Thread: -
-
18th November 2011 08:12 #1
-
: , ( ) . . 2 ?
ComboFix :
ComboFix 11-11-18.01 - Admin 11/18/2011 7:52.1.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1251.359.1033.18.511.296 [GMT 2:00]
Running from: c:\documents and settings\Admin\Desktop\ComboFix.exe
.
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\windows\regopt.log
.
.
((((((((((((((((((((((((( Files Created from 2011-10-18 to 2011-11-18 )))))))))))))))))))))))))))))))
.
.
2011-11-18 07:04 . 2011-11-18 05:30 -------- d-----r- C:\Program Files
2011-11-18 07:03 . 2011-11-18 05:21 -------- d-----w- C:\Documents and Settings
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIModeChange"="Ati2mdxx.exe" [2010-02-11 26112]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2010-02-10 61440]
"SoundMan"="SOUNDMAN.EXE" [2007-04-16 577536]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"1114:TCP"= 1114:TCP:ndcsq
.
S2 wubmzena;Installer Image;c:\windows\system32\svchost.exe -k netsvcs [4/14/2008 1:00 PM 14336]
.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
wubmzena
.
Contents of the 'Scheduled Tasks' folder
.
2011-11-18 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1708537768-1085031214-1644491937-1003Core.job
- c:\documents and settings\Admin\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-11-18 05:37]
.
2011-11-18 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1708537768-1085031214-1644491937-1003UA.job
- c:\documents and settings\Admin\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-11-18 05:37]
.
.
------- Supplementary Scan -------
.
TCP: DhcpNameServer = 192.168.1.1
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-11-18 07:55
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\wubmzena]
"ServiceDll"="c:\windows\system32\iyolcqd.dll"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(692)
c:\windows\system32\Ati2evxx.dll
.
Completion time: 2011-11-18 07:56:23
ComboFix-quarantined-files.txt 2011-11-18 05:56
.
Pre-Run: 28,375,040,000 bytes free
Post-Run: 28,424,478,720 bytes free
.
- - End Of File - - FB799C797D5498E36670AA25D809BCE5
.
-
18th November 2011 09:57 #2
wubmzena,
S2 wubmzena;Installer Image;c:\windows\system32\svchost.exe -k netsvcs [4/14/2008 1:00 PM 14336]
..
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\wubmzena]
"ServiceDll"="c:\windows\system32\iyolcqd.dll": XaMaB; . 0.42
In God we Trust (all others must submit a X.509 certificate). , ()
-
18th November 2011 20:08 #3
-
18th November 2011 20:17 #4
Registered User
Join Date: Oct 2003
Posts: 4,317
Downadup/Conficker. . XaMaB, wubmzena .
registry, - HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\wubmzena
Properties -> Permissions -> Advanced Allow inheritable permissions from parent... .
ServiceDll, , . , .
.
ServiceDll - security.
sc delete wubmzena , (, ). .
Safe Mode, - . , .
.
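The check the reply above describes by hand (find the svchost "netsvcs" member whose ServiceDll points at a random-named DLL, then inspect the service key) can be scripted so the shortlist comes out of the registry directly. The script below is an added example written for this thread, not code posted by anyone in it and not part of ComboFix or any Microsoft tool. It assumes a Windows host with PowerShell 2.0 or later, is read-only, and reproduces two things the ComboFix log already surfaces: which services load into the netsvcs group and with what ServiceDll (compare the "Svchost - NetSvcs" and "[...Services\wubmzena]" sections), and which ports the XP firewall has been told to open (compare the "GloballyOpenPorts\List" section, where 1114:TCP appears). The function names and the Authenticode heuristic are my choice; on Windows XP many genuine system DLLs are catalog-signed and may also report NotSigned, so treat the output as a review list, not a verdict.

```powershell
# Added example (not from the thread): enumerate svchost "netsvcs" members and flag
# ones whose ServiceDll is missing or carries no valid Authenticode signature.
# Read-only. Run from an elevated PowerShell prompt (PowerShell 2.0+ assumed).

function Get-NetsvcsServiceDll {
    $groupKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost'
    $members  = (Get-ItemProperty -Path $groupKey).netsvcs   # REG_MULTI_SZ -> string[]

    foreach ($name in $members) {
        $svcKey = "HKLM:\SYSTEM\CurrentControlSet\Services\$name"
        if (-not (Test-Path $svcKey)) { continue }           # listed in the group but not installed

        # ServiceDll normally sits under \Parameters; in the ComboFix log above it is on the
        # service key itself, so both locations are checked.
        $dll = $null
        foreach ($k in @("$svcKey\Parameters", $svcKey)) {
            if (Test-Path $k) {
                $v = (Get-ItemProperty -Path $k -ErrorAction SilentlyContinue).ServiceDll
                if ($v) { $dll = [Environment]::ExpandEnvironmentVariables($v); break }
            }
        }
        if (-not $dll) { continue }

        $status = 'Missing'
        if (Test-Path $dll) {
            # Valid / NotSigned / HashMismatch ... (catalog-signed XP files may show NotSigned)
            $status = (Get-AuthenticodeSignature -FilePath $dll).Status
        }

        New-Object PSObject -Property @{
            Service     = $name
            DisplayName = (Get-ItemProperty -Path $svcKey).DisplayName
            ImagePath   = (Get-ItemProperty -Path $svcKey).ImagePath
            ServiceDll  = $dll
            Signature   = $status
            Suspicious  = ($status -ne 'Valid')
        }
    }
}

# Ports the XP/2003 firewall has been asked to open globally. A worm that wants inbound
# connections adds itself here, which is why ComboFix prints this list in its report.
function Get-XpFirewallOpenPorts {
    $listKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List'
    if (-not (Test-Path $listKey)) { return }                # key only exists on the XP-era firewall
    $item = Get-Item -Path $listKey
    foreach ($n in $item.GetValueNames()) {
        New-Object PSObject -Property @{ Port = $n; Rule = $item.GetValue($n) }
    }
}

Get-NetsvcsServiceDll | Where-Object { $_.Suspicious } |
    Format-Table -AutoSize Service, DisplayName, ServiceDll, Signature
Get-XpFirewallOpenPorts | Format-Table -AutoSize Port, Rule
```

Anything the first table lists should be cross-checked against the service's DisplayName and ImagePath before acting on it: a legitimate OEM service can land there because of the signature caveat, whereas a netsvcs member with a generic display name, a DLL nobody installed and a matching new firewall entry is exactly the pattern the log above shows.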
-
19th November 2011 17:13 #5
. .
Last edited by ripdvs; 24th November 2011 at 21:17.