threat


threat

  • Joined: 04 Sep 2011
  • Posts: 21
  • Location: apatin

When I ran a scan, my Avast antivirus program found a threat; it says: C:\WINDOWS\System32\sfloppy.sys Threat: Rootkit: system modification. I try Delete and it says: action postponed until the next reboot. I also tried Move to Chest and it says: the request is not supported.... and now a small window keeps popping up saying that Avast has detected a threat.... I have 32-bit Windows.... I don't know what to do or how to destroy that worm, virus or whatever it is. Can anyone help me solve this problem?

  • Joined: 26 Aug 2010
  • Posts: 10622
  • Location: Hypnos Control Room, Tokyo Metropolitan Government Building

Hello,

Follow the instructions at http://www.mycity.rs/Ambulanta/Kako-otvoriti-temu-u-Ambulanti.html in detail and post the required reports.

  • Joined: 04 Sep 2011
  • Posts: 21
  • Location: apatin

Posted: 06 Dec 2011 15:51

Hello, I'll post the reports now, if I manage.



.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_29
Run by Marijana at 15:46:31 on 2011-12-06
Microsoft Windows XP Professional 5.1.2600.3.1250.381.1033.18.1503.630 [GMT 1:00]
.
AV: avast! Antivirus *Disabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost.exe -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\AVAST Software\Avast\AvastSvc.exe
C:\Program Files\Windows7\RunMe\RunMe.exe
C:\Program Files\Windows7\VisualTaskTips\VisualTaskTips.exe
C:\Program Files\Windows7\Windows 7 Pie Dock\Windows 7 Pie Dock.exe
C:\Program Files\TwinMOS\Mobile Disk V3.0\MobMon.exe
C:\Program Files\TwinMOS\Mobile Disk V3.0\UsbTD.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Silicon Integrated Systems\SiSRaidPackage\SRaid.exe
C:\Program Files\AVAST Software\Avast\avastUI.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\RocketDock\RocketDock.exe
C:\Program Files\Windows7\Analog Clock\AnalogClock.exe
C:\Program Files\Windows7\TopDesk\topdesk.exe
C:\Program Files\Windows7\UberIcon\UberIcon Manager.exe
C:\Program Files\Stardock\CursorFX\CursorFX.exe
C:\Program Files\IObit\Advanced SystemCare 3\AWC.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\RALINK\Common\RaUI.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\sistray.exe
svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\WINDOWS\system32\wscntfy.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = about:blank
uInternet Connection Wizard,ShellNext = iexplore
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
uURLSearchHooks: H - No File
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\progra~1\micros~2\office12\GRA8E1~1.DLL
BHO: avast! WebRep: {8e5e2654-ad2d-48bf-ac2d-d17f00898d06} - c:\program files\avast software\avast\aswWebRepIE.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\googletoolbar1.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar1.dll
TB: avast! WebRep: {8e5e2654-ad2d-48bf-ac2d-d17f00898d06} - c:\program files\avast software\avast\aswWebRepIE.dll
uRun: [RocketDock] "c:\program files\rocketdock\RocketDock.exe"
uRun: [AnalogClock] c:\program files\windows7\analog clock\AnalogClock.exe
uRun: [TopDesk] c:\program files\windows7\topdesk\topdesk.exe
uRun: [TransBar] c:\program files\windows7\transbar\TransBar.exe /s
uRun: [UberIcon] "c:\program files\windows7\ubericon\UberIcon Manager.exe"
uRun: [CursorFX] "c:\program files\stardock\cursorfx\CursorFX.exe"
uRun: [Advanced SystemCare 3] "c:\program files\iobit\advanced systemcare 3\AWC.exe" /startup
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Google Update] "c:\documents and settings\marijana\local settings\application data\google\update\GoogleUpdate.exe" /c
mRun: [KRun] c:\program files\windows7\runme\RunMe.exe
mRun: [Visual Task Tips] "c:\program files\windows7\visualtasktips\VisualTaskTips.exe"
mRun: [Pie Dock] "c:\program files\windows7\windows 7 pie dock\Windows 7 Pie Dock.exe"
mRun: [UFD Monitor] c:\program files\twinmos\mobile disk v3.0\MobMon.exe
mRun: [UFD Utility] c:\program files\twinmos\mobile disk v3.0\UsbTD.exe
mRun: [SoundMan] SOUNDMAN.EXE
mRun: [WinampAgent] c:\program files\winamp\winampa.exe
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [SiSUSBRG] c:\windows\SiSUSBrg.exe
mRun: [SiSRaid] c:\program files\silicon integrated systems\sisraidpackage\SRaid.exe
mRun: [avast] "c:\program files\avast software\avast\avastUI.exe" /nogui
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
StartupFolder: c:\docume~1\marijana\startm~1\programs\startup\onenot~1.lnk - c:\program files\microsoft office\office12\ONENOTEM.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\ralink~1.lnk - c:\program files\ralink\common\RaUI.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\utilit~1.lnk - c:\windows\system32\sistray.exe
uPolicies-explorer: NoDesktopCleanupWizard = 1 (0x1)
mPolicies-explorer: ForceClassicControlPanel = 1 (0x1)
IE: &Google Search - c:\program files\google\GoogleToolbar1.dll/cmsearch.html
IE: Backward &Links - c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
IE: Cac&hed Snapshot of Page - c:\program files\google\GoogleToolbar1.dll/cmcache.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: Si&milar Pages - c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
IE: Translate into English - c:\program files\google\GoogleToolbar1.dll/cmtrans.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0029-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
TCP: DhcpNameServer = 10.5.50.1 109.233.184.2 109.233.184.3
TCP: Interfaces\{7A4B324F-C76D-4F5A-91DE-10C3BFC9F66C} : DhcpNameServer = 10.5.50.1 109.233.184.2 109.233.184.3
TCP: Interfaces\{ACF57E3F-5126-4C37-94FA-766983AEE1DB} : NameServer = 109.233.184.2 109.233.184.3
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\progra~1\micros~2\office12\GR99D3~1.DLL
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\progra~1\micros~2\office12\GRA8E1~1.DLL
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\marijana\application data\mozilla\firefox\profiles\7oxm0kz5.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2431400&SearchSource=3&q={searchTerms}
FF - prefs.js: browser.search.selectedEngine - MB2 Customized Web Search
FF - prefs.js: keyword.URL - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2431400&SearchSource=2&q=
FF - prefs.js: network.proxy.type - 0
FF - plugin: c:\documents and settings\marijana\application data\mozilla\firefox\profiles\7oxm0kz5.default\extensions\{013a635f-e3aa-4371-b682-ece95ca974b0}\plugins\np-mswmp.dll
FF - plugin: c:\documents and settings\marijana\application data\mozilla\firefox\profiles\7oxm0kz5.default\extensions\maps@ovi.com\plugins\npNMapNPR.dll
FF - plugin: c:\documents and settings\marijana\application data\mozilla\firefox\profiles\7oxm0kz5.default\extensions\maps@ovi.com\plugins\npNMapNPRresources.dll
FF - plugin: c:\documents and settings\marijana\local settings\application data\google\update\1.3.21.79\npGoogleUpdate3.dll
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\update\1.3.21.65\npGoogleUpdate3.dll
FF - plugin: c:\program files\google\update\1.3.21.69\npGoogleUpdate3.dll
FF - plugin: c:\program files\google\update\1.3.21.79\npGoogleUpdate3.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
.
============= SERVICES / DRIVERS ===============
.
R0 Vax347b;Vax347b;c:\windows\system32\drivers\Vax347b.sys [2010-10-27 159616]
R0 Vax347s;Vax347s;c:\windows\system32\drivers\Vax347s.sys [2010-10-27 5248]
R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [2011-9-3 435032]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2011-9-3 314456]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2011-9-3 20568]
R2 avast! Antivirus;avast! Antivirus;c:\program files\avast software\avast\AvastSvc.exe [2011-9-3 44768]
R2 StarWindService;StarWind iSCSI Service;c:\program files\alcohol soft\alcohol 120\starwind\StarWindService.exe [2005-4-1 217600]
S2 alzoxgryh;Server Config;c:\windows\system32\svchost.exe -k netsvcs [2008-4-13 14336]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-12-26 136176]
S2 OxSer;PCI Serial Driver;c:\windows\system32\drivers\OxSer.sys [2010-10-27 54584]
.
=============== Created Last 30 ================
.
.
==================== Find3M ====================
.
2011-11-28 18:01:25 41184 ----a-w- c:\windows\avastSS.scr
2011-11-28 17:53:53 435032 ----a-w- c:\windows\system32\drivers\aswSnx.sys
2011-10-10 14:22:41 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-10-03 03:06:03 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-10-03 00:37:52 73728 ----a-w- c:\windows\system32\javacpl.cpl
2011-09-28 07:06:50 599040 ----a-w- c:\windows\system32\crypt32.dll
2011-09-26 09:41:20 611328 ------w- c:\windows\system32\uiautomationcore.dll
2011-09-26 09:41:20 220160 ----a-w- c:\windows\system32\oleacc.dll
2011-09-26 09:41:14 20480 ----a-w- c:\windows\system32\oleaccrc.dll
2011-09-07 17:42:16 13312 ----a-w- c:\windows\system32\drivers\vdi5otkz.sys
.
============= FINISH: 15:47:33.21 ===============





Update: 06 Dec 2011 16:13

While I was scanning with GMER it said: GMER has found system modification caused by ROOTKIT activity

Update: 06 Dec 2011 16:32

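A way to pull the entries that matter out of a DDS report like the one above without reading the whole thing, as an added example that is not part of the original post or of the DDS tool: the script below runs three triage checks over sample lines copied from that report (a service hosted by svchost.exe under a name that is not in the XP netsvcs baseline, a .sys file in the Find3M section that no service entry references, and Firefox search preferences redirected away from the engines the user chose). The baseline set, the allowed-engine set and the random-name thresholds are the example's own assumptions, not DDS output.

```python
"""DDS report triage (added example; not part of DDS or of the forum post).

Three checks a responder runs before asking for more logs:
  1. a service hosted by svchost.exe whose name is not in the known
     netsvcs baseline for the OS (a foreign ServiceDll loaded into a
     trusted process at boot);
  2. a .sys file in the Find3M section that no R*/S* service entry
     references (a driver present on disk with no visible service);
  3. Firefox search preferences pointing at a host the user never chose.
The baseline, the allowed engines and the random-name thresholds are
the example's own assumptions.
"""
import re

# Partial netsvcs baseline for Windows XP SP3 (illustrative, not exhaustive).
NETSVCS_BASELINE = {
    "6to4", "appmgmt", "audiosrv", "browser", "cryptsvc", "dmserver", "dhcp",
    "ersvc", "eventsystem", "fastuserswitchingcompatibility", "helpsvc",
    "hidserv", "ias", "iprip", "irmon", "lanmanserver", "lanmanworkstation",
    "messenger", "netman", "nla", "ntmssvc", "nwcworkstation", "nwsapagent",
    "rasauto", "rasman", "remoteaccess", "schedule", "seclogon", "sens",
    "sharedaccess", "srservice", "tapisrv", "themes", "trkwks", "w32time",
    "wzcsvc", "wmi", "wmdmpmsp", "winmgmt", "wscsvc", "xmlprov", "bits",
    "wuauserv", "shellhwdetection", "uploadmgr", "wmdmpmsn", "termservice",
}

# Search hosts assumed to be the user's own choice.
ALLOWED_SEARCH_HOSTS = {"www.google.com", "search.yahoo.com", "www.bing.com"}

# Constructed sample: lines copied from the DDS report in the post above.
SAMPLE_DDS = r"""
R0 Vax347b;Vax347b;c:\windows\system32\drivers\Vax347b.sys [2010-10-27 159616]
R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [2011-9-3 435032]
R2 avast! Antivirus;avast! Antivirus;c:\program files\avast software\avast\AvastSvc.exe [2011-9-3 44768]
S2 alzoxgryh;Server Config;c:\windows\system32\svchost.exe -k netsvcs [2008-4-13 14336]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-12-26 136176]
S2 OxSer;PCI Serial Driver;c:\windows\system32\drivers\OxSer.sys [2010-10-27 54584]
2011-11-28 17:53:53 435032 ----a-w- c:\windows\system32\drivers\aswSnx.sys
2011-09-28 07:06:50 599040 ----a-w- c:\windows\system32\crypt32.dll
2011-09-07 17:42:16 13312 ----a-w- c:\windows\system32\drivers\vdi5otkz.sys
FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2431400&SearchSource=3&q={searchTerms}
FF - prefs.js: keyword.URL - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2431400&SearchSource=2&q=
"""

SERVICE_RE = re.compile(r"^[RS]\d\s+([^;]+);[^;]*;(.+?)\s+\[[^\]]*\]\s*$")
FIND3M_RE = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\s+\d+\s+\S+\s+(.+)$")
FF_SEARCH_RE = re.compile(r"^FF - prefs\.js: (browser\.search\.defaulturl|keyword\.URL) - (\S+)")
HOST_RE = re.compile(r"^h(?:xx|tt)ps?://([^/]+)", re.IGNORECASE)


def looks_random(name):
    """Cheap machine-generated-name test: few vowels or a long consonant run."""
    letters = re.sub(r"[^a-z]", "", name.lower())
    if len(letters) < 6:
        return False
    vowels = sum(ch in "aeiou" for ch in letters)
    longest_run = max(len(run) for run in re.split(r"[aeiou]", letters))
    return vowels / len(letters) < 0.3 or longest_run >= 4


def triage(report_text):
    """Return (rule, item, detail) findings for DDS-style report lines."""
    findings = []
    services = []       # (name, image command line) for every R*/S* entry
    driver_files = []   # .sys paths seen in Find3M
    for line in report_text.splitlines():
        m = SERVICE_RE.match(line)
        if m:
            services.append((m.group(1), m.group(2)))
            continue
        m = FIND3M_RE.match(line)
        if m and m.group(1).lower().endswith(".sys"):
            driver_files.append(m.group(1))
            continue
        m = FF_SEARCH_RE.match(line)
        if m:
            host = HOST_RE.match(m.group(2))
            if host and host.group(1).lower() not in ALLOWED_SEARCH_HOSTS:
                findings.append(("search_hijack", m.group(1), host.group(1).lower()))

    # Rule 1: svchost-hosted service outside the netsvcs baseline.
    for name, image in services:
        if "svchost.exe -k netsvcs" in image.lower() and name.lower() not in NETSVCS_BASELINE:
            note = "random-looking name" if looks_random(name) else "unknown name"
            findings.append(("netsvcs_unknown", name, note))

    # Rule 2: driver file on disk that no service entry references.
    referenced = [image.lower() for _, image in services]
    for path in driver_files:
        basename = path.rsplit("\\", 1)[-1]
        if not any(basename.lower() in image for image in referenced):
            stem = basename.rsplit(".", 1)[0]
            note = "random-looking name" if looks_random(stem) else "no service entry"
            findings.append(("orphan_driver", basename, note))
    return findings


if __name__ == "__main__":
    for rule, item, detail in triage(SAMPLE_DDS):
        print(f"{rule:16} {item:40} {detail}")
```

On the sample it reports the alzoxgryh service, the vdi5otkz.sys driver and the two conduit search preferences, while Vax347b, aswSnx, OxSer and gupdate pass because each has a service entry with a known image. The netsvcs check is the one to act on first: anything new in that group is a DLL svchost.exe loads at boot, so its ServiceDll value (under HKLM\SYSTEM\CurrentControlSet\Services\<name>\Parameters) is the first thing to pull.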

  • Joined: 26 Aug 2010
  • Posts: 10622
  • Location: Hypnos Control Room, Tokyo Metropolitan Government Building

While the case is being resolved, I'd ask you to stick to the following:
Read my instructions (or those of the colleagues standing in for me) carefully and work only according to them;
Don't seek help elsewhere at the same time;
Don't use other malware removal programs, apart from those you are given instructions for;
During the intervention, don't use USB memory devices until I ask for it;
If I don't reply within 48h, refresh the thread with a new post;
If you don't reply within 5 days, we will close the case.

For more information about the rules of the MyCity forum Ambulanta: LINK





Download sUBs' ComboFix from the following address to your Desktop:

Bleeping Computer
Right-click the link and choose Save Target As... (Save Link As..., Save Linked Content As... or similar);
When the dialog for choosing where to save the file opens, choose Desktop and click Save.

When the download has finished:
disable your security software (instructions);
close running programs;
rename ComboFix.exe to iexplore.exe;
double-click ComboFix to run it;
in the window that opens, click "I Agree".

While it runs, ComboFix will:
check whether a newer version of the program exists:
click Yes if it offers to download it.
if the Recovery Console is not installed, offer to install it:
be sure to accept by clicking Yes and follow the procedure.
ask a number of questions / show a number of notices:
accept by clicking Yes or OK.
restart Windows if needed (possibly several times);
at the end, open Notepad with the scan report.

Copy the report ComboFix produced into the thread on the forum:
right-click in the Notepad window and choose Select All;
right-click the highlighted text and choose Copy;
right-click in the message box and choose Paste.

Note: The report will be saved as ComboFix.txt on the system partition (typical location: C:\ComboFix.txt);
If after sending the message you notice that the report is not complete, use the Attach file option to attach C:\ComboFix.txt to the message.

  • Joined: 04 Sep 2011
  • Posts: 21
  • Location: apatin

I did everything as you said, but ComboFix can't produce a report; it ran for more than 2 hours and said "preparing log report, do not run any programs until combofix has finished", and it was the same last time when I had viruses, and they told me on this forum to start ComboFix in SAFE MODE and then it produced the report... should I try running ComboFix in safe mode now?

  • Joined: 26 Aug 2010
  • Posts: 10622
  • Location: Hypnos Control Room, Tokyo Metropolitan Government Building


Check whether the file C:\ComboFix.txt exists. If it does, copy its contents into a message.

  • Joined: 04 Sep 2011
  • Posts: 21
  • Location: apatin

Posted: 07 Dec 2011 9:49

ComboFix 11-12-06.01 - Marijana 12/06/2011 21:23:38.10.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1250.381.1033.18.1503.1063 [GMT 1:00]
Running from: C:\Documents and Settings\Marijana\Desktop\ComboFix.exe
AV: avast! Antivirus *Disabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


-- Previous Run --

C:\WINDOWS\system32\midimap.dll . . . is infected!!

--------

C:\WINDOWS\system32\midimap.dll . . . is infected!!


((((((((((((((((((((((((( Files Created from 2011-11-06 to 2011-12-06 )))))))))))))))))))))))))))))))


.


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2011-11-28 18:01:25 . 2011-09-03 19:58:44 41184 ----a-w- C:\WINDOWS\avastSS.scr
2011-11-28 18:01:23 . 2011-09-03 19:58:44 199816 ----a-w- C:\WINDOWS\system32\aswBoot.exe
2011-11-28 17:53:53 . 2011-09-03 19:58:56 435032 ----a-w- C:\WINDOWS\system32\drivers\aswSnx.sys
2011-11-28 17:53:35 . 2011-09-03 19:58:57 314456 ----a-w- C:\WINDOWS\system32\drivers\aswSP.sys
2011-11-28 17:52:19 . 2011-09-03 19:58:56 34392 ----a-w- C:\WINDOWS\system32\drivers\aswRdr.sys
2011-11-28 17:52:16 . 2011-09-03 19:58:56 52952 ----a-w- C:\WINDOWS\system32\drivers\aswTdi.sys
2011-11-28 17:52:02 . 2011-09-03 19:58:56 111320 ----a-w- C:\WINDOWS\system32\drivers\aswmon2.sys
2011-11-28 17:51:59 . 2011-09-03 19:58:56 105176 ----a-w- C:\WINDOWS\system32\drivers\aswmon.sys
2011-11-28 17:51:50 . 2011-09-03 19:58:57 20568 ----a-w- C:\WINDOWS\system32\drivers\aswFsBlk.sys
2011-11-28 17:48:49 . 2011-09-03 19:58:56 30808 ----a-w- C:\WINDOWS\system32\drivers\aavmker4.sys
2011-10-10 14:22:41 . 2010-10-27 04:03:56 692736 ----a-w- C:\WINDOWS\system32\inetcomm.dll
2011-10-03 03:06:03 . 2011-01-25 13:30:54 472808 ----a-w- C:\WINDOWS\system32\deployJava1.dll
2011-10-03 00:37:52 . 2011-01-25 13:30:54 73728 ----a-w- C:\WINDOWS\system32\javacpl.cpl
2011-09-28 07:06:50 . 2008-04-13 22:41:52 599040 ----a-w- C:\WINDOWS\system32\crypt32.dll
2011-09-26 09:41:20 . 2011-09-26 09:41:20 611328 ------w- C:\WINDOWS\system32\uiautomationcore.dll
2011-09-26 09:41:20 . 2004-08-04 12:00:00 220160 ----a-w- C:\WINDOWS\system32\oleacc.dll
2011-09-26 09:41:14 . 2004-08-04 12:00:00 20480 ----a-w- C:\WINDOWS\system32\oleaccrc.dll
2011-09-09 08:35:41 . 2011-09-09 08:35:41 388096 ----a-r- C:\Documents and Settings\Marijana\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2011-11-10 22:09:19 . 2011-09-03 02:09:11 134104 ----a-w- C:\Program Files\mozilla firefox\components\browsercomps.dll


------- Sigcheck -------
Note: Unsigned files aren't necessarily malware.

[-] 2008-04-28 09:18:38 . CB75214525D36F923D3948DA3CD1562D . 1390080 . . [2001.12.4414.700] . . C:\WINDOWS\system32\comres.dll

[-] 2008-04-28 09:24:10 . A55B8899D2EA2E800061BCFD456E34DC . 547328 . . [5.1.2600.5512 (xpsp.080413-2113)] . . C:\WINDOWS\system32\winlogon.exe

[7] 2008-04-13 22:42:52 . D7075E95AA599EE77B7A89D39296BD3D . 343040 . . [7.0.2600.5512 (xpsp.080413-2111)] . . C:\WINDOWS\WinSxS\x86_Microsoft.Windows.CPlusPlusRuntime_6595b64144ccf1df_7.0.2600.5512_x-ww_3fd60d63\msvcrt.dll
[-] 2008-03-20 18:36:10 . 1CA39C7E1423FF8821664E0E06FEA55E . 343040 . . [7.0.2600.5508 (xpsp.080320-1628-)] . . C:\WINDOWS\system32\msvcrt.dll
[7] 2004-08-04 12:00:00 . 4200BE3808F6406DBE45A7B88DAE5035 . 322560 . . [7.0.2600.0 (xpclient.010817-1148-)] . . C:\WINDOWS\WinSxS\x86_Microsoft.Windows.CPlusPlusRuntime_6595b64144ccf1df_7.0.0.0_x-ww_2726e76a\msvcrt.dll

[-] 2008-03-20 18:36:16 . F92D8964B5286DE225BD2B6BF89764BE . 578560 . . [5.1.2600.5508 (xpsp.080320-1622)] . . C:\WINDOWS\system32\user32.dll

[-] 2008-08-18 18:17:14 . 4A90F51B778FA0157F60D206E8B37D2A . 1616384 . . [6.00.2900.5512 (xpsp.080413-2105)] . . C:\WINDOWS\explorer.exe

[-] 2008-04-13 22:42:34 . 18B0915F58A5342AB0F3D01D57261E32 . 267264 . . [5.1.2600.5512 (xpsp.080413-2111)] . . C:\WINDOWS\regedit.exe

[-] 2008-04-28 09:22:50 . B5E8782D4AF1B3756F38E11E7C157BBE . 25088 . . [5.1.2600.5512 (xpsp.080413-2105)] . . C:\WINDOWS\system32\ctfmon.exe

[-] 2008-04-26 03:58:34 . BC298B78B311397B421D4D52B44B49EC . 1614848 . . [5.1.2600.5512 (xpsp.080413-2111)] . . C:\WINDOWS\system32\sfcfiles.dll

[-] 2008-04-28 09:19:18 . A913E1FF4C0BDA15FC542430182EB7B6 . 368640 . . [5.1.2600.5512 (xpsp.080413-0852)] . . C:\WINDOWS\system32\hnetcfg.dll

[-] 2008-04-28 09:19:42 . 66620EE56B0FFB1B267BD24ECF942A9B . 42496 . . [5.1.2600.5512 (xpsp.080413-0845)] . . C:\WINDOWS\system32\midimap.dll

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
@="{472083B0-C522-11CF-8763-00608CC02F24}"
[HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
2011-11-28 18:01:17 122512 ----a-w- C:\Program Files\AVAST Software\Avast\ashShell.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RocketDock"="C:\Program Files\RocketDock\RocketDock.exe" [2007-09-02 06:58:52 495616]
"AnalogClock"="C:\Program Files\Windows7\Analog Clock\AnalogClock.exe" [2005-11-05 06:10:06 480256]
"TopDesk"="C:\Program Files\Windows7\TopDesk\topdesk.exe" [2007-06-20 08:21:06 1912832]
"TransBar"="C:\Program Files\Windows7\TransBar\TransBar.exe" [2005-06-01 15:41:18 65536]
"UberIcon"="C:\Program Files\Windows7\UberIcon\UberIcon Manager.exe" [2006-05-21 03:43:08 180224]
"CursorFX"="C:\Program Files\Stardock\CursorFX\CursorFX.exe" [2008-07-07 15:46:45 416768]
"Advanced SystemCare 3"="C:\Program Files\IObit\Advanced SystemCare 3\AWC.exe" [2010-12-16 15:19:34 2402512]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"KRun"="C:\Program Files\Windows7\RunMe\RunMe.exe" [2007-04-06 14:15:40 518656]
"Visual Task Tips"="C:\Program Files\Windows7\VisualTaskTips\VisualTaskTips.exe" [2007-09-05 17:20:12 36352]
"Pie Dock"="C:\Program Files\Windows7\Windows 7 Pie Dock\Windows 7 Pie Dock.exe" [2007-09-02 06:12:18 586240]
"UFD Monitor"="C:\Program Files\TwinMOS\Mobile Disk V3.0\MobMon.exe" [2002-11-28 07:41:14 45056]
"UFD Utility"="C:\Program Files\TwinMOS\Mobile Disk V3.0\UsbTD.exe" [2002-12-04 03:37:20 413696]
"SoundMan"="SOUNDMAN.EXE" [2006-03-01 08:22:04 577536]
"WinampAgent"="C:\Program Files\Winamp\winampa.exe" [2007-05-14 22:22:22 35328]
"GrooveMonitor"="C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-26 17:47:42 31016]
"SiSUSBRG"="C:\WINDOWS\SiSUSBrg.exe" [2002-07-12 10:15:12 106496]
"SiSRaid"="C:\Program Files\Silicon Integrated Systems\SiSRaidPackage\SRaid.exe" [2005-05-18 07:44:08 905216]
"avast"="C:\Program Files\AVAST Software\Avast\avastUI.exe" [2011-11-28 18:01:24 3744552]
"SunJavaUpdateSched"="C:\Program Files\Common Files\Java\Java Update\jusched.exe" [2011-06-09 11:06:06 254696]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2008-04-28 09:22:50 25088]

C:\Documents and Settings\Marijana\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE [2006-10-26 98632]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Ralink Wireless Utility.lnk - C:\Program Files\RALINK\Common\RaUI.exe [2010-12-21 593920]
Utility Tray.lnk - C:\WINDOWS\system32\sistray.exe [2010-10-27 331776]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"ForceClassicControlPanel"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"C:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\Opera\\opera.exe"=
"C:\\Program Files\\Google\\Google Earth\\plugin\\geplugin.exe"=
"C:\\Program Files\\Java\\jre6\\bin\\java.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"7684:TCP"= 7684:TCP:kxtbs

R0 sptd;sptd;C:\WINDOWS\system32\drivers\sptd.sys [10/27/2010 6:01:01 AM 685816]
R0 Vax347b;Vax347b;C:\WINDOWS\system32\drivers\Vax347b.sys [10/27/2010 5:52:59 AM 159616]
R0 Vax347s;Vax347s;C:\WINDOWS\system32\drivers\Vax347s.sys [10/27/2010 5:52:59 AM 5248]
R1 aswSnx;aswSnx;C:\WINDOWS\system32\drivers\aswSnx.sys [9/3/2011 8:58:56 PM 435032]
R1 aswSP;aswSP;C:\WINDOWS\system32\drivers\aswSP.sys [9/3/2011 8:58:57 PM 314456]
R2 aswFsBlk;aswFsBlk;C:\WINDOWS\system32\drivers\aswFsBlk.sys [9/3/2011 8:58:57 PM 20568]
S2 alzoxgryh;Server Config;C:\WINDOWS\system32\svchost.exe -k netsvcs [4/13/2008 11:42:38 PM 14336]
S2 gupdate;Google Update Service (gupdate);C:\Program Files\Google\Update\GoogleUpdate.exe [12/26/2010 10:16:51 AM 136176]
S2 OxSer;PCI Serial Driver;C:\WINDOWS\system32\drivers\OxSer.sys [10/27/2010 8:02:41 AM 54584]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
alzoxgryh

Contents of the 'Scheduled Tasks' folder

2011-12-06 C:\WINDOWS\Tasks\GoogleUpdateTaskMachineCore.job
- C:\Program Files\Google\Update\GoogleUpdate.exe [2010-12-26 09:16:51 . 2010-12-26 09:16:47]

2011-12-06 C:\WINDOWS\Tasks\GoogleUpdateTaskMachineUA.job
- C:\Program Files\Google\Update\GoogleUpdate.exe [2010-12-26 09:16:51 . 2010-12-26 09:16:47]

2011-12-06 C:\WINDOWS\Tasks\GoogleUpdateTaskUserS-1-5-21-527237240-1343024091-1417001333-1003Core.job
- C:\Documents and Settings\Marijana\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-09-03 01:53:19 . 2011-08-05 15:48:49]

2011-12-06 C:\WINDOWS\Tasks\GoogleUpdateTaskUserS-1-5-21-527237240-1343024091-1417001333-1003UA.job
- C:\Documents and Settings\Marijana\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-09-03 01:53:19 . 2011-08-05 15:48:49]

2011-12-06 C:\WINDOWS\Tasks\User_Feed_Synchronization-{578B29E4-648E-4140-82DC-CD9AB335F645}.job
- C:\WINDOWS\system32\msfeedssync.exe [2008-04-26 03:44:58 . 2009-03-08 02:31:54]

Update: 07 Dec 2011 11:25

Just to note, last night I ran ComboFix twice; the first time it ran for a long time, and then I ran it a second time and stopped it after half an hour because I had things to do.... this morning I ran it again and again it said Preparing Log Report..... and it stayed like that for about an hour. Here is the report from that scan again:

ComboFix 11-12-06.01 - Marijana 12/07/2011 9:56:55.11.1 - x86 NETWORK
Microsoft Windows XP Professional 5.1.2600.3.1250.381.1033.18.1503.1124 [GMT 1:00]
Running from: C:\Documents and Settings\Marijana\Desktop\ComboFix.exe
AV: avast! Antivirus *Disabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\CSC\d6
C:\WINDOWS\pkunzip.pif
C:\WINDOWS\pkzip.pif

-- Previous Run --

C:\WINDOWS\system32\midimap.dll . . . is infected!!

-- Previous Run --

C:\WINDOWS\system32\midimap.dll . . . is infected!!

--------

C:\WINDOWS\system32\midimap.dll . . . is infected!!

--------

C:\WINDOWS\system32\midimap.dll . . . is infected!!


((((((((((((((((((((((((( Files Created from 2011-11-07 to 2011-12-07 )))))))))))))))))))))))))))))))


.


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2011-11-28 18:01:25 . 2011-09-03 19:58:44 41184 ----a-w- C:\WINDOWS\avastSS.scr
2011-11-28 18:01:23 . 2011-09-03 19:58:44 199816 ----a-w- C:\WINDOWS\system32\aswBoot.exe
2011-11-28 17:53:53 . 2011-09-03 19:58:56 435032 ----a-w- C:\WINDOWS\system32\drivers\aswSnx.sys
2011-11-28 17:53:35 . 2011-09-03 19:58:57 314456 ----a-w- C:\WINDOWS\system32\drivers\aswSP.sys
2011-11-28 17:52:19 . 2011-09-03 19:58:56 34392 ----a-w- C:\WINDOWS\system32\drivers\aswRdr.sys
2011-11-28 17:52:16 . 2011-09-03 19:58:56 52952 ----a-w- C:\WINDOWS\system32\drivers\aswTdi.sys
2011-11-28 17:52:02 . 2011-09-03 19:58:56 111320 ----a-w- C:\WINDOWS\system32\drivers\aswmon2.sys
2011-11-28 17:51:59 . 2011-09-03 19:58:56 105176 ----a-w- C:\WINDOWS\system32\drivers\aswmon.sys
2011-11-28 17:51:50 . 2011-09-03 19:58:57 20568 ----a-w- C:\WINDOWS\system32\drivers\aswFsBlk.sys
2011-11-28 17:48:49 . 2011-09-03 19:58:56 30808 ----a-w- C:\WINDOWS\system32\drivers\aavmker4.sys
2011-10-10 14:22:41 . 2010-10-27 04:03:56 692736 ----a-w- C:\WINDOWS\system32\inetcomm.dll
2011-10-03 03:06:03 . 2011-01-25 13:30:54 472808 ----a-w- C:\WINDOWS\system32\deployJava1.dll
2011-10-03 00:37:52 . 2011-01-25 13:30:54 73728 ----a-w- C:\WINDOWS\system32\javacpl.cpl
2011-09-28 07:06:50 . 2008-04-13 22:41:52 599040 ----a-w- C:\WINDOWS\system32\crypt32.dll
2011-09-26 09:41:20 . 2011-09-26 09:41:20 611328 ------w- C:\WINDOWS\system32\uiautomationcore.dll
2011-09-26 09:41:20 . 2004-08-04 12:00:00 220160 ----a-w- C:\WINDOWS\system32\oleacc.dll
2011-09-26 09:41:14 . 2004-08-04 12:00:00 20480 ----a-w- C:\WINDOWS\system32\oleaccrc.dll
2011-09-09 08:35:41 . 2011-09-09 08:35:41 388096 ----a-r- C:\Documents and Settings\Marijana\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2011-11-10 22:09:19 . 2011-09-03 02:09:11 134104 ----a-w- C:\Program Files\mozilla firefox\components\browsercomps.dll


------- Sigcheck -------
Note: Unsigned files aren't necessarily malware.

[-] 2008-04-28 09:18:38 . CB75214525D36F923D3948DA3CD1562D . 1390080 . . [2001.12.4414.700] . . C:\WINDOWS\system32\comres.dll

[-] 2008-04-28 09:24:10 . A55B8899D2EA2E800061BCFD456E34DC . 547328 . . [5.1.2600.5512 (xpsp.080413-2113)] . . C:\WINDOWS\system32\winlogon.exe

[7] 2008-04-13 22:42:52 . D7075E95AA599EE77B7A89D39296BD3D . 343040 . . [7.0.2600.5512 (xpsp.080413-2111)] . . C:\WINDOWS\WinSxS\x86_Microsoft.Windows.CPlusPlusRuntime_6595b64144ccf1df_7.0.2600.5512_x-ww_3fd60d63\msvcrt.dll
[-] 2008-03-20 18:36:10 . 1CA39C7E1423FF8821664E0E06FEA55E . 343040 . . [7.0.2600.5508 (xpsp.080320-1628-)] . . C:\WINDOWS\system32\msvcrt.dll
[7] 2004-08-04 12:00:00 . 4200BE3808F6406DBE45A7B88DAE5035 . 322560 . . [7.0.2600.0 (xpclient.010817-1148-)] . . C:\WINDOWS\WinSxS\x86_Microsoft.Windows.CPlusPlusRuntime_6595b64144ccf1df_7.0.0.0_x-ww_2726e76a\msvcrt.dll

[-] 2008-03-20 18:36:16 . F92D8964B5286DE225BD2B6BF89764BE . 578560 . . [5.1.2600.5508 (xpsp.080320-1622)] . . C:\WINDOWS\system32\user32.dll

[-] 2008-08-18 18:17:14 . 4A90F51B778FA0157F60D206E8B37D2A . 1616384 . . [6.00.2900.5512 (xpsp.080413-2105)] . . C:\WINDOWS\explorer.exe

[-] 2008-04-13 22:42:34 . 18B0915F58A5342AB0F3D01D57261E32 . 267264 . . [5.1.2600.5512 (xpsp.080413-2111)] . . C:\WINDOWS\regedit.exe

[-] 2008-04-28 09:22:50 . B5E8782D4AF1B3756F38E11E7C157BBE . 25088 . . [5.1.2600.5512 (xpsp.080413-2105)] . . C:\WINDOWS\system32\ctfmon.exe

[-] 2008-04-26 03:58:34 . BC298B78B311397B421D4D52B44B49EC . 1614848 . . [5.1.2600.5512 (xpsp.080413-2111)] . . C:\WINDOWS\system32\sfcfiles.dll

[-] 2008-04-28 09:19:18 . A913E1FF4C0BDA15FC542430182EB7B6 . 368640 . . [5.1.2600.5512 (xpsp.080413-0852)] . . C:\WINDOWS\system32\hnetcfg.dll

[-] 2008-04-28 09:19:42 . 66620EE56B0FFB1B267BD24ECF942A9B . 42496 . . [5.1.2600.5512 (xpsp.080413-0845)] . . C:\WINDOWS\system32\midimap.dll

((((((((((((((((((((((((((((( SnapShot_2011-12-06_20.01.16 )))))))))))))))))))))))))))))))))))))))))

+ 2011-12-07 09:07:21 . 2011-12-07 09:07:21 16384 C:\WINDOWS\temp\Perflib_Perfdata_54c.dat

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
@="{472083B0-C522-11CF-8763-00608CC02F24}"
[HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
2011-11-28 18:01:17 122512 ----a-w- C:\Program Files\AVAST Software\Avast\ashShell.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RocketDock"="C:\Program Files\RocketDock\RocketDock.exe" [2007-09-02 06:58:52 495616]
"AnalogClock"="C:\Program Files\Windows7\Analog Clock\AnalogClock.exe" [2005-11-05 06:10:06 480256]
"TopDesk"="C:\Program Files\Windows7\TopDesk\topdesk.exe" [2007-06-20 08:21:06 1912832]
"TransBar"="C:\Program Files\Windows7\TransBar\TransBar.exe" [2005-06-01 15:41:18 65536]
"UberIcon"="C:\Program Files\Windows7\UberIcon\UberIcon Manager.exe" [2006-05-21 03:43:08 180224]
"CursorFX"="C:\Program Files\Stardock\CursorFX\CursorFX.exe" [2008-07-07 15:46:45 416768]
"Advanced SystemCare 3"="C:\Program Files\IObit\Advanced SystemCare 3\AWC.exe" [2010-12-16 15:19:34 2402512]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"KRun"="C:\Program Files\Windows7\RunMe\RunMe.exe" [2007-04-06 14:15:40 518656]
"Visual Task Tips"="C:\Program Files\Windows7\VisualTaskTips\VisualTaskTips.exe" [2007-09-05 17:20:12 36352]
"Pie Dock"="C:\Program Files\Windows7\Windows 7 Pie Dock\Windows 7 Pie Dock.exe" [2007-09-02 06:12:18 586240]
"UFD Monitor"="C:\Program Files\TwinMOS\Mobile Disk V3.0\MobMon.exe" [2002-11-28 07:41:14 45056]
"UFD Utility"="C:\Program Files\TwinMOS\Mobile Disk V3.0\UsbTD.exe" [2002-12-04 03:37:20 413696]
"SoundMan"="SOUNDMAN.EXE" [2006-03-01 08:22:04 577536]
"WinampAgent"="C:\Program Files\Winamp\winampa.exe" [2007-05-14 22:22:22 35328]
"GrooveMonitor"="C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-26 17:47:42 31016]
"SiSUSBRG"="C:\WINDOWS\SiSUSBrg.exe" [2002-07-12 10:15:12 106496]
"SiSRaid"="C:\Program Files\Silicon Integrated Systems\SiSRaidPackage\SRaid.exe" [2005-05-18 07:44:08 905216]
"avast"="C:\Program Files\AVAST Software\Avast\avastUI.exe" [2011-11-28 18:01:24 3744552]
"SunJavaUpdateSched"="C:\Program Files\Common Files\Java\Java Update\jusched.exe" [2011-06-09 11:06:06 254696]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2008-04-28 09:22:50 25088]

C:\Documents and Settings\Marijana\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE [2006-10-26 98632]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Ralink Wireless Utility.lnk - C:\Program Files\RALINK\Common\RaUI.exe [2010-12-21 593920]
Utility Tray.lnk - C:\WINDOWS\system32\sistray.exe [2010-10-27 331776]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"ForceClassicControlPanel"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"C:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\Opera\\opera.exe"=
"C:\\Program Files\\Google\\Google Earth\\plugin\\geplugin.exe"=
"C:\\Program Files\\Java\\jre6\\bin\\java.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"7684:TCP"= 7684:TCP:kxtbs

R0 sptd;sptd;C:\WINDOWS\system32\drivers\sptd.sys [10/27/2010 6:01:01 AM 685816]
R0 Vax347b;Vax347b;C:\WINDOWS\system32\drivers\Vax347b.sys [10/27/2010 5:52:59 AM 159616]
R0 Vax347s;Vax347s;C:\WINDOWS\system32\drivers\Vax347s.sys [10/27/2010 5:52:59 AM 5248]
R1 aswSnx;aswSnx;C:\WINDOWS\system32\drivers\aswSnx.sys [9/3/2011 8:58:56 PM 435032]
R1 aswSP;aswSP;C:\WINDOWS\system32\drivers\aswSP.sys [9/3/2011 8:58:57 PM 314456]
R2 aswFsBlk;aswFsBlk;C:\WINDOWS\system32\drivers\aswFsBlk.sys [9/3/2011 8:58:57 PM 20568]
S2 alzoxgryh;Server Config;C:\WINDOWS\system32\svchost.exe -k netsvcs [4/13/2008 11:42:38 PM 14336]
S2 gupdate;Google Update Service (gupdate);C:\Program Files\Google\Update\GoogleUpdate.exe [12/26/2010 10:16:51 AM 136176]
S2 OxSer;PCI Serial Driver;C:\WINDOWS\system32\drivers\OxSer.sys [10/27/2010 8:02:41 AM 54584]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
alzoxgryh

Contents of the 'Scheduled Tasks' folder

2011-12-07 C:\WINDOWS\Tasks\GoogleUpdateTaskMachineCore.job
- C:\Program Files\Google\Update\GoogleUpdate.exe [2010-12-26 09:16:51 . 2010-12-26 09:16:47]

2011-12-06 C:\WINDOWS\Tasks\GoogleUpdateTaskMachineUA.job
- C:\Program Files\Google\Update\GoogleUpdate.exe [2010-12-26 09:16:51 . 2010-12-26 09:16:47]

2011-12-06 C:\WINDOWS\Tasks\GoogleUpdateTaskUserS-1-5-21-527237240-1343024091-1417001333-1003Core.job
- C:\Documents and Settings\Marijana\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-09-03 01:53:19 . 2011-08-05 15:48:49]

2011-12-07 C:\WINDOWS\Tasks\GoogleUpdateTaskUserS-1-5-21-527237240-1343024091-1417001333-1003UA.job
- C:\Documents and Settings\Marijana\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-09-03 01:53:19 . 2011-08-05 15:48:49]

2011-12-07 C:\WINDOWS\Tasks\User_Feed_Synchronization-{578B29E4-648E-4140-82DC-CD9AB335F645}.job
- C:\WINDOWS\system32\msfeedssync.exe [2008-04-26 03:44:58 . 2009-03-08 02:31:54]

offline
  • Joined: 26 Aug 2010
  • Posts: 10622
  • Location: Hypnos Control Room, Tokyo Metropolitan Government Building

Send the file C:\WINDOWS\system32\midimap.dll via the following link

http://www.mycity.rs/ambulanta-upload.php

offline
  • Joined: 04 Sep 2011
  • Posts: 21
  • Location: apatin

I have sent the file.

offline
  • Joined: 26 Aug 2010
  • Posts: 10622
  • Location: Hypnos Control Room, Tokyo Metropolitan Government Building

Open Notepad and copy the following text into it:

KillAll::

Driver::
alzoxgryh

NetSvc::
alzoxgryh

Registry::
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"7684:TCP"=-

FCopy::
C:\Documents and Settings\Marijana\Desktop\midimap.dll|C:\WINDOWS\system32\midimap.dll


Save the file from Notepad to the Desktop as "CFScript"

Drag the saved script/text onto the ComboFix icon, as shown in the picture.
Post in your next message the log that is produced at the end of the cleaning/scan.
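The CFScript above targets three things visible in the posted ComboFix log: a service with a random-looking name (alzoxgryh) that is hosted by `svchost.exe -k netsvcs` and has been added to the NetSvcs group, the Windows Firewall switched off (`EnableFirewall`=0), and a globally opened TCP port (7684:TCP:kxtbs) that nothing legitimate on the machine accounts for. The following script is an added example, written for this page and not code from the forum, the helper or ComboFix; it parses those "Reg Loading Points" lines and reports the same indicators a responder looks for before writing such a fix. `SAMPLE_LOG` is a constructed excerpt modelled on the log in the thread, and `KNOWN_NETSVCS` is an assumed, illustrative subset of services that legitimately run in the XP netsvcs group, not a complete baseline.

```python
import re

# Constructed sample, modelled on the ComboFix "Reg Loading Points" lines
# posted in the thread above; a real run would read the full log file.
SAMPLE_LOG = r"""
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"7684:TCP"= 7684:TCP:kxtbs

R1 aswSP;aswSP;C:\WINDOWS\system32\drivers\aswSP.sys [9/3/2011 8:58:57 PM 314456]
S2 alzoxgryh;Server Config;C:\WINDOWS\system32\svchost.exe -k netsvcs [4/13/2008 11:42:38 PM 14336]
S2 gupdate;Google Update Service (gupdate);C:\Program Files\Google\Update\GoogleUpdate.exe [12/26/2010 10:16:51 AM 136176]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
alzoxgryh
"""

# Illustrative subset of services that legitimately live in the XP "netsvcs"
# svchost group. This is an assumption for the example, not a complete list.
KNOWN_NETSVCS = {
    "AudioSrv", "BITS", "Browser", "CryptSvc", "Dhcp", "dmserver", "ERSvc",
    "EventSystem", "helpsvc", "lanmanserver", "lanmanworkstation", "Netman",
    "Nla", "RasMan", "Schedule", "seclogon", "SENS", "SharedAccess",
    "ShellHWDetection", "srservice", "TapiSrv", "Themes", "TrkWks", "W32Time",
    "winmgmt", "wscsvc", "wuauserv", "WZCSVC", "xmlprov",
}

# "S2 name;display;image path [date size]" as ComboFix prints service entries.
SERVICE_LINE = re.compile(r"^([RS]\d)\s+([^;]+);([^;]*);(.*?)\s+\[[^\]]*\]\s*$")
NETSVCS_HOST = re.compile(r"svchost\.exe\s+-k\s+netsvcs\b", re.IGNORECASE)
FIREWALL_OFF = re.compile(r'"EnableFirewall"\s*=\s*0\b')
PORT_LINE = re.compile(r'^"(\d+:(?:TCP|UDP))"\s*=\s*(\S.*?)\s*$')
NETSVCS_HEADER = "Svchost - NetSvcs"


def parse_services(log):
    """Service/driver lines: start type, internal name, display name, image path."""
    services = []
    for raw in log.splitlines():
        m = SERVICE_LINE.match(raw.strip())
        if m:
            start, name, display, path = m.groups()
            services.append({"start": start, "name": name, "display": display, "path": path})
    return services


def parse_netsvcs(log):
    """Names listed under the 'Svchost - NetSvcs' header (ComboFix shows only non-default ones)."""
    names = set()
    lines = [ln.strip() for ln in log.splitlines()]
    for i, line in enumerate(lines):
        if line.endswith(NETSVCS_HEADER):
            for follow in lines[i + 1:]:
                if not follow:          # the list ends at the first blank line
                    break
                names.add(follow)
    return names


def firewall_disabled(log):
    """True when the standard-profile firewall value is reported as 0."""
    return FIREWALL_OFF.search(log) is not None


def open_ports(log):
    """(port spec, raw entry) pairs from the GloballyOpenPorts list."""
    ports = []
    for raw in log.splitlines():
        m = PORT_LINE.match(raw.strip())
        if m:
            ports.append((m.group(1), m.group(2)))
    return ports


def triage(log):
    """Return (category, detail) findings for the indicators the CFScript addresses."""
    findings = []
    netsvcs = parse_netsvcs(log)
    flagged = set()
    for svc in parse_services(log):
        # A service hosted in the netsvcs group whose name is not a known member.
        if NETSVCS_HOST.search(svc["path"]) and svc["name"] not in KNOWN_NETSVCS:
            flagged.add(svc["name"])
            note = "and listed in NetSvcs" if svc["name"] in netsvcs else "but absent from NetSvcs"
            findings.append(("suspicious-netsvcs-service",
                             f'{svc["start"]} {svc["name"]} ("{svc["display"]}") hosted by netsvcs svchost {note}'))
    for name in sorted(netsvcs - KNOWN_NETSVCS - flagged):
        findings.append(("unknown-netsvcs-entry", f"{name} added to the NetSvcs group without a matching service line"))
    if firewall_disabled(log):
        findings.append(("firewall-disabled", "EnableFirewall=0 in the standard profile"))
    for port, entry in open_ports(log):
        findings.append(("open-port", f"{port} globally opened as {entry}"))
    return findings


if __name__ == "__main__":
    for category, detail in triage(SAMPLE_LOG):
        print(f"[{category}] {detail}")
```

Run against the sample, the script reports one suspicious netsvcs-hosted service (alzoxgryh, also present in the NetSvcs list), the disabled firewall and the 7684:TCP entry; those are exactly the Driver::/NetSvc::, Registry EnableFirewall and GloballyOpenPorts lines in the script the helper posted. On a real log the allowlist should be replaced by a baseline taken from a known-clean machine of the same Windows build.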
