scvhost.exe - No disk

  • Zora
  • Joined: 22 Oct 2004
  • Posts: 1370
  • Location: neither in heaven nor on earth

So now this is happening to me too, here in the Indian desert of Rajasthan.
On my new laptop I've managed to get a stubborn message that I can't remove..
svchost.exe No disk... and all sorts of other things

Here's my log file from HijackThis..
I don't know how to get into Safe Mode.. maybe I'll find out how while you review the log..
Thank you
Logfile of HijackThis v1.99.1
Scan saved at 10:05:42 PM, on 3/25/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\scvhost.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\system32\rmctrl.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\scvhost.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
E:\for anil\video\video.exe
E:\for anil\video\video.exe
E:\for anil\video\video.exe
E:\for anil\video\video.exe
E:\for anil\video\video.exe
C:\Program Files\Lavasoft\Ad-Aware SE Professional\Ad-Aware.exe
C:\WINDOWS\system32\scvhost.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\system32\scvhost.exe
H:\WINDOWS.EXE
H:\WINDOWS.EXE
H:\WINDOWS.EXE
D:\program-installation\HijackThis.exe

R3 - URLSearchHook: (no name) - {9CB65206-89C4-402c-BA80-02D8C59F9B1D} - C:\Program Files\AskTBar\SrchAstt\1.bin\A5SRCHAS.DLL
F2 - REG:system.ini: Shell=Explorer.exe scvhost.exe
O2 - BHO: btorbit.com - {000123B4-9B42-4900-B3F7-F4B073EFC214} - C:\Program Files\Orbitdownloader\orbitcth.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Ask Search Assistant BHO - {9CB65201-89C4-402c-BA80-02D8C59F9B1D} - C:\Program Files\AskTBar\SrchAstt\1.bin\A5SRCHAS.DLL
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Ask Toolbar BHO - {FE063DB1-4EC0-403e-8DD8-394C54984B2C} - C:\Program Files\AskTBar\bar\1.bin\ASKTBAR.DLL
O3 - Toolbar: Ask Toolbar - {FE063DB9-4EC0-403e-8DD8-394C54984B2C} - C:\Program Files\AskTBar\bar\1.bin\ASKTBAR.DLL
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] CHDAudPropShortcut.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [UCam_Menu] "C:\Program Files\CyberLink\YouCam\MUITransfer\MUIStartMenu.exe" "C:\Program Files\CyberLink\YouCam" update "Software\CyberLink\YouCam\1.0"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [RemoteControl] C:\WINDOWS\system32\rmctrl.exe
O4 - HKLM\..\Run: [TempCom] C:\WINDOWS\FONTS\73ED8.com
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Yahoo Messengger] C:\WINDOWS\system32\scvhost.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O8 - Extra context menu item: &Download by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/201
O8 - Extra context menu item: &Grab video by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/204
O8 - Extra context menu item: Do&wnload selected by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/203
O8 - Extra context menu item: Down&load all by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/202
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe

  • dr_Bora
  • Anti Malware Fighter, Rank 2
  • Joined: 24 Jul 2007
  • Posts: 12280
  • Location: Höganäs, SE

Hi...

Download ComboFix from one of the following addresses to your Desktop:

http://www.techsupportforum.com/sectools/sUBs/ComboFix.exe
http://download.bleepingcomputer.com/sUBs/ComboFix.exe

Run it and do not touch the program window while it scans.

Follow the on-screen instructions. When it finishes, a log (C:\ComboFix.txt) will appear, which you'll copy here for us.

  • Zora
  • Joined: 22 Okt 2004
  • Posts: 1370
  • Location: neither in heaven nor on earth

I downloaded ComboFix from both links but I can't open it..

I get the message
Windows cannot find '327882R2FWJFWVnircmd.com' make sure that you typed correctly..
I also got an External protocol request
An external file must be launched to handle file:link...
and I keep getting Threat Detected (I have AVG antivirus..)

could be infected VBS /Unknown

uh..
What should I do...
All the computers are infected.. I'm in an internet cafe (my friend is the owner and I'm helping out a bit..

Update: 26 Mar 2008 5:37

On my laptop, which is not currently online,
I only get a single flash when I try to start ComboFix.
I don't see any screen at all, nor can I follow the scan.
I transferred ComboFix (copy/paste) to my laptop from the computer I downloaded it on... (for now only one computer is online)

Update: 26 Mar 2008 5:47

Sorry for the panic, but I managed to start ComboFix on the laptop..
The scan is in progress..

But at the moment of "Rebooting windows... please wait.."
the program froze
AutoIt v3
I have 2 options, either 'end program' or cancel, what should I do?
I'm afraid I won't get the log file..

Update: 26 Mar 2008 6:12

I finally got the log file on the laptop that is not online.


ComboFix 08-03-25.2 - OWNER 2008-03-26 10:22:18.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.676 [GMT -8:00]
Running from: C:\Documents and Settings\OWNER\Desktop\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\RECYCLER\RECYCLER.exe
C:\WINDOWS\scvhost.exe
D:\RECYCLER\RECYCLER.exe
E:\RECYCLER\RECYCLER.exe
.
---- Previous Run -------
.
C:\WINDOWS\system32\autorun.ini
C:\WINDOWS\system32\blastclnnn.exe
C:\WINDOWS\system32\scvhost.exe
C:\WINDOWS\system32\setting.ini
C:\WINDOWS\windows.exe

.
((((((((((((((((((((((((( Files Created from 2008-02-26 to 2008-03-26 )))))))))))))))))))))))))))))))
.

2008-03-25 21:15 . 2008-03-25 21:15 937 ---hs---- C:\folder.htt
2008-03-25 21:15 . 2001-10-04 11:16 2 ---hs---- C:\desktop.ini
2008-03-24 22:41 . 2008-03-24 22:42 151 --a------ C:\WINDOWS\PhotoSnapViewer.INI
2008-03-24 22:19 . 2008-01-18 05:59 57,344 ---h----- C:\WINDOWS.EXE
2008-03-24 22:19 . 2008-01-18 05:59 57,344 ---h----- C:\Program Files\Program Files.exe
2008-03-24 22:19 . 2008-01-18 05:59 57,344 --a------ C:\Ghost.bat
2008-03-24 22:10 . 2007-12-09 16:48 225,792 -ra------ C:\WINDOWS\hinhem.scr
2008-03-24 15:36 . 2008-03-24 15:36 299 --a------ C:\WINDOWS\SOF2.INI
2008-03-24 11:20 . 2008-03-24 11:20 <DIR> d-------- C:\Documents and Settings\OWNER\Application Data\AdobeUM
2008-03-24 11:18 . 2008-03-24 11:19 <DIR> d-------- C:\Program Files\Common Files\Adobe
2008-03-23 16:04 . 2004-01-05 23:13 36,864 -r------- C:\WINDOWS\system32\ctrldll.dll
2008-03-23 16:04 . 2004-01-05 23:13 32,768 -r------- C:\WINDOWS\system32\rmctrl.exe
2008-03-23 15:43 . 2008-03-23 15:43 <DIR> d-------- C:\Documents and Settings\OWNER\Application Data\dvdcss
2008-03-21 20:59 . 2001-08-17 13:48 12,160 --a------ C:\WINDOWS\system32\drivers\mouhid.sys
2008-03-21 20:59 . 2001-08-17 13:48 12,160 --a--c--- C:\WINDOWS\system32\dllcache\mouhid.sys
2008-03-21 20:59 . 2001-08-17 14:02 9,600 --a------ C:\WINDOWS\system32\drivers\hidusb.sys
2008-03-21 20:59 . 2001-08-17 14:02 9,600 --a--c--- C:\WINDOWS\system32\dllcache\hidusb.sys
2008-03-19 20:43 . 2005-04-17 10:57 182,538,240 --a------ C:\Osho - Hari Om Tat Sat - To Be The Master Of One Self(1).avi
2008-03-19 18:44 . 2008-03-19 18:44 <DIR> d-------- C:\Program Files\Easy Video Joiner
2008-03-19 18:15 . 2008-03-19 18:15 <DIR> d-------- C:\Documents and Settings\OWNER\Application Data\vlc
2008-03-19 18:06 . 2008-03-19 18:06 <DIR> d-------- C:\Program Files\Winamp
2008-03-19 18:01 . 2008-03-19 18:01 <DIR> d-------- C:\Program Files\GlobFX Technologies
2008-03-19 18:00 . 2008-03-19 18:00 <DIR> d-------- C:\Program Files\VideoLAN
2008-03-19 17:57 . 2008-03-19 17:57 <DIR> d-------- C:\WINDOWS\FLV Player
2008-03-19 17:57 . 2008-03-19 17:57 <DIR> d-------- C:\Program Files\FLV Player
2008-03-19 17:15 . 2008-03-19 17:15 <DIR> d-------- C:\Program Files\CDex_150
2008-03-19 15:48 . 2008-03-19 15:48 <DIR> d-------- C:\Program Files\Yahoo!
2008-03-19 14:27 . 2008-03-19 14:27 <DIR> d-------- C:\Program Files\Orbitdownloader
2008-03-19 14:27 . 2008-03-25 21:15 <DIR> d-------- C:\Downloads
2008-03-19 14:27 . 2008-03-22 21:17 <DIR> d-------- C:\Documents and Settings\OWNER\Application Data\Orbit
2008-03-19 14:10 . 2008-03-19 14:10 <DIR> d---s---- C:\Documents and Settings\OWNER\UserData
2008-03-18 13:51 . 2008-03-18 13:51 <DIR> d-------- C:\Program Files\Lavasoft
2008-03-18 13:51 . 2008-03-18 13:51 <DIR> d-------- C:\Documents and Settings\OWNER\Application Data\Lavasoft
2008-03-18 13:50 . 2008-03-25 21:13 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-03-18 13:50 . 2008-03-18 13:51 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-03-18 13:47 . 2008-03-18 13:47 <DIR> d-------- C:\Program Files\ffdshow
2008-03-18 13:47 . 2007-07-29 17:51 7,680 --a------ C:\WINDOWS\system32\ff_vfw.dll
2008-03-18 13:47 . 2007-07-29 17:51 6,144 --a------ C:\WINDOWS\system32\ff_acm.acm
2008-03-18 13:47 . 2007-07-10 18:10 547 --a------ C:\WINDOWS\system32\ff_vfw.dll.manifest
2008-03-18 13:45 . 2008-03-18 13:45 <DIR> d-------- C:\Program Files\XviD
2008-03-18 13:45 . 2008-03-18 13:45 <DIR> d-------- C:\Program Files\illiminable
2008-03-18 12:46 . 2008-03-21 11:38 <DIR> d-------- C:\Documents and Settings\OWNER\Application Data\DivX
2008-03-18 12:41 . 2008-03-18 12:42 <DIR> d-------- C:\Program Files\DivX
2008-03-18 12:10 . 2008-03-18 15:21 <DIR> d-------- C:\Program Files\Total Video Converter
2008-03-18 09:35 . 2008-03-25 21:15 <DIR> dr------- C:\OSHOBOOK
2008-03-18 09:35 . 2008-03-18 09:35 <DIR> d-------- C:\Documents and Settings\OWNER\WINDOWS
2008-03-18 09:35 . 2008-03-23 20:18 1,063 --a------ C:\WINDOWS\VIP.INI
2008-03-18 09:35 . 2008-03-18 09:35 68 --a------ C:\WINDOWS\LNAME.INI
2008-03-16 08:43 . 2008-03-16 08:43 98,304 --a------ C:\WINDOWS\system32\CmdLineExt.dll
2008-03-15 18:23 . 2008-03-15 18:23 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\CyberLink
2008-03-15 16:48 . 2004-08-04 00:56 159,232 --a------ C:\WINDOWS\system32\ptpusd.dll
2008-03-15 16:48 . 2004-08-03 22:58 15,104 --a------ C:\WINDOWS\system32\drivers\usbscan.sys
2008-03-15 16:48 . 2004-08-03 22:58 15,104 --a--c--- C:\WINDOWS\system32\dllcache\usbscan.sys
2008-03-15 16:48 . 2001-08-17 22:36 5,632 --a------ C:\WINDOWS\system32\ptpusb.dll
2008-03-14 19:50 . 2008-03-14 19:50 <DIR> d-------- C:\Program Files\ACD Systems
2008-03-14 12:57 . 2008-03-14 12:57 268 --ah----- C:\sqmdata02.sqm
2008-03-14 12:57 . 2008-03-14 12:57 244 --ah----- C:\sqmnoopt02.sqm
2008-03-14 12:29 . 2008-03-14 12:29 0 --a------ C:\WINDOWS\nsreg.dat
2008-03-13 23:47 . 2008-03-13 23:47 268 --ah----- C:\sqmdata01.sqm
2008-03-13 23:47 . 2008-03-13 23:47 244 --ah----- C:\sqmnoopt01.sqm
2008-03-13 23:42 . 2008-03-25 12:22 69 --a------ C:\WINDOWS\NeroDigital.ini
2008-03-13 21:07 . 2008-03-13 21:07 268 --ah----- C:\sqmdata00.sqm
2008-03-13 21:07 . 2008-03-13 21:07 244 --ah----- C:\sqmnoopt00.sqm
2008-03-13 21:06 . 2008-03-13 21:06 <DIR> d-------- C:\Program Files\PIXresizer
2008-03-13 21:06 . 2001-08-23 15:25 1,706,800 --a------ C:\WINDOWS\system32\gdiplus.dll
2008-03-13 21:06 . 2000-05-22 00:00 608,448 --a------ C:\WINDOWS\system32\comctl32.ocx
2008-03-13 21:06 . 2000-12-05 23:00 209,608 --a------ C:\WINDOWS\system32\tabctl32.ocx
2008-03-13 21:06 . 1996-01-12 00:00 200,704 --a------ C:\WINDOWS\system32\threed32.ocx
2008-03-13 21:06 . 1998-06-24 00:00 164,144 --a------ C:\WINDOWS\system32\comct232.ocx
2008-03-13 21:06 . 1999-09-16 09:04 151,552 --a------ C:\WINDOWS\system32\ccrpfd6.ocx
2008-03-13 21:06 . 1998-06-24 00:00 140,096 --a------ C:\WINDOWS\system32\comdlg32.ocx
2008-03-13 21:06 . 2000-05-01 23:02 110,592 --a------ C:\WINDOWS\system32\ccrpbds6.dll
2008-03-13 21:06 . 2000-07-09 18:15 106,496 --a------ C:\WINDOWS\system32\mbprgbar.ocx
2008-03-13 21:06 . 2004-01-12 11:05 69,632 --a------ C:\WINDOWS\system32\imageviewer2.ocx
2008-03-13 21:03 . 2008-03-24 17:09 <DIR> d-------- C:\Documents and Settings\OWNER\Application Data\Ahead
2008-03-13 21:02 . 2008-03-13 21:02 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Ahead
2008-03-13 21:01 . 2008-03-13 21:01 <DIR> d-------- C:\Program Files\Nero
2008-03-13 21:01 . 2008-03-13 21:02 <DIR> d-------- C:\Program Files\Common Files\Ahead
2008-03-13 21:01 . 2008-03-13 21:01 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Nero
2008-03-13 20:54 . 2008-03-13 20:54 <DIR> d-------- C:\Program Files\Skype
2008-03-13 20:54 . 2008-03-14 18:10 <DIR> d-------- C:\Program Files\Google
2008-03-13 20:52 . 2008-03-13 20:52 <DIR> d-------- C:\Program Files\AskTBar
2008-03-13 20:47 . 2008-03-13 20:47 <DIR> d-------- C:\Program Files\Siber Systems
2008-03-13 15:18 . 2008-03-26 08:55 <DIR> d-------- C:\Documents and Settings\OWNER\Application Data\AVG7
2008-03-13 15:18 . 2008-03-13 15:18 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\AVG7
2008-03-13 15:18 . 2008-03-13 15:18 499,712 --a------ C:\WINDOWS\system32\msvcp71.dll
2008-03-13 15:18 . 2008-03-13 15:18 348,160 --a------ C:\WINDOWS\system32\msvcr71.dll
2008-03-13 15:17 . 2008-03-13 15:17 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2008-03-13 15:17 . 2008-03-14 11:51 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg7
2008-03-11 02:07 . 2004-08-03 16:56 74,240 --a------ C:\WINDOWS\system32\usbui.dll
2008-03-11 02:07 . 2004-08-03 14:59 57,472 --a------ C:\WINDOWS\system32\drivers\redbook.sys
2008-03-11 02:07 . 2004-08-03 14:58 23,040 --a------ C:\WINDOWS\system32\drivers\mouclass.sys
2008-03-11 02:07 . 2004-08-03 14:31 20,992 --a------ C:\WINDOWS\system32\drivers\RTL8139.sys
2008-03-11 02:07 . 2004-08-03 15:07 14,080 --a------ C:\WINDOWS\system32\drivers\CmBatt.sys
2008-03-11 02:07 . 2001-08-17 05:57 14,080 --a------ C:\WINDOWS\system32\drivers\battc.sys
2008-03-11 02:07 . 2001-08-17 05:58 9,344 --a------ C:\WINDOWS\system32\drivers\compbatt.sys
2008-03-11 02:07 . 2004-08-03 15:07 8,832 --a------ C:\WINDOWS\system32\drivers\wmiacpi.sys
2008-03-11 02:05 . 2008-03-25 21:19 <DIR> d-------- C:\WINDOWS\system32\CatRoot2
2008-03-11 02:05 . 2008-03-24 11:18 <DIR> dr------- C:\Documents and Settings\All Users\Documents
2008-03-11 02:04 . 2008-03-11 10:17 261 --a------ C:\WINDOWS\system32\$winnt$.inf

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-26 18:06 943 --sh--w C:\Program Files\folder.htt
2008-03-24 00:04 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-03-24 00:04 --------- d-----w C:\Program Files\CyberLink
2008-03-11 18:38 --------- d-----w C:\Program Files\Common Files\InstallShield
2008-03-11 18:38 --------- d-----w C:\Program Files\Broadcom
2008-03-11 18:37 --------- d-----w C:\Program Files\Realtek
2008-03-11 18:36 --------- d-----w C:\Program Files\Intel
2008-03-11 18:26 --------- d-----w C:\Program Files\CONEXANT
2008-03-11 18:15 --------- d-----w C:\Program Files\microsoft frontpage
2008-01-18 13:59 57,344 ----a-w C:\WINDOWS\Fonts\73ED8.com
2001-10-04 19:16 2 --sh--w C:\Program Files\desktop.ini
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [ ]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2007-05-16 09:27 153136]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe" [2008-03-14 11:54 171448]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-08-04 01:06 1667584]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"High Definition Audio Property Page Shortcut"="CHDAudPropShortcut.exe" [2006-07-27 14:44 61952 C:\WINDOWS\system32\CHDAudPropShortcut.exe]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2007-08-07 21:18 135168]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2007-08-07 21:18 159744]
"Persistence"="C:\WINDOWS\system32\igfxpers.exe" [2007-08-07 21:17 131072]
"UCam_Menu"="C:\Program Files\CyberLink\YouCam\MUITransfer\MUIStartMenu.exe" [2007-08-16 23:13 218408]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2008-03-13 07:12 579072]
"NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [2007-03-01 15:57 153136]
"RemoteControl"="C:\WINDOWS\system32\rmctrl.exe" [2004-01-05 23:13 32768]
"TempCom"="C:\WINDOWS\FONTS\73ED8.com" [2008-01-18 05:59 57344]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2008-03-13 15:18 219136]
"Yahoo Messengger"="C:\WINDOWS\system32\scvhost.exe" [ ]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avginet.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgemc.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\Orbitdownloader\\orbitdm.exe"=
"C:\\Program Files\\Orbitdownloader\\orbitnet.exe"=


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{4da0b274-f6cf-11dc-bf2d-001b38f216aa}]
\Shell\AutoRun\command - H:\ekugb3.bat
\Shell\explore\Command - H:\ekugb3.bat
\Shell\open\Command - H:\ekugb3.bat

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{84a5681c-f384-11dc-bf16-001b38f216aa}]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL wscript.exe maskrider2001.vbs

.
Contents of the 'Scheduled Tasks' folder
"2008-03-26 18:10:04 C:\WINDOWS\Tasks\At1.job"
- C:\WINDOWS\system32\blastclnnn.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-26 10:24:51
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
.
**************************************************************************
.
Completion time: 2008-03-26 10:25:38 - machine was rebooted [OWNER]
ComboFix-quarantined-files.txt 2008-03-26 18:25:35

  • dr_Bora
  • Anti Malware Fighter, Rank 2
  • Joined: 24 Jul 2007
  • Posts: 12280
  • Location: Höganäs, SE

First let's clarify a few things...

Here we are cleaning only your private computer and nothing else.

The instructions you receive are only for your computer and cannot be applied to cleaning the other computers you mentioned.

First you need to read this entire post and download all the required programs, then transfer them to the Desktop of your laptop.

Follow the instructions in the order they are written.

Among other things, the computer has an infection that spreads via USB drives, so we also need to ''fix'' all the USB drives you use (and after that, do not connect any other drive to the computer that could be infected).

Also, if you use a USB drive to transfer data/programs to the laptop, don't open it by double-clicking; instead right-click it and choose the Open option.

1. First download all the programs from the rest of this text to the Desktop, then restart the computer into Safe Mode following these instructions:

http://www.mycity.rs/Uputstva-sa-ex-SuperSajta/Kako-uci-u-SAFE-MODE.html


-------------------------------------------------------------------------------------



2. While in Safe Mode, follow these instructions:

Download the program Flash_Disinfector.

- the program is started by double-clicking Flash_Disinfector.exe
- when the notification message appears, plug in the infected USB flash drives (hold down the Shift key while doing so to avoid autoplay)
- click OK and wait for the process to finish
- when the message Done !! appears, click OK.

Unplug the USB drives and do not restart the computer.

-------------------------------------------------------------------------------------



3. Run HijackThis, scan, and check the following lines:

R3 - URLSearchHook: (no name) - {9CB65206-89C4-402c-BA80-02D8C59F9B1D} - C:\Program Files\AskTBar\SrchAstt\1.bin\A5SRCHAS.DLL
F2 - REG:system.ini: Shell=Explorer.exe scvhost.exe
O2 - BHO: Ask Search Assistant BHO - {9CB65201-89C4-402c-BA80-02D8C59F9B1D} - C:\Program Files\AskTBar\SrchAstt\1.bin\A5SRCHAS.DLL
O2 - BHO: Ask Toolbar BHO - {FE063DB1-4EC0-403e-8DD8-394C54984B2C} - C:\Program Files\AskTBar\bar\1.bin\ASKTBAR.DLL
O3 - Toolbar: Ask Toolbar - {FE063DB9-4EC0-403e-8DD8-394C54984B2C} - C:\Program Files\AskTBar\bar\1.bin\ASKTBAR.DLL
O4 - HKLM\..\Run: [TempCom] C:\WINDOWS\FONTS\73ED8.com
O4 - HKCU\..\Run: [Yahoo Messengger] C:\WINDOWS\system32\scvhost.exe
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1

Click Fix Checked.


-------------------------------------------------------------------------------------



4. Download SDFix to the Desktop.

Double-clicking SDFix.exe will extract the program into the folder C:\SDFix, unless a different path is specified during extraction.

- Go into the folder where SDFix was extracted and run RunThis.bat
- Press Y to start the scan
- After the scan a message will appear saying the computer will be restarted
- Press any key to restart the computer
- After the restart another scan will start automatically, and when it finishes the message Finished will appear
- Once the desktop icons have loaded, a report will appear on screen. The report will also be saved as Report.txt in the folder where SDFix was extracted
- Copy the report into a post on the forum



-------------------------------------------------------------------------------------



5. (By now Windows is back in Normal Mode...)

Delete the folder: C:\qoobox

Turn off the antivirus program: AVG Control Center > AVG Resident Shield > uncheck Turn on AVG Resident Shield.

Open Notepad and copy the following text:

File::
C:\folder.htt
C:\desktop.ini
C:\WINDOWS.EXE
C:\Program Files\Program Files.exe
C:\Ghost.bat
C:\WINDOWS\hinhem.scr
C:\Program Files\folder.htt
C:\WINDOWS\Fonts\73ED8.com
C:\Program Files\desktop.ini
C:\WINDOWS\Tasks\At1.job

Folder::
C:\Program Files\AskTBar

Registry::
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{4da0b274-f6cf-11dc-bf2d-001b38f216aa}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{84a5681c-f384-11dc-bf16-001b38f216aa}]




Save the Notepad file to the Desktop as "CFScript"

Drag the saved script/text onto the ComboFix icon as in the picture.

Post the log that is created at the end of the cleaning/scan in your next message.

-------------------------------------------------------------------------------------

So, in your next post, include the following logs:

- SDFix log > C:\SDFix\Raport.txt

- ComboFix log > C:\ComboFix.txt
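As an added illustration of the triage behind step 3 (example code written for this page, not part of the thread and not from HijackThis or ComboFix): a small Python script that parses HijackThis log lines and flags the same patterns the helper picked out, namely a system.ini Shell= value with an extra program appended, Run-key targets whose file name imitates a core Windows process (scvhost.exe for svchost.exe) or that sit in an odd location or use an odd extension (FONTS\73ED8.com), and O7 policy entries that lock the user out of regedit. The sample lines are copied from the log posted above; the protected-name list, extension list and edit-distance thresholds are my own assumptions.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample input: lines copied from the HijackThis log posted in this thread,
# including a few benign entries so the heuristics are exercised offline.
SAMPLE_LOG = r"""
F2 - REG:system.ini: Shell=Explorer.exe scvhost.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [TempCom] C:\WINDOWS\FONTS\73ED8.com
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Yahoo Messengger] C:\WINDOWS\system32\scvhost.exe
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
""".strip()

# Assumed list of core Windows process names that malware commonly imitates.
PROTECTED_NAMES = ("svchost.exe", "lsass.exe", "csrss.exe", "smss.exe",
                   "winlogon.exe", "services.exe", "explorer.exe")
# Assumed list of extensions that are almost never legitimate as a Run-key target.
ODD_EXTENSIONS = (".com", ".bat", ".scr", ".pif")


@dataclass
class Finding:
    section: str   # HijackThis section code, e.g. "O4"
    reason: str
    line: str


def levenshtein(a: str, b: str) -> int:
    """Plain edit distance; inputs are short file names, so the full table is fine."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(name: str) -> Optional[str]:
    """Return the protected name this file name imitates, or None if exact or unrelated."""
    name = name.lower()
    for real in PROTECTED_NAMES:
        if name == real:
            return None            # the genuine process name, not an imitation
        d = levenshtein(name, real)
        # Same length with <=2 edits catches swapped letters (scvhost); a single edit catches
        # one dropped/added character without flagging unrelated short names like msmsgs.exe.
        if (len(name) == len(real) and d <= 2) or d == 1:
            return real
    return None


def run_target(rest: str) -> str:
    """Extract the executable path from the text that follows the [label] of an O4 line."""
    rest = rest.strip()
    if rest.startswith('"'):
        return rest[1:rest.find('"', 1)]
    return rest.split(" ", 1)[0]


def triage(log_text: str) -> List[Finding]:
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        m = re.match(r"^(F2|O4|O7) - (.*)$", line)
        if not m:
            continue
        code, body = m.groups()
        if code == "F2":
            # system.ini Shell= must be exactly Explorer.exe; anything appended also runs at logon.
            sm = re.search(r"Shell=(.+)$", body, re.IGNORECASE)
            if sm and sm.group(1).strip().lower() != "explorer.exe":
                findings.append(Finding(code, "Shell= launches extra program: " + sm.group(1).strip(), line))
        elif code == "O4":
            lm = re.search(r"\[(.*?)\]\s*(.*)$", body)
            if not lm:
                continue
            target = run_target(lm.group(2))
            base = target.rsplit("\\", 1)[-1].lower()
            real = lookalike_of(base)
            if real:
                findings.append(Finding(code, f"{base} imitates {real}", line))
            if base.endswith(ODD_EXTENSIONS) or "\\fonts\\" in target.lower():
                findings.append(Finding(code, "unusual autostart target: " + target, line))
        elif code == "O7":
            # Policy values that lock the user out of regedit/taskmgr are a hallmark of this kind of worm.
            if re.search(r"Disable(Regedit|TaskMgr)=1", body, re.IGNORECASE):
                findings.append(Finding(code, "user policy restriction set: " + body.split(", ")[-1], line))
    return findings
```

Running `triage(SAMPLE_LOG)` yields exactly the four entries the helper told the poster to fix among these lines (the Shell= hijack, 73ED8.com, scvhost.exe and DisableRegedit) and leaves the Intel, Messenger and AVG entries alone.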
