Computer running slowly - Mouse "stutters" when moved

  • Joined: 16 Sep 2008
  • Posts: 14

As the title says....

The computer seems to struggle while working; it happens that the mouse "stutters", that is, it seems to stall while I move it.
It seems to me there are some strange processes I'm not familiar with.

I'd ask for a check of the log file and any instructions if they are needed.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:52:00 PM, on 9/16/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Google\Google Talk\googletalk.exe
C:\BITWARE\NT\bwprnmon.exe
C:\WINDOWS\system32\ntvdm.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\Program Files\Nokia\Nokia PC Suite 7\PCSuite.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Nokia\Nokia PC Suite 7\PCSync2.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\devldr32.exe
C:\Program Files\Common Files\Nokia\MPAPI\MPAPI3s.exe
C:\WINDOWS\smss.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Documents and Settings\Zlaja\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Opera\opera.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Outlook Express\msimn.exe
c:\temps\svchost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = rs1.travian.com/build.php
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: Yahoo! ¤u¨ã¦C - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: AddTask Class - {24F06550-65E3-4D1C-8CFE-839C296B5530} - C:\Program Files\real\IEeREAD.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: IE to GetRight Helper - {31FF080D-12A3-439A-A2EF-4BA95A3148E8} - C:\Program Files\GetRight\xx2gr.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: AddTask Class - {6A19C29D-ED45-4483-8999-9F939C8161F2} - C:\Program Files\real\WebHook.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O3 - Toolbar: Yahoo! ¤u¨ã¦C - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [googletalk] C:\Program Files\Google\Google Talk\googletalk.exe /autostart
O4 - HKLM\..\Run: [bwprnmon.exe] C:\BITWARE\NT\bwprnmon.exe
O4 - HKLM\..\Run: [CorelDRAW Graphics Suite 11b] C:\Program Files\Corel\Corel Graphics 12\Languages\EN\Programs\Registration.exe /title="CorelDRAW Graphics Suite 12" /date=092608
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [PC Suite Tray] "C:\Program Files\Nokia\Nokia PC Suite 7\PCSuite.exe" -onlytray
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Nokia.PCSync] "C:\Program Files\Nokia\Nokia PC Suite 7\PCSync2.exe" /NoDialog
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKLM\..\Policies\Explorer\Run: [minyust] C:\WINDOWS\system32\inf\svchoct.exe C:\WINDOWS\wftadfi16_080913a.dll tan16d
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: Download with GetRight Pro - C:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Open with GetRight Pro Browser - C:\Program Files\GetRight\GRbrowse.htm
O8 - Extra context menu item: Sothink SWF Catcher - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - Extra 'Tools' menuitem: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - messenger.zone.msn.com/binary/MineSweeper.cab56986.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Internet Service - Unknown owner - C:\WINDOWS\smss.exe
O23 - Service: TCP IP Service (Messager) - Unknown owner - c:\temps\svchost.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe

--
End of file - 7887 bytes

  • dr_Bora  Male
  • Anti Malware Fighter
    Rank 2
  • Joined: 24 Jul 2007
  • Posts: 12280
  • Location: Höganäs, SE

Hi...


There is definitely malware on the computer.

* Open the Nod32 Control Center (click its tray icon in the bottom right corner of the screen).
* Select AMON from the Threat Protection group of options.
* In the right-hand panel, untick the option File system monitor (AMON) enabled.
* Turning this option off will show as the Control Center changing colour from green to red.

Note: Don't forget to turn this option back on once the cleaning is finished.



Download ComboFix from one of the following addresses to the Desktop:
http://download.bleepingcomputer.com/sUBs/ComboFix.exe
http://www.forospyware.com/sUBs/ComboFix.exe
http://subs.geekstogo.com/ComboFix.exe

Start it and don't touch the program window while it scans.
Follow the on-screen instructions. When it finishes, a log (C:\ComboFix.txt) will appear, which you should copy here for us.
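The diagnosis above rests on entries in the HijackThis log that a defender learns to spot: a core Windows binary name running from the wrong directory (C:\WINDOWS\smss.exe instead of C:\WINDOWS\system32\smss.exe, c:\temps\svchost.exe, both also registered as services with "Unknown owner"), and a one-character lookalike of a system binary (svchoct.exe under system32\inf, started from an Explorer\Run policy key). The script below is an added example written for this editorial pass; it is not part of the forum thread and not code from HijackThis or ComboFix. It assumes a stock Windows XP layout (%SystemRoot% = C:\WINDOWS) for the expected-directory table, and the sample log is constructed from a handful of lines taken from the HijackThis log posted above.

```python
"""Flag entries in a HijackThis-style log whose file name is a core Windows
system binary (or a one-character lookalike of one) but whose directory is
not where that binary legitimately lives.  Added example; not HijackThis or
ComboFix code."""
import ntpath
import re

# Where each core XP binary is expected to live (lower-case, no trailing
# backslash).  Assumption: a stock install with %SystemRoot% = C:\WINDOWS.
SYSTEM_BINARIES = {
    "smss.exe": {r"c:\windows\system32"},
    "csrss.exe": {r"c:\windows\system32"},
    "winlogon.exe": {r"c:\windows\system32"},
    "services.exe": {r"c:\windows\system32"},
    "lsass.exe": {r"c:\windows\system32"},
    "svchost.exe": {r"c:\windows\system32"},
    "explorer.exe": {r"c:\windows"},
}

# A drive-letter path ending in .exe; anything after the .exe (arguments,
# a second path) is left out.
PATH_RE = re.compile(r'[A-Za-z]:\\[^\r\n"]*?\.exe\b', re.IGNORECASE)


def edit_distance_le1(a, b):
    """True if a and b are equal or differ by one substitution/insert/delete."""
    if a == b:
        return True
    if abs(len(a) - len(b)) > 1:
        return False
    if len(a) == len(b):
        return sum(x != y for x, y in zip(a, b)) == 1
    longer, shorter = (a, b) if len(a) > len(b) else (b, a)
    return any(longer[:i] + longer[i + 1:] == shorter for i in range(len(longer)))


def scan_log(text):
    """Return [(path, reason)] for every suspicious executable path in the log."""
    findings = []
    seen = set()
    for match in PATH_RE.finditer(text):
        path = match.group(0)
        key = path.lower()
        if key in seen:  # the same file often appears as both a process and a service
            continue
        seen.add(key)
        directory, name = ntpath.split(key)
        directory = directory.rstrip("\\")
        if name in SYSTEM_BINARIES:
            if directory not in SYSTEM_BINARIES[name]:
                findings.append((path, f"{name} outside its expected directory"))
            continue
        for real in SYSTEM_BINARIES:
            if edit_distance_le1(name, real):
                findings.append((path, f"one-character lookalike of {real}"))
                break
    return findings


# Constructed sample: a few lines copied from the HijackThis log in this thread.
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\smss.exe
c:\temps\svchost.exe
C:\Program Files\Eset\nod32krn.exe

O4 - HKLM\..\Policies\Explorer\Run: [minyust] C:\WINDOWS\system32\inf\svchoct.exe C:\WINDOWS\wftadfi16_080913a.dll tan16d
O23 - Service: Internet Service - Unknown owner - C:\WINDOWS\smss.exe
O23 - Service: TCP IP Service (Messager) - Unknown owner - c:\temps\svchost.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
"""

if __name__ == "__main__":
    for path, reason in scan_log(SAMPLE_LOG):
        print(f"{path}: {reason}")
```

Run against the sample, the scan reports exactly the three paths that dr_Bora's CFScript and ComboFix later removed (C:\WINDOWS\smss.exe, c:\temps\svchost.exe and the svchoct.exe loader), and stays silent on the legitimate copies in system32. The expected-directory table is deliberately small; the point is the check itself, which is the same one a human log reader performs, and the lookalike test catches the common trick of renaming a dropper one character away from a name the reader expects to see.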

  • Joined: 16 Sep 2008
  • Posts: 14

First of all, thanks for the help.
I did as you wrote and here I am copying the contents of the ComboFix.txt file.

ComboFix 08-09-15.02 - Zlaja 2008-09-16 23:42:24.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.83 [GMT 2:00]
Running from: C:\Documents and Settings\Zlaja\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\DOCUME~1\Zlaja\LOCALS~1\Temp\WowInitcode.dll
C:\WINDOWS\dcbdcatys32_080913a.dll
C:\WINDOWS\MSSqlServer.dll
C:\WINDOWS\smss.exe
C:\WINDOWS\system\sgcxcxxaspf080913.exe
C:\WINDOWS\system32\actskn43.ocx
C:\WINDOWS\system32\FOLESVR.DLL
C:\WINDOWS\system32\inf\scsys16_080913.dll
C:\WINDOWS\system32\inf\sppdcrs080913.scr
C:\WINDOWS\system32\inf\svchoct.exe
C:\WINDOWS\system32\mywfhit.ini
C:\WINDOWS\system32\mywfhit.ini.tmp
C:\WINDOWS\system32\tmpacj0.exe
C:\WINDOWS\tawisys.ini

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_INTERNET_SERVICE
-------\Legacy_SVCHOST
-------\Service_Internet Service
-------\Service_svchost


((((((((((((((((((((((((( Files Created from 2008-08-16 to 2008-09-16 )))))))))))))))))))))))))))))))
.

2008-09-16 23:56 . 2008-09-16 23:56 319,234 --a------ C:\notpad.exe
2008-09-15 19:50 . 2008-09-15 19:51 <DIR> d-------- C:\Documents and Settings\Zlaja\Application Data\BarbieIP
2008-09-15 02:41 . 2008-09-15 02:40 502,368 --a------ C:\WINDOWS\system32\drivers\amon.sys
2008-09-15 02:41 . 2008-09-15 02:41 270,336 --a------ C:\WINDOWS\system32\imon.dll
2008-09-14 05:12 . 2008-09-14 05:12 <DIR> d--hs---- C:\temps
2008-09-12 20:28 . 2008-09-12 20:28 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\Yahoo!
2008-09-07 20:19 . 2008-09-07 20:19 <DIR> d-------- C:\Program Files\Common Files\i4j_jres
2008-09-07 20:19 . 2008-09-07 20:20 <DIR> d-------- C:\Documents and Settings\Zlaja\.SimpleCenter
2008-09-07 20:18 . 2008-09-07 20:19 <DIR> d-------- C:\Program Files\SimpleCenter
2008-09-07 20:11 . 2008-09-07 20:11 <DIR> d--hs---- C:\WINDOWS\ftpcache
2008-09-06 11:17 . 2008-09-16 23:44 <DIR> d-------- C:\WINDOWS\system32\inf
2008-08-29 17:48 . 2008-08-29 17:48 <DIR> d-------- C:\Documents and Settings\Zlaja\Application Data\Disney Interactive Studios
2008-08-29 17:37 . 2008-08-29 17:37 <DIR> d-------- C:\Program Files\Disney Interactive Studios
2008-08-29 17:36 . 2008-08-29 17:36 <DIR> d-------- C:\Documents and Settings\Zlaja\Application Data\InstallShield
2008-08-22 13:34 . 2008-08-22 13:36 <DIR> d-------- C:\Documents and Settings\Zlaja\Application Data\ScannerData
2008-08-22 09:06 . 2008-08-22 09:06 <DIR> d-------- C:\Program Files\Common Files\PCSuite
2008-08-22 09:04 . 2008-08-22 09:04 <DIR> d-------- C:\Program Files\PC Connectivity Solution
2008-08-22 09:04 . 2007-09-17 15:53 21,632 --a------ C:\WINDOWS\system32\drivers\pccsmcfd.sys
2008-08-22 09:02 . 2008-05-07 07:39 1,419,232 --a------ C:\WINDOWS\system32\wdfcoinstaller01005.dll
2008-08-22 09:02 . 2008-05-07 07:38 659,968 --a------ C:\WINDOWS\system32\nmwcdcocls.dll
2008-08-22 09:02 . 2008-05-07 07:38 20,864 --a------ C:\WINDOWS\system32\drivers\ccdcmbo.sys
2008-08-22 09:02 . 2008-05-07 07:38 17,536 --a------ C:\WINDOWS\system32\drivers\ccdcmb.sys
2008-08-22 09:02 . 2008-05-07 07:38 8,064 --a------ C:\WINDOWS\system32\drivers\usbser_lowerfltj.sys
2008-08-22 09:02 . 2008-06-06 09:24 8,064 --a------ C:\WINDOWS\system32\drivers\usbser_lowerflt.sys
2008-08-20 09:52 . 2008-08-22 09:05 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-08-20 09:52 . 2008-08-20 09:52 1,409 --a------ C:\WINDOWS\QTFont.for

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-09-15 17:17 --------- d-----w C:\Program Files\Activision
2008-09-15 00:49 --------- d-----w C:\Program Files\ESET
2008-09-13 06:32 --------- d-----w C:\Program Files\Build in Time
2008-09-08 01:46 --------- d-----w C:\Program Files\Nokia
2008-09-08 01:46 --------- d-----w C:\Documents and Settings\All Users\Application Data\Installations
2008-09-08 01:45 --------- d-----w C:\Program Files\Common Files\Nokia
2008-09-07 18:15 --------- d-----w C:\Documents and Settings\Zlaja\Application Data\PC Suite
2008-09-06 09:50 --------- d-----w C:\Program Files\HyperVRE
2008-08-29 15:37 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-08-16 06:53 --------- d-----w C:\Program Files\Opera
2008-08-10 09:14 --------- d-----w C:\Program Files\Battleship
2008-08-06 18:44 --------- d-----w C:\Program Files\Fantasysoft-Studio
2008-08-06 10:52 3,001 --sha-w C:\Documents and Settings\Zlaja\ppUser.dat
2008-08-02 12:11 --------- d-----w C:\Program Files\Google
2008-08-02 11:27 --------- d-----w C:\Program Files\Nobilis
2008-07-29 21:20 --------- d-----w C:\Program Files\Ubisoft
2008-07-29 08:04 --------- d-----w C:\Program Files\SysSense
2008-07-28 14:55 --------- d-----w C:\Program Files\ABBYY FineReader 6.0 Sprint
2008-07-28 14:49 --------- d-----w C:\Program Files\BearPaw 2400CU Plus
2008-07-19 17:02 --------- d-----w C:\Documents and Settings\Zlaja\Application Data\Skype
2008-07-19 17:01 --------- d-----w C:\Documents and Settings\Zlaja\Application Data\skypePM
2008-07-17 11:23 --------- d-----w C:\Documents and Settings\Zlaja\Application Data\uTorrent
2008-05-13 14:58 32 ----a-w C:\Documents and Settings\All Users\Application Data\ezsid.dat
.

------- Sigcheck -------

2004-08-04 00:56 14336 1242f3a2ba2edab2cedd8209feab86a9 C:\WINDOWS\system32\svchost.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" [2007-10-18 5724184]
"PC Suite Tray"="C:\Program Files\Nokia\Nokia PC Suite 7\PCSuite.exe" [2008-08-11 1124352]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 15360]
"Nokia.PCSync"="C:\Program Files\Nokia\Nokia PC Suite 7\PCSync2.exe" [2008-06-17 1249280]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-08-04 1667584]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"googletalk"="C:\Program Files\Google\Google Talk\googletalk.exe" [2007-01-01 3739648]
"bwprnmon.exe"="C:\BITWARE\NT\bwprnmon.exe" [2008-02-16 54272]
"CorelDRAW Graphics Suite 11b"="C:\Program Files\Corel\Corel Graphics 12\Languages\EN\Programs\Registration.exe" [2003-11-25 729088]
"DAEMON Tools"="C:\Program Files\DAEMON Tools\daemon.exe" [2005-11-09 128920]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2008-02-16 185896]
"nod32kui"="C:\Program Files\Eset\nod32kui.exe" [2008-09-15 917504]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 15360]
"ATICCC"="C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" [2005-02-22 32768]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"= ctwdm32.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Synchronizer.lnk]
backup=C:\WINDOWS\pss\Adobe Reader Synchronizer.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^ATI CATALYST System Tray.lnk]
backup=C:\WINDOWS\pss\ATI CATALYST System Tray.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^GetRight.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\GetRight.lnk
backup=C:\WINDOWS\pss\GetRight.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Zlaja^Start Menu^Programs^Startup^Ovulation Calendar.lnk]
path=C:\Documents and Settings\Zlaja\Start Menu\Programs\Startup\Ovulation Calendar.lnk
backup=C:\WINDOWS\pss\Ovulation Calendar.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATICCC]
--a------ 2005-02-22 23:21 32768 C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATIPTA]
--a------ 2005-02-22 22:05 339968 C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
--a------ 2006-10-09 12:28 139264 C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTFMON.EXE]
--a------ 2004-08-04 00:56 15360 C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
--a----t- 2008-09-09 22:05 133104 C:\Documents and Settings\Zlaja\Local Settings\Application Data\Google\Update\GoogleUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\googletalk]
--a------ 2007-01-01 23:22 3739648 C:\Program Files\Google\Google Talk\googletalk.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--------- 2004-08-04 02:06 1667584 C:\Program Files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2006-01-12 17:40 155648 C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-02-01 00:13 385024 C:\Program Files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
--a------ 2005-01-12 04:01 32768 C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2007-09-25 02:11 132496 C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a------ 2008-02-16 21:28 185896 C:\Program Files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
--a------ 2007-08-30 17:43 4670704 C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AGRSMMSG]
-ra------ 2005-09-28 15:15 90112 C:\WINDOWS\AGRSMMSG.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
-r------- 2006-11-17 06:42 577536 C:\WINDOWS\soundman.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"ServiceLayer"=3 (0x3)
"Bonjour Service"=2 (0x2)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\totalcmd\\TOTALCMD.EXE"=
"C:\\Program Files\\uTorrent\\uTorrent.exe"=
"C:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"D:\\BACKUP\\Ivana Igrice\\Tenis Pro\\DMTP2.08\\Dream Match Tennis Pro.exe"=
"C:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"C:\\Program Files\\Aspyr\\MTX\\Game\\MTX.exe"=
"C:\\Program Files\\netGangsters\\simGangster (2007)\\simgangster.exe"=
"C:\\Program Files\\Global Star Software\\Jetfighter V\\Game.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"C:\\Program Files\\gnucash\\bin\\gnucash-bin.exe"=
"C:\\Program Files\\gnucash\\bin\\gconfd-2.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=

R0 videX32;videX32;C:\WINDOWS\system32\DRIVERS\videX32.sys [2006-10-17 9216]
R2 Messager;TCP IP Service;c:\temps\svchost.exe [2008-09-17 502272]
S2 seiuctol;Security Control;c:\windows\system32\rundll32.exe adubes.dll,test [ ]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
svchost

*Newly Created Service* - MESSAGER
.
Contents of the 'Scheduled Tasks' folder
.
- - - - ORPHANS REMOVED - - - -

HKLM-Explorer_Run-minyust - C:\WINDOWS\system32\inf\svchoct.exe
MSConfigStartUp-PC Suite Tray - C:\Program Files\Nokia\Nokia PC Suite 6\PCSuite.exe
MSConfigStartUp-Uniblue RegistryBooster 2 - C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe
MSConfigStartUp-Uniblue SpeedUpMyPC - C:\Program Files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe
MSConfigStartUp-Uniblue SpyEraser - C:\Program Files\Uniblue\SpyEraser\SpyEraser.exe


.
------- Supplementary Scan -------
.
FireFox -: Profile - C:\Documents and Settings\Zlaja\Application Data\Mozilla\Firefox\Profiles\9b0vfa9w.default\
FireFox -: prefs.js - SEARCH.DEFAULTURL - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF -: plugin - C:\Documents and Settings\Zlaja\Local Settings\Application Data\Google\Update\1.2.131.11\npGoogleOneClick5.dll
FF -: plugin - C:\Program Files\DivX\DivX Content Uploader\npUpload.dll
FF -: plugin - C:\Program Files\Mozilla Firefox\plugins\NPTURNMED.dll
FF -: plugin - C:\Program Files\Opera\program\plugins\npdivx32.dll
FF -: plugin - C:\Program Files\Opera\program\plugins\NPTURNMED.dll
FF -: plugin - C:\Program Files\Real\RhapsodyPlayerEngine\nprhapengine.dll
FF -: plugin - C:\Program Files\Yahoo!\Shared\npYState.dll
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, gmer.net
Rootkit scan 2008-09-16 23:56:03
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\tsd32.dll
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\ati2evxx.exe
C:\Program Files\ESET\nod32krn.exe
C:\WINDOWS\system32\ati2evxx.exe
C:\WINDOWS\system32\ntvdm.exe
C:\WINDOWS\system32\devldr32.exe
C:\Program Files\Common Files\Nokia\MPAPI\MPAPI3s.exe
C:\WINDOWS\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2008-09-17 0:04:46 - machine was rebooted
ComboFix-quarantined-files.txt 2008-09-16 22:04:07

Pre-Run: 6,637,449,216 bytes free
Post-Run: 7,046,086,656 bytes free


  • dr_Bora  Male
  • Anti Malware Fighter
    Rank 2
  • Joined: 24 Jul 2007
  • Posts: 12280
  • Location: Höganäs, SE

Open Notepad and copy the following text:

File::
C:\notpad.exe

Folder::
C:\temps
C:\WINDOWS\system32\inf

Driver::
Messager
seiuctol

NetSvc::
svchost



Save the file from Notepad to the Desktop as "CFScript"




Drag the saved script/text onto the ComboFix icon as shown in the picture.
Post in your next message the log that is produced at the end of the cleaning/scan.

  • Joined: 16 Sep 2008
  • Posts: 14

I did everything according to the instructions and am copying the resulting log:

ComboFix 08-09-15.02 - Zlaja 2008-09-18 1:07:44.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.203 [GMT 2:00]
Running from: C:\Documents and Settings\Zlaja\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Zlaja\Desktop\CFScript.txt
* Resident AV is active


WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\notpad.exe
C:\temps\svchost.exe
C:\WINDOWS\system32\inf

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_MESSAGER
-------\Legacy_SEIUCTOL
-------\Service_Messager
-------\Service_seiuctol


((((((((((((((((((((((((( Files Created from 2008-08-17 to 2008-09-17 )))))))))))))))))))))))))))))))
.

2008-09-18 01:21 . 502,272 C:\notpad.exe
2008-09-15 19:50 . 2008-09-15 19:51 <DIR> d-------- C:\Documents and Settings\Zlaja\Application Data\BarbieIP
2008-09-15 02:41 . 2008-09-15 02:40 502,368 --a------ C:\WINDOWS\system32\drivers\amon.sys
2008-09-15 02:41 . 2008-09-15 02:41 270,336 --a------ C:\WINDOWS\system32\imon.dll
2008-09-14 05:12 . 2008-09-18 01:22 <DIR> d--hs---- C:\temps
2008-09-12 20:28 . 2008-09-12 20:28 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\Yahoo!
2008-09-07 20:19 . 2008-09-07 20:19 <DIR> d-------- C:\Program Files\Common Files\i4j_jres
2008-09-07 20:19 . 2008-09-07 20:20 <DIR> d-------- C:\Documents and Settings\Zlaja\.SimpleCenter
2008-09-07 20:18 . 2008-09-07 20:19 <DIR> d-------- C:\Program Files\SimpleCenter
2008-09-07 20:11 . 2008-09-07 20:11 <DIR> d--hs---- C:\WINDOWS\ftpcache
2008-08-29 17:48 . 2008-08-29 17:48 <DIR> d-------- C:\Documents and Settings\Zlaja\Application Data\Disney Interactive Studios
2008-08-29 17:37 . 2008-08-29 17:37 <DIR> d-------- C:\Program Files\Disney Interactive Studios
2008-08-29 17:36 . 2008-08-29 17:36 <DIR> d-------- C:\Documents and Settings\Zlaja\Application Data\InstallShield
2008-08-22 13:34 . 2008-08-22 13:36 <DIR> d-------- C:\Documents and Settings\Zlaja\Application Data\ScannerData
2008-08-22 09:06 . 2008-08-22 09:06 <DIR> d-------- C:\Program Files\Common Files\PCSuite
2008-08-22 09:04 . 2008-08-22 09:04 <DIR> d-------- C:\Program Files\PC Connectivity Solution
2008-08-22 09:04 . 2007-09-17 15:53 21,632 --a------ C:\WINDOWS\system32\drivers\pccsmcfd.sys
2008-08-22 09:02 . 2008-05-07 07:39 1,419,232 --a------ C:\WINDOWS\system32\wdfcoinstaller01005.dll
2008-08-22 09:02 . 2008-05-07 07:38 659,968 --a------ C:\WINDOWS\system32\nmwcdcocls.dll
2008-08-22 09:02 . 2008-05-07 07:38 20,864 --a------ C:\WINDOWS\system32\drivers\ccdcmbo.sys
2008-08-22 09:02 . 2008-05-07 07:38 17,536 --a------ C:\WINDOWS\system32\drivers\ccdcmb.sys
2008-08-22 09:02 . 2008-05-07 07:38 8,064 --a------ C:\WINDOWS\system32\drivers\usbser_lowerfltj.sys
2008-08-22 09:02 . 2008-06-06 09:24 8,064 --a------ C:\WINDOWS\system32\drivers\usbser_lowerflt.sys
2008-08-20 09:52 . 2008-08-22 09:05 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-08-20 09:52 . 2008-08-20 09:52 1,409 --a------ C:\WINDOWS\QTFont.for

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-09-15 17:17 --------- d-----w C:\Program Files\Activision
2008-09-15 00:49 --------- d-----w C:\Program Files\ESET
2008-09-14 03:09 91,136 ----a-w C:\WINDOWS\system32\msgsvc.dll
2008-09-13 06:32 --------- d-----w C:\Program Files\Build in Time
2008-09-08 01:46 --------- d-----w C:\Program Files\Nokia
2008-09-08 01:46 --------- d-----w C:\Documents and Settings\All Users\Application Data\Installations
2008-09-08 01:45 --------- d-----w C:\Program Files\Common Files\Nokia
2008-09-07 18:15 --------- d-----w C:\Documents and Settings\Zlaja\Application Data\PC Suite
2008-09-06 09:50 --------- d-----w C:\Program Files\HyperVRE
2008-08-29 15:37 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-08-16 06:53 --------- d-----w C:\Program Files\Opera
2008-08-10 09:14 --------- d-----w C:\Program Files\Battleship
2008-08-06 18:44 --------- d-----w C:\Program Files\Fantasysoft-Studio
2008-08-06 10:52 3,001 --sha-w C:\Documents and Settings\Zlaja\ppUser.dat
2008-08-02 12:11 --------- d-----w C:\Program Files\Google
2008-08-02 11:27 --------- d-----w C:\Program Files\Nobilis
2008-07-29 21:20 --------- d-----w C:\Program Files\Ubisoft
2008-07-29 08:04 --------- d-----w C:\Program Files\SysSense
2008-07-28 14:55 --------- d-----w C:\Program Files\ABBYY FineReader 6.0 Sprint
2008-07-28 14:49 --------- d-----w C:\Program Files\BearPaw 2400CU Plus
2008-07-19 17:02 --------- d-----w C:\Documents and Settings\Zlaja\Application Data\Skype
2008-07-19 17:01 --------- d-----w C:\Documents and Settings\Zlaja\Application Data\skypePM
2008-07-17 11:23 --------- d-----w C:\Documents and Settings\Zlaja\Application Data\uTorrent
2008-05-13 14:58 32 ----a-w C:\Documents and Settings\All Users\Application Data\ezsid.dat
.

------- Sigcheck -------

2004-08-04 00:56 14336 1242f3a2ba2edab2cedd8209feab86a9 C:\WINDOWS\system32\svchost.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" [2007-10-18 5724184]
"PC Suite Tray"="C:\Program Files\Nokia\Nokia PC Suite 7\PCSuite.exe" [2008-08-11 1124352]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 15360]
"Nokia.PCSync"="C:\Program Files\Nokia\Nokia PC Suite 7\PCSync2.exe" [2008-06-17 1249280]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-08-04 1667584]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"googletalk"="C:\Program Files\Google\Google Talk\googletalk.exe" [2007-01-01 3739648]
"bwprnmon.exe"="C:\BITWARE\NT\bwprnmon.exe" [2008-02-16 54272]
"CorelDRAW Graphics Suite 11b"="C:\Program Files\Corel\Corel Graphics 12\Languages\EN\Programs\Registration.exe" [2003-11-25 729088]
"DAEMON Tools"="C:\Program Files\DAEMON Tools\daemon.exe" [2005-11-09 128920]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2008-02-16 185896]
"nod32kui"="C:\Program Files\Eset\nod32kui.exe" [2008-09-15 917504]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 15360]
"ATICCC"="C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" [2005-02-22 32768]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"= ctwdm32.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Synchronizer.lnk]
backup=C:\WINDOWS\pss\Adobe Reader Synchronizer.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^ATI CATALYST System Tray.lnk]
backup=C:\WINDOWS\pss\ATI CATALYST System Tray.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^GetRight.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\GetRight.lnk
backup=C:\WINDOWS\pss\GetRight.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Zlaja^Start Menu^Programs^Startup^Ovulation Calendar.lnk]
path=C:\Documents and Settings\Zlaja\Start Menu\Programs\Startup\Ovulation Calendar.lnk
backup=C:\WINDOWS\pss\Ovulation Calendar.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATICCC]
--a------ 2005-02-22 23:21 32768 C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATIPTA]
--a------ 2005-02-22 22:05 339968 C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
--a------ 2006-10-09 12:28 139264 C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTFMON.EXE]
--a------ 2004-08-04 00:56 15360 C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
--a----t- 2008-09-09 22:05 133104 C:\Documents and Settings\Zlaja\Local Settings\Application Data\Google\Update\GoogleUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\googletalk]
--a------ 2007-01-01 23:22 3739648 C:\Program Files\Google\Google Talk\googletalk.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--------- 2004-08-04 02:06 1667584 C:\Program Files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2006-01-12 17:40 155648 C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-02-01 00:13 385024 C:\Program Files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
--a------ 2005-01-12 04:01 32768 C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2007-09-25 02:11 132496 C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a------ 2008-02-16 21:28 185896 C:\Program Files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
--a------ 2007-08-30 17:43 4670704 C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AGRSMMSG]
-ra------ 2005-09-28 15:15 90112 C:\WINDOWS\AGRSMMSG.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
-r------- 2006-11-17 06:42 577536 C:\WINDOWS\soundman.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"ServiceLayer"=3 (0x3)
"Bonjour Service"=2 (0x2)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\totalcmd\\TOTALCMD.EXE"=
"C:\\Program Files\\uTorrent\\uTorrent.exe"=
"C:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"D:\\BACKUP\\Ivana Igrice\\Tenis Pro\\DMTP2.08\\Dream Match Tennis Pro.exe"=
"C:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"C:\\Program Files\\Aspyr\\MTX\\Game\\MTX.exe"=
"C:\\Program Files\\netGangsters\\simGangster (2007)\\simgangster.exe"=
"C:\\Program Files\\Global Star Software\\Jetfighter V\\Game.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"C:\\Program Files\\gnucash\\bin\\gnucash-bin.exe"=
"C:\\Program Files\\gnucash\\bin\\gconfd-2.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=

R0 videX32;videX32;C:\WINDOWS\system32\DRIVERS\videX32.sys [2006-10-17 9216]
R2 Messager;TCP IP Service;c:\temps\svchost.exe [2008-09-18 502272]

*Newly Created Service* - MESSAGER
.
Contents of the 'Scheduled Tasks' folder
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, gmer.net
Rootkit scan 2008-09-18 01:21:06
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\ati2evxx.exe
C:\Program Files\ESET\nod32krn.exe
C:\WINDOWS\system32\ati2evxx.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\ntvdm.exe
C:\WINDOWS\system32\devldr32.exe
C:\Program Files\Common Files\Nokia\MPAPI\MPAPI3s.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
.
**************************************************************************
.
Completion time: 2008-09-18 1:29:29 - machine was rebooted
ComboFix-quarantined-files.txt 2008-09-17 23:29:18
ComboFix2.txt 2008-09-16 22:04:47

Pre-Run: 6,705,754,112 bytes free
Post-Run: 6,991,900,672 bytes free

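The entries in the log above that a triager would act on are the newly created service `Messager` whose binary is `c:\temps\svchost.exe` (a core Windows file name running from a non-system directory) and the `"EnableFirewall"= 0` setting on the standard profile. The script below is an added example written for this page; it is not part of the thread, ComboFix or HijackThis. It applies those checks mechanically to a ComboFix-style text log: services whose binary lives outside the Windows or Program Files trees, processes that imitate a system binary from outside system32, and a disabled firewall profile. The sample log is constructed after the entries above, and the directory layout and list of system binaries are assumptions for Windows XP.

```python
"""Triage helper for ComboFix-style logs (added example, not ComboFix code)."""
import re
from typing import List, Optional, Tuple

Finding = Tuple[str, str, str]  # (kind, name, detail)

# Core binaries that, on XP, only run from %SystemRoot%\system32 (assumption).
SYSTEM_BINARIES = {
    "svchost.exe", "smss.exe", "csrss.exe", "winlogon.exe",
    "services.exe", "lsass.exe", "spoolsv.exe",
}
SYSTEM_DIRS = ("c:\\windows\\system32\\",)
# Directories from which legitimate service binaries are expected (assumption).
TRUSTED_SERVICE_DIRS = ("c:\\windows\\", "c:\\program files\\")

# ComboFix service/driver entry, e.g.
#   R2 Messager;TCP IP Service;c:\temps\svchost.exe [2008-09-18 502272]
SERVICE_RE = re.compile(
    r"^(?P<state>[RS]\d)\s+(?P<name>[^;]+);(?P<display>[^;]*);"
    r"(?P<path>[^\[]+?)\s*(?:\[[^\]]*\])?\s*$"
)
# A bare process path as printed under "Other Running Processes".
PROCESS_RE = re.compile(r"^[a-z]:\\.+\.exe$", re.IGNORECASE)
# Firewall profile flag as dumped from the registry.
FIREWALL_RE = re.compile(r'^"EnableFirewall"\s*=\s*(?P<value>\d+)')


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def parse_service_line(line: str) -> Optional[Tuple[str, str, str, str]]:
    """Return (state, service name, display name, binary path) or None."""
    m = SERVICE_RE.match(line.strip())
    if not m:
        return None
    return (m["state"], m["name"].strip(), m["display"].strip(), m["path"].strip())


def impersonates_system_binary(path: str) -> bool:
    """True when a core Windows binary name runs from outside system32."""
    p = path.lower()
    return basename(p) in SYSTEM_BINARIES and not p.startswith(SYSTEM_DIRS)


def service_path_untrusted(path: str) -> bool:
    """True when a service binary sits outside the trusted directory trees."""
    return not path.lower().startswith(TRUSTED_SERVICE_DIRS)


def triage(log_text: str) -> List[Finding]:
    """Walk the log line by line and collect the indicators worth reviewing."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        svc = parse_service_line(line)
        if svc:
            _state, name, _display, path = svc
            if service_path_untrusted(path) or impersonates_system_binary(path):
                findings.append(("service", name, path))
            continue
        if PROCESS_RE.match(line) and impersonates_system_binary(line):
            findings.append(("process", basename(line), line))
            continue
        fw = FIREWALL_RE.match(line)
        if fw and fw["value"] == "0":
            findings.append(("firewall", "EnableFirewall", "disabled"))
    return findings


# Constructed sample modelled on the entries in the log above; not a real capture.
SAMPLE_LOG = r"""
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

R0 videX32;videX32;C:\WINDOWS\system32\DRIVERS\videX32.sys [2006-10-17 9216]
R2 Messager;TCP IP Service;c:\temps\svchost.exe [2008-09-18 502272]

*Newly Created Service* - MESSAGER
------------------------ Other Running Processes ------------------------
C:\WINDOWS\system32\ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
c:\temps\svchost.exe
C:\Program Files\ESET\nod32krn.exe
"""

if __name__ == "__main__":
    for kind, name, detail in triage(SAMPLE_LOG):
        print(f"{kind:8} {name:16} {detail}")
```

Run against the constructed sample it reports exactly three findings: the disabled firewall profile, the `Messager` service in `c:\temps`, and the `svchost.exe` process from that same directory; the legitimate `videX32` driver and the system32 `svchost.exe` pass. The name-plus-directory check is deliberately narrow: a binary in `C:\WINDOWS` with a system file name is flagged, but a malicious service installed under Program Files would not be, so the output is a starting point for a manual review, not a verdict.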

  • dr_Bora  Male
  • Anti Malware Fighter
    Rank 2
  • Joined: 24 Jul 2007
  • Posts: 12280
  • Location: Höganäs, SE

Open Notepad and copy the following text into it:

File::
C:\notpad.exe

Folder::
C:\temps

Driver::
Messager


Save the file from Notepad to the Desktop as "CFScript"




Drag the saved script/text onto the ComboFix icon as shown in the picture.
Post the log produced at the end of the cleaning/scan in your next message.



-------------------------------------------------------------------------------------



Download gmer.zip from this link and save it to the Desktop.
Unpack it into a folder.

Double-click gmer.exe to start it: select the Rootkit/Malware tab at the top.
Click Scan.
When the scan has finished, click the Copy button below - this saves the scan results to the Clipboard.
Use Paste in Notepad to turn them into text. Save that text from Notepad as file1.txt.
Repeat the same with the Autostart tab. Save that text from Notepad as file2.txt.


Use the Attach file option below the message box on the forum and attach the two files we just saved.

  • Joined: 16 Sep 2008
  • Posts: 14

Doctor, I did as you wrote.
I attached the .txt files you asked for.

Thanks again for the effort to help me solve this.

  • dr_Bora  Male
  • Anti Malware Fighter
    Rank 2
  • Joined: 24 Jul 2007
  • Posts: 12280
  • Location: Höganäs, SE

Also post the latest ComboFix log - its location is C:\ComboFix.txt .

  • Joined: 16 Sep 2008
  • Posts: 14

Here it is



  • dr_Bora  Male
  • Anti Malware Fighter
    Rank 2
  • Joined: 24 Jul 2007
  • Posts: 12280
  • Location: Höganäs, SE

Download The Avenger to the Desktop.
Unpack the archive into a folder.

Double-click avenger.exe to run it.

Copy the text inside the Code box into the (white) program window:

Drivers to delete:
Messager

Files to delete:
C:\notpad.exe

Folders to delete:
C:\temps


Click Execute, then Yes in the next two windows that open.

The computer will restart (twice) and the cleaning/scanning process will begin.

When the process has finished, the log file C:\avenger.txt will open in Notepad.

Copy the contents of the resulting log into the thread on the forum.


Also, immediately after that, upload the file C:\Avenger\backup.zip

via this link: http://www.mycity.rs/ambulanta-upload.php
