Avast won't or can't delete the virus. Please help.

  • Joined: 01 Jul 2009
  • Posts: 42

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 21:43:03, on 28.7.2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\drivers\CDAC11BA.EXE
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\system32\RunDll32.exe
C:\Program Files\D-Link\AirPlus G\AirGCFG.exe
C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\FrostWire\FrostWire.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\korisnik\Desktop\six.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = ask.com/?o=101677&l=dis
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = toolbar.ask.com/toolbarv/askRedirect?o=101668&gct=&gc=1&q=
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = toolbar.ask.com/toolbarv/askRedirect?o=101668&gct=&gc=1&q=
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = toolbar.ask.com/toolbarv/askRedirect?o=101668&gct=&gc=1&q=%s
R3 - URLSearchHook: DefaultSearchHook Class - {C94E154B-1459-4A47-966B-4B843BEFC7DB} - C:\Program Files\AskSearch\bin\DefaultSearch.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: AskBar BHO - {201f27d4-3704-41d6-89c1-aa35e39143ed} - C:\Program Files\AskBarDis\bar\bin\askBar.dll
O2 - BHO: Windows Live pomagac za prijavljivanje - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Ask Toolbar - {3041d03e-fd4b-44e0-b742-2d9b88305f98} - C:\Program Files\AskBarDis\bar\bin\askBar.dll
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [D-Link AirPlus G] C:\Program Files\D-Link\AirPlus G\AirGCFG.exe
O4 - HKLM\..\Run: [ANIWZCS2Service] C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime Alternative\QTTask.exe" -atboottime
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: FrostWire On Startup.lnk = C:\Program Files\FrostWire\FrostWire.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{F877597C-FCF1-4C90-895A-589AF897DCF4}: NameServer = 87.250.98.250 208.68.222.222
O23 - Service: ANIWZCSd Service (ANIWZCSdService) - Alpha Networks Inc. - C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\system32\drivers\CDAC11BA.EXE
O23 - Service: fca (eaf) - Unknown owner - C:\WINDOWS\system32\i\J002.exe (file missing)
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: soft Service (Service) - Unknown owner - C:\WINDOWS\system32\i\J003.exe
O23 - Service: Windows Color Service (WcsSrv) - Unknown owner - C:\Program Files\Common Files\Svc.exe

--
End of file - 5862 bytes



For a couple of days now my computer has been acting up when I connect to the internet. Avast warns me that I have a virus, and after a few minutes my internet gets blocked, so I have to restart the computer to be able to connect again. I tried to delete the virus, but it seems Avast can't delete it.

Thanks in advance.

  • dr_Bora
  • Anti Malware Fighter, Rank 2
  • Joined: 24 Jul 2007
  • Posts: 12280
  • Location: Höganäs, SE

Hello...


Could you copy out the names of the detected files, or take a screenshot that shows them?



Download SysProt AntiRootkit from the following page:

SysProt download

On the page that opens, click the "here" link.


Extract the archive into a folder;

double-click to run the program and switch to the Log tab;

tick all eight items and click Create log;

after a while a prompt will appear in which you should select
Scan root drive only and click Start;

when the scan finishes, a notification will appear; close it by clicking OK;

the log will be saved in the same folder as the program itself.



Attach the created log to your post using the Attach file option.

  • Joined: 01 Jul 2009
  • Posts: 42

SysProt AntiRootkit v1.0.1.0
by swatkat

******************************************************************************************
******************************************************************************************

No Hidden Processes found

******************************************************************************************
******************************************************************************************
Kernel Modules:
Module Name: \SystemRoot\System32\Drivers\dump_atapi.sys
Service Name: ---
Module Base: EF759000
Module End: EF771000
Hidden: Yes

Module Name: \SystemRoot\System32\Drivers\dump_WMILIB.SYS
Service Name: ---
Module Base: F8A62000
Module End: F8A64000
Hidden: Yes

******************************************************************************************
******************************************************************************************
SSDT:
Function Name: ZwClose
Address: EF7796B8
Driver Base: EF771000
Driver End: EF792000
Driver Name: \SystemRoot\System32\Drivers\aswSP.SYS

Function Name: ZwCreateKey
Address: EF779574
Driver Base: EF771000
Driver End: EF792000
Driver Name: \SystemRoot\System32\Drivers\aswSP.SYS

Function Name: ZwDeleteValueKey
Address: EF779A52
Driver Base: EF771000
Driver End: EF792000
Driver Name: \SystemRoot\System32\Drivers\aswSP.SYS

Function Name: ZwDuplicateObject
Address: EF77914C
Driver Base: EF771000
Driver End: EF792000
Driver Name: \SystemRoot\System32\Drivers\aswSP.SYS

Function Name: ZwOpenKey
Address: EF77964E
Driver Base: EF771000
Driver End: EF792000
Driver Name: \SystemRoot\System32\Drivers\aswSP.SYS

Function Name: ZwOpenProcess
Address: EF77908C
Driver Base: EF771000
Driver End: EF792000
Driver Name: \SystemRoot\System32\Drivers\aswSP.SYS

Function Name: ZwOpenThread
Address: EF7790F0
Driver Base: EF771000
Driver End: EF792000
Driver Name: \SystemRoot\System32\Drivers\aswSP.SYS

Function Name: ZwQueryValueKey
Address: EF77976E
Driver Base: EF771000
Driver End: EF792000
Driver Name: \SystemRoot\System32\Drivers\aswSP.SYS

Function Name: ZwRestoreKey
Address: EF77972E
Driver Base: EF771000
Driver End: EF792000
Driver Name: \SystemRoot\System32\Drivers\aswSP.SYS

Function Name: ZwSetValueKey
Address: EF7798AE
Driver Base: EF771000
Driver End: EF792000
Driver Name: \SystemRoot\System32\Drivers\aswSP.SYS

******************************************************************************************
******************************************************************************************
No Kernel Hooks found

******************************************************************************************
******************************************************************************************
No IRP Hooks found

******************************************************************************************
******************************************************************************************
Ports:
Local Address: KORISNIK-F4BA11:3798
Remote Address: 61.160.216.6:6800
Type: TCP
Process: C:\WINDOWS\system32\svchost.exe
State: ESTABLISHED

Local Address: KORISNIK-F4BA11:3771
Remote Address: HB-IN-F137.GOOGLE.COM:HTTP
Type: TCP
Process: C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
State: CLOSE_WAIT

Local Address: KORISNIK-F4BA11:3769
Remote Address: HB-IN-F103.GOOGLE.COM:HTTP
Type: TCP
Process: C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
State: LAST_ACK

Local Address: KORISNIK-F4BA11:3766
Remote Address: HB-IN-F101.GOOGLE.COM:HTTP
Type: TCP
Process: C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
State: LAST_ACK

Local Address: KORISNIK-F4BA11:3757
Remote Address: HB-IN-F101.GOOGLE.COM:HTTP
Type: TCP
Process: C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
State: LAST_ACK

Local Address: KORISNIK-F4BA11:3746
Remote Address: 80.255.4.206:HTTP
Type: TCP
Process: C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
State: LAST_ACK

Local Address: KORISNIK-F4BA11:3737
Remote Address: USER-514D2B3D.L1.C2.DSL.POL.CO.UK:15248
Type: TCP
Process: C:\Program Files\FrostWire\FrostWire.exe
State: ESTABLISHED

Local Address: KORISNIK-F4BA11:3736
Remote Address: CPE-76-173-46-60.SOCAL.RES.RR.COM:32058
Type: TCP
Process: C:\Program Files\FrostWire\FrostWire.exe
State: ESTABLISHED

Local Address: KORISNIK-F4BA11:3735
Remote Address: CPE-74-75-48-244.MAINE.RES.RR.COM:27908
Type: TCP
Process: C:\Program Files\FrostWire\FrostWire.exe
State: ESTABLISHED

Local Address: KORISNIK-F4BA11:3694
Remote Address: C-71-202-112-75.HSD1.CA.COMCAST.NET:38812
Type: TCP
Process: C:\Program Files\FrostWire\FrostWire.exe
State: ESTABLISHED

Local Address: KORISNIK-F4BA11:3220
Remote Address: WSIP-24-234-134-146.LV.LV.COX.NET:24770
Type: TCP
Process: C:\Program Files\FrostWire\FrostWire.exe
State: ESTABLISHED

Local Address: KORISNIK-F4BA11:2092
Remote Address: A92-122-213-112.DEPLOY.AKAMAITECHNOLOGIES.COM:HTTP
Type: TCP
Process: C:\Program Files\Java\jre6\bin\jusched.exe
State: CLOSE_WAIT

Local Address: KORISNIK-F4BA11:12143
Remote Address: 0.0.0.0:0
Type: TCP
Process: C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
State: LISTENING

Local Address: KORISNIK-F4BA11:12119
Remote Address: 0.0.0.0:0
Type: TCP
Process: C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
State: LISTENING

Local Address: KORISNIK-F4BA11:12110
Remote Address: 0.0.0.0:0
Type: TCP
Process: C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
State: LISTENING

Local Address: KORISNIK-F4BA11:12080
Remote Address: LOCALHOST:3770
Type: TCP
Process: C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
State: ESTABLISHED

Local Address: KORISNIK-F4BA11:12080
Remote Address: 0.0.0.0:0
Type: TCP
Process: C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
State: LISTENING

Local Address: KORISNIK-F4BA11:12025
Remote Address: 0.0.0.0:0
Type: TCP
Process: C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
State: LISTENING

Local Address: KORISNIK-F4BA11:5152
Remote Address: LOCALHOST:1879
Type: TCP
Process: C:\Program Files\Java\jre6\bin\jqs.exe
State: CLOSE_WAIT

Local Address: KORISNIK-F4BA11:5152
Remote Address: 0.0.0.0:0
Type: TCP
Process: C:\Program Files\Java\jre6\bin\jqs.exe
State: LISTENING

Local Address: KORISNIK-F4BA11:3770
Remote Address: LOCALHOST:12080
Type: TCP
Process: C:\Program Files\Mozilla Firefox\firefox.exe
State: ESTABLISHED

Local Address: KORISNIK-F4BA11:1885
Remote Address: LOCALHOST:1884
Type: TCP
Process: C:\Program Files\Mozilla Firefox\firefox.exe
State: ESTABLISHED

Local Address: KORISNIK-F4BA11:1884
Remote Address: LOCALHOST:1885
Type: TCP
Process: C:\Program Files\Mozilla Firefox\firefox.exe
State: ESTABLISHED

Local Address: KORISNIK-F4BA11:1876
Remote Address: LOCALHOST:1875
Type: TCP
Process: C:\Program Files\Mozilla Firefox\firefox.exe
State: ESTABLISHED

Local Address: KORISNIK-F4BA11:1875
Remote Address: LOCALHOST:1876
Type: TCP
Process: C:\Program Files\Mozilla Firefox\firefox.exe
State: ESTABLISHED

Local Address: KORISNIK-F4BA11:1030
Remote Address: LOCALHOST:1029
Type: TCP
Process: C:\Program Files\FrostWire\FrostWire.exe
State: ESTABLISHED

Local Address: KORISNIK-F4BA11:1029
Remote Address: LOCALHOST:1030
Type: TCP
Process: C:\Program Files\FrostWire\FrostWire.exe
State: ESTABLISHED

Local Address: KORISNIK-F4BA11:NETBIOS-SSN
Remote Address: 0.0.0.0:0
Type: TCP
Process: System
State: LISTENING

Local Address: KORISNIK-F4BA11:45100
Remote Address: 0.0.0.0:0
Type: TCP
Process: C:\Program Files\FrostWire\FrostWire.exe
State: LISTENING

Local Address: KORISNIK-F4BA11:5403
Remote Address: 0.0.0.0:0
Type: TCP
Process: C:\Program Files\FrostWire\FrostWire.exe
State: LISTENING

Local Address: KORISNIK-F4BA11:MICROSOFT-DS
Remote Address: 0.0.0.0:0
Type: TCP
Process: System
State: LISTENING

Local Address: KORISNIK-F4BA11:EPMAP
Remote Address: 0.0.0.0:0
Type: TCP
Process: C:\WINDOWS\system32\svchost.exe
State: LISTENING

Local Address: KORISNIK-F4BA11:1900
Remote Address: NA
Type: UDP
Process: C:\WINDOWS\system32\svchost.exe
State: NA

Local Address: KORISNIK-F4BA11:123
Remote Address: NA
Type: UDP
Process: C:\WINDOWS\system32\svchost.exe
State: NA

Local Address: KORISNIK-F4BA11:1900
Remote Address: NA
Type: UDP
Process: C:\WINDOWS\system32\svchost.exe
State: NA

Local Address: KORISNIK-F4BA11:1877
Remote Address: NA
Type: UDP
Process: C:\WINDOWS\system32\svchost.exe
State: NA

Local Address: KORISNIK-F4BA11:123
Remote Address: NA
Type: UDP
Process: C:\WINDOWS\system32\svchost.exe
State: NA

Local Address: KORISNIK-F4BA11:1900
Remote Address: NA
Type: UDP
Process: C:\WINDOWS\system32\svchost.exe
State: NA

Local Address: KORISNIK-F4BA11:138
Remote Address: NA
Type: UDP
Process: System
State: NA

Local Address: KORISNIK-F4BA11:NETBIOS-NS
Remote Address: NA
Type: UDP
Process: System
State: NA

Local Address: KORISNIK-F4BA11:123
Remote Address: NA
Type: UDP
Process: C:\WINDOWS\system32\svchost.exe
State: NA

Local Address: KORISNIK-F4BA11:5403
Remote Address: NA
Type: UDP
Process: C:\Program Files\FrostWire\FrostWire.exe
State: NA

Local Address: KORISNIK-F4BA11:4500
Remote Address: NA
Type: UDP
Process: C:\WINDOWS\system32\lsass.exe
State: NA

Local Address: KORISNIK-F4BA11:1980
Remote Address: NA
Type: UDP
Process: C:\WINDOWS\system32\svchost.exe
State: NA

Local Address: KORISNIK-F4BA11:1886
Remote Address: NA
Type: UDP
Process: C:\WINDOWS\system32\svchost.exe
State: NA

Local Address: KORISNIK-F4BA11:1861
Remote Address: NA
Type: UDP
Process: C:\WINDOWS\system32\svchost.exe
State: NA

Local Address: KORISNIK-F4BA11:1860
Remote Address: NA
Type: UDP
Process: C:\WINDOWS\system32\svchost.exe
State: NA

Local Address: KORISNIK-F4BA11:1720
Remote Address: NA
Type: UDP
Process: C:\WINDOWS\system32\svchost.exe
State: NA

Local Address: KORISNIK-F4BA11:500
Remote Address: NA
Type: UDP
Process: C:\WINDOWS\system32\lsass.exe
State: NA

Local Address: KORISNIK-F4BA11:MICROSOFT-DS
Remote Address: NA
Type: UDP
Process: System
State: NA

******************************************************************************************
******************************************************************************************
Hidden files/folders:
Object: C:\Documents and Settings\korisnik\Desktop\Sve\nove\Roger Sanchez (Bang That Box - Laidback Rmx on Daft Punk mashup) + Bodyrox feat. Luciana (Brave New World) + Joey Negro (Must Be The Music - Fasano Mix on Moby mashup) [Jay Amato PODCAST 3AS1 short mix-u
Status: Hidden

Object: C:\System Volume Information\MountPointManagerRemoteDatabase
Status: Access denied

Object: C:\System Volume Information\tracking.log
Status: Access denied

Object: C:\System Volume Information\_restore{E63ACD2A-69E3-447C-90FE-5967A0E50442}
Status: Access denied

  • dr_Bora
  • Anti Malware Fighter, Rank 2
  • Joined: 24 Jul 2007
  • Posts: 12280
  • Location: Höganäs, SE

Download The Avenger to the Desktop.
Extract the archive into a folder

Double-click avenger.exe to run it

Copy the text inside the Code box into the program's (white) window:


Folders to delete:
C:\WINDOWS\system32\i

Files to delete:
C:\Program Files\Common Files\Svc.exe

Drivers to delete:
eaf
Service
WcsSrv


Click Execute, then Yes in the next two windows that open

The computer will restart (in some cases twice) and the cleaning/scanning process will begin

When the process is finished, the log file C:\avenger.txt will open in Notepad

Copy the contents of the resulting log into the forum thread.
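To show how the three removal targets in the script above can be derived from the O23 (service) lines of the HijackThis log posted earlier, here is an added example (editor's code, not the helper's or any tool's own) that parses those lines, applies editor-assumed triage rules, and drafts the same Avenger script. The sample lines are copied from the log in this thread; the suspicion rules and the KNOWN_SYSTEM32_SUBDIRS allowlist are assumptions.

```python
"""Triage HijackThis O23 (service) lines and draft the matching Avenger script.

Added example, not part of the forum thread and not the helper's own tool.
The suspicion rules are editor assumptions about what distinguishes the three
entries the helper removed; they are triage signals, not a malware verdict.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample: the O23 block copied from the HijackThis log posted above.
SAMPLE_O23 = r"""
O23 - Service: ANIWZCSd Service (ANIWZCSdService) - Alpha Networks Inc. - C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\system32\drivers\CDAC11BA.EXE
O23 - Service: fca (eaf) - Unknown owner - C:\WINDOWS\system32\i\J002.exe (file missing)
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: soft Service (Service) - Unknown owner - C:\WINDOWS\system32\i\J003.exe
O23 - Service: Windows Color Service (WcsSrv) - Unknown owner - C:\Program Files\Common Files\Svc.exe
"""

# HijackThis O23 layout: "O23 - Service: <display> [(<key>)] - <owner> - <path> [(file missing)]".
# The service key is shown in parentheses only when it differs from the display name.
O23_RE = re.compile(
    r"^O23 - Service: (?P<display>.+?)(?: \((?P<key>[^()]+)\))?"
    r" - (?P<owner>.+?) - (?P<path>.+?)(?P<missing> \(file missing\))?$"
)

# system32 subfolders that legitimately host service binaries (editor's assumption).
KNOWN_SYSTEM32_SUBDIRS = {"drivers", "wbem", "spool"}


@dataclass
class ServiceEntry:
    display: str
    key: str          # key under HKLM\...\Services; Avenger's "Drivers to delete" takes this
    owner: str
    path: str
    missing: bool
    reasons: List[str] = field(default_factory=list)


def nonstandard_system32_folder(path: str) -> Optional[str]:
    """Return the system32 subfolder holding the binary if it is not a known one."""
    m = re.search(r"^(.*\\system32\\([^\\]+))\\", path, re.IGNORECASE)
    if m and m.group(2).lower() not in KNOWN_SYSTEM32_SUBDIRS:
        return m.group(1)
    return None


def suspicious_reasons(e: ServiceEntry) -> List[str]:
    """Editor's triage heuristics; each hit is a reason string, not proof of malware."""
    reasons = []
    folder = nonstandard_system32_folder(e.path)
    if folder is not None:
        reasons.append(f"binary lives in non-standard system32 subfolder {folder}")
    if re.search(r"\\Common Files\\[^\\]+$", e.path, re.IGNORECASE):
        reasons.append("binary dropped directly in the Common Files root")
    if e.missing and e.owner == "Unknown owner":
        reasons.append("no vendor name (Unknown owner) and the service binary is missing")
    return reasons


def parse_o23(text: str) -> List[ServiceEntry]:
    """Parse every O23 line in the text; lines of other HJT types are ignored."""
    entries = []
    for line in text.splitlines():
        m = O23_RE.match(line.strip())
        if not m:
            continue
        e = ServiceEntry(display=m.group("display"),
                         key=m.group("key") or m.group("display"),
                         owner=m.group("owner"), path=m.group("path"),
                         missing=m.group("missing") is not None)
        e.reasons = suspicious_reasons(e)
        entries.append(e)
    return entries


def flagged(entries: List[ServiceEntry]) -> List[ServiceEntry]:
    return [e for e in entries if e.reasons]


def draft_avenger_script(entries: List[ServiceEntry]) -> str:
    """Build an Avenger script in the three-section layout used in the thread.

    A binary in a rogue system32 subfolder is removed by deleting the whole
    folder (as the helper did for system32\\i); otherwise the file itself is
    listed, unless HijackThis already reports it missing.
    """
    folders: List[str] = []
    files: List[str] = []
    drivers: List[str] = []
    for e in flagged(entries):
        folder = nonstandard_system32_folder(e.path)
        if folder is not None:
            if folder not in folders:
                folders.append(folder)
        elif not e.missing:
            files.append(e.path)
        drivers.append(e.key)
    sections = []
    for title, items in (("Folders to delete:", folders),
                         ("Files to delete:", files),
                         ("Drivers to delete:", drivers)):
        if items:
            sections.append("\n".join([title, *items]))
    return "\n\n".join(sections) + "\n"


if __name__ == "__main__":
    parsed = parse_o23(SAMPLE_O23)
    for entry in flagged(parsed):
        print(f"{entry.key}: {'; '.join(entry.reasons)}")
    print()
    print(draft_avenger_script(parsed))
```

Note that "Unknown owner" alone does not flag an entry: the ATI Smart service above has no vendor string either and was correctly left alone by the helper.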

  • Joined: 01 Jul 2009
  • Posts: 42

Posted: 29 Jul 2009 22:37

Logfile of The Avenger Version 2.0, (c) by Swandog46
swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!

Folder "C:\WINDOWS\system32\i" deleted successfully.
File "C:\Program Files\Common Files\Svc.exe" deleted successfully.
Driver "eaf" deleted successfully.

Error: registry key "\Registry\Machine\System\CurrentControlSet\Services\Service" not found!
Deletion of driver "Service" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist

Driver "WcsSrv" deleted successfully.

Completed script processing.

*******************

Finished! Terminate.

Update: 29 Jul 2009 22:42

here's what Avast shows me

Pronadjen je malware!

ime datoteke C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\KT2BOV4J\scanner[1].dll

ime maware-a Win32:Siveras-B [Expl]

tip malwara-a Exploit

VPS verzija 090729-0, 29.07.2009

  • dr_Bora
  • Anti Malware Fighter, Rank 2
  • Joined: 24 Jul 2007
  • Posts: 12280
  • Location: Höganäs, SE

Now run a scan with Avast. Does it detect anything it can't delete?





Download the DDS program from this, this or this link to the Desktop.


Double-click DDS to run it;

after a few minutes a message will appear that the process is finished and two reports will open;

save both reports to the Desktop (using File > Save As);

double-click DDS.txt to open it and copy its contents into the thread;

attach the file Attach.txt to your post using the Attach file option.


Note: if security software interferes with DDS, temporarily disable it (instructions) and run DDS again.

  • Joined: 01 Jul 2009
  • Posts: 42

Posted: 30 Jul 2009 7:45

same as before



DDS (Ver_09-06-26.01) - NTFSx86
Run by korisnik at 7:41:41,73 on cet 30.07.2009
Internet Explorer: 6.0.2900.2180 BrowserJavaVersion: 1.6.0_14
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.511.87 [GMT 2:00]

AV: avast! antivirus 4.8.1335 [VPS 090729-1] *On-access scanning enabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\drivers\CDAC11BA.EXE
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\System32\svchost.exe -k VaultSrv
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\system32\RunDll32.exe
C:\Program Files\D-Link\AirPlus G\AirGCFG.exe
C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\FrostWire\FrostWire.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\korisnik\Desktop\dds.pif

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.ask.com/?o=101677&l=dis
mDefault_Search_URL = hxxp://toolbar.ask.com/toolbarv/askRedirect?o=101668&gct=&gc=1&q=
uSearchURL,(Default) = hxxp://toolbar.ask.com/toolbarv/askRedirect?o=101668&gct=&gc=1&q=%s
uURLSearchHooks: DefaultSearchHook Class: {c94e154b-1459-4a47-966b-4b843befc7db} - c:\program files\asksearch\bin\DefaultSearch.dll
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 6.0\reader\activex\AcroIEHelper.dll
BHO: AskBar BHO: {201f27d4-3704-41d6-89c1-aa35e39143ed} - c:\program files\askbardis\bar\bin\askBar.dll
BHO: Windows Live pomagac za prijavljivanje: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Ask Toolbar: {3041d03e-fd4b-44e0-b742-2d9b88305f98} - c:\program files\askbardis\bar\bin\askBar.dll
uRun: [CTFMON.EXE] c:\windows\system32\ctfmon.exe
uRun: [msnmsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background
mRun: [ATIPTA] c:\program files\ati technologies\ati control panel\atiptaxx.exe
mRun: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
mRun: [D-Link AirPlus G] c:\program files\d-link\airplus g\AirGCFG.exe
mRun: [ANIWZCS2Service] c:\program files\ani\aniwzcs2 service\WZCSLDR2.exe
mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe
mRun: [avast!] c:\progra~1\alwils~1\avast4\ashDisp.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [QuickTime Task] "c:\program files\quicktime alternative\QTTask.exe" -atboottime
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
StartupFolder: c:\docume~1\korisnik\startm~1\programs\startup\frostw~1.lnk - c:\program files\frostwire\FrostWire.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office\OSA9.EXE
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
TCP: {F877597C-FCF1-4C90-895A-589AF897DCF4} = 87.250.98.250 208.67.222.222
Notify: AtiExtEvent - Ati2evxx.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\korisnik\applic~1\mozilla\firefox\profiles\coy493u0.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.ask.com/?o=101677&l=dis
FF - prefs.js: keyword.URL - hxxp://toolbar.ask.com/toolbarv/askRedirect?o=101668&gct=&gc=1&q=
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}

============= SERVICES / DRIVERS ===============

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2009-6-25 114768]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2009-6-25 20560]
R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast4\ashServ.exe [2009-6-25 138680]
R2 TCPZ;TCP Half Open Limited Patcher ( TCP-Z);c:\windows\system32\drivers\tcpz-x86d.sys [2009-7-28 12136]
R2 VaultSrv;Credential Manager Service;c:\windows\system32\svchost.exe -k VaultSrv [2004-8-4 14336]
R3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast4\ashMaiSv.exe [2009-6-25 254040]
R3 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast4\ashWebSv.exe [2009-6-25 352920]

=============== Created Last 30 ================

2009-07-30 07:41 <DIR> --d-h--- c:\windows\PIF
2009-07-30 07:39 220,029 a------- c:\windows\system32\crdtsrv.dll
2009-07-28 19:43 873,984 a------- c:\windows\system32\libmysql.dll
2009-07-28 10:14 12,136 a------- c:\windows\system32\drivers\tcpz-x86d.sys
2009-07-28 10:14 101,888 ---sh--- c:\windows\system32\comptres.dll
2009-07-27 19:35 <DIR> --d----- c:\program files\Autodesk
2009-07-27 19:35 12,464 a------- c:\windows\system32\drivers\CDAC15BA.SYS
2009-07-27 19:35 <DIR> --d----- c:\program files\common files\Macrovision Shared
2009-07-27 19:35 54,784 a------- c:\windows\system32\drivers\CDAC11BA.EXE
2009-07-27 19:35 <DIR> --d----- c:\program files\AnswerWorks 4.0
2009-07-27 19:34 <DIR> --d----- C:\Programme
2009-07-27 19:34 <DIR> --d----- c:\program files\common files\Autodesk Shared
2009-07-27 19:34 <DIR> --d----- c:\docume~1\korisnik\applic~1\Autodesk
2009-07-27 19:30 <DIR> --d----- c:\program files\AutoCad2004
2009-07-20 19:26 <DIR> --d----- c:\documents and settings\korisnik\Tracing
2009-07-20 19:11 <DIR> --d----- c:\program files\Microsoft
2009-07-20 19:10 <DIR> --d----- c:\program files\Windows Live SkyDrive
2009-07-20 18:34 <DIR> --d----- c:\program files\common files\Windows Live
2009-07-20 16:39 <DIR> --d----- c:\program files\YouTube Downloader
2009-07-18 09:10 <DIR> --d----- c:\docume~1\korisnik\applic~1\FrostWire
2009-07-18 09:09 <DIR> --d----- c:\program files\AskSearch
2009-07-18 09:09 <DIR> --d----- c:\program files\AskBarDis
2009-07-18 09:09 <DIR> --d----- c:\program files\FrostWire
2009-07-15 16:52 <DIR> --d----- c:\docume~1\korisnik\applic~1\Participatory Culture Foundation
2009-07-15 16:51 <DIR> --d----- c:\program files\Participatory Culture Foundation
2009-07-15 16:38 79 a------- c:\windows\system32\asr_xeehd
2009-07-13 20:42 79 a------- c:\windows\system32\asr_rhlog
2009-07-08 13:04 79 a------- c:\windows\system32\asr_gondg
2009-07-08 12:20 79 a------- c:\windows\system32\asr_ckfny
2009-07-08 12:10 79 a------- c:\windows\system32\asr_dyhrs
2009-07-03 22:37 664 a------- c:\windows\system32\d3d9caps.dat
2009-07-01 23:35 <DIR> --d----- c:\program files\City Interactive

==================== Find3M ====================

2009-06-26 00:00 410,984 a------- c:\windows\system32\deploytk.dll
2009-06-24 20:28 5,632 a------- c:\windows\system32\drivers\StarOpen.sys
2009-06-24 12:55 5,058 a------- c:\windows\help\hhcolreg.dat
2009-06-24 12:33 86,327 a------- c:\windows\pchealth\helpctr\offlinecache\index.dat
2009-06-24 12:05 21,640 a------- c:\windows\system32\emptyregdb.dat
2001-11-23 06:08 712,704 a----r-- c:\windows\inf\other\AUDIO3D.DLL

============= FINISH: 7:42:00,43 ===============




Update: 30 Jul 2009 7:47

everything is the same as before, it still pops up.

Pronadjen je malware!

ime datoteke C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\KT2BOV4J\scanner[1].dll

ime maware-a Win32:Siveras-B [Expl]

tip malwara-a Exploit

VPS verzija 090729-0, 29.07.2009

Update: 30 Jul 2009 7:50

Pronadjen je malware!

ime datoteke C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\CH6RA309\scanner[1].dll
the difference is in this number
ime maware-a Win32:Siveras-B [Expl]

tip malwara-a Exploit

VPS verzija 090729-0, 29.07.2009

  • dr_Bora
  • Anti Malware Fighter, Rank 2
  • Joined: 24 Jul 2007
  • Posts: 12280
  • Location: Höganäs, SE

Download sUBs' ComboFix from the following address to the Desktop:


Bleeping Computer
Right-click the link and choose Save Target As... (Save Link As..., Save Linked Content As... or similar);
When the dialog for choosing where to save the file opens, select Desktop and click Save.




When the download is complete:
disable your security software (instructions);
close running programs;
double-click ComboFix to run it.

While running, ComboFix will:
check whether a newer version of the program exists:
click Yes if it offers to download it.
display the DISCLAIMER OF WARRANTY ON SOFTWARE:
click Yes so the process continues.
if the Recovery Console is not installed, offer to install it:
be sure to accept by clicking Yes and follow the procedure.
ask a number of questions / show notifications:
accept by clicking Yes or OK.
restart Windows if needed (possibly several times);
at the end, open Notepad with the scan report.


Copy the report ComboFix created into the forum thread:
right-click in the Notepad window and choose Select All;
right-click the highlighted text and choose Copy;
right-click in the message box and choose Paste.


Note: the report will be saved as ComboFix.txt on the system partition (typically C:\ComboFix.txt);
If after posting you notice the report is incomplete, use the Attach file option to attach C:\ComboFix.txt to your post.

  • Joined: 01 Jul 2009
  • Posts: 42

ComboFix 09-07-29.04 - korisnik 30.07.2009 23:14.1.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.511.266 [GMT 2:00]
Running from: c:\documents and settings\korisnik\Desktop\ComboFix.exe
AV: avast! antivirus 4.8.1335 [VPS 090729-1] *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\AskSearch\bin\DefaultSearch.dll
c:\windows\system32\capisrv.dll
c:\windows\system32\crdtsrv.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_SERVICE


((((((((((((((((((((((((( Files Created from 2009-06-28 to 2009-07-30 )))))))))))))))))))))))))))))))
.

2009-07-30 17:52 . 2009-07-30 17:55 -------- d-----w- c:\windows\system32\81FR0MLUJV
2009-07-30 16:18 . 2009-07-30 16:18 -------- d-----w- c:\windows\system32\N8R5GQWFEY
2009-07-30 15:14 . 2009-07-30 16:11 -------- d-----w- c:\windows\system32\A64JU1WW2Z
2009-07-30 14:33 . 2009-07-30 15:08 -------- d-----w- c:\windows\system32\1FMZ2NEBD5
2009-07-30 13:13 . 2009-07-30 13:15 -------- d-----w- c:\windows\system32\KE571CDGC2
2009-07-30 13:13 . 2009-07-30 13:13 97792 ------w- c:\windows\system32\cmptes.dll
2009-07-30 13:12 . 2009-07-30 13:13 -------- d-----w- c:\windows\system32\JV33PKTIZY
2009-07-30 05:41 . 2009-07-30 05:41 -------- d--h--w- c:\windows\PIF
2009-07-28 08:14 . 2009-07-30 13:13 12136 ----a-w- c:\windows\system32\drivers\tcpz-x86d.sys
2009-07-28 08:14 . 2009-07-28 08:14 101888 --sh--w- c:\windows\system32\comptres.dll
2009-07-27 17:35 . 2009-07-27 17:35 -------- d-----w- c:\program files\Autodesk
2009-07-27 17:35 . 2009-07-27 17:35 12464 ----a-w- c:\windows\system32\drivers\CDAC15BA.SYS
2009-07-27 17:35 . 2009-07-27 17:35 -------- d-----w- c:\program files\Common Files\Macrovision Shared
2009-07-27 17:35 . 2009-07-27 17:35 54784 ----a-w- c:\windows\system32\drivers\CDAC11BA.EXE
2009-07-27 17:35 . 2009-07-27 17:35 -------- d-----w- c:\documents and settings\korisnik\Local Settings\Application Data\Autodesk
2009-07-27 17:35 . 2009-07-27 17:35 -------- d-----w- c:\program files\AnswerWorks 4.0
2009-07-27 17:34 . 2009-07-27 17:39 -------- d-----w- c:\documents and settings\korisnik\Application Data\Autodesk
2009-07-27 17:34 . 2009-07-27 17:36 -------- d-----w- c:\program files\Common Files\Autodesk Shared
2009-07-27 17:34 . 2009-07-27 17:34 -------- d-----w- C:\Programme
2009-07-27 17:34 . 2009-07-27 17:34 -------- d-----w- c:\documents and settings\All Users\Application Data\Autodesk
2009-07-27 17:30 . 2009-07-27 17:30 -------- d-----w- c:\program files\AutoCad2004
2009-07-20 17:26 . 2009-07-30 21:20 -------- d-----w- c:\documents and settings\korisnik\Tracing
2009-07-20 17:11 . 2009-07-20 17:11 -------- d-----w- c:\program files\Microsoft
2009-07-20 17:10 . 2009-07-20 17:10 -------- d-----w- c:\program files\Windows Live SkyDrive
2009-07-20 17:10 . 2009-07-20 17:11 -------- d-----w- c:\program files\Windows Live
2009-07-20 16:34 . 2009-07-20 16:34 -------- d-----w- c:\program files\Common Files\Windows Live
2009-07-20 14:43 . 2007-03-22 10:46 126976 ----a-w- c:\documents and settings\korisnik\Application Data\GRETECH\GomPlayer\GrLauncher.exe
2009-07-20 14:39 . 2009-07-20 14:39 -------- d-----w- c:\program files\YouTube Downloader
2009-07-18 07:24 . 2009-07-18 07:24 0 ----a-w- c:\documents and settings\korisnik\Application Data\FrostWire\.NetworkShare\Incomplete\T-4506256-LimeWireWin4.16.6.exe
2009-07-18 07:10 . 2009-07-30 16:46 -------- d-----w- c:\documents and settings\korisnik\Application Data\FrostWire
2009-07-18 07:09 . 2009-07-18 07:09 -------- d-----w- c:\program files\AskSearch
2009-07-18 07:09 . 2009-07-18 07:09 -------- d-----w- c:\program files\AskBarDis
2009-07-18 07:09 . 2009-07-30 16:44 -------- d-----w- c:\program files\FrostWire
2009-07-15 14:52 . 2009-07-15 14:52 -------- d-----w- c:\documents and settings\korisnik\Application Data\Participatory Culture Foundation
2009-07-15 14:51 . 2009-07-15 14:51 -------- d-----w- c:\program files\Participatory Culture Foundation
2009-07-13 14:36 . 2009-07-13 14:36 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Apple
2009-07-08 21:08 . 2009-07-08 21:08 -------- d-----w- c:\documents and settings\korisnik\Local Settings\Application Data\Identities
2009-07-06 14:36 . 2009-07-06 14:36 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Apple
2009-07-06 04:47 . 2009-07-06 04:47 -------- d-----w- c:\documents and settings\korisnik\Local Settings\Application Data\Ahead
2009-07-03 20:37 . 2009-07-29 19:18 664 ----a-w- c:\windows\system32\d3d9caps.dat
2009-07-01 21:35 . 2009-07-01 21:35 -------- d-----w- c:\program files\City Interactive

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-07-26 19:21 . 2009-06-24 12:52 -------- d-----w- c:\program files\Winamp
2009-07-26 07:57 . 2009-06-24 12:49 -------- d-----w- c:\program files\Mv2Player
2009-07-20 17:26 . 2009-06-24 10:15 17728 ----a-w- c:\documents and settings\korisnik\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-07-15 14:00 . 2009-06-24 12:49 -------- d-----w- c:\program files\CyberLink
2009-06-28 22:34 . 2009-06-28 22:34 -------- d-----w- c:\documents and settings\korisnik\Application Data\DivX
2009-06-28 22:28 . 2009-06-24 12:52 -------- d-----w- c:\program files\QuickTime Alternative
2009-06-28 22:27 . 2009-06-24 12:52 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple Computer
2009-06-28 22:27 . 2009-06-28 22:27 -------- d-----w- c:\program files\Apple Software Update
2009-06-28 22:27 . 2009-06-28 22:27 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple
2009-06-27 17:32 . 2009-06-27 17:32 -------- d-----w- c:\documents and settings\All Users\Application Data\GRETECH
2009-06-27 17:32 . 2009-06-27 17:32 -------- d-----w- c:\documents and settings\korisnik\Application Data\GRETECH
2009-06-27 17:31 . 2009-06-27 17:31 -------- d-----w- c:\program files\GRETECH
2009-06-27 17:28 . 2009-06-24 12:49 -------- d-----w- c:\program files\DivX
2009-06-27 17:22 . 2009-06-27 17:22 -------- d-----w- c:\documents and settings\korisnik\Application Data\Media Player Classic
2009-06-27 17:20 . 2009-06-24 10:36 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-06-27 17:19 . 2009-06-27 17:19 -------- d-----w- c:\program files\Real Alternative
2009-06-26 05:02 . 2009-06-26 05:02 -------- d-----w- c:\documents and settings\korisnik\Application Data\CyberLink
2009-06-25 22:29 . 2009-06-25 22:29 -------- d-----w- c:\documents and settings\korisnik\Application Data\AdobeUM
2009-06-25 22:28 . 2009-06-24 18:06 -------- d-----w- c:\program files\Common Files\Adobe
2009-06-25 22:00 . 2009-06-25 22:01 410984 ----a-w- c:\windows\system32\deploytk.dll
2009-06-25 22:00 . 2009-06-25 22:00 -------- d-----w- c:\program files\Java
2009-06-25 22:00 . 2009-06-25 22:00 152576 ----a-w- c:\documents and settings\korisnik\Application Data\Sun\Java\jre1.6.0_14\lzma.dll
2009-06-25 17:49 . 2009-06-25 17:49 -------- d-----w- c:\program files\Alwil Software
2009-06-25 16:37 . 2009-06-25 16:37 0 ----a-w- c:\windows\nsreg.dat
2009-06-24 18:45 . 2009-06-24 18:45 1915520 ----a-w- c:\documents and settings\korisnik\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\fpupdateax\fpupdateax.exe
2009-06-24 18:33 . 2009-06-24 18:33 -------- d-----w- c:\documents and settings\korisnik\Application Data\Samsung
2009-06-24 18:28 . 2009-06-24 18:07 5632 ----a-w- c:\windows\system32\drivers\StarOpen.sys
2009-06-24 18:07 . 2009-06-24 18:07 -------- d-----w- c:\program files\Samsung
2009-06-24 12:52 . 2009-06-24 12:52 -------- d-----w- c:\program files\Media Player Classic
2009-06-24 12:50 . 2009-06-24 12:50 -------- d-----w- c:\program files\Ahead
2009-06-24 12:50 . 2009-06-24 12:50 -------- d-----w- c:\program files\Common Files\Ahead
2009-06-24 12:50 . 2009-06-24 12:50 -------- d-----w- c:\program files\XviD
2009-06-24 12:50 . 2009-06-24 12:50 -------- d-----w- c:\program files\ffdshow
2009-06-24 12:50 . 2009-06-24 12:50 -------- d-----w- c:\program files\DivXCodec
2009-06-24 12:50 . 2009-06-24 12:50 -------- d-----w- c:\program files\DivX_311alpha
2009-06-24 12:50 . 2009-06-24 12:50 -------- d-----w- c:\program files\AC3Filter
2009-06-24 12:49 . 2009-06-24 12:49 -------- d-----w- c:\program files\ASUSTek
2009-06-24 12:48 . 2009-06-24 12:48 -------- d-----w- c:\program files\IrfanView
2009-06-24 10:55 . 2009-06-24 10:55 5058 ----a-w- c:\windows\Help\hhcolreg.dat
2009-06-24 10:52 . 2009-06-24 10:52 -------- d-----w- c:\documents and settings\korisnik\Application Data\Microsoft Web Folders
2009-06-24 10:52 . 2009-06-24 10:09 -------- d-----w- c:\program files\microsoft frontpage
2009-06-24 10:45 . 2009-06-24 10:45 -------- d-----w- c:\program files\ANI
2009-06-24 10:45 . 2009-06-24 10:45 -------- d-----w- c:\program files\D-Link
2009-06-24 10:44 . 2009-06-24 10:35 -------- d-----w- c:\program files\Common Files\InstallShield
2009-06-24 10:40 . 2009-06-24 10:40 -------- d-----w- c:\program files\C-Media 3D Audio
2009-06-24 10:37 . 2009-06-24 10:36 -------- d-----w- c:\program files\ATI Technologies
2009-06-24 10:33 . 2009-06-24 10:08 86327 ----a-w- c:\windows\pchealth\helpctr\OfflineCache\index.dat
2009-06-24 10:05 . 2009-06-24 10:05 21640 ----a-w- c:\windows\system32\emptyregdb.dat
2009-07-23 08:04 . 2009-06-25 16:37 134648 ----a-w- c:\program files\mozilla firefox\components\brwsrcmp.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{201f27d4-3704-41d6-89c1-aa35e39143ed}]
2008-09-08 20:08 279944 ----a-w- c:\program files\AskBarDis\bar\bin\askBar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{3041d03e-fd4b-44e0-b742-2d9b88305f98}"= "c:\program files\AskBarDis\bar\bin\askBar.dll" [2008-09-08 279944]

[HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}]
[HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{3041D03E-FD4B-44E0-B742-2D9B88305F98}"= "c:\program files\AskBarDis\bar\bin\askBar.dll" [2008-09-08 279944]

[HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}]
[HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2004-08-03 15360]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-02-06 3885408]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-02-22 339968]
"D-Link AirPlus G"="c:\program files\D-Link\AirPlus G\AirGCFG.exe" [2005-07-22 1519616]
"ANIWZCS2Service"="c:\program files\ANI\ANIWZCS2 Service\WZCSLDR2.exe" [2004-12-16 49152]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-02-05 81000]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-06-25 148888]
"QuickTime Task"="c:\program files\QuickTime Alternative\QTTask.exe" [2009-05-26 413696]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-03 15360]

c:\documents and settings\korisnik\Start Menu\Programs\Startup\
FrostWire On Startup.lnk - c:\program files\FrostWire\FrostWire.exe [2008-9-4 114688]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [1999-2-17 65588]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [25.6.2009 19:49 114768]
R2 AExpSrv;Application Experiences;c:\windows\System32\svchost.exe -k AExpSrv [4.8.2004 0:56 14336]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [25.6.2009 19:49 20560]
R2 efrgt;daetfr;c:\windows\system32\KE571CDGC2\J001.exe [30.7.2009 15:15 69632]
R2 TCPZ;TCP Half Open Limited Patcher ( TCP-Z);c:\windows\system32\drivers\tcpz-x86d.sys [28.7.2009 10:14 12136]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
VaultSrv REG_MULTI_SZ VaultSrv Cred
AExpSrv REG_MULTI_SZ AExpSrv Appl
.
Contents of the 'Scheduled Tasks' folder

2009-07-27 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 10:34]
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-Cmaudio - cmicnfg.cpl


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.ask.com/?o=101677&l=dis
uSearchURL,(Default) = hxxp://toolbar.ask.com/toolbarv/askRedirect?o=101668&gct=&gc=1&q=%s
FF - ProfilePath - c:\documents and settings\korisnik\Application Data\Mozilla\Firefox\Profiles\coy493u0.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.ask.com/?o=101677&l=dis
FF - prefs.js: keyword.URL - hxxp://toolbar.ask.com/toolbarv/askRedirect?o=101668&gct=&gc=1&q=
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, gmer.net
Rootkit scan 2009-07-30 23:19
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(760)
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(2404)
c:\windows\system32\msi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\program files\Alwil Software\Avast4\aswUpdSv.exe
c:\program files\Alwil Software\Avast4\ashServ.exe
c:\windows\system32\ati2evxx.exe
c:\windows\system32\drivers\CDAC11BA.EXE
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Alwil Software\Avast4\ashMaiSv.exe
c:\program files\Alwil Software\Avast4\ashWebSv.exe
c:\windows\system32\rundll32.exe
.
**************************************************************************
.
Completion time: 2009-07-30 23:21 - machine was rebooted
ComboFix-quarantined-files.txt 2009-07-30 21:21

Pre-Run: 16.041.033.728 bytes free
Post-Run: 16.354.611.200 bytes free


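For readers who want to understand how a helper reads a log like the one above, here is an added example (not from this thread and not part of ComboFix): a small Python triage script that applies the heuristics used on this log. It flags directories under system32 with random-looking uppercase names (like 81FR0MLUJV), files carrying both the system and hidden attributes (the --sh--w- column), services whose image path sits inside such a random-named directory, and svchost groups that are not on a known-good list. The sample input is a handful of lines copied from the log above; the svchost group allowlist is an illustrative assumption, not a complete list of legitimate XP groups.

```python
import re
from collections import namedtuple

# Constructed sample: lines copied verbatim from the ComboFix log posted above.
SAMPLE_LOG = r"""
2009-07-30 17:52 . 2009-07-30 17:55 -------- d-----w- c:\windows\system32\81FR0MLUJV
2009-07-30 13:13 . 2009-07-30 13:15 -------- d-----w- c:\windows\system32\KE571CDGC2
2009-07-30 13:13 . 2009-07-30 13:13 97792 ------w- c:\windows\system32\cmptes.dll
2009-07-28 08:14 . 2009-07-28 08:14 101888 --sh--w- c:\windows\system32\comptres.dll
2009-07-27 17:35 . 2009-07-27 17:35 -------- d-----w- c:\program files\Autodesk
2009-06-25 22:00 . 2009-06-25 22:01 410984 ----a-w- c:\windows\system32\deploytk.dll
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [25.6.2009 19:49 20560]
R2 efrgt;daetfr;c:\windows\system32\KE571CDGC2\J001.exe [30.7.2009 15:15 69632]
R2 AExpSrv;Application Experiences;c:\windows\System32\svchost.exe -k AExpSrv [4.8.2004 0:56 14336]
"""

FileEntry = namedtuple("FileEntry", "created modified size attrs path")
ServiceEntry = namedtuple("ServiceEntry", "state name display image")

# "created . modified size attrs path" as written in the Files Created / Find3M sections
FILE_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. (\d{4}-\d{2}-\d{2} \d{2}:\d{2}) (\S+) (\S{8}) (.+)$")
# "R2 name;display name;image path [date time size]" as written in the services block
SERVICE_RE = re.compile(r"^([RS]\d) ([^;]+);([^;]*);(.+) \[[^\]]*\]$")
# 8-12 uppercase letters/digits containing at least one of each, e.g. 81FR0MLUJV
RANDOM_NAME_RE = re.compile(r"^(?=.*[A-Z])(?=.*\d)[A-Z0-9]{8,12}$")
# Assumption: illustrative subset of svchost groups that ship with Windows XP.
KNOWN_SVCHOST_GROUPS = {"netsvcs", "localservice", "networkservice", "rpcss",
                        "dcomlaunch", "imgsvc", "httpfilter", "termsvcs"}


def parse(text):
    """Split ComboFix log text into file entries and service entries."""
    files, services = [], []
    for line in text.splitlines():
        m = FILE_RE.match(line)
        if m:
            files.append(FileEntry(*m.groups()))
            continue
        m = SERVICE_RE.match(line)
        if m:
            services.append(ServiceEntry(*m.groups()))
    return files, services


def is_random_name(name):
    return bool(RANDOM_NAME_RE.match(name))


def basename(path):
    return path.rstrip("\\").rsplit("\\", 1)[-1]


def suspicious_dirs(files):
    """Directories created under system32 whose name looks machine-generated."""
    return [f.path for f in files
            if f.attrs.startswith("d")
            and "\\system32\\" in f.path.lower()
            and is_random_name(basename(f.path))]


def hidden_system_files(files):
    """Plain files with both the system (s) and hidden (h) attribute bits set."""
    return [f.path for f in files
            if not f.attrs.startswith("d") and "s" in f.attrs and "h" in f.attrs]


def suspicious_services(services):
    """Services whose binary lives in a random-named folder or in an unknown svchost group."""
    findings = []
    for s in services:
        if any(is_random_name(part) for part in s.image.split("\\")):
            findings.append((s.name, "image path contains a random-named directory"))
            continue
        m = re.search(r"svchost\.exe\s+-k\s+(\S+)", s.image, re.IGNORECASE)
        if m and m.group(1).lower() not in KNOWN_SVCHOST_GROUPS:
            findings.append((s.name, "unknown svchost group '%s'" % m.group(1)))
    return findings


def triage(text):
    files, services = parse(text)
    return {"dirs": suspicious_dirs(files),
            "hidden_system_files": hidden_system_files(files),
            "services": suspicious_services(services)}


if __name__ == "__main__":
    for section, items in triage(SAMPLE_LOG).items():
        print(section)
        for item in items:
            print("  ", item)
```

Run it as-is to see the three findings groups; point `triage()` at the full text of a ComboFix.txt to apply the same checks to a whole log. The heuristics are deliberately narrow (they will not catch a dropper that uses a plausible name), so they are a starting point for a manual review, not a verdict.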
  • dr_Bora  Male
  • Anti Malware Fighter
    Rank 2
  • Joined: 24 Jul 2007
  • Posts: 12280
  • Location: Höganäs, SE

• Open Control Panel, Add/Remove Programs and uninstall everything related to Ask (Search, Toolbar...).

• Are you using the program TCP-Z?

• Open Notepad and copy the following text:


File::
c:\windows\system32\cmptes.dll

Folder::
c:\windows\system32\81FR0MLUJV
c:\windows\system32\N8R5GQWFEY
c:\windows\system32\A64JU1WW2Z
c:\windows\system32\1FMZ2NEBD5
c:\windows\system32\KE571CDGC2
c:\windows\system32\JV33PKTIZY

Driver::
AExpSrv
efrgt

Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
"VaultSrv"=-
"AExpSrv"=-

DDS::
uStart Page = hxxp://www.ask.com/?o=101677&l=dis
uSearchURL,(Default) = hxxp://toolbar.ask.com/toolbarv/askRedirect?o=101668&gct=&gc=1&q=%s

Firefox::
FF - ProfilePath - c:\documents and settings\korisnik\Application Data\Mozilla\Firefox\Profiles\coy493u0.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.ask.com/?o=101677&l=dis
FF - prefs.js: keyword.URL - hxxp://toolbar.ask.com/toolbarv/askRedirect?o=101668&gct=&gc=1&q=



Save the file from Notepad to the Desktop as "CFScript".

Drag the saved script/text onto the ComboFix icon as shown in the picture.
Post in your next message the log that is produced at the end of the cleaning/scanning.
