System cleanup

57 replies to this topic

#37
rootkit

    Awake. Security DNA

  • Group: Senior Members
  • Posts: 34,883
  • Joined: 07.02.2007
Download: ComboFix and save it to your Desktop.

Then make sure you have closed all running programs (Yahoo Messenger, Mozilla Firefox, etc.) and run ComboFix. It will ask whether to start cleaning the system. Confirm with Yes every time. Do not stop it while it scans and disinfects the system. It is possible that the desktop disappears while it runs, but do not worry.
At the end it will display the scan results. Save that file and post its contents HERE together with a new HijackThis log.

#38
alina_ally23

    Member

  • Group: Members
  • Posts: 977
  • Joined: 05.03.2005
ComboFix 09-03-06.02 - contabilitate2 2009-03-07 22:18:08.2 - NTFSx86
Microsoft Windows XP Professional  5.1.2600.2.1252.1.1033.18.503.170 [GMT 2:00]
Running from: c:\documents and settings\contabilitate2\Desktop\ComboFix.exe
AV: Avira AntiVir PersonalEdition *On-access scanning enabled* (Updated)
* Created a new restore point
.

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\contabilitate2\v.exe
c:\windows\system32\zip32.dll

.
(((((((((((((((((((((((((   Files Created from 2009-02-07 to 2009-03-07  )))))))))))))))))))))))))))))))
.

2009-03-07 21:20 . 2009-03-07 21:21 <DIR> d-------- c:\documents and settings\LogMeInRemoteUser
2009-03-07 21:18 . 2009-03-07 21:18 <DIR> d-------- c:\documents and settings\All Users\Application Data\LogMeIn
2009-03-07 21:18 . 2008-10-16 20:35 83,288 --a------ c:\windows\system32\LMIRfsClientNP.dll
2009-03-07 21:18 . 2008-07-24 18:46 47,640 --a------ c:\windows\system32\drivers\LMIRfsDriver.sys
2009-03-07 21:18 . 2008-10-16 20:35 28,984 --a------ c:\windows\system32\LMIport.dll
2009-03-07 21:17 . 2008-10-16 20:35 87,352 --a------ c:\windows\system32\LMIinit.dll
2009-03-07 21:17 . 2009-03-07 21:17 1,024 --a------ C:\.rnd
2009-03-07 21:16 . 2009-03-07 21:18 <DIR> d-------- c:\program files\LogMeIn
2009-03-07 21:05 . 2009-03-07 21:05 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2009-03-07 21:05 . 2009-03-07 21:05 <DIR> d-------- c:\documents and settings\contabilitate2\Application Data\Malwarebytes
2009-03-07 21:05 . 2009-03-07 21:05 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-03-07 21:05 . 2009-02-11 10:19 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2009-03-07 21:05 . 2009-02-11 10:19 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2009-03-06 10:44 . 2009-03-07 16:01 <DIR> d-------- c:\program files\ChickenInvadersROTYXmas
2009-03-06 10:27 . 2009-03-06 10:27 <DIR> d-------- c:\program files\Chicken Invaders 1,2,3,4 Collection
2009-03-06 10:27 . 2008-07-20 14:14 245,760 --a------ c:\windows\system32\SUSB.exe
2009-02-17 08:47 . 2009-02-17 09:00 <DIR> d-------- c:\program files\D392 (an 2008)
2009-02-13 18:18 . 2009-03-05 13:22 <DIR> d-------- c:\program files\OPFV 2009
2009-02-13 12:50 . 2009-02-13 12:13 245,557 --a------ C:\fisa_sintetica_finala_17618147_13.02.2009.pdf

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-03-07 19:34 --------- d-----w c:\program files\Yahoo!
2009-03-05 03:59 --------- d-----w c:\program files\Declaratii_BASS
2009-03-02 20:24 --------- d-----w c:\program files\Bilant 1208
2009-03-02 18:44 --------- d-----w c:\program files\Bilant 1206
2009-03-02 08:39 --------- d-----w c:\program files\Declaratii fiscale 2009
2009-02-25 07:12 --------- d-----w c:\program files\OPFV 2007
2009-02-23 17:16 --------- d-----w c:\program files\Bilant 1207
2009-02-17 14:23 --------- d-----w c:\program files\Bilant 2005
2009-02-17 06:35 --------- d-----w c:\program files\Declaratii fiscale 2008
2009-02-13 07:10 --------- d-----w c:\program files\Bilant 0608
2009-02-03 17:26 --------- d-----w c:\program files\Avira
2009-02-03 17:26 --------- d-----w c:\documents and settings\All Users\Application Data\Avira
2009-02-01 19:55 --------- d-----w c:\program files\Trend Micro
2009-01-25 17:12 --------- d-----w c:\documents and settings\contabilitate2\Application Data\Wildfire
2009-01-23 17:54 --------- d-----w c:\program files\Fise fiscale 2008
2009-01-21 05:43 --------- d-----w c:\program files\D394
2006-02-20 05:18 4,754 -c--a-w c:\program files\setup.stf
2006-02-13 10:55 713 -c--a-w c:\program files\FOXUSER.DBF
2006-02-13 10:55 25,731 -c--a-w c:\program files\STARTDECLSOM.EXE
2006-02-13 10:55 1,792 -c--a-w c:\program files\FOXUSER.FPT
.

------- Sigcheck -------

2003-03-31 14:00  332928  244a2f9816bc9b593957281ef577d976 c:\windows\$NtServicePackUninstall$\tcpip.sys
2004-08-03 23:14  359040  9f4b36614a0fc234525ba224957de55c c:\windows\ServicePackFiles\i386\tcpip.sys
2004-08-03 23:14  359040  6a603809f598332dbedd535bdbce313e c:\windows\system32\drivers\tcpip.sys
.
(((((((((((((((((((((((((((((   snapshot@2009-02-03_19.08.03.48   )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-02-02 16:07:40 1,914,440 ----a-w c:\windows\Downloaded Program Files\FP_AX_CAB_INSTALLER.exe
- 2005-10-20 12:02:28 163,328 ----a-w c:\windows\ERDNT\Hiv-backup\ERDNT.EXE
+ 2005-10-20 18:02:28 163,328 ----a-w c:\windows\ERDNT\Hiv-backup\ERDNT.EXE
+ 2008-05-09 10:15:51 45,376 ----a-w c:\windows\system32\drivers\avgntdd.sys
+ 2008-01-21 15:11:28 22,336 ----a-w c:\windows\system32\drivers\avgntmgr.sys
+ 2008-10-30 08:21:03 75,072 ----a-w c:\windows\system32\drivers\avipbb.sys
+ 2008-07-24 16:45:20 10,144 ----a-w c:\windows\system32\drivers\lmimirr.sys
+ 2007-03-01 07:34:22 28,352 ----a-w c:\windows\system32\drivers\ssmdrv.sys
+ 2008-10-16 18:35:40 23,736 ----a-w c:\windows\system32\lmimirr.dll
+ 2008-10-16 18:35:42 10,040 ----a-w c:\windows\system32\lmimirr2.dll
+ 2009-02-03 02:07:18 240,544 ----a-r c:\windows\system32\Macromed\Flash\FlashUtil10b.exe
+ 2009-02-26 15:34:20 89,102 ----a-w c:\windows\system32\Macromed\Flash\uninstall_activeX.exe
+ 2008-10-16 18:35:44 34,104 ----a-w c:\windows\system32\spool\drivers\w32x86\3\LMIprinter.dll
+ 2008-10-16 18:35:46 43,320 ----a-w c:\windows\system32\spool\drivers\w32x86\3\LMIprinterdat.dll
+ 2008-10-16 18:35:46 43,320 ----a-w c:\windows\system32\spool\drivers\w32x86\3\LMIprinterui.dll
+ 2008-10-16 18:35:44 34,104 ----a-w c:\windows\system32\spool\drivers\w32x86\LMIprinter.dll
+ 2008-10-16 18:35:46 43,320 ----a-w c:\windows\system32\spool\drivers\w32x86\LMIprinterdat.dll
+ 2008-10-16 18:35:46 43,320 ----a-w c:\windows\system32\spool\drivers\w32x86\LMIprinterui.dll
+ 2008-10-16 18:35:50 47,416 ----a-w c:\windows\system32\spool\prtprocs\w32x86\LMIproc.dll
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\System32\igfxtray.exe" [2003-12-14 155648]
"HotKeysCmds"="c:\windows\System32\hkcmd.exe" [2003-12-14 118784]
"Smapp"="c:\program files\Analog Devices\SoundMAX\SMTray.exe" [2003-05-05 143360]
"WinampAgent"="c:\program files\Winamp\winampa.exe" [2004-12-20 33792]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"diagnostics"="C:\Program Files/Thomson SpeedTouch/ST330/diagnostics/diagnostics.exe" [2008-10-31 557149]
"avgnt"="c:\program files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-06-12 266497]
"LogMeIn GUI"="c:\program files\LogMeIn\x86\LogMeInSystray.exe" [2008-07-24 63048]

c:\documents and settings\contabilitate2\Start Menu\Programs\Startup\
Wireless.lnk - c:\windows\system32\SUSB.exe [2009-03-06 245760]
Yahoo! Widget Engine.lnk - c:\program files\Yahoo!\Yahoo! Widget Engine\YahooWidgetEngine.exe [2006-05-23 1806336]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [2000-01-21 65588]
Wireless.lnk - c:\windows\system32\SUSB.exe [2009-03-06 245760]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
2008-10-16 20:35 87352 c:\windows\system32\LMIinit.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001
"AntiVirusDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"wmsncs.exe"= wmsncs.exe:SYSTEM

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"1013:TCP"= 1013:TCP:BS
"8081:TCP"= 8081:TCP:PORT2
"8080:TCP"= 8080:TCP:PORT1
"1240:TCP"= 1240:TCP:FD
"1494:TCP"= 1494:TCP:FD

R1 avgntdd;avgntdd;c:\windows\system32\drivers\avgntdd.sys [2009-02-03 45376]
R2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\LogMeIn\x86\rainfo.sys [2008-07-24 12856]
R2 LMIRfsDriver;LogMeIn Remote File System Driver;c:\windows\system32\drivers\LMIRfsDriver.sys [2009-03-07 47640]
S3 ST330;ST330;c:\windows\system32\drivers\st330.sys [2008-10-31 30464]
S3 STBUS;STBUS;c:\windows\system32\drivers\stbus.sys [2008-10-31 12672]
S3 STETH;SpeedTouch Ethernet Adapter NT Driver;c:\windows\system32\drivers\steth.sys [2008-10-31 40320]
S4 LMIRfsClientNP;LMIRfsClientNP; [x]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{103L3C30-C3B3-4130-9363-E59E1375PERM}]
c:\windows\Fonts\wmsncs.exe
.
Contents of the 'Scheduled Tasks' folder

2009-02-01 c:\windows\Tasks\ErrorSmart Scheduled Scan.job
- c:\program files\ErrorSmart\ErrorSmart.exe []

2009-02-01 c:\windows\Tasks\ErrorSmart Scheduled Scan.job
- c:\program files\ErrorSmart []

2009-03-07 c:\windows\Tasks\RegCure Program Check.job
- c:\program files\RegCure\RegCure.exe [2008-04-21 23:21]

2008-11-03 c:\windows\Tasks\RegCure.job
- c:\program files\RegCure\RegCure.exe [2008-04-21 23:21]
.
.
------- Supplementary Scan -------
.
FF - ProfilePath - c:\documents and settings\contabilitate2\Application Data\Mozilla\Firefox\Profiles\qmorj9o7.default\
FF - prefs.js: browser.startup.homepage -
FF - plugin: c:\documents and settings\All Users\Application Data\Zylom\ZylomGamesPlayer\npzylomgamesplayer.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npzylomgamesplayer.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-03-07 22:19:59
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...  

scanning hidden autostart entries ...

scanning hidden files ...  

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\st330service]
"ImagePath"="C:\Program Files/Thomson SpeedTouch/ST330/service/st330service.exe -service"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(524)
c:\windows\system32\LMIinit.dll
c:\windows\system32\LMIRfsClientNP.dll
.
Completion time: 2009-03-07 22:21:38
ComboFix-quarantined-files.txt  2009-03-07 20:21:36
ComboFix2.txt  2009-02-03 17:08:40

Pre-Run: 2.046.304.256 bytes free
Post-Run: 2,176,135,168 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn



and HijackThis

Logfile of Trend Micro HiJackThis v2.0.2
Scan saved at 22:31:29, on 07/03/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Thomson SpeedTouch\ST330\service\st330service.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Thomson SpeedTouch\ST330\diagnostics\diagnostics.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\LogMeIn\x86\LogMeInSystray.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\LogMeIn\x86\RaMaint.exe
C:\Program Files\Yahoo!\Yahoo! Widget Engine\YahooWidgetEngine.exe
C:\Program Files\LogMeIn\x86\LMIGuardian.exe
C:\Program Files\LogMeIn\x86\LogMeIn.exe
C:\Program Files\LogMeIn\x86\LMIGuardian.exe
C:\WINDOWS\system32\tcpsvcs.exe
C:\Program Files\Yahoo!\Yahoo! Widget Engine\YahooWidgetEngine.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\LogMeIn\x86\LogMeIn.exe
C:\Program Files\LogMeIn\x86\LMIGuardian.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [diagnostics] "C:\Program Files/Thomson SpeedTouch/ST330/diagnostics/diagnostics.exe" /icon -l:en
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [LogMeIn GUI] "C:\Program Files\LogMeIn\x86\LogMeInSystray.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: Wireless.lnk = C:\WINDOWS\system32\SUSB.exe
O4 - Startup: Yahoo! Widget Engine.lnk = C:\Program Files\Yahoo!\Yahoo! Widget Engine\YahooWidgetEngine.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Wireless.lnk = C:\WINDOWS\system32\SUSB.exe
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O23 - Service: Avira AntiVir Personal - Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: LogMeIn Maintenance Service (LMIMaint) - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\RaMaint.exe
O23 - Service: LogMeIn - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\LogMeIn.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: SpeedTouch 330 Manager (st330service) - THOMSON Telecom Belgium - C:\Program Files/Thomson SpeedTouch/ST330/service/st330service.exe

--
End of file - 4647 bytes
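An added triage helper (not part of the thread, ComboFix or HijackThis) that reads the "Reg Loading Points" section of a ComboFix log like the one above and flags what a responder would review first: Security Center overrides, the firewall switched off, ports opened to all hosts, and firewall exceptions named without a path. The sample input is a constructed excerpt built from the values in the posted log.

```python
"""Triage helper for the 'Reg Loading Points' section of a ComboFix log.

Added example for this thread; it is not part of ComboFix, HijackThis or
the logs posted above. It groups the '"name"=value' lines under their
[registry key] header and flags the settings a responder would review:
Security Center override/notify keys set to 1, the XP firewall switched
off, ports opened to all hosts, and firewall-authorized applications
listed without a full path.
"""
import re
from typing import Dict, List, Optional, Tuple

# Constructed excerpt: the key names and values below are copied from the
# ComboFix log posted in this thread, trimmed to the sections of interest.
SAMPLE = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001
"AntiVirusDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"wmsncs.exe"= wmsncs.exe:SYSTEM

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"1013:TCP"= 1013:TCP:BS
"8080:TCP"= 8080:TCP:PORT1
"""

SECTION_RE = re.compile(r'^\[(.+)\]$')
VALUE_RE = re.compile(r'^"([^"]+)"\s*=\s*(.*)$')


def parse_sections(text: str) -> Dict[str, List[Tuple[str, str]]]:
    """Map each lower-cased [key] header to its (name, value) pairs."""
    sections: Dict[str, List[Tuple[str, str]]] = {}
    current: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        header = SECTION_RE.match(line)
        if header:
            current = header.group(1).lower()
            sections.setdefault(current, [])
            continue
        entry = VALUE_RE.match(line)
        if entry and current is not None:
            sections[current].append((entry.group(1), entry.group(2)))
    return sections


def dword_value(value: str) -> Optional[int]:
    """ComboFix prints REG_DWORDs as 'dword:00000001' or as '1 (0x1)'."""
    v = value.strip().lower()
    if v.startswith('dword:'):
        return int(v[len('dword:'):], 16)
    m = re.match(r'^(\d+)\s*\(0x[0-9a-f]+\)$', v)
    return int(m.group(1)) if m else None


def triage(text: str) -> List[str]:
    """Return one human-readable finding per setting worth a second look."""
    findings: List[str] = []
    for key, entries in parse_sections(text).items():
        if key.endswith('\\security center'):
            # Override/DisableNotify = 1 silences the XP Security Center, so a
            # missing AV or firewall no longer produces a warning balloon.
            for name, value in entries:
                if name.endswith(('Override', 'DisableNotify')) and dword_value(value) == 1:
                    findings.append(f'Security Center: {name}=1 (monitoring or alerts suppressed)')
        elif key.endswith('\\firewallpolicy\\standardprofile'):
            for name, value in entries:
                if name == 'EnableFirewall' and dword_value(value) == 0:
                    findings.append('Firewall: EnableFirewall=0 (Windows Firewall off in the standard profile)')
        elif key.endswith('\\globallyopenports\\list'):
            # Value format is port:proto:label. Windows' built-in exceptions
            # (Remote Desktop etc.) use an @dll,-id resource string as label; an
            # exception added by hand or by a program carries the name it was given.
            for name, value in entries:
                port, proto = name.split(':', 1)
                label = value.split(':', 2)[2] if value.count(':') >= 2 else ''
                origin = 'system resource label' if label.startswith('@') else 'custom label'
                findings.append(f'Firewall: {port}/{proto} open to all hosts ({origin} {label!r})')
        elif key.endswith('\\authorizedapplications\\list'):
            # An exception named by bare file name gives no clue which binary on
            # disk it belongs to; locate it before judging the entry.
            for name, value in entries:
                if value and '\\' not in name and '/' not in name:
                    findings.append(f'Firewall: authorized application {name!r} listed without a path')
    return findings


if __name__ == '__main__':
    for finding in triage(SAMPLE):
        print(finding)
```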

#39
xxvirusxx

    Retired

  • Group: Senior Members
  • Posts: 13,441
  • Joined: 11.11.2005
Do you use something like this? C:\Program Files\LogMeIn\x86\RaMaint.exe

Fix the entry O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file); the rest of the log is clean. Do you still have problems?

Edited by xxvirusxx, 07 March 2009 - 22:44.


#40
alina_ally23

    Member

  • Group: Members
  • Posts: 977
  • Joined: 05.03.2005

xxvirusxx, on Mar 7 2009, 22:38, said:

Do you use something like this? C:\Program Files\LogMeIn\x86\RaMaint.exe
Yes, so that I can access that computer from another one.

xxvirusxx, on Mar 7 2009, 22:38, said:

Fix the entry O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file); the rest of the log is clean. Do you still have problems?

Yes, unfortunately I haven't got rid of the problem. Those pages keep appearing :(

#41
rootkit

    Awake. Security DNA

  • Group: Senior Members
  • Posts: 34,883
  • Joined: 07.02.2007
Can you take a screenshot? :)

#42
alina_ally23

    Member

  • Group: Members
  • Posts: 977
  • Joined: 05.03.2005

crysty2k5, on Mar 7 2009, 22:56, said:

Can you take a screenshot? :)
Yes :)


#43
xxvirusxx

    Retired

  • Group: Senior Members
  • Posts: 13,441
  • Joined: 11.11.2005
See whether an update to Internet Explorer fixes it.

#44
alina_ally23

    Member

  • Group: Members
  • Posts: 977
  • Joined: 05.03.2005

xxvirusxx, on Mar 7 2009, 23:34, said:

See whether an update to Internet Explorer fixes it.
But I don't even use Internet Explorer... I don't understand why the pages open in IE :(

#45
xxvirusxx

    Retired

  • Group: Senior Members
  • Posts: 13,441
  • Joined: 11.11.2005
Go to Start > Run, type msconfig there and press Enter.

Then take a picture of the processes that run at Startup (there, drag the Command column divider to the right so that the file locations are visible).


Does it open by itself even if you don't go on the internet?

#46
alina_ally23

    Member

  • Group: Members
  • Posts: 977
  • Joined: 05.03.2005

xxvirusxx, on Mar 7 2009, 23:44, said:

Go to Start > Run, type msconfig there and press Enter.

Then take a picture of the processes that run at Startup (there, drag the Command column divider to the right so that the file locations are visible).


Does it open by itself even if you don't go on the internet?
I've attached the processes.

Yes, those pages open by themselves. Even if nothing is being done on that computer... they still open.


I don't understand what that Wireless is :confuzzled: ...because that computer has no wireless

Attached file: 1.jpg (63.68K)


#47
xxvirusxx

    Retired

  • Group: Senior Members
  • Posts: 13,441
  • Joined: 11.11.2005
OK, if it has no wireless, untick the following in Startup:

- the 2 Wireless entries
- Winampa - it is not needed at startup
- NeroCheck - which isn't needed either
- Microsoft Office - likewise

Then restart the computer. After you have restarted, go to C:\WINDOWS\system32, archive SUSB.exe and send it to me by PM so I can see what this file is.

Edited by xxvirusxx, 08 March 2009 - 11:09.


#48
rootkit

    Awake. Security DNA

  • Group: Senior Members
  • Posts: 34,883
  • Joined: 07.02.2007
I also thought it was a laptop and that you had wireless enabled :)

Put the following files in an archive with the password infected and send me a PM with it, or upload it to a server (for example: http://www.rapidshare.com ) and send me a PM with the download link, so I can submit it for analysis.

Quote


C:\WINDOWS\system32\SUSB.exe

DO NOT ATTACH THE ARCHIVE AND DO NOT POST THE DOWNLOAD LINK ON THE FORUM!

After you have done that, and only after you have done that...

If I had realised, I would have made you a script the first time :)

Download: ComboFix and save it to your Desktop.

Create a new .txt file with Notepad and write in it what is quoted below:

Quote

File::
C:\WINDOWS\system32\SUSB.exe

Name the file CFScript.txt, then drag it onto ComboFix.exe as shown in the picture below.

[ http://users.telenet.be/bluepatchy/miekiemoes/images/CFScript.gif ]
Then make sure you have closed all running programs (Yahoo Messenger, Mozilla Firefox, etc.) and run ComboFix. It will ask whether to start cleaning the system. Confirm with Yes every time. Do not stop it while it scans and disinfects the system. It is possible that the desktop disappears while it runs, but do not worry.
At the end it will display the scan results. Save that file and post its contents HERE together with a new HijackThis log.


Later edit: the file has been sent for analysis. Thank you ;)

Edited by crysty2k5, 08 March 2009 - 19:25.


#49
alina_ally23

    Member

  • Group: Members
  • Posts: 977
  • Joined: 05.03.2005
ComboFix 09-03-06.02 - contabilitate2 2009-03-08 19:22:21.3 - NTFSx86
Microsoft Windows XP Professional  5.1.2600.2.1252.1.1033.18.503.244 [GMT 2:00]
Running from: c:\documents and settings\contabilitate2\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\contabilitate2\Desktop\CFScript.txt
AV: Avira AntiVir PersonalEdition *On-access scanning disabled* (Updated)
* Created a new restore point

FILE ::
c:\windows\system32\SUSB.exe
.

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\SUSB.exe

.
(((((((((((((((((((((((((   Files Created from 2009-02-08 to 2009-03-08  )))))))))))))))))))))))))))))))
.

2009-03-07 21:20 . 2009-03-07 21:21 <DIR> d-------- c:\documents and settings\LogMeInRemoteUser
2009-03-07 21:18 . 2009-03-07 21:18 <DIR> d-------- c:\documents and settings\All Users\Application Data\LogMeIn
2009-03-07 21:18 . 2008-10-16 20:35 83,288 --a------ c:\windows\system32\LMIRfsClientNP.dll
2009-03-07 21:18 . 2008-07-24 18:46 47,640 --a------ c:\windows\system32\drivers\LMIRfsDriver.sys
2009-03-07 21:18 . 2008-10-16 20:35 28,984 --a------ c:\windows\system32\LMIport.dll
2009-03-07 21:17 . 2008-10-16 20:35 87,352 --a------ c:\windows\system32\LMIinit.dll
2009-03-07 21:17 . 2009-03-07 21:17 1,024 --a------ C:\.rnd
2009-03-07 21:16 . 2009-03-08 06:44 <DIR> d-------- c:\program files\LogMeIn
2009-03-07 21:05 . 2009-03-07 21:05 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2009-03-07 21:05 . 2009-03-07 21:05 <DIR> d-------- c:\documents and settings\contabilitate2\Application Data\Malwarebytes
2009-03-07 21:05 . 2009-03-07 21:05 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-03-07 21:05 . 2009-02-11 10:19 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2009-03-07 21:05 . 2009-02-11 10:19 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2009-03-06 10:44 . 2009-03-08 09:31 <DIR> d-------- c:\program files\ChickenInvadersROTYXmas
2009-03-06 10:27 . 2009-03-06 10:27 <DIR> d-------- c:\program files\Chicken Invaders 1,2,3,4 Collection
2009-02-17 08:47 . 2009-02-17 09:00 <DIR> d-------- c:\program files\D392 (an 2008)
2009-02-13 18:18 . 2009-03-05 13:22 <DIR> d-------- c:\program files\OPFV 2009
2009-02-13 12:50 . 2009-02-13 12:13 245,557 --a------ C:\fisa_sintetica_finala_17618147_13.02.2009.pdf

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-03-07 19:34 --------- d-----w c:\program files\Yahoo!
2009-03-05 03:59 --------- d-----w c:\program files\Declaratii_BASS
2009-03-02 20:24 --------- d-----w c:\program files\Bilant 1208
2009-03-02 18:44 --------- d-----w c:\program files\Bilant 1206
2009-03-02 08:39 --------- d-----w c:\program files\Declaratii fiscale 2009
2009-02-25 07:12 --------- d-----w c:\program files\OPFV 2007
2009-02-23 17:16 --------- d-----w c:\program files\Bilant 1207
2009-02-17 14:23 --------- d-----w c:\program files\Bilant 2005
2009-02-17 06:35 --------- d-----w c:\program files\Declaratii fiscale 2008
2009-02-13 07:10 --------- d-----w c:\program files\Bilant 0608
2009-02-03 17:26 --------- d-----w c:\program files\Avira
2009-02-03 17:26 --------- d-----w c:\documents and settings\All Users\Application Data\Avira
2009-02-01 19:55 --------- d-----w c:\program files\Trend Micro
2009-01-25 17:12 --------- d-----w c:\documents and settings\contabilitate2\Application Data\Wildfire
2009-01-23 17:54 --------- d-----w c:\program files\Fise fiscale 2008
2009-01-21 05:43 --------- d-----w c:\program files\D394
2006-02-20 05:18 4,754 -c--a-w c:\program files\setup.stf
2006-02-13 10:55 713 -c--a-w c:\program files\FOXUSER.DBF
2006-02-13 10:55 25,731 -c--a-w c:\program files\STARTDECLSOM.EXE
2006-02-13 10:55 1,792 -c--a-w c:\program files\FOXUSER.FPT
.

------- Sigcheck -------

2003-03-31 14:00  332928  244a2f9816bc9b593957281ef577d976 c:\windows\$NtServicePackUninstall$\tcpip.sys
2004-08-03 23:14  359040  9f4b36614a0fc234525ba224957de55c c:\windows\ServicePackFiles\i386\tcpip.sys
2004-08-03 23:14  359040  6a603809f598332dbedd535bdbce313e c:\windows\system32\drivers\tcpip.sys
.
(((((((((((((((((((((((((((((   snapshot@2009-02-03_19.08.03.48   )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-02-02 16:07:40 1,914,440 ----a-w c:\windows\Downloaded Program Files\FP_AX_CAB_INSTALLER.exe
- 2005-10-20 12:02:28 163,328 ----a-w c:\windows\ERDNT\Hiv-backup\ERDNT.EXE
+ 2005-10-20 18:02:28 163,328 ----a-w c:\windows\ERDNT\Hiv-backup\ERDNT.EXE
+ 2008-05-09 10:15:51 45,376 ----a-w c:\windows\system32\drivers\avgntdd.sys
+ 2008-01-21 15:11:28 22,336 ----a-w c:\windows\system32\drivers\avgntmgr.sys
+ 2008-10-30 08:21:03 75,072 ----a-w c:\windows\system32\drivers\avipbb.sys
+ 2008-07-24 16:45:20 10,144 ----a-w c:\windows\system32\drivers\lmimirr.sys
+ 2007-03-01 07:34:22 28,352 ----a-w c:\windows\system32\drivers\ssmdrv.sys
+ 2008-10-16 18:35:40 23,736 ----a-w c:\windows\system32\lmimirr.dll
+ 2008-10-16 18:35:42 10,040 ----a-w c:\windows\system32\lmimirr2.dll
+ 2009-02-03 02:07:18 240,544 ----a-r c:\windows\system32\Macromed\Flash\FlashUtil10b.exe
+ 2009-02-26 15:34:20 89,102 ----a-w c:\windows\system32\Macromed\Flash\uninstall_activeX.exe
+ 2008-10-16 18:35:44 34,104 ----a-w c:\windows\system32\spool\drivers\w32x86\3\LMIprinter.dll
+ 2008-10-16 18:35:46 43,320 ----a-w c:\windows\system32\spool\drivers\w32x86\3\LMIprinterdat.dll
+ 2008-10-16 18:35:46 43,320 ----a-w c:\windows\system32\spool\drivers\w32x86\3\LMIprinterui.dll
+ 2008-10-16 18:35:44 34,104 ----a-w c:\windows\system32\spool\drivers\w32x86\LMIprinter.dll
+ 2008-10-16 18:35:46 43,320 ----a-w c:\windows\system32\spool\drivers\w32x86\LMIprinterdat.dll
+ 2008-10-16 18:35:46 43,320 ----a-w c:\windows\system32\spool\drivers\w32x86\LMIprinterui.dll
+ 2008-10-16 18:35:50 47,416 ----a-w c:\windows\system32\spool\prtprocs\w32x86\LMIproc.dll
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\System32\igfxtray.exe" [2003-12-14 155648]
"HotKeysCmds"="c:\windows\System32\hkcmd.exe" [2003-12-14 118784]
"Smapp"="c:\program files\Analog Devices\SoundMAX\SMTray.exe" [2003-05-05 143360]
"WinampAgent"="c:\program files\Winamp\winampa.exe" [2004-12-20 33792]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"diagnostics"="C:\Program Files/Thomson SpeedTouch/ST330/diagnostics/diagnostics.exe" [2008-10-31 557149]
"avgnt"="c:\program files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-06-12 266497]
"LogMeIn GUI"="c:\program files\LogMeIn\x86\LogMeInSystray.exe" [2008-07-24 63048]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [2000-01-21 65588]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
2008-10-16 20:35 87352 c:\windows\system32\LMIinit.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001
"AntiVirusDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"wmsncs.exe"= wmsncs.exe:SYSTEM

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"1013:TCP"= 1013:TCP:BS
"8081:TCP"= 8081:TCP:PORT2
"8080:TCP"= 8080:TCP:PORT1
"1240:TCP"= 1240:TCP:FD
"1494:TCP"= 1494:TCP:FD

R1 avgntdd;avgntdd;c:\windows\system32\drivers\avgntdd.sys [2009-02-03 45376]
R2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\LogMeIn\x86\rainfo.sys [2008-07-24 12856]
R2 LMIRfsDriver;LogMeIn Remote File System Driver;c:\windows\system32\drivers\LMIRfsDriver.sys [2009-03-07 47640]
S3 ST330;ST330;c:\windows\system32\drivers\st330.sys [2008-10-31 30464]
S3 STBUS;STBUS;c:\windows\system32\drivers\stbus.sys [2008-10-31 12672]
S3 STETH;SpeedTouch Ethernet Adapter NT Driver;c:\windows\system32\drivers\steth.sys [2008-10-31 40320]
S4 LMIRfsClientNP;LMIRfsClientNP; [x]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{103L3C30-C3B3-4130-9363-E59E1375PERM}]
c:\windows\Fonts\wmsncs.exe
.
Contents of the 'Scheduled Tasks' folder

2009-02-01 c:\windows\Tasks\ErrorSmart Scheduled Scan.job
- c:\program files\ErrorSmart\ErrorSmart.exe []

2009-02-01 c:\windows\Tasks\ErrorSmart Scheduled Scan.job
- c:\program files\ErrorSmart []

2009-03-08 c:\windows\Tasks\RegCure Program Check.job
- c:\program files\RegCure\RegCure.exe [2008-04-21 23:21]

2008-11-03 c:\windows\Tasks\RegCure.job
- c:\program files\RegCure\RegCure.exe [2008-04-21 23:21]
.
.
------- Supplementary Scan -------
.
FF - ProfilePath - c:\documents and settings\contabilitate2\Application Data\Mozilla\Firefox\Profiles\qmorj9o7.default\
FF - prefs.js: browser.startup.homepage -
FF - plugin: c:\documents and settings\All Users\Application Data\Zylom\ZylomGamesPlayer\npzylomgamesplayer.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npzylomgamesplayer.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-03-08 19:25:39
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...  

scanning hidden autostart entries ...

scanning hidden files ...  

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\st330service]
"ImagePath"="C:\Program Files/Thomson SpeedTouch/ST330/service/st330service.exe -service"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(520)
c:\windows\system32\LMIinit.dll
c:\windows\system32\LMIRfsClientNP.dll
.
Completion time: 2009-03-08 19:27:09
ComboFix-quarantined-files.txt  2009-03-08 17:27:07
ComboFix2.txt  2009-03-07 20:21:39
ComboFix3.txt  2009-02-03 17:08:40

Pre-Run: 2.065.260.544 bytes free
Post-Run: 2,167,078,912 bytes free


#50
xxvirusxx

    Retired

  • Group: Senior Members
  • Posts: 13,441
  • Joined: 11.11.2005
That file is 100% the cause of the pages opening. I tested it personally and it always opens web pages.

Although VirusTotal did not detect it as a virus.

#51
rootkit

    Awake. Security DNA

  • Group: Senior Members
  • Posts: 34,883
  • Joined: 07.02.2007

xxvirusxx, on Mar 8 2009, 19:30, said:

That file is 100% the cause of the pages opening. I tested it personally and it always opens web pages.

Although VirusTotal did not detect it as a virus.

A definition will be added. I sent it to BitDefender and Avira ;)

#52
xxvirusxx

    Retired

  • Group: Senior Members
  • Posts: 13,441
  • Joined: 11.11.2005
Anyway Alina, if you unticked the 2 Wireless entries in Startup whose location is C:\Windows\system32\susb.exe and then deleted it, you won't have problems with pages opening any more.

Edited by xxvirusxx, 08 March 2009 - 19:36.


#53
alina_ally23

    Member

  • Group: Members
  • Posts: 977
  • Joined: 05.03.2005
Thank you very much crysty2k5, thank you xxvirusxx... for the help :)
I restarted and I see that it's "quiet"... no page has opened any more :)
Thanks once again :blush:

#54
rootkit

    Awake. Security DNA

  • Group: Senior Members
  • Posts: 34,883
  • Joined: 07.02.2007
OK. If there's anything else, you know where to find us ;)

If I don't forget, I'll post here when I receive the analysis result by email ;)
