Problems

  • Joined: 23 Oct 2007
  • Posts: 49

I have a problem with a network printer that is attached to another computer and that my computer cannot recognise. The strange thing is that the internet works but the network does not.
Here is the log file, so see whether anything can be done.
Thanks

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:23:06 PM, on 20/01/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.20583)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\CA\eTrust Antivirus\InoRpc.exe
C:\Program Files\CA\eTrust Antivirus\InoRT.exe
C:\Program Files\CA\eTrust Antivirus\InoTask.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Spyware Terminator\sp_rsser.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Winamp\winampa.exe
C:\PROGRA~1\CA\ETRUST~1\realmon.exe
C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [Realtime Monitor] C:\PROGRA~1\CA\ETRUST~1\realmon.exe -s
O4 - HKLM\..\Run: [SpywareTerminator] "C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [zzgykzeh.exe] C:\WINDOWS\zzgykzeh.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32 (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32 (User 'Default user')
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O16 - DPF: {F9463571-87CB-4A90-A1AC-2284B7F5AF4E} (Persits Software XEncrypt) - banka.com.mk/Ctrls/Ctrls.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{9D2FB415-11D7-4B62-97D7-B4ACE794EB1F}: NameServer = 195.26.152.19
O17 - HKLM\System\CS1\Services\Tcpip\..\{9D2FB415-11D7-4B62-97D7-B4ACE794EB1F}: NameServer = 195.26.152.19
O17 - HKLM\System\CS2\Services\Tcpip\..\{9D2FB415-11D7-4B62-97D7-B4ACE794EB1F}: NameServer = 195.26.152.19
O20 - Winlogon Notify: tqtzyy - C:\WINDOWS\SYSTEM32\tqtzyy.dll
O23 - Service: FCI - Unknown owner - C:\WINDOWS\system32\svchost.exe:ext.exe
O23 - Service: ICF - Unknown owner - C:\WINDOWS\system32\svchost.exe:ext.exe
O23 - Service: eTrust Antivirus RPC Server (InoRPC) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoRpc.exe
O23 - Service: eTrust Antivirus Realtime Server (InoRT) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoRT.exe
O23 - Service: eTrust Antivirus Job Server (InoTask) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoTask.exe
O23 - Service: Event Log Watch (LogWatch) - Unknown owner - C:\WINDOWS\LogWatNT.exe
O23 - Service: Spyware Terminator Realtime Shield Service (sp_rssrv) - Crawler.com - C:\Program Files\Spyware Terminator\sp_rsser.exe

--
End of file - 4369 bytes

  • diarno
  • Anti Malware Fighter
    Rank 2
  • Joined: 15 Jun 2007
  • Posts: 5572

Temporarily disable all protection programs and do the following:

Download ComboFix from one of the following addresses to the Desktop:
http://download.bleepingcomputer.com/sUBs/ComboFix.exe
http://www.forospyware.com/sUBs/ComboFix.exe
http://subs.geekstogo.com/ComboFix.exe

Start it and do not touch the program window while it scans.
Follow the on-screen instructions. When it finishes, a log (C:\ComboFix.txt) will appear, which you should copy here for us.

  • Joined: 23 Oct 2007
  • Posts: 49

Memory problems have appeared. During the scan, ComboFix itself told me it could not check the memory, and then the computer crashed to a blue screen warning that there are some hardware or software problems and dumping the memory.
Now I am unsure whether it really is a memory problem or whether some infection is causing it. How could I check that the memory is OK?

  • diarno
  • Anti Malware Fighter
    Rank 2
  • Joined: 15 Jun 2007
  • Posts: 5572

OK, like this... Try to somehow disable the antivirus you are using...

Then run ComboFix... If it won't work that way either... then expect my reply around 17:00 today.... I do NOT believe it is the memory, because signs of several infections are visible...
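The "signs of several infections" diarno refers to can be picked out of the HijackThis log in the first post mechanically. The following Python script is an added illustration, not a tool from this thread or from HijackThis; it runs a few persistence heuristics (autostart executables dropped straight into the Windows directory, Winlogon Notify DLLs, non-default DNS servers, services whose image path is an NTFS alternate data stream) over lines copied from that log. The heuristics and severity labels are the editor's own assumptions, not a published ruleset.

```python
import re
from dataclasses import dataclass
from typing import List

# Sample input: lines copied verbatim from the HijackThis log in the first post,
# including two entries (SoundMan, eTrust) that are expected to be benign.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [zzgykzeh.exe] C:\WINDOWS\zzgykzeh.exe (User 'SYSTEM')
O17 - HKLM\System\CCS\Services\Tcpip\..\{9D2FB415-11D7-4B62-97D7-B4ACE794EB1F}: NameServer = 195.26.152.19
O20 - Winlogon Notify: tqtzyy - C:\WINDOWS\SYSTEM32\tqtzyy.dll
O23 - Service: FCI - Unknown owner - C:\WINDOWS\system32\svchost.exe:ext.exe
O23 - Service: eTrust Antivirus RPC Server (InoRPC) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoRpc.exe
""".strip()


@dataclass
class Finding:
    severity: str   # "high": strong indicator; "review": needs a human look
    line: str
    reason: str


# O4 autostart line: hive, [entry name], command, optional "(User '...')" suffix
O4_RE = re.compile(r"^O4 - (?P<hive>HK\S+?)\\\.\.\\Run\w*: \[[^\]]+\] (?P<cmd>.*?)(?: \(User '[^']*'\))?$")
# O23 service line: "name - owner - image path"
O23_RE = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+)$")
# Executable sitting directly in the Windows directory rather than in a subfolder
WINROOT_EXE_RE = re.compile(r"^[a-z]:\\windows\\[^\\]+\.exe$", re.I)
# NTFS alternate data stream appended to an image path (e.g. svchost.exe:ext.exe)
ADS_RE = re.compile(r"\.exe:[^\\:]+$", re.I)


def triage(log_text: str) -> List[Finding]:
    """Apply simple persistence heuristics to HijackThis log lines, in log order."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        if m := O4_RE.match(line):
            cmd = m["cmd"].strip().strip('"')
            if WINROOT_EXE_RE.match(cmd):
                # A Run key in the SYSTEM account hive (S-1-5-18) is a rarer, higher-signal location
                sev = "high" if m["hive"].upper().startswith(r"HKUS\S-1-5-18") else "review"
                findings.append(Finding(sev, line, "autostart exe placed directly in the Windows directory"))
        elif line.startswith("O20 - Winlogon Notify:"):
            findings.append(Finding("review", line, "Winlogon Notify DLL loads in every logon session; verify the DLL"))
        elif line.startswith("O17 - "):
            dns = line.rsplit("=", 1)[-1].strip()
            findings.append(Finding("review", line, f"non-default DNS server {dns}; confirm it belongs to the ISP"))
        elif m := O23_RE.match(line):
            if ADS_RE.search(m["path"]):
                findings.append(Finding("high", line, "service image path is an alternate data stream on svchost.exe"))
            elif m["owner"] == "Unknown owner":
                findings.append(Finding("review", line, "service with no publisher information"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.reason}\n         {f.line}")
```

Both "high" hits correspond to items ComboFix later removed in this thread (the zzgykzeh.exe orphan and the FCI/ICF services), which is what a triage pass like this is meant to surface before a cleaner is run.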

  • Joined: 23 Oct 2007
  • Posts: 49

That is what I tried; I disabled both the antivirus and Spyware Terminator. One more note: I also disconnected from the internet since I am disabling the AV. I tried in safe mode too and the same problem recurs.

Update: 22 Jan 2009 14:13

I tried once more and managed to get to the log file.
Note that on restarting the computer, and while the log file was being written, the AV program and Spyware Terminator started automatically.
Also, at the start ComboFix put up a window saying THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED and asked for an internet connection in order to install it, but I ignored that notice, after which the scan ran and produced the log file that follows


ComboFix 09-01-21.02 - Ace 2009-01-22 13:38:28.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.247.113 [GMT 1:00]
Running from: c:\documents and settings\Ace\Desktop\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
---- Previous Run -------
.
c:\windows\system32\tqtzyy.dll
c:\windows\system32\tqtzyy32.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_FCI
-------\Legacy_ICF
-------\Service_ICF
-------\Service_restore


((((((((((((((((((((((((( Files Created from 2008-12-22 to 2009-01-22 )))))))))))))))))))))))))))))))
.

2009-01-21 12:27 . 2009-01-21 12:27 <DIR> d-------- c:\program files\Sophos
2009-01-21 11:17 . 2009-01-21 11:17 <DIR> d-------- c:\program files\CA
2009-01-21 08:05 . 2009-01-21 08:05 <DIR> d-------- c:\program files\AVG
2009-01-21 07:56 . 2003-03-18 21:20 1,060,864 --a------ c:\windows\system32\MFC71.dll
2009-01-21 07:56 . 2003-03-18 20:14 499,712 --a------ c:\windows\system32\MSVCP71.dll
2009-01-20 14:46 . 2004-08-04 13:00 59,904 --a------ c:\windows\system32\drivers\atmarpc.sys.bak
2009-01-20 14:44 . 2004-08-04 13:00 14,336 --a------ c:\windows\system32\drivers\asyncmac.sys.bak
2009-01-16 14:06 . 2009-01-16 14:06 <DIR> d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-01-16 12:41 . 2009-01-21 08:56 5,760 --a------ c:\windows\system32\drivers\restore.sys
2009-01-16 08:42 . 2009-01-16 08:42 <DIR> d-------- c:\program files\Trend Micro
2009-01-15 15:20 . 2009-01-15 15:20 <DIR> d-------- c:\documents and settings\Ace\Application Data\Lavasoft
2009-01-15 14:11 . 2009-01-22 13:17 <DIR> d-------- c:\program files\Spyware Terminator
2009-01-15 14:11 . 2009-01-22 13:17 <DIR> d-------- c:\documents and settings\All Users\Application Data\Spyware Terminator
2009-01-15 14:11 . 2009-01-22 11:00 <DIR> d-------- c:\documents and settings\Ace\Application Data\Spyware Terminator
2009-01-15 14:11 . 2009-01-15 14:11 138,752 --a------ c:\windows\system32\drivers\sp_rsdrv2.sys
2009-01-15 14:10 . 2009-01-15 14:10 <DIR> d-------- c:\program files\Alwil Software

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-21 07:56 14,336 ----a-w c:\windows\system32\svchost.exe
2009-01-20 13:46 136,640 ----a-w c:\windows\system32\drivers\atmarpc.sys
2009-01-15 13:53 --------- d-----w c:\program files\Yahoo! Games
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\System32\igfxtray.exe" [2002-10-15 155648]
"HotKeysCmds"="c:\windows\System32\hkcmd.exe" [2002-10-15 114688]
"WinampAgent"="c:\program files\Winamp\winampa.exe" [2004-12-20 33792]
"SpywareTerminator"="c:\program files\Spyware Terminator\SpywareTerminatorShield.exe" [2009-01-16 2957824]
"Realtime Monitor"="c:\progra~1\CA\ETRUST~1\realmon.exe" [2004-04-06 504080]
"SoundMan"="SOUNDMAN.EXE" [2002-08-02 c:\windows\SOUNDMAN.EXE]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-04 15360]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"ShowDeskFix"="shell32" [X]
"IE7-10"="advpack.dll" [2007-09-20 c:\windows\system32\advpack.dll]

c:\documents and settings\Administrator\Start Menu\Programs\Startup\
OpenOffice.org 1.0.2.lnk - c:\program files\OpenOffice.org1.0.2\program\quickstart.exe [2003-03-13 61440]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-02-13 83360]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ati7bhxx.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\CA\\eTrust Antivirus\\Realmon.exe"=
"c:\\Program Files\\CA\\eTrust Antivirus\\InocIT.exe"=

R1 sp_rsdrv2;Spyware Terminator Driver 2;c:\windows\system32\drivers\sp_rsdrv2.sys [2009-01-15 138752]
S0 ati7bhxx;ati7bhxx;c:\windows\system32\Drivers\ati7bhxx.sys --> c:\windows\system32\Drivers\ati7bhxx.sys [?]
S3 EL910;3Com 3CSOHO100B-TX PCI;c:\windows\system32\drivers\EL910N51.sys [2002-05-29 38400]
S3 EverestDriver;Lavalys EVEREST Kernel Driver;\??\e:\everestultimate450\kerneld.wnt --> e:\everestultimate450\kerneld.wnt [?]
S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\7.tmp --> c:\windows\system32\7.tmp [?]
S4 LogWatch;Event Log Watch;c:\windows\LogWatNT.exe [2000-06-08 50176]
.
- - - - ORPHANS REMOVED - - - -

HKU-Default-Run-zzgykzeh.exe - c:\windows\zzgykzeh.exe
Notify-tqtzyy - tqtzyy32.dll


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
TCP: {9D2FB415-11D7-4B62-97D7-B4ACE794EB1F} = 195.26.152.19
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
DPF: {F9463571-87CB-4A90-A1AC-2284B7F5AF4E} - hxxps://www.banka.com.mk/Ctrls/Ctrls.cab
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, gmer.net
Rootkit scan 2009-01-22 13:43:14
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\EverestDriver]
"ImagePath"="\??\e:\everestultimate450\kerneld.wnt"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MEMSWEEP2]
"ImagePath"="\??\c:\windows\system32\7.tmp"
.
------------------------ Other Running Processes ------------------------
.
c:\program files\CA\eTrust Antivirus\InoRpc.exe
c:\program files\CA\eTrust Antivirus\InoRT.exe
c:\program files\CA\eTrust Antivirus\InoTask.exe
c:\program files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
c:\program files\Spyware Terminator\sp_rsser.exe
.
**************************************************************************
.
Completion time: 2009-01-22 13:48:33 - machine was rebooted [Ace]
ComboFix-quarantined-files.txt 2009-01-22 12:48:27

Pre-Run: 8,626,667,520 bytes free
Post-Run: 8,700,993,536 bytes free


  • diarno
  • Anti Malware Fighter
    Rank 2
  • Joined: 15 Jun 2007
  • Posts: 5572

Open Notepad and copy the following text:

File::
c:\windows\system32\drivers\restore.sys
c:\windows\system32\Drivers\ati7bhxx.sys

Driver::
ati7bhxx

Registry::
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ati7bhxx.sys]

Save the file from Notepad to the Desktop as "CFScript"

Drag the saved script/text onto the ComboFix icon as in the picture.
Post in your next message the log that is produced at the end of the cleaning/scanning.

  • Joined: 23 Oct 2007
  • Posts: 49

Done, here is the log file

ComboFix 09-01-21.04 - Ace 2009-01-23 9:28:17.4 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.247.83 [GMT 1:00]
Running from: c:\documents and settings\Ace\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Ace\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
c:\windows\system32\Drivers\ati7bhxx.sys
c:\windows\system32\drivers\restore.sys
.
/wow section - STAGE 27


((((((((((((((((((((((((( Files Created from 2008-12-23 to 2009-01-23 )))))))))))))))))))))))))))))))
.

2009-01-21 12:27 . 2009-01-21 12:27 <DIR> d-------- c:\program files\Sophos
2009-01-21 11:17 . 2009-01-21 11:17 <DIR> d-------- c:\program files\CA
2009-01-21 08:05 . 2009-01-21 08:05 <DIR> d-------- c:\program files\AVG
2009-01-21 07:56 . 2003-03-18 21:20 1,060,864 --a------ c:\windows\system32\MFC71.dll
2009-01-21 07:56 . 2003-03-18 20:14 499,712 --a------ c:\windows\system32\MSVCP71.dll
2009-01-20 14:46 . 2004-08-04 13:00 59,904 --a------ c:\windows\system32\drivers\atmarpc.sys.bak
2009-01-20 14:44 . 2004-08-04 13:00 14,336 --a------ c:\windows\system32\drivers\asyncmac.sys.bak
2009-01-16 14:06 . 2009-01-16 14:06 <DIR> d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-01-16 08:42 . 2009-01-16 08:42 <DIR> d-------- c:\program files\Trend Micro
2009-01-15 15:20 . 2009-01-15 15:20 <DIR> d-------- c:\documents and settings\Ace\Application Data\Lavasoft
2009-01-15 14:11 . 2009-01-22 13:17 <DIR> d-------- c:\program files\Spyware Terminator
2009-01-15 14:11 . 2009-01-22 13:17 <DIR> d-------- c:\documents and settings\All Users\Application Data\Spyware Terminator
2009-01-15 14:11 . 2009-01-22 11:00 <DIR> d-------- c:\documents and settings\Ace\Application Data\Spyware Terminator
2009-01-15 14:11 . 2009-01-15 14:11 138,752 --a------ c:\windows\system32\drivers\sp_rsdrv2.sys
2009-01-15 14:10 . 2009-01-15 14:10 <DIR> d-------- c:\program files\Alwil Software

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-21 07:56 14,336 ----a-w c:\windows\system32\svchost.exe
2009-01-20 13:46 136,640 ----a-w c:\windows\system32\drivers\atmarpc.sys
2009-01-15 13:53 --------- d-----w c:\program files\Yahoo! Games
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\System32\igfxtray.exe" [2002-10-15 155648]
"HotKeysCmds"="c:\windows\System32\hkcmd.exe" [2002-10-15 114688]
"WinampAgent"="c:\program files\Winamp\winampa.exe" [2004-12-20 33792]
"SpywareTerminator"="c:\program files\Spyware Terminator\SpywareTerminatorShield.exe" [2009-01-16 2957824]
"Realtime Monitor"="c:\progra~1\CA\ETRUST~1\realmon.exe" [2004-04-06 504080]
"SoundMan"="SOUNDMAN.EXE" [2002-08-02 c:\windows\SOUNDMAN.EXE]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-04 15360]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"ShowDeskFix"="shell32" [X]
"IE7-10"="advpack.dll" [2007-09-20 c:\windows\system32\advpack.dll]

c:\documents and settings\Administrator\Start Menu\Programs\Startup\
OpenOffice.org 1.0.2.lnk - c:\program files\OpenOffice.org1.0.2\program\quickstart.exe [2003-03-13 61440]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-02-13 83360]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\CA\\eTrust Antivirus\\Realmon.exe"=
"c:\\Program Files\\CA\\eTrust Antivirus\\InocIT.exe"=

R1 sp_rsdrv2;Spyware Terminator Driver 2;c:\windows\system32\drivers\sp_rsdrv2.sys [2009-01-15 138752]
S3 EL910;3Com 3CSOHO100B-TX PCI;c:\windows\system32\drivers\EL910N51.sys [2002-05-29 38400]
S3 EverestDriver;Lavalys EVEREST Kernel Driver;\??\e:\everestultimate450\kerneld.wnt --> e:\everestultimate450\kerneld.wnt [?]
S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\7.tmp --> c:\windows\system32\7.tmp [?]
S4 LogWatch;Event Log Watch;c:\windows\LogWatNT.exe [2000-06-08 50176]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
TCP: {9D2FB415-11D7-4B62-97D7-B4ACE794EB1F} = 195.26.152.19
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
DPF: {F9463571-87CB-4A90-A1AC-2284B7F5AF4E} - hxxps://www.banka.com.mk/Ctrls/Ctrls.cab
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, gmer.net
Rootkit scan 2009-01-23 09:30:31
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\EverestDriver]
"ImagePath"="\??\e:\everestultimate450\kerneld.wnt"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MEMSWEEP2]
"ImagePath"="\??\c:\windows\system32\7.tmp"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Microsoft\TelnetServer\1.0\ReadConfig]
@DACL=(02 0000)
"Defaults"=dword:00000000
.
Completion time: 2009-01-23 9:32:48
ComboFix-quarantined-files.txt 2009-01-23 08:32:41
ComboFix2.txt 2009-01-23 08:20:03
ComboFix3.txt 2009-01-22 12:48:36

Pre-Run: 8,684,462,080 bytes free
Post-Run: 8,675,590,144 bytes free


  • diarno
  • Anti Malware Fighter
    Rank 2
  • Joined: 15 Jun 2007
  • Posts: 5572

What is the situation now?

  • Joined: 23 Oct 2007
  • Posts: 49

So far it is fine. It was fine before I sent the first log file too, only the printer blocking would occasionally reappear.
Finally, one question: is it possible to clean an infection on a computer completely by installing different AV and antispyware programs (I install one, then delete it, then another, and so on), or must the cleaning be done with ComboFix?
Finally, thanks for the help

  • diarno
  • Anti Malware Fighter
    Rank 2
  • Joined: 15 Jun 2007
  • Posts: 5572

Like this... Do not install several AV programs, not even that way (delete one, then install another)... You were lucky not to feel any consequences.. Nowadays for most AV programs there are specialised cleaners that uninstall them and remove them completely from the system.. Simply because AV programs are becoming ever more complex (we all know why) and "burrow" very deep into the system...

I advise you to do the following:

Delete the following folders:

c:\program files\Sophos
c:\program files\AVG
c:\program files\Alwil Software

Run some junk cleaner and registry cleaner (choose one yourself or use the search; it has been discussed many, many times here on the forum)...

And do not use ComboFix on your own... There are on-demand scanners (Dr.Web CureIt, Norman Malware Cleaner etc.) and online scanners if you suspect that the AV has missed something..

Do this as well:

Click START and then RUN
In the text entry line type Combofix /u and click OK

Wait for the uninstall process to finish

The above procedure will:
Delete the following:
ComboFix and its files and folders
VundoFix Backups folder, if it exists
C:\Deckard folder, if it exists
C:\OtMoveIt folder, if it exists

Reset the clock settings on the computer
Hide file extensions, if necessary
Hide system/hidden files/folders, if necessary
Reset System Restore
