U system32\drivers\karrxn.sys postoji malware

• 0Niko još nije pohvalio poruku.
  Registruj se da bi pohvalio/la poruku!

Uloguj se preko Facebooka da bi skinuo fajl:

Pre mesec dana instaliran je 32-bitni XP SP2. Koristim ADSL preko mrezne karte. Antivirusna zastita je sophos.
Pre nekoliko dana racunar je poceo sporo da radi, a u task menadzeru CPU usage 100%.



Zatim je sophos pronasao sledece:





Jedina akcija je clean up koju nisam izvrsio jer bih nekoga konsultovao, znaci nisam pokusavao da sam resim problem.

Evo i ostalih fajlova:


DDS (Ver_09-12-01.01) - NTFSx86
Run by Aleksandar at 23:56:01.67 on Fri 03/05/2010
Internet Explorer: 6.0.2900.2180
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.256.60 [GMT 1:00]

AV: Sophos Anti-Virus *On-access scanning enabled* (Updated) {3F13C776-3CBE-4DE9-8BF6-09E5183CA2BD}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\system32\svchost -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Sophos\Sophos Anti-Virus\SavService.exe
C:\Program Files\Sophos\Sophos Anti-Virus\SAVAdminService.exe
C:\Program Files\Sophos\AutoUpdate\ALsvc.exe
C:\Program Files\Sophos\AutoUpdate\ALMon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Aleksandar\Desktop\dds.scr
C:\WINDOWS\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.rs/
BHO: Sophos Web Content Scanner: {39ea7695-b3f2-4c44-a4bc-297ada8fd235} - c:\program files\sophos\sophos anti-virus\SophosBHO.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\progra~1\micros~2\office12\GRA8E1~1.DLL
uRun: [CTFMON.EXE] c:\windows\system32\ctfmon.exe
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
mRun: [Smapp] c:\program files\analog devices\soundmax\SMTray.exe
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [NeroCheck] c:\windows\system32\NeroCheck.exe
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
StartupFolder: c:\documents and settings\aleksandar\start menu\programs\startup\winesm32.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\autoup~1.lnk - c:\program files\sophos\autoupdate\ALMon.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
TCP: {042D0244-055C-4909-9076-0D96932AFFF1} = 85.222.160.162,213.244.255.3
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\progra~1\micros~2\office12\GR99D3~1.DLL
AppInit_DLLs: c:\progra~1\sophos\sophos~1\SOPHOS~1.DLL
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\progra~1\micros~2\office12\GRA8E1~1.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\aleksa~1\applic~1\mozilla\firefox\profiles\odj1sxkb.default\
FF - plugin: c:\program files\mozilla firefox\plugins\npFoxitReaderPlugin.dll

============= SERVICES / DRIVERS ===============

R1 SAVOnAccessControl;SAVOnAccessControl;c:\windows\system32\drivers\savonaccesscontrol.sys [2010-2-10 110848]
R1 SAVOnAccessFilter;SAVOnAccessFilter;c:\windows\system32\drivers\savonaccessfilter.sys [2010-2-10 38528]
S4 SophosBootDriver;SophosBootDriver;c:\windows\system32\drivers\SophosBootDriver.sys [2010-2-10 14976]

=============== Created Last 30 ================

2010-03-05 19:35:23 130104 ---ha-w- c:\windows\system32\37de045f.stf
2010-03-05 19:35:23 130104 ----a-w- c:\windows\system32\sdccoinstaller.dll
2010-03-05 19:34:00 0 d-----w- c:\program files\common files\Cisco Systems
2010-03-05 19:33:29 23552 ----a-w- c:\windows\system32\SophosBootTasks.exe
2010-03-05 19:33:13 0 d-----w- c:\program files\Sophos
2010-03-05 19:33:13 0 d-----w- c:\docume~1\alluse~1\applic~1\Sophos
2010-03-04 15:35:07 0 d-----w- c:\windows\pss
2010-03-04 15:09:10 0 d-----w- c:\windows\system32\appmgmt
2010-03-02 14:57:56 0 d-s---w- c:\documents and settings\aleksandar\UserData
2010-02-28 17:04:37 792064 ----a-w- c:\windows\system32\drivers\karrxn.sys
2010-02-28 17:04:21 12 ----a-w- c:\docume~1\aleksa~1\applic~1\rbuwzv.dat
2010-02-28 17:04:17 4 ----a-w- c:\docume~1\aleksa~1\applic~1\avdrn.dat
2010-02-26 18:54:29 25600 -c--a-w- c:\windows\system32\dllcache\usbser.sys
2010-02-26 18:54:29 25600 ----a-w- c:\windows\system32\drivers\usbser.sys
2010-02-26 18:54:14 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_ccdcmb_01007.Wdf
2010-02-26 18:54:13 0 ---ha-w- c:\windows\system32\drivers\MsftWdf_Kernel_01007_Coinstaller_Critical.Wdf
2010-02-26 18:54:04 14640 ------w- c:\windows\system32\spmsgXP_2k3.dll
2010-02-26 18:54:00 23856 ----a-w- c:\windows\system32\spupdsvc.exe
2010-02-26 18:42:21 18816 ----a-w- c:\windows\system32\drivers\pccsmcfd.sys
2010-02-26 18:42:08 0 d-----w- c:\program files\PC Connectivity Solution
2010-02-26 18:42:04 7808 ----a-w- c:\windows\system32\drivers\usbser_lowerfltj.sys
2010-02-26 18:42:03 7808 ----a-w- c:\windows\system32\drivers\usbser_lowerflt.sys
2010-02-26 18:42:02 22016 ----a-w- c:\windows\system32\drivers\ccdcmbo.sys
2010-02-26 18:42:00 659968 ----a-w- c:\windows\system32\nmwcdcocls.dll
2010-02-26 18:42:00 17664 ----a-w- c:\windows\system32\drivers\ccdcmb.sys
2010-02-26 18:42:00 1112288 ----a-w- c:\windows\system32\wdfcoinstaller01007.dll
2010-02-26 18:41:59 91136 ----a-w- c:\windows\system32\nmwcdcls.dll
2010-02-26 18:41:59 0 d-----w- c:\program files\Nokia
2010-02-24 18:19:25 0 d-----w- c:\program files\The KMPlayer
2010-02-23 16:49:13 0 d-----w- c:\program files\common files\ODBC
2010-02-23 16:49:11 0 d-----w- c:\program files\common files\SpeechEngines
2010-02-23 16:48:49 0 d-----r- c:\documents and settings\all users\Documents
2010-02-23 16:42:38 0 d-----w- c:\program files\VideoLAN
2010-02-23 16:42:07 0 d-----w- c:\program files\K-Lite Codec Pack
2010-02-23 16:41:11 0 d-----w- c:\docume~1\alluse~1\applic~1\Kaspersky Lab Setup Files
2010-02-23 16:40:53 0 d-----w- c:\docume~1\aleksa~1\applic~1\Foxit
2010-02-23 16:40:52 0 d-----w- c:\program files\Foxit Software
2010-02-23 16:27:23 0 d-----w- c:\program files\ACD
2010-02-23 16:05:31 0 d-----w- c:\program files\Analog Devices
2010-02-23 15:57:55 0 d-sh--w- c:\documents and settings\all users\DRM
2010-02-23 15:57:34 0 d--h--w- c:\program files\WindowsUpdate
2010-02-23 15:56:48 0 d-----w- c:\program files\common files\MSSoap
2010-02-23 15:55:32 0 d-----w- c:\program files\Online Services
2010-02-23 15:55:26 0 d-----w- c:\program files\Messenger
2010-02-23 15:55:23 0 d-----w- c:\program files\MSN Gaming Zone
2010-02-23 15:54:52 0 d-----w- c:\program files\Windows NT

==================== Find3M ====================

2010-02-23 15:55:51 21640 ----a-w- c:\windows\system32\emptyregdb.dat

============= FINISH: 23:57:22.37 ===============

mycity.rs/must-login.png

mycity.rs/must-login.png

mycity.rs/must-login.png

mycity.rs/must-login.png

• 0Niko još nije pohvalio poruku.
  Registruj se da bi pohvalio/la poruku!

Slobodno dopusti sophosu da ga obrise..U pitanju je malware.

• 0Niko još nije pohvalio poruku.
  Registruj se da bi pohvalio/la poruku!

Nakon sto sma pustio clean up i ponovo skenirao dobio sam ovo:


I dalje je CPU 100% i radi usporeno.

• 0Niko još nije pohvalio poruku.
  Registruj se da bi pohvalio/la poruku!

Preuzmi The Avenger na Desktop.
Raspakuj arhivu u neki folder

Dvoklikom pokreni avenger.exe

Iskopiraj tekst koji se nalazi unutar Kod polja u (beli) prozor programa:

 
Files to delete:
c:\documents and settings\aleksandar\start menu\programs\startup\winesm32.exe
c:\windows\system32\drivers\karrxn.sys
c:\docume~1\aleksa~1\applic~1\rbuwzv.dat
c:\docume~1\aleksa~1\applic~1\avdrn.dat

Drivers to delete:
karrxn


Klikni Execute, a zatim Yes u sledeća dva prozora koji će se otvoriti

Kompjuter će se restartovati (u određenim slučajevima: dva puta) i započeti će proces čišćenja/skeniranja

Kada proces bude završen, logfile C:\avenger.txt će se otvoriti u Notepad-u
Iskopiraj sadržaj dobijenog loga u temu na forumu.

• 0Niko još nije pohvalio poruku.
  Registruj se da bi pohvalio/la poruku!

Odradjeno.
Logfile of The Avenger Version 2.0, (c) by Swandog46
swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!

File "c:\documents and settings\aleksandar\start menu\programs\startup\winesm32.exe" deleted successfully.
File "c:\windows\system32\drivers\karrxn.sys" deleted successfully.
File "c:\docume~1\aleksa~1\applic~1\rbuwzv.dat" deleted successfully.
File "c:\docume~1\aleksa~1\applic~1\avdrn.dat" deleted successfully.
Driver "karrxn" deleted successfully.

Completed script processing.

*******************

Finished! Terminate.



Procesor je sad ok. Komp radi savrseno.
Stvarno si mi mnogo pomogao, hvala.

• 0Niko još nije pohvalio poruku.
  Registruj se da bi pohvalio/la poruku!

Nema na cemu

To bi bilo to. Pozz