  1. #1
    ripdvs, Registered User
    Join Date: Oct 2011
    Posts: 9

    ComboFix log:


    ComboFix 11-11-18.01 - Admin 11/18/2011 7:52.1.1 - x86
    Microsoft Windows XP Professional 5.1.2600.3.1251.359.1033.18.511.296 [GMT 2:00]
    Running from: c:\documents and settings\Admin\Desktop\ComboFix.exe
    .
    WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    c:\windows\regopt.log
    .
    .
    ((((((((((((((((((((((((( Files Created from 2011-10-18 to 2011-11-18 )))))))))))))))))))))))))))))))
    .
    .
    2011-11-18 07:04 . 2011-11-18 05:30 -------- d-----r- C:\Program Files
    2011-11-18 07:03 . 2011-11-18 05:21 -------- d-----w- C:\Documents and Settings
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ATIModeChange"="Ati2mdxx.exe" [2010-02-11 26112]
    "StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2010-02-10 61440]
    "SoundMan"="SOUNDMAN.EXE" [2007-04-16 577536]
    .
    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "%windir%\\system32\\sessmgr.exe"=
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "1114:TCP"= 1114:TCP:ndcsq
    .
    S2 wubmzena;Installer Image;c:\windows\system32\svchost.exe -k netsvcs [4/14/2008 1:00 PM 14336]
    .
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
    wubmzena
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2011-11-18 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1708537768-1085031214-1644491937-1003Core.job
    - c:\documents and settings\Admin\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-11-18 05:37]
    .
    2011-11-18 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1708537768-1085031214-1644491937-1003UA.job
    - c:\documents and settings\Admin\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-11-18 05:37]
    .
    .
    ------- Supplementary Scan -------
    .
    TCP: DhcpNameServer = 192.168.1.1
    .
    .
    **************************************************************************
    .
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2011-11-18 07:55
    Windows 5.1.2600 Service Pack 3 NTFS
    .
    scanning hidden processes ...
    .
    scanning hidden autostart entries ...
    .
    scanning hidden files ...
    .
    scan completed successfully
    hidden files: 0
    .
    **************************************************************************
    .
    [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\wubmzena]
    "ServiceDll"="c:\windows\system32\iyolcqd.dll"
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------
    .
    - - - - - - - > 'winlogon.exe'(692)
    c:\windows\system32\Ati2evxx.dll
    .
    Completion time: 2011-11-18 07:56:23
    ComboFix-quarantined-files.txt 2011-11-18 05:56
    .
    Pre-Run: 28,375,040,000 bytes free
    Post-Run: 28,424,478,720 bytes free
    .
    - - End Of File - - FB799C797D5498E36670AA25D809BCE5


  2. #2
    XaMaB
    Join Date: Nov 2001
    Posts: 20,392
    S2 wubmzena;Installer Image;c:\windows\system32\svchost.exe -k netsvcs [4/14/2008 1:00 PM 14336]
    ..

    [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\wubmzena]
    "ServiceDll"="c:\windows\system32\iyolcqd.dll"
    wubmzena

    In God we Trust (all others must submit a X.509 certificate).

  3. #3
    raven, Registered User
    Join Date: Apr 2006
    Posts: 3,714

  4. #4
    Registered User
    Join Date: Oct 2003
    Posts: 4,317
    Downadup/Conficker. XaMaB, wubmzena.
    Registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\wubmzena
    Properties -> Permissions -> Advanced -> Allow inheritable permissions from parent...
    ServiceDll.
    ServiceDll - security.
    sc delete wubmzena.

    Safe Mode.
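The ComboFix log in post #1 and the removal steps in post #4 both revolve around the same three artifacts: a random-named service hosted by `svchost.exe -k netsvcs`, its `ServiceDll` under `HKLM\System\...\Services\<name>`, and a firewall `GloballyOpenPorts` exception with a random label. The script below is an added example, not code from this thread or from ComboFix: it parses those sections of a ComboFix log and flags the service, registry key, DLL and firewall hole that post #4 says to remove. The `KNOWN_NETSVCS` reference list and the `looks_random` thresholds are assumptions made for this example, and `SAMPLE_LOG` is constructed from the lines posted in the thread plus one benign `wuauserv` line added to show a non-match.

```python
"""Triage a ComboFix log for a Conficker-style svchost service (added example,
not from the thread or ComboFix). Flags unknown netsvcs members, their
ServiceDll/registry key and random-looking firewall exceptions."""
import re
from collections import namedtuple

Finding = namedtuple("Finding", "kind name detail")

# Assumption: partial reference list of services that legitimately run in the
# XP "netsvcs" svchost group. A name missing here is flagged for review only.
KNOWN_NETSVCS = {
    "appmgmt", "audiosrv", "browser", "cryptsvc", "dmserver", "eventsystem",
    "hidserv", "ias", "iprip", "irmon", "lanmanserver", "lanmanworkstation",
    "messenger", "netman", "nla", "ntmssvc", "nwcworkstation", "nwsapagent",
    "rasauto", "rasman", "remoteaccess", "schedule", "seclogon", "sens",
    "sharedaccess", "srservice", "tapisrv", "themes", "trkwks", "w32time",
    "wzcsvc", "wmi", "wmdmpmsp", "winmgmt", "wscsvc", "xmlprov", "bits",
    "wuauserv", "shellhwdetection", "helpsvc", "uploadmgr", "ersvc",
    "fastuserswitchingcompatibility", "aelookupsvc", "6to4",
}

SERVICE_RE = re.compile(r'^([RS]\d)\s+([^;]+);([^;]*);(.*?)\s+\[[^\]]*\]$')
KEY_RE = re.compile(r'^\[(HK[^\]]*\\Services\\([^\\\]]+))\]$', re.I)
SERVICEDLL_RE = re.compile(r'^"ServiceDll"="(.+)"$', re.I)
PORT_RE = re.compile(r'^"(\d+):(TCP|UDP)"=\s*\d+:(?:TCP|UDP):(\S+)$', re.I)


def parse_combofix(text):
    """Extract service lines, the Svchost NetSvcs list, ServiceDll keys and open ports."""
    services, netsvcs, service_keys, ports = {}, [], {}, []
    current_key, in_netsvcs = None, False
    for line in (l.strip() for l in text.splitlines()):
        if in_netsvcs:                      # names listed under "Svchost - NetSvcs"
            if line in ("", "."):
                in_netsvcs = False
            else:
                netsvcs.append(line)
            continue
        if line.endswith("Svchost - NetSvcs"):
            in_netsvcs = True
            continue
        m = SERVICE_RE.match(line)          # e.g. "S2 name;Display;image [date size]"
        if m:
            services[m.group(2)] = {"state": m.group(1), "display": m.group(3), "image": m.group(4)}
            continue
        m = KEY_RE.match(line)              # "[HKLM\...\Services\<name>]" header
        if m:
            current_key = m.groups()        # (full key path, service name)
            continue
        m = SERVICEDLL_RE.match(line)       # "ServiceDll"="..." belongs to the last key
        if m and current_key:
            service_keys[current_key[1]] = {"key": current_key[0], "dll": m.group(1)}
            continue
        m = PORT_RE.match(line)             # "1114:TCP"= 1114:TCP:label
        if m:
            ports.append((int(m.group(1)), m.group(2).upper(), m.group(3)))
    return {"services": services, "netsvcs": netsvcs, "service_keys": service_keys, "ports": ports}


def looks_random(name):
    """Crude check for random lowercase names (assumed thresholds): letters only,
    4-12 chars, at most 40% vowels."""
    if not re.fullmatch(r"[a-z]{4,12}", name):
        return False
    return sum(c in "aeiou" for c in name) / len(name) <= 0.4


def triage(text):
    """Findings: netsvcs members not on the known list (with the registry key and
    ServiceDll to remove) and firewall exceptions with random-looking labels."""
    p = parse_combofix(text)
    candidates = set(p["netsvcs"])
    for name, svc in p["services"].items():
        if "svchost.exe -k netsvcs" in svc["image"].lower():
            candidates.add(name)
    findings = []
    for name in sorted(candidates):
        if name.lower() in KNOWN_NETSVCS:
            continue
        info = p["service_keys"].get(name, {})
        findings.append(Finding("unknown_netsvcs_service", name, {
            "display": p["services"].get(name, {}).get("display"),
            "key": info.get("key"), "dll": info.get("dll"),
            "random_name": looks_random(name)}))
    for port, proto, label in p["ports"]:
        if looks_random(label):
            findings.append(Finding("firewall_open_port", label, {"port": port, "proto": proto}))
    return findings


# Constructed sample: the relevant lines from the log posted in this thread, plus
# one benign Automatic Updates line (added here) to show a non-match.
SAMPLE_LOG = r"""
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"1114:TCP"= 1114:TCP:ndcsq
.
R2 wuauserv;Automatic Updates;c:\windows\system32\svchost.exe -k netsvcs [4/14/2008 1:00 PM 14336]
S2 wubmzena;Installer Image;c:\windows\system32\svchost.exe -k netsvcs [4/14/2008 1:00 PM 14336]
.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
wubmzena
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\wubmzena]
"ServiceDll"="c:\windows\system32\iyolcqd.dll"
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f.kind, f.name, f.detail)
```

On the thread's log this reports `wubmzena` with its key `HKEY_LOCAL_MACHINE\System\ControlSet001\Services\wubmzena` and DLL `c:\windows\system32\iyolcqd.dll`, and the `1114/TCP` hole labelled `ndcsq`; the known-list check, not the name heuristic, is what separates `wubmzena` from `wuauserv`, so treat `random_name` as supporting evidence only.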

  5. #5
    ripdvs, Registered User
    Join Date: Oct 2011
    Posts: 9
    Last edited by ripdvs; 24th November 2011 at 21:17.
