MyCity » Ambulanta -> Arhiva Ambulante » Antichrist problem

Antichrist problem

Napisano na dan: 3.6.2008
1

Antichrist problem
Sledeća strana Pagination

Idi na vrh

Poslao: 03 Jun 2008 20:24
Idi na vrh
offline
  • Pridružio: 03 Jun 2008
  • Poruke: 18

Logfile of HijackThis v1.99.1
Scan saved at 8:16:52 PM, on 6/3/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\CDBurnerXP\NMSAccessU.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\Explorer.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\UPHClean\uphclean.exe
C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Conexant\Adsl\dslstat.exe
C:\Program Files\Conexant\Adsl\dslagent.exe
C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\Msmsgs.exe
C:\Documents and Settings\All Users\Application Data\U3\U3Launcher\LaunchU3.exe
C:\Program Files\Eset\nod32.exe
C:\Program Files\ESET\nod32kui.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Korisnik\Desktop\New Folder\TR3.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = C:\WINDOWS\system32\blank.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = C:\WINDOWS\system32\blank.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer [Day of judgment]
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
F2 - REG:system.ini: Shell=Explorer.exe shell.exe
F2 - REG:system.ini: UserInit=userinit.exe,sys.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O2 - BHO: PDFCreator Toolbar Helper - {C451C08A-EC37-45DF-AAAD-18B51AB5E837} - C:\Program Files\PDFCreator Toolbar\v3.0.0.0\PDFCreator_Toolbar.dll
O3 - Toolbar: PDFCreator Toolbar - {31CF9EBE-5755-4A1D-AC25-2834D952D9B4} - C:\Program Files\PDFCreator Toolbar\v3.0.0.0\PDFCreator_Toolbar.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -startup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [vxds] C:\WINDOWS\vxds.exe
O4 - HKLM\..\Run: [DSLSTATEXE] C:\Program Files\Conexant\Adsl\dslstat.exe icon
O4 - HKLM\..\Run: [DSLAGENTEXE] C:\Program Files\Conexant\Adsl\dslagent.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [TrojanScanner] C:\Program Files\Trojan Remover\Trjscan.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\Msmsgs.exe" /background
O4 - HKCU\..\Run: [blank] C:\WINDOWS\system32\blank.htm
O4 - HKCU\..\Run: [hlps] C:\WINDOWS\Help\hlps.exe
O4 - Global Startup: LaunchU3.exe.lnk = ?
O8 - Extra context menu item: &ieSpell Options - res://C:\Program Files\ieSpell\iespell.dll/SPELLOPTION.HTM
O8 - Extra context menu item: Check &Spelling - res://C:\Program Files\ieSpell\iespell.dll/SPELLCHECK.HTM
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Lookup on Merriam Webster - file://C:\Program Files\ieSpell\Merriam Webster.HTM
O8 - Extra context menu item: Lookup on Wikipedia - file://C:\Program Files\ieSpell\wikipedia.HTM
O9 - Extra button: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: (no name) - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell Options - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) -
O17 - HKLM\System\CCS\Services\Tcpip\..\{2F5F163C-C64E-49AE-9A1D-C395C8E2679F}: NameServer = 77.105.0.18 77.105.0.19
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: NMSAccessU - Unknown owner - C:\Program Files\CDBurnerXP\NMSAccessU.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe


Isti problem kao i kod ostalih sa antichrist virusom....procitao sam ih sve ali ne bih se zajebavao sam jer mi je komp. vrlo potreban sa svim informacijama koje su na njemu tako da bih Vas zamolio za pomoc oko ovoga........

Poslao: 03 Jun 2008 20:32
Idi na vrh
offline
  • dr_Bora  Male
  • Anti Malware Fighter
    Rank 2
  • Pridružio: 24 Jul 2007
  • Poruke: 12280
  • Gde živiš: Höganäs, SE

Poz...


Skini ComboFix sa jedne od sledecih adresa na Desktop:
http://download.bleepingcomputer.com/sUBs/ComboFix.exe
http://www.forospyware.com/sUBs/ComboFix.exe
http://subs.geekstogo.com/ComboFix.exe

Startuj ga i ne diraj prozor programa dok skenira.
Sledi uputstva na ekranu. Kada zavrsi pojavice se log (C:\ComboFix.txt) koji ces nam ovde iskopirati.

Poslao: 03 Jun 2008 21:23
Idi na vrh
offline
  • Pridružio: 03 Jun 2008
  • Poruke: 18

ComboFix 08-06-01.6 - Korisnik 2008-06-03 20:41:54.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1014 [GMT 2:00]
Running from: C:\Documents and Settings\Korisnik\Desktop\ComboFix.exe
* Created a new restore point
* Resident AV is active


WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
C:\Documents and Settings\Korisnik\ravmonlog
C:\WINDOWS\system32\lsprst7.dll
C:\WINDOWS\system32\msvcsv60.dll
C:\WINDOWS\system32\ssprs.dll

----- BITS: Possible infected sites -----

hxxp://www.hhdsoftware.com
.
((((((((((((((((((((((((( Files Created from 2008-05-03 to 2008-06-03 )))))))))))))))))))))))))))))))
.

2008-06-03 20:00 . 2008-06-03 20:00 1,160 --a------ C:\WINDOWS\mozver.dat
2008-06-03 19:31 . 2006-05-25 15:52 162,304 --a------ C:\WINDOWS\system32\ztvunrar36.dll
2008-06-03 19:31 . 2003-02-02 20:06 153,088 --a------ C:\WINDOWS\system32\UNRAR3.dll
2008-06-03 19:31 . 2005-08-26 01:50 77,312 --a------ C:\WINDOWS\system32\ztvunace26.dll
2008-06-03 19:31 . 2006-06-19 13:01 69,632 --a------ C:\WINDOWS\system32\ztvcabinet.dll
2008-06-03 19:30 . 2008-06-03 19:31 <DIR> d-------- C:\Program Files\Trojan Remover
2008-06-03 19:30 . 2008-06-03 19:30 <DIR> d-------- C:\Documents and Settings\Korisnik\Application Data\Simply Super Software
2008-06-03 19:30 . 2008-06-03 19:30 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Simply Super Software
2008-06-03 19:05 . 2008-06-03 19:05 <DIR> d-------- C:\Program Files\Conexant
2008-06-03 19:05 . 2005-09-06 17:10 173,494 --a------ C:\WINDOWS\system32\drivers\mon_ac_w.bin
2008-06-03 19:05 . 2005-09-21 19:31 158,592 --a------ C:\WINDOWS\system32\drivers\gwausb.sys
2008-06-03 19:05 . 2005-08-24 20:48 25,600 --a------ C:\WINDOWS\system32\CoInst.dll
2008-06-03 19:05 . 2008-02-18 20:08 17,886 --------- C:\WINDOWS\wwdslcfg.ini
2008-06-03 19:05 . 2006-12-17 20:05 12,288 --------- C:\WINDOWS\system32\CplEng.dll
2008-06-03 13:28 . 2008-06-03 13:28 4,190 --ahs---- C:\WINDOWS\system32\OEMLOGO.BMP
2008-06-03 13:28 . 2008-06-03 13:28 392 --ahs---- C:\WINDOWS\system32\OEMINFO.INI
2008-06-02 18:04 . 2004-08-03 23:10 25,600 --a------ C:\WINDOWS\system32\drivers\hidbth.sys
2008-05-24 14:13 . 2008-05-24 14:14 <DIR> d-------- C:\Program Files\Boxen Die Championship Simulation
2008-05-23 18:54 . 2008-05-23 18:54 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\U3
2008-05-13 23:00 . 2008-05-13 23:00 <DIR> d-------- C:\Program Files\Common Files\ACD Systems
2008-05-13 23:00 . 2008-05-13 23:00 <DIR> d-------- C:\Program Files\ACD Systems
2008-05-13 23:00 . 2008-05-13 23:00 <DIR> d-------- C:\Documents and Settings\Korisnik\Application Data\ACD Systems
2008-05-13 23:00 . 2008-05-13 23:00 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\ACD Systems
2008-05-13 22:59 . 2008-05-13 22:59 9,856 --a------ C:\WINDOWS\system32\drivers\pfc.sys
2008-05-13 20:45 . 2008-05-13 23:05 <DIR> d-------- C:\Program Files\802.11g USB Wireless Network Driver and Utility HW.14 V1.0.0
2008-05-13 00:13 . 2008-05-13 00:13 3,284 --a------ C:\WINDOWS\system32\ANIWZCS{1A2B4670-D00A-4921-BC0C-6CFF2B944097}
2008-05-12 22:21 . 2008-05-23 19:00 <DIR> d-------- C:\Program Files\Folder Lock
2008-05-12 22:21 . 2004-05-10 12:42 110,592 --a------ C:\WINDOWS\system32\suppdll.dll
2008-05-12 22:21 . 2007-02-07 19:50 77,824 --a------ C:\WINDOWS\system32\FLKill.exe
2008-05-12 22:21 . 2008-05-12 22:22 35,363 --a------ C:\WINDOWS\system32\windrvNT.sys
2008-05-12 22:15 . 2008-05-12 22:15 <DIR> d-------- C:\Documents and Settings\Korisnik\Application Data\URSoft
2008-05-12 22:15 . 2008-05-12 22:15 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\TEMP
2008-05-12 22:01 . 2008-05-12 22:01 3,284 --a------ C:\WINDOWS\system32\ANIWZCS{F4A8BB08-ED05-438D-AFC9-7B712C1296DF}
2008-05-12 00:59 . 2008-05-12 00:59 <DIR> d-------- C:\Program Files\IDM Computer Solutions
2008-05-12 00:59 . 2008-05-12 00:59 <DIR> d-------- C:\Documents and Settings\Korisnik\Application Data\IDMComp
2008-05-11 23:44 . 2008-05-11 23:44 720,896 --a------ C:\WINDOWS\iun6002.exe
2008-05-11 22:57 . 2008-05-11 22:57 <DIR> d-------- C:\Program Files\HHD Software
2008-05-11 22:52 . 2001-05-11 13:18 420,240 --a------ C:\WINDOWS\system32\mpg4c32.dll
2008-05-11 22:52 . 2001-03-26 04:41 245,760 --a------ C:\WINDOWS\system32\mp4sds32.ax
2008-05-10 18:13 . 2008-05-10 18:13 <DIR> d-------- C:\Program Files\Nero
2008-05-10 18:08 . 2008-05-10 18:09 <DIR> d-------- C:\Program Files\Ahead
2008-05-10 17:04 . 2008-05-12 21:35 3,284 --a------ C:\WINDOWS\system32\ANIWZCS{14801787-DD4C-44EB-AB8A-863A7FF9E8B2}
2008-05-07 13:23 . 2008-05-07 13:23 268 --ah----- C:\sqmdata09.sqm
2008-05-07 13:23 . 2008-05-07 13:23 244 --ah----- C:\sqmnoopt09.sqm
2008-05-05 16:16 . 2008-05-05 16:16 1,025 --a------ C:\WINDOWS\system32\sysprs7.tgz
2008-05-05 16:16 . 2008-05-05 16:16 1,025 --a------ C:\WINDOWS\system32\sysprs7.dll
2008-05-05 16:16 . 2008-05-05 16:16 1,025 --a------ C:\WINDOWS\system32\clauth2.dll
2008-05-05 16:16 . 2008-05-05 16:16 1,025 --a------ C:\WINDOWS\system32\clauth1.dll
2008-05-05 16:16 . 2008-05-05 16:16 219 --a------ C:\WINDOWS\system32\lsprst7.tgz
2008-05-05 16:16 . 2008-05-05 16:16 87 --a------ C:\WINDOWS\system32\ssprs.tgz
2008-05-05 16:14 . 2008-05-05 16:14 <DIR> d-------- C:\WINDOWS\Rainbow Technologies
2008-05-05 16:14 . 2008-05-05 16:18 <DIR> d-------- C:\Program Files\InfinaDyne
2008-05-05 16:14 . 2002-12-26 14:20 28,672 --a------ C:\WINDOWS\system32\CALAUNCH.EXE
2008-05-05 16:14 . 2002-12-26 14:20 24,576 --a------ C:\WINDOWS\system32\CAITF32.DLL
2008-05-03 01:37 . 2008-05-03 01:37 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\MSScanAppDataDir

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-26 13:19 --------- d-----w C:\Documents and Settings\Korisnik\Application Data\U3
2008-05-22 13:32 1,708 ----a-w C:\Program Files\uninstal.log
2008-05-13 21:05 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-05-13 19:29 --------- d-----w C:\Program Files\Waves
2008-05-13 19:29 --------- d-----w C:\Program Files\vanBasco's Karaoke Player
2008-05-13 19:29 --------- d-----w C:\Program Files\PC Konfigurator
2008-05-13 19:29 --------- d-----w C:\Program Files\Nexus
2008-05-13 19:29 --------- d-----w C:\Program Files\JetAudio
2008-05-13 19:29 --------- d-----w C:\Program Files\CDBurnerXP
2008-05-11 20:24 --------- d-----w C:\Documents and Settings\Korisnik\Application Data\Sonic Foundry
2008-05-10 16:13 --------- d-----w C:\Program Files\Common Files\Ahead
2008-05-07 19:26 --------- d-----w C:\Program Files\WinASO
2008-04-21 12:01 --------- d-----w C:\Program Files\ChangeIt!
2008-04-20 12:28 --------- d-----w C:\Documents and Settings\All Users\Application Data\DVD Shrink
2008-04-20 12:27 --------- d-----w C:\Program Files\DVD Shrink
2008-04-13 16:05 --------- d-----w C:\Program Files\Microsoft Games
2008-04-08 18:42 --------- d-----w C:\Program Files\D-Link
2008-04-04 20:22 --------- d-----w C:\Program Files\YAMAHA
2008-02-26 21:47 0 ---ha-w C:\Documents and Settings\Korisnik\Application Data\.CAA735D26659B183.sys
2008-02-26 21:34 0 ---ha-w C:\Documents and Settings\Korisnik\Application Data\.CAA735D2ABB8C36B.sys
2008-02-26 21:33 0 ---ha-w C:\Documents and Settings\Korisnik\Application Data\.CAA735D2EEEA39DE.sys
.

------- Sigcheck -------

2004-08-04 01:56 14336 8f078ae4ed187aaabc0a305146de6716 C:\WINDOWS\system32\svchost.exe
2004-08-04 01:56 14336 8f078ae4ed187aaabc0a305146de6716 C:\WINDOWS\system32\dllcache\svchost.exe

2005-10-13 22:36 577024 1800f293bccc8ede8a70e12b88d80036 C:\WINDOWS\system32\user32.dll
2005-10-13 22:36 577024 1800f293bccc8ede8a70e12b88d80036 C:\WINDOWS\system32\dllcache\user32.dll

2004-08-04 01:56 82944 2ed0b7f12a60f90092081c50fa0ec2b2 C:\WINDOWS\system32\ws2_32.dll
2004-08-04 01:56 82944 2ed0b7f12a60f90092081c50fa0ec2b2 C:\WINDOWS\system32\dllcache\ws2_32.dll

2006-02-19 02:06 360448 5562cc0a47b2aef06d3417b733f3c195 C:\WINDOWS\$NtUninstallKB917953$\tcpip.sys
2006-04-20 14:18 360576 b2220c618b42a2212a59d91ebd6fc4b4 C:\WINDOWS\system32\dllcache\tcpip.sys
2006-04-20 14:18 360576 b2220c618b42a2212a59d91ebd6fc4b4 C:\WINDOWS\system32\drivers\tcpip.sys

2004-08-04 01:56 502272 01c3346c241652f43aed8e2149881bfe C:\WINDOWS\system32\winlogon.exe
2004-08-04 01:56 502272 01c3346c241652f43aed8e2149881bfe C:\WINDOWS\system32\dllcache\winlogon.exe

2004-08-04 00:14 182912 558635d3af1c7546d26067d5d9b6959e C:\WINDOWS\system32\dllcache\ndis.sys
2004-08-04 00:14 182912 558635d3af1c7546d26067d5d9b6959e C:\WINDOWS\system32\drivers\ndis.sys

2004-08-04 00:00 29056 4448006b6bc60e6c027932cfc38d6855 C:\WINDOWS\system32\dllcache\ip6fw.sys
2004-08-04 00:00 29056 4448006b6bc60e6c027932cfc38d6855 C:\WINDOWS\system32\drivers\ip6fw.sys

2005-03-01 17:36 2056832 d8aba3eab509627e707a3b14f00fbb6b C:\WINDOWS\$NtUninstallKB909095$\ntkrnlpa.exe
2005-10-12 01:54 2057344 ddbfa4eae9251712f20193dd47b361bd C:\WINDOWS\Driver Cache\i386\ntkrnlpa.exe
2006-03-17 12:22 2057344 bc4cfdd59698904f8a34762ecc7570b4 C:\WINDOWS\system32\ntkrnlpa.exe

2005-03-02 03:04 2179456 28187802b7c368c0d3aef7d4c382aabb C:\WINDOWS\$NtUninstallKB909095$\ntoskrnl.exe
2005-10-12 02:20 2180096 7b69ea89c7b9966bf552a070d97c5013 C:\WINDOWS\Driver Cache\i386\ntoskrnl.exe
2006-02-19 01:47 2180096 c767dcbe9df621f249776c7cf2af47ff C:\WINDOWS\system32\ntoskrnl.exe

2005-10-15 10:07 1032192 45757077a47c68a603a79b03a1a836ab C:\WINDOWS\explorer.exe
2005-10-15 10:07 1032192 45757077a47c68a603a79b03a1a836ab C:\WINDOWS\system32\dllcache\explorer.exe

2004-08-04 01:56 108032 c6ce6eec82f187615d1002bb3bb50ed4 C:\WINDOWS\system32\services.exe
2004-08-04 01:56 108032 c6ce6eec82f187615d1002bb3bb50ed4 C:\WINDOWS\system32\dllcache\services.exe

2004-08-04 01:56 13312 84885f9b82f4d55c6146ebf6065d75d2 C:\WINDOWS\system32\lsass.exe
2004-08-04 01:56 13312 84885f9b82f4d55c6146ebf6065d75d2 C:\WINDOWS\system32\dllcache\lsass.exe

2004-08-04 01:56 15360 24232996a38c0b0cf151c2140ae29fc8 C:\WINDOWS\system32\ctfmon.exe
2004-08-04 01:56 15360 24232996a38c0b0cf151c2140ae29fc8 C:\WINDOWS\system32\dllcache\ctfmon.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 01:56 15360]
"MSMSGS"="C:\Program Files\Messenger\Msmsgs.exe" [2005-08-31 21:27 1658592]
"blank"="C:\WINDOWS\system32\blank.htm" [ ]
"hlps"="C:\WINDOWS\Help\hlps.exe" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-12-05 02:41 8523776]
"nwiz"="nwiz.exe" [2007-12-05 02:41 1626112 C:\WINDOWS\system32\nwiz.exe]
"PCSuiteTrayApplication"="C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe" [2007-06-18 16:10 271360]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2007-12-05 02:41 81920]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 11:50 155648]
"NWEReboot"="" []
"vxds"="C:\WINDOWS\vxds.exe" [ ]
"DSLSTATEXE"="C:\Program Files\Conexant\Adsl\dslstat.exe" [2006-12-17 20:05 376832]
"DSLAGENTEXE"="C:\Program Files\Conexant\Adsl\dslagent.exe" [2006-12-17 19:50 90112]
"MSConfig"="C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe" [2005-10-15 14:41 169984]
"TrojanScanner"="C:\Program Files\Trojan Remover\Trjscan.exe" [2008-05-21 14:00 877136]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Nokia.PCSync"="C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe" [2007-06-19 11:17 1241088]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
LaunchU3.exe.lnk - C:\WINDOWS\Installer\{D8E363A7-88B7-446D-B2C0-E26CE4DC8E54}\_2cd672ae.exe [2008-05-23 18:54:54 1078]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"ForceClassicControlPanel"= 1 (0x1)
"NoSMConfigurePrograms"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"LegalNoticeCaption"="[Antichrist]"
"LegalNoticeText"="[Day of judgment]"
"LogonPrompt"="[Day of judgment]"
"Welcome"="[Antichrist]"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.X264"= x264vfw.dll
"VIDC.3iv2"= 3ivxVfWCodec.dll
"VIDC.VP31"= vp31vfw.dll
"msacm.l3fhg"= mp3fhg.acm

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^802.11g USB Wireless Network Utility .lnk]
backup=C:\WINDOWS\pss\802.11g USB Wireless Network Utility .lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
backup=C:\WINDOWS\pss\Adobe Gamma Loader.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Empty.pif]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^PowerMenu.lnk]
backup=C:\WINDOWS\pss\PowerMenu.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Korisnik^Start Menu^Programs^Startup^Adobe Gamma.lnk]
backup=C:\WINDOWS\pss\Adobe Gamma.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Korisnik^Start Menu^Programs^Startup^windows.pif]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ANIWZCS2Service]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools]
--a------ 2007-08-16 13:24 167368 C:\Program Files\DAEMON Tools\daemon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Load]
C:\WINDOWS\media\wma.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--a------ 2005-08-31 21:27 1658592 C:\Program Files\Messenger\Msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
--a------ 2006-07-29 20:34 5354792 C:\Program Files\MSN Messenger\msnmsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCSuiteTrayApplication]
--a------ 2007-06-18 16:10 271360 C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RavAV]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2006-09-07 16:51 49263 C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a------ 2008-02-22 02:32 180269 C:\Program Files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender]
--a------ 2006-11-03 19:20 866584 C:\Program Files\Windows Defender\MSASCui.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\MSN Messenger\\msncall.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Sorenson Media\\Sorenson Squeeze\\Squeeze.exe"=
"C:\\Program Files\\Messenger\\Msmsgs.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"13476:TCP"= 13476:TCP:NortonAV
"14044:TCP"= 14044:TCP:NortonAV
"12210:TCP"= 12210:TCP:NortonAV

R0 MPRIFL;MPRIFL;C:\WINDOWS\system32\DRIVERS\MPRIFL.SYS [2007-12-13 21:13]
R2 NMSAccessU;NMSAccessU;C:\Program Files\CDBurnerXP\NMSAccessU.exe [2008-03-09 12:20]
R3 CLEDX;Team H2O CLEDX service;C:\WINDOWS\system32\DRIVERS\cledx.sys [2005-05-09 21:08]
S0 d343port;d343port;C:\WINDOWS\system32\DRIVERS\d343port.sys []
S0 NVStrap;NVStrap;C:\WINDOWS\system32\drivers\NVStrap.sys [2007-10-30 20:05]
S3 cpuz128;cpuz128;C:\DOCUME~1\Korisnik\LOCALS~1\Temp\pcwiz32.sys []
S3 RTLWUSB;802.11g USB2.0 WLAN Dongle;C:\WINDOWS\system32\DRIVERS\RTL8187.sys []
S3 SynasUSB;SynasUSB;C:\WINDOWS\system32\drivers\SynasUSB.sys [2005-11-03 13:17]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a5aa56c3-d58d-11dc-840f-b16994d92e73}]
\Shell\AutoOpen\command - .\MSOCache\90000804-6000-11D3-8CFE-0150048383C0\KB915866.exe
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL .\MSOCache\90000804-6000-11D3-8CFE-0150048383C0\KB915866.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{af71831d-28b6-11dd-a268-e1a36688570a}]
\Shell\AutoRun\command - I:\tfk8.exe
\Shell\explore\Command - I:\tfk8.exe
\Shell\open\Command - I:\tfk8.exe

*Newly Created Service* - CATCHME
.
Contents of the 'Scheduled Tasks' folder
"2008-05-22 09:39:00 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-06-03 17:10:20 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, gmer.net
Rootkit scan 2008-06-03 20:46:13
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


disk error: C:\WINDOWS\system32\drivers\
disk error: C:\DOCUME~1\Korisnik\LOCALS~1\Temp\
disk error: C:\WINDOWS\TEMP\
disk error: C:\WINDOWS\system32\
disk error: C:\WINDOWS\
disk error: C:\WINDOWS\system32\wbem\
disk error: C:\Program Files\Common Files\
disk error: C:\Documents and Settings\Korisnik\Application Data\
disk error: C:\
disk error: C:\Program Files\
disk error: C:\Documents and Settings\Korisnik\Local Settings\Application Data\
disk error: C:\WINDOWS\Fonts\
disk error: C:\WINDOWS\Downloaded Program Files\
disk error: C:\Documents and Settings\Korisnik\Start Menu\Programs\Startup\
disk error: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\

scan completed successfully
hidden files:

**************************************************************************
.
Completion time: 2008-06-03 20:46:37
ComboFix-quarantined-files.txt 2008-06-03 18:46:35

Pre-Run: 1,162,305,536 bytes free
Post-Run: 1,922,023,424 bytes free

270

Dopuna: 03 Jun 2008 21:23

ComboFix 08-06-01.6 - Korisnik 2008-06-03 21:13:05.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.999 [GMT 2:00]
Running from: C:\Documents and Settings\Korisnik\Desktop\ComboFix.exe
* Resident AV is active


WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((( Files Created from 2008-05-03 to 2008-06-03 )))))))))))))))))))))))))))))))
.

2008-06-03 20:00 . 2008-06-03 20:00 1,160 --a------ C:\WINDOWS\mozver.dat
2008-06-03 19:31 . 2006-05-25 15:52 162,304 --a------ C:\WINDOWS\system32\ztvunrar36.dll
2008-06-03 19:31 . 2003-02-02 20:06 153,088 --a------ C:\WINDOWS\system32\UNRAR3.dll
2008-06-03 19:31 . 2005-08-26 01:50 77,312 --a------ C:\WINDOWS\system32\ztvunace26.dll
2008-06-03 19:31 . 2006-06-19 13:01 69,632 --a------ C:\WINDOWS\system32\ztvcabinet.dll
2008-06-03 19:30 . 2008-06-03 19:31 <DIR> d-------- C:\Program Files\Trojan Remover
2008-06-03 19:30 . 2008-06-03 19:30 <DIR> d-------- C:\Documents and Settings\Korisnik\Application Data\Simply Super Software
2008-06-03 19:30 . 2008-06-03 19:30 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Simply Super Software
2008-06-03 19:05 . 2008-06-03 19:05 <DIR> d-------- C:\Program Files\Conexant
2008-06-03 19:05 . 2005-09-06 17:10 173,494 --a------ C:\WINDOWS\system32\drivers\mon_ac_w.bin
2008-06-03 19:05 . 2005-09-21 19:31 158,592 --a------ C:\WINDOWS\system32\drivers\gwausb.sys
2008-06-03 19:05 . 2005-08-24 20:48 25,600 --a------ C:\WINDOWS\system32\CoInst.dll
2008-06-03 19:05 . 2008-02-18 20:08 17,886 --------- C:\WINDOWS\wwdslcfg.ini
2008-06-03 19:05 . 2006-12-17 20:05 12,288 --------- C:\WINDOWS\system32\CplEng.dll
2008-06-03 13:28 . 2008-06-03 13:28 4,190 --ahs---- C:\WINDOWS\system32\OEMLOGO.BMP
2008-06-03 13:28 . 2008-06-03 13:28 392 --ahs---- C:\WINDOWS\system32\OEMINFO.INI
2008-06-02 18:04 . 2004-08-03 23:10 25,600 --a------ C:\WINDOWS\system32\drivers\hidbth.sys
2008-05-24 14:13 . 2008-05-24 14:14 <DIR> d-------- C:\Program Files\Boxen Die Championship Simulation
2008-05-23 18:54 . 2008-05-23 18:54 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\U3
2008-05-13 23:00 . 2008-05-13 23:00 <DIR> d-------- C:\Program Files\Common Files\ACD Systems
2008-05-13 23:00 . 2008-05-13 23:00 <DIR> d-------- C:\Program Files\ACD Systems
2008-05-13 23:00 . 2008-05-13 23:00 <DIR> d-------- C:\Documents and Settings\Korisnik\Application Data\ACD Systems
2008-05-13 23:00 . 2008-05-13 23:00 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\ACD Systems
2008-05-13 22:59 . 2008-05-13 22:59 9,856 --a------ C:\WINDOWS\system32\drivers\pfc.sys
2008-05-13 20:45 . 2008-05-13 23:05 <DIR> d-------- C:\Program Files\802.11g USB Wireless Network Driver and Utility HW.14 V1.0.0
2008-05-13 00:13 . 2008-05-13 00:13 3,284 --a------ C:\WINDOWS\system32\ANIWZCS{1A2B4670-D00A-4921-BC0C-6CFF2B944097}
2008-05-12 22:21 . 2008-05-23 19:00 <DIR> d-------- C:\Program Files\Folder Lock
2008-05-12 22:21 . 2004-05-10 12:42 110,592 --a------ C:\WINDOWS\system32\suppdll.dll
2008-05-12 22:21 . 2007-02-07 19:50 77,824 --a------ C:\WINDOWS\system32\FLKill.exe
2008-05-12 22:21 . 2008-05-12 22:22 35,363 --a------ C:\WINDOWS\system32\windrvNT.sys
2008-05-12 22:15 . 2008-05-12 22:15 <DIR> d-------- C:\Documents and Settings\Korisnik\Application Data\URSoft
2008-05-12 22:15 . 2008-05-12 22:15 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\TEMP
2008-05-12 22:01 . 2008-05-12 22:01 3,284 --a------ C:\WINDOWS\system32\ANIWZCS{F4A8BB08-ED05-438D-AFC9-7B712C1296DF}
2008-05-12 00:59 . 2008-05-12 00:59 <DIR> d-------- C:\Program Files\IDM Computer Solutions
2008-05-12 00:59 . 2008-05-12 00:59 <DIR> d-------- C:\Documents and Settings\Korisnik\Application Data\IDMComp
2008-05-11 23:44 . 2008-05-11 23:44 720,896 --a------ C:\WINDOWS\iun6002.exe
2008-05-11 22:57 . 2008-05-11 22:57 <DIR> d-------- C:\Program Files\HHD Software
2008-05-11 22:52 . 2001-05-11 13:18 420,240 --a------ C:\WINDOWS\system32\mpg4c32.dll
2008-05-11 22:52 . 2001-03-26 04:41 245,760 --a------ C:\WINDOWS\system32\mp4sds32.ax
2008-05-10 18:13 . 2008-05-10 18:13 <DIR> d-------- C:\Program Files\Nero
2008-05-10 18:08 . 2008-05-10 18:09 <DIR> d-------- C:\Program Files\Ahead
2008-05-10 17:04 . 2008-05-12 21:35 3,284 --a------ C:\WINDOWS\system32\ANIWZCS{14801787-DD4C-44EB-AB8A-863A7FF9E8B2}
2008-05-07 13:23 . 2008-05-07 13:23 268 --ah----- C:\sqmdata09.sqm
2008-05-07 13:23 . 2008-05-07 13:23 244 --ah----- C:\sqmnoopt09.sqm
2008-05-05 16:16 . 2008-05-05 16:16 1,025 --a------ C:\WINDOWS\system32\sysprs7.tgz
2008-05-05 16:16 . 2008-05-05 16:16 1,025 --a------ C:\WINDOWS\system32\sysprs7.dll
2008-05-05 16:16 . 2008-05-05 16:16 1,025 --a------ C:\WINDOWS\system32\clauth2.dll
2008-05-05 16:16 . 2008-05-05 16:16 1,025 --a------ C:\WINDOWS\system32\clauth1.dll
2008-05-05 16:16 . 2008-05-05 16:16 219 --a------ C:\WINDOWS\system32\lsprst7.tgz
2008-05-05 16:16 . 2008-05-05 16:16 87 --a------ C:\WINDOWS\system32\ssprs.tgz
2008-05-05 16:14 . 2008-05-05 16:14 <DIR> d-------- C:\WINDOWS\Rainbow Technologies
2008-05-05 16:14 . 2008-05-05 16:18 <DIR> d-------- C:\Program Files\InfinaDyne
2008-05-05 16:14 . 2002-12-26 14:20 28,672 --a------ C:\WINDOWS\system32\CALAUNCH.EXE
2008-05-05 16:14 . 2002-12-26 14:20 24,576 --a------ C:\WINDOWS\system32\CAITF32.DLL
2008-05-03 01:37 . 2008-05-03 01:37 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\MSScanAppDataDir

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-26 13:19 --------- d-----w C:\Documents and Settings\Korisnik\Application Data\U3
2008-05-22 13:32 1,708 ----a-w C:\Program Files\uninstal.log
2008-05-13 21:05 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-05-13 19:29 --------- d-----w C:\Program Files\Waves
2008-05-13 19:29 --------- d-----w C:\Program Files\vanBasco's Karaoke Player
2008-05-13 19:29 --------- d-----w C:\Program Files\PC Konfigurator
2008-05-13 19:29 --------- d-----w C:\Program Files\Nexus
2008-05-13 19:29 --------- d-----w C:\Program Files\JetAudio
2008-05-13 19:29 --------- d-----w C:\Program Files\CDBurnerXP
2008-05-11 20:24 --------- d-----w C:\Documents and Settings\Korisnik\Application Data\Sonic Foundry
2008-05-10 16:13 --------- d-----w C:\Program Files\Common Files\Ahead
2008-05-07 19:26 --------- d-----w C:\Program Files\WinASO
2008-04-21 12:01 --------- d-----w C:\Program Files\ChangeIt!
2008-04-20 12:28 --------- d-----w C:\Documents and Settings\All Users\Application Data\DVD Shrink
2008-04-20 12:27 --------- d-----w C:\Program Files\DVD Shrink
2008-04-13 16:05 --------- d-----w C:\Program Files\Microsoft Games
2008-04-08 18:42 --------- d-----w C:\Program Files\D-Link
2008-04-04 20:22 --------- d-----w C:\Program Files\YAMAHA
2008-02-26 21:47 0 ---ha-w C:\Documents and Settings\Korisnik\Application Data\.CAA735D26659B183.sys
2008-02-26 21:34 0 ---ha-w C:\Documents and Settings\Korisnik\Application Data\.CAA735D2ABB8C36B.sys
2008-02-26 21:33 0 ---ha-w C:\Documents and Settings\Korisnik\Application Data\.CAA735D2EEEA39DE.sys
.

------- Sigcheck -------

2004-08-04 01:56 14336 8f078ae4ed187aaabc0a305146de6716 C:\WINDOWS\system32\svchost.exe
2004-08-04 01:56 14336 8f078ae4ed187aaabc0a305146de6716 C:\WINDOWS\system32\dllcache\svchost.exe

2005-10-13 22:36 577024 1800f293bccc8ede8a70e12b88d80036 C:\WINDOWS\system32\user32.dll
2005-10-13 22:36 577024 1800f293bccc8ede8a70e12b88d80036 C:\WINDOWS\system32\dllcache\user32.dll

2004-08-04 01:56 82944 2ed0b7f12a60f90092081c50fa0ec2b2 C:\WINDOWS\system32\ws2_32.dll
2004-08-04 01:56 82944 2ed0b7f12a60f90092081c50fa0ec2b2 C:\WINDOWS\system32\dllcache\ws2_32.dll

2006-02-19 02:06 360448 5562cc0a47b2aef06d3417b733f3c195 C:\WINDOWS\$NtUninstallKB917953$\tcpip.sys
2006-04-20 14:18 360576 b2220c618b42a2212a59d91ebd6fc4b4 C:\WINDOWS\system32\dllcache\tcpip.sys
2006-04-20 14:18 360576 b2220c618b42a2212a59d91ebd6fc4b4 C:\WINDOWS\system32\drivers\tcpip.sys

2004-08-04 01:56 502272 01c3346c241652f43aed8e2149881bfe C:\WINDOWS\system32\winlogon.exe
2004-08-04 01:56 502272 01c3346c241652f43aed8e2149881bfe C:\WINDOWS\system32\dllcache\winlogon.exe

2004-08-04 00:14 182912 558635d3af1c7546d26067d5d9b6959e C:\WINDOWS\system32\dllcache\ndis.sys
2004-08-04 00:14 182912 558635d3af1c7546d26067d5d9b6959e C:\WINDOWS\system32\drivers\ndis.sys

2004-08-04 00:00 29056 4448006b6bc60e6c027932cfc38d6855 C:\WINDOWS\system32\dllcache\ip6fw.sys
2004-08-04 00:00 29056 4448006b6bc60e6c027932cfc38d6855 C:\WINDOWS\system32\drivers\ip6fw.sys

2005-03-01 17:36 2056832 d8aba3eab509627e707a3b14f00fbb6b C:\WINDOWS\$NtUninstallKB909095$\ntkrnlpa.exe
2005-10-12 01:54 2057344 ddbfa4eae9251712f20193dd47b361bd C:\WINDOWS\Driver Cache\i386\ntkrnlpa.exe
2006-03-17 12:22 2057344 bc4cfdd59698904f8a34762ecc7570b4 C:\WINDOWS\system32\ntkrnlpa.exe

2005-03-02 03:04 2179456 28187802b7c368c0d3aef7d4c382aabb C:\WINDOWS\$NtUninstallKB909095$\ntoskrnl.exe
2005-10-12 02:20 2180096 7b69ea89c7b9966bf552a070d97c5013 C:\WINDOWS\Driver Cache\i386\ntoskrnl.exe
2006-02-19 01:47 2180096 c767dcbe9df621f249776c7cf2af47ff C:\WINDOWS\system32\ntoskrnl.exe

2005-10-15 10:07 1032192 45757077a47c68a603a79b03a1a836ab C:\WINDOWS\explorer.exe
2005-10-15 10:07 1032192 45757077a47c68a603a79b03a1a836ab C:\WINDOWS\system32\dllcache\explorer.exe

2004-08-04 01:56 108032 c6ce6eec82f187615d1002bb3bb50ed4 C:\WINDOWS\system32\services.exe
2004-08-04 01:56 108032 c6ce6eec82f187615d1002bb3bb50ed4 C:\WINDOWS\system32\dllcache\services.exe

2004-08-04 01:56 13312 84885f9b82f4d55c6146ebf6065d75d2 C:\WINDOWS\system32\lsass.exe
2004-08-04 01:56 13312 84885f9b82f4d55c6146ebf6065d75d2 C:\WINDOWS\system32\dllcache\lsass.exe

2004-08-04 01:56 15360 24232996a38c0b0cf151c2140ae29fc8 C:\WINDOWS\system32\ctfmon.exe
2004-08-04 01:56 15360 24232996a38c0b0cf151c2140ae29fc8 C:\WINDOWS\system32\dllcache\ctfmon.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 01:56 15360]
"MSMSGS"="C:\Program Files\Messenger\Msmsgs.exe" [2005-08-31 21:27 1658592]
"blank"="C:\WINDOWS\system32\blank.htm" [ ]
"hlps"="C:\WINDOWS\Help\hlps.exe" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-12-05 02:41 8523776]
"nwiz"="nwiz.exe" [2007-12-05 02:41 1626112 C:\WINDOWS\system32\nwiz.exe]
"PCSuiteTrayApplication"="C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe" [2007-06-18 16:10 271360]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2007-12-05 02:41 81920]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 11:50 155648]
"NWEReboot"="" []
"vxds"="C:\WINDOWS\vxds.exe" [ ]
"DSLSTATEXE"="C:\Program Files\Conexant\Adsl\dslstat.exe" [2006-12-17 20:05 376832]
"DSLAGENTEXE"="C:\Program Files\Conexant\Adsl\dslagent.exe" [2006-12-17 19:50 90112]
"MSConfig"="C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe" [2005-10-15 14:41 169984]
"TrojanScanner"="C:\Program Files\Trojan Remover\Trjscan.exe" [2008-05-21 14:00 877136]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Nokia.PCSync"="C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe" [2007-06-19 11:17 1241088]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
LaunchU3.exe.lnk - C:\WINDOWS\Installer\{D8E363A7-88B7-446D-B2C0-E26CE4DC8E54}\_2cd672ae.exe [2008-05-23 18:54:54 1078]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"ForceClassicControlPanel"= 1 (0x1)
"NoSMConfigurePrograms"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"LegalNoticeCaption"="[Antichrist]"
"LegalNoticeText"="[Day of judgment]"
"LogonPrompt"="[Day of judgment]"
"Welcome"="[Antichrist]"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.X264"= x264vfw.dll
"VIDC.3iv2"= 3ivxVfWCodec.dll
"VIDC.VP31"= vp31vfw.dll
"msacm.l3fhg"= mp3fhg.acm

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^802.11g USB Wireless Network Utility .lnk]
backup=C:\WINDOWS\pss\802.11g USB Wireless Network Utility .lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
backup=C:\WINDOWS\pss\Adobe Gamma Loader.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Empty.pif]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^PowerMenu.lnk]
backup=C:\WINDOWS\pss\PowerMenu.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Korisnik^Start Menu^Programs^Startup^Adobe Gamma.lnk]
backup=C:\WINDOWS\pss\Adobe Gamma.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Korisnik^Start Menu^Programs^Startup^windows.pif]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ANIWZCS2Service]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools]
--a------ 2007-08-16 13:24 167368 C:\Program Files\DAEMON Tools\daemon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Load]
C:\WINDOWS\media\wma.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--a------ 2005-08-31 21:27 1658592 C:\Program Files\Messenger\Msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
--a------ 2006-07-29 20:34 5354792 C:\Program Files\MSN Messenger\msnmsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCSuiteTrayApplication]
--a------ 2007-06-18 16:10 271360 C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RavAV]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2006-09-07 16:51 49263 C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a------ 2008-02-22 02:32 180269 C:\Program Files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender]
--a------ 2006-11-03 19:20 866584 C:\Program Files\Windows Defender\MSASCui.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\MSN Messenger\\msncall.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Sorenson Media\\Sorenson Squeeze\\Squeeze.exe"=
"C:\\Program Files\\Messenger\\Msmsgs.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"13476:TCP"= 13476:TCP:NortonAV
"14044:TCP"= 14044:TCP:NortonAV
"12210:TCP"= 12210:TCP:NortonAV

R0 MPRIFL;MPRIFL;C:\WINDOWS\system32\DRIVERS\MPRIFL.SYS [2007-12-13 21:13]
R2 NMSAccessU;NMSAccessU;C:\Program Files\CDBurnerXP\NMSAccessU.exe [2008-03-09 12:20]
R3 CLEDX;Team H2O CLEDX service;C:\WINDOWS\system32\DRIVERS\cledx.sys [2005-05-09 21:08]
S0 d343port;d343port;C:\WINDOWS\system32\DRIVERS\d343port.sys []
S0 NVStrap;NVStrap;C:\WINDOWS\system32\drivers\NVStrap.sys [2007-10-30 20:05]
S3 cpuz128;cpuz128;C:\DOCUME~1\Korisnik\LOCALS~1\Temp\pcwiz32.sys []
S3 RTLWUSB;802.11g USB2.0 WLAN Dongle;C:\WINDOWS\system32\DRIVERS\RTL8187.sys []
S3 SynasUSB;SynasUSB;C:\WINDOWS\system32\drivers\SynasUSB.sys [2005-11-03 13:17]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a5aa56c3-d58d-11dc-840f-b16994d92e73}]
\Shell\AutoOpen\command - .\MSOCache\90000804-6000-11D3-8CFE-0150048383C0\KB915866.exe
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL .\MSOCache\90000804-6000-11D3-8CFE-0150048383C0\KB915866.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{af71831d-28b6-11dd-a268-e1a36688570a}]
\Shell\AutoRun\command - I:\tfk8.exe
\Shell\explore\Command - I:\tfk8.exe
\Shell\open\Command - I:\tfk8.exe

*Newly Created Service* - CATCHME
.
Contents of the 'Scheduled Tasks' folder
"2008-05-22 09:39:00 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-06-03 17:10:20 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, gmer.net
Rootkit scan 2008-06-03 21:14:35
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


disk error: C:\DOCUME~1\Korisnik\LOCALS~1\Temp\
disk error: C:\WINDOWS\system32\drivers\
disk error: C:\WINDOWS\TEMP\
disk error: C:\WINDOWS\system32\
disk error: C:\WINDOWS\
disk error: C:\WINDOWS\system32\wbem\
disk error: C:\Program Files\Common Files\
disk error: C:\Documents and Settings\Korisnik\Application Data\
disk error: C:\
disk error: C:\Program Files\
disk error: C:\WINDOWS\Fonts\
disk error: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
disk error: C:\WINDOWS\Downloaded Program Files\
disk error: C:\Documents and Settings\Korisnik\Start Menu\Programs\Startup\
disk error: C:\Documents and Settings\Korisnik\Local Settings\Application Data\

scan completed successfully
hidden files:

**************************************************************************
.
Completion time: 2008-06-03 21:14:57
ComboFix-quarantined-files.txt 2008-06-03 19:14:56
ComboFix2.txt 2008-06-03 18:46:37

Pre-Run: 1,910,751,232 bytes free
Post-Run: 1,898,815,488 bytes free

259

Poslao: 03 Jun 2008 21:35
Idi na vrh
offline
  • dr_Bora  Male
  • Anti Malware Fighter
    Rank 2
  • Pridružio: 24 Jul 2007
  • Poruke: 12280
  • Gde živiš: Höganäs, SE

Nije bilo potrebe za ponovnim pokretanjem ComboFix-a.



U logu postoji tragovi infekcija koje se prenose putem USB flash drive-ova - ukoliko imaš neki takav uređaj, priključi ga u toku narednog postupka.


Arrow Preuzmi program Flash_Disinfector.

program se pokreće dvoklikom na Flash_Disinfector.exe
kada se pojavi poruka sa obaveštenjem, potrebno je priključiti inficirane USB flash drive-ove (pri tome držati pritisnut taster Shift kako bi se izbegao autoplay)
kliknuti na OK i sačekati da se proces završi
kada se pojavi poruka Done !!, kliknuti na OK.



-------------------------------------------------------------------------------------



Arrow Zatim... Otvoriti Notepad i iskopirati sledeci tekst:

File::
C:\WINDOWS\system32\OEMLOGO.BMP
C:\WINDOWS\system32\OEMINFO.INI

Registry::
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"blank"=-
"hlps"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"vxds"=-
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"LegalNoticeCaption"=-
"LegalNoticeText"=-
"LogonPrompt"=-
"Welcome"=-
[-HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Empty.pif]
[-HKLM\~\startupfolder\C:^Documents and Settings^Korisnik^Start Menu^Programs^Startup^windows.pif]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Load]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RavAV]
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"13476:TCP"=-
"14044:TCP"=-
"12210:TCP"=-
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a5aa56c3-d58d-11dc-840f-b16994d92e73}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{af71831d-28b6-11dd-a268-e1a36688570a}]




Snimiti na Desktop fajl iz Notepada kao "CFScript"




Prevuci snimljeni skript/tekst na ComboFix ikonicu kao na slici.
Postaviti u sledecoj poruci log koji bude bio napravljen na kraju ciscenja/skeniranja.

Poslao: 03 Jun 2008 22:13
Idi na vrh
offline
  • Pridružio: 03 Jun 2008
  • Poruke: 18

ComboFix 08-06-01.6 - Korisnik 2008-06-03 22:05:36.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1010 [GMT 2:00]
Running from: C:\Documents and Settings\Korisnik\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Korisnik\Desktop\CFScript.txt
* Created a new restore point
* Resident AV is active


WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\WINDOWS\system32\OEMINFO.INI
C:\WINDOWS\system32\OEMLOGO.BMP
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\OEMINFO.INI
C:\WINDOWS\system32\OEMLOGO.BMP

.
((((((((((((((((((((((((( Files Created from 2008-05-03 to 2008-06-03 )))))))))))))))))))))))))))))))
.

2008-06-03 20:00 . 2008-06-03 20:00 1,160 --a------ C:\WINDOWS\mozver.dat
2008-06-03 19:31 . 2006-05-25 15:52 162,304 --a------ C:\WINDOWS\system32\ztvunrar36.dll
2008-06-03 19:31 . 2003-02-02 20:06 153,088 --a------ C:\WINDOWS\system32\UNRAR3.dll
2008-06-03 19:31 . 2005-08-26 01:50 77,312 --a------ C:\WINDOWS\system32\ztvunace26.dll
2008-06-03 19:31 . 2006-06-19 13:01 69,632 --a------ C:\WINDOWS\system32\ztvcabinet.dll
2008-06-03 19:30 . 2008-06-03 19:31 <DIR> d-------- C:\Program Files\Trojan Remover
2008-06-03 19:30 . 2008-06-03 19:30 <DIR> d-------- C:\Documents and Settings\Korisnik\Application Data\Simply Super Software
2008-06-03 19:30 . 2008-06-03 19:30 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Simply Super Software
2008-06-03 19:05 . 2008-06-03 19:05 <DIR> d-------- C:\Program Files\Conexant
2008-06-03 19:05 . 2005-09-06 17:10 173,494 --a------ C:\WINDOWS\system32\drivers\mon_ac_w.bin
2008-06-03 19:05 . 2005-09-21 19:31 158,592 --a------ C:\WINDOWS\system32\drivers\gwausb.sys
2008-06-03 19:05 . 2005-08-24 20:48 25,600 --a------ C:\WINDOWS\system32\CoInst.dll
2008-06-03 19:05 . 2008-02-18 20:08 17,886 --------- C:\WINDOWS\wwdslcfg.ini
2008-06-03 19:05 . 2006-12-17 20:05 12,288 --------- C:\WINDOWS\system32\CplEng.dll
2008-06-02 18:04 . 2004-08-03 23:10 25,600 --a------ C:\WINDOWS\system32\drivers\hidbth.sys
2008-05-24 14:13 . 2008-05-24 14:14 <DIR> d-------- C:\Program Files\Boxen Die Championship Simulation
2008-05-23 18:54 . 2008-05-23 18:54 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\U3
2008-05-13 23:00 . 2008-05-13 23:00 <DIR> d-------- C:\Program Files\Common Files\ACD Systems
2008-05-13 23:00 . 2008-05-13 23:00 <DIR> d-------- C:\Program Files\ACD Systems
2008-05-13 23:00 . 2008-05-13 23:00 <DIR> d-------- C:\Documents and Settings\Korisnik\Application Data\ACD Systems
2008-05-13 23:00 . 2008-05-13 23:00 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\ACD Systems
2008-05-13 22:59 . 2008-05-13 22:59 9,856 --a------ C:\WINDOWS\system32\drivers\pfc.sys
2008-05-13 20:45 . 2008-05-13 23:05 <DIR> d-------- C:\Program Files\802.11g USB Wireless Network Driver and Utility HW.14 V1.0.0
2008-05-13 00:13 . 2008-05-13 00:13 3,284 --a------ C:\WINDOWS\system32\ANIWZCS{1A2B4670-D00A-4921-BC0C-6CFF2B944097}
2008-05-12 22:21 . 2008-05-23 19:00 <DIR> d-------- C:\Program Files\Folder Lock
2008-05-12 22:21 . 2004-05-10 12:42 110,592 --a------ C:\WINDOWS\system32\suppdll.dll
2008-05-12 22:21 . 2007-02-07 19:50 77,824 --a------ C:\WINDOWS\system32\FLKill.exe
2008-05-12 22:21 . 2008-05-12 22:22 35,363 --a------ C:\WINDOWS\system32\windrvNT.sys
2008-05-12 22:15 . 2008-05-12 22:15 <DIR> d-------- C:\Documents and Settings\Korisnik\Application Data\URSoft
2008-05-12 22:15 . 2008-05-12 22:15 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\TEMP
2008-05-12 22:01 . 2008-05-12 22:01 3,284 --a------ C:\WINDOWS\system32\ANIWZCS{F4A8BB08-ED05-438D-AFC9-7B712C1296DF}
2008-05-12 00:59 . 2008-05-12 00:59 <DIR> d-------- C:\Program Files\IDM Computer Solutions
2008-05-12 00:59 . 2008-05-12 00:59 <DIR> d-------- C:\Documents and Settings\Korisnik\Application Data\IDMComp
2008-05-11 23:44 . 2008-05-11 23:44 720,896 --a------ C:\WINDOWS\iun6002.exe
2008-05-11 22:57 . 2008-05-11 22:57 <DIR> d-------- C:\Program Files\HHD Software
2008-05-11 22:52 . 2001-05-11 13:18 420,240 --a------ C:\WINDOWS\system32\mpg4c32.dll
2008-05-11 22:52 . 2001-03-26 04:41 245,760 --a------ C:\WINDOWS\system32\mp4sds32.ax
2008-05-10 18:13 . 2008-05-10 18:13 <DIR> d-------- C:\Program Files\Nero
2008-05-10 18:08 . 2008-05-10 18:09 <DIR> d-------- C:\Program Files\Ahead
2008-05-10 17:04 . 2008-05-12 21:35 3,284 --a------ C:\WINDOWS\system32\ANIWZCS{14801787-DD4C-44EB-AB8A-863A7FF9E8B2}
2008-05-07 13:23 . 2008-05-07 13:23 268 --ah----- C:\sqmdata09.sqm
2008-05-07 13:23 . 2008-05-07 13:23 244 --ah----- C:\sqmnoopt09.sqm
2008-05-05 16:16 . 2008-05-05 16:16 1,025 --a------ C:\WINDOWS\system32\sysprs7.tgz
2008-05-05 16:16 . 2008-05-05 16:16 1,025 --a------ C:\WINDOWS\system32\sysprs7.dll
2008-05-05 16:16 . 2008-05-05 16:16 1,025 --a------ C:\WINDOWS\system32\clauth2.dll
2008-05-05 16:16 . 2008-05-05 16:16 1,025 --a------ C:\WINDOWS\system32\clauth1.dll
2008-05-05 16:16 . 2008-05-05 16:16 219 --a------ C:\WINDOWS\system32\lsprst7.tgz
2008-05-05 16:16 . 2008-05-05 16:16 87 --a------ C:\WINDOWS\system32\ssprs.tgz
2008-05-05 16:14 . 2008-05-05 16:14 <DIR> d-------- C:\WINDOWS\Rainbow Technologies
2008-05-05 16:14 . 2008-05-05 16:18 <DIR> d-------- C:\Program Files\InfinaDyne
2008-05-05 16:14 . 2002-12-26 14:20 28,672 --a------ C:\WINDOWS\system32\CALAUNCH.EXE
2008-05-05 16:14 . 2002-12-26 14:20 24,576 --a------ C:\WINDOWS\system32\CAITF32.DLL
2008-05-03 01:37 . 2008-05-03 01:37 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\MSScanAppDataDir

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-26 13:19 --------- d-----w C:\Documents and Settings\Korisnik\Application Data\U3
2008-05-22 13:32 1,708 ----a-w C:\Program Files\uninstal.log
2008-05-13 21:05 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-05-13 19:29 --------- d-----w C:\Program Files\Waves
2008-05-13 19:29 --------- d-----w C:\Program Files\vanBasco's Karaoke Player
2008-05-13 19:29 --------- d-----w C:\Program Files\PC Konfigurator
2008-05-13 19:29 --------- d-----w C:\Program Files\Nexus
2008-05-13 19:29 --------- d-----w C:\Program Files\JetAudio
2008-05-13 19:29 --------- d-----w C:\Program Files\CDBurnerXP
2008-05-11 20:24 --------- d-----w C:\Documents and Settings\Korisnik\Application Data\Sonic Foundry
2008-05-10 16:13 --------- d-----w C:\Program Files\Common Files\Ahead
2008-05-07 19:26 --------- d-----w C:\Program Files\WinASO
2008-04-21 12:01 --------- d-----w C:\Program Files\ChangeIt!
2008-04-20 12:28 --------- d-----w C:\Documents and Settings\All Users\Application Data\DVD Shrink
2008-04-20 12:27 --------- d-----w C:\Program Files\DVD Shrink
2008-04-13 16:05 --------- d-----w C:\Program Files\Microsoft Games
2008-04-08 18:42 --------- d-----w C:\Program Files\D-Link
2008-04-04 20:22 --------- d-----w C:\Program Files\YAMAHA
2008-02-26 21:47 0 ---ha-w C:\Documents and Settings\Korisnik\Application Data\.CAA735D26659B183.sys
2008-02-26 21:34 0 ---ha-w C:\Documents and Settings\Korisnik\Application Data\.CAA735D2ABB8C36B.sys
2008-02-26 21:33 0 ---ha-w C:\Documents and Settings\Korisnik\Application Data\.CAA735D2EEEA39DE.sys
.

------- Sigcheck -------

2004-08-04 01:56 14336 8f078ae4ed187aaabc0a305146de6716 C:\WINDOWS\system32\svchost.exe
2004-08-04 01:56 14336 8f078ae4ed187aaabc0a305146de6716 C:\WINDOWS\system32\dllcache\svchost.exe

2005-10-13 22:36 577024 1800f293bccc8ede8a70e12b88d80036 C:\WINDOWS\system32\user32.dll
2005-10-13 22:36 577024 1800f293bccc8ede8a70e12b88d80036 C:\WINDOWS\system32\dllcache\user32.dll

2004-08-04 01:56 82944 2ed0b7f12a60f90092081c50fa0ec2b2 C:\WINDOWS\system32\ws2_32.dll
2004-08-04 01:56 82944 2ed0b7f12a60f90092081c50fa0ec2b2 C:\WINDOWS\system32\dllcache\ws2_32.dll

2006-02-19 02:06 360448 5562cc0a47b2aef06d3417b733f3c195 C:\WINDOWS\$NtUninstallKB917953$\tcpip.sys
2006-04-20 14:18 360576 b2220c618b42a2212a59d91ebd6fc4b4 C:\WINDOWS\system32\dllcache\tcpip.sys
2006-04-20 14:18 360576 b2220c618b42a2212a59d91ebd6fc4b4 C:\WINDOWS\system32\drivers\tcpip.sys

2004-08-04 01:56 502272 01c3346c241652f43aed8e2149881bfe C:\WINDOWS\system32\winlogon.exe
2004-08-04 01:56 502272 01c3346c241652f43aed8e2149881bfe C:\WINDOWS\system32\dllcache\winlogon.exe

2004-08-04 00:14 182912 558635d3af1c7546d26067d5d9b6959e C:\WINDOWS\system32\dllcache\ndis.sys
2004-08-04 00:14 182912 558635d3af1c7546d26067d5d9b6959e C:\WINDOWS\system32\drivers\ndis.sys

2004-08-04 00:00 29056 4448006b6bc60e6c027932cfc38d6855 C:\WINDOWS\system32\dllcache\ip6fw.sys
2004-08-04 00:00 29056 4448006b6bc60e6c027932cfc38d6855 C:\WINDOWS\system32\drivers\ip6fw.sys

2005-03-01 17:36 2056832 d8aba3eab509627e707a3b14f00fbb6b C:\WINDOWS\$NtUninstallKB909095$\ntkrnlpa.exe
2005-10-12 01:54 2057344 ddbfa4eae9251712f20193dd47b361bd C:\WINDOWS\Driver Cache\i386\ntkrnlpa.exe
2006-03-17 12:22 2057344 bc4cfdd59698904f8a34762ecc7570b4 C:\WINDOWS\system32\ntkrnlpa.exe

2005-03-02 03:04 2179456 28187802b7c368c0d3aef7d4c382aabb C:\WINDOWS\$NtUninstallKB909095$\ntoskrnl.exe
2005-10-12 02:20 2180096 7b69ea89c7b9966bf552a070d97c5013 C:\WINDOWS\Driver Cache\i386\ntoskrnl.exe
2006-02-19 01:47 2180096 c767dcbe9df621f249776c7cf2af47ff C:\WINDOWS\system32\ntoskrnl.exe

2005-10-15 10:07 1032192 45757077a47c68a603a79b03a1a836ab C:\WINDOWS\explorer.exe
2005-10-15 10:07 1032192 45757077a47c68a603a79b03a1a836ab C:\WINDOWS\system32\dllcache\explorer.exe

2004-08-04 01:56 108032 c6ce6eec82f187615d1002bb3bb50ed4 C:\WINDOWS\system32\services.exe
2004-08-04 01:56 108032 c6ce6eec82f187615d1002bb3bb50ed4 C:\WINDOWS\system32\dllcache\services.exe

2004-08-04 01:56 13312 84885f9b82f4d55c6146ebf6065d75d2 C:\WINDOWS\system32\lsass.exe
2004-08-04 01:56 13312 84885f9b82f4d55c6146ebf6065d75d2 C:\WINDOWS\system32\dllcache\lsass.exe

2004-08-04 01:56 15360 24232996a38c0b0cf151c2140ae29fc8 C:\WINDOWS\system32\ctfmon.exe
2004-08-04 01:56 15360 24232996a38c0b0cf151c2140ae29fc8 C:\WINDOWS\system32\dllcache\ctfmon.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 01:56 15360]
"MSMSGS"="C:\Program Files\Messenger\Msmsgs.exe" [2005-08-31 21:27 1658592]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-12-05 02:41 8523776]
"nwiz"="nwiz.exe" [2007-12-05 02:41 1626112 C:\WINDOWS\system32\nwiz.exe]
"PCSuiteTrayApplication"="C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe" [2007-06-18 16:10 271360]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2007-12-05 02:41 81920]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 11:50 155648]
"NWEReboot"="" []
"DSLSTATEXE"="C:\Program Files\Conexant\Adsl\dslstat.exe" [2006-12-17 20:05 376832]
"DSLAGENTEXE"="C:\Program Files\Conexant\Adsl\dslagent.exe" [2006-12-17 19:50 90112]
"MSConfig"="C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe" [2005-10-15 14:41 169984]
"TrojanScanner"="C:\Program Files\Trojan Remover\Trjscan.exe" [2008-05-21 14:00 877136]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Nokia.PCSync"="C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe" [2007-06-19 11:17 1241088]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
LaunchU3.exe.lnk - C:\WINDOWS\Installer\{D8E363A7-88B7-446D-B2C0-E26CE4DC8E54}\_2cd672ae.exe [2008-05-23 18:54:54 1078]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"ForceClassicControlPanel"= 1 (0x1)
"NoSMConfigurePrograms"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.X264"= x264vfw.dll
"VIDC.3iv2"= 3ivxVfWCodec.dll
"VIDC.VP31"= vp31vfw.dll
"msacm.l3fhg"= mp3fhg.acm

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^802.11g USB Wireless Network Utility .lnk]
backup=C:\WINDOWS\pss\802.11g USB Wireless Network Utility .lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
backup=C:\WINDOWS\pss\Adobe Gamma Loader.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^PowerMenu.lnk]
backup=C:\WINDOWS\pss\PowerMenu.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Korisnik^Start Menu^Programs^Startup^Adobe Gamma.lnk]
backup=C:\WINDOWS\pss\Adobe Gamma.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ANIWZCS2Service]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools]
--a------ 2007-08-16 13:24 167368 C:\Program Files\DAEMON Tools\daemon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--a------ 2005-08-31 21:27 1658592 C:\Program Files\Messenger\Msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
--a------ 2006-07-29 20:34 5354792 C:\Program Files\MSN Messenger\msnmsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCSuiteTrayApplication]
--a------ 2007-06-18 16:10 271360 C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2006-09-07 16:51 49263 C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a------ 2008-02-22 02:32 180269 C:\Program Files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender]
--a------ 2006-11-03 19:20 866584 C:\Program Files\Windows Defender\MSASCui.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\MSN Messenger\\msncall.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Sorenson Media\\Sorenson Squeeze\\Squeeze.exe"=
"C:\\Program Files\\Messenger\\Msmsgs.exe"=

R0 MPRIFL;MPRIFL;C:\WINDOWS\system32\DRIVERS\MPRIFL.SYS [2007-12-13 21:13]
R2 NMSAccessU;NMSAccessU;C:\Program Files\CDBurnerXP\NMSAccessU.exe [2008-03-09 12:20]
R3 CLEDX;Team H2O CLEDX service;C:\WINDOWS\system32\DRIVERS\cledx.sys [2005-05-09 21:08]
S0 d343port;d343port;C:\WINDOWS\system32\DRIVERS\d343port.sys []
S0 NVStrap;NVStrap;C:\WINDOWS\system32\drivers\NVStrap.sys [2007-10-30 20:05]
S3 cpuz128;cpuz128;C:\DOCUME~1\Korisnik\LOCALS~1\Temp\pcwiz32.sys []
S3 RTLWUSB;802.11g USB2.0 WLAN Dongle;C:\WINDOWS\system32\DRIVERS\RTL8187.sys []
S3 SynasUSB;SynasUSB;C:\WINDOWS\system32\drivers\SynasUSB.sys [2005-11-03 13:17]

*Newly Created Service* - CATCHME
.
Contents of the 'Scheduled Tasks' folder
"2008-05-22 09:39:00 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-06-03 17:10:20 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, gmer.net
Rootkit scan 2008-06-03 22:07:10
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


disk error: C:\WINDOWS\system32\drivers\
disk error: C:\DOCUME~1\Korisnik\LOCALS~1\Temp\
disk error: C:\WINDOWS\TEMP\
disk error: C:\WINDOWS\
disk error: C:\WINDOWS\system32\wbem\
disk error: C:\Program Files\Common Files\
disk error: C:\Documents and Settings\Korisnik\Application Data\
disk error: C:\WINDOWS\system32\
disk error: C:\
disk error: C:\Program Files\
disk error: C:\Documents and Settings\Korisnik\Local Settings\Application Data\
disk error: C:\WINDOWS\Downloaded Program Files\
disk error: C:\WINDOWS\Fonts\
disk error: C:\Documents and Settings\Korisnik\Start Menu\Programs\Startup\
disk error: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\

scan completed successfully
hidden files:

**************************************************************************
.
Completion time: 2008-06-03 22:07:31
ComboFix-quarantined-files.txt 2008-06-03 20:07:29
ComboFix2.txt 2008-06-03 19:14:58
ComboFix3.txt 2008-06-03 18:46:37

Pre-Run: 1,871,785,984 bytes free
Post-Run: 1,863,540,736 bytes free

244

Dopuna: 03 Jun 2008 22:13

tokom skeniranja nista nisam dirao, nod32 mi je nasao neki virus AV-test chini mi se u temp folderu i stavio ga u karantin sam, nije bilo nikakve opcije za brisanje ciscenje ili nesto dr. u nodu.

Poslao: 03 Jun 2008 22:22
Idi na vrh
offline
  • dr_Bora  Male
  • Anti Malware Fighter
    Rank 2
  • Pridružio: 24 Jul 2007
  • Poruke: 12280
  • Gde živiš: Höganäs, SE

Skini sledeći file na Desktop:

https://www.mycity.rs/must-login.png

Dvoklik na njega - kada se pojavi upit, klikni Yes.


-------------------------------------------------------------------------------------



Preuzmi gmer.zip sa ovog linka i sačuvaj na Desktopu.
Raspakuj ga u neki folder.

Dupli klik na gmer.exe za početak: Izaberi Rootkit/Malware Tab na vrhu.
Klikni na Scan.
Kada je skeniranje završeno, klik na Copy dugme ispod - ovo će sačuvati rezultate skeniranja u Clipboard.
Iskoristi opciju Paste u Notepad-u da bi to prebacio u tekst. Snimi taj tekst iz Notepada kao file1.txt.
Ponovi ovo isto sa Autostart Tab-om. Snimi taj tekst iz Notepada kao file2.txt.

Iskoristi opciju Prikači fajl ispod polja za pisanje poruke na forumu, i prikači nam ovde ta dva fajla koja smo malopre snimili.

Poslao: 03 Jun 2008 22:41
Idi na vrh
offline
  • Pridružio: 03 Jun 2008
  • Poruke: 18

mycity.rs/must-login.png

mycity.rs/must-login.png


Evo

Poslao: 03 Jun 2008 22:52
Idi na vrh
offline
  • dr_Bora  Male
  • Anti Malware Fighter
    Rank 2
  • Pridružio: 24 Jul 2007
  • Poruke: 12280
  • Gde živiš: Höganäs, SE

Poslao: 03 Jun 2008 23:11
Idi na vrh
offline
  • Pridružio: 03 Jun 2008
  • Poruke: 18

MAjstor Boro, alal ti kutnjak.......Pobedio si!!!!!!
Sve je ok i sad je opusteno kao kod urologa.....

Ti si nas idol!
Moj burazer i ja

Poslao: 03 Jun 2008 23:18
Idi na vrh
offline
  • dr_Bora  Male
  • Anti Malware Fighter
    Rank 2
  • Pridružio: 24 Jul 2007
  • Poruke: 12280
  • Gde živiš: Höganäs, SE

Smile

poz...

MyCity » Ambulanta -> Arhiva Ambulante » Antichrist problem

Ko je trenutno na forumu
 

Ukupno su 1056 korisnika na forumu :: 41 registrovanih, 9 sakrivenih i 1006 gosta   ::   [ Administrator ] [ Supermoderator ] [ Moderator ] :: Detaljnije

Najviše korisnika na forumu ikad bilo je 3466 - dana 01 Jun 2021 17:07

Korisnici koji su trenutno na forumu:
Korisnici trenutno na forumu: airsuba, amaterSRB, babaroga, bobomicek, bojcistv, Darko8, DeerHunter, djboj, DPera, Haris, ivicasimo, JOntra, kikisp, Konda, kybonacci, lcc, Leonov, mane123, mercedesamg, MiG-29M2, mikrimaus, Milometer, nazgul75, nemkea71, nenad81, novator, procesor, rovac, sabros, sasa87, Sir Budimir, stegonosa, strelac07, trajkoni018, vasa.93, VJ, vladaa012, voja64, zastavnik, Žrnov, šumar bk2