Undeletable csrss file on USB


offline
  • Joined: 03 Nov 2009
  • Posts: 8

Hello good people,

Over the last month I have noticed a few strange things on my computer. I have a fast connection and a flat rate, so I am online all the time. Windows XP Professional, avast antivirus, with which I clean the computer roughly once a month. I cleaned it just now as well and it found nothing, neither on the disk nor on the USB stick.

So:
- Sometimes it tells me that Firefox is running and that I should close it first in order to continue with the update.
Firefox is not running at all at that moment?!

- At a friend's place I plugged the USB stick into his computer and BitDefender found some CSRSS file (worm, virus or whatever it is) on it and deleted it without any problem. When I plugged it into my computer, that same file appeared again.
I tried deleting it; every time it comes back together with the autorun file.

- I tried cleaning with CCleaner, and it found all sorts of things which I cleaned, but I could not get rid of the csrss file; I also saw via CCleaner that it is set to start with the computer. I also found in Task Manager that it is active.

- One more strange thing: lately, when I want to open that same USB stick through My Computer, nothing happens and I cannot open it by double-clicking or with the OPEN option, only with EXPLORE.

Following the instructions from the forum I carried out all the steps for 32-bit Windows and all the required reports are here.

If anything else is needed just let me know, and if I sometimes say something stupid, don't mock me too much. :)


offline
  • diarno  Male
  • Anti Malware Fighter
    Rank 2
  • Joined: 15 Jun 2007
  • Posts: 5572

Hello and welcome to the forum :)

Do the following:

Download sUBs's ComboFix to your Desktop from the following address:

Bleeping Computer
- Right-click the link and choose Save Target As... (Save Link As..., Save Linked Content As... or similar);
- When the dialog for choosing the save location opens, select Desktop and click Save.

When the download is finished:
- disable your protection software (instructions);
- close running programs;
- double-click ComboFix to run it.

While running, ComboFix will:
- check whether a newer version of the program exists:
  - click Yes if you are offered to download it.
- display the DISCLAIMER OF WARRANTY ON SOFTWARE:
  - click Yes to continue the process.
- if the Recovery Console is not installed, offer to install it:
  - be sure to accept by clicking Yes and follow the procedure.
- show a number of prompts/notifications:
  - accept by clicking Yes or OK.
- restart Windows if needed (several times);
- at the end, open Notepad with the scan report.

Copy the report that ComboFix created into the forum topic:
- right-click in the Notepad window and choose Select All;
- right-click the selected text and choose Copy;
- right-click in the message field and choose Paste.

Note:
- The report will be saved as ComboFix.txt on the system partition (typical location: C:\ComboFix.txt);
- If, after sending the message, you notice that the report is incomplete, use the Attach file option to attach C:\ComboFix.txt to the message.

offline
  • Joined: 03 Nov 2009
  • Posts: 8

Hello,

here is the report:


ComboFix 09-11-03.03 - Saša 04.11.2009 11:37.1.1 - FAT32x86
Microsoft Windows XP Professional 5.1.2600.2.1250.385.1033.18.2038.1519 [GMT 1:00]
Running from: c:\documents and settings\Saša\Desktop\ComboFix.exe
AV: avast! antivirus 4.8.1356 [VPS 091103-1] *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Saša\Application Data\Microsoft\csrss.exe
c:\program files\AskSearch\bin\DefaultSearch.dll
C:\test.txt
c:\windows\qpprqr.ini
c:\windows\server.exe
c:\windows\tsrsru.ini
c:\windows\uxxbdd.ini
c:\windows\vyxxay.ini
c:\windows\ybdggh.ini

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_DOMAINSERVICE


((((((((((((((((((((((((( Files Created from 2009-10-04 to 2009-11-04 )))))))))))))))))))))))))))))))
.

2009-11-03 11:21 . 2009-11-03 11:21 -------- d-----w- c:\program files\Trend Micro
2009-10-26 19:50 . 2009-10-26 19:50 -------- d-----w- c:\program files\PowerISO
2009-10-24 22:40 . 2009-10-24 22:40 -------- d--h--w- c:\windows\PIF

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-09-26 09:58 . 2007-02-03 18:44 3348 --sha-w- c:\windows\system32\KGyGaAvL.sys
2009-09-20 13:27 . 2009-09-20 13:27 -------- d-----w- c:\documents and settings\Guest\Application Data\Outertech
2009-09-20 12:33 . 2009-09-20 12:33 -------- d-----w- c:\documents and settings\Guest\Application Data\Winamp
2009-09-15 11:59 . 2007-01-13 17:15 1279968 ----a-w- c:\windows\system32\aswBoot.exe
2009-09-15 11:56 . 2007-01-13 17:15 93424 ----a-w- c:\windows\system32\drivers\aswmon.sys
2009-09-15 11:56 . 2007-01-13 17:15 94160 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2009-09-15 11:55 . 2008-04-12 14:44 114768 ----a-w- c:\windows\system32\drivers\aswSP.sys
2009-09-15 11:55 . 2008-04-12 14:44 20560 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2009-09-15 11:54 . 2007-01-13 17:15 52368 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2009-09-15 11:54 . 2007-01-13 17:15 23152 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2009-09-15 11:53 . 2007-01-13 17:15 27408 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2009-09-15 11:53 . 2007-01-13 17:15 97480 ----a-w- c:\windows\system32\AVASTSS.scr
2009-09-07 09:41 . 2009-09-07 09:41 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater
2009-08-27 11:42 . 2009-08-27 11:42 148736 ----a-w- c:\documents and settings\All Users\Application Data\hpeBE.dll
.

((((((((((((((((((((((((((((((((((((((((((((( AWF ))))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2004-08-03 21:56 . 2004-08-03 21:56 15360 c:\windows\system32\bak\ctfmon.exe
2004-08-03 21:56 . 2004-08-03 21:56 15360 c:\windows\system32\ctfmon.exe

2007-01-13 16:22 . 2001-07-09 09:50 155648 c:\windows\system32\bak\NeroCheck.exe

2007-01-13 16:39 . 2006-03-23 04:17 94208 c:\windows\system32\bak\igfxtray.exe

2007-01-13 16:39 . 2006-03-23 04:13 77824 c:\windows\system32\bak\hkcmd.exe

2007-01-13 16:39 . 2006-03-23 04:17 118784 c:\windows\system32\bak\igfxpers.exe

2005-08-11 15:30 . 2005-08-11 15:30 249856 c:\program files\Common Files\InstallShield\UpdateService\bak\isuspm.exe

2005-08-11 15:30 . 2005-08-11 15:30 81920 c:\program files\Common Files\InstallShield\UpdateService\bak\issch.exe

2007-01-13 17:15 . 2007-01-12 11:24 108160 c:\program files\Alwil Software\Avast4\bak\ashDisp.exe
2007-01-13 17:15 . 2009-09-15 11:56 81000 c:\program files\Alwil Software\Avast4\ashDisp.exe

2007-01-13 17:17 . 2006-08-23 15:21 3208192 c:\program files\Ashampoo\Ashampoo FireWall\bak\FireWall.exe

2007-01-18 19:18 . 2005-12-21 07:02 53248 c:\program files\Realtek\InstallShield\bak\AzMixerSel.exe

2007-01-23 18:03 . 2006-03-06 23:52 36864 c:\program files\Ulead Systems\Ulead VideoStudio 10\bak\uvPL.exe

2007-01-23 18:05 . 2007-01-23 18:05 155648 c:\program files\QuickTime\bak\qttask.exe
2006-09-01 14:57 . 2006-09-01 14:57 282624 c:\program files\QuickTime\qttask.exe

.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{201f27d4-3704-41d6-89c1-aa35e39143ed}]
2008-07-17 16:20 279944 ----a-w- c:\program files\AskBarDis\bar\bin\askBar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{3041d03e-fd4b-44e0-b742-2d9b88305f98}"= "c:\program files\AskBarDis\bar\bin\askBar.dll" [2008-07-17 279944]

[HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}]
[HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{3041D03E-FD4B-44E0-B742-2D9B88305F98}"= "c:\program files\AskBarDis\bar\bin\askBar.dll" [2008-07-17 279944]

[HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}]
[HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"OM2_Monitor"="c:\program files\OLYMPUS\OLYMPUS Master 2\MMonitor.exe" [2008-02-22 95536]
"BitTorrent DNA"="c:\program files\DNA\btdna.exe" [2009-02-27 321344]
"Google Update"="c:\documents and settings\Saša\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2009-03-29 133104]
"Windows Defender"="c:\windows\server.exe" [N/A]
"Sony Ericsson PC Suite"="c:\program files\Sony Ericsson\Sony Ericsson PC Suite\SEPCSuite.exe" [2009-06-23 434176]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-09-07 39408]
"csrss.exe"="c:\documents and settings\Saša\Application Data\Microsoft\csrss.exe" [N/A]
"AdobeBridge"="" [N/A]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-09-15 81000]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2006-09-01 282624]
"AdobeCS4ServiceManager"="c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" [2008-08-14 611712]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-07-31 149280]
"PWRISOVM.EXE"="c:\program files\PowerISO\PWRISOVM.EXE" [2008-07-07 167936]
"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.exe [2006-06-28 16248320]
"SkyTel"="SkyTel.EXE" - c:\windows\SkyTel.exe [2006-05-16 2879488]
"PD0620 STISvc"="P0620Pin.dll" - c:\windows\system32\P0620Pin.dll [2005-05-10 36864]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-03 15360]
"Picasa Media Detector"="c:\program files\Picasa2\PicasaMediaDetector.exe" [2008-02-26 443968]

[HKEY_CURRENT_USER\software\microsoft\windows\Currentversion\policies\explorer\Run]
"Microsoft Corp"="c:\windows\server.exe" [N/A]

c:\documents and settings\Guest\Start Menu\Programs\Startup\
Yahoo! Widget Engine.lnk - c:\program files\Yahoo!\Widgets\YahooWidgetEngine.exe [2007-7-20 2913584]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]
InterVideo WinCinema Manager.lnk - c:\program files\InterVideo\Common\Bin\WinCinemaMgr.exe [2007-1-13 303104]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Shareaza Applications\\Shareaza\\Shareaza.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\DNA\\btdna.exe"=
"c:\\Program Files\\BitTorrent\\bittorrent.exe"=
"c:\\Documents and Settings\\Saša\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.dll"=
"c:\\Documents and Settings\\Saša\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.exe"=
"c:\\Program Files\\FreshWebmaster\\FreshFTP\\freshftp.exe"=
"c:\\Program Files\\Common Files\\Adobe\\CS4ServiceManager\\CS4ServiceManager.exe"=
"c:\\WINDOWS\\system32\\winver.exe"=
"c:\\Program Files\\SightSpeed\\SightSpeed.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5353:TCP"= 5353:TCP:Adobe CSI CS4

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [12.4.2008 15:44 114768]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [12.4.2008 15:44 20560]
R3 seehcri;Sony Ericsson seehcri Device Driver;c:\windows\system32\drivers\seehcri.sys [27.8.2009 12:43 27632]
S2 gupdate1ca2f971662db28;Usluga Google ažuriranje (gupdate1ca2f971662db28-);c:\program files\Google\Update\GoogleUpdate.exe [7.9.2009 10:42 133104]
S2 OMSI download service;Sony Ericsson OMSI download service;c:\program files\Sony Ericsson\Sony Ericsson PC Suite\SupServ.exe [27.8.2009 12:42 90112]
S3 Msc7filrc;Msc7filrc; [x]
S3 s0017bus;Sony Ericsson Device 0017 driver (WDM);c:\windows\system32\drivers\s0017bus.sys [27.8.2009 12:42 86824]
S3 s0017mdfl;Sony Ericsson Device 0017 USB WMC Modem Filter;c:\windows\system32\drivers\s0017mdfl.sys [27.8.2009 12:42 15016]
S3 s0017mdm;Sony Ericsson Device 0017 USB WMC Modem Driver;c:\windows\system32\drivers\s0017mdm.sys [27.8.2009 12:42 114600]
S3 s0017mgmt;Sony Ericsson Device 0017 USB WMC Device Management Drivers (WDM);c:\windows\system32\drivers\s0017mgmt.sys [27.8.2009 12:42 108328]
S3 s0017nd5;Sony Ericsson Device 0017 USB Ethernet Emulation SEMC0017 (NDIS);c:\windows\system32\drivers\s0017nd5.sys [27.8.2009 12:42 26024]
S3 s0017obex;Sony Ericsson Device 0017 USB WMC OBEX Interface;c:\windows\system32\drivers\s0017obex.sys [27.8.2009 12:42 104616]
S3 s0017unic;Sony Ericsson Device 0017 USB Ethernet Emulation SEMC0017 (WDM);c:\windows\system32\drivers\s0017unic.sys [27.8.2009 12:42 109736]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - MBR
*Deregistered* - mbr

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{RVV2Q1Y7-X2FT-B4F2-6S7L-W7E8O1027L7C}]
"c:\windows\server.exe"
.
Contents of the 'Scheduled Tasks' folder

2009-11-04 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2004-09-29 09:41]

2009-11-04 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-09-07 09:42]

2009-11-04 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-09-07 09:42]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.hr/search?source=ig&hl=hr&rlz=&q=yourube&meta=lr=&aq=f&oq=
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://toolbar.ask.com/toolbarv/askRedirect?o=101728&gct=&gc=1&q=%s
IE: &Winamp Toolbar Search - c:\documents and settings\All Users\Application Data\Winamp Toolbar\ieToolbar\resources\en-US\local\search.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Saša\Application Data\Mozilla\Firefox\Profiles\nizwb8wd.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.google.hr/
FF - prefs.js: keyword.URL - hxxp://toolbar.ask.com/toolbarv/askRedirect?o=101728&gct=&gc=1&q=
FF - component: c:\documents and settings\Saša\Application Data\Mozilla\Firefox\Profiles\nizwb8wd.default\extensions\{a7c6cf7f-112c-4500-a7ea-39801a327e5f}\platform\WINNT_x86-msvc\components\ipc.dll
FF - plugin: c:\program files\Google\Google Updater\2.4.1698.5652\npCIDetect13.dll
FF - plugin: c:\program files\Google\Update\1.2.183.13\npGoogleOneClick8.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npbittorrent.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npyaxmpb.dll
.
- - - - ORPHANS REMOVED - - - -

BHO-{788edcfa-e001-4712-aed0-fc2deb34852a} - (no file)
Notify-danops - danops.dll
Notify-winmyy32 - winmyy32.dll



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, gmer.net
Rootkit scan 2009-11-04 11:45
Windows 5.1.2600 Service Pack 2 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(1688-)
c:\windows\system32\msi.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Alwil Software\Avast4\aswUpdSv.exe
c:\program files\Alwil Software\Avast4\ashServ.exe
c:\windows\system32\RunDLL32.exe
c:\docume~1\SAŠA\LOCALS~1\Temp\RtkBtMnt.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
c:\program files\Alwil Software\Avast4\ashMaiSv.exe
c:\program files\Alwil Software\Avast4\ashWebSv.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2009-11-04 11:46 - machine was rebooted
ComboFix-quarantined-files.txt 2009-11-04 10:46

Pre-Run: 5.268.553.728 bytes free
Post-Run: 5.137.678.336 bytes free

offline
  • diarno  Male
  • Anti Malware Fighter
    Rank 2
  • Joined: 15 Jun 2007
  • Posts: 5572

Open Notepad and copy the following text into it:

FileLook::
c:\program files\Alwil Software\Avast4\ashDisp.exe
c:\program files\QuickTime\qttask.exe

Registry::
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"=-
"csrss.exe"=-
[HKEY_CURRENT_USER\software\microsoft\windows\Currentversion\policies\explorer\Run]
"Microsoft Corp"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{RVV2Q1Y7-X2FT-B4F2-6S7L-W7E8O1027L7C}]


Save the file from Notepad to the Desktop as "CFScript"

Drag the saved script/text onto the ComboFix icon as shown in the picture.
In your next message, post the log that is created at the end of the cleaning/scan.
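
The Run-key triage that leads to a script like the one above, as an added example (not part of the original thread and not ComboFix's own logic). It parses the "Reg Loading Points" lines of a ComboFix log, flags suspicious autostart values and renders them as REGEDIT4 value deletions. The function names, the `SYSTEM_IMAGES` list and the reading of `[N/A]` as "file not found at scan time" are assumptions of this example; the sample lines are an excerpt of the first log in this thread.

```python
import re
from collections import defaultdict
from ntpath import basename, dirname  # Windows path rules on any OS

# Excerpt of the Run-key lines from the first ComboFix log in this thread.
SAMPLE_LOG = r'''
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"OM2_Monitor"="c:\program files\OLYMPUS\OLYMPUS Master 2\MMonitor.exe" [2008-02-22 95536]
"Windows Defender"="c:\windows\server.exe" [N/A]
"csrss.exe"="c:\documents and settings\Saša\Application Data\Microsoft\csrss.exe" [N/A]
"AdobeBridge"="" [N/A]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-09-15 81000]
"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.exe [2006-06-28 16248320]

[HKEY_CURRENT_USER\software\microsoft\windows\Currentversion\policies\explorer\Run]
"Microsoft Corp"="c:\windows\server.exe" [N/A]
'''

# Assumption of this example: a short list of Windows XP core process names
# and the only directory each one legitimately runs from.
SYSTEM_IMAGES = {
    "csrss.exe": r"c:\windows\system32",
    "lsass.exe": r"c:\windows\system32",
    "services.exe": r"c:\windows\system32",
    "smss.exe": r"c:\windows\system32",
    "svchost.exe": r"c:\windows\system32",
    "winlogon.exe": r"c:\windows\system32",
    "explorer.exe": r"c:\windows",
}

KEY_RE = re.compile(r'^\[(HK[^\]]+)\]$')
# "name"="data" [meta]   or   "name"="data" - resolved path [meta]
VALUE_RE = re.compile(r'^"(?P<name>[^"]*)"="(?P<data>[^"]*)"'
                      r'(?: - (?P<resolved>.+?))? \[(?P<meta>[^\]]*)\]$')


def parse_run_entries(log_text):
    """Return (key, value_name, image_path, meta) for each value under a Run key."""
    entries, key = [], None
    for line in log_text.splitlines():
        line = line.strip()
        m = KEY_RE.match(line)
        if m:
            # Only autostart keys are of interest; other sections reset the state.
            key = m.group(1) if m.group(1).lower().endswith("\\run") else None
            continue
        m = VALUE_RE.match(line)
        if key and m:
            path = (m.group("resolved") or m.group("data")).lower()
            entries.append((key, m.group("name"), path, m.group("meta")))
    return entries


def triage(entries):
    """Map (key, value_name) -> reasons why the autostart entry needs a closer look."""
    keys_per_image = defaultdict(set)
    for key, _, path, _ in entries:
        if path:
            keys_per_image[path].add(key.lower())
    findings = {}
    for key, name, path, meta in entries:
        if not path:  # empty data launches nothing; a stale leftover, not a finding
            continue
        reasons = []
        expected = SYSTEM_IMAGES.get(basename(path))
        if expected and dirname(path) != expected:
            reasons.append("system process name outside " + expected)
        if meta == "N/A":  # assumed: file was not found when the log was written
            reasons.append("target file missing")
        if len(keys_per_image[path]) > 1:
            reasons.append("same image registered under several Run keys")
        if reasons:
            findings[(key, name)] = reasons
    return findings


def reg_removal_fragment(findings):
    """Render flagged values as REGEDIT4 value deletions ("name"=-), grouped by key."""
    by_key = defaultdict(list)
    for key, name in findings:
        by_key[key].append(name)
    lines = []
    for key, names in by_key.items():
        lines.append("[" + key + "]")
        lines.extend('"%s"=-' % n for n in names)
    return "\n".join(lines)


if __name__ == "__main__":
    found = triage(parse_run_entries(SAMPLE_LOG))
    for (key, name), reasons in found.items():
        print(name, "->", "; ".join(reasons))
    print(reg_removal_fragment(found))
```

On the excerpt this flags the same three values that the script above removes; the Active Setup key in that script is outside what this sketch looks at.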

offline
  • Joined: 03 Nov 2009
  • Posts: 8

Here is the new log:

ComboFix 09-11-03.03 - Saša 04.11.2009 18:04.2.1 - FAT32x86
Microsoft Windows XP Professional 5.1.2600.2.1250.385.1033.18.2038.1585 [GMT 1:00]
Running from: c:\documents and settings\Saša\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Saša\Desktop\CFScript.txt
AV: avast! antivirus 4.8.1356 [VPS 091103-1] *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((( Files Created from 2009-10-04 to 2009-11-04 )))))))))))))))))))))))))))))))
.

2009-11-03 11:21 . 2009-11-03 11:21 -------- d-----w- c:\program files\Trend Micro
2009-10-26 19:50 . 2009-10-26 19:50 -------- d-----w- c:\program files\PowerISO
2009-10-24 22:40 . 2009-10-24 22:40 -------- d--h--w- c:\windows\PIF

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-09-26 09:58 . 2007-02-03 18:44 3348 --sha-w- c:\windows\system32\KGyGaAvL.sys
2009-09-20 13:27 . 2009-09-20 13:27 -------- d-----w- c:\documents and settings\Guest\Application Data\Outertech
2009-09-20 12:33 . 2009-09-20 12:33 -------- d-----w- c:\documents and settings\Guest\Application Data\Winamp
2009-09-15 11:59 . 2007-01-13 17:15 1279968 ----a-w- c:\windows\system32\aswBoot.exe
2009-09-15 11:56 . 2007-01-13 17:15 93424 ----a-w- c:\windows\system32\drivers\aswmon.sys
2009-09-15 11:56 . 2007-01-13 17:15 94160 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2009-09-15 11:55 . 2008-04-12 14:44 114768 ----a-w- c:\windows\system32\drivers\aswSP.sys
2009-09-15 11:55 . 2008-04-12 14:44 20560 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2009-09-15 11:54 . 2007-01-13 17:15 52368 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2009-09-15 11:54 . 2007-01-13 17:15 23152 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2009-09-15 11:53 . 2007-01-13 17:15 27408 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2009-09-15 11:53 . 2007-01-13 17:15 97480 ----a-w- c:\windows\system32\AVASTSS.scr
2009-09-07 09:41 . 2009-09-07 09:41 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater
2009-08-27 11:42 . 2009-08-27 11:42 148736 ----a-w- c:\documents and settings\All Users\Application Data\hpeBE.dll
.

(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.

--- c:\program files\Alwil Software\Avast4\ashDisp.exe ---
Company: ALWIL Software
File Description: avast! service GUI component
File Version: 4, 8, 1356, 0
Product Name: avast! Antivirus
Copyright: Copyright (c) 2009 ALWIL Software
Original Filename: aswDisp.exe
File size: 81000
Created time: 2007-01-13 17:15
Modified time: 2009-09-15 11:56
MD5: 28E9092D50AE450662EEA4719E5AA304
SHA1: 6D3D8D527A330B7FE0DC9E88076DE410EB75F6F1


--- c:\program files\QuickTime\qttask.exe ---
Company: Apple Computer, Inc.
File Description: QuickTime Task
File Version: 7.1.3
Product Name: QuickTime
Copyright: Copyright Apple Computer, Inc. 1989-2006
Original Filename: QTTask.exe
File size: 282624
Created time: 2006-09-01 14:57
Modified time: 2006-09-01 14:57
MD5: CAF03357DE72F8F19FA099581A685C1A
SHA1: 33F6F26E068AAEEF1012DE235F71CBA7BEE61754


((((((((((((((((((((((((((((( SnapShot@2009-11-04_10.43.22 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-11-04 13:54 . 2009-11-04 13:54 16384 c:\windows\Temp\Perflib_Perfdata_690.dat
.
((((((((((((((((((((((((((((((((((((((((((((( AWF ))))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2004-08-03 21:56 . 2004-08-03 21:56 15360 c:\windows\system32\bak\ctfmon.exe
2004-08-03 21:56 . 2004-08-03 21:56 15360 c:\windows\system32\ctfmon.exe

2007-01-13 16:22 . 2001-07-09 09:50 155648 c:\windows\system32\bak\NeroCheck.exe

2007-01-13 16:39 . 2006-03-23 04:17 94208 c:\windows\system32\bak\igfxtray.exe

2007-01-13 16:39 . 2006-03-23 04:13 77824 c:\windows\system32\bak\hkcmd.exe

2007-01-13 16:39 . 2006-03-23 04:17 118784 c:\windows\system32\bak\igfxpers.exe

2005-08-11 15:30 . 2005-08-11 15:30 249856 c:\program files\Common Files\InstallShield\UpdateService\bak\isuspm.exe

2005-08-11 15:30 . 2005-08-11 15:30 81920 c:\program files\Common Files\InstallShield\UpdateService\bak\issch.exe

2007-01-13 17:15 . 2007-01-12 11:24 108160 c:\program files\Alwil Software\Avast4\bak\ashDisp.exe
2007-01-13 17:15 . 2009-09-15 11:56 81000 c:\program files\Alwil Software\Avast4\ashDisp.exe

2007-01-13 17:17 . 2006-08-23 15:21 3208192 c:\program files\Ashampoo\Ashampoo FireWall\bak\FireWall.exe

2007-01-18 19:18 . 2005-12-21 07:02 53248 c:\program files\Realtek\InstallShield\bak\AzMixerSel.exe

2007-01-23 18:03 . 2006-03-06 23:52 36864 c:\program files\Ulead Systems\Ulead VideoStudio 10\bak\uvPL.exe

2007-01-23 18:05 . 2007-01-23 18:05 155648 c:\program files\QuickTime\bak\qttask.exe
2006-09-01 14:57 . 2006-09-01 14:57 282624 c:\program files\QuickTime\qttask.exe

.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{201f27d4-3704-41d6-89c1-aa35e39143ed}]
2008-07-17 16:20 279944 ----a-w- c:\program files\AskBarDis\bar\bin\askBar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{3041d03e-fd4b-44e0-b742-2d9b88305f98}"= "c:\program files\AskBarDis\bar\bin\askBar.dll" [2008-07-17 279944]

[HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}]
[HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{3041D03E-FD4B-44E0-B742-2D9B88305F98}"= "c:\program files\AskBarDis\bar\bin\askBar.dll" [2008-07-17 279944]

[HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}]
[HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"OM2_Monitor"="c:\program files\OLYMPUS\OLYMPUS Master 2\MMonitor.exe" [2008-02-22 95536]
"BitTorrent DNA"="c:\program files\DNA\btdna.exe" [2009-02-27 321344]
"Google Update"="c:\documents and settings\Saša\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2009-03-29 133104]
"Sony Ericsson PC Suite"="c:\program files\Sony Ericsson\Sony Ericsson PC Suite\SEPCSuite.exe" [2009-06-23 434176]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-09-07 39408]
"AdobeBridge"="" [N/A]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-09-15 81000]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2006-09-01 282624]
"AdobeCS4ServiceManager"="c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" [2008-08-14 611712]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-07-31 149280]
"PWRISOVM.EXE"="c:\program files\PowerISO\PWRISOVM.EXE" [2008-07-07 167936]
"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.exe [2006-06-28 16248320]
"SkyTel"="SkyTel.EXE" - c:\windows\SkyTel.exe [2006-05-16 2879488]
"PD0620 STISvc"="P0620Pin.dll" - c:\windows\system32\P0620Pin.dll [2005-05-10 36864]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-03 15360]
"Picasa Media Detector"="c:\program files\Picasa2\PicasaMediaDetector.exe" [2008-02-26 443968]

c:\documents and settings\Guest\Start Menu\Programs\Startup\
Yahoo! Widget Engine.lnk - c:\program files\Yahoo!\Widgets\YahooWidgetEngine.exe [2007-7-20 2913584]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]
InterVideo WinCinema Manager.lnk - c:\program files\InterVideo\Common\Bin\WinCinemaMgr.exe [2007-1-13 303104]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Shareaza Applications\\Shareaza\\Shareaza.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\DNA\\btdna.exe"=
"c:\\Program Files\\BitTorrent\\bittorrent.exe"=
"c:\\Documents and Settings\\Saša\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.dll"=
"c:\\Documents and Settings\\Saša\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.exe"=
"c:\\Program Files\\FreshWebmaster\\FreshFTP\\freshftp.exe"=
"c:\\Program Files\\Common Files\\Adobe\\CS4ServiceManager\\CS4ServiceManager.exe"=
"c:\\WINDOWS\\system32\\winver.exe"=
"c:\\Program Files\\SightSpeed\\SightSpeed.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5353:TCP"= 5353:TCP:Adobe CSI CS4

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [12.4.2008 15:44 114768]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [12.4.2008 15:44 20560]
R3 seehcri;Sony Ericsson seehcri Device Driver;c:\windows\system32\drivers\seehcri.sys [27.8.2009 12:43 27632]
S2 gupdate1ca2f971662db28;Usluga Google ažuriranje (gupdate1ca2f971662db28-);c:\program files\Google\Update\GoogleUpdate.exe [7.9.2009 10:42 133104]
S2 OMSI download service;Sony Ericsson OMSI download service;c:\program files\Sony Ericsson\Sony Ericsson PC Suite\SupServ.exe [27.8.2009 12:42 90112]
S3 Msc7filrc;Msc7filrc; [x]
S3 s0017bus;Sony Ericsson Device 0017 driver (WDM);c:\windows\system32\drivers\s0017bus.sys [27.8.2009 12:42 86824]
S3 s0017mdfl;Sony Ericsson Device 0017 USB WMC Modem Filter;c:\windows\system32\drivers\s0017mdfl.sys [27.8.2009 12:42 15016]
S3 s0017mdm;Sony Ericsson Device 0017 USB WMC Modem Driver;c:\windows\system32\drivers\s0017mdm.sys [27.8.2009 12:42 114600]
S3 s0017mgmt;Sony Ericsson Device 0017 USB WMC Device Management Drivers (WDM);c:\windows\system32\drivers\s0017mgmt.sys [27.8.2009 12:42 108328]
S3 s0017nd5;Sony Ericsson Device 0017 USB Ethernet Emulation SEMC0017 (NDIS);c:\windows\system32\drivers\s0017nd5.sys [27.8.2009 12:42 26024]
S3 s0017obex;Sony Ericsson Device 0017 USB WMC OBEX Interface;c:\windows\system32\drivers\s0017obex.sys [27.8.2009 12:42 104616]
S3 s0017unic;Sony Ericsson Device 0017 USB Ethernet Emulation SEMC0017 (WDM);c:\windows\system32\drivers\s0017unic.sys [27.8.2009 12:42 109736]

--- Other Services/Drivers In Memory ---

*Deregistered* - mbr
*Deregistered* - PROCEXP113
.
Contents of the 'Scheduled Tasks' folder

2009-11-04 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2004-09-29 09:41]

2009-11-04 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-09-07 09:42]

2009-11-04 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-09-07 09:42]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.hr/search?source=ig&hl=hr&rlz=&q=yourube&meta=lr=&aq=f&oq=
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://toolbar.ask.com/toolbarv/askRedirect?o=101728&gct=&gc=1&q=%s
IE: &Winamp Toolbar Search - c:\documents and settings\All Users\Application Data\Winamp Toolbar\ieToolbar\resources\en-US\local\search.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Saša\Application Data\Mozilla\Firefox\Profiles\nizwb8wd.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.google.hr/
FF - prefs.js: keyword.URL - hxxp://toolbar.ask.com/toolbarv/askRedirect?o=101728&gct=&gc=1&q=
FF - component: c:\documents and settings\Saša\Application Data\Mozilla\Firefox\Profiles\nizwb8wd.default\extensions\{a7c6cf7f-112c-4500-a7ea-39801a327e5f}\platform\WINNT_x86-msvc\components\ipc.dll
FF - plugin: c:\program files\Google\Google Updater\2.4.1698.5652\npCIDetect13.dll
FF - plugin: c:\program files\Google\Update\1.2.183.13\npGoogleOneClick8.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npbittorrent.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npyaxmpb.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, gmer.net
Rootkit scan 2009-11-04 18:07
Windows 5.1.2600 Service Pack 2 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(576)
c:\windows\system32\igfxdev.dll

- - - - - - - > 'explorer.exe'(1240)
c:\windows\system32\msi.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2009-11-04 18:09
ComboFix-quarantined-files.txt 2009-11-04 17:09
ComboFix2.txt 2009-11-04 10:46

Pre-Run: 5.157.683.200 bytes free
Post-Run: 5.121.277.952 bytes free

offline
  • diarno  Male
  • Anti Malware Fighter
    Rank 2
  • Joined: 15 Jun 2007
  • Posts: 5572

What's the situation now? :)

offline
  • Joined: 03 Nov 2009
  • Posts: 8

Same situation.
I cannot delete them from the USB stick (hidden files, see the picture; I couldn't get a better one), and when the computer recognizes the USB stick I cannot open it either by double-click or by right-click and Open, only with Explore.

In Task Manager there are still two csrss.exe files, one is csrss.exe and the other CSRSS.EXE (picture attached).

Maybe I should install BitDefender and try to clean the computer with it??


offline
  • diarno  Male
  • Anti Malware Fighter
    Rank 2
  • Joined: 15 Jun 2007
  • Posts: 5572

No need for BitDefender at the moment.....


Remove that USB, then run ComboFix again and post the report for me...

After that

- Download USBNoRisk to the Desktop and run it by double-clicking the program icon.
- Wait a few seconds while the program performs its initial scan.
- Insert all USB storage devices one by one into the USB slot and keep each one in the slot for 10 seconds.
- If you have several devices to check, write down on a piece of paper the order in which they were inserted, because we will need that information later.
- When you are done with all the devices, right-click in the middle of the program window and choose Save log. This will automatically open the log in Notepad. Copy that log from Notepad to the forum.

Explanation: USB storage devices include all devices that get their own partition letter when connected to the computer. These include USB flash drives, external hard disks, memory cards, MP3 and MP4 players, some mobile phones, some GPS (navigation) devices, etc.

offline
  • Joined: 03 Nov 2009
  • Posts: 8

Posted: 05 Nov 2009 21:02

Here is ComboFix first:
The USBNoRisk log goes right below this log:



ComboFix 09-11-03.03 - Saša 05.11.2009 20:47.3.1 - FAT32x86
Microsoft Windows XP Professional 5.1.2600.2.1250.385.1033.18.2038.1595 [GMT 1:00]
Running from: c:\documents and settings\Saša\Desktop\ComboFix.exe
AV: avast! antivirus 4.8.1356 [VPS 091105-1] *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Saša\Application Data\Microsoft\csrss.exe

.
((((((((((((((((((((((((( Files Created from 2009-10-05 to 2009-11-05 )))))))))))))))))))))))))))))))
.

2009-11-03 11:21 . 2009-11-03 11:21 -------- d-----w- c:\program files\Trend Micro
2009-10-26 19:50 . 2009-10-26 19:50 -------- d-----w- c:\program files\PowerISO
2009-10-24 22:40 . 2009-10-24 22:40 -------- d--h--w- c:\windows\PIF

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-09-26 09:58 . 2007-02-03 18:44 3348 --sha-w- c:\windows\system32\KGyGaAvL.sys
2009-09-20 13:27 . 2009-09-20 13:27 -------- d-----w- c:\documents and settings\Guest\Application Data\Outertech
2009-09-20 12:33 . 2009-09-20 12:33 -------- d-----w- c:\documents and settings\Guest\Application Data\Winamp
2009-09-15 11:59 . 2007-01-13 17:15 1279968 ----a-w- c:\windows\system32\aswBoot.exe
2009-09-15 11:56 . 2007-01-13 17:15 93424 ----a-w- c:\windows\system32\drivers\aswmon.sys
2009-09-15 11:56 . 2007-01-13 17:15 94160 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2009-09-15 11:55 . 2008-04-12 14:44 114768 ----a-w- c:\windows\system32\drivers\aswSP.sys
2009-09-15 11:55 . 2008-04-12 14:44 20560 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2009-09-15 11:54 . 2007-01-13 17:15 52368 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2009-09-15 11:54 . 2007-01-13 17:15 23152 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2009-09-15 11:53 . 2007-01-13 17:15 27408 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2009-09-15 11:53 . 2007-01-13 17:15 97480 ----a-w- c:\windows\system32\AVASTSS.scr
2009-09-07 09:41 . 2009-09-07 09:41 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater
2009-08-27 11:42 . 2009-08-27 11:42 148736 ----a-w- c:\documents and settings\All Users\Application Data\hpeBE.dll
.

((((((((((((((((((((((((((((( SnapShot@2009-11-04_10.43.22 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-11-04 19:58 . 2009-11-04 19:58 16384 c:\windows\Temp\Perflib_Perfdata_690.dat
.
((((((((((((((((((((((((((((((((((((((((((((( AWF ))))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2004-08-03 21:56 . 2004-08-03 21:56 15360 c:\windows\system32\bak\ctfmon.exe
2004-08-03 21:56 . 2004-08-03 21:56 15360 c:\windows\system32\ctfmon.exe

2007-01-13 16:22 . 2001-07-09 09:50 155648 c:\windows\system32\bak\NeroCheck.exe

2007-01-13 16:39 . 2006-03-23 04:17 94208 c:\windows\system32\bak\igfxtray.exe

2007-01-13 16:39 . 2006-03-23 04:13 77824 c:\windows\system32\bak\hkcmd.exe

2007-01-13 16:39 . 2006-03-23 04:17 118784 c:\windows\system32\bak\igfxpers.exe

2005-08-11 15:30 . 2005-08-11 15:30 249856 c:\program files\Common Files\InstallShield\UpdateService\bak\isuspm.exe

2005-08-11 15:30 . 2005-08-11 15:30 81920 c:\program files\Common Files\InstallShield\UpdateService\bak\issch.exe

2007-01-13 17:15 . 2007-01-12 11:24 108160 c:\program files\Alwil Software\Avast4\bak\ashDisp.exe
2007-01-13 17:15 . 2009-09-15 11:56 81000 c:\program files\Alwil Software\Avast4\ashDisp.exe

2007-01-13 17:17 . 2006-08-23 15:21 3208192 c:\program files\Ashampoo\Ashampoo FireWall\bak\FireWall.exe

2007-01-18 19:18 . 2005-12-21 07:02 53248 c:\program files\Realtek\InstallShield\bak\AzMixerSel.exe

2007-01-23 18:03 . 2006-03-06 23:52 36864 c:\program files\Ulead Systems\Ulead VideoStudio 10\bak\uvPL.exe

2007-01-23 18:05 . 2007-01-23 18:05 155648 c:\program files\QuickTime\bak\qttask.exe
2006-09-01 14:57 . 2006-09-01 14:57 282624 c:\program files\QuickTime\qttask.exe

.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{201f27d4-3704-41d6-89c1-aa35e39143ed}]
2008-07-17 16:20 279944 ----a-w- c:\program files\AskBarDis\bar\bin\askBar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{3041d03e-fd4b-44e0-b742-2d9b88305f98}"= "c:\program files\AskBarDis\bar\bin\askBar.dll" [2008-07-17 279944]

[HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}]
[HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{3041D03E-FD4B-44E0-B742-2D9B88305F98}"= "c:\program files\AskBarDis\bar\bin\askBar.dll" [2008-07-17 279944]

[HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}]
[HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"OM2_Monitor"="c:\program files\OLYMPUS\OLYMPUS Master 2\MMonitor.exe" [2008-02-22 95536]
"BitTorrent DNA"="c:\program files\DNA\btdna.exe" [2009-02-27 321344]
"Google Update"="c:\documents and settings\Saša\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2009-03-29 133104]
"Sony Ericsson PC Suite"="c:\program files\Sony Ericsson\Sony Ericsson PC Suite\SEPCSuite.exe" [2009-06-23 434176]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-09-07 39408]
"csrss.exe"="c:\documents and settings\Saša\Application Data\Microsoft\csrss.exe" [N/A]
"AdobeBridge"="" [N/A]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-09-15 81000]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2006-09-01 282624]
"AdobeCS4ServiceManager"="c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" [2008-08-14 611712]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-07-31 149280]
"PWRISOVM.EXE"="c:\program files\PowerISO\PWRISOVM.EXE" [2008-07-07 167936]
"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.exe [2006-06-28 16248320]
"SkyTel"="SkyTel.EXE" - c:\windows\SkyTel.exe [2006-05-16 2879488]
"PD0620 STISvc"="P0620Pin.dll" - c:\windows\system32\P0620Pin.dll [2005-05-10 36864]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-03 15360]
"Picasa Media Detector"="c:\program files\Picasa2\PicasaMediaDetector.exe" [2008-02-26 443968]

c:\documents and settings\Guest\Start Menu\Programs\Startup\
Yahoo! Widget Engine.lnk - c:\program files\Yahoo!\Widgets\YahooWidgetEngine.exe [2007-7-20 2913584]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]
InterVideo WinCinema Manager.lnk - c:\program files\InterVideo\Common\Bin\WinCinemaMgr.exe [2007-1-13 303104]

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
Source= file:///c:\docume~1\SAŠA\LOCALS~1\Temp\msohtml1\01\clip_image002.jpg
FriendlyName=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Shareaza Applications\\Shareaza\\Shareaza.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\DNA\\btdna.exe"=
"c:\\Program Files\\BitTorrent\\bittorrent.exe"=
"c:\\Documents and Settings\\Saša\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.dll"=
"c:\\Documents and Settings\\Saša\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.exe"=
"c:\\Program Files\\FreshWebmaster\\FreshFTP\\freshftp.exe"=
"c:\\Program Files\\Common Files\\Adobe\\CS4ServiceManager\\CS4ServiceManager.exe"=
"c:\\WINDOWS\\system32\\winver.exe"=
"c:\\Program Files\\SightSpeed\\SightSpeed.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5353:TCP"= 5353:TCP:Adobe CSI CS4

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [12.4.2008 15:44 114768]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [12.4.2008 15:44 20560]
R3 seehcri;Sony Ericsson seehcri Device Driver;c:\windows\system32\drivers\seehcri.sys [27.8.2009 12:43 27632]
S2 gupdate1ca2f971662db28;Usluga Google ažuriranje (gupdate1ca2f971662db28-);c:\program files\Google\Update\GoogleUpdate.exe [7.9.2009 10:42 133104]
S2 OMSI download service;Sony Ericsson OMSI download service;c:\program files\Sony Ericsson\Sony Ericsson PC Suite\SupServ.exe [27.8.2009 12:42 90112]
S3 Msc7filrc;Msc7filrc; [x]
S3 s0017bus;Sony Ericsson Device 0017 driver (WDM);c:\windows\system32\drivers\s0017bus.sys [27.8.2009 12:42 86824]
S3 s0017mdfl;Sony Ericsson Device 0017 USB WMC Modem Filter;c:\windows\system32\drivers\s0017mdfl.sys [27.8.2009 12:42 15016]
S3 s0017mdm;Sony Ericsson Device 0017 USB WMC Modem Driver;c:\windows\system32\drivers\s0017mdm.sys [27.8.2009 12:42 114600]
S3 s0017mgmt;Sony Ericsson Device 0017 USB WMC Device Management Drivers (WDM);c:\windows\system32\drivers\s0017mgmt.sys [27.8.2009 12:42 108328]
S3 s0017nd5;Sony Ericsson Device 0017 USB Ethernet Emulation SEMC0017 (NDIS);c:\windows\system32\drivers\s0017nd5.sys [27.8.2009 12:42 26024]
S3 s0017obex;Sony Ericsson Device 0017 USB WMC OBEX Interface;c:\windows\system32\drivers\s0017obex.sys [27.8.2009 12:42 104616]
S3 s0017unic;Sony Ericsson Device 0017 USB Ethernet Emulation SEMC0017 (WDM);c:\windows\system32\drivers\s0017unic.sys [27.8.2009 12:42 109736]

--- Other Services/Drivers In Memory ---

*Deregistered* - mbr
*Deregistered* - PROCEXP113
.
Contents of the 'Scheduled Tasks' folder

2009-11-05 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2004-09-29 09:41]

2009-11-05 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-09-07 09:42]

2009-11-05 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-09-07 09:42]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.hr/search?source=ig&hl=hr&rlz=&q=yourube&meta=lr=&aq=f&oq=
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://toolbar.ask.com/toolbarv/askRedirect?o=101728&gct=&gc=1&q=%s
IE: &Winamp Toolbar Search - c:\documents and settings\All Users\Application Data\Winamp Toolbar\ieToolbar\resources\en-US\local\search.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Saša\Application Data\Mozilla\Firefox\Profiles\nizwb8wd.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.google.hr/
FF - prefs.js: keyword.URL - hxxp://toolbar.ask.com/toolbarv/askRedirect?o=101728&gct=&gc=1&q=
FF - component: c:\documents and settings\Saša\Application Data\Mozilla\Firefox\Profiles\nizwb8wd.default\extensions\{a7c6cf7f-112c-4500-a7ea-39801a327e5f}\platform\WINNT_x86-msvc\components\ipc.dll
FF - plugin: c:\program files\Google\Google Updater\2.4.1698.5652\npCIDetect13.dll
FF - plugin: c:\program files\Google\Update\1.2.183.13\npGoogleOneClick8.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npbittorrent.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npyaxmpb.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, gmer.net
Rootkit scan 2009-11-05 20:51
Windows 5.1.2600 Service Pack 2 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2009-11-05 20:52
ComboFix-quarantined-files.txt 2009-11-05 19:52
ComboFix2.txt 2009-11-04 17:09
ComboFix3.txt 2009-11-04 10:46

Pre-Run: 5.022.957.568 bytes free
Post-Run: 4.985.061.376 bytes free

USBNoRisk 2.5 (26 July 2009) by bobby

Started at 5.11.2009 20:57:22

Searching for connected USB Mass storage...
----------------------------------------
========================================

Searching for other storage...
----------------------------------------
C: {ac2d61bd-a35f-11db-822e-806d6172696f}
D: {ac2d61be-a35f-11db-822e-806d6172696f}
========================================


Scanning fixed storage...
----------------------------------------

No blocked files found on C:
No Autorun.inf files found on C:
No mountpoint found for C:
No mountpoint found for ac2d61bd-a35f-11db-822e-806d6172696f
----------------------------------------
Desktop.ini found at C:\Recycled\ contains interesting CLSID string
----------------------------------------
[.ShellClassInfo]
CLSID={645FF040-5081-101B-9F08-00AA002F954E}
----------------------------------------
HKCR\CLSID\{645FF040-5081-101B-9F08-00AA002F954E},InfoTip = @%SystemRoot%\system32\SHELL32.dll,-22915
HKCR\CLSID\{645FF040-5081-101B-9F08-00AA002F954E},IntroText = @%SystemRoot%\system32\SHELL32.dll,-31748
HKCR\CLSID\{645FF040-5081-101B-9F08-00AA002F954E},LocalizedString = @%SystemRoot%\system32\SHELL32.dll,-8964
HKCR\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\DefaultIcon,@ = %SystemRoot%\System32\shell32.dll,31
HKCR\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\DefaultIcon,Empty = %SystemRoot%\System32\shell32.dll,31
HKCR\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\DefaultIcon,Full = %SystemRoot%\System32\shell32.dll,32
HKCR\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\InProcServer32,@ = shell32.dll
HKCR\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\Shell\Otvori CCleaner...\command,@ = C:\Program Files\CCleaner\ccleaner.exe
HKCR\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\Shell\Pokreni CCleaner\command,@ = C:\Program Files\CCleaner\ccleaner.exe /AUTO
HKLM\Software\Classes\CLSID\{645FF040-5081-101B-9F08-00AA002F954E},InfoTip = @%SystemRoot%\system32\SHELL32.dll,-22915
HKLM\Software\Classes\CLSID\{645FF040-5081-101B-9F08-00AA002F954E},IntroText = @%SystemRoot%\system32\SHELL32.dll,-31748
HKLM\Software\Classes\CLSID\{645FF040-5081-101B-9F08-00AA002F954E},LocalizedString = @%SystemRoot%\system32\SHELL32.dll,-8964
HKLM\Software\Classes\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\DefaultIcon,@ = %SystemRoot%\System32\shell32.dll,31
HKLM\Software\Classes\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\DefaultIcon,Empty = %SystemRoot%\System32\shell32.dll,31
HKLM\Software\Classes\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\DefaultIcon,Full = %SystemRoot%\System32\shell32.dll,32
HKLM\Software\Classes\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\InProcServer32,@ = shell32.dll
HKLM\Software\Classes\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\Shell\Otvori CCleaner...\command,@ = C:\Program Files\CCleaner\ccleaner.exe
HKLM\Software\Classes\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\Shell\Pokreni CCleaner\command,@ = C:\Program Files\CCleaner\ccleaner.exe /AUTO
----------------------------------------

No blocked files found on D:
No Autorun.inf files found on D:
No mountpoint found for D:
No mountpoint found for ac2d61be-a35f-11db-822e-806d6172696f
----------------------------------------
Desktop.ini found at D:\Recycled\ contains interesting CLSID string
----------------------------------------
[.ShellClassInfo]
CLSID={645FF040-5081-101B-9F08-00AA002F954E}
----------------------------------------
HKCR\CLSID\{645FF040-5081-101B-9F08-00AA002F954E},InfoTip = @%SystemRoot%\system32\SHELL32.dll,-22915
HKCR\CLSID\{645FF040-5081-101B-9F08-00AA002F954E},IntroText = @%SystemRoot%\system32\SHELL32.dll,-31748
HKCR\CLSID\{645FF040-5081-101B-9F08-00AA002F954E},LocalizedString = @%SystemRoot%\system32\SHELL32.dll,-8964
HKCR\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\DefaultIcon,@ = %SystemRoot%\System32\shell32.dll,31
HKCR\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\DefaultIcon,Empty = %SystemRoot%\System32\shell32.dll,31
HKCR\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\DefaultIcon,Full = %SystemRoot%\System32\shell32.dll,32
HKCR\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\InProcServer32,@ = shell32.dll
HKCR\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\Shell\Otvori CCleaner...\command,@ = C:\Program Files\CCleaner\ccleaner.exe
HKCR\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\Shell\Pokreni CCleaner\command,@ = C:\Program Files\CCleaner\ccleaner.exe /AUTO
HKLM\Software\Classes\CLSID\{645FF040-5081-101B-9F08-00AA002F954E},InfoTip = @%SystemRoot%\system32\SHELL32.dll,-22915
HKLM\Software\Classes\CLSID\{645FF040-5081-101B-9F08-00AA002F954E},IntroText = @%SystemRoot%\system32\SHELL32.dll,-31748
HKLM\Software\Classes\CLSID\{645FF040-5081-101B-9F08-00AA002F954E},LocalizedString = @%SystemRoot%\system32\SHELL32.dll,-8964
HKLM\Software\Classes\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\DefaultIcon,@ = %SystemRoot%\System32\shell32.dll,31
HKLM\Software\Classes\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\DefaultIcon,Empty = %SystemRoot%\System32\shell32.dll,31
HKLM\Software\Classes\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\DefaultIcon,Full = %SystemRoot%\System32\shell32.dll,32
HKLM\Software\Classes\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\InProcServer32,@ = shell32.dll
HKLM\Software\Classes\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\Shell\Otvori CCleaner...\command,@ = C:\Program Files\CCleaner\ccleaner.exe
HKLM\Software\Classes\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\Shell\Pokreni CCleaner\command,@ = C:\Program Files\CCleaner\ccleaner.exe /AUTO
----------------------------------------

========================================
Initial scan finished!
========================================


New device connected at 5.11.2009 20:58:05

Scanning for connected USB mass storage...
----------------------------------------
I: {2e0ed46e-4062-11dc-abfb-005056c00008}
Added I:
========================================

Scanning USB mass storage for files...
----------------------------------------
No blocked files found on I:
----------------------------------------
autorun.inf found on I:
----------------------------------------
File I:\autorun.inf renamed successfully

Content of I:\autorun.inf.blocked
----------------------------------------
[autorun]
open=csrss.exe
icon=%SystemRoot%\system32\SHELL32.dll,4
action=Open folder to view files
shell\open=Open
shell\open\command=csrss.exe
shell\open\default=1
----------------------------------------

Files referenced from I:\autorun.inf.blocked
----------------------------------------
I:\csrss.exe ---h- 1136164
----------------------------------------

Sanitized mountpoint for 2e0ed46e-4062-11dc-abfb-005056c00008
----------------------------------------

No Desktop.ini files found on I:
----------------------------------------

No mimics found on drive I:
========================================

========================================
Removed I:
========================================


New device connected at 5.11.2009 20:58:49

Scanning for connected USB mass storage...
----------------------------------------
H: {5b854920-412b-11de-ae6b-0016d45cca62}
Added H:
========================================

Scanning USB mass storage for files...
----------------------------------------
No blocked files found on H:
----------------------------------------
No Autorun.inf files found on H:
No mountpoint found for H:
No mountpoint found for 5b854920-412b-11de-ae6b-0016d45cca62
----------------------------------------

No Desktop.ini files found on H:
----------------------------------------

No mimics found on drive H:
========================================

========================================
Removed H:
========================================

Addendum: 05 Nov 2009 21:17

The situation is now as follows:

After I did everything according to the instructions, I restarted the computer (just in case) and reconnected the USB, and I managed to open it with a double-click!!! :-))

The csrss.exe file is still on it, along with the autorun, which is blocked.

The third change I noticed is in Task Manager: there is now only one csrss.exe file, and it is the one whose name is written in capital letters
(I really have no idea whether the letter case means anything, but the one written in lowercase is gone).

What next?
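
A triage sketch for the two artifacts in the logs above, added here as an example and not part of the original thread or of ComboFix/USBNoRisk: it parses the autorun.inf that USBNoRisk printed and the ComboFix Run-key lines, and flags entries that start a file named like a core Windows process from outside system32. The function names, the short process list and the c:\windows system root are assumptions; the sample inputs are copied from the logs on this page.

```python
import ntpath
import re

# Assumption: core processes that, on the 32-bit XP system in this thread,
# should only ever start from %SystemRoot%\system32.
SYSTEM32_ONLY = {"csrss.exe", "smss.exe", "lsass.exe", "services.exe", "winlogon.exe"}

# [autorun] keys that make the shell run a command when the drive is opened.
EXEC_KEYS = re.compile(r"^(open|shellexecute|shell\\[^\\=]+\\command)$", re.I)
# ComboFix Run-key line: "value name"="command" [date size]
RUN_LINE = re.compile(r'^"([^"]*)"="([^"]*)"')

# Copied from the USBNoRisk log on this page (I:\autorun.inf.blocked).
SAMPLE_AUTORUN = r"""[autorun]
open=csrss.exe
icon=%SystemRoot%\system32\SHELL32.dll,4
action=Open folder to view files
shell\open=Open
shell\open\command=csrss.exe
shell\open\default=1
"""

# Copied from the ComboFix "Reg Loading Points" section on this page.
SAMPLE_RUN = [
    r'"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-09-07 39408]',
    r'"csrss.exe"="c:\documents and settings\Saša\Application Data\Microsoft\csrss.exe" [N/A]',
    r'"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-03 15360]',
]


def parse_autorun(text):
    """Return {key: value} for the [autorun] section, keys lower-cased."""
    entries, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "autorun" and "=" in line:
            key, value = line.split("=", 1)
            entries[key.strip().lower()] = value.strip()
    return entries


def command_target(value):
    """First token of a command line, honouring a leading double quote."""
    value = value.strip()
    if value.startswith('"'):
        return value[1:].split('"', 1)[0]
    return value.split(None, 1)[0] if value else ""


def is_masquerade(path, system_root=r"c:\windows"):
    """True if the file is named like a system32-only process but lives elsewhere.
    Comparison is case-insensitive, as Windows file names are."""
    norm = ntpath.normpath(path.strip('"')).lower()
    name = ntpath.basename(norm)
    return name in SYSTEM32_ONLY and norm != ntpath.join(system_root.lower(), "system32", name)


def triage_autorun(text, drive):
    """List (key, resolved target, reason) for every auto-executing entry."""
    findings = []
    for key, value in parse_autorun(text).items():
        target = command_target(value)
        if EXEC_KEYS.match(key) and target:
            full = ntpath.join(drive, target)  # relative targets resolve on the stick
            reason = "masquerades as system process" if is_masquerade(full) else "auto-executes a file"
            findings.append((key, full, reason))
    return findings


def triage_run_entries(lines):
    """Return (value name, path) for Run entries that masquerade as system processes."""
    matches = (RUN_LINE.match(line.strip()) for line in lines)
    return [(m.group(1), m.group(2)) for m in matches if m and is_masquerade(m.group(2))]


if __name__ == "__main__":
    for finding in triage_autorun(SAMPLE_AUTORUN, "I:\\"):
        print("autorun.inf:", *finding)
    for name, path in triage_run_entries(SAMPLE_RUN):
        print("Run key:", name, "->", path)
```
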

offline
  • diarno  Male
  • Anti Malware Fighter
    Rank 2
  • Joined: 15 Jun 2007
  • Posts: 5572

Run USBNoRisk again.. Wait for the initial scan to finish... Insert the infected USB
Wait a few seconds
Click on the Script tab
Copy the following into the white box of the window:


{2e0ed46e-4062-11dc-abfb-005056c00008}
f_delete: %DRIVE%csrss.exe
delete_blocked:


Click Run Skript;
When the program switches you to the Monitor tab, right-click somewhere inside the white box that contains the log and choose Save Log
Notepad will open automatically with the text, which you should copy to the forum;
