Posted: 01 Dec 2010 23:26
- AleX
- Citizen
- Joined: 20 Jul 2008
- Posts: 197
Written: 01 Dec 2010 22:37
It says it will shut down after a minute, but it doesn't shut down; it is completely unusable, though.
After about 20-30 seconds pass, windows get duplicated when they are moved.
I have avast, which hasn't reported anything so far.
I made all these reports from safe mode, because that is the only time the computer behaves normally.
DDS (Ver_10-11-27.01) - NTFSx86 NETWORK
Run by Administrator at 21:10:44,28 on sre 01.12.2010
Internet Explorer: 6.0.2900.2180
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1023.557 [GMT 1:00]
AV: avast! antivirus 4.7.1098 [VPS 080214-0] *On-access scanning enabled* (Outdated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
============== Running Processes ===============
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
svchost.exe
svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
============== Pseudo HJT Report ===============
mWinlogon: Userinit=c:\windows\system32\userinit.exe,,c:\program files\microsoft\desktoplayer.exe
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: Skype add-on (mastermind): {22bf413b-c6d2-4d91-82a9-a0f997ba588c} - c:\progra~1\skype\phone\ieplugin\SKYPEI~1.DLL
BHO: {4c6dac00-224d-40ab-9f81-c143923b72bf} - c:\windows\system32\cmpbk3.dll
uRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [HPDJ Taskbar Utility] c:\windows\system32\spool\drivers\w32x86\3\hpztsb10.exe
mRun: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
mRun: [<NO NAME>]
mRun: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [BMISR] c:\program files\kye\webmate\BM.exe
mRun: [PAC207_Monitor] c:\windows\pixart\pac207\Monitor.exe
mRun: [Monitor] c:\windows\pixart\pac207\Monitor.exe
mRun: [RegistryMonitor1] c:\windows\system32\qtplugin.exe
mRun: [avast!] c:\progra~1\alwils~1\avast4\ashDisp.exe
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
dRun: [MySpaceIM] c:\program files\myspace\im\MySpaceIM.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {77BF5300-1474-4EC7-9980-D32B190E9B07} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\progra~1\skype\phone\ieplugin\SKYPEI~1.DLL
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Handler: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - c:\program files\hp\hpcoretech\comp\hpuiprot.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: AtiExtEvent - Ati2evxx.dll
================= FIREFOX ===================
FF - ProfilePath - c:\docume~1\admini~1\applic~1\mozilla\firefox\profiles\ra2pugze.default\
FF - prefs.js: network.proxy.type - 0
FF - Extension: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
============= SERVICES / DRIVERS ===============
R3 ndisrd;WinpkFilter Service;c:\windows\system32\drivers\ndisrd.sys [2010-11-8 20480]
S1 jlh5f77;jlh5f77;c:\windows\system32\drivers\jlh5f77.sys [2010-11-17 138272]
S2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast4\ashServ.exe [2010-11-21 140664]
S2 vwqhcyso;System Universal;c:\windows\system32\svchost.exe -k netsvcs [2004-8-3 14336]
S2 xuhdly;System Windows;c:\windows\system32\svchost.exe -k netsvcs [2004-8-3 14336]
S3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast4\ashMaiSv.exe [2010-11-21 247160]
S3 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast4\ashWebSv.exe [2010-11-21 345464]
S3 bnptsez;bnptsez;\??\c:\windows\system32\01.tmp --> c:\windows\system32\01.tmp [?]
S3 PAC207;Eye 110;c:\windows\system32\drivers\PFC027.SYS [2010-6-11 616064]
=============== Created Last 30 ================
2010-12-01 19:59:52 40960 ----a-w- c:\windows\system32\x.exe
2010-11-21 12:44:40 53760 ----a-w- c:\windows\ExplorerSrv.exe
2010-11-21 12:37:33 53760 ----a-w- c:\program files\messenger\msmsgsSrv.exe
2010-11-21 11:40:08 -------- d-----w- c:\docume~1\admini~1\locals~1\applic~1\Mozilla
2010-11-21 11:30:31 -------- d-----w- c:\docume~1\alluse~1\applic~1\Kaspersky Lab Setup Files
2010-11-17 12:07:42 138272 ----a-w- c:\windows\system32\drivers\jlh5f77.sys
2010-11-16 21:12:32 -------- d-----w- c:\docume~1\alluse~1\applic~1\aDoPd02100
2010-11-11 14:13:13 1451520 ----a-w- c:\windows\system32\qtplugin.exe
2010-11-08 20:55:24 20480 ----a-w- c:\windows\system32\drivers\ndisrd.sys
==================== Find3M ====================
============= FINISH: 21:11:31,73 ===============
At the start GMER asked: "A system modification caused by a ROOTKIT has been detected. Do you want a full system scan?" I clicked NO, following the instructions from the topic.
Update: 01 Dec 2010 23:19
A small update.
In the meantime I ran an avast boot-time scan.
This is the report.
12/01/2010 22:46
Skenira sve lokalne diskove
Datoteka: C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\O066IXIO\x[1] je inficirana sa Win32:Virtob, Popravi: Greška 42060 {Datoteka nije popravljena.}, Obrisan
Datoteka: C:\WINDOWS\system32\x.exe je inficirana sa Win32:Virtob
Broj skeniranih fascikla: 4145
Broj testiranih datoteka: 74060
Broj inficiranih datoteka: 2
The second file was not touched, just ignored.
Update: 01 Dec 2010 23:26
Ramnit:B, now it has found that virus too.
Posted: 02 Dec 2010 00:22
- AleX
This is the only thing in the avast log:
12/01/2010 22:46
Skenira sve lokalne diskove
Datoteka: C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\O066IXIO\x[1] je inficirana sa Win32:Virtob, Popravi: Greška 42060 {Datoteka nije popravljena.}, Obrisan
Datoteka: C:\WINDOWS\system32\x.exe je inficirana sa Win32:Virtob
Broj skeniranih fascikla: 4145
Broj testiranih datoteka: 74060
Broj inficiranih datoteka: 2
One more thing: during the countdown before the shutdown it says
services.exe status 1073741819
That DDS scan took forever.
Is there a way to speed it up a bit?
When it scans, I see it goes through the whole of c:\.
Posted: 02 Dec 2010 22:14
- AleX
Started from safe mode, but it finished in normal mode.
ComboFix 10-12-02.01 - Administrator 02.12.2010 22:02:30.1.2 - x86 NETWORK
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1023.715 [GMT 1:00]
Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
AV: avast! antivirus 4.7.1098 [VPS 101201-1] *On-access scanning enabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\documents and settings\All Users\Application Data\aDoPd02100
c:\documents and settings\All Users\Application Data\aDoPd02100\aDoPd02100
c:\documents and settings\All Users\Application Data\aDoPd02100\aDoPd02100.exe
c:\documents and settings\Korisnik\_tmpf
c:\documents and settings\Korisnik\Application Data\download2
c:\documents and settings\Korisnik\Application Data\download2\svcnost.exe
c:\documents and settings\Korisnik\Application Data\updates\updates.exe
c:\documents and settings\Korisnik\drvsign.exe
c:\program files\Internet Explorer\dmlconf.dat
c:\program files\quicktime\qttasksrv.exe
c:\program files\Realtek\InstallShield\Alcmtr.exe
c:\program files\XviD\StatsReader.exe
c:\windows\ExplorerSrv.exe
c:\windows\system32\drivers\jlh5f77.sys
c:\windows\system32\qtplugin.exe
c:\windows\system32\x.exe
c:\program files\Microsoft\DesktopLayer.exe . . . . Failed to delete
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_jlh5f77
-------\Service_jlh5f77
((((((((((((((((((((((((( Files Created from 2010-11-02 to 2010-12-02 )))))))))))))))))))))))))))))))
.
2010-12-02 20:47 . 2010-12-02 20:49 -------- d-----w- c:\program files\Mozilla Firefox new
2010-12-01 19:45 . 2010-04-27 10:04 381816 ----a-w- c:\windows\system32\PsExec.exe
2010-12-01 19:45 . 2010-04-27 10:04 333176 ----a-w- c:\windows\system32\PsGetsid.exe
2010-12-01 19:45 . 2010-04-27 10:04 178040 ----a-w- c:\windows\system32\psloglist.exe
2010-12-01 19:45 . 2010-04-27 10:04 390520 ----a-w- c:\windows\system32\PsInfo.exe
2010-12-01 19:45 . 2010-04-27 10:04 231288 ----a-w- c:\windows\system32\PsList.exe
2010-12-01 19:45 . 2010-04-27 10:04 183160 ----a-w- c:\windows\system32\PsLoggedon.exe
2010-12-01 19:45 . 2010-04-27 10:04 169848 ----a-w- c:\windows\system32\PsService.exe
2010-12-01 19:45 . 2009-12-01 09:52 621944 ----a-w- c:\windows\system32\pskill.exe
2010-12-01 19:45 . 2006-12-04 16:53 207664 ----a-w- c:\windows\system32\psshutdown.exe
2010-12-01 19:45 . 2006-12-04 16:53 187184 ----a-w- c:\windows\system32\pssuspend.exe
2010-12-01 19:45 . 2006-12-04 16:53 105264 ----a-w- c:\windows\system32\pspasswd.exe
2010-12-01 19:45 . 2006-12-04 16:53 105264 ----a-w- c:\windows\system32\psfile.exe
2010-11-21 12:37 . 2010-12-01 22:40 53760 ----a-w- c:\program files\Messenger\msmsgsSrv.exe
2010-11-21 12:24 . 2010-11-21 12:24 -------- d-----w- c:\documents and settings\Korisnik\Application Data\sorrypeople
2010-11-21 11:42 . 2007-12-04 14:53 23152 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2010-11-21 11:42 . 2007-12-04 14:51 42912 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2010-11-21 11:42 . 2007-12-04 14:49 26624 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2010-11-21 11:42 . 2007-12-04 14:56 93264 ----a-w- c:\windows\system32\drivers\aswmon.sys
2010-11-21 11:42 . 2007-12-04 14:55 94544 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2010-11-21 11:42 . 2007-12-04 12:54 95608 ----a-w- c:\windows\system32\AvastSS.scr
2010-11-21 11:41 . 2007-12-04 13:04 837496 ----a-w- c:\windows\system32\aswBoot.exe
2010-11-21 11:41 . 2004-01-09 09:13 380928 ----a-w- c:\windows\system32\actskin4.ocx
2010-11-21 11:30 . 2010-11-21 11:30 -------- d-----w- c:\documents and settings\All Users\Application Data\Kaspersky Lab Setup Files
2010-11-21 11:29 . 2010-11-21 11:29 -------- d-----w- c:\documents and settings\Administrator
2010-11-16 06:10 . 2010-12-02 21:04 -------- d-----w- c:\documents and settings\Korisnik\Application Data\updates
2010-11-08 20:55 . 2010-11-08 20:55 20480 ----a-w- c:\windows\system32\drivers\ndisrd.sys
2010-11-08 20:55 . 2010-11-08 20:55 20480 ----a-w- c:\documents and settings\Korisnik\ndisrd.sys
2010-11-08 20:55 . 2010-11-08 20:55 13824 ----a-w- c:\documents and settings\Korisnik\snetcfg.exe
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RTHDCPL"="RTHDCPL.EXE" [2005-09-22 14854144]
"HPDJ Taskbar Utility"="c:\windows\system32\spool\drivers\w32x86\3\hpztsb10.exe" [2004-03-04 172032]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2004-08-03 110592]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-10-27 212992]
"PAC207_Monitor"="c:\windows\PixArt\PAC207\Monitor.exe" [2006-11-03 319488]
"Monitor"="c:\windows\PixArt\PAC207\Monitor.exe" [2006-11-03 319488]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-03 15360]
"MySpaceIM"="c:\program files\MySpace\IM\MySpaceIM.exe" [2007-01-12 4898816]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Userinit"="c:\windows\system32\userinit.exe,,c:\program files\microsoft\desktoplayer.exe"
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^Korisnik^Start Menu^Programs^Startup^Quick Data Copy.lnk]
path=c:\documents and settings\Korisnik\Start Menu\Programs\Startup\Quick Data Copy.lnk
backup=c:\windows\pss\Quick Data Copy.lnkStartup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATIPTA]
2010-10-27 12:13 401408 ----a-w- c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Component Manager]
2010-10-27 12:15 299008 ----a-w- c:\program files\HP\hpcoretech\hpcmpmgr.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
2010-10-27 12:15 106496 ----a-w- c:\program files\Hewlett-Packard\HP Software Update\hpwuSchd2.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2010-10-27 12:15 335872 ----a-w- c:\program files\iTunes\iTunesHelper.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2010-11-21 12:31 1749504 ----a-w- c:\program files\Messenger\msmsgs.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MySpaceIM]
2007-01-12 01:45 4898816 ----a-w- c:\program files\MySpace\IM\MySpaceIM.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NBJ]
2010-10-27 12:13 1994752 ----a-w- c:\program files\Ahead\Nero BackItUp\NBJ.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2001-07-09 08:50 155648 ----a-w- c:\windows\system32\NeroCheck.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-10-27 12:17 212992 ----a-w- c:\program files\QuickTime\qttask.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
2010-10-27 12:14 90112 ----a-w- c:\program files\CyberLink\PowerDVD\PDVDServ.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
2006-12-18 16:32 25365032 ----a-w- c:\program files\Skype\Phone\Skype.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StatusClient]
2010-10-27 12:15 94208 ----a-w- c:\program files\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TomcatStartup]
2010-10-27 12:15 212992 ----a-w- c:\program files\Hewlett-Packard\Toolbox2.0\hpbpsttp.exe
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\WINDOWS\\system32\\usmt\\migwiz.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\Hewlett-Packard\\Toolbox2.0\\Javasoft\\JRE\\1.3.1\\bin\\javaw.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5625:TCP"= 5625:TCP:vbupvjdo
R3 ndisrd;WinpkFilter Service;c:\windows\system32\drivers\ndisrd.sys [8.11.2010 21:55 20480]
S2 vwqhcyso;System Universal;c:\windows\system32\svchost.exe -k netsvcs [3.8.2004 23:56 14336]
S2 xuhdly;System Windows;c:\windows\system32\svchost.exe -k netsvcs [3.8.2004 23:56 14336]
S3 bnptsez;bnptsez;\??\c:\windows\system32\01.tmp --> c:\windows\system32\01.tmp [?]
S3 PAC207;Eye 110;c:\windows\system32\drivers\PFC027.SYS [11.6.2010 22:30 616064]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
vwqhcyso
xuhdly
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{10bb11c4-c3b2-11dc-8588-e1986ae817f6}]
\Shell\Auto\command - G:\AdobeR.exe e
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL AdobeR.exe e
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1b0844ea-d6d9-11da-9a43-806d6172696f}]
\Shell\AutoRun\command - F:\install.exe
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = <local>
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Korisnik\Application Data\Mozilla\Firefox\Profiles\8sxf8hvl.default\
FF - Extension: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox new\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
.
- - - - ORPHANS REMOVED - - - -
HKCU-Run-download - c:\documents and settings\Korisnik\Application Data\download2\svcnost.exe
HKCU-Run-engel - c:\documents and settings\Korisnik\Application Data\updates\updates.exe
HKCU-Run-Rapport - c:\documents and settings\Korisnik\Application Data\sorrypeople2\smss.exe
HKLM-Run-BMISR - c:\program files\KYE\WebMate\BM.exe
MSConfigStartUp-nod32kui - c:\program files\Eset\nod32kui.exe
AddRemove-Doninno2 - c:\documents and settings\All Users\Documents\Doninno2\uninstall.exe
**************************************************************************
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files:
**************************************************************************
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\bnptsez]
"ImagePath"="\??\c:\windows\system32\01.tmp"
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\vwqhcyso]
"ServiceDll"="c:\windows\system32\ffrkyql.dll"
--
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\xuhdly]
"ServiceDll"="c:\windows\system32\ffrkyql.dll"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(904)
c:\windows\system32\Ati2evxx.dll
- - - - - - - > 'explorer.exe'(2544)
c:\windows\system32\msi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\program files\Alwil Software\Avast4\aswUpdSv.exe
c:\program files\Internet Explorer\iexplore.exe
c:\windows\system32\Ati2evxx.exe
c:\windows\RTHDCPL.EXE
c:\windows\system32\rundll32.exe
.
**************************************************************************
.
Completion time: 2010-12-02 22:10:23 - machine was rebooted
ComboFix-quarantined-files.txt 2010-12-02 21:10
Pre-Run: 9.606.049.792 bytes free
Post-Run: 13.309.222.912 bytes free
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
- - End Of File - - 28AA01150832A98C64CDDAF787D86314
Posted: 04 Dec 2010 00:59
- AleX
When I dragged CFScript onto ComboFix, it did its thing, restarted the computer, and then did something more of its own again.
However, after that my internet didn't work. The modem was fine.
The network connection says connected, but I see sent 0 and received 0.
I click further to more information, and there is no IP, no DNS, nothing at all.
It was already past 10 o'clock, so I couldn't call the provider, and my gut tells me it isn't on their end.
I go a step further and type ipconfig at the command line; it shows only its first line, namely the heading "Windows IP Configuration".
That seems suspicious to me. I type ipconfig /all
and again nothing.
I typed all sorts of things, but there is no information about the network.
What could that be?
ComboFix 10-12-02.01 - Administrator 03.12.2010 21:39:27.2.2 - x86 NETWORK
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1023.821 [GMT 1:00]
Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Administrator\Desktop\CFScript.txt
AV: avast! antivirus 4.7.1098 [VPS 101201-1] *On-access scanning enabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
FILE ::
"c:\documents and settings\Korisnik\ndisrd.sys"
"c:\documents and settings\Korisnik\snetcfg.exe"
"c:\program files\Messenger\msmsgsSrv.exe"
"c:\program files\microsoft\desktoplayer.exe"
"c:\windows\system32\01.tmp"
"c:\windows\system32\drivers\ndisrd.sys"
"c:\windows\system32\ffrkyql.dll"
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\documents and settings\Korisnik\Application Data\sorrypeople
c:\documents and settings\Korisnik\ndisrd.sys
c:\documents and settings\Korisnik\snetcfg.exe
c:\program files\Internet Explorer\dmlconf.dat
c:\program files\Messenger\msmsgsSrv.exe
c:\program files\Microsoft\DesktopLayer.exe
c:\windows\ExplorerSrv.exe
c:\windows\system\servicers.exe
c:\windows\system32\drivers\ndisrd.sys
c:\windows\system32\ffrkyql.dll
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_BNPTSEZ
-------\Legacy_VWQHCYSO
-------\Legacy_XUHDLY
-------\Service_bnptsez
-------\Service_ndisrd
-------\Service_vwqhcyso
-------\Service_xuhdly
-------\Legacy_evelfisj
-------\Legacy_seccenHelp
-------\Service_evelfisj
-------\Service_seccenHelp
((((((((((((((((((((((((( Files Created from 2010-11-03 to 2010-12-03 )))))))))))))))))))))))))))))))
.
2010-12-03 20:36 . 2010-12-03 20:36 47616 ----a-w- c:\windows\system32\fgtu.exe
2010-12-02 20:47 . 2010-12-02 20:49 -------- d-----w- c:\program files\Mozilla Firefox new
2010-12-01 19:45 . 2010-04-27 10:04 381816 ----a-w- c:\windows\system32\PsExec.exe
2010-12-01 19:45 . 2010-04-27 10:04 333176 ----a-w- c:\windows\system32\PsGetsid.exe
2010-12-01 19:45 . 2010-04-27 10:04 178040 ----a-w- c:\windows\system32\psloglist.exe
2010-12-01 19:45 . 2010-04-27 10:04 390520 ----a-w- c:\windows\system32\PsInfo.exe
2010-12-01 19:45 . 2010-04-27 10:04 231288 ----a-w- c:\windows\system32\PsList.exe
2010-12-01 19:45 . 2010-04-27 10:04 183160 ----a-w- c:\windows\system32\PsLoggedon.exe
2010-12-01 19:45 . 2010-04-27 10:04 169848 ----a-w- c:\windows\system32\PsService.exe
2010-12-01 19:45 . 2009-12-01 09:52 621944 ----a-w- c:\windows\system32\pskill.exe
2010-12-01 19:45 . 2006-12-04 16:53 207664 ----a-w- c:\windows\system32\psshutdown.exe
2010-12-01 19:45 . 2006-12-04 16:53 187184 ----a-w- c:\windows\system32\pssuspend.exe
2010-12-01 19:45 . 2006-12-04 16:53 105264 ----a-w- c:\windows\system32\pspasswd.exe
2010-12-01 19:45 . 2006-12-04 16:53 105264 ----a-w- c:\windows\system32\psfile.exe
2010-11-21 11:42 . 2007-12-04 14:53 23152 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2010-11-21 11:42 . 2007-12-04 14:51 42912 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2010-11-21 11:42 . 2007-12-04 14:49 26624 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2010-11-21 11:42 . 2007-12-04 14:56 93264 ----a-w- c:\windows\system32\drivers\aswmon.sys
2010-11-21 11:42 . 2007-12-04 14:55 94544 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2010-11-21 11:42 . 2007-12-04 12:54 95608 ----a-w- c:\windows\system32\AvastSS.scr
2010-11-21 11:41 . 2007-12-04 13:04 837496 ----a-w- c:\windows\system32\aswBoot.exe
2010-11-21 11:41 . 2004-01-09 09:13 380928 ----a-w- c:\windows\system32\actskin4.ocx
2010-11-21 11:30 . 2010-11-21 11:30 -------- d-----w- c:\documents and settings\All Users\Application Data\Kaspersky Lab Setup Files
2010-11-21 11:29 . 2010-11-21 11:29 -------- d-----w- c:\documents and settings\Administrator
2010-11-16 06:10 . 2010-12-02 21:04 -------- d-----w- c:\documents and settings\Korisnik\Application Data\updates
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RTHDCPL"="RTHDCPL.EXE" [2005-09-22 14854144]
"HPDJ Taskbar Utility"="c:\windows\system32\spool\drivers\w32x86\3\hpztsb10.exe" [2004-03-04 172032]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2004-08-03 110592]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-10-27 212992]
"PAC207_Monitor"="c:\windows\PixArt\PAC207\Monitor.exe" [2006-11-03 319488]
"Monitor"="c:\windows\PixArt\PAC207\Monitor.exe" [2006-11-03 319488]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-03 15360]
"MySpaceIM"="c:\program files\MySpace\IM\MySpaceIM.exe" [2007-01-12 4898816]
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^Korisnik^Start Menu^Programs^Startup^Quick Data Copy.lnk]
path=c:\documents and settings\Korisnik\Start Menu\Programs\Startup\Quick Data Copy.lnk
backup=c:\windows\pss\Quick Data Copy.lnkStartup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATIPTA]
2010-10-27 12:13 401408 ----a-w- c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Component Manager]
2010-10-27 12:15 299008 ----a-w- c:\program files\HP\hpcoretech\hpcmpmgr.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
2010-10-27 12:15 106496 ----a-w- c:\program files\Hewlett-Packard\HP Software Update\hpwuSchd2.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2010-10-27 12:15 335872 ----a-w- c:\program files\iTunes\iTunesHelper.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2010-11-21 12:31 1749504 ----a-w- c:\program files\Messenger\msmsgs.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MySpaceIM]
2007-01-12 01:45 4898816 ----a-w- c:\program files\MySpace\IM\MySpaceIM.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NBJ]
2010-10-27 12:13 1994752 ----a-w- c:\program files\Ahead\Nero BackItUp\NBJ.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2001-07-09 08:50 155648 ----a-w- c:\windows\system32\NeroCheck.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-10-27 12:17 212992 ----a-w- c:\program files\QuickTime\qttask.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
2010-10-27 12:14 90112 ----a-w- c:\program files\CyberLink\PowerDVD\PDVDServ.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
2006-12-18 16:32 25365032 ----a-w- c:\program files\Skype\Phone\Skype.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StatusClient]
2010-10-27 12:15 94208 ----a-w- c:\program files\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TomcatStartup]
2010-10-27 12:15 212992 ----a-w- c:\program files\Hewlett-Packard\Toolbox2.0\hpbpsttp.exe
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\WINDOWS\\system32\\usmt\\migwiz.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\Hewlett-Packard\\Toolbox2.0\\Javasoft\\JRE\\1.3.1\\bin\\javaw.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
S2 evelfisj;System Windows;c:\windows\system32\svchost.exe -k netsvcs [3.8.2004 23:56 14336]
S3 PAC207;Eye 110;c:\windows\system32\drivers\PFC027.SYS [11.6.2010 22:30 616064]
S3 ytxmgn;ytxmgn;\??\c:\windows\system32\013.tmp --> c:\windows\system32\013.tmp [?]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
evelfisj
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://google.rs/
FF - ProfilePath - c:\documents and settings\Korisnik\Application Data\Mozilla\Firefox\Profiles\8sxf8hvl.default\
FF - Extension: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox new\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, gmer.net
Rootkit scan 2010-12-03 21:44
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ytxmgn]
"ImagePath"="\??\c:\windows\system32\013.tmp"
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\evelfisj]
"ServiceDll"="c:\windows\system32\ffrkyql.dll"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(348-)
c:\windows\system32\Ati2evxx.dll
c:\windows\system32\Iac25_32.ax
c:\windows\system32\DivXa32.acm
- - - - - - - > 'explorer.exe'(1028-)
c:\windows\system32\msi.dll
.
Completion time: 2010-12-03 21:46:01 - machine was rebooted
ComboFix-quarantined-files.txt 2010-12-03 20:45
ComboFix2.txt 2010-12-02 21:10
Pre-Run: 14.776.066.048 bytes free
Post-Run: 14.628.294.656 bytes free
- - End Of File - - 4029E585CD0AB3A43EA57F4D126B0F8A
Posted: 04 Dec 2010 02:21
- AleX
Sorry, but avast cannot be deactivated, for the simple reason that the virus got into it, and then avast detected itself and "cut off" something of its own.
So nowhere does it say avast is running, but when ComboFix starts, only then does it say avast is running.
Posted: 04 Dec 2010 02:37
- magna86
- Anti Malware Fighter, Rank 2
- Joined: 21 Jun 2008
- Posts: 6103
Temporarily reinstall or uninstall it, then continue following the instructions.