Poslao: 24 Jun 2009 14:16
ComboFix 09-06-23.01 - SERVIS 06/24/2009 14:01.9 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1587 [GMT 2:00]
Running from: c:\documents and settings\SERVIS\Desktop\ComboFix.exe
AV: McAfee VirusScan Enterprise *On-access scanning disabled* (Outdated) {918A2B0B-2C60-4016-A4AB-E868DEABF7F0}
* Resident AV is active
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\windows\system32\ctfmon.exe.tmp
c:\windows\system32\Y45a7ra7.exe.a_a
.
((((((((((((((((((((((((( Files Created from 2009-05-24 to 2009-06-24 )))))))))))))))))))))))))))))))
.
2009-06-24 12:01 . 2009-06-24 12:01 -------- d-----w- C:\QUARANTINE
2009-06-24 11:49 . 2009-06-24 11:49 -------- d-----w- c:\documents and settings\SERVIS\Local Settings\Application Data\Help
2009-06-24 11:40 . 2009-06-24 11:40 -------- d-----w- c:\program files\CCleaner
2009-06-24 08:57 . 2009-06-24 08:57 552 ----a-w- c:\windows\system32\d3d8caps.dat
2009-06-19 09:04 . 2009-06-19 09:04 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Conduit
2009-06-19 09:00 . 2009-06-19 12:14 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\TDI
2009-06-19 07:24 . 2009-06-19 07:24 208898 ----a-w- c:\windows\system32\Y45a7ra7.exe
2009-06-19 07:09 . 2009-06-19 07:09 74752 ----a-w- c:\windows\system32\B12c4tc4.dll
2009-06-11 07:32 . 2009-06-11 07:32 152576 ----a-w- c:\documents and settings\SERVIS\Application Data\Sun\Java\jre1.6.0_14\lzma.dll
2009-06-03 14:33 . 2009-06-04 07:47 -------- d-----w- c:\program files\XP Repair Pro 2007
2009-06-03 14:33 . 2009-06-03 14:33 -------- d-----w- c:\documents and settings\SERVIS\Local Settings\Application Data\{C82FE1BB-5140-4F7D-8DBF-56A85573BD49}
2009-06-03 13:53 . 2009-06-03 13:53 -------- d-----w- c:\documents and settings\SERVIS\Local Settings\Application Data\Google
2009-06-03 13:51 . 2009-06-03 13:51 -------- d-----w- c:\program files\Google
2009-05-30 09:35 . 2009-05-30 09:35 -------- d-----w- c:\documents and settings\SERVIS\Local Settings\Application Data\WMTools Downloaded Files
2009-05-28 08:52 . 2009-05-28 08:52 -------- d--h--w- c:\windows\PIF
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-06-24 11:46 . 2009-04-21 14:05 -------- d-----w- c:\program files\Yahoo!
2009-06-24 11:46 . 2009-05-06 12:26 -------- d-----w- c:\program files\InstantFileRecovery
2009-06-24 11:46 . 2009-05-06 12:36 -------- d-----w- c:\program files\Runtime Software
2009-06-23 08:52 . 2009-04-06 09:02 664 ----a-w- c:\windows\system32\d3d9caps.dat
2009-06-17 07:12 . 2009-03-28 09:12 -------- d-----w- c:\program files\USB Disk Security
2009-06-11 07:33 . 2009-03-14 08:42 -------- d-----w- c:\program files\Java
2009-05-22 07:08 . 2009-03-18 11:50 -------- d-----w- c:\program files\TDI
2009-05-21 09:33 . 2009-03-14 08:42 410984 ----a-w- c:\windows\system32\deploytk.dll
2009-05-18 07:45 . 2009-03-13 10:12 -------- d-----w- c:\program files\TuneUp Utilities 2009
2009-05-18 07:44 . 2009-05-18 07:44 604416 ----a-w- c:\windows\system32\TUProgSt.exe
2009-05-18 07:44 . 2009-05-18 07:44 361216 ----a-w- c:\windows\system32\TuneUpDefragService.exe
2009-05-14 12:24 . 2009-03-18 10:43 -------- d-----w- c:\program files\nLite
2009-05-14 12:08 . 2009-03-13 21:43 -------- d-----w- c:\program files\K-Lite Codec Pack
2009-04-27 12:21 . 2009-05-18 07:44 28928 ----a-w- c:\windows\system32\uxtuneup.dll
2009-04-09 10:50 . 2009-04-09 10:50 152576 ----a-w- c:\documents and settings\SERVIS\Application Data\Sun\Java\jre1.6.0_13\lzma.dll
.
------- Sigcheck -------
[-] 2009-01-16 07:19 1614848 362BC5AF8EAF712832C58CC13AE05750 c:\windows\system32\sfcfiles.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7957FD21-C584-4476-B26B-4691A7AC4E5D}]
2009-06-19 07:09 74752 ----a-w- c:\windows\system32\B12c4tc4.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{964ed5ed-9595-43a1-bd83-9f831b5dbe7f}]
2009-05-22 07:08 2094616 ----a-w- c:\program files\TDI\tbTD1.dll
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"McAfeeUpdaterUI"="c:\program files\McAfee\Common Framework\udaterui.exe" [2008-03-14 136512]
"ShStatEXE"="c:\program files\McAfee\VirusScan Enterprise\SHSTAT.EXE" [2008-09-29 124240]
"USB Antivirus"="c:\program files\USB Disk Security\USBGuard.exe" [2009-06-17 25100]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-05-21 148888]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2009-06-24 25100]
"MSConfig"="c:\windows\pchealth\helpctr\Binaries\MSCONFIG.EXE" [2008-04-14 169984]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\McAfeeEngineService]
@="Service"
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"NeroFilterCheck"=c:\program files\Common Files\Ahead\Lib\NeroCheck.exe
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\McAfee\\Common Framework\\FrameworkService.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=
"c:\\WINDOWS\\system32\\java.exe"=
"c:\\Program Files\\SopCast\\adv\\SopAdver.exe"=
"c:\\Program Files\\SopCast\\SopCast.exe"=
"c:\\Program Files\\Winamp\\winampa.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\javaw.exe"=
"c:\\Program Files\\Java\\jre6\\launch4j-tmp\\JDownloader.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\java.exe"=
"d:\\My Documents\\Valve\\hl.exe"=
R2 McAfeeEngineService;McAfee Engine Service;c:\program files\McAfee\VirusScan Enterprise\EngineServer.exe [9/29/2008 9:07 AM 19456]
R2 mfevtp;McAfee Validation Trust Protection Service;c:\windows\system32\mfevtps.exe [1/3/2002 11:30 PM 67904]
R2 TuneUp.ProgramStatisticsSvc;TuneUp Program Statistics Service;c:\windows\system32\TUProgSt.exe [5/18/2009 9:44 AM 604416]
S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [1/3/2002 11:30 PM 64432]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp
.
Contents of the 'Scheduled Tasks' folder
2009-06-24 c:\windows\Tasks\1-Click Maintenance.job
- c:\program files\TuneUp Utilities 2009\OneClickStarter.exe [2009-04-27 13:37]
2009-06-19 c:\windows\Tasks\At1.job
- c:\windows\system32\Y45a7ra7.exe [2009-06-19 07:24]
2009-06-19 c:\windows\Tasks\At10.job
- c:\windows\system32\Y45a7ra7.exe [2009-06-19 07:24]
2009-06-24 c:\windows\Tasks\At11.job
- c:\windows\system32\Y45a7ra7.exe [2009-06-19 07:24]
2009-06-24 c:\windows\Tasks\At12.job
- c:\windows\system32\Y45a7ra7.exe [2009-06-19 07:24]
2009-06-24 c:\windows\Tasks\At13.job
- c:\windows\system32\Y45a7ra7.exe [2009-06-19 07:24]
2009-06-24 c:\windows\Tasks\At14.job
- c:\windows\system32\Y45a7ra7.exe [2009-06-19 07:24]
2009-06-24 c:\windows\Tasks\At15.job
- c:\windows\system32\Y45a7ra7.exe [2009-06-19 07:24]
2009-06-23 c:\windows\Tasks\At16.job
- c:\windows\system32\Y45a7ra7.exe [2009-06-19 07:24]
2009-06-22 c:\windows\Tasks\At17.job
- c:\windows\system32\Y45a7ra7.exe [2009-06-19 07:24]
2009-06-22 c:\windows\Tasks\At18.job
- c:\windows\system32\Y45a7ra7.exe [2009-06-19 07:24]
2009-06-19 c:\windows\Tasks\At19.job
- c:\windows\system32\Y45a7ra7.exe [2009-06-19 07:24]
2009-06-19 c:\windows\Tasks\At2.job
- c:\windows\system32\Y45a7ra7.exe [2009-06-19 07:24]
2009-06-19 c:\windows\Tasks\At20.job
- c:\windows\system32\Y45a7ra7.exe [2009-06-19 07:24]
2009-06-19 c:\windows\Tasks\At21.job
- c:\windows\system32\Y45a7ra7.exe [2009-06-19 07:24]
2009-06-19 c:\windows\Tasks\At22.job
- c:\windows\system32\Y45a7ra7.exe [2009-06-19 07:24]
2009-06-19 c:\windows\Tasks\At23.job
- c:\windows\system32\Y45a7ra7.exe [2009-06-19 07:24]
2009-06-19 c:\windows\Tasks\At24.job
- c:\windows\system32\Y45a7ra7.exe [2009-06-19 07:24]
2009-06-19 c:\windows\Tasks\At3.job
- c:\windows\system32\Y45a7ra7.exe [2009-06-19 07:24]
2009-06-19 c:\windows\Tasks\At4.job
- c:\windows\system32\Y45a7ra7.exe [2009-06-19 07:24]
2009-06-19 c:\windows\Tasks\At5.job
- c:\windows\system32\Y45a7ra7.exe [2009-06-19 07:24]
2009-06-19 c:\windows\Tasks\At6.job
- c:\windows\system32\Y45a7ra7.exe [2009-06-19 07:24]
2009-06-19 c:\windows\Tasks\At7.job
- c:\windows\system32\Y45a7ra7.exe [2009-06-19 07:24]
2009-06-19 c:\windows\Tasks\At8.job
- c:\windows\system32\Y45a7ra7.exe [2009-06-19 07:24]
2009-06-19 c:\windows\Tasks\At9.job
- c:\windows\system32\Y45a7ra7.exe [2009-06-19 07:24]
.
.
------- Supplementary Scan -------
.
uStart Page = [Link mogu videti samo ulogovani korisnici]
mStart Page = [Link mogu videti samo ulogovani korisnici]
mWindow Title = Microsoft Internet Explorer
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [Link mogu videti samo ulogovani korisnici]
Rootkit scan 2009-06-24 14:08
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(712)
c:\windows\system32\Ati2evxx.dll
.
Completion time: 2009-06-24 14:11
ComboFix-quarantined-files.txt 2009-06-24 12:11
ComboFix2.txt 2009-05-18 08:13
Pre-Run: 16,268,976,128 bytes free
Post-Run: 16,409,706,496 bytes free
Poslao: 24 Jun 2009 16:37
- dr_Bora
Pozdrav...
Idući put kada ne ispratiš uputstvo za otvaranje teme, ista će biti obrisana.
Preuzmi The Avenger na Desktop.
Raspakuj arhivu u neki folder
Dvoklikom pokreni avenger.exe
Iskopiraj tekst koji se nalazi unutar Kod polja u (beli) prozor programa:
Files to delete:
c:\windows\Tasks\At1.job
c:\windows\Tasks\At10.job
c:\windows\Tasks\At11.job
c:\windows\Tasks\At12.job
c:\windows\Tasks\At13.job
c:\windows\Tasks\At14.job
c:\windows\Tasks\At15.job
c:\windows\Tasks\At16.job
c:\windows\Tasks\At17.job
c:\windows\Tasks\At18.job
c:\windows\Tasks\At19.job
c:\windows\Tasks\At2.job
c:\windows\Tasks\At20.job
c:\windows\Tasks\At21.job
c:\windows\Tasks\At22.job
c:\windows\Tasks\At23.job
c:\windows\Tasks\At24.job
c:\windows\Tasks\At3.job
c:\windows\Tasks\At4.job
c:\windows\Tasks\At5.job
c:\windows\Tasks\At6.job
c:\windows\Tasks\At7.job
c:\windows\Tasks\At8.job
c:\windows\Tasks\At9.job
c:\windows\system32\Y45a7ra7.exe
c:\windows\system32\B12c4tc4.dll
Registry keys to delete:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7957FD21-C584-4476-B26B-4691A7AC4E5D}
Klikni Execute, a zatim Yes u sledeća dva prozora koji će se otvoriti
Kompjuter će se restartovati (u određenim slučajevima dva puta) i započeće proces čišćenja/skeniranja
Kada proces bude završen, logfile C:\avenger.txt će se otvoriti u Notepad-u
Iskopiraj sadržaj dobijenog loga u temu na forumu.
Nakon toga upload-uj file: C:\Avenger\backup.zip
preko ovog linka: [Link mogu videti samo ulogovani korisnici]
Poslao: 25 Jun 2009 13:42
Logfile of The Avenger Version 2.0, (c) by Swandog46
[Link mogu videti samo ulogovani korisnici]
Platform: Windows XP
*******************
Script file opened successfully.
Script file read successfully.
Backups directory opened successfully at C:\Avenger
*******************
Beginning to process script file:
Rootkit scan active.
No rootkits found!
File "c:\windows\Tasks\At1.job" deleted successfully.
File "c:\windows\Tasks\At10.job" deleted successfully.
File "c:\windows\Tasks\At11.job" deleted successfully.
File "c:\windows\Tasks\At12.job" deleted successfully.
File "c:\windows\Tasks\At13.job" deleted successfully.
File "c:\windows\Tasks\At14.job" deleted successfully.
File "c:\windows\Tasks\At15.job" deleted successfully.
File "c:\windows\Tasks\At16.job" deleted successfully.
File "c:\windows\Tasks\At17.job" deleted successfully.
File "c:\windows\Tasks\At18.job" deleted successfully.
File "c:\windows\Tasks\At19.job" deleted successfully.
File "c:\windows\Tasks\At2.job" deleted successfully.
File "c:\windows\Tasks\At20.job" deleted successfully.
File "c:\windows\Tasks\At21.job" deleted successfully.
File "c:\windows\Tasks\At22.job" deleted successfully.
File "c:\windows\Tasks\At23.job" deleted successfully.
File "c:\windows\Tasks\At24.job" deleted successfully.
File "c:\windows\Tasks\At3.job" deleted successfully.
File "c:\windows\Tasks\At4.job" deleted successfully.
File "c:\windows\Tasks\At5.job" deleted successfully.
File "c:\windows\Tasks\At6.job" deleted successfully.
File "c:\windows\Tasks\At7.job" deleted successfully.
File "c:\windows\Tasks\At8.job" deleted successfully.
File "c:\windows\Tasks\At9.job" deleted successfully.
File "c:\windows\system32\Y45a7ra7.exe" deleted successfully.
File "c:\windows\system32\B12c4tc4.dll" deleted successfully.
Registry key "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7957FD21-C584-4476-B26B-4691A7AC4E5D}" deleted successfully.
Completed script processing.
*******************
Finished! Terminate.
Upload-ovao sam onaj backup file (C:\Avenger\backup.zip).