Posted: 07 Sep 2009 11:50
- Stekss
- New MyCity citizen
- Joined: 07 Sep 2009
- Posts: 13
I cleaned the computer with Malwarebytes and it found 60 files, which it deleted, but after restarting the computer everything came back. ComboFix also deleted a pile of files, but after the restart it was the same. I'm sending the HijackThis log; an Antivirus Pro 2010 window keeps popping up non-stop. Please help.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:39:14, on 7.9.2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\3S CoDeSys\GatewayPLC\GatewayService.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Danfoss Drives\VLT Motion Control Tool\MCT 10 Set-up Software\MCTServ.exe
C:\Program Files\Microsoft SQL Server\MSSQL$FLUKE\Binn\sqlservr.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Siemens\Step7\S7BIN\s7asysvx.exe
C:\Program Files\Common Files\Siemens\S7IEPG\s7oiehsx.exe
C:\Program Files\Common Files\Siemens\Automation\TraceEngine\bin\S7TraceServiceX.exe
C:\Program Files\Common Files\Siemens\sws\almsrv\almsrvx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\VTTimer.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\Program Files\Common Files\Siemens\S7ubtoox\s7ubtstx.exe
C:\Program Files\3S CoDeSys\GatewayPLC\GatewaySysTray.exe
C:\WINDOWS\system32\S3Trayp.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\sys32_nov.exe
C:\Program Files\KillSoft\FtpDrive\FtpDrive.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\Common Files\Siemens\Sqlany\dbsrv7.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\braviax.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\AntivirusPro_2010\AntivirusPro_2010.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Documents and Settings\Odrzavanje\Desktop\123.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = go.microsoft.com/fwlink/?LinkId=69157
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: PDFCreator Toolbar - {31CF9EBE-5755-4A1D-AC25-2834D952D9B4} - C:\Program Files\PDFCreator Toolbar\v3.3.0.1\PDFCreator_Toolbar.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [VTTimer] "VTTimer.exe"
O4 - HKLM\..\Run: [Apoint] "C:\Program Files\Apoint2K\Apoint.exe"
O4 - HKLM\..\Run: [S7UB Start] "C:\Program Files\Common Files\Siemens\S7ubtoox\s7ubtstx.exe" -StartDB
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [GatewaySysTray] "C:\Program Files\3S CoDeSys\GatewayPLC\GatewaySysTray.exe"
O4 - HKLM\..\Run: [S3Trayp] "S3Trayp.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [sys32_nov] C:\WINDOWS\system32\sys32_nov.exe
O4 - HKLM\..\Run: [Regedit32] C:\WINDOWS\system32\regedit.exe
O4 - HKLM\..\Run: [Antivirus Pro 2010] "C:\Program Files\AntivirusPro_2010\AntivirusPro_2010.exe" /hide
O4 - HKCU\..\Run: [SpybotSD TeaTimer] "C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe"
O4 - HKCU\..\Run: [FtpDrive] "C:\Program Files\KillSoft\FtpDrive\FtpDrive.exe"
O4 - HKCU\..\Run: [sys32_nov] C:\Documents and Settings\Odrzavanje\sys32_nov.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Procitaj.txt
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - update.microsoft.com/windowsupdate/v6/V5Con.....9297038328
O17 - HKLM\System\CCS\Services\Tcpip\..\{C0C53F1F-B894-4187-8C88-E30165556C08}: NameServer = 192.168.2.1
O23 - Service: Automation License Manager Service (almservice) - SIEMENS AG - C:\Program Files\Common Files\Siemens\sws\almsrv\almsrvx.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: CoDeSys Gateway V3 Version 3.1.3.1 (CoDeSys Gateway V3) - 3S-Smart Software Solutions GmbH - C:\Program Files\3S CoDeSys\GatewayPLC\GatewayService.exe
O23 - Service: CoDeSys SP Win V3 Version 3.1.3.0 (CoDeSys SP Win V3) - Unknown owner - C:\Program Files\3S CoDeSys\GatewayPLC\CoDeSysSPService.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: MCT10 Service - Unknown owner - C:\Program Files\Danfoss Drives\VLT Motion Control Tool\MCT 10 Set-up Software\MCTServ.exe
O23 - Service: Visibroker Activation Daemon (oad) - Unknown owner - C:\PROGRA~1\Borland\vbroker\bin\oad.exe
O23 - Service: OpcEnum - OPC Foundation - C:\WINDOWS\system32\OpcEnum.exe
O23 - Service: VisiBroker Smart Agent (osagent) - Unknown owner - C:\PROGRA~1\Borland\vbroker\bin\osagent.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: S7 Global Services (s7asysvx) - SIEMENS AG - C:\Program Files\Siemens\Step7\S7BIN\s7asysvx.exe
O23 - Service: SIMATIC IEPG Help Service (s7oiehsx) - SIEMENS AG - C:\Program Files\Common Files\Siemens\S7IEPG\s7oiehsx.exe
O23 - Service: S7TraceServiceX - SIEMENS AG - C:\Program Files\Common Files\Siemens\Automation\TraceEngine\bin\S7TraceServiceX.exe
O23 - Service: stunnel - Unknown owner - E:\LUKIC\stunnel-4.11.exe (file missing)
--
End of file - 7466 bytes
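The manual triage the helper does on the O4 lines of a HijackThis log can be mechanised. The script below is an added example, not part of the original post and not a HijackThis feature: it parses the `O4 - HK..\..\Run:` and `O4 - Global Startup:` entries and flags the patterns visible in the log above (an executable run straight from the user profile root, the same autostart name registered in two hives with different targets, a Run entry that launches `regedit.exe`, a `/hide` switch, a plain `.txt` in the all-users Startup folder). The sample lines are copied from the log in this post; the rogue keyword list and the admin-tool list are assumptions for illustration.

```python
"""Triage the O4 (autostart) entries of a HijackThis log.

Added example, not from the original forum post or from HijackThis.
The heuristics and the indicator lists are assumptions for illustration.
"""
import re
from collections import defaultdict

# Constructed sample: a subset of the O4 lines from the HijackThis log above.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [Apoint] "C:\Program Files\Apoint2K\Apoint.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [sys32_nov] C:\WINDOWS\system32\sys32_nov.exe
O4 - HKLM\..\Run: [Regedit32] C:\WINDOWS\system32\regedit.exe
O4 - HKLM\..\Run: [Antivirus Pro 2010] "C:\Program Files\AntivirusPro_2010\AntivirusPro_2010.exe" /hide
O4 - HKCU\..\Run: [SpybotSD TeaTimer] "C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe"
O4 - HKCU\..\Run: [sys32_nov] C:\Documents and Settings\Odrzavanje\sys32_nov.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Procitaj.txt
"""

RUN_LINE = re.compile(r'^O4 - (?P<hive>HK\S+?)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<rest>.+)$')
STARTUP_LINE = re.compile(r'^O4 - Global Startup: (?P<name>.+?)(?: = (?P<target>.+))?$')

# Assumed indicator lists for this thread's infection; extend per case.
ROGUE_KEYWORDS = ('antiviruspro', 'braviax')
ADMIN_TOOLS = {'regedit.exe', 'cmd.exe', 'rundll32.exe', 'regsvr32.exe'}


def split_command(rest):
    """Split an O4 command into (path, args). HijackThis quotes some paths, not all."""
    rest = rest.strip()
    if rest.startswith('"'):
        end = rest.find('"', 1)
        return rest[1:end], rest[end + 1:].strip()
    m = re.match(r'(?i)^(.+?\.(?:exe|com|bat|scr|pif|vbs|dll))(?:\s+(.*))?$', rest)
    return (m.group(1), m.group(2) or '') if m else (rest, '')


def parse_o4(text):
    """Return a list of {hive, name, path, args} dicts for every O4 entry."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        m = RUN_LINE.match(line)
        if m:
            path, args = split_command(m['rest'])
            entries.append({'hive': m['hive'], 'name': m['name'], 'path': path, 'args': args})
            continue
        m = STARTUP_LINE.match(line)
        if m:
            entries.append({'hive': 'Startup', 'name': m['name'],
                            'path': m['target'] or m['name'], 'args': ''})
    return entries


def triage_o4(text):
    """Return {entry name: [(hive, path, [reasons]), ...]} for entries worth a closer look."""
    entries = parse_o4(text)
    paths_by_name = defaultdict(set)
    for e in entries:
        paths_by_name[e['name'].lower()].add(e['path'].lower())
    findings = defaultdict(list)
    for e in entries:
        path_l, name_l = e['path'].lower(), e['name'].lower()
        parts = path_l.split('\\')
        base = parts[-1]
        reasons = []
        # 1. Executable dropped straight into a user profile root or Desktop, not Program Files.
        if parts[:2] == ['c:', 'documents and settings'] and \
                (len(parts) == 4 or (len(parts) > 3 and parts[3] == 'desktop')):
            reasons.append('runs from user profile root/Desktop')
        # 2. Same autostart name in several hives pointing at different files (redundant persistence).
        if len(paths_by_name[name_l]) > 1:
            reasons.append('same name in multiple hives with different paths')
        # 3. A logon autostart that launches a built-in admin tool; Windows never registers this itself.
        if base in ADMIN_TOOLS:
            reasons.append(f'autostart launches admin tool {base}')
        # 4. Started with a hide switch.
        if '/hide' in e['args'].lower():
            reasons.append('started with /hide')
        # 5. Matches a known rogue indicator for this case (assumed list).
        if any(k in path_l or k in name_l for k in ROGUE_KEYWORDS):
            reasons.append('matches known rogue indicator')
        # 6. A file that is neither a shortcut nor an executable in the all-users Startup folder.
        if e['hive'] == 'Startup' and not base.endswith(('.lnk', '.exe')):
            reasons.append('non-shortcut file in Global Startup')
        if reasons:
            findings[e['name']].append((e['hive'], e['path'], reasons))
    return dict(findings)


if __name__ == '__main__':
    for name, hits in triage_o4(SAMPLE_LOG).items():
        for hive, path, reasons in hits:
            print(f'{name:22} {hive:14} {path}\n    -> ' + '; '.join(reasons))
```

Run against the full log, the script returns exactly the four entries the helper would ask about (`sys32_nov` twice, `Regedit32`, `Antivirus Pro 2010`, `Procitaj.txt`) and leaves the Siemens, Java, HP and ctfmon entries alone. It only reads the log; the decision what to remove stays with the analyst.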
Posted: 07 Sep 2009 14:15
- helen1
- Anti Malware Fighter, Rank 2
- Joined: 27 Aug 2005
- Posts: 8620
- Location: Novi Beograd
Post that ComboFix log for me if you still have it.
Posted: 07 Sep 2009 14:26
- Stekss
- New MyCity citizen
- Joined: 07 Sep 2009
- Posts: 13
This is what was left in c:\Combofix, since I didn't run ComboFix in
ComboFix 09-09-06.04 - Odrzavanje 07.09.2009 11:12:34.3.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.446.188 [GMT 2:00]
Running from: C:\Documents and Settings\Odrzavanje\Desktop\ComboFix.exe
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\WINDOWS\system32\dllcache\beep.sys
C:\WINDOWS\system32\dllcache\figaro.sys
C:\WINDOWS\system32\wisdstr.exe
C:\WINDOWS\system32\drivers\beep.sys . . . is infected!!
.
((((((((((((((((((((((((( Files Created from 2009-08-07 to 2009-09-07 )))))))))))))))))))))))))))))))
.
2009-09-07 09:21:21 . 2006-02-28 12:00:00 4224 ----a-w- C:\WINDOWS\system32\drivers\beep.sys
2009-09-02 04:57:49 . 2009-09-02 04:57:49 29216 ----a-w- C:\WINDOWS\system32\sys32_nov.exe
2009-08-10 12:52:27 . 2009-08-10 12:52:27 0 d-----w- C:\WINDOWS\Sun
2009-08-10 12:50:55 . 2009-08-10 12:50:36 411368 ----a-w- C:\WINDOWS\system32\deploytk.dll
2009-08-10 12:50:28 . 2009-08-10 12:50:28 0 d-----w- C:\Program Files\Java
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-09-07 07:37:15 . 2007-05-16 10:59:27 0 d-----w- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2009-08-05 06:19:10 . 2008-02-21 07:54:30 0 d-----w- C:\Program Files\FreeCommander
2009-07-30 11:05:31 . 2009-07-30 11:05:31 0 d-----w- C:\Program Files\TrebingHimstedt
2009-07-30 11:05:19 . 2009-07-30 11:05:19 0 d-----w- C:\Program Files\Common Files\Softing
2009-07-30 11:04:38 . 2009-07-30 11:04:38 0 d-----w- C:\Program Files\PF_Activation_Tool
2009-07-30 11:04:38 . 2009-07-30 11:03:56 0 d-----w- C:\Program Files\Common Files\CWGenericFDT
2009-07-30 11:04:38 . 2009-07-30 11:03:07 0 d-----w- C:\Program Files\Common Files\DTMstudioPB
2009-07-30 11:04:36 . 2009-07-30 11:04:36 0 d-----w- C:\Program Files\Common Files\Pepperl+Fuchs GmbH
2009-07-30 11:04:34 . 2009-07-30 11:04:34 0 d-----w- C:\Program Files\Pepperl+Fuchs
2009-07-30 11:03:45 . 2009-07-30 11:03:45 0 d-----w- C:\Program Files\Common Files\OPC Foundation
2009-07-30 11:03:43 . 2009-07-30 11:00:05 0 d-----w- C:\Program Files\Endress+Hauser
2009-07-30 11:03:09 . 2009-07-30 11:03:09 0 d-----w- C:\Program Files\Common Files\DTMstudio
2009-07-30 11:03:09 . 2009-07-30 11:03:09 0 d-----w- C:\Program Files\Common Files\CWLicServer
2009-07-30 11:02:51 . 2009-07-30 11:02:51 0 d-----w- C:\Program Files\Common Files\_is Common
2009-07-30 11:02:46 . 2009-07-30 11:02:46 0 d-----w- C:\Program Files\Common Files\CodeWrights
2009-07-30 11:01:02 . 2009-07-30 11:01:02 86016 ----a-w- C:\WINDOWS\system32\OdbcJdbcSetup.dll
2009-07-30 11:01:02 . 2009-07-30 11:01:02 225280 ----a-w- C:\WINDOWS\system32\IscDbc.dll
2009-07-30 11:01:02 . 2009-07-30 11:01:02 200704 ----a-w- C:\WINDOWS\system32\OdbcJdbc.dll
2009-07-20 12:26:38 . 2009-07-20 12:24:29 0 d-----w- C:\Program Files\MSI Card Reader
2009-07-20 12:24:27 . 2007-05-16 06:09:23 0 d--h--w- C:\Program Files\InstallShield Installation Information
2009-07-20 12:05:53 . 2009-07-20 12:05:53 0 d-----w- C:\Program Files\MUP RS
2009-07-17 11:47:47 . 2009-07-17 11:47:47 0 d-----w- C:\Program Files\Common Files\Business Objects
2009-07-17 11:47:43 . 2009-07-17 11:47:43 0 d-----w- C:\Program Files\Fluke
2009-07-17 11:44:09 . 2009-07-17 11:44:09 0 d-----w- C:\Program Files\Microsoft SQL Server
2009-07-16 07:52:59 . 2009-07-16 07:52:59 0 d-----w- C:\Program Files\Compaq
2009-06-03 21:52:57 . 2009-06-03 21:52:57 18180 ----a-w- C:\Program Files\Common Files\somezyh.exe
2009-06-03 21:48:49 . 2009-06-03 21:48:49 18084 ----a-w- C:\Program Files\Common Files\otez.exe
2009-06-03 21:48:49 . 2009-06-03 21:48:49 13677 ----a-w- C:\Program Files\Common Files\sasaluko.db
2009-06-03 15:20:03 . 2009-06-03 15:20:03 18732 ----a-w- C:\Program Files\Common Files\amihiv.lib
2009-06-03 14:31:08 . 2009-06-03 14:31:08 19892 ----a-w- C:\Program Files\Common Files\uvico.lib
2009-06-03 14:31:08 . 2009-06-03 14:31:08 13152 ----a-w- C:\Program Files\Common Files\ihuborehyp.dat
2009-06-03 14:31:08 . 2009-06-03 14:31:08 12913 ----a-w- C:\Program Files\Common Files\ulusecevak.db
2008-03-03 07:05:27 . 2008-03-03 07:05:27 14290 ----a-w- C:\Program Files\settings.dat
2007-06-21 11:33:31 . 2007-06-21 11:33:31 35328 ----a-w- C:\Program Files\winbox.exe
2008-02-02 10:07:52 . 2008-02-21 11:25:44 67696 ----a-w- C:\Program Files\mozilla firefox\components\jar50.dll
2008-02-02 10:07:52 . 2008-02-21 11:25:44 54376 ----a-w- C:\Program Files\mozilla firefox\components\jsd3250.dll
2008-02-02 10:07:53 . 2008-02-21 11:25:44 34952 ----a-w- C:\Program Files\mozilla firefox\components\myspell.dll
2008-02-02 10:07:54 . 2008-02-21 11:25:44 46720 ----a-w- C:\Program Files\mozilla firefox\components\spellchk.dll
2008-02-02 10:07:55 . 2008-02-21 11:25:44 172144 ----a-w- C:\Program Files\mozilla firefox\components\xpinstal.dll
.
------- Sigcheck -------
[-] 5FD32526EDA7ED3ADB2E077B8255A566 [------] C:\WINDOWS\system32\dllcache\beep.sys
[-] 5FD32526EDA7ED3ADB2E077B8255A566 [------] C:\WINDOWS\system32\drivers\beep.sys
.
((((((((((((((((((((((((((((( SnapShot@2009-09-07_07.25.44 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-09-07 09:23:45 . 2009-09-07 09:23:45 16384 C:\WINDOWS\temp\Perflib_Perfdata_234.dat
+ 2009-09-07 09:23:42 . 2009-09-07 09:23:42 16384 C:\WINDOWS\temp\Perflib_Perfdata_1b0.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 14:07:20 2260480]
"FtpDrive"="C:\Program Files\KillSoft\FtpDrive\FtpDrive.exe" [2006-11-05 23:44:48 300653]
"sys32_nov"="C:\Documents and Settings\Odrzavanje\sys32_nov.exe" [BU]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2006-02-28 12:00:00 15360]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Apoint"="C:\Program Files\Apoint2K\Apoint.exe" [2005-04-16 15:08:00 172032]
"S7UB Start"="C:\Program Files\Common Files\Siemens\S7ubtoox\s7ubtstx.exe" [2003-12-17 22:20:12 110645]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 21:16:38 39792]
"GatewaySysTray"="C:\Program Files\3S CoDeSys\GatewayPLC\GatewaySysTray.exe" [2007-12-13 18:46:34 311409]
"SunJavaUpdateSched"="C:\Program Files\Java\jre6\bin\jusched.exe" [2009-08-10 12:50:37 149280]
"sys32_nov"="C:\WINDOWS\system32\sys32_nov.exe" [2009-09-02 04:57:49 29216]
"VTTimer"="VTTimer.exe" - C:\WINDOWS\system32\VTTimer.exe [2006-08-03 12:53:02 53248]
"S3Trayp"="S3Trayp.exe" - C:\WINDOWS\system32\S3Trayp.exe [2006-07-11 00:33:16 176128]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2006-02-28 12:00:00 15360]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2007-3-11 210520]
Procitaj.txt [2009-6-4 199]
Service Manager.lnk - C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe [2002-12-17 74308]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"ForceClassicControlPanel"= 1 (0x1)
Posted: 07 Sep 2009 14:30
- helen1
- Anti Malware Fighter, Rank 2
- Joined: 27 Aug 2005
- Posts: 8620
- Location: Novi Beograd
This is not the whole log. Copy it for me properly.
Posted: 07 Sep 2009 15:08
- helen1
- Anti Malware Fighter, Rank 2
- Joined: 27 Aug 2005
- Posts: 8620
- Location: Novi Beograd
Don't do anything else that I haven't told you to do.
Scan once more with ComboFix in Normal Mode.
Post the log for me and then wait.
Posted: 07 Sep 2009 16:57
- Stekss
- New MyCity citizen
- Joined: 07 Sep 2009
- Posts: 13
I had to rename Combofix.exe to 1234.exe because it wouldn't start. Here is the log.
ComboFix 09-09-06.04 - Odrzavanje 07.09.2009 16:21.4.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.446.113 [GMT 2:00]
Running from: c:\documents and settings\Odrzavanje\Desktop\1234.exe
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\documents and settings\All Users\Documents\emet.dl
c:\documents and settings\Odrzavanje\Application Data\juripir.pif
c:\documents and settings\Odrzavanje\Application Data\Microsoft\Internet Explorer\Quick Launch\AntivirusPro_2010.lnk
c:\documents and settings\Odrzavanje\Cookies\itimohise.bin
c:\documents and settings\Odrzavanje\Cookies\ivub.pif
c:\documents and settings\Odrzavanje\Cookies\zicerad.bin
c:\documents and settings\Odrzavanje\Local Settings\Application Data\ipew.ban
c:\documents and settings\Odrzavanje\oashdihasidhasuidhiasdhiashdiuasdhasd
c:\program files\Common Files\enacapefyd.reg
c:\program files\Common Files\ihygavyfe.bat
c:\windows\amyd.reg
c:\windows\aqizitasot.bat
c:\windows\braviax.exe
c:\windows\cru629.dat
c:\windows\qerico.inf
c:\windows\system32\_scui.cpl
c:\windows\system32\braviax.exe
c:\windows\system32\cru629.dat
c:\windows\system32\dllcache\beep.sys
c:\windows\system32\dllcache\figaro.sys
c:\windows\system32\purewuviqu.reg
c:\windows\system32\wisdstr.exe
c:\windows\system32\ypyser.bin
c:\windows\xesis.vbs
.
---- Previous Run -------
.
c:\windows\system32\dllcache\beep.sys
c:\windows\system32\dllcache\figaro.sys
c:\windows\system32\wisdstr.exe
c:\windows\system32\drivers\beep.sys . . . is infected!!
Infected copy of c:\windows\system32\drivers\beep.sys was found and disinfected
Restored copy from - c:\system volume information\_restore{6EE2268B-AB94-4A1D-8654-7F7088B2CBF8}\RP2\A0000279.sys
.
((((((((((((((((((((((((( Files Created from 2009-08-07 to 2009-09-07 )))))))))))))))))))))))))))))))
.
2009-09-07 09:28 . 2009-09-07 09:30 -------- d-----w- c:\program files\AntivirusPro_2010
2009-09-07 09:21 . 2006-02-28 12:00 4224 ----a-w- c:\windows\system32\drivers\beep.sys
2009-09-07 09:08 . 2009-09-07 14:20 -------- d-s---w- C:\ComboFix
2009-09-02 04:57 . 2009-09-02 04:57 29216 ----a-w- c:\windows\system32\sys32_nov.exe
2009-08-10 12:52 . 2009-08-10 12:52 -------- d-----w- c:\windows\Sun
2009-08-10 12:50 . 2009-08-10 12:50 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-08-10 12:50 . 2009-08-10 12:50 -------- d-----w- c:\program files\Java
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-09-07 09:28 . 2009-09-07 09:28 14960 ----a-w- c:\documents and settings\All Users\Application Data\ocodac.dat
2009-09-07 07:37 . 2007-05-16 10:59 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-08-05 06:19 . 2008-02-21 07:54 -------- d-----w- c:\program files\FreeCommander
2009-07-30 11:05 . 2009-07-30 11:05 -------- d-----w- c:\program files\TrebingHimstedt
2009-07-30 11:05 . 2009-07-30 11:05 -------- d-----w- c:\program files\Common Files\Softing
2009-07-30 11:04 . 2009-07-30 11:04 -------- d-----w- c:\program files\PF_Activation_Tool
2009-07-30 11:04 . 2009-07-30 11:03 -------- d-----w- c:\program files\Common Files\CWGenericFDT
2009-07-30 11:04 . 2009-07-30 11:03 -------- d-----w- c:\program files\Common Files\DTMstudioPB
2009-07-30 11:04 . 2009-07-30 11:04 -------- d-----w- c:\program files\Common Files\Pepperl+Fuchs GmbH
2009-07-30 11:04 . 2009-07-30 11:04 -------- d-----w- c:\program files\Pepperl+Fuchs
2009-07-30 11:03 . 2009-07-30 11:03 -------- d-----w- c:\program files\Common Files\OPC Foundation
2009-07-30 11:03 . 2009-07-30 11:00 -------- d-----w- c:\program files\Endress+Hauser
2009-07-30 11:03 . 2009-07-30 11:03 -------- d-----w- c:\program files\Common Files\DTMstudio
2009-07-30 11:03 . 2009-07-30 11:03 -------- d-----w- c:\program files\Common Files\CWLicServer
2009-07-30 11:02 . 2009-07-30 11:02 -------- d-----w- c:\program files\Common Files\_is Common
2009-07-30 11:02 . 2009-07-30 11:02 -------- d-----w- c:\program files\Common Files\CodeWrights
2009-07-30 11:01 . 2009-07-30 11:01 86016 ----a-w- c:\windows\system32\OdbcJdbcSetup.dll
2009-07-30 11:01 . 2009-07-30 11:01 225280 ----a-w- c:\windows\system32\IscDbc.dll
2009-07-30 11:01 . 2009-07-30 11:01 200704 ----a-w- c:\windows\system32\OdbcJdbc.dll
2009-07-20 12:26 . 2009-07-20 12:24 -------- d-----w- c:\program files\MSI Card Reader
2009-07-20 12:24 . 2007-05-16 06:09 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-07-20 12:05 . 2009-07-20 12:05 -------- d-----w- c:\program files\MUP RS
2009-07-17 11:47 . 2009-07-17 11:47 -------- d-----w- c:\program files\Common Files\Business Objects
2009-07-17 11:47 . 2009-07-17 11:47 -------- d-----w- c:\program files\Fluke
2009-07-17 11:44 . 2009-07-17 11:44 -------- d-----w- c:\program files\Microsoft SQL Server
2009-07-16 07:52 . 2009-07-16 07:52 -------- d-----w- c:\program files\Compaq
2009-06-03 21:52 . 2009-06-03 21:52 18180 ----a-w- c:\program files\Common Files\somezyh.exe
2009-06-03 21:48 . 2009-06-03 21:48 18084 ----a-w- c:\program files\Common Files\otez.exe
2009-06-03 21:48 . 2009-06-03 21:48 13677 ----a-w- c:\program files\Common Files\sasaluko.db
2009-06-03 15:20 . 2009-06-03 15:20 18732 ----a-w- c:\program files\Common Files\amihiv.lib
2009-06-03 14:31 . 2009-06-03 14:31 19892 ----a-w- c:\program files\Common Files\uvico.lib
2009-06-03 14:31 . 2009-06-03 14:31 13152 ----a-w- c:\program files\Common Files\ihuborehyp.dat
2009-06-03 14:31 . 2009-06-03 14:31 12913 ----a-w- c:\program files\Common Files\ulusecevak.db
2008-03-03 07:05 . 2008-03-03 07:05 14290 ----a-w- c:\program files\settings.dat
2007-06-21 11:33 . 2007-06-21 11:33 35328 ----a-w- c:\program files\winbox.exe
2008-02-02 10:07 . 2008-02-21 11:25 67696 ----a-w- c:\program files\mozilla firefox\components\jar50.dll
2008-02-02 10:07 . 2008-02-21 11:25 54376 ----a-w- c:\program files\mozilla firefox\components\jsd3250.dll
2008-02-02 10:07 . 2008-02-21 11:25 34952 ----a-w- c:\program files\mozilla firefox\components\myspell.dll
2008-02-02 10:07 . 2008-02-21 11:25 46720 ----a-w- c:\program files\mozilla firefox\components\spellchk.dll
2008-02-02 10:07 . 2008-02-21 11:25 172144 ----a-w- c:\program files\mozilla firefox\components\xpinstal.dll
.
------- Sigcheck -------
[-] 5FD32526EDA7ED3ADB2E077B8255A566 [------] c:\windows\system32\dllcache\beep.sys
[-] 5FD32526EDA7ED3ADB2E077B8255A566 [------] c:\windows\system32\drivers\beep.sys
.
((((((((((((((((((((((((((((( SnapShot@2009-09-07_07.25.44 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-09-07 14:33 . 2009-09-07 14:33 16384 c:\windows\temp\Perflib_Perfdata_25c.dat
+ 2009-09-07 14:33 . 2009-09-07 14:33 16384 c:\windows\temp\Perflib_Perfdata_164.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
"FtpDrive"="c:\program files\KillSoft\FtpDrive\FtpDrive.exe" [2006-11-05 300653]
"sys32_nov"="c:\documents and settings\Odrzavanje\sys32_nov.exe" [BU]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2006-02-28 15360]
"braviax"="" [BU]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Apoint"="c:\program files\Apoint2K\Apoint.exe" [2005-04-16 172032]
"S7UB Start"="c:\program files\Common Files\Siemens\S7ubtoox\s7ubtstx.exe" [2003-12-17 110645]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"GatewaySysTray"="c:\program files\3S CoDeSys\GatewayPLC\GatewaySysTray.exe" [2007-12-13 311409]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-08-10 149280]
"sys32_nov"="c:\windows\system32\sys32_nov.exe" [2009-09-02 29216]
"Antivirus Pro 2010"="c:\program files\AntivirusPro_2010\AntivirusPro_2010.exe" [2009-09-06 589312]
"VTTimer"="VTTimer.exe" - c:\windows\system32\VTTimer.exe [2006-08-03 53248]
"S3Trayp"="S3Trayp.exe" - c:\windows\system32\S3Trayp.exe [2006-07-11 176128]
"braviax"="" [BU]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2006-02-28 15360]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2007-3-11 210520]
Procitaj.txt [2009-6-4 199]
Service Manager.lnk - c:\program files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe [2002-12-17 74308]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"ForceClassicControlPanel"= 1 (0x1)
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"FirewallDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Common Files\\Siemens\\SQLANY\\dbsrv7.exe"=
"c:\\Program Files\\Siemens\\Step7\\S7BIN\\S7tgtopx.exe"=
"c:\\Program Files\\Siemens\\Step7\\S7INF\\S7usiapx.exe"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\HP1005MC.EXE"=
"c:\\Program Files\\3S CoDeSys\\CoDeSys\\Common\\CoDeSys.exe"=
"c:\\Program Files\\3S CoDeSys\\CoDeSys\\Common\\RepTool.exe"=
"c:\\Program Files\\3S CoDeSys\\CoDeSys\\Common\\IPMCLI.exe"=
"c:\\Program Files\\3S CoDeSys\\GatewayPLC\\GatewayService.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"6160:TCP"= 6160:TCP:Seagull Driver Networking
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
R2 almservice;Automation License Manager Service;c:\program files\Common Files\Siemens\SWS\almsrv\almsrvx.exe [21.7.2005 12:40 622654]
R2 CoDeSys Gateway V3;CoDeSys Gateway V3 Version 3.1.3.1;c:\program files\3S CoDeSys\GatewayPLC\GatewayService.exe [13.12.2007 20:43 843897]
R2 Dpmtrcdd;Dpmtrcdd;c:\windows\system32\drivers\dpmtrcdd.sys [14.1.2008 12:03 30224]
R2 MCT10 Service;MCT10 Service;c:\program files\Danfoss Drives\VLT Motion Control Tool\MCT 10 Set-up Software\MCTServ.exe [5.12.2008 13:04 192512]
R2 MSSQL$FLUKE;MSSQL$FLUKE;c:\program files\Microsoft SQL Server\MSSQL$FLUKE\Binn\sqlservr.exe -sFLUKE --> c:\program files\Microsoft SQL Server\MSSQL$FLUKE\Binn\sqlservr.exe -sFLUKE [?]
R2 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [6.11.2007 22:22 34064]
R2 PROFIbrd;PROFIBUS V5 Hardware Driver (Softing);c:\windows\system32\drivers\PROFIbrd.sys [30.7.2009 13:05 184832]
R2 PROFIprt;PROFIBUS Protocol Driver (Softing);c:\windows\system32\drivers\PROFIprt.sys [30.7.2009 13:05 35968]
R2 PROFIstack;PROFIBUS V6 Hardware Driver (Softing);c:\windows\system32\drivers\PROFIstack.sys [30.7.2009 13:05 250112]
R2 s7asysvx;S7 Global Services;c:\program files\Siemens\Step7\S7BIN\s7asysvx.exe [26.7.2004 21:13 69685]
R2 s7odpx2x;SIMATIC MPI/PROFIBUS DPX2 Driver;c:\windows\system32\drivers\s7odpx2x.sys [5.10.2007 11:40 78408]
R2 s7oiehsx;SIMATIC IEPG Help Service;c:\program files\Common Files\Siemens\S7IEPG\s7oiehsx.exe [5.10.2007 11:51 208968]
R2 s7osmcax;s7osmcax;c:\windows\system32\drivers\s7osmcax.sys [5.10.2007 11:44 194120]
R2 s7snsrtx;PROFINET IO RT-Protocol;c:\windows\system32\drivers\s7snsrtx.sys [30.7.2007 12:06 71168]
R2 S7TraceServiceX;S7TraceServiceX;c:\program files\Common Files\Siemens\Automation\TraceEngine\bin\S7TraceServiceX.exe [31.8.2007 11:32 163840]
R2 scpdrv;scpdrv;c:\program files\Common Files\Siemens\SWS\plugins\scp\scpdrv.sys [14.10.2003 2:44 26944]
R3 S3GIGP;S3GIGP;c:\windows\system32\drivers\S3gIGPm.sys [12.9.2006 10:43 659456]
S2 CoDeSys SP Win V3;CoDeSys SP Win V3 Version 3.1.3.0;c:\program files\3S CoDeSys\GatewayPLC\CoDeSysSPService.exe --> c:\program files\3S CoDeSys\GatewayPLC\CoDeSysSPService.exe [?]
S3 AIDA32Driver;AIDA32Driver;\??\e:\ aaaaaaaaaaaa\aida32.sys --> e:\ aaaaaaaaaaaa\aida32.sys [?]
S3 IRIMAGER;Fluke Ti30, IR-Imager USB Driver (irimager.sys);c:\windows\system32\drivers\irimager.sys [21.4.2006 16:48 19263]
S3 oad;Visibroker Activation Daemon;c:\progra~1\Borland\vbroker\bin\oad.exe [31.5.2007 13:41 1781248]
S3 osagent;VisiBroker Smart Agent;c:\progra~1\Borland\vbroker\bin\osagent.exe [31.5.2007 13:41 193536]
S3 PROFIpnp;PROFIBUS PnP Hardware Driver (Softing);c:\windows\system32\drivers\PROFIpnp.sys [30.7.2009 13:05 12416]
S3 PROFIusb;PROFIusb Device Driver (Softing AG);c:\windows\system32\drivers\PROFIusb.sys [30.7.2009 13:05 30464]
S3 S5AS511;S5AS511;c:\windows\system32\drivers\S5AS511.SYS [3.9.2008 20:03 15360]
S3 S5MCD;S5MCD;c:\windows\system32\drivers\S5MCD.SYS [3.9.2008 20:03 188416]
S3 s7oefs_x;SIMATIC MPI/EFS Driver;c:\windows\system32\drivers\s7oefs_x.sys [18.10.2002 2:34 30512]
S3 s7oupc2x;SIMATIC PC Adapter USB Driver;c:\windows\system32\drivers\s7oupc2x.sys [28.5.2008 9:55 12333]
S3 SQLAgent$FLUKE;SQLAgent$FLUKE;c:\program files\Microsoft SQL Server\MSSQL$FLUKE\Binn\sqlagent.EXE -i FLUKE --> c:\program files\Microsoft SQL Server\MSSQL$FLUKE\Binn\sqlagent.EXE -i FLUKE [?]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
iguafxuz
.
- - - - ORPHANS REMOVED - - - -
HKLM-Run-Regedit32 - c:\windows\system32\regedit.exe
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
mDefault_Search_URL = hxxp://www.google.com/ie
mSearch Page = hxxp://www.google.com
mStart Page = hxxp://www.google.com
mSearchAssistant = hxxp://www.google.com
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
TCP: {C0C53F1F-B894-4187-8C88-E30165556C08} = 192.168.2.1
FF - ProfilePath - c:\documents and settings\Odrzavanje\Application Data\Mozilla\Firefox\Profiles\ydhnp2au.default\
FF - component: c:\program files\Mozilla Firefox\components\xpinstal.dll
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, gmer.net
Rootkit scan 2009-09-07 16:36
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
c:\windows\system32\braviax.exe 11264 bytes executable
scan completed successfully
hidden files: 1
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10c.exe,-101"
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\Elevation]
"Enabled"=dword:00000001
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10c.exe"
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}]
@Denied: (A 2) (Everyone)
@="IFlashBroker3"
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'explorer.exe'(2600)
c:\program files\KillSoft\FtpDrive\FtpDrive.dll
c:\windows\system32\msi.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\logonui.exe
c:\windows\system32\scardsvr.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Microsoft SQL Server\MSSQL$FLUKE\Binn\sqlservr.exe
c:\windows\system32\rdpclip.exe
c:\program files\Apoint2K\ApntEx.exe
c:\windows\system32\wscntfy.exe
c:\program files\Common Files\Siemens\SQLANY\dbsrv7.exe
c:\windows\system32\braviax.exe
.
**************************************************************************
.
Completion time: 2009-09-07 16:41 - machine was rebooted
ComboFix-quarantined-files.txt 2009-09-07 14:41
ComboFix2.txt 2009-09-07 07:28
ComboFix3.txt 2009-06-03 15:14
Pre-Run: 24.279.076.864 bytes free
Post-Run: 24.240.381.952 bytes free
265
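Besides the dropped files, the "Reg Loading Points" section of the ComboFix log above records what the infection did to the machine's security posture: all three Security Center notifications are suppressed, `EnableFirewall` is 0, a firewall exception opens TCP 3389 to the network, and the netsvcs svchost group carries a member (`iguafxuz`) that has no service record anywhere in the log. The script below is an added example, not part of the original post and not ComboFix code: it parses the bracketed keys, the `"name"=data` values, the `R*/S*` service lines and the `Svchost - NetSvcs` member list that ComboFix prints, and reports those four classes of finding. The excerpt is copied from the log in this post; the table of exposed admin ports is an assumption for illustration.

```python
"""Check a ComboFix 'Reg Loading Points' section for security-posture tampering.

Added example, not part of the original post or of ComboFix itself.
The port table is an assumption for illustration.
"""
import re
from collections import defaultdict

# Constructed sample: excerpt of the second ComboFix log above
# (ComboFix already omits default and empty entries).
SAMPLE_REG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"FirewallDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\3S CoDeSys\\GatewayPLC\\GatewayService.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"6160:TCP"= 6160:TCP:Seagull Driver Networking
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
R2 almservice;Automation License Manager Service;c:\program files\Common Files\Siemens\SWS\almsrv\almsrvx.exe [21.7.2005 12:40 622654]
R2 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [6.11.2007 22:22 34064]
S3 oad;Visibroker Activation Daemon;c:\progra~1\Borland\vbroker\bin\oad.exe [31.5.2007 13:41 1781248]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
iguafxuz
.
"""

VALUE_LINE = re.compile(r'^"(?P<name>[^"]+)"\s*=\s*(?P<data>.*)$')
SERVICE_LINE = re.compile(r'^[RS]\d (?P<name>[^;]+);(?P<display>[^;]*);(?P<path>.+)$')
PORT_NAME = re.compile(r'^(\d+):(TCP|UDP)$')

SECURITY_CENTER = r'hkey_local_machine\software\microsoft\security center'
FW_PROFILE = r'hklm\~\services\sharedaccess\parameters\firewallpolicy\standardprofile'
FW_PORTS = FW_PROFILE + r'\globallyopenports\list'
# Assumed: ports whose exposure on an XP workstation an analyst would question.
EXPOSED_ADMIN_PORTS = {3389: 'RDP', 445: 'SMB', 139: 'NetBIOS session', 135: 'RPC endpoint mapper'}


def as_int(data):
    """Turn ComboFix value renderings ('dword:00000001', '0 (0x0)') into an int."""
    m = re.match(r'dword:([0-9a-fA-F]+)', data)
    if m:
        return int(m.group(1), 16)
    m = re.match(r'(\d+)', data)
    return int(m.group(1)) if m else None


def parse_combofix_reg(text):
    """Return (values by lower-cased key, services by lower-cased name, netsvcs members)."""
    values, services, netsvcs = defaultdict(dict), {}, []
    key, in_netsvcs = None, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == '.':          # '.' terminates a ComboFix block
            in_netsvcs = False
            continue
        if in_netsvcs:                       # one group member per line
            netsvcs.append(line)
            continue
        if line.endswith('Svchost - NetSvcs'):
            in_netsvcs = True
            continue
        if line.startswith('[') and line.endswith(']'):
            key = line[1:-1].lower()
            continue
        m = SERVICE_LINE.match(line)
        if m:
            services[m['name'].lower()] = m['path']
            continue
        m = VALUE_LINE.match(line)
        if m and key:
            values[key][m['name']] = m['data'].strip()
    return values, services, netsvcs


def assess_posture(text):
    """Return human-readable findings about disabled protections and unexplained netsvcs members."""
    values, services, netsvcs = parse_combofix_reg(text)
    findings = []
    sc = values.get(SECURITY_CENTER, {})
    for name in ('AntiVirusDisableNotify', 'FirewallDisableNotify', 'UpdatesDisableNotify'):
        if as_int(sc.get(name, '0')) == 1:
            findings.append(f'Security Center: {name} set, warnings suppressed')
    if as_int(values.get(FW_PROFILE, {}).get('EnableFirewall', '1')) == 0:
        findings.append('Windows Firewall disabled (EnableFirewall=0 in standard profile)')
    for name in values.get(FW_PORTS, {}):
        m = PORT_NAME.match(name)
        if m and int(m.group(1)) in EXPOSED_ADMIN_PORTS:
            findings.append(f'firewall exception opens {m.group(2)} {m.group(1)} '
                            f'({EXPOSED_ADMIN_PORTS[int(m.group(1))]}) to the network')
    # A netsvcs member with no service record in the log is worth checking: the DLL it
    # points at (the service's ServiceDll value) is a common place to hide persistence.
    for member in netsvcs:
        if member.lower() not in services:
            findings.append(f'netsvcs member {member!r} has no service record in the log; check its ServiceDll')
    return findings


if __name__ == '__main__':
    for f in assess_posture(SAMPLE_REG):
        print('-', f)
```

On the excerpt above this yields six findings: the three suppressed Security Center notifications, the disabled firewall, the RDP exception, and the unexplained `iguafxuz` member. The firewall state and notification flags are also a good re-check after cleanup, since a rogue that survives a reboot, as in this thread, tends to set them again.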