Posted: 18 Jul 2009 23:56
- mirjanagb
- Citizen
- Joined: 24 Oct 2007
- Posts: 122

If I understood correctly, this is it:
NDIS fix
C:\WINDOWS\system32\drivers\ndis.sys found 182912 bytes
C:\WINDOWS\system32\dllcache\ndis.sys not found
Backup C:\WINDOWS\system32\drivers\ndis.sys to C:\ndis_drivers.bak 212480 bytes
C:\WINDOWS\system32\drivers\ndis.sys deleted
New copy of C:\WINDOWS\system32\drivers\ndis.sys dropped

Posted: 19 Jul 2009 08:29
- mirjanagb
- Citizen
- Joined: 24 Oct 2007
- Posts: 122

ComboFix 09-07-14.08 - Miki 07/19/2009 8:18.2.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1790.1354 [GMT 2:00]
Running from: c:\documents and settings\Miki\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Miki\Desktop\CFScript.txt
FILE ::
"C:\aqwiry.exe"
"C:\dbckb.exe"
"c:\windows\system32\drivers\4360a163.sys"
"c:\windows\system32\usbewt.sys"
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\aqwiry.exe
C:\dbckb.exe
c:\windows\system32\drivers\4360a163.sys
c:\windows\system32\usbewt.sys
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_usbewt
-------\Service_4360a163
-------\Service_mailKmd
-------\Service_usbewt
((((((((((((((((((((((((( Files Created from 2009-06-19 to 2009-07-19 )))))))))))))))))))))))))))))))
.
2009-07-18 19:29 . 2009-07-18 19:29 -------- d-s---w- c:\windows\system32\config\systemprofile\UserData
2009-07-18 19:07 . 2009-07-18 19:07 12328 ----a-w- c:\documents and settings\Miki\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-07-18 19:07 . 2009-07-18 19:07 -------- d-----w- c:\documents and settings\Miki\Local Settings\Application Data\ATI
2009-07-18 19:07 . 2009-07-18 19:07 -------- d-----w- c:\documents and settings\Miki\Application Data\ATI
2009-07-18 19:07 . 2009-07-18 19:07 127 ----a-w- c:\documents and settings\Miki\Local Settings\Application Data\fusioncache.dat
2009-07-18 19:05 . 2009-07-18 19:05 -------- d-----w- c:\program files\Common Files\ATI Technologies
2009-07-18 19:03 . 2006-03-08 21:33 307200 ----a-r- c:\windows\system32\atiiiexx.dll
2009-07-18 19:03 . 2006-03-02 12:54 124376 ----a-r- c:\windows\system32\atiicdxx.dat
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-07-18 21:50 . 2004-08-04 12:00 182656 ----a-w- c:\windows\system32\drivers\ndis.sys
2009-07-18 19:04 . 2009-07-18 17:32 -------- d-----w- c:\program files\ATI Technologies
2009-07-18 19:03 . 2009-07-18 17:06 -------- d-----w- c:\program files\Common Files\InstallShield
2009-07-18 19:03 . 2009-07-18 17:09 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-07-18 17:49 . 2009-07-18 17:49 134656 ----a-w- c:\windows\system32\mobsyn.exe
2009-07-18 17:35 . 2009-07-18 17:35 7280 ----a-w- c:\windows\system32\drivers\viamraid.PNF
2009-07-18 17:35 . 2009-07-18 17:35 6984 ----a-w- c:\windows\system32\drivers\SiSRaid.PNF
2009-07-18 17:35 . 2009-07-18 17:35 63240 ----a-w- c:\windows\system32\drivers\Si3112r.PNF
2009-07-18 17:35 . 2009-07-18 17:35 20152 ----a-w- c:\windows\system32\drivers\INFCACHE.1
2009-07-18 17:35 . 2009-07-18 17:35 9388 ----a-w- c:\windows\system32\drivers\iaStor.PNF
2009-07-18 17:35 . 2009-07-18 17:35 12432 ----a-w- c:\windows\system32\drivers\adpu320.PNF
2009-07-18 17:35 . 2009-07-18 17:35 12204 ----a-w- c:\windows\system32\drivers\nvraid.PNF
2009-07-18 17:35 . 2009-07-18 17:35 10828 ----a-w- c:\windows\system32\drivers\iaAHCI.PNF
2009-07-18 17:31 . 2009-07-18 17:31 -------- d-----w- c:\program files\Opera 10 Beta
2009-07-18 17:14 . 2009-07-18 17:14 -------- d-----w- c:\program files\Realtek
2009-07-18 17:11 . 2009-07-18 17:11 -------- d-----w- c:\program files\Launch Manager
2009-07-18 17:06 . 2009-07-18 17:06 -------- d-----w- c:\program files\Synaptics
2009-07-18 16:14 . 2009-07-18 15:43 76487 ----a-w- c:\windows\pchealth\helpctr\OfflineCache\index.dat
2009-07-18 15:51 . 2009-07-18 15:51 -------- d-----w- c:\program files\microsoft frontpage
2009-07-18 15:49 . 2009-07-18 15:49 -------- d-----w- c:\program files\Java
2009-07-18 15:49 . 2009-07-18 15:49 -------- d-----w- c:\program files\Common Files\Java
2009-07-18 15:41 . 2009-07-18 15:41 21640 ----a-w- c:\windows\system32\emptyregdb.dat
.
------- Sigcheck -------
[-] 2009-07-18 21:50 182656 1DF7F42665C94B825322FAE71721130D c:\windows\system32\drivers\ndis.sys
.
((((((((((((((((((((((((((((( SnapShot@2009-07-18_18.04.12 )))))))))))))))))))))))))))))))))))))))))
.
+ 2006-03-08 21:43 . 2006-03-08 21:43 77824 c:\windows\system32\Oemdspif.dll
+ 2006-03-08 21:12 . 2006-03-08 21:12 40960 c:\windows\system32\drivers\ati2erec.dll
+ 2009-07-18 19:29 . 2009-07-18 21:25 32768 c:\windows\system32\config\systemprofile\UserData\index.dat
+ 2009-07-18 18:19 . 2009-07-18 18:19 16384 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\MSIMGSIZ.DAT
+ 2009-07-18 15:53 . 2009-07-18 21:27 32768 c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2001-11-09 10:01 . 2001-11-09 10:01 24064 c:\windows\system32\ativcoxx.dll
+ 2006-03-08 21:12 . 2006-03-08 21:12 17408 c:\windows\system32\atitvo32.dll
+ 2006-03-08 21:41 . 2006-03-08 21:41 53248 c:\windows\system32\ATIDDC.DLL
+ 2006-03-08 21:43 . 2006-03-08 21:43 26112 c:\windows\system32\Ati2mdxx.exe
+ 2006-03-08 21:43 . 2006-03-08 21:43 61440 c:\windows\system32\ati2evxx.dll
+ 2006-03-08 21:43 . 2006-03-08 21:43 40960 c:\windows\system32\ati2edxx.dll
+ 2009-07-18 19:05 . 2009-07-18 19:05 25214 c:\windows\Installer\{90437E5F-0A9E-4B63-AD8B-D232897D18BF}\ARPPRODUCTICON.exe
+ 2009-07-18 19:05 . 2009-07-18 19:05 9158 c:\windows\Installer\{B61CAD5A-6B93-4C52-83D9-F74853010C04}\NewShortcut5_6E06A57A67284CFBAA9A5149F9C9ADB3.exe
+ 2009-07-18 19:05 . 2009-07-18 19:05 9158 c:\windows\Installer\{B61CAD5A-6B93-4C52-83D9-F74853010C04}\NewShortcut3_6E06A57A67284CFBAA9A5149F9C9ADB3.exe
+ 2009-07-18 19:05 . 2009-07-18 19:05 9158 c:\windows\Installer\{B61CAD5A-6B93-4C52-83D9-F74853010C04}\NewShortcut22_6E06A57A67284CFBAA9A5149F9C9ADB3.exe
+ 2009-07-18 19:05 . 2009-07-18 19:05 9158 c:\windows\Installer\{B61CAD5A-6B93-4C52-83D9-F74853010C04}\NewShortcut21_6E06A57A67284CFBAA9A5149F9C9ADB3.exe
+ 2009-07-18 19:05 . 2009-07-18 19:05 9158 c:\windows\Installer\{B61CAD5A-6B93-4C52-83D9-F74853010C04}\NewShortcut2_6E06A57A67284CFBAA9A5149F9C9ADB3.exe
+ 2009-07-18 19:05 . 2009-07-18 19:05 9158 c:\windows\Installer\{B61CAD5A-6B93-4C52-83D9-F74853010C04}\NewShortcut1_6E06A57A67284CFBAA9A5149F9C9ADB3.exe
+ 2009-07-18 19:05 . 2009-07-18 19:05 9158 c:\windows\Installer\{B61CAD5A-6B93-4C52-83D9-F74853010C04}\ARPPRODUCTICON.exe
+ 2006-03-08 21:26 . 2006-03-08 21:26 860640 c:\windows\system32\dllcache\ativvaxx.dll
+ 2006-03-08 21:49 . 2006-03-08 21:49 256512 c:\windows\system32\dllcache\ati2dvag.dll
+ 2006-03-08 21:07 . 2006-03-08 21:07 258048 c:\windows\system32\dllcache\ati2cqag.dll
+ 2009-07-18 15:53 . 2009-07-18 21:27 458752 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2009-07-18 15:54 . 2009-07-18 21:28 147456 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012009071820090719\index.dat
+ 2009-07-18 15:53 . 2009-07-18 21:27 229376 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2006-03-08 21:26 . 2006-03-08 21:26 860640 c:\windows\system32\ativvaxx.dll
+ 2006-03-08 21:43 . 2006-03-08 21:43 114688 c:\windows\system32\atipdlxx.dll
+ 2006-03-08 21:13 . 2006-03-08 21:13 151552 c:\windows\system32\atikvmag.dll
+ 2006-03-08 20:33 . 2006-03-08 20:33 282624 c:\windows\system32\ATIDEMGR.dll
+ 2006-03-08 21:42 . 2006-03-08 21:42 405504 c:\windows\system32\ati2evxx.exe
+ 2006-03-08 21:49 . 2006-03-08 21:49 256512 c:\windows\system32\ati2dvag.dll
+ 2006-03-08 21:07 . 2006-03-08 21:07 258048 c:\windows\system32\ati2cqag.dll
+ 2006-03-08 21:49 . 2006-03-08 21:49 1506816 c:\windows\system32\drivers\ati2mtag.sys
+ 2006-03-08 21:33 . 2006-03-08 21:33 2636672 c:\windows\system32\dllcache\ati3duag.dll
+ 2006-03-08 21:49 . 2006-03-08 21:49 1506816 c:\windows\system32\dllcache\ati2mtag.sys
+ 2006-03-08 21:17 . 2006-03-08 21:17 5124096 c:\windows\system32\atioglxx.dll
+ 2006-03-08 21:30 . 2006-03-08 21:30 6684672 c:\windows\system32\atioglx1.dll
+ 2006-03-08 21:33 . 2006-03-08 21:33 2636672 c:\windows\system32\ati3duag.dll
+ 2009-07-18 19:05 . 2009-07-18 19:05 3654144 c:\windows\Installer\3738a8.msi
+ 2009-07-18 19:05 . 2009-07-18 19:05 13135872 c:\windows\Installer\3738a1.msi
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="c:\program files\Java\jre1.5.0_06\bin\jusched.exe" [2005-11-10 36975]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-01-20 761946]
"LaunchAp"="c:\program files\Launch Manager\LaunchAp.exe" [2005-07-25 32768]
"HotkeyApp"="c:\program files\Launch Manager\HotkeyApp.exe" [2005-07-28 57344]
"LMgrVolOSD"="c:\program files\Launch Manager\OSD.exe" [2005-03-16 204800]
"LMgrOSD"="c:\program files\Launch Manager\OSDCtrl.exe" [2005-07-25 241664]
"Wbutton"="c:\program files\Launch Manager\Wbutton.exe" [2005-07-25 81920]
"CtrlVol"="c:\program files\Launch Manager\CtrlVol.exe" [2003-09-16 20480]
"ATICCC"="c:\program files\ATI Technologies\ATI.ACE\cli.exe" [2006-01-02 45056]
"SMSERIAL"="sm56hlpr.exe" - c:\windows\sm56hlpr.exe [2005-11-10 557056]
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\fonts\\services.exe"=
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, gmer.net
Rootkit scan 2009-07-19 08:23
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
CtrlVol = c:\program files\Launch Manager\CtrlVol.exe?8???\??????|x??|????q??|?j?wQj?w????????,??? ???????????????d??????|????????p?????@?t??????????????s???????s???sx??s@??????????????|h??st??????????s?????????????????C?sc"?sx??s???????w??@?N'?st>???6@??>?????????
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(548-)
c:\windows\system32\Ati2evxx.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\windows\system32\ati2evxx.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\wbem\wmiapsrv.exe
.
**************************************************************************
.
Completion time: 2009-07-19 8:24 - machine was rebooted
ComboFix-quarantined-files.txt 2009-07-19 06:24
ComboFix2.txt 2009-07-18 18:05
Pre-Run: 74,707,230,720 bytes free
Post-Run: 74,778,238,976 bytes free

Posted: 19 Jul 2009 21:41
- mirjanagb
- Citizen
- Joined: 24 Oct 2007
- Posts: 122

Written: 19 Jul 2009 21:37
USBNoRisk 2.4 (1 June 2009) by bobby
Started at 7/19/2009 9:31:14 PM
Searching for connected USB Mass storage...
----------------------------------------
========================================
Searching for other storage...
----------------------------------------
C: {622bc09f-73b7-11de-ab5b-806d6172696f}
========================================
Scanning fixed storage...
----------------------------------------
No blocked files found on C:
No Autorun.inf files found on C:
No mountpoint found for C:
No mountpoint found for 622bc09f-73b7-11de-ab5b-806d6172696f
No Desktop.ini files found on C:
----------------------------------------
========================================
Initial scan finished!
========================================
New device connected at 7/19/2009 9:31:36 PM
Scanning for connected USB mass storage...
----------------------------------------
E: {699510ff-7437-11de-81c7-00c0a8bb9012}
Added E:
========================================
Scanning USB mass storage for files...
----------------------------------------
No blocked files found on E:
----------------------------------------
autorun.inf found on E:
----------------------------------------
File E:\autorun.inf renamed successfully
Content of E:\autorun.inf.blocked
----------------------------------------
[autorun]
open=RECYCLER\S-1-5-21-1482476501-1644491937-682003330-1013\windowsupdate.com
icon=%SystemRoot%\system32\SHELL32.dll,4
action=Open folder to view files
shell\open=Open
shell\open\command=RECYCLER\S-1-5-21-1482476501-1644491937-682003330-1013\windowsupdate.com
shell\open\default=1
----------------------------------------
Files referenced from E:\autorun.inf.blocked
----------------------------------------
E:\RECYCLER\S-1-5-21-1482476501-1644491937-682003330-1013\windowsupdate.com -r-hs 19968
----------------------------------------
Sanitized mountpoint for 699510ff-7437-11de-81c7-00c0a8bb9012
----------------------------------------
No Desktop.ini files found on E:
----------------------------------------
No mimics found on drive E:
========================================
========================================
Removed E:
========================================
New device connected at 7/19/2009 9:32:55 PM
Scanning for connected USB mass storage...
----------------------------------------
F: {ab833740-73e2-11de-81c4-00c0a8bb9012}
Added F:
========================================
Scanning USB mass storage for files...
----------------------------------------
No blocked files found on F:
----------------------------------------
No Autorun.inf files found on F:
No mountpoint found for ab833740-73e2-11de-81c4-00c0a8bb9012
----------------------------------------
No Desktop.ini files found on F:
----------------------------------------
No mimics found on drive F:
========================================
========================================
Removed F:
========================================
New device connected at 7/19/2009 9:33:34 PM
Scanning for connected USB mass storage...
----------------------------------------
E: {721147c8-73c0-11de-81c1-00c0a8bb9012}
Added E:
========================================
Scanning USB mass storage for files...
----------------------------------------
No blocked files found on E:
----------------------------------------
autorun.inf found on E:
----------------------------------------
File E:\autorun.inf renamed successfully
Content of E:\autorun.inf.blocked
----------------------------------------
[autorun]
open=RECYCLER\autorun.exe
icon=%SystemRoot%\system32\SHELL32.dll,4
action=Open folder to view files
shell\open=Open
shell\open\command=RECYCLER\autorun.exe
shell\open\default=1
----------------------------------------
Files referenced from E:\autorun.inf.blocked
----------------------------------------
E:\RECYCLER\autorun.exe -rahs 100864
----------------------------------------
Sanitized mountpoint for 721147c8-73c0-11de-81c1-00c0a8bb9012
----------------------------------------
----------------------------------------
Desktop.ini found at E:\RECYCLER\ contains interesting CLSID string
----------------------------------------
[.ShellClassInfo]
CLSID={645FF040-5081-101B-9F08-00AA002F954E}
----------------------------------------
HKCR\CLSID\{645FF040-5081-101B-9F08-00AA002F954E},InfoTip = @%SystemRoot%\system32\SHELL32.dll,-22915
HKCR\CLSID\{645FF040-5081-101B-9F08-00AA002F954E},IntroText = @%SystemRoot%\system32\SHELL32.dll,-31748
HKCR\CLSID\{645FF040-5081-101B-9F08-00AA002F954E},LocalizedString = @%SystemRoot%\system32\SHELL32.dll,-8964
HKCR\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\DefaultIcon,@ = %SystemRoot%\System32\shell32.dll,31
HKCR\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\DefaultIcon,Empty = %SystemRoot%\System32\shell32.dll,31
HKCR\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\DefaultIcon,Full = %SystemRoot%\System32\shell32.dll,32
HKCR\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\InProcServer32,@ = shell32.dll
HKLM\Software\Classes\CLSID\{645FF040-5081-101B-9F08-00AA002F954E},InfoTip = @%SystemRoot%\system32\SHELL32.dll,-22915
HKLM\Software\Classes\CLSID\{645FF040-5081-101B-9F08-00AA002F954E},IntroText = @%SystemRoot%\system32\SHELL32.dll,-31748
HKLM\Software\Classes\CLSID\{645FF040-5081-101B-9F08-00AA002F954E},LocalizedString = @%SystemRoot%\system32\SHELL32.dll,-8964
HKLM\Software\Classes\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\DefaultIcon,@ = %SystemRoot%\System32\shell32.dll,31
HKLM\Software\Classes\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\DefaultIcon,Empty = %SystemRoot%\System32\shell32.dll,31
HKLM\Software\Classes\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\DefaultIcon,Full = %SystemRoot%\System32\shell32.dll,32
HKLM\Software\Classes\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\InProcServer32,@ = shell32.dll
----------------------------------------
No mimics found on drive E:
========================================
========================================
Removed E:
========================================
Update: 19 Jul 2009 21:41
Make me happy and tell me that this is all on this last USB ...
so I can format it right away!!!
And that it isn't something else!!!

Posted: 20 Jul 2009 01:25
- diarno
- Anti Malware Fighter Rank 2
- Joined: 15 Jun 2007
- Posts: 5572

The first and the last one contain malware.. If it's not a problem for you, format them...