Adware.virtumonde.fp application


Posted by the original poster (joined 04 Apr 2008, 15 posts):

I uploaded the file successfully!

Posted by helen1 (Anti Malware Fighter, Rank 2; Master teacher; joined 27 Aug 2005; 8620 posts; Novi Beograd):

Temporarily disable the antivirus program while we do this (set the AMON module in NOD32 to Disabled).

Open Notepad and copy in the following text:

File::
C:\WINDOWS\system32\uvaltsqf.exe
C:\WINDOWS\system32\ovyvnuoi.ini
C:\WINDOWS\system32\rppxungf.ini
C:\WINDOWS\system32\cbehcrqlonmpsj.bmp
C:\WINDOWS\system32\mmax_goog.ini
C:\WINDOWS\system32\mlsnqpobihsj.bmp
C:\WINDOWS\system32\doralsfilgfih.bmp
C:\WINDOWS\system32\drivers\core.cache.dsk
C:\WINDOWS\NDNuninstall6_38.exe
C:\WINDOWS\system32\wujfoqmm.dll
C:\WINDOWS\system32\gebyw.dll
C:\WINDOWS\system32\Drivers\Btg18.sys
C:\WINDOWS\system32\Drivers\Cua13.sys
C:\WINDOWS\system32\Drivers\Cvb63.sys
C:\WINDOWS\system32\Drivers\Icy85.sys
C:\WINDOWS\system32\Drivers\Mjp17.sys
C:\WINDOWS\system32\Drivers\Nbl18.sys
C:\WINDOWS\system32\Drivers\Tey86.sys
C:\WINDOWS\system32\Drivers\Uhd85.sys
C:\WINDOWS\system32\Drivers\Wxh31.sys
C:\WINDOWS\system32\Drivers\Xrl86.sys
C:\WINDOWS\system32\Drivers\Xtq74.sys
C:\WINDOWS\system32\Drivers\Yqf53.sys

Driver::
Btg18.sys
Cua13.sys
Cvb63.sys
Icy85.sys
Mjp17.sys
Nbl18.sys
Tey86.sys
Uhd85.sys
Wxh31.sys
Xrl86.sys
Xtq74.sys
Yqf53.sys

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{16CD11C4-B6E8-40DC-B005-E25B4D770B88}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BM835d6043"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\gebxuvv]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Btg18.sys]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Cua13.sys]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Cvb63.sys]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Icy85.sys]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Mjp17.sys]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Nbl18.sys]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Tey86.sys]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Uhd85.sys]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wxh31.sys]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Xrl86.sys]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Xtq74.sys]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Yqf53.sys]

Save the file from Notepad to the Desktop as "CFScript"

Drag the saved script/text onto the ComboFix icon as in the picture.
Post the log that is produced at the end of the cleaning/scan in your next reply.

Posted by the original poster:

ComboFix 08-04-08.10 - XP 2008-04-11 8:19:02.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1250.1.1033.18.526 [GMT 2:00]
Running from: C:\Documents and Settings\XP\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\XP\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\WINDOWS\NDNuninstall6_38.exe
C:\WINDOWS\system32\cbehcrqlonmpsj.bmp
C:\WINDOWS\system32\doralsfilgfih.bmp
C:\WINDOWS\system32\Drivers\Btg18.sys
C:\WINDOWS\system32\drivers\core.cache.dsk
C:\WINDOWS\system32\Drivers\Cua13.sys
C:\WINDOWS\system32\Drivers\Cvb63.sys
C:\WINDOWS\system32\Drivers\Icy85.sys
C:\WINDOWS\system32\Drivers\Mjp17.sys
C:\WINDOWS\system32\Drivers\Nbl18.sys
C:\WINDOWS\system32\Drivers\Tey86.sys
C:\WINDOWS\system32\Drivers\Uhd85.sys
C:\WINDOWS\system32\Drivers\Wxh31.sys
C:\WINDOWS\system32\Drivers\Xrl86.sys
C:\WINDOWS\system32\Drivers\Xtq74.sys
C:\WINDOWS\system32\Drivers\Yqf53.sys
C:\WINDOWS\system32\gebyw.dll
C:\WINDOWS\system32\mlsnqpobihsj.bmp
C:\WINDOWS\system32\mmax_goog.ini
C:\WINDOWS\system32\ovyvnuoi.ini
C:\WINDOWS\system32\rppxungf.ini
C:\WINDOWS\system32\uvaltsqf.exe
C:\WINDOWS\system32\wujfoqmm.dll
.
TimedOut: progfile.dat

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\XP\Start Menu\Programs\Startup\DW_Start.lnk
C:\WINDOWS\NDNuninstall6_38.exe
C:\WINDOWS\system32\_000006_.tmp.dll
C:\WINDOWS\system32\cbehcrqlonmpsj.bmp
C:\WINDOWS\system32\doralsfilgfih.bmp
C:\WINDOWS\system32\drivers\core.cache.dsk
C:\WINDOWS\system32\mlsnqpobihsj.bmp
C:\WINDOWS\system32\mmax_goog.ini
C:\WINDOWS\system32\ovyvnuoi.ini
C:\WINDOWS\system32\rppxungf.ini
C:\WINDOWS\system32\uvaltsqf.exe

.
((((((((((((((((((((((((( Files Created from 2008-03-11 to 2008-04-11 )))))))))))))))))))))))))))))))
.

2008-04-11 07:54 . 2008-04-11 07:54 <DIR> d-------- C:\WINDOWS\LastGood
2008-04-09 15:06 . 2008-04-09 15:06 <DIR> d-------- C:\VundoFix Backups
2008-04-09 14:15 . 2008-04-09 14:15 <DIR> d-------- C:\WINDOWS\system32\sl-SI
2008-04-09 13:53 . 2008-03-01 15:06 6,066,176 -----c--- C:\WINDOWS\system32\dllcache\ieframe.dll
2008-04-09 13:53 . 2007-07-01 05:31 2,455,488 -----c--- C:\WINDOWS\system32\dllcache\ieapfltr.dat
2008-04-09 13:53 . 2007-07-01 05:36 991,232 -----c--- C:\WINDOWS\system32\dllcache\ieframe.dll.mui
2008-04-09 13:53 . 2008-03-01 15:06 459,264 -----c--- C:\WINDOWS\system32\dllcache\msfeeds.dll
2008-04-09 13:53 . 2008-03-01 15:06 383,488 -----c--- C:\WINDOWS\system32\dllcache\ieapfltr.dll
2008-04-09 13:53 . 2008-03-01 15:06 267,776 -----c--- C:\WINDOWS\system32\dllcache\iertutil.dll
2008-04-09 13:53 . 2008-03-01 15:06 63,488 -----c--- C:\WINDOWS\system32\dllcache\icardie.dll
2008-04-09 13:53 . 2008-03-01 15:06 52,224 -----c--- C:\WINDOWS\system32\dllcache\msfeedsbs.dll
2008-04-09 13:53 . 2008-02-22 12:00 13,824 -----c--- C:\WINDOWS\system32\dllcache\ieudinit.exe
2008-04-04 13:10 . 2008-04-04 13:10 <DIR> d-------- C:\Program Files\Trend Micro
2008-04-04 09:44 . 2008-04-04 09:44 <DIR> d-------- C:\Program Files\Windows Defender
2008-04-04 08:55 . 2008-04-04 08:55 1,823 --a------ C:\WINDOWS\mozver.dat
2008-04-04 08:09 . 2008-04-04 08:13 <DIR> d-------- C:\WINDOWS\BDOSCAN8
2008-04-01 10:44 . 2008-04-01 10:44 <DIR> d-------- C:\Program Files\Lavasoft
2008-04-01 10:44 . 2008-04-01 10:44 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-04-01 10:44 . 2008-04-01 10:45 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-03-28 10:43 . 2008-03-31 09:11 <DIR> d-------- C:\WINDOWS\SxsCaPendDel
2008-03-26 15:24 . 2008-04-09 15:04 16 --a------ C:\WINDOWS\popcinfo.dat
2008-03-26 14:54 . 2008-03-26 14:57 <DIR> d-------- C:\Program Files\Bejeweled 2 Deluxe
2008-03-26 14:54 . 2008-03-26 14:54 720,896 --a------ C:\WINDOWS\iun6002ev.exe
2008-03-26 14:27 . 2008-03-26 14:54 69 --a------ C:\WINDOWS\NeroDigital.ini
2008-03-26 11:30 . 2008-03-26 11:30 <DIR> d-------- C:\Documents and Settings\XP\Application Data\GRETECH
2008-03-26 11:30 . 2008-03-26 11:30 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\GRETECH
2008-03-26 08:57 . 2008-04-09 09:18 564 --a------ C:\WINDOWS\system32\MRT.INI
2008-03-26 08:56 . 2008-03-26 08:56 <DIR> d-------- C:\Program Files\MSXML 4.0
2008-03-25 15:07 . 2008-03-25 15:07 8,464 --a------ C:\WINDOWS\system32\sporder.dll
2008-03-25 14:54 . 2008-03-25 14:54 <DIR> d-------- C:\Program Files\ESET
2008-03-25 14:54 . 2008-03-25 14:54 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\ESET
2008-03-25 11:29 . 2008-03-25 11:29 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\FLEXnet
2008-03-25 11:11 . 2008-03-25 11:11 <DIR> d-------- C:\Program Files\Common Files\Control Panels
2008-03-25 11:09 . 2008-03-25 11:09 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\ALM
2008-03-25 10:56 . 2008-03-25 10:56 <DIR> d-------- C:\Program Files\QuickTime
2008-03-25 10:48 . 2007-02-20 17:04 2,463,976 --a------ C:\WINDOWS\system32\NPSWF32.dll
2008-03-25 10:48 . 2007-02-20 17:04 190,696 --a------ C:\WINDOWS\system32\NPSWF32_FlashUtil.exe
2008-03-25 10:41 . 2008-03-25 10:41 <DIR> d-------- C:\Program Files\Bonjour
2008-03-25 10:37 . 2008-03-25 10:37 <DIR> d-------- C:\Program Files\Common Files\Macrovision Shared
2008-03-25 10:27 . 2008-03-25 10:27 <DIR> d-------- C:\Documents and Settings\XP\Application Data\Nero
2008-03-25 10:23 . 2008-03-25 10:23 <DIR> d-------- C:\Program Files\Nero
2008-03-25 10:23 . 2008-03-28 10:42 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Nero
2008-03-25 10:01 . 2008-03-25 10:03 <DIR> d-------- C:\Program Files\TIS 2008
2008-03-20 14:26 . 2008-03-20 14:26 0 --a------ C:\WINDOWS\nsreg.dat

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-25 12:56 --------- d-----w C:\Documents and Settings\All Users\Application Data\Avira
2008-03-25 09:13 --------- d-----w C:\Program Files\Common Files\Adobe
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys
2008-03-01 13:06 826,368 ----a-w C:\WINDOWS\system32\wininet.dll
2008-02-22 08:05 --------- d-----w C:\Program Files\Common Files\Autodesk Shared
2008-02-22 08:05 --------- d-----w C:\Program Files\Autodesk
2008-02-22 08:05 --------- d-----w C:\Program Files\AutoCAD 2005
2008-02-22 08:04 --------- d-----w C:\Program Files\AnswerWorks 4.0
2008-02-22 08:00 --------- d-----w C:\Documents and Settings\XP\Application Data\Autodesk
2008-02-22 08:00 --------- d-----w C:\Documents and Settings\All Users\Application Data\Autodesk
2008-02-20 10:11 33,800 ----a-w C:\WINDOWS\system32\drivers\epfwtdir.sys
2008-02-20 10:02 29,704 ----a-w C:\WINDOWS\system32\drivers\easdrv.sys
2008-02-20 10:01 39,944 ----a-w C:\WINDOWS\system32\drivers\eamon.sys
2008-02-20 06:51 282,624 ----a-w C:\WINDOWS\system32\SET9B76.tmp
2008-02-20 06:51 282,624 ----a-w C:\WINDOWS\system32\gdi32.dll
2008-02-20 06:51 282,624 ------w C:\WINDOWS\system32\SETC3E7.tmp
2008-02-20 05:32 45,568 ----a-w C:\WINDOWS\system32\SET9B05.tmp
2008-02-20 05:32 45,568 ----a-w C:\WINDOWS\system32\dnsrslvr.dll
2008-02-20 05:32 45,568 ------w C:\WINDOWS\system32\SETC3DF.tmp
2008-02-20 05:32 148,992 ----a-w C:\WINDOWS\system32\SET9B06.tmp
2008-02-20 05:32 148,992 ------w C:\WINDOWS\system32\SETC3E0.tmp
2008-02-16 22:29 3,059,712 ----a-w C:\WINDOWS\system32\SET9B93.tmp
2008-02-16 22:29 3,059,712 ------w C:\WINDOWS\system32\SETC3F5.tmp
2008-02-16 08:59 659,456 ----a-w C:\WINDOWS\system32\SET9B8A.tmp
2008-02-16 08:59 659,456 ------w C:\WINDOWS\system32\SETC3F1.tmp
2008-02-16 08:59 615,936 ----a-w C:\WINDOWS\system32\SET9B8B.tmp
2008-02-16 08:59 615,936 ------w C:\WINDOWS\system32\SETC3F2.tmp
2008-02-16 08:59 474,112 ----a-w C:\WINDOWS\system32\SET9B8C.tmp
2008-02-16 08:59 474,112 ------w C:\WINDOWS\system32\SETC3F3.tmp
2008-02-16 08:59 1,494,528 ----a-w C:\WINDOWS\system32\SET9B8D.tmp
2008-02-16 08:59 1,494,528 ------w C:\WINDOWS\system32\SETC3F4.tmp
2008-02-16 08:59 1,023,488 ----a-w C:\WINDOWS\system32\SET9B9D.tmp
2008-02-16 08:59 1,023,488 ------w C:\WINDOWS\system32\SETC3F7.tmp
2008-02-15 09:06 351,744 ----a-w C:\WINDOWS\system32\SETC3F8.tmp
2008-02-15 09:06 351,744 ----a-w C:\WINDOWS\system32\SET9BA0.tmp
.

((((((((((((((((((((((((((((( snapshot@2008-04-09_14.42.10.73 )))))))))))))))))))))))))))))))))))))))))
.
+ 2007-07-12 23:28:55 765,952 ----a-w C:\WINDOWS\$hf_mig$\KB938127-IE7\SP2QFE\vgx.dll
+ 2007-03-06 01:22:36 14,048 ----a-w C:\WINDOWS\$hf_mig$\KB938127-IE7\spmsg.dll
+ 2007-03-06 01:22:41 213,216 ----a-w C:\WINDOWS\$hf_mig$\KB938127-IE7\spuninst.exe
+ 2007-03-06 01:22:34 22,752 ----a-w C:\WINDOWS\$hf_mig$\KB938127-IE7\update\spcustom.dll
+ 2007-03-06 01:22:59 716,000 ----a-w C:\WINDOWS\$hf_mig$\KB938127-IE7\update\update.exe
+ 2007-03-06 01:23:51 371,424 ----a-w C:\WINDOWS\$hf_mig$\KB938127-IE7\update\updspapi.dll
+ 2007-03-06 01:22:41 213,216 -c----w C:\WINDOWS\ie7updates\KB938127-IE7\spuninst\spuninst.exe
+ 2007-03-06 01:23:51 371,424 -c----w C:\WINDOWS\ie7updates\KB938127-IE7\spuninst\updspapi.dll
+ 2007-08-14 01:54:10 765,952 -c----w C:\WINDOWS\ie7updates\KB938127-IE7\vgx.dll
- 2007-08-14 01:54:10 765,952 -c--a-w C:\WINDOWS\system32\dllcache\VGX.dll
+ 2007-07-12 23:31:54 765,952 -c--a-w C:\WINDOWS\system32\dllcache\vgx.dll
- 2006-09-07 00:43:16 14,048 ------w C:\WINDOWS\system32\spmsg.dll
+ 2007-03-06 01:22:36 14,048 ------w C:\WINDOWS\system32\spmsg.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2007-07-27 14:00 15360]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe" [ ]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 18:24 1694208]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATICCC"="C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe" [2006-05-10 12:12 90112]
"NBKeyScan"="C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe" [ ]
"Acrobat Assistant 8.0"="C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2008-01-11 20:54 623992]
"Adobe_ID0EYTHM"="C:\PROGRA~1\COMMON~1\Adobe\ADOBEV~1\Server\bin\VERSIO~2.EXE" [2007-03-20 17:40 1884160]
"egui"="C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" [2008-02-20 12:06 1443072]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 14:06 40048]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 19:20 866584]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2007-07-27 14:00 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\Common Files\\Adobe\\Adobe Version Cue CS3\\Server\\bin\\VersionCueCS3.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3703:TCP"= 3703:TCP:Adobe Version Cue CS3 Server
"3704:TCP"= 3704:TCP:Adobe Version Cue CS3 Server
"50900:TCP"= 50900:TCP:Adobe Version Cue CS3 Server
"50901:TCP"= 50901:TCP:Adobe Version Cue CS3 Server

R1 epfwtdir;epfwtdir;C:\WINDOWS\system32\DRIVERS\epfwtdir.sys [2008-02-20 12:11]
S0 Btg18;Btg18;C:\WINDOWS\system32\Drivers\Btg18.sys []
S0 Cua13;Cua13;C:\WINDOWS\system32\Drivers\Cua13.sys []
S0 Cvb63;Cvb63;C:\WINDOWS\system32\Drivers\Cvb63.sys []
S0 Icy85;Icy85;C:\WINDOWS\system32\Drivers\Icy85.sys []
S0 Mjp17;Mjp17;C:\WINDOWS\system32\Drivers\Mjp17.sys []
S0 Nbl18;Nbl18;C:\WINDOWS\system32\Drivers\Nbl18.sys []
S0 Tey86;Tey86;C:\WINDOWS\system32\Drivers\Tey86.sys []
S0 Uhd85;Uhd85;C:\WINDOWS\system32\Drivers\Uhd85.sys []
S0 Wxh31;Wxh31;C:\WINDOWS\system32\Drivers\Wxh31.sys []
S0 Xrl86;Xrl86;C:\WINDOWS\system32\Drivers\Xrl86.sys []
S0 Xtq74;Xtq74;C:\WINDOWS\system32\Drivers\Xtq74.sys []
S0 Yqf53;Yqf53;C:\WINDOWS\system32\Drivers\Yqf53.sys []

.
Contents of the 'Scheduled Tasks' folder
"2008-04-11 05:56:19 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
.
**************************************************************************

catchme 0.3.1351 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, gmer.net
Rootkit scan 2008-04-11 08:21:21
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-04-11 8:21:59
ComboFix-quarantined-files.txt 2008-04-11 06:21:53
ComboFix2.txt 2008-04-09 12:42:24
Pre-Run: 230,222,049,280 bytes free
Post-Run: 230,205,587,456 bytes free
.
2008-04-11 05:55:18 --- E O F ---

Posted by helen1:

Open Notepad and copy in the following text:

Driver::
Btg18
Cua13
Cvb63
Icy85
Mjp17
Nbl18
Tey86
Uhd85
Wxh31
Xrl86
Xtq74
Yqf53

Save the file from Notepad to the Desktop as "CFScript"

Drag the saved script/text onto the ComboFix icon as in the picture.
Post the log that is produced at the end of the cleaning/scan in your next reply.
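An added example, not part of this thread and not a ComboFix feature, serving both this post and the first CFScript post above: a small Python parser that reads the service lines from the ComboFix logs posted in the thread, flags boot-start drivers with Virtumonde-style random names (three letters plus two digits, like Btg18) and no file metadata, checks them against the "Drivers/Services" removal lines of the following log, and emits a Driver:: block in the form this script uses (bare service names, no .sys suffix, which is how the later scripts in the thread are written, unlike the first one). Assumptions: the S0 prefix is read as a stopped, boot-start driver, and empty brackets after the path are read as ComboFix having found no file there; the sample input is constructed from a subset of the log lines on this page.

```python
import re
from typing import Dict, List, Set

# Constructed sample input: a few lines copied from the ComboFix logs posted in
# the thread (the "Reg Loading Points" service list of the first log, then the
# "Drivers/Services" removals and service list of the second log).
FIRST_LOG = r"""
R1 epfwtdir;epfwtdir;C:\WINDOWS\system32\DRIVERS\epfwtdir.sys [2008-02-20 12:11]
S0 Btg18;Btg18;C:\WINDOWS\system32\Drivers\Btg18.sys []
S0 Cua13;Cua13;C:\WINDOWS\system32\Drivers\Cua13.sys []
S0 Xrl86;Xrl86;C:\WINDOWS\system32\Drivers\Xrl86.sys []
"""

SECOND_LOG = r"""
-------\Legacy_XRL86
-------\Service_Cua13
-------\Service_Xrl86

R1 epfwtdir;epfwtdir;C:\WINDOWS\system32\DRIVERS\epfwtdir.sys [2008-02-20 12:11]
S0 Btg18;Btg18;C:\WINDOWS\system32\Drivers\Btg18.sys []
"""

# "S0 name;display;path [meta]" -- assumption: R/S = running/stopped,
# the digit is the start type (0 = boot start), meta = file date/size.
SERVICE_RE = re.compile(
    r"^(?P<state>[RS])(?P<start>\d) (?P<svc>[^;]+);(?P<display>[^;]*);"
    r"(?P<path>.+?) \[(?P<meta>[^\]]*)\]\s*$"
)
# "-------\Service_Cua13" / "-------\Legacy_XRL86": entries ComboFix removed.
REMOVED_RE = re.compile(r"^-------\\(?:Service|Legacy)_(?P<name>\w+)\s*$")
# Driver names seen on this page: one capital, two lower-case letters, two digits.
RANDOM_NAME_RE = re.compile(r"^[A-Z][a-z]{2}\d{2}$")


def parse_services(log: str) -> List[Dict[str, str]]:
    """Return every service/driver line of a ComboFix log as a dict."""
    return [m.groupdict() for m in map(SERVICE_RE.match, log.splitlines()) if m]


def suspicious_drivers(log: str) -> List[Dict[str, str]]:
    """Boot-start drivers with a random-looking name and no file metadata.
    Assumption: empty brackets mean ComboFix found no file at that path."""
    return [
        s for s in parse_services(log)
        if s["start"] == "0"
        and RANDOM_NAME_RE.match(s["svc"])
        and s["meta"].strip() == ""
    ]


def removed_services(log: str) -> Set[str]:
    """Names (lower-cased) listed under Drivers/Services as removed."""
    return {m.group("name").lower()
            for m in map(REMOVED_RE.match, log.splitlines()) if m}


def remaining_drivers(before: str, after: str) -> List[str]:
    """Flagged drivers from `before` that are still registered in `after`,
    cross-checked against the removal lines of `after`."""
    flagged = {s["svc"] for s in suspicious_drivers(before)}
    still_listed = {s["svc"] for s in parse_services(after)}
    gone = removed_services(after)
    return sorted(n for n in flagged if n in still_listed and n.lower() not in gone)


def cfscript_driver_block(names: List[str]) -> str:
    """Driver:: section in the form the later scripts on this page use:
    one bare service name per line, no .sys suffix."""
    return "Driver::\n" + "".join(f"{n}\n" for n in names)


if __name__ == "__main__":
    left = remaining_drivers(FIRST_LOG, SECOND_LOG)
    print(cfscript_driver_block(left))
```

Run against the constructed sample, the report shows the same thing the thread's second log shows: Cua13 and Xrl86 were removed, Btg18 is still registered with no file behind it, so the next CFScript needs a Driver:: block naming Btg18 alone.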

Posted by the original poster:

ComboFix 08-04-08.10 - XP 2008-04-14 8:59:08.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1250.1.1033.18.533 [GMT 2:00]
Running from: C:\Documents and Settings\XP\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\XP\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
TimedOut: progfile.dat

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_XRL86
-------\Legacy_XTQ74
-------\Service_Cua13
-------\Service_Cvb63
-------\Service_Icy85
-------\Service_Mjp17
-------\Service_Nbl18
-------\Service_Tey86
-------\Service_Uhd85
-------\Service_Wxh31
-------\Service_Xrl86
-------\Service_Xtq74
-------\Service_Yqf53


((((((((((((((((((((((((( Files Created from 2008-03-14 to 2008-04-14 )))))))))))))))))))))))))))))))
.

2008-04-09 15:06 . 2008-04-09 15:06 <DIR> d-------- C:\VundoFix Backups
2008-04-09 14:15 . 2008-04-09 14:15 <DIR> d-------- C:\WINDOWS\system32\sl-SI
2008-04-09 13:53 . 2008-03-01 15:06 6,066,176 -----c--- C:\WINDOWS\system32\dllcache\ieframe.dll
2008-04-09 13:53 . 2007-07-01 05:31 2,455,488 -----c--- C:\WINDOWS\system32\dllcache\ieapfltr.dat
2008-04-09 13:53 . 2007-07-01 05:36 991,232 -----c--- C:\WINDOWS\system32\dllcache\ieframe.dll.mui
2008-04-09 13:53 . 2008-03-01 15:06 459,264 -----c--- C:\WINDOWS\system32\dllcache\msfeeds.dll
2008-04-09 13:53 . 2008-03-01 15:06 383,488 -----c--- C:\WINDOWS\system32\dllcache\ieapfltr.dll
2008-04-09 13:53 . 2008-03-01 15:06 267,776 -----c--- C:\WINDOWS\system32\dllcache\iertutil.dll
2008-04-09 13:53 . 2008-03-01 15:06 63,488 -----c--- C:\WINDOWS\system32\dllcache\icardie.dll
2008-04-09 13:53 . 2008-03-01 15:06 52,224 -----c--- C:\WINDOWS\system32\dllcache\msfeedsbs.dll
2008-04-09 13:53 . 2008-02-22 12:00 13,824 -----c--- C:\WINDOWS\system32\dllcache\ieudinit.exe
2008-04-04 13:10 . 2008-04-04 13:10 <DIR> d-------- C:\Program Files\Trend Micro
2008-04-04 09:44 . 2008-04-04 09:44 <DIR> d-------- C:\Program Files\Windows Defender
2008-04-04 08:55 . 2008-04-04 08:55 1,823 --a------ C:\WINDOWS\mozver.dat
2008-04-04 08:09 . 2008-04-04 08:13 <DIR> d-------- C:\WINDOWS\BDOSCAN8
2008-04-01 10:44 . 2008-04-01 10:44 <DIR> d-------- C:\Program Files\Lavasoft
2008-04-01 10:44 . 2008-04-01 10:44 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-04-01 10:44 . 2008-04-01 10:45 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-03-28 10:43 . 2008-03-31 09:11 <DIR> d-------- C:\WINDOWS\SxsCaPendDel
2008-03-26 15:24 . 2008-04-14 08:47 16 --a------ C:\WINDOWS\popcinfo.dat
2008-03-26 14:54 . 2008-03-26 14:57 <DIR> d-------- C:\Program Files\Bejeweled 2 Deluxe
2008-03-26 14:54 . 2008-03-26 14:54 720,896 --a------ C:\WINDOWS\iun6002ev.exe
2008-03-26 14:27 . 2008-03-26 14:54 69 --a------ C:\WINDOWS\NeroDigital.ini
2008-03-26 11:30 . 2008-03-26 11:30 <DIR> d-------- C:\Documents and Settings\XP\Application Data\GRETECH
2008-03-26 11:30 . 2008-03-26 11:30 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\GRETECH
2008-03-26 08:57 . 2008-04-09 09:18 564 --a------ C:\WINDOWS\system32\MRT.INI
2008-03-26 08:56 . 2008-03-26 08:56 <DIR> d-------- C:\Program Files\MSXML 4.0
2008-03-25 15:07 . 2008-03-25 15:07 8,464 --a------ C:\WINDOWS\system32\sporder.dll
2008-03-25 14:54 . 2008-03-25 14:54 <DIR> d-------- C:\Program Files\ESET
2008-03-25 14:54 . 2008-03-25 14:54 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\ESET
2008-03-25 11:29 . 2008-03-25 11:29 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\FLEXnet
2008-03-25 11:11 . 2008-03-25 11:11 <DIR> d-------- C:\Program Files\Common Files\Control Panels
2008-03-25 11:09 . 2008-03-25 11:09 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\ALM
2008-03-25 10:56 . 2008-03-25 10:56 <DIR> d-------- C:\Program Files\QuickTime
2008-03-25 10:48 . 2007-02-20 17:04 2,463,976 --a------ C:\WINDOWS\system32\NPSWF32.dll
2008-03-25 10:48 . 2007-02-20 17:04 190,696 --a------ C:\WINDOWS\system32\NPSWF32_FlashUtil.exe
2008-03-25 10:41 . 2008-03-25 10:41 <DIR> d-------- C:\Program Files\Bonjour
2008-03-25 10:37 . 2008-03-25 10:37 <DIR> d-------- C:\Program Files\Common Files\Macrovision Shared
2008-03-25 10:27 . 2008-03-25 10:27 <DIR> d-------- C:\Documents and Settings\XP\Application Data\Nero
2008-03-25 10:23 . 2008-03-25 10:23 <DIR> d-------- C:\Program Files\Nero
2008-03-25 10:23 . 2008-03-28 10:42 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Nero
2008-03-25 10:01 . 2008-03-25 10:03 <DIR> d-------- C:\Program Files\TIS 2008
2008-03-20 14:26 . 2008-03-20 14:26 0 --a------ C:\WINDOWS\nsreg.dat

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-25 12:56 --------- d-----w C:\Documents and Settings\All Users\Application Data\Avira
2008-03-25 09:13 --------- d-----w C:\Program Files\Common Files\Adobe
2008-02-22 08:05 --------- d-----w C:\Program Files\Common Files\Autodesk Shared
2008-02-22 08:05 --------- d-----w C:\Program Files\Autodesk
2008-02-22 08:05 --------- d-----w C:\Program Files\AutoCAD 2005
2008-02-22 08:04 --------- d-----w C:\Program Files\AnswerWorks 4.0
2008-02-22 08:00 --------- d-----w C:\Documents and Settings\XP\Application Data\Autodesk
2008-02-22 08:00 --------- d-----w C:\Documents and Settings\All Users\Application Data\Autodesk
2008-02-20 10:11 33,800 ----a-w C:\WINDOWS\system32\drivers\epfwtdir.sys
2008-02-20 10:02 29,704 ----a-w C:\WINDOWS\system32\drivers\easdrv.sys
2008-02-20 10:01 39,944 ----a-w C:\WINDOWS\system32\drivers\eamon.sys
.

((((((((((((((((((((((((((((( snapshot@2008-04-09_14.42.10.73 )))))))))))))))))))))))))))))))))))))))))
.
+ 2007-07-12 23:28:55 765,952 ----a-w C:\WINDOWS\$hf_mig$\KB938127-IE7\SP2QFE\vgx.dll
+ 2007-03-06 01:22:36 14,048 ----a-w C:\WINDOWS\$hf_mig$\KB938127-IE7\spmsg.dll
+ 2007-03-06 01:22:41 213,216 ----a-w C:\WINDOWS\$hf_mig$\KB938127-IE7\spuninst.exe
+ 2007-03-06 01:22:34 22,752 ----a-w C:\WINDOWS\$hf_mig$\KB938127-IE7\update\spcustom.dll
+ 2007-03-06 01:22:59 716,000 ----a-w C:\WINDOWS\$hf_mig$\KB938127-IE7\update\update.exe
+ 2007-03-06 01:23:51 371,424 ----a-w C:\WINDOWS\$hf_mig$\KB938127-IE7\update\updspapi.dll
+ 2007-03-06 01:22:41 213,216 -c----w C:\WINDOWS\ie7updates\KB938127-IE7\spuninst\spuninst.exe
+ 2007-03-06 01:23:51 371,424 -c----w C:\WINDOWS\ie7updates\KB938127-IE7\spuninst\updspapi.dll
+ 2007-08-14 01:54:10 765,952 -c----w C:\WINDOWS\ie7updates\KB938127-IE7\vgx.dll
- 2007-08-14 01:54:10 765,952 -c--a-w C:\WINDOWS\system32\dllcache\VGX.dll
+ 2007-07-12 23:31:54 765,952 -c--a-w C:\WINDOWS\system32\dllcache\vgx.dll
- 2006-09-07 00:43:16 14,048 ------w C:\WINDOWS\system32\spmsg.dll
+ 2007-03-06 01:22:36 14,048 ------w C:\WINDOWS\system32\spmsg.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2007-07-27 14:00 15360]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe" [ ]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 18:24 1694208]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATICCC"="C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe" [2006-05-10 12:12 90112]
"NBKeyScan"="C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe" [ ]
"Acrobat Assistant 8.0"="C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2008-01-11 20:54 623992]
"Adobe_ID0EYTHM"="C:\PROGRA~1\COMMON~1\Adobe\ADOBEV~1\Server\bin\VERSIO~2.EXE" [2007-03-20 17:40 1884160]
"egui"="C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" [2008-02-20 12:06 1443072]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 14:06 40048]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 19:20 866584]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2007-07-27 14:00 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\Common Files\\Adobe\\Adobe Version Cue CS3\\Server\\bin\\VersionCueCS3.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3703:TCP"= 3703:TCP:Adobe Version Cue CS3 Server
"3704:TCP"= 3704:TCP:Adobe Version Cue CS3 Server
"50900:TCP"= 50900:TCP:Adobe Version Cue CS3 Server
"50901:TCP"= 50901:TCP:Adobe Version Cue CS3 Server

R1 epfwtdir;epfwtdir;C:\WINDOWS\system32\DRIVERS\epfwtdir.sys [2008-02-20 12:11]
S0 Btg18;Btg18;C:\WINDOWS\system32\Drivers\Btg18.sys []

.
Contents of the 'Scheduled Tasks' folder
"2008-04-14 05:59:16 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
.
**************************************************************************

catchme 0.3.1351 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, gmer.net
Rootkit scan 2008-04-14 09:03:34
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
.
**************************************************************************
.
Completion time: 2008-04-14 9:06:15 - machine was rebooted
ComboFix-quarantined-files.txt 2008-04-14 07:06:08
ComboFix2.txt 2008-04-11 06:21:59
ComboFix3.txt 2008-04-09 12:42:24
Pre-Run: 230,214,127,616 bytes free
Post-Run: 230,203,351,040 bytes free
.
2008-04-14 05:58:12 --- E O F ---

Posted by helen1:

Open Notepad and copy in the following text:

Driver::
Btg18

Save the file from Notepad to the Desktop as "CFScript"

Drag the saved script/text onto the ComboFix icon as in the picture.
Post the log that is produced at the end of the cleaning/scan in your next reply.

Posted by the original poster:

ComboFix 08-04-08.10 - XP 2008-04-15 8:35:22.4 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1250.1.1033.18.531 [GMT 2:00]
Running from: C:\Documents and Settings\XP\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\XP\Desktop\CFScript.txt
* Created a new restore point
* Resident AV is active


WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
TimedOut: progfile.dat

((((((((((((((((((((((((( Files Created from 2008-03-15 to 2008-04-15 )))))))))))))))))))))))))))))))
.

2008-04-09 15:06 . 2008-04-09 15:06 <DIR> d-------- C:\VundoFix Backups
2008-04-09 14:15 . 2008-04-09 14:15 <DIR> d-------- C:\WINDOWS\system32\sl-SI
2008-04-09 13:53 . 2008-03-01 15:06 6,066,176 -----c--- C:\WINDOWS\system32\dllcache\ieframe.dll
2008-04-09 13:53 . 2007-07-01 05:31 2,455,488 -----c--- C:\WINDOWS\system32\dllcache\ieapfltr.dat
2008-04-09 13:53 . 2007-07-01 05:36 991,232 -----c--- C:\WINDOWS\system32\dllcache\ieframe.dll.mui
2008-04-09 13:53 . 2008-03-01 15:06 459,264 -----c--- C:\WINDOWS\system32\dllcache\msfeeds.dll
2008-04-09 13:53 . 2008-03-01 15:06 383,488 -----c--- C:\WINDOWS\system32\dllcache\ieapfltr.dll
2008-04-09 13:53 . 2008-03-01 15:06 267,776 -----c--- C:\WINDOWS\system32\dllcache\iertutil.dll
2008-04-09 13:53 . 2008-03-01 15:06 63,488 -----c--- C:\WINDOWS\system32\dllcache\icardie.dll
2008-04-09 13:53 . 2008-03-01 15:06 52,224 -----c--- C:\WINDOWS\system32\dllcache\msfeedsbs.dll
2008-04-09 13:53 . 2008-02-22 12:00 13,824 -----c--- C:\WINDOWS\system32\dllcache\ieudinit.exe
2008-04-04 13:10 . 2008-04-04 13:10 <DIR> d-------- C:\Program Files\Trend Micro
2008-04-04 09:44 . 2008-04-04 09:44 <DIR> d-------- C:\Program Files\Windows Defender
2008-04-04 08:55 . 2008-04-04 08:55 1,823 --a------ C:\WINDOWS\mozver.dat
2008-04-04 08:09 . 2008-04-04 08:13 <DIR> d-------- C:\WINDOWS\BDOSCAN8
2008-04-01 10:44 . 2008-04-01 10:44 <DIR> d-------- C:\Program Files\Lavasoft
2008-04-01 10:44 . 2008-04-01 10:44 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-04-01 10:44 . 2008-04-01 10:45 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-03-28 10:43 . 2008-03-31 09:11 <DIR> d-------- C:\WINDOWS\SxsCaPendDel
2008-03-26 15:24 . 2008-04-14 14:40 16 --a------ C:\WINDOWS\popcinfo.dat
2008-03-26 14:54 . 2008-03-26 14:57 <DIR> d-------- C:\Program Files\Bejeweled 2 Deluxe
2008-03-26 14:54 . 2008-03-26 14:54 720,896 --a------ C:\WINDOWS\iun6002ev.exe
2008-03-26 14:27 . 2008-03-26 14:54 69 --a------ C:\WINDOWS\NeroDigital.ini
2008-03-26 11:30 . 2008-03-26 11:30 <DIR> d-------- C:\Documents and Settings\XP\Application Data\GRETECH
2008-03-26 11:30 . 2008-03-26 11:30 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\GRETECH
2008-03-26 08:57 . 2008-04-09 09:18 564 --a------ C:\WINDOWS\system32\MRT.INI
2008-03-26 08:56 . 2008-03-26 08:56 <DIR> d-------- C:\Program Files\MSXML 4.0
2008-03-25 15:07 . 2008-03-25 15:07 8,464 --a------ C:\WINDOWS\system32\sporder.dll
2008-03-25 14:54 . 2008-03-25 14:54 <DIR> d-------- C:\Program Files\ESET
2008-03-25 14:54 . 2008-03-25 14:54 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\ESET
2008-03-25 11:29 . 2008-03-25 11:29 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\FLEXnet
2008-03-25 11:11 . 2008-03-25 11:11 <DIR> d-------- C:\Program Files\Common Files\Control Panels
2008-03-25 11:09 . 2008-03-25 11:09 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\ALM
2008-03-25 10:56 . 2008-03-25 10:56 <DIR> d-------- C:\Program Files\QuickTime
2008-03-25 10:48 . 2007-02-20 17:04 2,463,976 --a------ C:\WINDOWS\system32\NPSWF32.dll
2008-03-25 10:48 . 2007-02-20 17:04 190,696 --a------ C:\WINDOWS\system32\NPSWF32_FlashUtil.exe
2008-03-25 10:41 . 2008-03-25 10:41 <DIR> d-------- C:\Program Files\Bonjour
2008-03-25 10:37 . 2008-03-25 10:37 <DIR> d-------- C:\Program Files\Common Files\Macrovision Shared
2008-03-25 10:27 . 2008-03-25 10:27 <DIR> d-------- C:\Documents and Settings\XP\Application Data\Nero
2008-03-25 10:23 . 2008-03-25 10:23 <DIR> d-------- C:\Program Files\Nero
2008-03-25 10:23 . 2008-03-28 10:42 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Nero
2008-03-25 10:01 . 2008-03-25 10:03 <DIR> d-------- C:\Program Files\TIS 2008
2008-03-20 14:26 . 2008-03-20 14:26 0 --a------ C:\WINDOWS\nsreg.dat

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-25 12:56 --------- d-----w C:\Documents and Settings\All Users\Application Data\Avira
2008-03-25 09:13 --------- d-----w C:\Program Files\Common Files\Adobe
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys
2008-03-01 13:06 826,368 ----a-w C:\WINDOWS\system32\wininet.dll
2008-02-22 08:05 --------- d-----w C:\Program Files\Common Files\Autodesk Shared
2008-02-22 08:05 --------- d-----w C:\Program Files\Autodesk
2008-02-22 08:05 --------- d-----w C:\Program Files\AutoCAD 2005
2008-02-22 08:04 --------- d-----w C:\Program Files\AnswerWorks 4.0
2008-02-22 08:00 --------- d-----w C:\Documents and Settings\XP\Application Data\Autodesk
2008-02-22 08:00 --------- d-----w C:\Documents and Settings\All Users\Application Data\Autodesk
2008-02-20 10:11 33,800 ----a-w C:\WINDOWS\system32\drivers\epfwtdir.sys
2008-02-20 10:02 29,704 ----a-w C:\WINDOWS\system32\drivers\easdrv.sys
2008-02-20 10:01 39,944 ----a-w C:\WINDOWS\system32\drivers\eamon.sys
2008-02-20 06:51 282,624 ----a-w C:\WINDOWS\system32\SET9B76.tmp
2008-02-20 06:51 282,624 ----a-w C:\WINDOWS\system32\gdi32.dll
2008-02-20 06:51 282,624 ------w C:\WINDOWS\system32\SETC3E7.tmp
2008-02-20 05:32 45,568 ----a-w C:\WINDOWS\system32\SET9B05.tmp
2008-02-20 05:32 45,568 ----a-w C:\WINDOWS\system32\dnsrslvr.dll
2008-02-20 05:32 45,568 ------w C:\WINDOWS\system32\SETC3DF.tmp
2008-02-20 05:32 148,992 ----a-w C:\WINDOWS\system32\SET9B06.tmp
2008-02-20 05:32 148,992 ------w C:\WINDOWS\system32\SETC3E0.tmp
2008-02-16 22:29 3,059,712 ----a-w C:\WINDOWS\system32\SET9B93.tmp
2008-02-16 22:29 3,059,712 ------w C:\WINDOWS\system32\SETC3F5.tmp
2008-02-16 08:59 659,456 ----a-w C:\WINDOWS\system32\SET9B8A.tmp
2008-02-16 08:59 659,456 ------w C:\WINDOWS\system32\SETC3F1.tmp
2008-02-16 08:59 615,936 ----a-w C:\WINDOWS\system32\SET9B8B.tmp
2008-02-16 08:59 615,936 ------w C:\WINDOWS\system32\SETC3F2.tmp
2008-02-16 08:59 474,112 ----a-w C:\WINDOWS\system32\SET9B8C.tmp
2008-02-16 08:59 474,112 ------w C:\WINDOWS\system32\SETC3F3.tmp
2008-02-16 08:59 1,494,528 ----a-w C:\WINDOWS\system32\SET9B8D.tmp
2008-02-16 08:59 1,494,528 ------w C:\WINDOWS\system32\SETC3F4.tmp
2008-02-16 08:59 1,023,488 ----a-w C:\WINDOWS\system32\SET9B9D.tmp
2008-02-16 08:59 1,023,488 ------w C:\WINDOWS\system32\SETC3F7.tmp
2008-02-15 09:06 351,744 ----a-w C:\WINDOWS\system32\SETC3F8.tmp
2008-02-15 09:06 351,744 ----a-w C:\WINDOWS\system32\SET9BA0.tmp
.

((((((((((((((((((((((((((((( snapshot@2008-04-09_14.42.10.73 )))))))))))))))))))))))))))))))))))))))))
.
+ 2007-07-12 23:28:55 765,952 ----a-w C:\WINDOWS\$hf_mig$\KB938127-IE7\SP2QFE\vgx.dll
+ 2007-03-06 01:22:36 14,048 ----a-w C:\WINDOWS\$hf_mig$\KB938127-IE7\spmsg.dll
+ 2007-03-06 01:22:41 213,216 ----a-w C:\WINDOWS\$hf_mig$\KB938127-IE7\spuninst.exe
+ 2007-03-06 01:22:34 22,752 ----a-w C:\WINDOWS\$hf_mig$\KB938127-IE7\update\spcustom.dll
+ 2007-03-06 01:22:59 716,000 ----a-w C:\WINDOWS\$hf_mig$\KB938127-IE7\update\update.exe
+ 2007-03-06 01:23:51 371,424 ----a-w C:\WINDOWS\$hf_mig$\KB938127-IE7\update\updspapi.dll
+ 2007-03-06 01:22:41 213,216 -c----w C:\WINDOWS\ie7updates\KB938127-IE7\spuninst\spuninst.exe
+ 2007-03-06 01:23:51 371,424 -c----w C:\WINDOWS\ie7updates\KB938127-IE7\spuninst\updspapi.dll
+ 2007-08-14 01:54:10 765,952 -c----w C:\WINDOWS\ie7updates\KB938127-IE7\vgx.dll
- 2007-08-14 01:54:10 765,952 -c--a-w C:\WINDOWS\system32\dllcache\VGX.dll
+ 2007-07-12 23:31:54 765,952 -c--a-w C:\WINDOWS\system32\dllcache\vgx.dll
- 2006-09-07 00:43:16 14,048 ------w C:\WINDOWS\system32\spmsg.dll
+ 2007-03-06 01:22:36 14,048 ------w C:\WINDOWS\system32\spmsg.dll
+ 2007-11-30 12:44:58 282,624 ----a-w C:\WINDOWS\system32\spool\drivers\color\MXF_SDK_GenericContainer_DV_r.4.1.1.223.dll
+ 2007-11-30 12:44:58 151,552 ----a-w C:\WINDOWS\system32\spool\drivers\color\MXF_SDK_GenericContainer_MPEG_ESAudio_r.4.1.1.223.dll
+ 2007-11-30 12:44:56 401,408 ----a-w C:\WINDOWS\system32\spool\drivers\color\MXF_SDK_GenericContainer_Wave_r.4.1.1.223.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2007-07-27 14:00 15360]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe" [ ]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 18:24 1694208]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATICCC"="C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe" [2006-05-10 12:12 90112]
"NBKeyScan"="C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe" [ ]
"Acrobat Assistant 8.0"="C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2008-01-11 20:54 623992]
"Adobe_ID0EYTHM"="C:\PROGRA~1\COMMON~1\Adobe\ADOBEV~1\Server\bin\VERSIO~2.EXE" [2007-03-20 17:40 1884160]
"egui"="C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" [2008-02-20 12:06 1443072]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 14:06 40048]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 19:20 866584]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2007-07-27 14:00 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\Common Files\\Adobe\\Adobe Version Cue CS3\\Server\\bin\\VersionCueCS3.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3703:TCP"= 3703:TCP:Adobe Version Cue CS3 Server
"3704:TCP"= 3704:TCP:Adobe Version Cue CS3 Server
"50900:TCP"= 50900:TCP:Adobe Version Cue CS3 Server
"50901:TCP"= 50901:TCP:Adobe Version Cue CS3 Server

R1 epfwtdir;epfwtdir;C:\WINDOWS\system32\DRIVERS\epfwtdir.sys [2008-02-20 12:11]
S0 Btg18;Btg18;C:\WINDOWS\system32\Drivers\Btg18.sys []

.
Contents of the 'Scheduled Tasks' folder
"2008-04-15 05:56:49 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
.
**************************************************************************

catchme 0.3.1351 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, gmer.net
Rootkit scan 2008-04-15 08:37:53
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-04-15 8:38:29
ComboFix-quarantined-files.txt 2008-04-15 06:38:24
ComboFix2.txt 2008-04-14 07:06:16
ComboFix3.txt 2008-04-11 06:21:59
ComboFix4.txt 2008-04-09 12:42:24
Pre-Run: 229,611,831,296 bytes free
Post-Run: 229,600,989,184 bytes free
.
2008-04-14 05:58:12 --- E O F ---

offline
  • helen1  Male
  • Anti Malware Fighter
    Rank 2
  • Master teacher
  • Joined: 27 Aug 2005
  • Posts: 8620
  • Location: Novi Beograd

Scan the computer with GMER and post the log so we can check that there are no rootkits...

Do the following:
Download the file gmer.zip from this link and save it to the Desktop.
Unzip it into a folder.

Double-click gmer.exe to start: select the Rootkit/Malware tab at the top.
Click Scan.
When the scan is finished, click the Copy button below - this will save it to the Clipboard.
Use Paste in Notepad to transfer it as text. Save that text from Notepad as file1.txt.
Repeat the same with the Autostart tab. Save that text from Notepad as file2.txt.

Attach the files to your post.

offline
  • Joined: 04 Apr 2008
  • Posts: 15

Here, I did the following scans.


offline
  • helen1  Male
  • Anti Malware Fighter
    Rank 2
  • Master teacher
  • Joined: 27 Aug 2005
  • Posts: 8620
  • Location: Novi Beograd

Download RegASSASSIN.

Double-click to run the program and paste the following into the text field:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Btg18

Click the Delete button.
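The reason for this last step is visible in the ComboFix log above: the line `S0 Btg18;Btg18;C:\WINDOWS\system32\Drivers\Btg18.sys []` is a boot-start driver whose file was already removed (empty brackets where ComboFix normally prints a timestamp and size), but whose service registration under HKLM\SYSTEM\CurrentControlSet\Services survived. The script below is an added example, not part of this thread and not code from ComboFix, GMER or RegASSASSIN: it parses ComboFix-style service lines, flags boot/system-start drivers with no file behind them and random-looking driver names of the Btg18.sys kind, and prints the registry key that would need to be deleted. The reading of the `R1`/`S0` prefix (running/stopped plus the service's Start value) and of the empty brackets as "file not found" is my interpretation of the log format; the third sample line is constructed.

```python
import re

# Shape of a ComboFix "Reg Loading Points" service line, as it appears in the
# log above. Reading of the prefix is my assumption, documented here:
#   <R|S><start> <service>;<display name>;<image path> [<timestamp> <size>]
# R = running, S = stopped; the digit is the service's Start value
# (0 boot, 1 system, 2 auto, 3 demand). Empty brackets "[]" mean ComboFix
# found no file at the image path, i.e. the service is registered but orphaned.
SERVICE_LINE = re.compile(
    r"^(?P<state>[RS])(?P<start>[0-3])\s+"
    r"(?P<name>[^;]+);(?P<display>[^;]*);(?P<path>[^\[]+?)\s*"
    r"\[(?P<meta>[^\]]*)\]\s*$"
)

# Random-looking driver file names of the kind seen in this thread (Btg18.sys,
# Cua13.sys, ...): three letters followed by two digits.
RANDOM_NAME = re.compile(r"^[A-Za-z]{3}\d{2}\.sys$")

# Constructed sample: the two service lines from the log above plus one
# made-up demand-start service with a missing file, to show it is not flagged.
SAMPLE_LOG = r"""
R1 epfwtdir;epfwtdir;C:\WINDOWS\system32\DRIVERS\epfwtdir.sys [2008-02-20 12:11]
S0 Btg18;Btg18;C:\WINDOWS\system32\Drivers\Btg18.sys []
S3 Example;Example Service;C:\Program Files\Example\svc.exe []
""".strip().splitlines()


def parse_service_line(line):
    """Return a dict for a service line, or None for any other log line."""
    m = SERVICE_LINE.match(line.strip())
    if not m:
        return None
    entry = m.groupdict()
    entry["start"] = int(entry["start"])
    entry["path"] = entry["path"].strip()
    # Timestamp/size present -> the file was found on disk.
    entry["file_present"] = bool(entry["meta"].strip())
    return entry


def classify(entry):
    """List the reasons an entry deserves attention (empty list if none)."""
    reasons = []
    # A boot- or system-start driver with no file behind it is an orphaned
    # registration: the file was removed, the service key was not.
    if entry["start"] <= 1 and not entry["file_present"]:
        reasons.append("boot/system-start driver whose image file is missing")
    basename = entry["path"].rsplit("\\", 1)[-1]
    if RANDOM_NAME.match(basename):
        reasons.append("random-looking driver name")
    return reasons


def find_suspicious_services(log_lines):
    """Map service name -> reasons, for every service line that is flagged."""
    findings = {}
    for line in log_lines:
        entry = parse_service_line(line)
        if entry is None:
            continue
        reasons = classify(entry)
        if reasons:
            findings[entry["name"]] = reasons
    return findings


def service_key(name):
    """Registry key holding the service registration; for Btg18 this is the
    key the RegASSASSIN step in the thread deletes."""
    return r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services" + "\\" + name


if __name__ == "__main__":
    for name, reasons in find_suspicious_services(SAMPLE_LOG).items():
        print(name)
        for r in reasons:
            print("  -", r)
        print("  key to remove:", service_key(name))
```

Run against the sample, only Btg18 is reported (on both counts), epfwtdir is left alone because its file is present, and the demand-start example is left alone because a missing demand-start image is not loaded at boot. The same parser can be pointed at a saved ComboFix log to triage the whole services section at once.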
