: 125

I have uploaded the requested file.

Regards

offline
  • Joined: 04 Sep 2003
  • Posts: 24135
  • Location: Wien

Open Notepad and copy in the following text:

File::
C:\WINDOWS\system32\sbthost.exe
C:\WINDOWS\system32\rtclmg32.dll

Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"Speed Driver"=-
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2da133c1-612c-11dd-9f72-0021851090d7}]

Save the file from Notepad to the Desktop as "CFScript"

Drag the saved script/text onto the ComboFix icon, as in the picture.
Post the log that is produced at the end of the cleaning/scan in your next message.

That last file you sent me is a bot, and it got onto your computer by itself because you do not have a firewall installed. Think about installing a firewall.

Let me know whether there are any more visible symptoms.

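The two steps the helper performs by hand in this thread, spotting the indicators in the ComboFix log (a hidden+system executable in system32 that needed `attrib -S -H` before it could even be uploaded, a RunServices autostart pointing at it, the mountpoints2 AutoRun/open/explore verbs running ta2.cmd from a removable drive, and the Security Center and firewall settings that explain why the bot walked in) and then writing the File::/Registry:: CFScript that removes them, can be scripted. The block below is an added example, not ComboFix's code and not the helper's; the sample log lines are copied from the log posted earlier in the thread, while the triage rules (which attributes, keys and values count as suspicious) are the editor's own heuristics. The script it generates matches the helper's except for rtclmg32.dll, which never appears in the log itself and was identified from the uploaded sample, so a tool working from the log alone cannot produce that line.

```python
"""Added example, not ComboFix's or the thread helper's code: pick the indicator
types discussed in this thread out of ComboFix log lines and render them as a
CFScript in the File::/Registry:: format used above."""
import re

# Constructed sample: lines copied from the ComboFix log posted earlier in the thread.
SAMPLE_LOG = r"""
2008-09-20 07:45 88 --sh--r C:\Documents and Settings\All Users\Application Data\B7CBA65A96.sys
2008-07-29 18:21 218,376 ----a-w C:\WINDOWS\system32\klogon.dll
2008-04-14 03:42 933,888 --sh--r C:\WINDOWS\system32\sbthost.exe
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVP"="C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe" [2008-07-29 206088]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"Speed Driver"="sbthost.exe" [2008-04-14 C:\WINDOWS\system32\sbthost.exe]
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2da133c1-612c-11dd-9f72-0021851090d7}]
\Shell\AutoRun\command - ta2.cmd
\Shell\explore\Command - ta2.cmd
\Shell\open\Command - ta2.cmd
"""

# Find3M line: date time size attrs path (size is a run of dashes for directories).
FIND3M = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2} +(?:[\d,]+|-+) +([-a-z]{7}) +(.+)$")
REG_KEY = re.compile(r"^\[(.+)\]$")
REG_VALUE = re.compile(r'^"([^"]+)" *= *(.*)$')
MOUNT_VERB = re.compile(r"^\\Shell\\\w+\\command +- +(.+)$", re.IGNORECASE)


def triage(log_text):
    """Return (kind, subject, note) findings. Kinds 'file', 'value' and 'key' are
    removal candidates; 'review' is a weakened defence to report, not to delete."""
    findings, key = [], None
    for line in (raw.strip() for raw in log_text.splitlines()):
        if not line:
            continue
        m = REG_KEY.match(line)
        if m:
            key = m.group(1)
            continue
        m = FIND3M.match(line)
        if m:
            attrs, path = m.groups()
            # Hidden+system on an .exe is exactly what the helper had to undo with
            # attrib -S -H before the file could be seen and uploaded. Heuristic only:
            # a human still decides whether the file is malicious.
            if "s" in attrs and "h" in attrs and path.lower().endswith(".exe"):
                findings.append(("file", path, f"hidden+system executable ({attrs})"))
            continue
        m = MOUNT_VERB.match(line)
        if m and key and "mountpoints2" in key.lower():
            # AutoRun/open/explore verbs of a drive all pointing at a script on that
            # drive: the removable-media worm handler ComboFix listed above.
            findings.append(("key", key, f"drive shell verb runs {m.group(1)}"))
            continue
        m = REG_VALUE.match(line)
        if not (m and key):
            continue
        name, data = m.groups()
        lkey = key.lower()
        if lkey.endswith("\\runservices"):
            # Windows 9x-era key; legitimate XP software has no reason to write here.
            findings.append(("value", (key, name), f"RunServices autostart: {data}"))
        elif lkey.endswith("security center") and name.endswith("Override") and data == "dword:00000001":
            findings.append(("review", (key, name), "Security Center override set"))
        elif "firewallpolicy" in lkey and name == "EnableFirewall" and data.startswith("0"):
            findings.append(("review", (key, name), "Windows Firewall disabled"))
    return findings


def render_cfscript(findings):
    """Emit the script the helper wrote by hand: File:: lists paths to delete;
    Registry:: uses REGEDIT4 syntax, where "name"=- deletes a value and [-KEY] a key."""
    files = sorted({subject for kind, subject, _ in findings if kind == "file"})
    reg = []
    for kind, subject, _ in findings:
        if kind == "value":
            reg += [f"[{subject[0]}]", f'"{subject[1]}"=-']
        elif kind == "key":
            reg.append(f"[-{subject}]")
    reg = list(dict.fromkeys(reg))  # three shell verbs collapse to one key deletion
    out = []
    if files:
        out += ["File::", *files, ""]
    if reg:
        out += ["Registry::", *reg, ""]
    return "\n".join(out)


if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    for kind, subject, note in found:
        print(f"{kind:6} {note}: {subject}")
    print()
    print(render_cfscript(found))
```

The 'review' findings deliberately stay out of the generated script: AntiVirusOverride and EnableFirewall=0 are settings to fix by hand (or by installing the firewall the helper recommends), not registry entries to delete, and the B7CBA65A96.sys file with the same hidden+system attributes is left alone because the rule only acts on executables and nothing in the thread calls that file malicious.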
offline
  • Joined: 02 Jul 2008
  • Posts: 125

ComboFix 08-10-18.03 - Zoki 2008-10-19 18:20:17.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1250.1.1033.18.2580 [GMT 2:00]
Running from: C:\Documents and Settings\Zoki\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Zoki\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\WINDOWS\system32\rtclmg32.dll
C:\WINDOWS\system32\sbthost.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\rtclmg32.dll
C:\WINDOWS\system32\sbthost.exe

.
((((((((((((((((((((((((( Files Created from 2008-09-19 to 2008-10-19 )))))))))))))))))))))))))))))))
.

2008-10-19 17:06 . 2008-10-19 17:25 13,030 --a------ C:\PDOXUSRS.NET
2008-10-17 19:08 . 2008-10-19 09:23 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-10-17 19:08 . 2008-10-17 19:08 1,409 --a------ C:\WINDOWS\QTFont.for
2008-10-16 19:05 . 2008-10-16 19:25 96,976 --a------ C:\WINDOWS\system32\drivers\klin.dat
2008-10-16 19:05 . 2008-10-16 19:05 87,855 --a------ C:\WINDOWS\system32\drivers\klick.dat
2008-10-16 19:04 . 2008-10-16 19:04 <DIR> d-------- C:\Program Files\Kaspersky Lab
2008-10-16 19:04 . 2008-10-19 17:05 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-10-16 19:04 . 2008-10-18 22:03 6,583,840 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2008-10-16 19:04 . 2008-10-19 17:07 466,976 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.dat
2008-10-16 19:04 . 2008-10-18 22:03 55,660 --ahs---- C:\WINDOWS\system32\drivers\fidbox.idx
2008-10-16 19:04 . 2008-10-19 17:07 5,820 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.idx
2008-10-13 20:35 . 2008-10-17 19:10 9,221 --a------ C:\WINDOWS\system32\QuickTimeFavorites.qtr
2008-10-13 20:34 . 2008-10-13 20:35 <DIR> d-------- C:\WINDOWS\system32\QuickTime
2008-10-13 20:34 . 2004-03-22 07:52 12,276,904 --a------ C:\temp\QuickTimeInstaller.exe
2008-10-13 20:34 . 2008-10-17 19:11 10,308 --a------ C:\WINDOWS\system32\QuickTime.qtp
2008-10-13 20:31 . 2008-10-13 20:32 <DIR> d-------- C:\temp\QT6
2008-10-13 20:15 . 2008-10-13 20:15 <DIR> d-------- C:\Program Files\TEXTware
2008-10-13 20:15 . 2003-09-24 20:24 327,680 --a------ C:\WINDOWS\system32\QFClient2.dll
2008-10-13 20:10 . 2008-10-13 20:10 <DIR> d-------- C:\Program Files\Longman
2008-10-11 15:37 . 2008-10-11 15:37 <DIR> d--h----- C:\WINDOWS\PIF
2008-10-07 18:05 . 2008-10-07 18:05 <DIR> d-------- C:\Documents and Settings\Zoki\Application Data\Ahead
2008-10-07 17:46 . 2008-10-07 17:46 <DIR> d-------- C:\Program Files\Valve
2008-10-07 17:45 . 2008-10-16 19:16 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-10-07 13:39 . 2008-10-07 13:39 <DIR> d-------- C:\Program Files\MSN Messenger
2008-10-04 21:29 . 2002-04-01 17:53 102,400 --a------ C:\WINDOWS\system32\TrackerNET.dll
2008-10-04 21:27 . 2001-07-31 10:55 217,088 --a------ C:\WINDOWS\system32\libmySQL.dll
2008-10-03 16:41 . 1996-11-08 02:48 368,912 --a------ C:\WINDOWS\system32\vbar332.dll
2008-10-03 16:41 . 2006-08-23 14:00 163,840 --a------ C:\WINDOWS\system32\egusound.ocx
2008-10-03 16:41 . 1999-03-13 00:00 127,488 --a------ C:\WINDOWS\system32\Ccrpsld.ocx
2008-09-29 22:19 . 2008-09-29 22:19 134 --a------ C:\WINDOWS\system32\CTSTATUS.FCS
2008-09-29 22:10 . 2008-10-03 17:09 <DIR> d-------- C:\Documents and Settings\Zoki\Application Data\F-Secure
2008-09-29 21:41 . 2008-10-16 19:02 <DIR> d-------- C:\Program Files\PC Protection Plus
2008-09-29 21:41 . 2008-09-29 21:41 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\fssg
2008-09-29 21:41 . 2008-10-16 19:00 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\F-Secure
2008-09-29 21:38 . 2008-09-25 16:08 86,169,440 --a------ C:\temp\PC-Protection-Plus-700-387.exe
2008-09-25 14:04 . 2008-04-14 00:24 22,016 --a------ C:\WINDOWS\system32\drivers\MSIRCOMM.sys
2008-09-25 14:04 . 2008-04-14 00:24 22,016 --a--c--- C:\WINDOWS\system32\dllcache\msircomm.sys
2008-09-24 15:47 . 2008-09-24 15:47 <DIR> d-------- C:\Program Files\Cambridge
2008-09-24 15:46 . 2008-09-24 15:46 <DIR> d-------- C:\Documents and Settings\Zoki\Application Data\cld3-lookup
2008-09-24 15:45 . 2008-09-24 15:45 <DIR> d--hs---- C:\WINDOWS\ftpcache
2008-09-24 15:45 . 2008-10-03 23:25 <DIR> d-------- C:\Documents and Settings\Zoki\Application Data\EssentialGrammarInUse
2008-09-20 10:41 . 2008-09-20 10:41 <DIR> d-------- C:\Program Files\Common Files\Blizzard Entertainment

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-10-19 15:03 --------- d-----w C:\Documents and Settings\Zoki\Application Data\uTorrent
2008-10-18 14:11 495 ----a-w C:\Program Files\Professional
2008-10-18 14:11 --------- d-----w C:\Program Files\Professional §©®ÎŢt v.4 Black
2008-10-18 10:32 11,270 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys
2008-10-15 17:10 --------- d-----w C:\Documents and Settings\Zoki\Application Data\XnView
2008-10-14 06:42 --------- d-----w C:\Documents and Settings\Zoki\Application Data\skypePM
2008-10-14 06:42 --------- d-----w C:\Documents and Settings\Zoki\Application Data\Skype
2008-10-13 18:35 --------- d-----w C:\Program Files\QuickTime
2008-10-13 18:23 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple Computer
2008-10-10 18:54 --------- d-----w C:\Documents and Settings\Zoki\Application Data\dvdcss
2008-10-08 19:24 --------- d-----w C:\Program Files\Achilles-Script 5.0 Black
2008-10-07 15:46 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-09-29 12:29 --------- d-----w C:\Documents and Settings\Zoki\Application Data\Wildfire
2008-09-28 06:39 --------- d-----w C:\Program Files\GIMPPortable
2008-09-26 12:07 --------- d-----w C:\Program Files\EA Sports
2008-09-23 19:09 --------- d-----w C:\Documents and Settings\All Users\Application Data\Kaspersky Lab Setup Files
2008-09-22 17:41 --------- d-----w C:\Program Files\Common Files\Adobe
2008-09-20 07:46 2,828 --sha-w C:\Documents and Settings\All Users\Application Data\KGyGaAvL.sys
2008-09-20 07:45 88 --sh--r C:\Documents and Settings\All Users\Application Data\B7CBA65A96.sys
2008-09-17 18:25 --------- d-----w C:\Documents and Settings\Zoki\Application Data\FarStone
2008-09-17 18:12 --------- d-----w C:\Program Files\FarStone
2008-09-17 18:11 81,920 ----a-w C:\WINDOWS\system32\Dversion.dll
2008-09-17 18:11 61,440 ----a-w C:\WINDOWS\system32\RDrvNTInterface.dll
2008-09-17 18:11 61,440 ----a-w C:\WINDOWS\system32\RDrv2KInterface.dll
2008-09-17 18:11 28,672 ----a-w C:\WINDOWS\system32\RDrv9xInterface.dll
2008-09-17 18:11 24,576 ----a-w C:\WINDOWS\system32\RDrvInterface.dll
2008-09-17 18:11 114,688 ----a-w C:\WINDOWS\system32\DVC.dll
2008-09-15 17:28 --------- d-----w C:\Documents and Settings\Zoki\Application Data\Corel
2008-09-15 17:27 --------- d-----w C:\Program Files\Common Files\Protexis
2008-09-15 17:27 --------- d-----w C:\Documents and Settings\All Users\Application Data\Corel
2008-09-15 17:25 --------- d-----w C:\Program Files\Corel
2008-09-15 17:25 --------- d-----w C:\Program Files\Common Files\Corel
2008-09-15 09:43 22,328 ----a-w C:\WINDOWS\system32\drivers\PnkBstrK.sys
2008-09-15 09:43 103,736 ----a-w C:\WINDOWS\system32\PnkBstrB.exe
2008-09-14 07:53 --------- d-----w C:\Program Files\Common Files\DVDVideoSoft
2008-09-13 21:23 --------- d-----w C:\Program Files\Pristy Utils
2008-09-11 12:54 --------- d-----w C:\Program Files\Common Files\INCA Shared
2008-09-10 16:47 --------- d-----w C:\Program Files\Games-Masters.com
2008-09-06 10:21 --------- d-----w C:\Documents and Settings\Zoki\Application Data\U3
2008-09-06 05:53 --------- d-----w C:\Documents and Settings\Zoki\Application Data\Bret Taylor
2008-09-05 14:46 --------- d-----w C:\Program Files\Google
2008-09-02 18:56 --------- d-----w C:\Program Files\Sierra On-Line
2008-09-02 18:49 --------- d-----w C:\Program Files\cstrike
2008-09-02 18:44 --------- d-----w C:\Program Files\D-Tools
2008-09-01 08:47 --------- d-----w C:\Program Files\TeamViewer3
2008-09-01 08:47 --------- d-----w C:\Documents and Settings\Zoki\Application Data\TeamViewer
2008-08-26 16:23 --------- d-----w C:\Program Files\Mv2Player
2008-08-26 15:40 --------- d-----w C:\Program Files\The Simpsons Hit 'n' run
2008-08-25 17:21 --------- d-----w C:\Program Files\registracija.programa
2008-08-25 17:07 --------- d-----w C:\Program Files\Common Files\InstallShield
2008-08-25 17:06 --------- d-----w C:\Program Files\InstallShield
2008-08-25 17:05 --------- d-----w C:\Program Files\InstallShield Express - Borland Limited Edition
2008-08-20 08:21 --------- d-----w C:\Documents and Settings\All Users\Application Data\U3
2008-08-19 18:21 --------- d-----w C:\Program Files\NotesSQL
2008-08-19 18:21 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-08-19 18:20 --------- d-----w C:\Program Files\Crystal Decisions
2008-08-19 18:20 --------- d-----w C:\Program Files\Common Files\Merge Modules
2008-08-19 18:20 --------- d-----w C:\Program Files\Common Files\Crystal Decisions
2008-08-19 14:35 --------- d-----w C:\Program Files\MSXML 4.0
2008-08-19 10:05 --------- d-----w C:\Program Files\NBA 2008
2008-08-03 15:06 107,888 ----a-w C:\WINDOWS\system32\CmdLineExt.dll
2008-08-01 10:21 66,872 ----a-w C:\WINDOWS\system32\PnkBstrA.exe
2008-07-31 19:51 14,290 ----a-w C:\Program Files\settings.dat
2008-07-31 17:20 315,392 ----a-w C:\WINDOWS\HideWin.exe
2008-07-29 18:21 218,376 ----a-w C:\WINDOWS\system32\klogon.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"StartCCC"="C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2006-11-10 90112]
"openvpn-gui"="C:\Program Files\OpenVPN\bin\openvpn-gui.exe" [2005-08-18 99328]
"{0228e555-4f9c-4e35-a3ec-b109a192b4c2}"="C:\Program Files\Google\Gmail Notifier\gnotify.exe" [2005-07-15 479232]
"AVP"="C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe" [2008-07-29 206088]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoResolveSearch"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.divxa32"= msaud32_divx.acm

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Documents and Settings\\All Users\\Application Data\\Kaspersky Lab Setup Files\\Kaspersky Internet Security 7.0.1.325\\English\\setup.exe"=
"C:\\Program Files\\uTorrent\\uTorrent.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\MSN Messenger\\livecall.exe"=

R0 klbg;Kaspersky Lab Boot Guard Driver;C:\WINDOWS\system32\drivers\klbg.sys [2008-01-29 32784]
R0 pnpshark;pnpshark;C:\WINDOWS\system32\DRIVERS\pnpshark.sys [2003-10-02 119552]
R0 st3shark;st3shark;C:\WINDOWS\system32\DRIVERS\st3shark.sys [2003-09-27 5504]
R2 PSI_SVC_2;Protexis Licensing V2;c:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe [2007-07-24 185632]
R3 FVDSCSI;FVDSCSI;C:\WINDOWS\system32\DRIVERS\fvdscsi.sys [2003-08-09 60008]
R3 KLFLTDEV;Kaspersky Lab KLFltDev;C:\WINDOWS\system32\DRIVERS\klfltdev.sys [2008-03-13 26640]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;C:\WINDOWS\system32\DRIVERS\klim5.sys [2008-04-30 24592]
R3 SNP2STD;USB2.0 PC Camera (SNP2STD);C:\WINDOWS\system32\DRIVERS\snp2sxp.sys [2007-04-09 12039552]
R3 tap0801;TAP-Win32 Adapter V8;C:\WINDOWS\system32\DRIVERS\tap0801.sys [2006-10-01 26624]
S3 dump_wmimmc;dump_wmimmc;C:\Program Files\Games-Masters.com\CABAL Online (Europe)\GameGuard\dump_wmimmc.sys [ ]
S3 s115bus;Sony Ericsson Device 115 driver (WDM);C:\WINDOWS\system32\DRIVERS\s115bus.sys [2007-04-23 83208]
S3 s115mdfl;Sony Ericsson Device 115 USB WMC Modem Filter;C:\WINDOWS\system32\DRIVERS\s115mdfl.sys [2007-04-23 15112]
S3 s115mdm;Sony Ericsson Device 115 USB WMC Modem Driver;C:\WINDOWS\system32\DRIVERS\s115mdm.sys [2007-04-23 108680]
S3 s115obex;Sony Ericsson Device 115 USB WMC OBEX Interface;C:\WINDOWS\system32\DRIVERS\s115obex.sys [2007-04-23 98568]
S3 SetupNTGLM7X;SetupNTGLM7X;G:\NTGLM7X.sys [ ]
S3 usnjsvc;Usluga Messenger Sharing Folders USN Journal Reader;C:\Program Files\MSN Messenger\usnsvc.exe [2007-01-19 97136]
.
Contents of the 'Scheduled Tasks' folder

2008-10-19 C:\WINDOWS\Tasks\GoogleUpdateTaskUser.job
- C:\Documents and Settings\Zoki\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-09-04 16:46]
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, gmer.net
Rootkit scan 2008-10-19 18:21:41
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-10-19 18:22:12
ComboFix-quarantined-files.txt 2008-10-19 16:22:10

Pre-Run: 171.033.223.168 bytes free
Post-Run: 171,017,646,080 bytes free

196 --- E O F --- 2008-09-10 16:40:07

offline
  • Joined: 04 Sep 2003
  • Posts: 24135
  • Location: Wien

You did not answer my question whether there are still any visible symptoms (since the log is clean now)?
