Here is the new log:
ComboFix 08-04-12.4 - Davor Stankovic 2008-04-13 13:06:24.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.111 [GMT 2:00]
Running from: C:\Documents and Settings\Davor Stankovic\Desktop\ComboFix.exe
* Resident AV is active
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
/wow section - STAGE 38
pv: No matching processes found
The syntax of the command is incorrect.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\WINDOWS\TEMP\1.exe
.
((((((((((((((((((((((((( Files Created from 2008-03-13 to 2008-04-13 )))))))))))))))))))))))))))))))
.
2008-04-12 21:36 . 2008-04-12 21:36 <DIR> d-------- C:\Program Files\Trend Micro
2008-04-10 22:12 . 2008-04-13 01:02 <DIR> d-------- C:\Documents and Settings\Davor Stankovic\Application Data\Uniblue
2008-04-09 23:59 . 2008-04-11 21:00 <DIR> d-------- C:\Documents and Settings\Davor Stankovic\Application Data\Hide IP NG
2008-04-08 09:24 . 2008-04-09 15:48 <DIR> d-------- C:\Program Files\Net Tools
2008-04-06 00:47 . 2007-09-04 17:56 164,352 --a------ C:\WINDOWS\system32\unrar.dll
2008-04-06 00:46 . 2008-04-06 00:46 <DIR> d-------- C:\Program Files\K-Lite Codec Pack
2008-04-05 18:46 . 2008-04-05 18:46 62 --a------ C:\WINDOWS\MyProg.ini
2008-04-05 18:15 . 2007-07-11 11:11 888,832 --a------ C:\WINDOWS\system32\securenet.dll
2008-04-05 17:53 . 2008-04-08 00:25 32 --a------ C:\WINDOWS\go
2008-04-04 21:20 . 2008-04-04 21:20 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\TEMP
2008-04-04 00:26 . 2008-04-04 00:26 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\GRETECH
2008-04-04 00:25 . 2008-04-04 00:25 <DIR> d-------- C:\Documents and Settings\Davor Stankovic\Application Data\GRETECH
2008-04-03 00:16 . 2008-04-03 00:16 51,712 --a------ C:\WINDOWS\wc98pp.dll
2008-04-02 19:33 . 2008-04-02 19:33 78 --a------ C:\WINDOWS\AbsoluteTelnet.trg
2008-04-02 19:32 . 2008-04-02 19:55 <DIR> d-------- C:\Documents and Settings\Davor Stankovic\Application Data\AbsoluteTelnet
2008-03-29 00:56 . 2008-04-02 23:39 <DIR> d-------- C:\tmp99
2008-03-16 22:47 . 2008-03-16 22:48 <DIR> d-------- C:\Program Files\WWW File Share Pro
2008-03-16 22:47 . 2000-12-05 19:30 109,248 --a------ C:\WINDOWS\system32\Mswinsck.ocx
2008-03-16 22:47 . 2000-10-26 18:01 45,056 --a------ C:\WINDOWS\system32\NTSVC.OCX
2008-03-16 00:42 . 2008-03-25 17:28 <DIR> d-------- C:\Documents and Settings\Davor Stankovic\Application Data\BSplayer Pro
2008-03-14 00:40 . 2008-03-14 00:40 332 --a------ C:\WINDOWS\desctemp.dat
2008-03-13 23:49 . 2008-03-21 17:07 32 --a------ C:\WINDOWS\
0
2008-03-13 23:49 . 2008-03-13 23:49 0 --a------ C:\WINDOWS\system32\
0
2008-03-13 23:42 . 2004-12-22 02:32 369,024 --------- C:\WINDOWS\system32\drivers\BCMWL5.SYS
2008-03-13 23:42 . 2004-12-22 02:32 184,320 --------- C:\WINDOWS\system32\BCMWLU00.EXE
2008-03-13 10:24 . 2008-03-21 17:06 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Bluetooth
2008-03-13 10:18 . 2007-12-01 01:26 53,760 --a------ C:\WINDOWS\system32\drivers\vfwwdm32.dll
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-13 11:07 --------- d-----w C:\Documents and Settings\Davor Stankovic\Application Data\uTorrent
2008-04-10 09:22 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-04-09 13:46 --------- d-----w C:\Documents and Settings\Davor Stankovic\Application Data\Skype
2008-04-09 13:24 --------- d-----w C:\Documents and Settings\Davor Stankovic\Application Data\skypePM
2008-04-03 22:30 --------- d-----w C:\Program Files\AviSynth 2.5
2008-04-03 22:30 --------- d-----w C:\Documents and Settings\Davor Stankovic\Application Data\GetRight
2008-03-21 10:08 --------- d-----w C:\Program Files\Opera 9.5 beta
2008-03-13 21:41 --------- d-----w C:\Program Files\Common Files\InstallShield
2008-03-10 22:02 --------- d-----w C:\Documents and Settings\Davor Stankovic\Application Data\Thinstall
2008-03-07 23:37 --------- d-----w C:\Program Files\uTorrent
2008-03-06 10:17 --------- d-----w C:\Program Files\Macromedia
2008-03-03 23:23 --------- d-----w C:\Documents and Settings\Davor Stankovic\Application Data\GetRightToGo
2008-03-01 14:02 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-03-01 14:00 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-03-01 13:56 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-03-01 01:32 --------- d-----w C:\Documents and Settings\Davor Stankovic\Application Data\Azureus
2008-03-01 01:31 --------- d-----w C:\Documents and Settings\All Users\Application Data\Azureus
2008-02-25 23:37 --------- d-----w C:\Documents and Settings\Davor Stankovic\Application Data\RhinoSoft.com
2008-02-25 23:09 --------- d-----w C:\Program Files\ImTOO
2008-02-25 22:22 --------- d-----w C:\Program Files\Common Files\Macromedia
2008-02-25 21:32 --------- d-----w C:\Documents and Settings\Davor Stankovic\Application Data\PC Suite
2008-02-25 21:32 --------- d-----w C:\Documents and Settings\Davor Stankovic\Application Data\Nokia
2008-02-25 21:32 --------- d-----w C:\Documents and Settings\All Users\Application Data\PC Suite
2008-02-25 21:30 --------- d-----w C:\Program Files\DIFX
2008-02-25 21:23 --------- d-----w C:\Documents and Settings\All Users\Application Data\Installations
2008-02-24 00:34 --------- d-----w C:\Program Files\FileZilla
2008-02-17 12:49 --------- d-----w C:\Program Files\%temp&
2008-01-27 12:01 3,221,948 ----a-w C:\WINDOWS\Novak Djokovic GRAND SLAM 2007.scr
2008-01-18 23:03 32 ----a-w C:\Documents and Settings\All Users\Application Data\ezsid.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ViStart"="C:\Program Files\ViStart\ViStart.exe" [ ]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2007-12-01 01:26 15360]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"egui"="C:\Program Files\ESET\ESET Smart Security\egui.exe" [2007-11-14 16:05 1410304]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2007-12-01 01:26 15360]
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\MSN Messenger\\livecall.exe"=
"C:\\Program Files\\SmartFTP Client\\SmartFTP.exe"=
"C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"C:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"C:\\Program Files\\uTorrent\\uTorrent.exe"=
"C:\\Program Files\\Opera 9.5 beta\\opera.exe"=
"C:\\Program Files\\WWW File Share Pro\\WWWFileSharePro.exe"=
"C:\\Program Files\\WWW File Share Pro\\Plugins\\Chat Room\\ChatRoom.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)
R3 PAC207;PC Camer@;C:\WINDOWS\system32\DRIVERS\PFC027.SYS [2006-11-20 09:48]
S3 PsSdk30;PsSdk30;C:\WINDOWS\system32\Drivers\PsSdk30.drv []
S3 usnjsvc;Messenger Sharing Folders USN Journal Reader service;"C:\Program Files\MSN Messenger\usnsvc.exe" [2007-01-19 13:54]
.
**************************************************************************
catchme 0.3.1351 W2K/XP/Vista - rootkit/stealth malware detector by Gmer,
http://www.gmer.net
Rootkit scan 2008-04-13 13:10:13
Windows 5.1.2600 Service Pack 3, v.3264 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\PsSdk30]
"ImagePath"="\??\C:\WINDOWS\system32\Drivers\PsSdk30.drv"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
PROCESS: C:\WINDOWS\explorer.exe
-> C:\DOCUME~1\DAVORS~1\LOCALS~1\Temp\catchme.dll
.
Completion time: 2008-04-13 13:11:20
ComboFix-quarantined-files.txt 2008-04-13 11:11:06
ComboFix2.txt 2008-04-12 22:58:45
Pre-Run: 613,646,336 bytes free
Post-Run: 603,049,984 bytes free
.
2008-04-10 09:23:14 --- E O F ---