Chained restarts

  • Joined: 12 Oct 2008
  • Posts: 3

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 20:39:09, on 12.10.2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Safe mode with network support

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Milos Djordjevic\Desktop\Krekre\Krekre.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = defaulthomepage.info
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: flashget urlcatch - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - C:\Program Files\FlashGet\jccatch.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O2 - BHO: QUICKfind BHO Object - {C08DF07A-3E49-4E25-9AB0-D3882835F153} - C:\PROGRA~1\TEXTware\QUICKF~1\PlugIns\IEHelp.dll (file missing)
O2 - BHO: FlashGet GetFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - C:\Program Files\FlashGet\getflash.dll
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\fgiebar.dll
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [RemoteControl] C:\Program Files\ASUS\ASUS Remote\RemoteControlAppl.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [RaidTool] C:\Program Files\VIA\RAID\raid_tool.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [mstds.exe] c:\windows\system32\mstds.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\CyberLink\PowerCinema\PCMService.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [VirtualDrive] C:\Program Files\FarStone\VirtualDrive\vdtask.exe /AutoRestore
O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
O4 - HKCU\..\Run: [Mp4 Player] "C:\Program Files\Mp4 Player\Mp4Player.exe" hmw
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Startup: Dhammapada.lnk = C:\Program Files\Dhammapada\Dhammapada.exe
O4 - Startup: WinMySQLadmin.lnk = C:\Program Files\mysql\bin\winmysqladmin.exe
O8 - Extra context menu item: &Download All with FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: &Download with FlashGet - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: RealGuide - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe
O9 - Extra 'Tools' menuitem: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: Ares Chatroom server (AresChatServer) - Ares Development Group - C:\Program Files\Ares\chatServer.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: CyberLink Background Capture Service (CBCS) (CLCapSvc) - Unknown owner - C:\Program Files\CyberLink\PowerCinema\Kernel\TV\CLCapSvc.exe
O23 - Service: CyberLink Task Scheduler (CTS) (CLSched) - Unknown owner - C:\Program Files\CyberLink\PowerCinema\Kernel\TV\CLSched.exe
O23 - Service: CyberLink Media Library Service - Cyberlink - C:\Program Files\CyberLink\Shared Files\CLML_NTService\CLMLServer.exe
O23 - Service: MySql - Unknown owner - C:/Program Files/mysql/bin/mysqld-nt.exe (file missing)
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

--
End of file - 7190 bytes


I was only able to do this from Safe Mode with Networking, because the following happens with the computer: when the system boots, before it shows the desktop and wallpaper, it resets! Without any chance for me to do anything. If I do nothing, the whole cycle repeats endlessly... Otherwise, the computer was protected by AVG (free version) and SpyBot (both regularly updated). The computer works in Safe Mode, but if I try to scan the hard drive with AVG from there, as soon as it comes across "something" (I can't see what that something is), it resets. As far as I know, the OS is Win XP SP2. Now, as a layman, I see that it's listed above that it loads something for Messenger, and as far as I know, I never installed it? I'll keep quiet and listen!

Addendum: 12 Oct 2008 20:57

I forgot to mention that when Windows boots into Safe Mode, I see that next to my account there is suddenly also an option to log in as Administrator (it wasn't there before), and it then asks for a password?

dr_Bora
  • Anti Malware Fighter
    Rank 2
  • Joined: 24 Jul 2007
  • Posts: 12280
  • Location: Höganäs, SE

Hi...

Just so we understand each other - the computer is obviously in bad shape, and the question is whether we can do anything.

Traces of malware are visible, but that doesn't mean malware is the cause of the restarts.

Let's see whether it can survive this scan...

Download ComboFix from one of the following addresses to the Desktop:
http://download.bleepingcomputer.com/sUBs/ComboFix.exe
http://www.forospyware.com/sUBs/ComboFix.exe
http://subs.geekstogo.com/ComboFix.exe

Run it and don't touch the program window while it scans.
Follow the on-screen instructions. When it finishes, a log will appear (C:\ComboFix.txt), which you will copy here for us.

  • Joined: 12 Oct 2008
  • Posts: 3

Whew! It barely worked! First, as soon as the scan started, it showed the message "Rootkit!! ComboFix has detected the presence of rootkit activity and needs to reboot the machine", and after the restart it would reset itself again while the system was booting and fall into that loop. I tried starting ComboFix from Safe Mode again and the situation repeated. Then, intuitively, since I had nothing to lose anyway, I deleted some folder that ComboFix had created on C:\ and two more files from the entries above that looked suspicious to me:
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O23 - Service: Ares Chatroom server (AresChatServer) - Ares Development Group - C:\Program Files\Ares\chatServer.exe

...and after that I started ComboFix and it finally managed to complete the whole scan, restart the system afterwards, and let me send you this message from "normal" mode! When Windows started, SpyBot reported numerous changes in the Registry which, as it seems to me, ComboFix made, and AVG showed me the following:
Resident shield alert
Threat detected!
(1)
File name: c:\windows\system32\sens.dll
Virus identified win32\PEPatch.CA
Detected on open
Details:
Process Name: c:\windows\system32\svchost.exe
Process ID: 1384
I clicked the offered option "Move to Vault"
(2)
File name: c:\windows\system32\spoolsv.exe
Threat name: Virus found Win32/PEPatch
Detected on open
Details:
Process Name: C:\ComboFix\pv.cfexe
Process ID: 3952
When I clicked "Move to Vault" it asked me:
"Do you want to force the threat removal? Forced removal can cause system unstability or even crash." and I answered "No". Did I make a mistake?

Here is the log file too:

ComboFix 08-10-11.04 - Milos Djordjevic 2008-10-13 22:27:35.1 - NTFSx86 NETWORK
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.341 [GMT 2:00]
Running from: C:\Documents and Settings\Milos Djordjevic\Desktop\Krekre\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
ADS - system32: deleted 79040 bytes in 1 streams.
ADS - svchost.exe: deleted 68 bytes in 1 streams.
ADS - ntoskrnl.exe: deleted 68 bytes in 1 streams.
ADS - explorer.exe: deleted 132 bytes in 1 streams.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
C:\Documents and Settings\Milos Djordjevic\ravmonlog
C:\WINDOWS\install.exe
C:\WINDOWS\system32\drivers\npf.sys
C:\WINDOWS\system32\msporc.dll
C:\WINDOWS\system32\Packet.dll
C:\WINDOWS\system32\pthreadVC.dll
C:\WINDOWS\system32\WanPacket.dll
C:\WINDOWS\system32\wpcap.dll

----- BITS: Possible infected sites -----

hxxp://208.66.194.241
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_EXAMPLE
-------\Legacy_NDNET1
-------\Legacy_NPF
-------\Legacy_RUNTIME
-------\Legacy_RUNTIME2
-------\Service_EXAMPLE1
-------\Service_NPF


((((((((((((((((((((((((( Files Created from 2008-09-13 to 2008-10-13 )))))))))))))))))))))))))))))))
.

2008-10-11 15:14 . 2008-10-11 15:14 <DIR> d-------- C:\WINDOWS\LastGood
2008-09-29 15:12 . 2004-08-04 01:56 92,672 --a------ C:\WINDOWS\system32\msxmle.dll
2008-09-27 20:13 . 2008-09-27 20:22 <DIR> d-------- C:\TEMP\1
2008-09-27 18:05 . 2008-09-27 18:24 <DIR> d-------- C:\TEMP\Amerikanci
2008-09-27 18:04 . 2008-09-27 18:05 <DIR> d-------- C:\TEMP\1000 Zasto 1000 Zato
2008-09-27 04:40 . 2008-09-27 06:11 <DIR> d-------- C:\ZA STAMPU

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-10-13 20:22 --------- d-----w C:\Program Files\Ares
2008-10-13 20:19 --------- d-----w C:\Program Files\QuickTime
2008-10-10 15:57 --------- d-----w C:\Program Files\FlashGet
2008-09-28 01:46 --------- d-----w C:\Program Files\eMule
2008-09-26 08:43 102,400 ----a-w C:\WINDOWS\DUMPaf6a.tmp
2008-09-19 23:21 102,400 ----a-w C:\WINDOWS\DUMPae02.tmp
2008-09-19 20:49 102,400 ----a-w C:\WINDOWS\DUMP9615.tmp
2008-09-18 21:31 --------- d-----w C:\Documents and Settings\Milos Djordjevic\Application Data\AdobeUM
2008-08-29 11:33 97,928 ----a-w C:\WINDOWS\system32\drivers\avgldx86.sys
2008-08-20 15:41 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-08-20 15:36 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-08-14 22:02 --------- d-----w C:\Documents and Settings\Milos Djordjevic\Application Data\AVGTOOLBAR
2008-08-05 16:06 10,520 ----a-w C:\WINDOWS\system32\avgrsstx.dll
2006-11-20 12:01 56 --sh--r C:\WINDOWS\system32\705E70FE7B.sys
2007-10-27 18:45 2,516 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys
.

------- Sigcheck -------

2002-08-29 03:41 516608 2246d8d8f4714a2cedb21ab9b1849abb C:\WINDOWS\$NtServicePackUninstall$\winlogon.exe
2004-08-04 01:56 502272 01c3346c241652f43aed8e2149881bfe C:\WINDOWS\ServicePackFiles\i386\winlogon.exe
2007-05-16 22:39 502272 fb552e603b642c2e1a4c338e2ba85607 C:\WINDOWS\system32\winlogon.exe

2001-08-23 14:00 51200 9b4155ba58192d4073082b8fc5d42612 C:\WINDOWS\$NtServicePackUninstall$\spoolsv.exe
2004-08-04 01:56 57856 7435b108b935e42ea92ca94f59c8e717 C:\WINDOWS\ServicePackFiles\i386\spoolsv.exe
2004-08-04 01:56 57856 9f80f873aff7c80e5fd7278de43517b8 C:\WINDOWS\system32\spoolsv.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 15360]
"NBJ"="C:\Program Files\Ahead\Nero BackItUp\NBJ.exe" [2005-04-14 1957888]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-08-18 1832272]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe" [2004-04-01 1368064]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-05-12 344064]
"RemoteControl"="C:\Program Files\ASUS\ASUS Remote\RemoteControlAppl.exe" [2005-05-11 61440]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 155648]
"ATICCC"="C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" [2005-08-12 45056]
"RaidTool"="C:\Program Files\VIA\RAID\raid_tool.exe" [2005-06-20 1056768]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"PCMService"="C:\Program Files\CyberLink\PowerCinema\PCMService.exe" [2005-05-11 127118]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2008-01-05 185896]
"AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [2008-10-13 1234712]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2004-08-04 C:\WINDOWS\system32\bthprops.cpl]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2004-08-04 15360]

C:\Documents and Settings\Milos Djordjevic\Start Menu\Programs\Startup\
Dhammapada.lnk - C:\Program Files\Dhammapada\Dhammapada.exe [2006-12-10 49152]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.AP41"= APmpg4v1.dll
"VIDC.ZMBV"= zmbv.dll
"msacm.ac3filter"= ac3filter.acm

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
backup=C:\WINDOWS\pss\Adobe Gamma Loader.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^InterVideo WinCinema Manager.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\InterVideo WinCinema Manager.lnk
backup=C:\WINDOWS\pss\InterVideo WinCinema Manager.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
--a------ 2005-05-12 00:12 49152 C:\Program Files\HP\HP Software Update\hpwuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RaidTool]
--a------ 2005-06-20 19:53 1056768 C:\Program Files\VIA\RAID\raid_tool.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\WINDOWS\\system32\\sessmgr.exe"=
"C:\\Program Files\\iMesh Applications\\iMesh\\iMesh.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\Ares\\Ares.exe"=
"C:\\Program Files\\BitTorrent\\bittorrent.exe"=
"C:\\Program Files\\CyberLink\\PowerCinema\\PowerCinema.exe"=
"C:\\Program Files\\eMule\\emule.exe"=
"C:\\Program Files\\FlashGet\\flashget.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\\Program Files\\IVT Corporation\\BlueSoleil\\BlueSoleil.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"14260:TCP"= 14260:TCP:*:Disabled:NortonAV
"18070:TCP"= 18070:TCP:*:Disabled:NortonAV
"61251:TCP"= 61251:TCP:*:Disabled:eMule_TCP
"57791:UDP"= 57791:UDP:*:Disabled:eMule_UDP

R1 AvgLdx86;AVG Free AVI Loader Driver x86;C:\WINDOWS\system32\Drivers\avgldx86.sys [2008-08-29 97928]
R2 AvgTdiX;AVG Free8 Network Redirector;C:\WINDOWS\system32\Drivers\avgtdix.sys [2008-08-05 76040]
R3 3xHybrid;3xHybrid service;C:\WINDOWS\system32\DRIVERS\3xHybrid.sys [2005-05-18 2679168]
S2 avg8emc;AVG Free8 E-mail Scanner;C:\PROGRA~1\AVG\AVG8\avgemc.exe [2008-08-29 875288]
S3 CA500AI;GSmart 300 Still Image Capture Version 1.00;C:\WINDOWS\system32\Drivers\2NF.sys [ ]
S3 CA500AV;GSmart 300 WDM Video Capture;C:\WINDOWS\system32\DRIVERS\GS30AV.SYS [ ]
S3 FlyPCI;FlyPCI;C:\WINDOWS\system32\drivers\FlyPCI.sys [2003-10-10 4134]
S3 SmartCd;SmartCd;C:\WINDOWS\system32\Drivers\SmartCd.sys [ ]
S4 cdawdm;CDAWDM;C:\WINDOWS\system32\DRIVERS\CDAWDM.sys [ ]
Start Pending2 avg8wd;AVG Free8 WatchDog;C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2008-08-29 231704]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{5b3c7062-a508-11dc-8656-0013d4a7c73f}]
\Shell\AutoRun\command - h6o0re.cmd
\Shell\explore\Command - h6o0re.cmd
\Shell\open\Command - h6o0re.cmd
.
Contents of the 'Scheduled Tasks' folder

2008-09-04 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 15:57]

2008-09-15 C:\WINDOWS\Tasks\At1.job
- C:\WINDOWS\system32\blastclnnn.exe []
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-VirtualDrive - C:\Program Files\FarStone\VirtualDrive\vdtask.exe
HKCU-Run-Mp4 Player - C:\Program Files\Mp4 Player\Mp4Player.exe
HKLM-Run-mstds.exe - c:\windows\system32\mstds.exe
HKLM-Run-QuickTime Task - C:\Program Files\QuickTime\qttask.exe
MSConfigStartUp-Acrobat Assistant 7 - C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe


.
------- Supplementary Scan -------
.
FireFox -: Profile - C:\Documents and Settings\Milos Djordjevic\Application Data\Mozilla\Firefox\Profiles\f1hsjezg.default\
FireFox -: prefs.js - SEARCH.DEFAULTURL - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FireFox -: prefs.js - STARTUP.HOMEPAGE - about:blank
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, gmer.net
Rootkit scan 2008-10-13 22:31:56
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


C:\DOCUME~1\MILOSD~1\LOCALS~1\Temp\375a486e-5ed8-47a7-a5f0-2e47b3b878c0.tmp 0 bytes
C:\DOCUME~1\MILOSD~1\LOCALS~1\Temp\d1c7a580-7d07-4753-8995-d88de2b920d7.tmp

scan completed successfully
hidden files: 2

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MySql]
"ImagePath"="C:/Program Files/mysql/bin/mysqld-nt.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MySql]
"ImagePath"="C:/Program Files/mysql/bin/mysqld-nt.exe"
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\ati2evxx.exe
C:\WINDOWS\system32\ati2evxx.exe
C:\Program Files\CyberLink\PowerCinema\Kernel\TV\CLCapSvc.exe
C:\Program Files\CyberLink\Shared Files\CLML_NTService\CLMLServer.exe
C:\Program Files\CyberLink\Shared Files\CLML_NTService\CLMLService.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\CyberLink\PowerCinema\Kernel\TV\CLSched.exe
C:\Program Files\AVG\AVG8\avgtray.exe
C:\Program Files\AVG\AVG8\avgrsx.exe
C:\Program Files\AVG\AVG8\avgrsx.exe
.
**************************************************************************
.
Completion time: 2008-10-13 22:49:03 - machine was rebooted [Milos Djordjevic]
ComboFix-quarantined-files.txt 2008-10-13 20:48:07

Pre-Run: 265,752,576 bytes free
Post-Run: 195,624,960 bytes free

199



Sorry for bothering you this much, and a huuuuge thank you!

Addendum: 14 Oct 2008 14:51

After the next system start, AVG reported 2 more infections:
(1) File name: c:\windows\system32\dmserver.dll
Process name: c:\windows\system32\svchost.exe
(2) File name: c:\windows\system32\spoolsv.exe
Process name: c:\windows\system32\services.exe

In both cases it identified the virus as win32\PEPatch and dealt with it on open.

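The Sigcheck block in the ComboFix log above is the part of the log that supports AVG's Win32/PEPatch verdict on spoolsv.exe: the system32 copy has exactly the same size and timestamp as the ServicePackFiles reference copy, yet a different MD5, which is what an in-place patch of a system binary looks like. The script below is an added example, not part of this thread or of ComboFix; it parses lines in the Sigcheck format (date, time, size, MD5, path), pairs each live system32 binary with its ServicePackFiles copy and classifies the difference. The sample input is copied from the log above; the verdict names and the helper names are my own.

```python
"""Classify Sigcheck lines from a ComboFix log by comparing the live
system32 copy of each binary with the ServicePackFiles reference copy.
Added example; not part of the forum thread or of ComboFix itself."""
import re
from collections import defaultdict

# Sigcheck line layout: <date> <time> <size> <md5> <path>
SIGCHECK_LINE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}) (?P<size>\d+) "
    r"(?P<md5>[0-9a-fA-F]{32}) (?P<path>.+)$"
)

# Sample input copied from the Sigcheck section of the log posted above.
SIGCHECK_SAMPLE = """\
2002-08-29 03:41 516608 2246d8d8f4714a2cedb21ab9b1849abb C:\\WINDOWS\\$NtServicePackUninstall$\\winlogon.exe
2004-08-04 01:56 502272 01c3346c241652f43aed8e2149881bfe C:\\WINDOWS\\ServicePackFiles\\i386\\winlogon.exe
2007-05-16 22:39 502272 fb552e603b642c2e1a4c338e2ba85607 C:\\WINDOWS\\system32\\winlogon.exe

2001-08-23 14:00 51200 9b4155ba58192d4073082b8fc5d42612 C:\\WINDOWS\\$NtServicePackUninstall$\\spoolsv.exe
2004-08-04 01:56 57856 7435b108b935e42ea92ca94f59c8e717 C:\\WINDOWS\\ServicePackFiles\\i386\\spoolsv.exe
2004-08-04 01:56 57856 9f80f873aff7c80e5fd7278de43517b8 C:\\WINDOWS\\system32\\spoolsv.exe
"""


def parse_sigcheck(text):
    """Return one dict per Sigcheck line; lines in any other format are skipped."""
    entries = []
    for line in text.splitlines():
        m = SIGCHECK_LINE.match(line.strip())
        if not m:
            continue
        entry = m.groupdict()
        entry["size"] = int(entry["size"])
        entry["md5"] = entry["md5"].lower()
        directory, _, name = entry["path"].rpartition("\\")
        entry["dir"] = directory.lower()
        entry["name"] = name.lower()
        entries.append(entry)
    return entries


def classify(entries):
    """Map each binary name to a verdict (names are this example's own):
    matches-sp-copy            live hash equals the ServicePackFiles copy
    modified-in-place          same size and timestamp as the SP copy, hash differs
    differs-check-update-history  hash differs and metadata differs (may be a hotfix)
    incomplete                 no live or no reference copy to compare"""
    by_name = defaultdict(dict)
    for e in entries:
        if e["dir"].endswith("\\system32"):
            by_name[e["name"]]["live"] = e
        elif "\\servicepackfiles\\" in e["dir"] + "\\":
            by_name[e["name"]]["reference"] = e
        # $NtServicePackUninstall$ copies are pre-SP2 and intentionally ignored
    verdicts = {}
    for name, copies in by_name.items():
        live, ref = copies.get("live"), copies.get("reference")
        if live is None or ref is None:
            verdicts[name] = "incomplete"
        elif live["md5"] == ref["md5"]:
            verdicts[name] = "matches-sp-copy"
        elif (live["size"], live["date"], live["time"]) == (ref["size"], ref["date"], ref["time"]):
            verdicts[name] = "modified-in-place"
        else:
            verdicts[name] = "differs-check-update-history"
    return verdicts


def audit_sample():
    """Run the classifier over the sample copied from the log above."""
    return classify(parse_sigcheck(SIGCHECK_SAMPLE))


if __name__ == "__main__":
    for name, verdict in sorted(audit_sample().items()):
        print(f"{name:14} {verdict}")
```

On the sample, spoolsv.exe is reported as modified-in-place, which lines up with the AVG detections on that file; winlogon.exe only gets differs-check-update-history, because a newer timestamp with the same size is equally consistent with a post-SP2 hotfix, so that verdict is a prompt to verify against the vendor's catalog rather than a detection.
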
dr_Bora
  • Anti Malware Fighter
    Rank 2
  • Joined: 24 Jul 2007
  • Posts: 12280
  • Location: Höganäs, SE

Is the computer still restarting?

Download gmer.zip from this link and save it to the Desktop.
Unzip it into a folder.

Double-click gmer.exe to start: select the Rootkit/Malware tab at the top.
Click Scan.
When the scan is finished, click the Copy button below - this will save the scan results to the Clipboard.
Use Paste in Notepad to turn that into text. Save that text from Notepad as file1.txt.
Repeat the same with the Autostart tab. Save that text from Notepad as file2.txt.

Use the Attach file option below the message box on the forum and attach the two files we just saved here.

  • Joined: 12 Oct 2008
  • Posts: 3

Dear Dr Bora!
The computer no longer restarts, although it did happen a couple of times while working with the Gmer program mentioned above. Attached are the two scan reports, as requested.

dr_Bora
  • Anti Malware Fighter
    Rank 2
  • Joined: 24 Jul 2007
  • Posts: 12280
  • Location: Höganäs, SE

Delete the following files:

C:\WINDOWS\system32\msxmle.dll
C:\WINDOWS\Tasks\At1.job



Download this file to the Desktop (right-click the link, then Save target as, Save as, or similar):

Double-click it - when prompted, click Yes.



Current status? Is there any specific problem that you think could be caused by malware?

If there is, explain.

If everything is OK, then do the following:

Click START, then RUN
In the text input line type Combofix /u and click OK

Wait for the uninstallation process to finish

The above procedure will:
Delete the following:
ComboFix and its files and folders
VundoFix Backups folder, if it exists
C:\Deckard folder, if it exists
C:\OtMoveIt folder, if it exists

Reset the clock settings on the computer
Hide file extensions, if necessary
Hide system/hidden files/folders, if necessary
Reset System Restore
