Antivirus pro 2010

2

Antivirus pro 2010

offline
  • Stekss 
  • Novi MyCity građanin
  • Pridružio: 07 Sep 2009
  • Poruke: 13

Uploadovao sam fajl

offline
  • helen1  Male
  • Anti Malware Fighter
    Rank 2
  • Master učitelj
  • Pridružio: 27 Avg 2005
  • Poruke: 8620
  • Gde živiš: Novi Beograd

Otvoriti Notepad i iskopirati sledeci tekst:

File::
c:\windows\system32\sys32_nov.exe
c:\documents and settings\Odrzavanje\sys32_nov.exe
c:\program files\Common Files\somezyh.exe
c:\program files\Common Files\otez.exe
c:\program files\Common Files\sasaluko.db
c:\program files\Common Files\amihiv.lib
c:\program files\Common Files\uvico.lib
c:\program files\Common Files\ihuborehyp.dat
c:\program files\Common Files\ulusecevak.db
c:\program files\settings.dat
c:\documents and settings\All Users\Application Data\ocodac.dat

Folder::
c:\program files\AntivirusPro_2010

Driver::
iguafxuz

Registry::
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"sys32_nov"=-
"braviax"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"sys32_nov"=-
"Antivirus Pro 2010"=-
"braviax"=-

NetSvc::
iguafxuz

Rootkit::
c:\windows\system32\braviax.exe


Snimiti na Desktop fajl iz Notepada kao "CFScript"




Prevuci snimljeni skript/tekst na ComboFix ikonicu kao na slici.
Postaviti u sledecoj poruci log koji bude bio napravljen na kraju ciscenja/skeniranja.

offline
  • Stekss 
  • Novi MyCity građanin
  • Pridružio: 07 Sep 2009
  • Poruke: 13

ComboFix 09-09-06.04 - Odrzavanje 07.09.2009 23:33.5.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.446.93 [GMT 2:00]
Running from: c:\documents and settings\Odrzavanje\Desktop\1234.exe
Command switches used :: c:\documents and settings\Odrzavanje\Desktop\CFScript.txt
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\AntivirusPro_2010
c:\program files\AntivirusPro_2010\AntivirusPro_2010.cfg
c:\program files\AntivirusPro_2010\AntivirusPro_2010.exe
c:\program files\AntivirusPro_2010\AVEngn.dll
c:\program files\AntivirusPro_2010\data\daily.cvd
c:\program files\AntivirusPro_2010\htmlayout.dll
c:\program files\AntivirusPro_2010\Microsoft.VC80.CRT\Microsoft.VC80.CRT.manifest
c:\program files\AntivirusPro_2010\Microsoft.VC80.CRT\msvcm80.dll
c:\program files\AntivirusPro_2010\Microsoft.VC80.CRT\msvcp80.dll
c:\program files\AntivirusPro_2010\Microsoft.VC80.CRT\msvcr80.dll
c:\program files\AntivirusPro_2010\pthreadVC2.dll
c:\program files\AntivirusPro_2010\Uninstall.exe
c:\program files\AntivirusPro_2010\wscui.cpl
c:\windows\braviax.exe
c:\windows\cru629.dat
c:\windows\system32\braviax.exe
c:\windows\system32\cru629.dat
c:\windows\system32\dllcache\beep.sys
c:\windows\system32\dllcache\figaro.sys

c:\windows\system32\drivers\beep.sys . . . is infected!! . . .Failed to restore. Attempting to replace on reboot

Infected copy of c:\windows\system32\drivers\beep.sys was found and disinfected
Restored copy from - c:\system volume information\_restore{6EE2268B-AB94-4A1D-8654-7F7088B2CBF8}\RP2\A0000287.sys
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_IGUAFXUZ


((((((((((((((((((((((((( Files Created from 2009-08-07 to 2009-09-07 )))))))))))))))))))))))))))))))
.

2009-09-07 09:21 . 2009-09-07 21:44 4224 ----a-w- c:\windows\system32\drivers\beep.sys
2009-09-07 09:08 . 2009-09-07 14:20 -------- d-s---w- C:\ComboFix
2009-09-02 04:57 . 2009-09-02 04:57 29216 ----a-w- c:\windows\system32\sys32_nov.exe
2009-08-10 12:52 . 2009-08-10 12:52 -------- d-----w- c:\windows\Sun
2009-08-10 12:50 . 2009-08-10 12:50 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-08-10 12:50 . 2009-08-10 12:50 -------- d-----w- c:\program files\Java

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-09-07 09:28 . 2009-09-07 09:28 14960 ----a-w- c:\documents and settings\All Users\Application Data\ocodac.dat
2009-09-07 07:37 . 2007-05-16 10:59 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-08-05 06:19 . 2008-02-21 07:54 -------- d-----w- c:\program files\FreeCommander
2009-07-30 11:05 . 2009-07-30 11:05 -------- d-----w- c:\program files\TrebingHimstedt
2009-07-30 11:05 . 2009-07-30 11:05 -------- d-----w- c:\program files\Common Files\Softing
2009-07-30 11:04 . 2009-07-30 11:04 -------- d-----w- c:\program files\PF_Activation_Tool
2009-07-30 11:04 . 2009-07-30 11:03 -------- d-----w- c:\program files\Common Files\CWGenericFDT
2009-07-30 11:04 . 2009-07-30 11:03 -------- d-----w- c:\program files\Common Files\DTMstudioPB
2009-07-30 11:04 . 2009-07-30 11:04 -------- d-----w- c:\program files\Common Files\Pepperl+Fuchs GmbH
2009-07-30 11:04 . 2009-07-30 11:04 -------- d-----w- c:\program files\Pepperl+Fuchs
2009-07-30 11:03 . 2009-07-30 11:03 -------- d-----w- c:\program files\Common Files\OPC Foundation
2009-07-30 11:03 . 2009-07-30 11:00 -------- d-----w- c:\program files\Endress+Hauser
2009-07-30 11:03 . 2009-07-30 11:03 -------- d-----w- c:\program files\Common Files\DTMstudio
2009-07-30 11:03 . 2009-07-30 11:03 -------- d-----w- c:\program files\Common Files\CWLicServer
2009-07-30 11:02 . 2009-07-30 11:02 -------- d-----w- c:\program files\Common Files\_is Common
2009-07-30 11:02 . 2009-07-30 11:02 -------- d-----w- c:\program files\Common Files\CodeWrights
2009-07-30 11:01 . 2009-07-30 11:01 86016 ----a-w- c:\windows\system32\OdbcJdbcSetup.dll
2009-07-30 11:01 . 2009-07-30 11:01 225280 ----a-w- c:\windows\system32\IscDbc.dll
2009-07-30 11:01 . 2009-07-30 11:01 200704 ----a-w- c:\windows\system32\OdbcJdbc.dll
2009-07-20 12:26 . 2009-07-20 12:24 -------- d-----w- c:\program files\MSI Card Reader
2009-07-20 12:24 . 2007-05-16 06:09 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-07-20 12:05 . 2009-07-20 12:05 -------- d-----w- c:\program files\MUP RS
2009-07-17 11:47 . 2009-07-17 11:47 -------- d-----w- c:\program files\Common Files\Business Objects
2009-07-17 11:47 . 2009-07-17 11:47 -------- d-----w- c:\program files\Fluke
2009-07-17 11:44 . 2009-07-17 11:44 -------- d-----w- c:\program files\Microsoft SQL Server
2009-07-16 07:52 . 2009-07-16 07:52 -------- d-----w- c:\program files\Compaq
2009-06-03 21:52 . 2009-06-03 21:52 18180 ----a-w- c:\program files\Common Files\somezyh.exe
2009-06-03 21:48 . 2009-06-03 21:48 18084 ----a-w- c:\program files\Common Files\otez.exe
2009-06-03 21:48 . 2009-06-03 21:48 13677 ----a-w- c:\program files\Common Files\sasaluko.db
2009-06-03 15:20 . 2009-06-03 15:20 18732 ----a-w- c:\program files\Common Files\amihiv.lib
2009-06-03 14:31 . 2009-06-03 14:31 19892 ----a-w- c:\program files\Common Files\uvico.lib
2009-06-03 14:31 . 2009-06-03 14:31 13152 ----a-w- c:\program files\Common Files\ihuborehyp.dat
2009-06-03 14:31 . 2009-06-03 14:31 12913 ----a-w- c:\program files\Common Files\ulusecevak.db
2008-03-03 07:05 . 2008-03-03 07:05 14290 ----a-w- c:\program files\settings.dat
2007-06-21 11:33 . 2007-06-21 11:33 35328 ----a-w- c:\program files\winbox.exe
2008-02-02 10:07 . 2008-02-21 11:25 67696 ----a-w- c:\program files\mozilla firefox\components\jar50.dll
2008-02-02 10:07 . 2008-02-21 11:25 54376 ----a-w- c:\program files\mozilla firefox\components\jsd3250.dll
2008-02-02 10:07 . 2008-02-21 11:25 34952 ----a-w- c:\program files\mozilla firefox\components\myspell.dll
2008-02-02 10:07 . 2008-02-21 11:25 46720 ----a-w- c:\program files\mozilla firefox\components\spellchk.dll
2008-02-02 10:07 . 2008-02-21 11:25 172144 ----a-w- c:\program files\mozilla firefox\components\xpinstal.dll
.

------- Sigcheck -------

[-] A058EBADF778FC582FC278BF333870B4 [------] c:\windows\system32\drivers\beep.sys
.
((((((((((((((((((((((((((((( SnapShot@2009-09-07_07.25.44 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-09-07 21:47 . 2009-09-07 21:47 16384 c:\windows\temp\Perflib_Perfdata_298.dat
+ 2009-09-07 21:47 . 2009-09-07 21:47 16384 c:\windows\temp\Perflib_Perfdata_1b0.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
"FtpDrive"="c:\program files\KillSoft\FtpDrive\FtpDrive.exe" [2006-11-05 300653]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2006-02-28 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Apoint"="c:\program files\Apoint2K\Apoint.exe" [2005-04-16 172032]
"S7UB Start"="c:\program files\Common Files\Siemens\S7ubtoox\s7ubtstx.exe" [2003-12-17 110645]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"GatewaySysTray"="c:\program files\3S CoDeSys\GatewayPLC\GatewaySysTray.exe" [2007-12-13 311409]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-08-10 149280]
"VTTimer"="VTTimer.exe" - c:\windows\system32\VTTimer.exe [2006-08-03 53248]
"S3Trayp"="S3Trayp.exe" - c:\windows\system32\S3Trayp.exe [2006-07-11 176128]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2006-02-28 15360]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2007-3-11 210520]
Procitaj.txt [2009-6-4 199]
Service Manager.lnk - c:\program files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe [2002-12-17 74308]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"ForceClassicControlPanel"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Common Files\\Siemens\\SQLANY\\dbsrv7.exe"=
"c:\\Program Files\\Siemens\\Step7\\S7BIN\\S7tgtopx.exe"=
"c:\\Program Files\\Siemens\\Step7\\S7INF\\S7usiapx.exe"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\HP1005MC.EXE"=
"c:\\Program Files\\3S CoDeSys\\CoDeSys\\Common\\CoDeSys.exe"=
"c:\\Program Files\\3S CoDeSys\\CoDeSys\\Common\\RepTool.exe"=
"c:\\Program Files\\3S CoDeSys\\CoDeSys\\Common\\IPMCLI.exe"=
"c:\\Program Files\\3S CoDeSys\\GatewayPLC\\GatewayService.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"6160:TCP"= 6160:TCP:Seagull Driver Networking
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R2 almservice;Automation License Manager Service;c:\program files\Common Files\Siemens\SWS\almsrv\almsrvx.exe [21.7.2005 12:40 622654]
R2 CoDeSys Gateway V3;CoDeSys Gateway V3 Version 3.1.3.1;c:\program files\3S CoDeSys\GatewayPLC\GatewayService.exe [13.12.2007 20:43 843897]
R2 Dpmtrcdd;Dpmtrcdd;c:\windows\system32\drivers\dpmtrcdd.sys [14.1.2008 12:03 30224]
R2 MCT10 Service;MCT10 Service;c:\program files\Danfoss Drives\VLT Motion Control Tool\MCT 10 Set-up Software\MCTServ.exe [5.12.2008 13:04 192512]
R2 MSSQL$FLUKE;MSSQL$FLUKE;c:\program files\Microsoft SQL Server\MSSQL$FLUKE\Binn\sqlservr.exe -sFLUKE --> c:\program files\Microsoft SQL Server\MSSQL$FLUKE\Binn\sqlservr.exe -sFLUKE [?]
R2 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [6.11.2007 22:22 34064]
R2 PROFIbrd;PROFIBUS V5 Hardware Driver (Softing);c:\windows\system32\drivers\PROFIbrd.sys [30.7.2009 13:05 184832]
R2 PROFIprt;PROFIBUS Protocol Driver (Softing);c:\windows\system32\drivers\PROFIprt.sys [30.7.2009 13:05 35968]
R2 PROFIstack;PROFIBUS V6 Hardware Driver (Softing);c:\windows\system32\drivers\PROFIstack.sys [30.7.2009 13:05 250112]
R2 s7asysvx;S7 Global Services;c:\program files\Siemens\Step7\S7BIN\s7asysvx.exe [26.7.2004 21:13 69685]
R2 s7odpx2x;SIMATIC MPI/PROFIBUS DPX2 Driver;c:\windows\system32\drivers\s7odpx2x.sys [5.10.2007 11:40 78408]
R2 s7oiehsx;SIMATIC IEPG Help Service;c:\program files\Common Files\Siemens\S7IEPG\s7oiehsx.exe [5.10.2007 11:51 208968]
R2 s7osmcax;s7osmcax;c:\windows\system32\drivers\s7osmcax.sys [5.10.2007 11:44 194120]
R2 s7snsrtx;PROFINET IO RT-Protocol;c:\windows\system32\drivers\s7snsrtx.sys [30.7.2007 12:06 71168]
R2 S7TraceServiceX;S7TraceServiceX;c:\program files\Common Files\Siemens\Automation\TraceEngine\bin\S7TraceServiceX.exe [31.8.2007 11:32 163840]
R2 scpdrv;scpdrv;c:\program files\Common Files\Siemens\SWS\plugins\scp\scpdrv.sys [14.10.2003 2:44 26944]
R3 S3GIGP;S3GIGP;c:\windows\system32\drivers\S3gIGPm.sys [12.9.2006 10:43 659456]
S2 CoDeSys SP Win V3;CoDeSys SP Win V3 Version 3.1.3.0;c:\program files\3S CoDeSys\GatewayPLC\CoDeSysSPService.exe --> c:\program files\3S CoDeSys\GatewayPLC\CoDeSysSPService.exe [?]
S3 AIDA32Driver;AIDA32Driver;\??\e:\ aaaaaaaaaaaa\aida32.sys --> e:\ aaaaaaaaaaaa\aida32.sys [?]
S3 IRIMAGER;Fluke Ti30, IR-Imager USB Driver (irimager.sys);c:\windows\system32\drivers\irimager.sys [21.4.2006 16:48 19263]
S3 oad;Visibroker Activation Daemon;c:\progra~1\Borland\vbroker\bin\oad.exe [31.5.2007 13:41 1781248]
S3 osagent;VisiBroker Smart Agent;c:\progra~1\Borland\vbroker\bin\osagent.exe [31.5.2007 13:41 193536]
S3 PROFIpnp;PROFIBUS PnP Hardware Driver (Softing);c:\windows\system32\drivers\PROFIpnp.sys [30.7.2009 13:05 12416]
S3 PROFIusb;PROFIusb Device Driver (Softing AG);c:\windows\system32\drivers\PROFIusb.sys [30.7.2009 13:05 30464]
S3 S5AS511;S5AS511;c:\windows\system32\drivers\S5AS511.SYS [3.9.2008 20:03 15360]
S3 S5MCD;S5MCD;c:\windows\system32\drivers\S5MCD.SYS [3.9.2008 20:03 188416]
S3 s7oefs_x;SIMATIC MPI/EFS Driver;c:\windows\system32\drivers\s7oefs_x.sys [18.10.2002 2:34 30512]
S3 s7oupc2x;SIMATIC PC Adapter USB Driver;c:\windows\system32\drivers\s7oupc2x.sys [28.5.2008 9:55 12333]
S3 SQLAgent$FLUKE;SQLAgent$FLUKE;c:\program files\Microsoft SQL Server\MSSQL$FLUKE\Binn\sqlagent.EXE -i FLUKE --> c:\program files\Microsoft SQL Server\MSSQL$FLUKE\Binn\sqlagent.EXE -i FLUKE [?]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com
mStart Page = hxxp://www.google.com
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
TCP: {C0C53F1F-B894-4187-8C88-E30165556C08} = 192.168.2.1
FF - ProfilePath - c:\documents and settings\Odrzavanje\Application Data\Mozilla\Firefox\Profiles\ydhnp2au.default\
FF - component: c:\program files\Mozilla Firefox\components\xpinstal.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, gmer.net
Rootkit scan 2009-09-07 23:49
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10c.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10c.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}]
@Denied: (A 2) (Everyone)
@="IFlashBroker3"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(3360)
c:\program files\KillSoft\FtpDrive\FtpDrive.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\msi.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\logonui.exe
c:\windows\system32\scardsvr.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Microsoft SQL Server\MSSQL$FLUKE\Binn\sqlservr.exe
c:\windows\system32\rdpclip.exe
c:\windows\system32\wscntfy.exe
c:\program files\Apoint2K\ApntEx.exe
c:\program files\Common Files\Siemens\SQLANY\dbsrv7.exe
.
**************************************************************************
.
Completion time: 2009-09-07 23:53 - machine was rebooted
ComboFix-quarantined-files.txt 2009-09-07 21:53
ComboFix2.txt 2009-09-07 14:41
ComboFix3.txt 2009-09-07 07:28
ComboFix4.txt 2009-06-03 15:14

Pre-Run: 24.253.829.120 bytes free
Post-Run: 24.144.211.968 bytes free

239

offline
  • helen1  Male
  • Anti Malware Fighter
    Rank 2
  • Master učitelj
  • Pridružio: 27 Avg 2005
  • Poruke: 8620
  • Gde živiš: Novi Beograd

Uploaduj mi:

c:\windows\system32\drivers\beep.sys

preko sledeceg linka:

http://www.mycity.rs/ambulanta-upload.php


Jesi sigurno sve ono sto sam ti napisao da stavis u skriptu i stavio?

offline
  • Stekss 
  • Novi MyCity građanin
  • Pridružio: 07 Sep 2009
  • Poruke: 13

Postavljen fajl . Sigurno je cela skripta iskopirana. Posle skeniranja vise ne iskace doticni program sada deluje da je ok.

offline
  • helen1  Male
  • Anti Malware Fighter
    Rank 2
  • Master učitelj
  • Pridružio: 27 Avg 2005
  • Poruke: 8620
  • Gde živiš: Novi Beograd

Otvoriti Notepad i iskopirati sledeci tekst:

File::
c:\program files\Common Files\somezyh.exe
c:\program files\Common Files\otez.exe
c:\program files\Common Files\sasaluko.db
c:\program files\Common Files\amihiv.lib
c:\program files\Common Files\uvico.lib
c:\program files\Common Files\ihuborehyp.dat
c:\program files\Common Files\ulusecevak.db
c:\program files\settings.dat
c:\documents and settings\All Users\Application Data\ocodac.dat
c:\windows\system32\sys32_nov.exe



Snimiti na Desktop fajl iz Notepada kao "CFScript"




Prevuci snimljeni skript/tekst na ComboFix ikonicu kao na slici.
Postaviti u sledecoj poruci log koji bude bio napravljen na kraju ciscenja/skeniranja.

offline
  • Stekss 
  • Novi MyCity građanin
  • Pridružio: 07 Sep 2009
  • Poruke: 13

ComboFix 09-09-07.03 - Odrzavanje 08.09.2009 10:27.6.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.446.132 [GMT 2:00]
Running from: c:\documents and settings\Odrzavanje\Desktop\1234.exe
Command switches used :: c:\documents and settings\Odrzavanje\Desktop\CFScript.txt
AV: ESET NOD32 Antivirus 4.0 *On-access scanning disabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}

FILE ::
"c:\documents and settings\All Users\Application Data\ocodac.dat"
"c:\program files\Common Files\amihiv.lib"
"c:\program files\Common Files\ihuborehyp.dat"
"c:\program files\Common Files\otez.exe"
"c:\program files\Common Files\sasaluko.db"
"c:\program files\Common Files\somezyh.exe"
"c:\program files\Common Files\ulusecevak.db"
"c:\program files\Common Files\uvico.lib"
"c:\program files\settings.dat"
"c:\windows\system32\sys32_nov.exe"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\ocodac.dat
c:\program files\Common Files\amihiv.lib
c:\program files\Common Files\ihuborehyp.dat
c:\program files\Common Files\otez.exe
c:\program files\Common Files\sasaluko.db
c:\program files\Common Files\somezyh.exe
c:\program files\Common Files\ulusecevak.db
c:\program files\Common Files\uvico.lib
c:\program files\settings.dat

.
((((((((((((((((((((((((( Files Created from 2009-08-08 to 2009-09-08 )))))))))))))))))))))))))))))))
.

2009-09-08 06:59 . 2009-09-08 06:59 -------- d-----w- c:\documents and settings\Odrzavanje\Local Settings\Application Data\ESET
2009-09-08 06:49 . 2009-09-08 06:49 -------- d-----w- c:\windows\LastGood
2009-09-08 06:48 . 2009-09-08 06:48 -------- d-----w- c:\program files\ESET
2009-09-08 06:48 . 2009-09-08 06:48 -------- d-----w- c:\documents and settings\All Users\Application Data\ESET
2009-09-08 06:48 . 2009-09-08 06:48 290816 ----a-w- c:\windows\einstaller.exe
2009-09-07 09:21 . 2009-09-07 21:44 4224 ----a-w- c:\windows\system32\drivers\beep.sys
2009-09-07 09:08 . 2009-09-07 14:20 -------- d-s---w- C:\ComboFix
2009-08-10 12:52 . 2009-08-10 12:52 -------- d-----w- c:\windows\Sun
2009-08-10 12:50 . 2009-08-10 12:50 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-08-10 12:50 . 2009-08-10 12:50 -------- d-----w- c:\program files\Java

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-09-07 07:37 . 2007-05-16 10:59 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-08-05 06:19 . 2008-02-21 07:54 -------- d-----w- c:\program files\FreeCommander
2009-07-30 11:05 . 2009-07-30 11:05 -------- d-----w- c:\program files\TrebingHimstedt
2009-07-30 11:05 . 2009-07-30 11:05 -------- d-----w- c:\program files\Common Files\Softing
2009-07-30 11:04 . 2009-07-30 11:04 -------- d-----w- c:\program files\PF_Activation_Tool
2009-07-30 11:04 . 2009-07-30 11:03 -------- d-----w- c:\program files\Common Files\CWGenericFDT
2009-07-30 11:04 . 2009-07-30 11:03 -------- d-----w- c:\program files\Common Files\DTMstudioPB
2009-07-30 11:04 . 2009-07-30 11:04 -------- d-----w- c:\program files\Common Files\Pepperl+Fuchs GmbH
2009-07-30 11:04 . 2009-07-30 11:04 -------- d-----w- c:\program files\Pepperl+Fuchs
2009-07-30 11:03 . 2009-07-30 11:03 -------- d-----w- c:\program files\Common Files\OPC Foundation
2009-07-30 11:03 . 2009-07-30 11:00 -------- d-----w- c:\program files\Endress+Hauser
2009-07-30 11:03 . 2009-07-30 11:03 -------- d-----w- c:\program files\Common Files\DTMstudio
2009-07-30 11:03 . 2009-07-30 11:03 -------- d-----w- c:\program files\Common Files\CWLicServer
2009-07-30 11:02 . 2009-07-30 11:02 -------- d-----w- c:\program files\Common Files\_is Common
2009-07-30 11:02 . 2009-07-30 11:02 -------- d-----w- c:\program files\Common Files\CodeWrights
2009-07-30 11:01 . 2009-07-30 11:01 86016 ----a-w- c:\windows\system32\OdbcJdbcSetup.dll
2009-07-30 11:01 . 2009-07-30 11:01 225280 ----a-w- c:\windows\system32\IscDbc.dll
2009-07-30 11:01 . 2009-07-30 11:01 200704 ----a-w- c:\windows\system32\OdbcJdbc.dll
2009-07-20 12:26 . 2009-07-20 12:24 -------- d-----w- c:\program files\MSI Card Reader
2009-07-20 12:24 . 2007-05-16 06:09 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-07-20 12:05 . 2009-07-20 12:05 -------- d-----w- c:\program files\MUP RS
2009-07-17 11:47 . 2009-07-17 11:47 -------- d-----w- c:\program files\Common Files\Business Objects
2009-07-17 11:47 . 2009-07-17 11:47 -------- d-----w- c:\program files\Fluke
2009-07-17 11:44 . 2009-07-17 11:44 -------- d-----w- c:\program files\Microsoft SQL Server
2009-07-16 07:52 . 2009-07-16 07:52 -------- d-----w- c:\program files\Compaq
2007-06-21 11:33 . 2007-06-21 11:33 35328 ----a-w- c:\program files\winbox.exe
2008-02-02 10:07 . 2008-02-21 11:25 67696 ----a-w- c:\program files\mozilla firefox\components\jar50.dll
2008-02-02 10:07 . 2008-02-21 11:25 54376 ----a-w- c:\program files\mozilla firefox\components\jsd3250.dll
2008-02-02 10:07 . 2008-02-21 11:25 34952 ----a-w- c:\program files\mozilla firefox\components\myspell.dll
2008-02-02 10:07 . 2008-02-21 11:25 46720 ----a-w- c:\program files\mozilla firefox\components\spellchk.dll
2008-02-02 10:07 . 2008-02-21 11:25 172144 ----a-w- c:\program files\mozilla firefox\components\xpinstal.dll
.

------- Sigcheck -------

[-] 2009-09-07 21:44 . A058EBADF778FC582FC278BF333870B4 . 4224 . . [------] . . c:\windows\system32\drivers\beep.sys
.
((((((((((((((((((((((((((((( SnapShot@2009-09-07_07.25.44 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-09-08 04:52 . 2009-09-08 04:52 16384 c:\windows\temp\Perflib_Perfdata_298.dat
+ 2009-05-14 13:49 . 2009-05-14 13:49 94360 c:\windows\system32\drivers\epfwtdir.sys
+ 2009-09-08 06:49 . 2009-09-08 06:49 10134 c:\windows\Installer\{2EEBAC31-3EEF-4118-91CB-1A286A507DB2}\callmsi.exe
+ 2009-05-14 13:47 . 2009-05-14 13:47 107256 c:\windows\system32\drivers\ehdrv.sys
+ 2009-05-14 13:41 . 2009-05-14 13:41 114472 c:\windows\system32\drivers\eamon.sys
+ 2009-09-08 06:49 . 2009-09-08 06:49 101480 c:\windows\Installer\{2EEBAC31-3EEF-4118-91CB-1A286A507DB2}\egui.exe
+ 2009-09-08 06:49 . 2009-09-08 06:49 1131520 c:\windows\Installer\6a7c84.msi
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
"FtpDrive"="c:\program files\KillSoft\FtpDrive\FtpDrive.exe" [2006-11-05 300653]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Apoint"="c:\program files\Apoint2K\Apoint.exe" [2005-04-16 172032]
"S7UB Start"="c:\program files\Common Files\Siemens\S7ubtoox\s7ubtstx.exe" [2003-12-17 110645]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"GatewaySysTray"="c:\program files\3S CoDeSys\GatewayPLC\GatewaySysTray.exe" [2007-12-13 311409]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-08-10 149280]
"egui"="c:\program files\ESET\ESET NOD32 Antivirus\egui.exe" [2009-05-14 2029640]
"VTTimer"="VTTimer.exe" - c:\windows\system32\VTTimer.exe [2006-08-03 53248]
"S3Trayp"="S3Trayp.exe" - c:\windows\system32\S3Trayp.exe [2006-07-11 176128]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2006-02-28 15360]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2007-3-11 210520]
Procitaj.txt [2009-6-4 199]
Service Manager.lnk - c:\program files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe [2002-12-17 74308]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"ForceClassicControlPanel"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Common Files\\Siemens\\SQLANY\\dbsrv7.exe"=
"c:\\Program Files\\Siemens\\Step7\\S7BIN\\S7tgtopx.exe"=
"c:\\Program Files\\Siemens\\Step7\\S7INF\\S7usiapx.exe"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\HP1005MC.EXE"=
"c:\\Program Files\\3S CoDeSys\\CoDeSys\\Common\\CoDeSys.exe"=
"c:\\Program Files\\3S CoDeSys\\CoDeSys\\Common\\RepTool.exe"=
"c:\\Program Files\\3S CoDeSys\\CoDeSys\\Common\\IPMCLI.exe"=
"c:\\Program Files\\3S CoDeSys\\GatewayPLC\\GatewayService.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"6160:TCP"= 6160:TCP:Seagull Driver Networking
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R1 ehdrv;ehdrv;c:\windows\system32\drivers\ehdrv.sys [14.5.2009 15:47 107256]
R1 epfwtdir;epfwtdir;c:\windows\system32\drivers\epfwtdir.sys [14.5.2009 15:49 94360]
R2 almservice;Automation License Manager Service;c:\program files\Common Files\Siemens\SWS\almsrv\almsrvx.exe [21.7.2005 12:40 622654]
R2 CoDeSys Gateway V3;CoDeSys Gateway V3 Version 3.1.3.1;c:\program files\3S CoDeSys\GatewayPLC\GatewayService.exe [13.12.2007 20:43 843897]
R2 Dpmtrcdd;Dpmtrcdd;c:\windows\system32\drivers\dpmtrcdd.sys [14.1.2008 12:03 30224]
R2 ekrn;ESET Service;c:\program files\ESET\ESET NOD32 Antivirus\ekrn.exe [14.5.2009 15:47 731840]
R2 MCT10 Service;MCT10 Service;c:\program files\Danfoss Drives\VLT Motion Control Tool\MCT 10 Set-up Software\MCTServ.exe [5.12.2008 13:04 192512]
R2 MSSQL$FLUKE;MSSQL$FLUKE;c:\program files\Microsoft SQL Server\MSSQL$FLUKE\Binn\sqlservr.exe -sFLUKE --> c:\program files\Microsoft SQL Server\MSSQL$FLUKE\Binn\sqlservr.exe -sFLUKE [?]
R2 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [6.11.2007 22:22 34064]
R2 PROFIbrd;PROFIBUS V5 Hardware Driver (Softing);c:\windows\system32\drivers\PROFIbrd.sys [30.7.2009 13:05 184832]
R2 PROFIprt;PROFIBUS Protocol Driver (Softing);c:\windows\system32\drivers\PROFIprt.sys [30.7.2009 13:05 35968]
R2 PROFIstack;PROFIBUS V6 Hardware Driver (Softing);c:\windows\system32\drivers\PROFIstack.sys [30.7.2009 13:05 250112]
R2 s7asysvx;S7 Global Services;c:\program files\Siemens\Step7\S7BIN\s7asysvx.exe [26.7.2004 21:13 69685]
R2 s7odpx2x;SIMATIC MPI/PROFIBUS DPX2 Driver;c:\windows\system32\drivers\s7odpx2x.sys [5.10.2007 11:40 78408]
R2 s7oiehsx;SIMATIC IEPG Help Service;c:\program files\Common Files\Siemens\S7IEPG\s7oiehsx.exe [5.10.2007 11:51 208968]
R2 s7osmcax;s7osmcax;c:\windows\system32\drivers\s7osmcax.sys [5.10.2007 11:44 194120]
R2 s7snsrtx;PROFINET IO RT-Protocol;c:\windows\system32\drivers\s7snsrtx.sys [30.7.2007 12:06 71168]
R2 S7TraceServiceX;S7TraceServiceX;c:\program files\Common Files\Siemens\Automation\TraceEngine\bin\S7TraceServiceX.exe [31.8.2007 11:32 163840]
R2 scpdrv;scpdrv;c:\program files\Common Files\Siemens\SWS\plugins\scp\scpdrv.sys [14.10.2003 2:44 26944]
R3 S3GIGP;S3GIGP;c:\windows\system32\drivers\S3gIGPm.sys [12.9.2006 10:43 659456]
S2 CoDeSys SP Win V3;CoDeSys SP Win V3 Version 3.1.3.0;c:\program files\3S CoDeSys\GatewayPLC\CoDeSysSPService.exe --> c:\program files\3S CoDeSys\GatewayPLC\CoDeSysSPService.exe [?]
S3 AIDA32Driver;AIDA32Driver;\??\e:\ aaaaaaaaaaaa\aida32.sys --> e:\ aaaaaaaaaaaa\aida32.sys [?]
S3 IRIMAGER;Fluke Ti30, IR-Imager USB Driver (irimager.sys);c:\windows\system32\drivers\irimager.sys [21.4.2006 16:48 19263]
S3 oad;Visibroker Activation Daemon;c:\progra~1\Borland\vbroker\bin\oad.exe [31.5.2007 13:41 1781248]
S3 osagent;VisiBroker Smart Agent;c:\progra~1\Borland\vbroker\bin\osagent.exe [31.5.2007 13:41 193536]
S3 PROFIpnp;PROFIBUS PnP Hardware Driver (Softing);c:\windows\system32\drivers\PROFIpnp.sys [30.7.2009 13:05 12416]
S3 PROFIusb;PROFIusb Device Driver (Softing AG);c:\windows\system32\drivers\PROFIusb.sys [30.7.2009 13:05 30464]
S3 S5AS511;S5AS511;c:\windows\system32\drivers\S5AS511.SYS [3.9.2008 20:03 15360]
S3 S5MCD;S5MCD;c:\windows\system32\drivers\S5MCD.SYS [3.9.2008 20:03 188416]
S3 s7oefs_x;SIMATIC MPI/EFS Driver;c:\windows\system32\drivers\s7oefs_x.sys [18.10.2002 2:34 30512]
S3 s7oupc2x;SIMATIC PC Adapter USB Driver;c:\windows\system32\drivers\s7oupc2x.sys [28.5.2008 9:55 12333]
S3 SQLAgent$FLUKE;SQLAgent$FLUKE;c:\program files\Microsoft SQL Server\MSSQL$FLUKE\Binn\sqlagent.EXE -i FLUKE --> c:\program files\Microsoft SQL Server\MSSQL$FLUKE\Binn\sqlagent.EXE -i FLUKE [?]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - EAMON
*NewlyCreated* - EHDRV
*NewlyCreated* - EKRN
*NewlyCreated* - EPFWTDIR

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com
mStart Page = hxxp://www.google.com
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
TCP: {C0C53F1F-B894-4187-8C88-E30165556C08} = 192.168.2.1
FF - ProfilePath - c:\documents and settings\Odrzavanje\Application Data\Mozilla\Firefox\Profiles\ydhnp2au.default\
FF - component: c:\program files\Mozilla Firefox\components\xpinstal.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, gmer.net
Rootkit scan 2009-09-08 10:35
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10c.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10c.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}]
@Denied: (A 2) (Everyone)
@="IFlashBroker3"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
Completion time: 2009-09-08 10:37
ComboFix-quarantined-files.txt 2009-09-08 08:37
ComboFix2.txt 2009-09-07 21:53
ComboFix3.txt 2009-09-07 14:41
ComboFix4.txt 2009-09-07 07:28
ComboFix5.txt 2009-09-08 08:26

Pre-Run: 24.046.907.392 bytes free
Post-Run: 24.005.828.608 bytes free

222

offline
  • helen1  Male
  • Anti Malware Fighter
    Rank 2
  • Master učitelj
  • Pridružio: 27 Avg 2005
  • Poruke: 8620
  • Gde živiš: Novi Beograd

Skini sledeći file na Desktop: http://amf.mycity.rs/personal/dr_Bora/UnKillMe.exe

Klikni Start, Run; u liniju za unos teksta iskopiraj:


"%userprofile%\Desktop\UnKillMe.exe" C:\WINDOWS\system32\drivers\beep.sys


i klikni OK.

Prozor koji će se otvoriti možeš zatvoriti klikom na njega, a zatim dvoklikom pokreni ComboFix i postavi ovde log koji dobiješ.

offline
  • Stekss 
  • Novi MyCity građanin
  • Pridružio: 07 Sep 2009
  • Poruke: 13

ComboFix 09-09-07.05 - Odrzavanje 08.09.2009 17:45.7.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.446.190 [GMT 2:00]
Running from: c:\documents and settings\Odrzavanje\Desktop\1234.exe
AV: ESET NOD32 Antivirus 4.0 *On-access scanning disabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
.

((((((((((((((((((((((((( Files Created from 2009-08-08 to 2009-09-08 )))))))))))))))))))))))))))))))
.

2009-09-08 15:27 . 2002-08-29 12:00 4224 ----a-w- C:\beep.sys
2009-09-08 12:25 . 2009-09-08 12:25 100352 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-09-08 06:59 . 2009-09-08 06:59 -------- d-----w- c:\documents and settings\Odrzavanje\Local Settings\Application Data\ESET
2009-09-08 06:48 . 2009-09-08 06:48 -------- d-----w- c:\program files\ESET
2009-09-08 06:48 . 2009-09-08 06:48 -------- d-----w- c:\documents and settings\All Users\Application Data\ESET
2009-09-07 09:21 . 2009-09-08 15:38 4224 -c--a-w- c:\windows\system32\dllcache\beep.sys
2009-09-07 09:21 . 2009-09-08 15:38 4224 ----a-w- c:\windows\system32\drivers\beep.sys
2009-09-07 09:08 . 2009-09-07 14:20 -------- d-----w- C:\ComboFix
2009-08-10 12:52 . 2009-08-10 12:52 -------- d-----w- c:\windows\Sun
2009-08-10 12:50 . 2009-08-10 12:50 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-08-10 12:50 . 2009-08-10 12:50 -------- d-----w- c:\program files\Java

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-09-08 12:13 . 2008-11-13 10:08 -------- d-----w- c:\documents and settings\All Users\Application Data\HP
2009-09-07 07:37 . 2007-05-16 10:59 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-08-05 06:19 . 2008-02-21 07:54 -------- d-----w- c:\program files\FreeCommander
2009-07-30 11:05 . 2009-07-30 11:05 -------- d-----w- c:\program files\TrebingHimstedt
2009-07-30 11:05 . 2009-07-30 11:05 -------- d-----w- c:\program files\Common Files\Softing
2009-07-30 11:04 . 2009-07-30 11:04 -------- d-----w- c:\program files\PF_Activation_Tool
2009-07-30 11:04 . 2009-07-30 11:03 -------- d-----w- c:\program files\Common Files\CWGenericFDT
2009-07-30 11:04 . 2009-07-30 11:03 -------- d-----w- c:\program files\Common Files\DTMstudioPB
2009-07-30 11:04 . 2009-07-30 11:04 -------- d-----w- c:\program files\Common Files\Pepperl+Fuchs GmbH
2009-07-30 11:04 . 2009-07-30 11:04 -------- d-----w- c:\program files\Pepperl+Fuchs
2009-07-30 11:03 . 2009-07-30 11:03 -------- d-----w- c:\program files\Common Files\OPC Foundation
2009-07-30 11:03 . 2009-07-30 11:00 -------- d-----w- c:\program files\Endress+Hauser
2009-07-30 11:03 . 2009-07-30 11:03 -------- d-----w- c:\program files\Common Files\DTMstudio
2009-07-30 11:03 . 2009-07-30 11:03 -------- d-----w- c:\program files\Common Files\CWLicServer
2009-07-30 11:02 . 2009-07-30 11:02 -------- d-----w- c:\program files\Common Files\_is Common
2009-07-30 11:02 . 2009-07-30 11:02 -------- d-----w- c:\program files\Common Files\CodeWrights
2009-07-30 11:01 . 2009-07-30 11:01 86016 ----a-w- c:\windows\system32\OdbcJdbcSetup.dll
2009-07-30 11:01 . 2009-07-30 11:01 225280 ----a-w- c:\windows\system32\IscDbc.dll
2009-07-30 11:01 . 2009-07-30 11:01 200704 ----a-w- c:\windows\system32\OdbcJdbc.dll
2009-07-20 12:26 . 2009-07-20 12:24 -------- d-----w- c:\program files\MSI Card Reader
2009-07-20 12:24 . 2007-05-16 06:09 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-07-20 12:05 . 2009-07-20 12:05 -------- d-----w- c:\program files\MUP RS
2009-07-17 11:47 . 2009-07-17 11:47 -------- d-----w- c:\program files\Common Files\Business Objects
2009-07-17 11:47 . 2009-07-17 11:47 -------- d-----w- c:\program files\Fluke
2009-07-17 11:44 . 2009-07-17 11:44 -------- d-----w- c:\program files\Microsoft SQL Server
2009-07-16 07:52 . 2009-07-16 07:52 -------- d-----w- c:\program files\Compaq
2007-06-21 11:33 . 2007-06-21 11:33 35328 ----a-w- c:\program files\winbox.exe
2008-02-02 10:07 . 2008-02-21 11:25 67696 ----a-w- c:\program files\mozilla firefox\components\jar50.dll
2008-02-02 10:07 . 2008-02-21 11:25 54376 ----a-w- c:\program files\mozilla firefox\components\jsd3250.dll
2008-02-02 10:07 . 2008-02-21 11:25 34952 ----a-w- c:\program files\mozilla firefox\components\myspell.dll
2008-02-02 10:07 . 2008-02-21 11:25 46720 ----a-w- c:\program files\mozilla firefox\components\spellchk.dll
2008-02-02 10:07 . 2008-02-21 11:25 172144 ----a-w- c:\program files\mozilla firefox\components\xpinstal.dll
.

((((((((((((((((((((((((((((( SnapShot@2009-09-07_07.25.44 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-09-08 15:24 . 2009-09-08 15:24 16384 c:\windows\temp\Perflib_Perfdata_274.dat
+ 2009-05-14 13:49 . 2009-05-14 13:49 94360 c:\windows\system32\drivers\epfwtdir.sys
+ 2009-09-08 06:49 . 2009-09-08 06:49 10134 c:\windows\Installer\{2EEBAC31-3EEF-4118-91CB-1A286A507DB2}\callmsi.exe
+ 2009-05-14 13:47 . 2009-05-14 13:47 107256 c:\windows\system32\drivers\ehdrv.sys
+ 2009-05-14 13:41 . 2009-05-14 13:41 114472 c:\windows\system32\drivers\eamon.sys
+ 2009-09-08 06:49 . 2009-09-08 06:49 101480 c:\windows\Installer\{2EEBAC31-3EEF-4118-91CB-1A286A507DB2}\egui.exe
+ 2009-09-08 06:49 . 2009-09-08 06:49 1131520 c:\windows\Installer\6a7c84.msi
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
"FtpDrive"="c:\program files\KillSoft\FtpDrive\FtpDrive.exe" [2006-11-05 300653]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Apoint"="c:\program files\Apoint2K\Apoint.exe" [2005-04-16 172032]
"S7UB Start"="c:\program files\Common Files\Siemens\S7ubtoox\s7ubtstx.exe" [2003-12-17 110645]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"GatewaySysTray"="c:\program files\3S CoDeSys\GatewayPLC\GatewaySysTray.exe" [2007-12-13 311409]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-08-10 149280]
"egui"="c:\program files\ESET\ESET NOD32 Antivirus\egui.exe" [2009-05-14 2029640]
"VTTimer"="VTTimer.exe" - c:\windows\system32\VTTimer.exe [2006-08-03 53248]
"S3Trayp"="S3Trayp.exe" - c:\windows\system32\S3Trayp.exe [2006-07-11 176128]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2006-02-28 15360]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"ForceClassicControlPanel"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Common Files\\Siemens\\SQLANY\\dbsrv7.exe"=
"c:\\Program Files\\Siemens\\Step7\\S7BIN\\S7tgtopx.exe"=
"c:\\Program Files\\Siemens\\Step7\\S7INF\\S7usiapx.exe"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\HP1005MC.EXE"=
"c:\\Program Files\\3S CoDeSys\\CoDeSys\\Common\\CoDeSys.exe"=
"c:\\Program Files\\3S CoDeSys\\CoDeSys\\Common\\RepTool.exe"=
"c:\\Program Files\\3S CoDeSys\\CoDeSys\\Common\\IPMCLI.exe"=
"c:\\Program Files\\3S CoDeSys\\GatewayPLC\\GatewayService.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"6160:TCP"= 6160:TCP:Seagull Driver Networking
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"2221:TCP"= 2221:TCP:Nod
"2222:TCP"= 2222:TCP:Nod1
"2224:TCP"= 2224:TCP:Nod

R1 ehdrv;ehdrv;c:\windows\system32\drivers\ehdrv.sys [14.5.2009 15:47 107256]
R1 epfwtdir;epfwtdir;c:\windows\system32\drivers\epfwtdir.sys [14.5.2009 15:49 94360]
R2 almservice;Automation License Manager Service;c:\program files\Common Files\Siemens\SWS\almsrv\almsrvx.exe [21.7.2005 12:40 622654]
R2 CoDeSys Gateway V3;CoDeSys Gateway V3 Version 3.1.3.1;c:\program files\3S CoDeSys\GatewayPLC\GatewayService.exe [13.12.2007 20:43 843897]
R2 Dpmtrcdd;Dpmtrcdd;c:\windows\system32\drivers\dpmtrcdd.sys [14.1.2008 12:03 30224]
R2 ekrn;ESET Service;c:\program files\ESET\ESET NOD32 Antivirus\ekrn.exe [14.5.2009 15:47 731840]
R2 MCT10 Service;MCT10 Service;c:\program files\Danfoss Drives\VLT Motion Control Tool\MCT 10 Set-up Software\MCTServ.exe [5.12.2008 13:04 192512]
R2 MSSQL$FLUKE;MSSQL$FLUKE;c:\program files\Microsoft SQL Server\MSSQL$FLUKE\Binn\sqlservr.exe -sFLUKE --> c:\program files\Microsoft SQL Server\MSSQL$FLUKE\Binn\sqlservr.exe -sFLUKE [?]
R2 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [6.11.2007 22:22 34064]
R2 PROFIbrd;PROFIBUS V5 Hardware Driver (Softing);c:\windows\system32\drivers\PROFIbrd.sys [30.7.2009 13:05 184832]
R2 PROFIprt;PROFIBUS Protocol Driver (Softing);c:\windows\system32\drivers\PROFIprt.sys [30.7.2009 13:05 35968]
R2 PROFIstack;PROFIBUS V6 Hardware Driver (Softing);c:\windows\system32\drivers\PROFIstack.sys [30.7.2009 13:05 250112]
R2 s7asysvx;S7 Global Services;c:\program files\Siemens\Step7\S7BIN\s7asysvx.exe [26.7.2004 21:13 69685]
R2 s7odpx2x;SIMATIC MPI/PROFIBUS DPX2 Driver;c:\windows\system32\drivers\s7odpx2x.sys [5.10.2007 11:40 78408]
R2 s7oiehsx;SIMATIC IEPG Help Service;c:\program files\Common Files\Siemens\S7IEPG\s7oiehsx.exe [5.10.2007 11:51 208968]
R2 s7osmcax;s7osmcax;c:\windows\system32\drivers\s7osmcax.sys [5.10.2007 11:44 194120]
R2 s7snsrtx;PROFINET IO RT-Protocol;c:\windows\system32\drivers\s7snsrtx.sys [30.7.2007 12:06 71168]
R2 S7TraceServiceX;S7TraceServiceX;c:\program files\Common Files\Siemens\Automation\TraceEngine\bin\S7TraceServiceX.exe [31.8.2007 11:32 163840]
R2 scpdrv;scpdrv;c:\program files\Common Files\Siemens\SWS\plugins\scp\scpdrv.sys [14.10.2003 2:44 26944]
R3 S3GIGP;S3GIGP;c:\windows\system32\drivers\S3gIGPm.sys [12.9.2006 10:43 659456]
S2 CoDeSys SP Win V3;CoDeSys SP Win V3 Version 3.1.3.0;c:\program files\3S CoDeSys\GatewayPLC\CoDeSysSPService.exe --> c:\program files\3S CoDeSys\GatewayPLC\CoDeSysSPService.exe [?]
S3 AIDA32Driver;AIDA32Driver;\??\e:\ aaaaaaaaaaaa\aida32.sys --> e:\ aaaaaaaaaaaa\aida32.sys [?]
S3 IRIMAGER;Fluke Ti30, IR-Imager USB Driver (irimager.sys);c:\windows\system32\drivers\irimager.sys [21.4.2006 16:48 19263]
S3 oad;Visibroker Activation Daemon;c:\progra~1\Borland\vbroker\bin\oad.exe [31.5.2007 13:41 1781248]
S3 osagent;VisiBroker Smart Agent;c:\progra~1\Borland\vbroker\bin\osagent.exe [31.5.2007 13:41 193536]
S3 PROFIpnp;PROFIBUS PnP Hardware Driver (Softing);c:\windows\system32\drivers\PROFIpnp.sys [30.7.2009 13:05 12416]
S3 PROFIusb;PROFIusb Device Driver (Softing AG);c:\windows\system32\drivers\PROFIusb.sys [30.7.2009 13:05 30464]
S3 S5AS511;S5AS511;c:\windows\system32\drivers\S5AS511.SYS [3.9.2008 20:03 15360]
S3 S5MCD;S5MCD;c:\windows\system32\drivers\S5MCD.SYS [3.9.2008 20:03 188416]
S3 s7oefs_x;SIMATIC MPI/EFS Driver;c:\windows\system32\drivers\s7oefs_x.sys [18.10.2002 2:34 30512]
S3 s7oupc2x;SIMATIC PC Adapter USB Driver;c:\windows\system32\drivers\s7oupc2x.sys [28.5.2008 9:55 12333]
S3 SQLAgent$FLUKE;SQLAgent$FLUKE;c:\program files\Microsoft SQL Server\MSSQL$FLUKE\Binn\sqlagent.EXE -i FLUKE --> c:\program files\Microsoft SQL Server\MSSQL$FLUKE\Binn\sqlagent.EXE -i FLUKE [?]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com
mStart Page = hxxp://www.google.com
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
TCP: {C0C53F1F-B894-4187-8C88-E30165556C08} = 192.168.2.1
FF - ProfilePath - c:\documents and settings\Odrzavanje\Application Data\Mozilla\Firefox\Profiles\ydhnp2au.default\
FF - component: c:\program files\Mozilla Firefox\components\xpinstal.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, gmer.net
Rootkit scan 2009-09-08 17:53
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10c.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10c.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}]
@Denied: (A 2) (Everyone)
@="IFlashBroker3"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(3296)
c:\program files\KillSoft\FtpDrive\FtpDrive.dll
c:\windows\system32\msi.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2009-09-08 17:56
ComboFix-quarantined-files.txt 2009-09-08 15:56
ComboFix2.txt 2009-09-08 08:37
ComboFix3.txt 2009-09-07 21:53
ComboFix4.txt 2009-09-07 14:41
ComboFix5.txt 2009-09-08 15:44

Pre-Run: 24.001.388.544 bytes free
Post-Run: 23.975.055.360 bytes free

197

offline
  • helen1  Male
  • Anti Malware Fighter
    Rank 2
  • Master učitelj
  • Pridružio: 27 Avg 2005
  • Poruke: 8620
  • Gde živiš: Novi Beograd

Zipuj/raruj pa mi uploaduj:

C:\Qoobox\Quarantine


preko:

http://www.mycity.rs/ambulanta-upload.php

Ko je trenutno na forumu
 

Ukupno su 1042 korisnika na forumu :: 55 registrovanih, 3 sakrivenih i 984 gosta   ::   [ Administrator ] [ Supermoderator ] [ Moderator ] :: Detaljnije

Najviše korisnika na forumu ikad bilo je 3466 - dana 01 Jun 2021 17:07

Korisnici koji su trenutno na forumu:
Korisnici trenutno na forumu: 357magnum, _Rade, A.R.Chafee.Jr., amaterSRB, babaroga, Bluper, Bobrock1, cavatina, CikaKURE, darkangel, debeli, Dežurni pod palubom, Dimitrije Paunovic, djuradj, DragoslavS, Dukelander, Georgius, Jeremiah, Karla, krkalon, Krusarac, ladro, laurusri, ljuba, mercedesamg, Miki01, milenko crazy north, milos.cbr, Mlav, moldway, Nemanja.M, nemkea71, nenad81, Parker, pedja.st, pein, Pohovani_00, raketaš, RED4G-304, repac, Ripanjac, ruma, Shinobi, Simon simonović, stegonosa, Tila Painen, tubular, vaso1, VJ, voja64, Webb, wizzardone, YU-UKI, zastavnik, ZetaMan