Posted: 20 Aug 2011 20:58
offline
- thefamous
- New MyCity citizen
- Joined: 20 Aug 2011
- Posts: 8
Good evening... It is a little easier for me knowing I'm not the only one this has happened to. Yesterday a friend on FB sent me a message "Hi" and later a link, which of course I went to and downloaded Flash Player; at that moment McAfee flagged a Trojan and the computer restarted. After that I managed to get onto FB, and then all my friends who were online started sending me messages in chat, but in Serbian, like "Hi, what's up, where are you?" And I was "replying" to all of them with "Hi". I logged out immediately and since then I can't get onto the FB page. I went in from my phone and managed to log in, but I saw in the messages that it had kept sending the "Hi" message to the rest of my friends, so I put a notice in my status... but it is still sending messages with the same content. I tried to install the NOD32, AVG and Avira antiviruses on the computer, but without success, so now there are leftover icons that won't delete. That's why I'm asking for help. I use SBB internet, through an adapter: Wireless G USB Adapter, TP-LINK, 54.0 Mbps. System: 32-bit Windows. I read the instructions, but I'm not very good with tech, though I'll do my best!
dds.txt report
.
DDS (Ver_2011-06-23.01) - NTFSx86
Internet Explorer: 6.0.2900.5512
Run by Personal Computer at 19:57:10 on 2011-08-20
Microsoft Windows XP Professional 5.1.2600.3.1250.381.1033.18.247.38 [GMT 2:00]
.
AV: Avira AntiVir PersonalEdition *Enabled/Outdated* {C19476D9-52BC-4E93-8AF3-CCF59F7AE8FE}
AV: ESET NOD32 Antivirus 4.2 *Enabled/Updated* {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\acs.exe
C:\Program Files\Application Updater\ApplicationUpdater.exe
C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
C:\WINDOWS\update.7.1\svchostdriver.exe
C:\WINDOWS\update.5.0\svchost.exe srv
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\RunDll32.exe
C:\Program Files\TP-LINK\TP-LINK Wireless Client Utility\TWCU.exe
C:\Program Files\Common Files\Spigot\Search Settings\SearchSettings.exe
"C:\WINDOWS\update.tray-9-0\svchost.exe"
"C:\WINDOWS\update.tray-2-0\svchost.exe"
"C:\WINDOWS\update.tray-8-0\svchost.exe"
C:\WINDOWS\l1rezerv.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\update.2\2259.exe
"C:\WINDOWS\update.5.0\svchost.exe" stand
C:\WINDOWS\sysdriver32.exe
C:\Program Files\IVT Corporation\BlueSoleil\StartSkysolSvc.exe
C:\WINDOWS\update.1\svchost.exe srv
C:\WINDOWS\update.2\2259.exe
"C:\WINDOWS\update.tray-2-0-lnk\svchost.exe" tray 2-0 1
C:\WINDOWS\ufa\ufa.exe
C:\Documents and Settings\Personal Computer\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Personal Computer\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Personal Computer\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Personal Computer\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Personal Computer\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\WINDOWS\update.7.1\svchostdriver.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://start.jdownloader.com/
uURLSearchHooks: YouTube Downloader Toolbar: {f3fee66e-e034-436a-86e4-9690573bee8a} - c:\program files\youtube downloader toolbar\ie\4.5\youtubedownloaderToolbarIE.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: CescrtHlpr Object: {2eecd738-5844-4a99-b4b6-146bf802613b} - c:\program files\babylontoolbar\babylontoolbar\1.4.19.19\bh\BabylonToolbar.dll
BHO: Skype Plug-In: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: YouTube Downloader Toolbar: {f3fee66e-e034-436a-86e4-9690573bee8a} - c:\program files\youtube downloader toolbar\ie\4.5\youtubedownloaderToolbarIE.dll
TB: Babylon Toolbar: {98889811-442d-49dd-99d7-dc866be87dbc} - c:\program files\babylontoolbar\babylontoolbar\1.4.19.19\BabylonToolbarTlbr.dll
TB: YouTube Downloader Toolbar: {f3fee66e-e034-436a-86e4-9690573bee8a} - c:\program files\youtube downloader toolbar\ie\4.5\youtubedownloaderToolbarIE.dll
uRun: [CTFMON.EXE] c:\windows\system32\ctfmon.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe
mRun: [BabylonToolbar] "c:\program files\babylontoolbar\babylontoolbar\1.4.19.19\BabylonToolbarsrv.exe" /md I
mRun: [TWCU] "c:\program files\tp-link\tp-link wireless client utility\TWCU.exe" -nogui
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [<NO NAME>]
mRun: [SearchSettings] "c:\program files\common files\spigot\search settings\SearchSettings.exe"
mRun: [wxpdrv] c:\windows\services32.exe
mRun: [tray_ico]
mRun: [tray_ico0] c:\windows\update.tray-9-0\svchost.exe
mRun: [tray_ico1] c:\windows\update.tray-2-0\svchost.exe
mRun: [tray_ico2] c:\windows\update.tray-8-0\svchost.exe
mRun: [tray_ico3]
mRun: [tray_ico4]
mRun: [35595.exe] "c:\windows\temp\35595.exe"
mRun: [sysdriver32.exe] "c:\windows\sysdriver32.exe" rezerv
mRun: [sysdriver32_.exe] "c:\windows\sysdriver32_.exe" rezerv
mRun: [3556982.exe] "c:\docume~1\person~1\locals~1\temp\3556982.exe"
mRun: [5389775.exe] "c:\windows\temp\5389775.exe"
mRun: [9239863.exe] "c:\windows\temp\9239863.exe"
mRun: [l1rezerv.exe] "c:\windows\l1rezerv.exe"
mRun: [12839690-loader2.exe] "c:\windows\temp\12839690-loader2.exe"
mRun: [avgnt] "c:\program files\avira\antivir personaledition premium\avgnt.exe" /min
mRun: [egui] "c:\program files\eset\eset nod32 antivirus\egui.exe" /hide /waitservice
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
dRunOnce: [_nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N
StartupFolder: c:\docume~1\person~1\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\blueso~1.lnk - c:\program files\ivt corporation\bluesoleil\gprs.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\mcafee~1.lnk - c:\program files\mcafee security scan\2.0.189\SSScheduler.exe
uPolicies-explorer: ForceClassicControlPanel = 1 (0x1)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableSecureUIAPaths = 0 (0x0)
dPolicies-explorer: ForceClassicControlPanel = 1 (0x1)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
LSP: avsda.dll
TCP: DhcpNameServer = 89.216.1.30 89.216.1.50
TCP: Interfaces\{C3A01B7C-E8F1-407C-B2A2-3D0C938F65FC} : DhcpNameServer = 89.216.1.30 89.216.1.50
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\windows\system32\Skype4COM.dll
Notify: igfxcui - igfxsrvc.dll
.
============= SERVICES / DRIVERS ===============
.
R1 ehdrv;ehdrv;c:\windows\system32\drivers\ehdrv.sys [2010-12-21 115008]
R1 epfwtdir;epfwtdir;c:\windows\system32\drivers\epfwtdir.sys [2010-12-21 94872]
R2 Application Updater;Application Updater;c:\program files\application updater\ApplicationUpdater.exe [2011-6-24 393112]
R2 BT848;Conexant's BtPCI WDM Video Capture;c:\windows\system32\drivers\BT848.sys [2011-6-20 371349]
R2 ddservice;ddservice;c:\windows\update.7.1\svchostdriver.exe srv --> c:\windows\update.7.1\svchostdriver.exe srv [?]
R2 srvbtcclient;srvbtcclient;c:\windows\update.5.0\svchost.exe srv --> c:\windows\update.5.0\svchost.exe srv [?]
R2 srviecheck;srviecheck;c:\windows\update.2\2259.exe srv --> c:\windows\update.2\2259.exe srv [?]
R2 srvsysdriver32;srvsysdriver32;c:\windows\sysdriver32.exe srv --> c:\windows\sysdriver32.exe srv [?]
R2 Start BT in service;Start BT in service;c:\program files\ivt corporation\bluesoleil\StartSkysolSvc.exe [2007-12-27 51816]
R2 wxpdrivers;wxpdrivers;c:\windows\update.1\svchost.exe srv --> c:\windows\update.1\svchost.exe srv [?]
R3 AR9271;Wireless Network Adapter Service;c:\windows\system32\drivers\athuw.sys [2011-6-20 1714176]
S1 avgio;avgio;\??\c:\program files\avira\antivir personaledition premium\avgio.sys --> c:\program files\avira\antivir personaledition premium\avgio.sys [?]
S2 AntiVirMailService;AntiVir PersonalEdition Premium MailGuard;"c:\program files\avira\antivir personaledition premium\avmailc.exe" --> c:\program files\avira\antivir personaledition premium\avmailc.exe [?]
S2 AntiVirScheduler;AntiVir PersonalEdition Premium Scheduler;"c:\program files\avira\antivir personaledition premium\sched.exe" --> c:\program files\avira\antivir personaledition premium\sched.exe [?]
S2 AntiVirService;AntiVir PersonalEdition Premium Guard;"c:\program files\avira\antivir personaledition premium\avguard.exe" --> c:\program files\avira\antivir personaledition premium\avguard.exe [?]
S2 AntiVirUpgradeService;Avira Upgrade Service;"c:\windows\temp\avsetup_4e4fac9d\avupgsvc.exe" /tempstart:""c:\windows\temp\avsetup_4e4fac9d\setup.exe" /notempcleanup /crossupgrade" --> c:\windows\temp\avsetup_4e4fac9d\avupgsvc.exe [?]
S2 AVEService;AntiVir PersonalEdition Premium MailGuard helper service;"c:\program files\avira\antivir personaledition premium\avesvc.exe" --> c:\program files\avira\antivir personaledition premium\avesvc.exe [?]
S2 ekrn;ESET Service;"c:\program files\eset\eset nod32 antivirus\ekrn.exe" --> c:\program files\eset\eset nod32 antivirus\ekrn.exe [?]
S3 avgntflt;avgntflt;\??\c:\program files\avira\antivir personaledition premium\avgntflt.sys --> c:\program files\avira\antivir personaledition premium\avgntflt.sys [?]
S3 McComponentHostService;McAfee Security Scan Component Host Service;"c:\program files\mcafee security scan\2.0.189\mcchsvc.exe" --> c:\program files\mcafee security scan\2.0.189\McCHSvc.exe [?]
.
=============== Created Last 30 ================
.
2011-08-20 10:31:23 -------- d--h--w- c:\windows\update.tray-8-0-lnk
2011-08-20 10:31:23 -------- d--h--w- c:\windows\update.tray-8-0
2011-08-20 10:10:10 -------- d--h--w- c:\documents and settings\all users\application data\Common Files
2011-08-20 10:09:41 -------- d-----w- c:\documents and settings\all users\application data\MFAData
2011-08-19 17:39:23 -------- d--h--w- c:\windows\update.tray-2-0-lnk
2011-08-19 17:39:23 -------- d--h--w- c:\windows\update.tray-2-0
2011-08-19 14:19:40 232960 ----a-w- c:\windows\l1rezerv.exe
2011-08-19 14:18:50 -------- d-----w- c:\windows\ufa
2011-08-19 14:18:50 -------- d-----w- c:\windows\rpcminer
2011-08-19 14:18:50 -------- d-----w- c:\windows\phoenix
2011-08-19 14:16:35 -------- d--h--w- c:\windows\update.5.0
2011-08-19 14:15:07 -------- d--h--w- c:\windows\update.2
2011-08-19 14:14:40 246272 ----a-w- c:\windows\unrar.exe
2011-08-19 14:14:38 -------- d--h--w- c:\windows\update.7.1
2011-08-19 14:13:45 258048 ----a-w- c:\windows\sysdriver32_.exe
2011-08-19 14:13:30 258048 ----a-w- c:\windows\sysdriver32.exe
2011-08-19 14:13:03 -------- d-----w- c:\windows\av_ico
2011-08-19 14:11:51 -------- d--h--w- c:\windows\update.1
2011-08-19 14:11:50 -------- d--h--w- c:\windows\update.tray-9-0-lnk
2011-08-19 14:11:50 -------- d--h--w- c:\windows\update.tray-9-0
2011-08-19 14:01:14 1215488 ----a-w- c:\windows\services32.exe
2011-08-01 12:08:25 -------- d-----w- c:\program files\common files\Adobe Systems Shared
2011-07-31 15:39:01 -------- d-----w- c:\program files\GstarCAD2011Professional
.
==================== Find3M ====================
.
2011-06-27 00:53:51 411368 ----a-w- c:\windows\system32\deploytk.dll
2011-06-20 19:08:59 371349 ----a-w- c:\windows\system32\drivers\BT848.sys
.
============= FINISH: 19:57:44,03 ===============
Attachments: Attach, Gmer1, Gmer2, Gmer3 (login required to view)
I hope everything is OK?
Posted: 20 Aug 2011 22:53
offline
- thefamous
- New MyCity citizen
- Joined: 20 Aug 2011
- Posts: 8
Written: 20 Aug 2011 22:48
I have the Avira and McAfee icons in the taskbar, but today I deleted them from Control Panel, so they are no longer there. I tried to shut down ESET NOD32 Antivirus 4.2 via Start, but I get "The application failed to initialize properly (0x000012d). Click on OK to terminate the application." When I clicked OK nothing showed up. And today I tried a few times to delete ESET and it wouldn't. I ran ComboFix, it scanned for a while, showed some notice and disappeared. I looked for the report on Local Disk C, but in the meantime a window appeared: "Warning! ComboFix has detected following real time scanner(s) to be active. Avira Professional and ESET NOD32 Antivirus. ... Please disable these scanners before clicking Ok". So I haven't clicked OK yet, the window is still there, and what do I do now?
Update: 20 Aug 2011 22:53
Oh, and when I click on any of the three antivirus icons in the taskbar, a red window appears which says
"Enhanced protection mode
Attention! Antivir operates under enhanced protection mode. This is a temporary measure necessary for immediate response to the threat from virus. No action is required from you."
Posted: 21 Aug 2011 01:41
offline
- thefamous
- New MyCity citizen
- Joined: 20 Aug 2011
- Posts: 8
Written: 21 Aug 2011 1:08
I did Safe Mode with Networking; before that I downloaded both files for the virus. The computer was in Safe Mode for a few seconds and then restarted and went back to normal. However, the icons are still there, along with the red notice... should I start ComboFix after all? I tried last time and again I got the warning that I'm working at my own risk, i.e. that the antiviruses are there.
Update: 21 Aug 2011 1:20
What confuses me from the previous message is "we'll remove"; does that mean you, not me? Sorry, I said I don't understand this very well... but I want to clean the computer; two months ago I reinstalled the system... if I need to, I'll do it again.
Update: 21 Aug 2011 1:41
ESET has been deleted; ComboFix informs me that Avira is left, but I can't find it anywhere, not in Control Panel, not in Start... only the icon in the taskbar, which means nothing...
Posted: 21 Aug 2011 02:07
offline
- Fil
- Legendary citizen
- Joined: 11 Jun 2009
- Posts: 16586
Hello,
Can you explain to me in detail everything that happened on the computer? Specifically:
- Does the computer behave stably in Safe Mode? You wrote that it restarted after 3 seconds. Was that immediately after starting Safe Mode, or after running one of the antivirus removal tools? Does the computer always restart when you enter Safe Mode?
- To avoid confusion: you are actually removing the antiviruses with the tools I gave you to download (I gave the links).
So, you deleted ESET with the tool I gave you, from Normal mode?
Did you try to delete Avira with the program I gave you in the previous message?
Posted: 21 Aug 2011 03:25
offline
- thefamous
- New MyCity citizen
- Joined: 20 Aug 2011
- Posts: 8
I removed ESET via Control Panel in Normal mode.
After that I restarted the computer; Windows Advanced Options didn't appear right away, instead I had to choose a boot option: floppy, something with numbers, cdrom something.., another cdrom something.. and network. I chose the one with numbers and after that Safe Mode appeared. Windows opened and restarted after 3 seconds and went back to Normal mode.
Then I went into Normal mode and, from the link I downloaded for Avira, opened RegCleaner.exe and chose the Scan option.. it found 47 objects and I deleted them; a message came up that there are no more keys. I ran ComboFix and it detected Avira again.
I restarted to get into Safe Mode again; this time I stayed in for a minute, long enough to open RegCleaner.exe and click Scan, and then a window came up saying no key was found. ComboFix reported Avira again.
Posted: 21 Aug 2011 09:19
offline
- Fil
- Legendary citizen
- Joined: 11 Jun 2009
- Posts: 16586
Since you used Avira's RegCleaner.exe, ignore the message ComboFix gives you about Avira's presence.
So, run ComboFix according to the instructions already given, and even though the notice "Warning! ComboFix has detected following real time scanner(s) to be active. Avira Professional. Please disable these scanners before clicking Ok" may pop up, click the OK button anyway.
When it finishes, of course, attach the report.
Posted: 21 Aug 2011 12:51
offline
- thefamous
- New MyCity citizen
- Joined: 20 Aug 2011
- Posts: 8
Here is the ComboFix report. As for Avira, Windows Security Alerts has put up a notice "maybe out of date".
ComboFix 11-08-21.01 - Personal Computer 21.08.2011 12:29:15.2.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1250.381.1033.18.247.119 [GMT 2:00]
Running from: c:\documents and settings\Personal Computer\Desktop\ComboFix.exe
AV: Avira AntiVir PersonalEdition *Enabled/Outdated* {C19476D9-52BC-4E93-8AF3-CCF59F7AE8FE}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\docume~1\PERSON~1\LOCALS~1\Temp\3556982.exe
c:\program files\RelevantKnowledge
c:\windows\btc_client_iplist.txt
c:\windows\front_ip_list.txt
c:\windows\geoiplist
c:\windows\geoiplist.rar
c:\windows\iecheck_iplist.txt
c:\windows\info1
c:\windows\iplist.txt
c:\windows\l1rezerv.exe
c:\windows\loader2.exe_ok
c:\windows\phoenix
c:\windows\phoenix.rar
c:\windows\phoenix\kernels\phatk\__init__.py
c:\windows\phoenix\kernels\phatk\__init__.pyc
c:\windows\phoenix\kernels\phatk\BFIPatcher.py
c:\windows\phoenix\kernels\phatk\kernel.cl
c:\windows\phoenix\kernels\poclbm\__init__.py
c:\windows\phoenix\kernels\poclbm\__init__.pyc
c:\windows\phoenix\kernels\poclbm\BFIPatcher.py
c:\windows\phoenix\kernels\poclbm\kernel.cl
c:\windows\phoenix\phoenix.exe
c:\windows\proc_list1.log
c:\windows\rpcminer
c:\windows\rpcminer.rar
c:\windows\rpcminer\bitcoinminercuda_10.cubin
c:\windows\rpcminer\bitcoinminercuda_11.cubin
c:\windows\rpcminer\bitcoinminercuda_20.cubin
c:\windows\rpcminer\bitcoinmineropencl.cl
c:\windows\rpcminer\cudart32_32_16.dll
c:\windows\rpcminer\curllib.dll
c:\windows\rpcminer\libeay32.dll
c:\windows\rpcminer\libsasl.dll
c:\windows\rpcminer\openldap.dll
c:\windows\rpcminer\rpcminer-4way.exe
c:\windows\rpcminer\rpcminer-cpu.exe
c:\windows\rpcminer\rpcminer-cuda.exe
c:\windows\rpcminer\rpcminer-opencl.exe
c:\windows\rpcminer\ssleay32.dll
c:\windows\services32.exe
c:\windows\sysdriver32.exe
c:\windows\sysdriver32_.exe
c:\windows\system32\drivers\etc\HSTS~1
c:\windows\TEMP\12839690-loader2.exe
c:\windows\TEMP\35595.exe
c:\windows\TEMP\9239863.exe
c:\windows\ufa.rar
c:\windows\update.1
c:\windows\update.1\svchost.exe
c:\windows\update.2
c:\windows\update.2\2259.exe
c:\windows\update.2\svchost.exe
c:\windows\update.5.0
c:\windows\update.5.0\svchost.exe
c:\windows\update.tray-2-0\svchost.exe
c:\windows\update.tray-8-0\svchost.exe
c:\windows\update.tray-9-0\svchost.exe
c:\windows\winlog-dirs.txt
c:\windows\winlog-ids.txt
c:\windows\winsetupapi.log
D:\Autorun.inf
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Legacy_SRVBTCCLIENT
-------\Legacy_SRVIECHECK
-------\Legacy_SRVSYSDRIVER32
-------\Legacy_WXPDRIVERS
-------\Service_srvbtcclient
-------\Service_srviecheck
-------\Service_srvsysdriver32
-------\Service_wxpdrivers
.
.
((((((((((((((((((((((((( Files Created from 2011-07-21 to 2011-08-21 )))))))))))))))))))))))))))))))
.
.
2011-08-20 10:31 . 2011-08-21 10:36 -------- d--h--w- c:\windows\update.tray-8-0
2011-08-20 10:31 . 2011-08-20 10:31 -------- d--h--w- c:\windows\update.tray-8-0-lnk
2011-08-20 10:27 . 2007-08-09 11:04 40768 ----a-w- c:\windows\system32\drivers\avgntdd.sys
2011-08-20 10:27 . 2007-07-18 12:22 21312 ----a-w- c:\windows\system32\drivers\avgntmgr.sys
2011-08-20 10:27 . 2007-09-07 10:05 62016 ----a-w- c:\windows\system32\drivers\avipbb.sys
2011-08-20 10:10 . 2011-08-20 10:10 -------- d--h--w- c:\documents and settings\All Users\Application Data\Common Files
2011-08-20 10:09 . 2011-08-20 13:12 -------- d-----w- c:\documents and settings\All Users\Application Data\MFAData
2011-08-19 17:39 . 2011-08-21 10:36 -------- d--h--w- c:\windows\update.tray-2-0
2011-08-19 17:39 . 2011-08-19 17:39 -------- d--h--w- c:\windows\update.tray-2-0-lnk
2011-08-19 14:18 . 2011-08-19 14:18 -------- d-----w- c:\windows\ufa
2011-08-19 14:14 . 2011-08-19 14:18 246272 ----a-w- c:\windows\unrar.exe
2011-08-19 14:14 . 2011-08-19 14:14 -------- d--h--w- c:\windows\update.7.1
2011-08-19 14:13 . 2011-08-20 10:32 -------- d-----w- c:\windows\av_ico
2011-08-19 14:11 . 2011-08-21 10:36 -------- d--h--w- c:\windows\update.tray-9-0
2011-08-19 14:11 . 2011-08-19 14:11 -------- d--h--w- c:\windows\update.tray-9-0-lnk
2011-08-01 12:11 . 2011-08-01 12:11 -------- d-----w- c:\documents and settings\All Users\Application Data\Adobe Systems
2011-08-01 12:08 . 2011-08-01 12:08 -------- d-----w- c:\program files\Common Files\Adobe Systems Shared
2011-07-31 15:39 . 2011-07-31 15:43 -------- d-----w- c:\program files\GstarCAD2011Professional
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-06-27 00:53 . 2011-06-27 00:54 411368 ----a-w- c:\windows\system32\deploytk.dll
2011-06-20 19:08 . 2011-06-20 19:08 371349 ----a-w- c:\windows\system32\drivers\BT848.sys
.
.
------- Sigcheck -------
Note: Unsigned files aren't necessarily malware.
.
[-] 2008-06-24 . 362BC5AF8EAF712832C58CC13AE05750 . 1614848 . . [5.1.2600.5512] . . c:\windows\system32\sfcfiles.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2003-07-10 155648]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2003-07-10 114688]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"BabylonToolbar"="c:\program files\BabylonToolbar\BabylonToolbar\1.4.19.19\BabylonToolbarsrv.exe" [2010-11-07 286720]
"TWCU"="c:\program files\TP-LINK\TP-LINK Wireless Client Utility\TWCU.exe" [2010-05-21 561263]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-06-06 937920]
"SearchSettings"="c:\program files\Common Files\Spigot\Search Settings\SearchSettings.exe" [2011-06-24 534880]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"_nltide_3"="advpack.dll" [2008-04-14 99840]
.
c:\documents and settings\Personal Computer\Start Menu\Programs\Startup\
Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-3-16 113664]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
BlueSoleil.lnk - c:\program files\IVT Corporation\BlueSoleil\gprs.exe [2007-12-27 43608]
McAfee Security Scan Plus.lnk - c:\program files\McAfee Security Scan\2.0.189\SSScheduler.exe [N/A]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableSecureUIAPaths"= 0 (0x0)
.
[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"ForceClassicControlPanel"= 1 (0x1)
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"FirewallOverride"=dword:00000001
"DisableThumbnailCache"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\IVT Corporation\\BlueSoleil\\BlueSoleil.exe"=
.
R1 ehdrv;ehdrv;c:\windows\system32\drivers\ehdrv.sys [12/21/2010 3:04 PM 115008]
R1 epfwtdir;epfwtdir;c:\windows\system32\drivers\epfwtdir.sys [12/21/2010 1:47 PM 94872]
R2 Application Updater;Application Updater;c:\program files\Application Updater\ApplicationUpdater.exe [6/24/2011 5:30 PM 393112]
R2 BT848;Conexant's BtPCI WDM Video Capture;c:\windows\system32\drivers\BT848.sys [6/20/2011 9:08 PM 371349]
R2 ddservice;ddservice;c:\windows\update.7.1\svchostdriver.exe srv --> c:\windows\update.7.1\svchostdriver.exe srv [?]
R2 Start BT in service;Start BT in service;c:\program files\IVT Corporation\BlueSoleil\StartSkysolSvc.exe [12/27/2007 3:39 PM 51816]
R3 AR9271;Wireless Network Adapter Service;c:\windows\system32\drivers\athuw.sys [6/20/2011 1:28 PM 1714176]
S3 McComponentHostService;McAfee Security Scan Component Host Service;"c:\program files\McAfee Security Scan\2.0.189\McCHSvc.exe" --> c:\program files\McAfee Security Scan\2.0.189\McCHSvc.exe [?]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://start.jdownloader.com/
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
LSP: avsda.dll
TCP: DhcpNameServer = 89.216.1.30 89.216.1.50
.
- - - - ORPHANS REMOVED - - - -
.
HKLM-Run-Cmaudio - cmicnfg.cpl
HKLM-Run-wxpdrv - c:\windows\services32.exe
HKLM-Run-tray_ico - (no file)
HKLM-Run-tray_ico0 - c:\windows\update.tray-9-0\svchost.exe
HKLM-Run-tray_ico1 - c:\windows\update.tray-2-0\svchost.exe
HKLM-Run-tray_ico2 - c:\windows\update.tray-8-0\svchost.exe
HKLM-Run-tray_ico3 - (no file)
HKLM-Run-tray_ico4 - (no file)
HKLM-Run-l1rezerv.exe - c:\windows\l1rezerv.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, gmer.net
Rootkit scan 2011-08-21 12:42
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'lsass.exe'(1292)
c:\windows\system32\avsda.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\acs.exe
c:\program files\IVT Corporation\BlueSoleil\BTNtService.exe
c:\windows\update.7.1\svchostdriver.exe
c:\windows\update.7.1\svchostdriver.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\RunDll32.exe
c:\program files\IVT Corporation\BlueSoleil\BlueSoleil.exe
c:\program files\IVT Corporation\BlueSoleil\BlueSoleil VoIP Plugin.exe
c:\program files\Skype\Phone\Skype.exe
.
**************************************************************************
.
Completion time: 2011-08-21 12:47:25 - machine was rebooted
ComboFix-quarantined-files.txt 2011-08-21 10:47
.
Pre-Run: 28.362.817.536 bytes free
Post-Run: 29.362.511.872 bytes free
.
- - End Of File - - 439CD9495A1E49AB7B73C3FAA6D9914A
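The DDS report in the first post and the ComboFix report above were read by hand, but the tells are the same in both: copies of svchost.exe running from c:\windows\update.* instead of system32, Run entries pointing into temp folders or dropped straight into the Windows directory, randomly numbered file names, and policy values that switch protections off. The script below, added here as an example and not part of DDS, ComboFix or anything Fil handed out, applies exactly those heuristics to a log. SAMPLE_LOG is a constructed excerpt modelled on the posted logs, not the full log; the list of executables allowed directly in %windir% and the set of weakening policy values are assumptions of the example, not taken from the page.

```python
"""Triage heuristics for DDS / ComboFix style logs.

Added example for this thread; not part of DDS, ComboFix or any tool the
helper provided. SAMPLE_LOG is a constructed excerpt modelled on the logs
posted above, not the full log.
"""
import re
from collections import Counter, namedtuple

Finding = namedtuple("Finding", "kind path reason")

# Directory where the genuine copy of each commonly impersonated binary lives (XP layout).
EXPECTED_DIR = {
    "svchost.exe": "c:\\windows\\system32\\",
    "lsass.exe": "c:\\windows\\system32\\",
    "csrss.exe": "c:\\windows\\system32\\",
    "winlogon.exe": "c:\\windows\\system32\\",
    "services.exe": "c:\\windows\\system32\\",
    "spoolsv.exe": "c:\\windows\\system32\\",
    "explorer.exe": "c:\\windows\\",
}
WINDIR = "c:\\windows\\"
# Assumption: executables that normally sit directly in %windir% on XP; anything else there is suspect.
WINDIR_ALLOW = {"explorer.exe", "regedit.exe", "notepad.exe", "hh.exe",
                "winhlp32.exe", "twunk_32.exe", "twunk_16.exe"}
# Assumption: policy values that weaken the box when set to the given value.
WEAK_POLICIES = {"enablelua": "0", "enablesecureuiapaths": "0", "enablefirewall": "0",
                 "disableregistrytools": "1", "disabletaskmgr": "1"}
AUTOSTART_PREFIXES = ("urun:", "mrun:", "drun:", "urunonce:", "mrunonce:",
                      "drunonce:", "startupfolder:", "hklm-run-")

# First drive-letter path ending in a binary extension; arguments and "[?]" markers are left behind.
PATH_RE = re.compile(r"([a-z]:\\.*?\.(?:exe|dll|sys|cpl))(?![\w.])", re.I)
# Matches both 'EnableLUA = 0 (0x0)' (DDS) and '"EnableFirewall"= 0 (0x0)' (ComboFix).
POLICY_RE = re.compile(r'(\w+)"?\s*=\s*(\d+)')


def classify(line, section):
    """Decide which kind of log line this is; None means 'not interesting'."""
    low = line.lower()
    if re.match(r"[rs]\d\s", low):           # R2 name;display;path ... service/driver rows
        return "service"
    if low.startswith(AUTOSTART_PREFIXES):    # Run keys, startup folders, ComboFix orphans
        return "autostart"
    return "process" if section == "process" else None


def path_reasons(path, kind, line):
    """Return every heuristic that fires for one lower-cased executable path."""
    directory, _, base = path.rpartition("\\")
    directory += "\\"
    reasons = []
    expected = EXPECTED_DIR.get(base)
    if expected and directory != expected:
        reasons.append("%s running outside %s (name masquerade)" % (base, expected))
    if "\\temp\\" in directory:
        reasons.append("runs from a temp directory")
    if directory == WINDIR and base not in WINDIR_ALLOW:
        reasons.append("executable dropped directly into %windir%")
    if re.match(r"\d{4,}", base):
        reasons.append("randomly numbered file name")
    # DDS prints [?] when it cannot stat the binary; half-uninstalled products show it
    # too, so treat it only as corroboration of another indicator.
    if kind == "service" and reasons and line.endswith("[?]"):
        reasons.append("service binary could not be read by DDS (missing or hidden)")
    return reasons


def triage(log_text):
    """Walk the log and collect Finding records."""
    findings, section = [], "other"
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line[0] in "=(":                   # section banners in both DDS and ComboFix
            section = "process" if "running processes" in line.lower() else "other"
            continue
        pol = POLICY_RE.search(line)
        if pol:
            key, value = pol.group(1), pol.group(2)
            if WEAK_POLICIES.get(key.lower()) == value:
                findings.append(Finding("policy", key,
                                        "protection switched off by policy (value %s)" % value))
                continue
        kind = classify(line, section)
        if kind is None:
            continue
        match = PATH_RE.search(line)
        if not match:
            continue
        path = match.group(1).lower()
        for reason in path_reasons(path, kind, line):
            findings.append(Finding(kind, path, reason))
    return findings


def summary(findings):
    """Count findings per line kind, e.g. {'process': 3, 'autostart': 5, ...}."""
    return dict(Counter(f.kind for f in findings))


# Constructed excerpt modelled on the DDS and ComboFix logs in this thread.
SAMPLE_LOG = r"""
============== Running Processes ===============
.
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\update.5.0\svchost.exe srv
"C:\WINDOWS\update.tray-2-0-lnk\svchost.exe" tray 2-0 1
C:\WINDOWS\l1rezerv.exe
C:\Program Files\TP-LINK\TP-LINK Wireless Client Utility\TWCU.exe
.
============== Pseudo HJT Report ===============
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [35595.exe] "c:\windows\temp\35595.exe"
mRun: [3556982.exe] "c:\docume~1\person~1\locals~1\temp\3556982.exe"
mRun: [sysdriver32.exe] "c:\windows\sysdriver32.exe" rezerv
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableSecureUIAPaths = 0 (0x0)
============= SERVICES / DRIVERS ===============
R2 srvbtcclient;srvbtcclient;c:\windows\update.5.0\svchost.exe srv --> c:\windows\update.5.0\svchost.exe srv [?]
R2 Start BT in service;Start BT in service;c:\program files\ivt corporation\bluesoleil\StartSkysolSvc.exe [2007-12-27 51816]
((((((((((( Reg Loading Points )))))))))))
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"""

if __name__ == "__main__":
    results = triage(SAMPLE_LOG)
    for f in results:
        print("%-9s %-55s %s" % (f.kind, f.path, f.reason))
    print(summary(results))
```

Two caveats the script keeps explicit. A `[?]` on a service row only corroborates another indicator, because DDS prints it for any binary it cannot stat, and the Avira services in the first report show it merely because the product was half uninstalled. EnableLUA is honoured only from Vista onward, so on this XP box the value is inert; it still matters as a sign that a blanket "switch everything off" routine ran, which the EnableFirewall=0 line in the ComboFix report confirms.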