MyCity » Ambulanta -> Arhiva Ambulante » Problem - vise rootkitova/malware programa

Problem - vise rootkitova/malware programa

Napisano na dan: 17.3.2010

Problem - vise rootkitova/malware programa

Sledeća strana

Pagination

Odgovori

Moraelyn Poslao: 17 Mar 2010 22:42 Idi na vrh
offline Moraelyn Novi MyCity građanin Pridružio: 17 Mar 2010 Poruke: 3	0Niko još nije pohvalio poruku. Registruj se da bi pohvalio/la poruku! Uloguj se preko Facebooka da bi skinuo fajl: E pa ovako. Supruga mi se požalila da joj se laptop strašno čudno ponaša i posumnjala je na viruse. Uzeo sam da pogledam i vidio da je pun svega i svačega. Pri samom startovanju Windowsa, računar prijavljuje poruku "Retrieving personalized settings from" i onda neka gomila brojeva i slova (kasnije sam shvatio da ucitava fajl igfxsrvo.exe koji se nalazi u Recycle binu - problem br. 1 pretpostavljam). Pokušao sam da ga očistim iz Registryja, ali kada restartujem računar ponovo se pojavi. Ranije sam i sam uspijevao da očistim po nešto od malwarea uglavnom koristeći HiJackThis, ali u ovom slučaju mi računar uopšte ne da da ga pokrenem. Slično je i sa RootRepealom - oba programa se sami gase posle 3-4 sekunde. Pored toga, računar blokira mnoge sajtove (uključujući i ovaj forum - čestitke ) tako da sam sve što sam mislio da je potrebno prebacio na flash i onda prenio na laptop. Na žalost GMER ne radi na tom računaru, a kao što sam već rekao RootRepeal neki od rootkita gasi sam poslije najviše 3-4 sekunde. Fajlovi koje sam našao da su sigurno problemi su: brac.exe uapss.exe sawe.exe sawery.exe 473.exe 820.exe igfxsrvo.exe Naravno, nijedan ne može ručno da se izbriše. Računar neće da se podigne u safe modeu (sam se resetuje na pola inicijalizacije drajvera), a ni command prompt neće da se podigne. Jedino što sam uspio da dobijem su DDS izvještaji. Nadam se da ćete imati više uspjeha od mene. DDS (Ver_10-03-17.01) - NTFSx86 Run by Admin at 22:18:42.03 on 17/03/2010 Internet Explorer: 6.0.2900.2180 BrowserJavaVersion: 1.6.0_16 Microsoft Windows XP Professional 5.1.2600.2.1252.44.1033.18.503.99 [GMT 1:00] AV: Norton AntiVirus 2005 On-access scanning disabled (Updated) {E10A9785-9598-4754-B552-92431C1C35F8} FW: Norton Internet Worm Protection enabled {990F9400-4CEE-43EA-A83A-D013ADD8EA6E} ============== Running Processes =============== C:\WINDOWS\system32\svchost -k DcomLaunch svchost.exe C:\WINDOWS\System32\svchost.exe -k netsvcs svchost.exe svchost.exe C:\WINDOWS\Explorer.EXE C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe C:\WINDOWS\system32\spoolsv.exe svchost.exe C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe C:\Program Files\Java\jre6\bin\jqs.exe C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe C:\Program Files\Norton AntiVirus\navapsvc.exe C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe C:\WINDOWS\system32\svchost.exe -k imgsvc C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe C:\WINDOWS\system32\igfxtray.exe C:\WINDOWS\AGRSMMSG.exe C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe C:\WINDOWS\System32\svchost.exe -k HTTPFilter C:\WINDOWS\system32\dla\tfswctrl.exe C:\Program Files\Synaptics\SynTP\SynTPLpr.exe C:\Program Files\Synaptics\SynTP\SynTPEnh.exe C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe C:\Program Files\HPQ\HP Wireless Assistant\HP Wireless Assistant.exe C:\Program Files\Common Files\Symantec Shared\ccApp.exe C:\Program Files\SealedMedia\sealmon.exe C:\Program Files\Java\jre6\bin\jusched.exe C:\Program Files\HPQ\SHARED\HPQWMI.exe C:\Program Files\Skype\Phone\Skype.exe C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe C:\Documents and Settings\Admin\Local Settings\Application Data\Google\Update\GoogleUpdate.exe C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe C:\Documents and Settings\Admin\Local Settings\Application Data\Google\Update\1.2.183.17\GoogleCrashHandler.exe C:\PROGRA~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Messenger\msmsgs.exe C:\Documents and Settings\Admin\Desktop\dds.scr ============== Pseudo HJT Report =============== uStart Page = hxxp://www.hp.com/ uSearch Page = hxxp://www.google.com uSearch Bar = hxxp://www.google.com/ie mDefault_Page_URL = hxxp://www.hp.com mDefault_Search_URL = hxxp://toolbar.ask.com/toolbarv/askRedirect?o=10615&gct=&gc=1&q= uInternet Connection Wizard,ShellNext = wmplayer.exe //ICWLaunch uSearchAssistant = hxxp://www.google.com/ie uSearchURL,(Default) = hxxp://toolbar.ask.com/toolbarv/askRedirect?o=10615&gct=&gc=1&q=%s mSearchAssistant = hxxp://www.google.com/ie uURLSearchHooks: ICQ Toolbar: {855f3b16-6d32-4fe6-8a56-bbb695989046} - c:\program files\icqtoolbar\toolbaru.dll uURLSearchHooks: DefaultSearchHook Class: {c94e154b-1459-4a47-966b-4b843befc7db} - c:\program files\asksearch\bin\DefaultSearch.dll mWinlogon: Taskman=c:\documents and settings\admin\application data\brac.exe uWinlogon: Shell=c:\documents and settings\admin\csrss.exe,c:\documents and settings\admin\application data\uapss.exe,explorer.exe,c:\documents and settings\admin\application data\brac.exe BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\tfswshx.dll BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.5.4723.1820\swg.dll BHO: CNavExtBho Class: {bdf3e430-b101-42ad-a544-fadc6b084872} - c:\program files\norton antivirus\NavShExt.dll BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll TB: Norton AntiVirus: {42cdd1bf-3ffb-4238-8ad1-7859df00b1d6} - c:\program files\norton antivirus\NavShExt.dll TB: ICQ Toolbar: {855f3b16-6d32-4fe6-8a56-bbb695989046} - c:\program files\icqtoolbar\toolbaru.dll TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe uRun: [Skype] "c:\program files\skype\phone\Skype.exe" /nosplash /minimized uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe" uRun: [Google Update] "c:\documents and settings\admin\local settings\application data\google\update\GoogleUpdate.exe" /c mRun: [IgfxTray] c:\windows\system32\igfxtray.exe mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe mRun: [AGRSMMSG] AGRSMMSG.exe mRun: [SoundMAXPnP] c:\program files\analog devices\soundmax\SMax4PNP.exe mRun: [SoundMAX] c:\program files\analog devices\soundmax\Smax4.exe /tray mRun: [UpdateManager] "c:\program files\common files\sonic\update manager\sgtray.exe" /r mRun: [dla] c:\windows\system32\dla\tfswctrl.exe mRun: [SynTPLpr] c:\program files\synaptics\syntp\SynTPLpr.exe mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe mRun: [eabconfg.cpl] c:\program files\hpq\quick launch buttons\EabServr.exe /Start mRun: [Cpqset] c:\program files\hpq\default settings\cpqset.exe mRun: [hpWirelessAssistant] "%ProgramFiles%\HPQ\HP Wireless Assistant\HP Wireless Assistant.exe" mRun: [WatchDog] c:\program files\intervideo\dvd check\DVDCheck.exe mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe" mRun: [Symantec NetDriver Monitor] c:\progra~1\symnet~1\SNDMon.exe /Consumer mRun: [sealmon] c:\program files\sealedmedia\sealmon.exe mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe" mRun: [ctfmon.exe] ctfmon.exe StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\blueto~1.lnk - c:\program files\widcomm\bluetooth software\BTTray.exe StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\dvdche~1.lnk - c:\program files\intervideo\dvd check\DVDCheck.exe StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE IE: &ICQ Toolbar Search - c:\program files\icqtoolbar\toolbaru.dll/SEARCH.HTML IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office10\EXCEL.EXE/3000 IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab DPF: {CAFEEFAC-0015-0000-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0-windows-i586.cab DPF: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL Notify: igfxcui - igfxsrvc.dll mASetup: {92GOM5C0-6FCB-13HJ-LKX5-81CTYK99850309} - c:\recycler\s-1-5-21-1482476501-1644491937-682003330-1013\igfxsrvo.exe IFEO: ctfmon.exe - wmiexecxz.exe Hosts: 18.250.56.11 msnfix.changelog.fr Hosts: 18.250.56.11 www.incodesolutions.com Hosts: 18.250.56.11 virusinfo.prevx.com Hosts: 18.250.56.11 download.bleepingcomputer.com Hosts: 18.250.56.11 www.dazhizhu.cn Note: multiple HOSTS entries found. Please refer to Attach.txt ================= FIREFOX =================== FF - ProfilePath - c:\docume~1\admin\applic~1\mozilla\firefox\profiles\smwgzdem.default\ FF - prefs.js: browser.search.selectedEngine - Google FF - prefs.js: browser.startup.homepage - about:blank FF - prefs.js: keyword.URL - hxxp://toolbar.ask.com/toolbarv/askRedirect?o=10615&gct=&gc=1&q= FF - plugin: c:\documents and settings\admin\local settings\application data\google\update\1.2.183.17\npGoogleOneClick8.dll FF - plugin: c:\program files\google\update\1.2.183.17\npGoogleOneClick8.dll FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} ---- FIREFOX POLICIES ---- c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true); ============= SERVICES / DRIVERS =============== R0 pxscan;pxscan;c:\windows\system32\drivers\pxscan.sys [2010-3-17 30280] R1 SAVRTPEL;SAVRTPEL;c:\program files\norton antivirus\SAVRTPEL.SYS [2004-7-24 50312] R2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\CCEVTMGR.EXE [2004-8-14 198248] R2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\CCSETMGR.EXE [2004-8-14 181864] R2 pxrts;pxrts;c:\windows\system32\drivers\pxrts.sys [2010-3-17 50504] R2 Symantec Core LC;Symantec Core LC;c:\program files\common files\symantec shared\ccpd-lc\symlcsvc.exe [2005-9-22 817304] R3 GTIPCI21;GTIPCI21;c:\windows\system32\drivers\gtipci21.sys [2004-5-3 80384] R3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\35.tmp --> c:\windows\system32\35.tmp [?] R3 navapsvc;Norton AntiVirus Auto-Protect Service;c:\program files\norton antivirus\NAVAPSVC.EXE [2004-8-18 177264] R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20100303.005\NAVENG.Sys [2010-3-5 84912] R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20100303.005\NavEx15.Sys [2010-3-5 1324720] R3 pxkbf;pxkbf;c:\windows\system32\drivers\pxkbf.sys [2010-3-17 24368] R3 SAVRT;SAVRT;c:\program files\norton antivirus\SAVRT.SYS [2004-7-24 338056] S1 SAVRKBootTasks;Boot Tasks Driver;c:\windows\system32\SAVRKBootTasks.sys [2010-3-17 18816] S2 CSIScanner;CSIScanner;c:\program files\prevx\prevx.exe [2010-3-17 6300592] S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-3-3 135664] S2 SBService;ScriptBlocking Service;c:\progra~1\common~1\symant~1\script~1\SBServ.exe [2004-8-18 67184] S3 ccPwdSvc;Symantec Password Validation;c:\program files\common files\symantec shared\CCPWDSVC.EXE [2004-8-14 79464] S3 musbehco;musbehco;c:\docume~1\admin\locals~1\temp\musbehco.sys [2004-4-29 29696] S3 SAVScan;SAVScan;c:\program files\norton antivirus\SAVSCAN.EXE [2004-7-24 198368] =============== Created Last 30 ================ 2010-03-17 21:18:02 18816 ------w- c:\windows\system32\SAVRKBootTasks.sys 2010-03-17 21:04:02 0 d-----w- c:\program files\Sophos 2010-03-17 17:14:35 55184 ----a-w- c:\windows\system32\PxSecure.dll 2010-03-17 17:14:33 50504 ----a-w- c:\windows\system32\drivers\pxrts.sys 2010-03-17 17:14:33 30280 ----a-w- c:\windows\system32\drivers\pxscan.sys 2010-03-17 17:14:32 24368 ----a-w- c:\windows\system32\drivers\pxkbf.sys 2010-03-17 17:14:31 0 d-----w- c:\program files\Prevx 2010-03-17 17:14:26 0 d-----w- c:\docume~1\alluse~1\applic~1\PrevxCSI 2010-03-17 16:20:55 0 d-----w- c:\program files\Trend Micro 2010-03-17 12:18:17 0 ----a-w- c:\documents and settings\admin\Desktop.ini 2010-03-16 21:59:15 143360 --sh--r- c:\windows\system32\wmiexecxz.exe 2010-03-10 22:46:21 102912 ---h--w- c:\docume~1\admin\applic~1\uapss.exe 2010-03-10 22:46:10 102912 ----a-w- c:\documents and settings\admin\sawe.exe 2010-03-10 22:38:42 97280 ---h--w- c:\docume~1\admin\applic~1\brac.exe 2010-03-10 22:38:35 97280 ----a-w- c:\documents and settings\admin\sawery.exe 2010-03-09 20:18:25 3555328 ------w- c:\windows\system32\dllcache\moviemk.exe 2010-03-04 09:40:38 143360 --sh--r- c:\documents and settings\admin\csrss.exe 2010-02-26 14:54:55 0 d-----w- c:\documents and settings\admin\Application DataPDFcreator ==================== Find3M ==================== 2009-12-31 16:14:12 352640 ------w- c:\windows\system32\dllcache\srv.sys 2005-11-16 17:59:28 868 ----a-w- c:\program files\INSTALL.LOG ============= FINISH: 22:19:58.53 =============== mycity.rs/must-login.png

Profil

diarno Poslao: 17 Mar 2010 23:06 Idi na vrh
offline diarno Anti Malware Fighter Rank 2 Pridružio: 15 Jun 2007 Poruke: 5572	0Niko još nije pohvalio poruku. Registruj se da bi pohvalio/la poruku! Pozdrav i dobrodosao na forum Isprati pazljivo sledece uputstvo : Preuzmi sUBs-ov ComboFix sa sledeće adrese na Desktop: Bleeping Computer Klikni desnim tasterom na link i odaberi opciju Save Target As... (Save Link As..., Save Linked Content As... ili sličnu); Kada se otvori dijalog za izbor lokacije na kojoj treba sačuvati file, odaberi Desktop i klikni Save. Kada preuzimanje programa bude završeno: deaktiviraj zaštitni softver (uputstvo); zatvori pokrenute programe; dvoklikom pokreni program ComboFix. U toku rada, ComboFix će:proveriti postoji li novija verzija programa: klikni Yes ako bude ponuđeno preuzimanje iste. prikazati DISCLAIMER OF WARRANTY ON SOFTWARE: klikni Yes kako bi proces bio nastavljen.ako Recovery Console nije instalirana, ponuditi instalaciju: obavezno prihvati klikom na Yes i isprati postupak.postaviti/dati određeni broj upita/obaveštenja: prihvati klikom na Yes ili OK.po potrebi, restartovati Windows (više puta); na kraju rada, otvoriti Notepad sa izveštajem o skeniranju. Iskopiraj izveštaj koji je ComboFix napravio u temu na forumu: klikni desnim tasterom miša u prozor Notepad-a i izaberi Select All; klikni desnim tasterom miša na obeleženi tekst i izaberi Copy; klikni desnim tasterom miša u polje za pisanje poruke i izaberi Paste. Napomena:Izveštaj će biti sačuvan pod nazivom ComboFix.txt na sistemskoj particiji (tipična lokacija: C:\ComboFix.txt); Ukoliko nakon slanja poruke primetiš da izveštaj nije kompletan, iskoristi opciju Prikači fajl za prilaganje file-a C:\ComboFix.txt uz poruku.

Profil

diarno Poslao: 18 Mar 2010 00:11 Idi na vrh
offline diarno Anti Malware Fighter Rank 2 Pridružio: 15 Jun 2007 Poruke: 5572	0Niko još nije pohvalio poruku. Registruj se da bi pohvalio/la poruku! Otvoriti Notepad i iskopirati sledeci tekst: File:: c:\windows\system32\wmiexecxz.exe c:\documents and settings\Admin\Application Data\uapss.exe c:\documents and settings\Admin\sawe.exe c:\documents and settings\Admin\Application Data\brac.exe . c:\documents and settings\Admin\sawery.exe c:\docume~1\Admin\LOCALS~1\Temp\musbehco.sys c:\windows\system32\drivers\rr.sys Driver:: rr musbehco Registry:: [-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\ctfmon.exe] [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List] "c:\\WINDOWS\\system32\\wmiexecxz.exe"= - Snimiti na Desktop fajl iz Notepada kao "CFScript" Prevuci snimljeni skript/tekst na ComboFix ikonicu kao na slici. Postaviti u sledecoj poruci log koji bude bio napravljen na kraju ciscenja/skeniranja.

Profil

Moraelyn Poslao: 18 Mar 2010 00:42 Idi na vrh
offline Moraelyn Novi MyCity građanin Pridružio: 17 Mar 2010 Poruke: 3	0Niko još nije pohvalio poruku. Registruj se da bi pohvalio/la poruku! Uloguj se preko Facebooka da bi skinuo fajl: Napisano: 17 Mar 2010 23:56 Hvala na dobrodošlici. :-) Odavno sam lurker na ovom forumu, ali je ovo prvi put da sam imao veći problem pa sam morao da se registrujem... Elem, i Combofix je "odbijao poslušnost" kao i ostali programi i proradio je tek kada sam ubio jedan malware proces sa sa GMER-om. Usput, uspio sam iz 10-ak pokusaja da izvučem neke GMER logs. Prva je nepotpuna, druge dvije potpune, ali su napravljene prije Combofixa. ComboFix 10-03-16.05 - Admin 17/03/2010 23:30:20.1.1 - x86 Microsoft Windows XP Professional 5.1.2600.2.1252.44.1033.18.503.205 [GMT 1:00] Running from: c:\documents and settings\Admin\Desktop\ComboFix.exe AV: Norton AntiVirus 2005 On-access scanning disabled (Updated) {E10A9785-9598-4754-B552-92431C1C35F8} FW: Norton Internet Worm Protection enabled {990F9400-4CEE-43EA-A83A-D013ADD8EA6E} . ((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) . C:\data c:\documents and settings\Admin\csrss.exe c:\documents and settings\All Users\Start Menu\Programs\Startup\Bluetooth.lnk c:\program files\AskSearch\bin\DefaultSearch.dll c:\program files\INSTALL.LOG c:\recycler\S-1-5-21-1482476501-1644491937-682003330-1013 c:\recycler\S-1-5-21-1482476501-1644491937-682003330-1013\igfxsrvo.exe c:\windows\eSellerateEngine.dll . ((((((((((((((((((((((((( Files Created from 2010-02-17 to 2010-03-17 ))))))))))))))))))))))))))))))) . 2010-03-17 21:31 . 2010-03-17 21:48 34816 ----a-w- c:\windows\system32\drivers\rr.sys 2010-03-17 21:18 . 2009-06-18 11:55 18816 ------w- c:\windows\system32\SAVRKBootTasks.sys 2010-03-17 21:04 . 2010-03-17 21:04 -------- d-----w- c:\program files\Sophos 2010-03-17 17:14 . 2010-03-17 17:14 55184 ----a-w- c:\windows\system32\PxSecure.dll 2010-03-17 17:14 . 2010-03-17 17:14 50504 ----a-w- c:\windows\system32\drivers\pxrts.sys 2010-03-17 17:14 . 2010-03-17 17:14 30280 ----a-w- c:\windows\system32\drivers\pxscan.sys 2010-03-17 17:14 . 2010-03-17 17:14 24368 ----a-w- c:\windows\system32\drivers\pxkbf.sys 2010-03-17 17:14 . 2010-03-17 17:14 -------- d-----w- c:\program files\Prevx 2010-03-17 17:14 . 2010-03-17 17:19 -------- d-----w- c:\documents and settings\All Users\Application Data\PrevxCSI 2010-03-17 16:20 . 2010-03-17 16:20 -------- d-----w- c:\program files\Trend Micro 2010-03-16 21:59 . 2010-03-16 21:59 143360 --sh--r- c:\windows\system32\wmiexecxz.exe 2010-03-10 22:46 . 2010-03-10 22:46 102912 --sh--r- c:\documents and settings\Admin\Application Data\uapss.exe 2010-03-10 22:46 . 2010-03-10 22:46 102912 ----a-w- c:\documents and settings\Admin\sawe.exe 2010-03-10 22:38 . 2010-03-10 22:38 97280 --sh--r- c:\documents and settings\Admin\Application Data\brac.exe 2010-03-10 22:38 . 2010-03-10 22:38 97280 ----a-w- c:\documents and settings\Admin\sawery.exe 2010-03-09 20:18 . 2009-10-23 14:27 3555328 ------w- c:\windows\system32\dllcache\moviemk.exe 2010-03-08 10:45 . 2010-03-08 10:45 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Google 2010-03-03 15:17 . 2010-03-03 15:17 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Google 2010-02-26 14:54 . 2010-02-26 14:54 -------- d-----w- c:\documents and settings\Admin\Application DataPDFcreator . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2010-03-17 22:15 . 2005-12-05 19:47 -------- d-----w- c:\documents and settings\Admin\Application Data\Skype 2010-03-17 17:04 . 2005-06-09 12:44 -------- d-----w- c:\program files\Common Files\Symantec Shared 2010-03-03 15:17 . 2005-09-22 15:37 -------- d-----w- c:\program files\Google 2010-03-03 12:21 . 2005-11-25 20:50 -------- d-----w- c:\program files\ICQToolbar 2010-01-01 12:12 . 2010-01-01 12:12 79488 ----a-w- c:\documents and settings\Admin\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll 2009-12-31 16:14 . 2004-08-04 08:00 352640 ----a-w- c:\windows\system32\drivers\srv.sys 2009-12-22 05:42 . 2004-08-04 08:00 662016 ----a-w- c:\windows\system32\wininet.dll 2009-12-22 05:42 . 2004-08-04 08:00 81920 ----a-w- c:\windows\system32\ieencode.dll . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . Note empty entries & legit default entries are not shown REGEDIT4 [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "Skype"="c:\program files\Skype\Phone\Skype.exe" [2005-10-24 14892072] "swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-10-23 68856] "Google Update"="c:\documents and settings\Admin\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2008-12-17 133104] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "IgfxTray"="c:\windows\system32\igfxtray.exe" [2004-12-21 155648] "HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2004-12-21 126976] "AGRSMMSG"="AGRSMMSG.exe" [2004-08-24 88363] "SoundMAXPnP"="c:\program files\Analog Devices\SoundMAX\SMax4PNP.exe" [2004-10-14 1388544] "UpdateManager"="c:\program files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-08-19 110592] "dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-08-03 122939] "SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2004-11-04 98394] "SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2004-11-04 688218] "eabconfg.cpl"="c:\program files\HPQ\Quick Launch Buttons\EabServr.exe" [2004-12-03 290816] "Cpqset"="c:\program files\HPQ\Default Settings\cpqset.exe" [2004-09-07 213054] "hpWirelessAssistant"="c:\program files\HPQ\HP Wireless Assistant\HP Wireless Assistant.exe" [2004-12-09 790528] "WatchDog"="c:\program files\InterVideo\DVD Check\DVDCheck.exe" [2004-12-08 184320] "NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648] "ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2007-01-09 58984] "Symantec NetDriver Monitor"="c:\progra~1\SYMNET~1\SNDMon.exe" [2008-09-04 100056] "sealmon"="c:\program files\SealedMedia\sealmon.exe" [2006-06-19 94208] "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2007-05-27 77824] "SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-07-31 149280] "ctfmon.exe"="ctfmon.exe" [2004-08-04 15360] c:\documents and settings\All Users\Start Menu\Programs\Startup\ Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696] DVD Check.lnk - c:\program files\InterVideo\DVD Check\DVDCheck.exe [2005-9-22 184320] Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2004-3-16 83360] [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\ctfmon.exe] "Debugger"=wmiexecxz.exe [HKEY_LOCAL_MACHINE\software\microsoft\security center] "AntiVirusOverride"=dword:00000001 "FirewallOverride"=dword:00000001 [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus] "DisableMonitoring"=dword:00000001 [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall] "DisableMonitoring"=dword:00000001 [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile] "EnableFirewall"= 0 (0x0) [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List] "%windir%\\system32\\sessmgr.exe"= "c:\\WINDOWS\\system32\\wmiexecxz.exe"= "c:\\Program Files\\Skype\\Phone\\Skype.exe"= R0 pxscan;pxscan;c:\windows\system32\drivers\pxscan.sys [17/03/2010 18:14 30280] R1 SAVRKBootTasks;Boot Tasks Driver;c:\windows\system32\SAVRKBootTasks.sys [17/03/2010 22:18 18816] R2 pxrts;pxrts;c:\windows\system32\drivers\pxrts.sys [17/03/2010 18:14 50504] R3 GTIPCI21;GTIPCI21;c:\windows\system32\drivers\gtipci21.sys [03/05/2004 17:26 80384] R3 pxkbf;pxkbf;c:\windows\system32\drivers\pxkbf.sys [17/03/2010 18:14 24368] S2 CSIScanner;CSIScanner;c:\program files\Prevx\prevx.exe [17/03/2010 18:14 6300592] S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [03/03/2010 16:17 135664] S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\35.tmp --> c:\windows\system32\35.tmp [?] S3 musbehco;musbehco;\??\c:\docume~1\Admin\LOCALS~1\Temp\musbehco.sys --> c:\docume~1\Admin\LOCALS~1\Temp\musbehco.sys [?] S3 rr;rr;c:\windows\system32\drivers\rr.sys [17/03/2010 22:31 34816] --- Other Services/Drivers In Memory --- Deregistered - pwldrfob . Contents of the 'Scheduled Tasks' folder 2010-03-17 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job - c:\program files\Google\Update\GoogleUpdate.exe [2010-03-03 15:16] 2010-03-17 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job - c:\program files\Google\Update\GoogleUpdate.exe [2010-03-03 15:16] 2010-03-17 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1951824921-2737178999-3325866196-1006Core.job - c:\documents and settings\Admin\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-12-17 19:33] 2010-03-17 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1951824921-2737178999-3325866196-1006UA.job - c:\documents and settings\Admin\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-12-17 19:33] 2010-03-05 c:\windows\Tasks\Norton AntiVirus - Scan my computer - Administrator.job - c:\progra~1\NORTON~1\Navw32.exe [2004-08-18 11:54] . . ------- Supplementary Scan ------- . uStart Page = hxxp://www.hp.com/ uSearch Page = hxxp://www.google.com uSearch Bar = hxxp://www.google.com/ie uInternet Connection Wizard,ShellNext = wmplayer.exe //ICWLaunch uSearchAssistant = hxxp://www.google.com/ie uSearchURL,(Default) = hxxp://toolbar.ask.com/toolbarv/askRedirect?o=10615&gct=&gc=1&q=%s IE: &ICQ Toolbar Search - c:\program files\ICQToolbar\toolbaru.dll/SEARCH.HTML IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000 IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html FF - ProfilePath - c:\documents and settings\Admin\Application Data\Mozilla\Firefox\Profiles\smwgzdem.default\ FF - prefs.js: browser.search.selectedEngine - Google FF - prefs.js: browser.startup.homepage - about:blank FF - prefs.js: keyword.URL - hxxp://toolbar.ask.com/toolbarv/askRedirect?o=10615&gct=&gc=1&q= FF - plugin: c:\documents and settings\Admin\Local Settings\Application Data\Google\Update\1.2.183.17\npGoogleOneClick8.dll FF - plugin: c:\program files\Google\Update\1.2.183.17\npGoogleOneClick8.dll . - - - - ORPHANS REMOVED - - - - ActiveSetup-{92GOM5C0-6FCB-13HJ-LKX5-81CTYK99850309} - c:\recycler\S-1-5-21-1482476501-1644491937-682003330-1013\igfxsrvo.exe AddRemove-Digital Overlay Demo - c:\windows\unvise32.exe AddRemove-QuickTime - c:\windows\unvise32qt.exe ************************************************************************ catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, gmer.net Rootkit scan 2010-03-17 23:42 Windows 5.1.2600 Service Pack 2 NTFS scanning hidden processes ... c:\windows\system32\wmiexecxz.exe [1616] 0xFEB06020 scanning hidden autostart entries ... HKLM\Software\Microsoft\Windows\CurrentVersion\Run Cpqset = c:\program files\HPQ\Default Settings\cpqset.exe????????1?7?8?9??????? ???B???????????????B? ?????? scanning hidden files ... scan completed successfully hidden files: 0 ********************************************************************** [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MEMSWEEP2] "ImagePath"="\??\c:\windows\system32\35.tmp" . Completion time: 2010-03-17 23:48:39 ComboFix-quarantined-files.txt 2010-03-17 22:48 Pre-Run: 41,562,906,624 bytes free Post-Run: 42,764,042,240 bytes free WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe [boot loader] timeout=2 default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS [operating systems] c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect - - End Of File - - CDFD9953A7882D366F3C85A51E3301D2 mycity.rs/must-login.png mycity.rs/must-login.png mycity.rs/must-login.png Dopuna: 18 Mar 2010 0:11 Izvinjavam se za double post, ali ne vidim nigdje edit dugme. Proces koji sam morao da "ubijem" da bi Combofix proradio je ovaj na kraju GMER1 loga C:\WINDOWS\system32\wmiexecxz.exe (* hidden *** ) i koliko vidim i dalje je aktivan. Dopuna: 18 Mar 2010 0:42 Rekao bih da je sve čisto, ali čekam zvaničnu potvrdu stručnjaka prije hvalospjeva. ComboFix 10-03-17.04 - Admin 18/03/2010 0:18.2.1 - x86 Microsoft Windows XP Professional 5.1.2600.2.1252.44.1033.18.503.106 [GMT 1:00] Running from: c:\documents and settings\Admin\Desktop\ComboFix.exe Command switches used :: c:\documents and settings\Admin\Desktop\CFScript.txt AV: Norton AntiVirus 2005 On-access scanning disabled (Updated) {E10A9785-9598-4754-B552-92431C1C35F8} FW: Norton Internet Worm Protection enabled {990F9400-4CEE-43EA-A83A-D013ADD8EA6E} * Created a new restore point FILE :: "c:\docume~1\Admin\LOCALS~1\Temp\musbehco.sys" "c:\documents and settings\Admin\Application Data\brac.exe ." "c:\documents and settings\Admin\Application Data\uapss.exe" "c:\documents and settings\Admin\sawe.exe" "c:\documents and settings\Admin\sawery.exe" "c:\windows\system32\drivers\rr.sys" "c:\windows\system32\wmiexecxz.exe" . ((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) . c:\windows\system32\drivers\rr.sys c:\windows\system32\wmiexecxz.exe . ((((((((((((((((((((((((((((((((((((((( Drivers/Services ))))))))))))))))))))))))))))))))))))))))))))))))) . -------\Legacy_MUSBEHCO -------\Service_musbehco -------\Service_rr ((((((((((((((((((((((((( Files Created from 2010-02-17 to 2010-03-17 ))))))))))))))))))))))))))))))) . 2010-03-17 21:18 . 2009-06-18 11:55 18816 ------w- c:\windows\system32\SAVRKBootTasks.sys 2010-03-17 21:04 . 2010-03-17 21:04 -------- d-----w- c:\program files\Sophos 2010-03-17 17:14 . 2010-03-17 17:14 55184 ----a-w- c:\windows\system32\PxSecure.dll 2010-03-17 17:14 . 2010-03-17 17:14 50504 ----a-w- c:\windows\system32\drivers\pxrts.sys 2010-03-17 17:14 . 2010-03-17 17:14 30280 ----a-w- c:\windows\system32\drivers\pxscan.sys 2010-03-17 17:14 . 2010-03-17 17:14 24368 ----a-w- c:\windows\system32\drivers\pxkbf.sys 2010-03-17 17:14 . 2010-03-17 17:14 -------- d-----w- c:\program files\Prevx 2010-03-17 17:14 . 2010-03-17 17:19 -------- d-----w- c:\documents and settings\All Users\Application Data\PrevxCSI 2010-03-17 16:20 . 2010-03-17 16:20 -------- d-----w- c:\program files\Trend Micro 2010-03-09 20:18 . 2009-10-23 14:27 3555328 ------w- c:\windows\system32\dllcache\moviemk.exe 2010-03-08 10:45 . 2010-03-08 10:45 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Google 2010-03-03 15:17 . 2010-03-03 15:17 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Google 2010-02-26 14:54 . 2010-02-26 14:54 -------- d-----w- c:\documents and settings\Admin\Application DataPDFcreator . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2010-03-17 23:29 . 2005-12-05 19:47 -------- d-----w- c:\documents and settings\Admin\Application Data\Skype 2010-03-17 17:04 . 2005-06-09 12:44 -------- d-----w- c:\program files\Common Files\Symantec Shared 2010-03-03 15:17 . 2005-09-22 15:37 -------- d-----w- c:\program files\Google 2010-03-03 12:21 . 2005-11-25 20:50 -------- d-----w- c:\program files\ICQToolbar 2010-01-01 12:12 . 2010-01-01 12:12 79488 ----a-w- c:\documents and settings\Admin\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll 2009-12-31 16:14 . 2004-08-04 08:00 352640 ----a-w- c:\windows\system32\drivers\srv.sys 2009-12-22 05:42 . 2004-08-04 08:00 662016 ------w- c:\windows\system32\wininet.dll 2009-12-22 05:42 . 2004-08-04 08:00 81920 ----a-w- c:\windows\system32\ieencode.dll . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . Note empty entries & legit default entries are not shown REGEDIT4 [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "Skype"="c:\program files\Skype\Phone\Skype.exe" [2005-10-24 14892072] "swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-10-23 68856] "Google Update"="c:\documents and settings\Admin\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2008-12-17 133104] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "IgfxTray"="c:\windows\system32\igfxtray.exe" [2004-12-21 155648] "HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2004-12-21 126976] "AGRSMMSG"="AGRSMMSG.exe" [2004-08-24 88363] "SoundMAXPnP"="c:\program files\Analog Devices\SoundMAX\SMax4PNP.exe" [2004-10-14 1388544] "UpdateManager"="c:\program files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-08-19 110592] "dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-08-03 122939] "SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2004-11-04 98394] "SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2004-11-04 688218] "eabconfg.cpl"="c:\program files\HPQ\Quick Launch Buttons\EabServr.exe" [2004-12-03 290816] "Cpqset"="c:\program files\HPQ\Default Settings\cpqset.exe" [2004-09-07 213054] "hpWirelessAssistant"="c:\program files\HPQ\HP Wireless Assistant\HP Wireless Assistant.exe" [2004-12-09 790528] "WatchDog"="c:\program files\InterVideo\DVD Check\DVDCheck.exe" [2004-12-08 184320] "NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648] "ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2007-01-09 58984] "Symantec NetDriver Monitor"="c:\progra~1\SYMNET~1\SNDMon.exe" [2008-09-04 100056] "sealmon"="c:\program files\SealedMedia\sealmon.exe" [2006-06-19 94208] "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2007-05-27 77824] "SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-07-31 149280] c:\documents and settings\All Users\Start Menu\Programs\Startup\ Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696] DVD Check.lnk - c:\program files\InterVideo\DVD Check\DVDCheck.exe [2005-9-22 184320] Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2004-3-16 83360] [HKEY_LOCAL_MACHINE\software\microsoft\security center] "AntiVirusOverride"=dword:00000001 "FirewallOverride"=dword:00000001 [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus] "DisableMonitoring"=dword:00000001 [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall] "DisableMonitoring"=dword:00000001 [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile] "EnableFirewall"= 0 (0x0) [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List] "%windir%\\system32\\sessmgr.exe"= "c:\\Program Files\\Skype\\Phone\\Skype.exe"= R0 pxscan;pxscan;c:\windows\system32\drivers\pxscan.sys [17/03/2010 18:14 30280] R1 SAVRKBootTasks;Boot Tasks Driver;c:\windows\system32\SAVRKBootTasks.sys [17/03/2010 22:18 18816] R2 CSIScanner;CSIScanner;c:\program files\Prevx\prevx.exe [17/03/2010 18:14 6300592] R2 pxrts;pxrts;c:\windows\system32\drivers\pxrts.sys [17/03/2010 18:14 50504] R3 GTIPCI21;GTIPCI21;c:\windows\system32\drivers\gtipci21.sys [03/05/2004 17:26 80384] R3 pxkbf;pxkbf;c:\windows\system32\drivers\pxkbf.sys [17/03/2010 18:14 24368] S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [03/03/2010 16:17 135664] S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\35.tmp --> c:\windows\system32\35.tmp [?] . Contents of the 'Scheduled Tasks' folder 2010-03-17 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job - c:\program files\Google\Update\GoogleUpdate.exe [2010-03-03 15:16] 2010-03-17 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job - c:\program files\Google\Update\GoogleUpdate.exe [2010-03-03 15:16] 2010-03-17 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1951824921-2737178999-3325866196-1006Core.job - c:\documents and settings\Admin\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-12-17 19:33] 2010-03-17 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1951824921-2737178999-3325866196-1006UA.job - c:\documents and settings\Admin\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-12-17 19:33] 2010-03-05 c:\windows\Tasks\Norton AntiVirus - Scan my computer - Administrator.job - c:\progra~1\NORTON~1\Navw32.exe [2004-08-18 11:54] . . ------- Supplementary Scan ------- . uStart Page = hxxp://www.hp.com/ uSearch Page = hxxp://www.google.com uSearch Bar = hxxp://www.google.com/ie uInternet Connection Wizard,ShellNext = wmplayer.exe //ICWLaunch uSearchAssistant = hxxp://www.google.com/ie uSearchURL,(Default) = hxxp://www.google.com/search?q=%s IE: &ICQ Toolbar Search - c:\program files\ICQToolbar\toolbaru.dll/SEARCH.HTML IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000 IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html FF - ProfilePath - c:\documents and settings\Admin\Application Data\Mozilla\Firefox\Profiles\smwgzdem.default\ FF - prefs.js: browser.search.selectedEngine - Google FF - prefs.js: browser.startup.homepage - about:blank FF - prefs.js: keyword.URL - hxxp://toolbar.ask.com/toolbarv/askRedirect?o=10615&gct=&gc=1&q= FF - plugin: c:\documents and settings\Admin\Local Settings\Application Data\Google\Update\1.2.183.17\npGoogleOneClick8.dll FF - plugin: c:\program files\Google\Update\1.2.183.17\npGoogleOneClick8.dll . ************************************************************************ catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, gmer.net Rootkit scan 2010-03-18 00:27 Windows 5.1.2600 Service Pack 2 NTFS scanning hidden processes ... scanning hidden autostart entries ... HKLM\Software\Microsoft\Windows\CurrentVersion\Run Cpqset = c:\program files\HPQ\Default Settings\cpqset.exe????????????n??\|?????? ???B???????????????B? ?????? scanning hidden files ... scan completed successfully hidden files: 0 ********************************************************************** [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MEMSWEEP2] "ImagePath"="\??\c:\windows\system32\35.tmp" . ------------------------ Other Running Processes ------------------------ . c:\windows\System32\SCardSvr.exe c:\program files\WIDCOMM\Bluetooth Software\bin\btwdins.exe c:\program files\Java\jre6\bin\jqs.exe c:\program files\Common Files\Microsoft Shared\VS7Debug\mdm.exe c:\program files\Analog Devices\SoundMAX\SMAgent.exe c:\windows\system32\wdfmgr.exe c:\windows\AGRSMMSG.exe c:\documents and settings\Admin\Local Settings\Application Data\Google\Update\1.2.183.17\GoogleCrashHandler.exe c:\program files\HPQ\SHARED\HPQWMI.exe c:\program files\Messenger\msmsgs.exe . ************************************************************************ . Completion time: 2010-03-18 00:39:24 - machine was rebooted ComboFix-quarantined-files.txt 2010-03-17 23:39 ComboFix2.txt 2010-03-17 22:48 Pre-Run: 42,748,555,264 bytes free Post-Run: 42,524,540,928 bytes free - - End Of File - - 1F1044714D85C199DE2AB24163BEBDE7

Profil

diarno Poslao: 18 Mar 2010 12:10 Idi na vrh
offline diarno Anti Malware Fighter Rank 2 Pridružio: 15 Jun 2007 Poruke: 5572	0Niko još nije pohvalio poruku. Registruj se da bi pohvalio/la poruku! Kolko ja vidim, ovde je sve cisto i ne bi trebalo biti vise nikakvih problema sa startom i usporenoscu sistema. Dalje, nije preporucljivo gomilati zastitni softwer.(tipa prevx,sophos)..Dovovaljan je AV, Antyspyware i eventualno Firewall(ako smatras da ti je potreban)>> vise o tome imas u zastita podforumu. I jos je potrebno je deinstalirati ComboFix: klikni start (ili ), a zatim RUN. Na Visti koristiti Start Search polje ukoliko Run nije dostupan. U liniju za unos teksta ukucaj (iskopiraj) sledeće: ComboFix /Uninstall Primeti da postoji razmak između "ComboFix" i "/Uninstall". a zatim klikni OK (ili pritisni Enter). Sačekaj da se proces deinstalacije završi. To bi bilo to.. POzzz

Profil

Moraelyn Poslao: 18 Mar 2010 15:04 Idi na vrh
offline Moraelyn Novi MyCity građanin Pridružio: 17 Mar 2010 Poruke: 3	0Niko još nije pohvalio poruku. Registruj se da bi pohvalio/la poruku! Definitivno je sve u redu. Hvala puno na pomoći! Inače programe sam instalirao jer sam pokušavao da očistim neke od gluposti. Sada ću poskidati sve i instalirati vjerovatno Avast + Comodo. Još jednom puno hvala na ekspresnoj pomoći. Ovo može u arhivu.

Profil

MyCity » Ambulanta -> Arhiva Ambulante » Problem - vise rootkitova/malware programa

Ko je trenutno na forumu

Ukupno su 791 korisnika na forumu :: 5 registrovanih, 2 sakrivenih i 784 gosta :: [ Administrator ] [ Supermoderator ] [ Moderator ] :: Detaljnije

Najviše korisnika na forumu ikad bilo je 3466 - dana 01 Jun 2021 17:07

Korisnici koji su trenutno na forumu:: Korisnici trenutno na forumu: goxin, mgolub, MilosKop, S-lash, zziko

Svaki korisnik ovog sajta je odgovoran za sadržaj svoje poruke koju objavi na sajtu. Sajt se odriče svake odgovornosti za sadržaj tih poruka.
Postavljanjem vaše poruke ili vašeg autorskog dela na ovaj sajt, saglasni ste da ovaj sajt postaje distributer vašeg dela, i odričete se mogućnosti njegovog povlačenja ili brisanja, bez saglasnosti uprave sajta.
Distribucija sadržaja sa ovog sajta je dozvoljena samo u nekomercijalne svrhe, uz obaveznu napomenu da je sadržaj preuzet sa ovog sajta, i uz obavezno navođenje adrese MyCity sajta. Za sve ostale vidove distribucije obavezni ste da prethodno zatražite odobrenje od vlasnika MyCity sajta.
MyCity pokrenuo, administrira i razvija Predrag Damnjanović, a o uređenju sajta se brine MyCity Tim.
Ukoliko želite da nas kontaktirate kliknite ovde.
Naši sajtovi:
Vesti, Vojni forum, Zaštita od virusa, TekstPesme.rs

This content is licensed under a Creative Commons License.
Based on phpBB 2, translated by Simke, designed by