ELFORUM - The Electronics Enthusiasts' Forum

Interpreting a ComboFix report


Guest alinaR

Recommended Posts

Guest alinaR

Please help me interpret this report!

 

 

ComboFix 10-08-19.02 - Administrator 08/20/2010 20:33:03.1.1 - x86

Microsoft® Windows Vista™ Ultimate 6.0.6001.1.1252.1.1033.18.1023.243 [GMT 3:00]

Running from: c:\users\Administrator\Downloads\ComboFix.exe

SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}

* Created a new restore point

.

 

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

 

c:\windows\system32\gorun.exe

c:\windows\system32\sleep.exe

 

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

 

-------\Service_osppsvc

 

 

((((((((((((((((((((((((( Files Created from 2010-07-20 to 2010-08-20 )))))))))))))))))))))))))))))))

.

 

2010-08-20 18:00 . 2010-08-20 18:03 -------- d-----w- c:\users\Administrator\AppData\Local\temp

2010-08-20 18:00 . 2010-08-20 18:00 -------- d-----w- c:\users\Default\AppData\Local\temp

2010-08-20 17:30 . 2010-08-20 17:31 -------- d-----w- C:\32788R22FWJFW

2010-08-18 17:45 . 2010-05-27 19:16 81920 ----a-w- c:\windows\system32\iccvid.dll

2010-08-18 17:43 . 2010-06-11 15:31 274432 ----a-w- c:\windows\system32\schannel.dll

2010-08-18 17:02 . 2010-08-18 17:02 -------- d-----w- c:\program files\Common Files\Windows Live

2010-08-17 17:05 . 2010-06-18 14:43 302080 ----a-w- c:\windows\system32\drivers\srv.sys

2010-08-17 04:41 . 2010-06-18 16:43 36352 ----a-w- c:\windows\system32\rtutils.dll

2010-08-17 04:41 . 2010-06-11 15:30 1257472 ----a-w- c:\windows\system32\msxml3.dll

2010-08-17 04:41 . 2010-06-18 14:43 144896 ----a-w- c:\windows\system32\drivers\srv2.sys

2010-08-17 04:40 . 2010-06-16 15:59 898952 ----a-w- c:\windows\system32\drivers\tcpip.sys

2010-08-16 19:28 . 2010-08-17 04:37 -------- d-----w- c:\windows\Logs

 

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-08-20 18:04 . 2009-12-02 20:28 -------- d-----w- c:\users\Administrator\AppData\Roaming\uTorrent

2010-08-20 18:03 . 2009-12-02 20:17 35655 ----a-w- c:\programdata\nvModes.dat

2010-08-17 05:07 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail

2010-06-26 17:59 . 2009-12-02 20:26 88720 ----a-w- c:\users\Administrator\AppData\Local\GDIPFONTCACHEV1.DAT

2010-06-26 00:02 . 2010-06-19 21:56 -------- d-----w- c:\program files\Microsoft.NET

2010-05-26 16:16 . 2010-06-09 19:36 34304 ----a-w- c:\windows\system32\atmlib.dll

2010-05-26 14:25 . 2010-06-09 19:36 289792 ----a-w- c:\windows\system32\atmfd.dll

.

 

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

 

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B4F3A835-0E21-4959-BA22-42B3008E02FF}]

2009-11-03 18:12 556432 ----a-w- d:\newfol~2\Office14\URLREDIR.DLL

 

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-07-26 3883856]

"uTorrent"="d:\programe\uTorrent.exe" [2010-06-13 322352]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"SoundMan"="SOUNDMAN.EXE" [2007-03-09 598016]

"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]

"Windows Mobile-based device management"="c:\windows\WindowsMobile\wmdSync.exe" [2008-01-21 215552]

"BCSSync"="d:\new folder (2)\Office14\BCSSync.exe" [2009-09-26 83312]

"Adobe Reader Speed Launcher"="d:\new folder (3)\Reader\Reader_sl.exe" [2009-12-21 35760]

"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-06-09 976832]

 

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\

OfficeSAS.lnk - c:\program files\Microsoft Office\Office14\OfficeSAS\officeSASscheduler.exe [2009-9-26 202648]

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]

"ConsentPromptBehaviorAdmin"= 0 (0x0)

"ConsentPromptBehaviorUser"= 0 (0x0)

"EnableInstallerDetection"= 0 (0x0)

"EnableLUA"= 0 (0x0)

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]

"Start_ShowMyMusic"= 0 (0x0)

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]

"NoSMBalloonTip"= 1 (0x1)

"NoResolveTrack"= 1 (0x1)

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]

"mixer"=wdmaud.drv

 

R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]

R3 Microsoft SharePoint Workspace Audit Service;Microsoft SharePoint Workspace Audit Service;d:\new folder (2)\Office14\GROOVE.EXE [2009-10-29 30603640]

S2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [2009-05-13 108289]

 

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

LocalServiceNoNetwork REG_MULTI_SZ BFE mpssvc

WindowsMobile REG_MULTI_SZ wcescomm rapimgr

LocalServiceRestricted REG_MULTI_SZ WcesComm RapiMgr

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.google.com/

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office14\EXCEL.EXE/3000

IE: Se&nd to OneNote - c:\progra~1\MICROS~2\Office14\ONBttnIE.dll/105

TCP: {ACFC15F9-69DF-49F3-8F44-0ADCA75930CC} = 213.154.124.1 193.231.252.1

Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - c:\program files\Common Files\microsoft shared\OFFICE14\MSOXMLMF.DLL

FF - ProfilePath - c:\users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\ufaoutwy.default\

FF - prefs.js: browser.startup.homepage - hxxp://www.google.ro/

FF - plugin: c:\progra~1\MICROS~2\Office14\NPSPWRAP.DLL

FF - plugin: d:\new folder (3)\Reader\browser\nppdf32.dll

FF - plugin: d:\newfol~2\Office14\NPAUTHZ.DLL

FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

 

---- FIREFOX POLICIES ----

FF - user.js: yahoo.ytff.general.dontshowhpoffer - true

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);

.

- - - - ORPHANS REMOVED - - - -

 

BHO-{D4027C7F-154A-4066-A1AD-4243D8127440} - c:\program files\Ask.com\GenericAskToolbar.dll

Toolbar-{D4027C7F-154A-4066-A1AD-4243D8127440} - c:\program files\Ask.com\GenericAskToolbar.dll

WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - c:\program files\Ask.com\GenericAskToolbar.dll

AddRemove-C6F7B5EF053A155567D8417222794E2EE34B6601 - c:\progra~1\DIFX\288EF0155CE2B979\dpinst.exe

AddRemove-ECC9FA82445378B99012057E089F209CE9C0879F - c:\progra~1\DIFX\288EF0155CE2B979\dpinst.exe

 

 

 

**************************************************************************

 

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2010-08-20 21:04

Windows 6.0.6001 Service Pack 1 NTFS

 

scanning hidden processes ...

 

scanning hidden autostart entries ...

 

scanning hidden files ...

 

scan completed successfully

hidden files: 0

 

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

 

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]

@Denied: (A) (Users)

@Denied: (A) (Everyone)

@Allowed: (B 1 2 3 4 5) (S-1-5-20)

"BlindDial"=dword:00000000

.

------------------------ Other Running Processes ------------------------

.

c:\windows\system32\nvvsvc.exe

c:\windows\system32\nvvsvc.exe

c:\program files\Avira\AntiVir Desktop\avguard.exe

c:\windows\SOUNDMAN.EXE

c:\program files\Windows Media Player\wmpnscfg.exe

c:\program files\Windows Media Player\wmpnetwk.exe

c:\program files\Microsoft Office\Office14\OfficeSAS\OfficeSAS.exe

c:\windows\system32\wbem\unsecapp.exe

c:\program files\Windows Live\Contacts\wlcomm.exe

c:\\?\c:\windows\system32\wbem\WMIADAP.EXE

.

**************************************************************************

.

Completion time: 2010-08-20 21:08:36 - machine was rebooted

ComboFix-quarantined-files.txt 2010-08-20 18:08

 

Pre-Run: 333,377,536 bytes free

Post-Run: 96,776,192 bytes free

 

- - End Of File - - 573E3437EF403E4866DD9FE5A11EAC26

Link to comment

Guest alinaR

I don't think I have viruses. I kept getting a message that I have no space on C; I deleted everything from temp and freed up some more space. Now it gives me an error from a display driver, because when I turn on the computer it doesn't boot directly; I press F8 after I turn it on.

Link to comment

I don't think I have viruses. I kept getting a message that I have no space on C; I deleted everything from temp and freed up some more space. Now it gives me an error from a display driver, because when I turn on the computer it doesn't boot directly; I press F8 after I turn it on.

Then the log is OK. I said "dubious things" in the sense that you don't really need them, but they are not necessarily viruses. For freeing up space on C I warmly recommend CCleaner. What error exactly does it give you?
Link to comment
Guest alinaR

After I turn on the computer, a blue screen appears with several things written on it, among them "Attempt to reset the display driver and recover from timeout failed". From this I deduced that it would be a problem with the display server.

Link to comment
Guest apophis

Hi. Your problem comes from here: c:\windows\system32\nvvsvc.exe. nvvsvc.exe is part of the video driver (you have an NVIDIA video card), and when ComboFix scanned, it also touched the driver; it probably did something there that the driver didn't like, and that's why you get that BSOD (blue screen of death) when entering the OS. Best is to start the PC in safe mode and uninstall the video driver with the Driver Sweeper program; that way you're sure no trace of the old driver remains. Restart the PC again, start it in normal mode, reinstall the driver and, hopefully, it'll be OK! If not, there's one more option: format C: :D, and start over with reinstalling the OS and everything else. I hope I've been helpful. All the best.

Link to comment
