shutdown za minut, services.exe u pitanju

1

shutdown za minut, services.exe u pitanju

offline
  • Pridružio: 20 Jul 2008
  • Poruke: 197

Napisano: 01 Dec 2010 22:37

Pise da ce da se ugasi nakon minuta, medjutim ne ugasi se, ali je potpuno neupotrebljiv.

Kad prodje oko 20-30 sekundi, prozori se dupliraju kad se pomeraju.

Imam avast koji do sad nista nije prijavio.

Sve ove izvestaje sam radio iz safe mode-a jer je jedino tad kompjuter normalan. smešak




DDS (Ver_10-11-27.01) - NTFSx86 NETWORK
Run by Administrator at 21:10:44,28 on sre 01.12.2010
Internet Explorer: 6.0.2900.2180
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1023.557 [GMT 1:00]

AV: avast! antivirus 4.7.1098 [VPS 080214-0] *On-access scanning enabled* (Outdated) {7591DB91-41F0-48A3-B128-1A293FD8233D}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
svchost.exe
svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs

============== Pseudo HJT Report ===============

mWinlogon: Userinit=c:\windows\system32\userinit.exe,,c:\program files\microsoft\desktoplayer.exe
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: Skype add-on (mastermind): {22bf413b-c6d2-4d91-82a9-a0f997ba588c} - c:\progra~1\skype\phone\ieplugin\SKYPEI~1.DLL
BHO: {4c6dac00-224d-40ab-9f81-c143923b72bf} - c:\windows\system32\cmpbk3.dll
uRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [HPDJ Taskbar Utility] c:\windows\system32\spool\drivers\w32x86\3\hpztsb10.exe
mRun: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
mRun: [<NO NAME>]
mRun: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [BMISR] c:\program files\kye\webmate\BM.exe
mRun: [PAC207_Monitor] c:\windows\pixart\pac207\Monitor.exe
mRun: [Monitor] c:\windows\pixart\pac207\Monitor.exe
mRun: [RegistryMonitor1] c:\windows\system32\qtplugin.exe
mRun: [avast!] c:\progra~1\alwils~1\avast4\ashDisp.exe
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
dRun: [MySpaceIM] c:\program files\myspace\im\MySpaceIM.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {77BF5300-1474-4EC7-9980-D32B190E9B07} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\progra~1\skype\phone\ieplugin\SKYPEI~1.DLL
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Handler: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - c:\program files\hp\hpcoretech\comp\hpuiprot.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: AtiExtEvent - Ati2evxx.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\admini~1\applic~1\mozilla\firefox\profiles\ra2pugze.default\
FF - prefs.js: network.proxy.type - 0
FF - Extension: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}

============= SERVICES / DRIVERS ===============

R3 ndisrd;WinpkFilter Service;c:\windows\system32\drivers\ndisrd.sys [2010-11-8 20480]
S1 jlh5f77;jlh5f77;c:\windows\system32\drivers\jlh5f77.sys [2010-11-17 138272]
S2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast4\ashServ.exe [2010-11-21 140664]
S2 vwqhcyso;System Universal;c:\windows\system32\svchost.exe -k netsvcs [2004-8-3 14336]
S2 xuhdly;System Windows;c:\windows\system32\svchost.exe -k netsvcs [2004-8-3 14336]
S3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast4\ashMaiSv.exe [2010-11-21 247160]
S3 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast4\ashWebSv.exe [2010-11-21 345464]
S3 bnptsez;bnptsez;\??\c:\windows\system32\01.tmp --> c:\windows\system32\01.tmp [?]
S3 PAC207;Eye 110;c:\windows\system32\drivers\PFC027.SYS [2010-6-11 616064]

=============== Created Last 30 ================

2010-12-01 19:59:52 40960 ----a-w- c:\windows\system32\x.exe
2010-11-21 12:44:40 53760 ----a-w- c:\windows\ExplorerSrv.exe
2010-11-21 12:37:33 53760 ----a-w- c:\program files\messenger\msmsgsSrv.exe
2010-11-21 11:40:08 -------- d-----w- c:\docume~1\admini~1\locals~1\applic~1\Mozilla
2010-11-21 11:30:31 -------- d-----w- c:\docume~1\alluse~1\applic~1\Kaspersky Lab Setup Files
2010-11-17 12:07:42 138272 ----a-w- c:\windows\system32\drivers\jlh5f77.sys
2010-11-16 21:12:32 -------- d-----w- c:\docume~1\alluse~1\applic~1\aDoPd02100
2010-11-11 14:13:13 1451520 ----a-w- c:\windows\system32\qtplugin.exe
2010-11-08 20:55:24 20480 ----a-w- c:\windows\system32\drivers\ndisrd.sys

==================== Find3M ====================


============= FINISH: 21:11:31,73 ===============


mycity.rs/must-login.png

GMER je na pocetku postavio upit> Primecena je sistemska promena koju je uzrokovao ROOTKIT. Zelite li full system scan. Kliknuo sam na NE, prateci uputstvo iz teme.



mycity.rs/must-login.png

mycity.rs/must-login.png

mycity.rs/must-login.png

Dopuna: 01 Dec 2010 23:19

Mali update.

Za ovo vreme sam skenirao avastom pri boot-u.

Ovo je izvestaj.

12/01/2010 22:46
Skenira sve lokalne diskove
Datoteka: C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\O066IXIO\x[1] je inficirana sa Win32:Virtob, Popravi: Greška 42060 {Datoteka nije popravljena.}, Obrisan
Datoteka: C:\WINDOWS\system32\x.exe je inficirana sa Win32:Virtob

Broj skeniranih fascikla: 4145
Broj testiranih datoteka: 74060
Broj inficiranih datoteka: 2

Ovaj drugi fajl, nije diran, samo je ignorisan.

Dopuna: 01 Dec 2010 23:26

Ramnit:B, sada je i taj virus nasao.

offline
  • magna86  Male
  • Anti Malware Fighter
    Rank 2
  • Pridružio: 21 Jun 2008
  • Poruke: 6102

Pozdrav Wink

Posto si vec pokrenuo avast-ov boot-time scan,dovrsi ga.

Arrow Kad Avast zavrsi potrebno je da mi okacis log uz poruku, koji se nalazi na sledecoj lokaciji:
Citat:C:\Documents and Settings\All Users\Application Data\Alwil Software\Avast5\report\aswBoot.txt

Koristi opciju Prikaci fajl,

Arrow Zatim ponovo pokreni DDS i postavi mi svez DDS.txt.

Arrow Takodje,nemoj koristiti druge programe za uklanjanje malware-a, osim onih za koje budes dobio uputstvo i
u toku intervencije ne koristi USB memorijske uredjaje, dok to ne budem zatrazio.

offline
  • Pridružio: 20 Jul 2008
  • Poruke: 197

Ovo je jedino sto pise u logu avasta:

12/01/2010 22:46
Skenira sve lokalne diskove
Datoteka: C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\O066IXIO\x[1] je inficirana sa Win32:Virtob, Popravi: Greška 42060 {Datoteka nije popravljena.}, Obrisan
Datoteka: C:\WINDOWS\system32\x.exe je inficirana sa Win32:Virtob

Broj skeniranih fascikla: 4145
Broj testiranih datoteka: 74060
Broj inficiranih datoteka: 2

Jos nesto, pise kad se odbrojava pred gasenje
services.exe status 1073741819

Onaj DDS scan mi je trajao sto godina.
Ima li nacina da ga ubrzam malo?
Kad se skenira, vidim da ceo c:\ prodje.

offline
  • magna86  Male
  • Anti Malware Fighter
    Rank 2
  • Pridružio: 21 Jun 2008
  • Poruke: 6102

Odradi sledece:

Preuzmi sUBs-ov ComboFix sa sledeće adrese na Desktop:


Bleeping Computer
Klikni desnim tasterom na link i odaberi opciju Save Target As... (Save Link As..., Save Linked Content As... ili sličnu);
Kada se otvori dijalog za izbor lokacije na kojoj treba sačuvati file, odaberi Desktop i klikni Save.




Kada preuzimanje programa bude završeno:
deaktiviraj zaštitni softver (uputstvo);
zatvori pokrenute programe;
dvoklikom pokreni program ComboFix.

U toku rada, ComboFix će:proveriti postoji li novija verzija programa:
klikni Yes ako bude ponuđeno preuzimanje iste.
prikazati DISCLAIMER OF WARRANTY ON SOFTWARE:
klikni Yes kako bi proces bio nastavljen.
ako Recovery Console nije instalirana, ponuditi instalaciju:
obavezno prihvati klikom na Yes i isprati postupak.
postaviti/dati određeni broj upita/obaveštenja:
prihvati klikom na Yes ili OK.
po potrebi, restartovati Windows (više puta);
na kraju rada, otvoriti Notepad sa izveštajem o skeniranju.


Iskopiraj izveštaj koji je ComboFix napravio u temu na forumu:
klikni desnim tasterom miša u prozor Notepad-a i izaberi Select All;
klikni desnim tasterom miša na obeleženi tekst i izaberi Copy;
klikni desnim tasterom miša u polje za pisanje poruke i izaberi Paste.


Napomena:Izveštaj će biti sačuvan pod nazivom ComboFix.txt na sistemskoj particiji (tipična lokacija: C:\ComboFix.txt);
Ukoliko nakon slanja poruke primetiš da izveštaj nije kompletan, iskoristi opciju Prikači fajl za prilaganje file-a C:\ComboFix.txt uz poruku.



Arrow Ukoliko budes imao problema sa pokretanjem ComboFix-a,pokreni ga u Safe Modu.

offline
  • Pridružio: 20 Jul 2008
  • Poruke: 197

Iz safe mode-a pokrenut, ali je dovrsio u normalu.


mycity.rs/must-login.png


ComboFix 10-12-02.01 - Administrator 02.12.2010 22:02:30.1.2 - x86 NETWORK
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1023.715 [GMT 1:00]
Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
AV: avast! antivirus 4.7.1098 [VPS 101201-1] *On-access scanning enabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\aDoPd02100
c:\documents and settings\All Users\Application Data\aDoPd02100\aDoPd02100
c:\documents and settings\All Users\Application Data\aDoPd02100\aDoPd02100.exe
c:\documents and settings\Korisnik\_tmpf
c:\documents and settings\Korisnik\Application Data\download2
c:\documents and settings\Korisnik\Application Data\download2\svcnost.exe
c:\documents and settings\Korisnik\Application Data\updates\updates.exe
c:\documents and settings\Korisnik\drvsign.exe
c:\program files\Internet Explorer\dmlconf.dat
c:\program files\quicktime\qttasksrv.exe
c:\program files\Realtek\InstallShield\Alcmtr.exe
c:\program files\XviD\StatsReader.exe
c:\windows\ExplorerSrv.exe
c:\windows\system32\drivers\jlh5f77.sys
c:\windows\system32\qtplugin.exe
c:\windows\system32\x.exe
c:\program files\Microsoft\DesktopLayer.exe . . . . Failed to delete

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_jlh5f77
-------\Service_jlh5f77


((((((((((((((((((((((((( Files Created from 2010-11-02 to 2010-12-02 )))))))))))))))))))))))))))))))
.

2010-12-02 20:47 . 2010-12-02 20:49 -------- d-----w- c:\program files\Mozilla Firefox new
2010-12-01 19:45 . 2010-04-27 10:04 381816 ----a-w- c:\windows\system32\PsExec.exe
2010-12-01 19:45 . 2010-04-27 10:04 333176 ----a-w- c:\windows\system32\PsGetsid.exe
2010-12-01 19:45 . 2010-04-27 10:04 178040 ----a-w- c:\windows\system32\psloglist.exe
2010-12-01 19:45 . 2010-04-27 10:04 390520 ----a-w- c:\windows\system32\PsInfo.exe
2010-12-01 19:45 . 2010-04-27 10:04 231288 ----a-w- c:\windows\system32\PsList.exe
2010-12-01 19:45 . 2010-04-27 10:04 183160 ----a-w- c:\windows\system32\PsLoggedon.exe
2010-12-01 19:45 . 2010-04-27 10:04 169848 ----a-w- c:\windows\system32\PsService.exe
2010-12-01 19:45 . 2009-12-01 09:52 621944 ----a-w- c:\windows\system32\pskill.exe
2010-12-01 19:45 . 2006-12-04 16:53 207664 ----a-w- c:\windows\system32\psshutdown.exe
2010-12-01 19:45 . 2006-12-04 16:53 187184 ----a-w- c:\windows\system32\pssuspend.exe
2010-12-01 19:45 . 2006-12-04 16:53 105264 ----a-w- c:\windows\system32\pspasswd.exe
2010-12-01 19:45 . 2006-12-04 16:53 105264 ----a-w- c:\windows\system32\psfile.exe
2010-11-21 12:37 . 2010-12-01 22:40 53760 ----a-w- c:\program files\Messenger\msmsgsSrv.exe
2010-11-21 12:24 . 2010-11-21 12:24 -------- d-----w- c:\documents and settings\Korisnik\Application Data\sorrypeople
2010-11-21 11:42 . 2007-12-04 14:53 23152 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2010-11-21 11:42 . 2007-12-04 14:51 42912 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2010-11-21 11:42 . 2007-12-04 14:49 26624 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2010-11-21 11:42 . 2007-12-04 14:56 93264 ----a-w- c:\windows\system32\drivers\aswmon.sys
2010-11-21 11:42 . 2007-12-04 14:55 94544 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2010-11-21 11:42 . 2007-12-04 12:54 95608 ----a-w- c:\windows\system32\AvastSS.scr
2010-11-21 11:41 . 2007-12-04 13:04 837496 ----a-w- c:\windows\system32\aswBoot.exe
2010-11-21 11:41 . 2004-01-09 09:13 380928 ----a-w- c:\windows\system32\actskin4.ocx
2010-11-21 11:30 . 2010-11-21 11:30 -------- d-----w- c:\documents and settings\All Users\Application Data\Kaspersky Lab Setup Files
2010-11-21 11:29 . 2010-11-21 11:29 -------- d-----w- c:\documents and settings\Administrator
2010-11-16 06:10 . 2010-12-02 21:04 -------- d-----w- c:\documents and settings\Korisnik\Application Data\updates
2010-11-08 20:55 . 2010-11-08 20:55 20480 ----a-w- c:\windows\system32\drivers\ndisrd.sys
2010-11-08 20:55 . 2010-11-08 20:55 20480 ----a-w- c:\documents and settings\Korisnik\ndisrd.sys
2010-11-08 20:55 . 2010-11-08 20:55 13824 ----a-w- c:\documents and settings\Korisnik\snetcfg.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RTHDCPL"="RTHDCPL.EXE" [2005-09-22 14854144]
"HPDJ Taskbar Utility"="c:\windows\system32\spool\drivers\w32x86\3\hpztsb10.exe" [2004-03-04 172032]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2004-08-03 110592]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-10-27 212992]
"PAC207_Monitor"="c:\windows\PixArt\PAC207\Monitor.exe" [2006-11-03 319488]
"Monitor"="c:\windows\PixArt\PAC207\Monitor.exe" [2006-11-03 319488]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-03 15360]
"MySpaceIM"="c:\program files\MySpace\IM\MySpaceIM.exe" [2007-01-12 4898816]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Userinit"="c:\windows\system32\userinit.exe,,c:\program files\microsoft\desktoplayer.exe"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Korisnik^Start Menu^Programs^Startup^Quick Data Copy.lnk]
path=c:\documents and settings\Korisnik\Start Menu\Programs\Startup\Quick Data Copy.lnk
backup=c:\windows\pss\Quick Data Copy.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATIPTA]
2010-10-27 12:13 401408 ----a-w- c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Component Manager]
2010-10-27 12:15 299008 ----a-w- c:\program files\HP\hpcoretech\hpcmpmgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
2010-10-27 12:15 106496 ----a-w- c:\program files\Hewlett-Packard\HP Software Update\hpwuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2010-10-27 12:15 335872 ----a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2010-11-21 12:31 1749504 ----a-w- c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MySpaceIM]
2007-01-12 01:45 4898816 ----a-w- c:\program files\MySpace\IM\MySpaceIM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NBJ]
2010-10-27 12:13 1994752 ----a-w- c:\program files\Ahead\Nero BackItUp\NBJ.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2001-07-09 08:50 155648 ----a-w- c:\windows\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-10-27 12:17 212992 ----a-w- c:\program files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
2010-10-27 12:14 90112 ----a-w- c:\program files\CyberLink\PowerDVD\PDVDServ.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
2006-12-18 16:32 25365032 ----a-w- c:\program files\Skype\Phone\Skype.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StatusClient]
2010-10-27 12:15 94208 ----a-w- c:\program files\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TomcatStartup]
2010-10-27 12:15 212992 ----a-w- c:\program files\Hewlett-Packard\Toolbox2.0\hpbpsttp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\WINDOWS\\system32\\usmt\\migwiz.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\Hewlett-Packard\\Toolbox2.0\\Javasoft\\JRE\\1.3.1\\bin\\javaw.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5625:TCP"= 5625:TCP:vbupvjdo

R3 ndisrd;WinpkFilter Service;c:\windows\system32\drivers\ndisrd.sys [8.11.2010 21:55 20480]
S2 vwqhcyso;System Universal;c:\windows\system32\svchost.exe -k netsvcs [3.8.2004 23:56 14336]
S2 xuhdly;System Windows;c:\windows\system32\svchost.exe -k netsvcs [3.8.2004 23:56 14336]
S3 bnptsez;bnptsez;\??\c:\windows\system32\01.tmp --> c:\windows\system32\01.tmp [?]
S3 PAC207;Eye 110;c:\windows\system32\drivers\PFC027.SYS [11.6.2010 22:30 616064]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
vwqhcyso
xuhdly

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{10bb11c4-c3b2-11dc-8588-e1986ae817f6}]
\Shell\Auto\command - G:\AdobeR.exe e
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL AdobeR.exe e

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1b0844ea-d6d9-11da-9a43-806d6172696f}]
\Shell\AutoRun\command - F:\install.exe
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = <local>
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Korisnik\Application Data\Mozilla\Firefox\Profiles\8sxf8hvl.default\
FF - Extension: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox new\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-download - c:\documents and settings\Korisnik\Application Data\download2\svcnost.exe
HKCU-Run-engel - c:\documents and settings\Korisnik\Application Data\updates\updates.exe
HKCU-Run-Rapport - c:\documents and settings\Korisnik\Application Data\sorrypeople2\smss.exe
HKLM-Run-BMISR - c:\program files\KYE\WebMate\BM.exe
MSConfigStartUp-nod32kui - c:\program files\Eset\nod32kui.exe
AddRemove-Doninno2 - c:\documents and settings\All Users\Documents\Doninno2\uninstall.exe



**************************************************************************
scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files:

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\bnptsez]
"ImagePath"="\??\c:\windows\system32\01.tmp"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\vwqhcyso]
"ServiceDll"="c:\windows\system32\ffrkyql.dll"
--

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\xuhdly]
"ServiceDll"="c:\windows\system32\ffrkyql.dll"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(904)
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(2544)
c:\windows\system32\msi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\program files\Alwil Software\Avast4\aswUpdSv.exe
c:\program files\Internet Explorer\iexplore.exe
c:\windows\system32\Ati2evxx.exe
c:\windows\RTHDCPL.EXE
c:\windows\system32\rundll32.exe
.
**************************************************************************
.
Completion time: 2010-12-02 22:10:23 - machine was rebooted
ComboFix-quarantined-files.txt 2010-12-02 21:10

Pre-Run: 9.606.049.792 bytes free
Post-Run: 13.309.222.912 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

- - End Of File - - 28AA01150832A98C64CDDAF787D86314

offline
  • magna86  Male
  • Anti Malware Fighter
    Rank 2
  • Pridružio: 21 Jun 2008
  • Poruke: 6102

Otvoriti Notepad i iskopirati sledeci tekst:

File::
c:\program files\Messenger\msmsgsSrv.exe
c:\program files\microsoft\desktoplayer.exe
c:\windows\system32\ffrkyql.dll
c:\windows\system32\01.tmp
c:\windows\system32\drivers\ndisrd.sys
c:\documents and settings\Korisnik\ndisrd.sys
c:\documents and settings\Korisnik\snetcfg.exe

Folder::
c:\documents and settings\Korisnik\Application Data\sorrypeople

Registry::
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5625:TCP"=-
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{10bb11c4-c3b2-11dc-8588-e1986ae817f6}]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Userinit"="c:\windows\system32\userinit.exe"

Driver::
vwqhcyso
xuhdly
bnptsez
ndisrd

NetSvc::
vwqhcyso
xuhdly


Snimiti na Desktop fajl iz Notepada kao "CFScript"




Prevuci snimljeni skript/tekst na ComboFix ikonicu kao na slici.
Postaviti u sledecoj poruci log koji bude bio napravljen na kraju ciscenja/skeniranja.

offline
  • Pridružio: 20 Jul 2008
  • Poruke: 197

Kad sam prevukao CFScript preko combofixa, on je svoje odradio i restartovao komp i opet nesto svoje radio.

Medjutim, posle toga mi net nije radio. Modem je bio u redu.
Na network connection mi pise connected, a vidim da je sent 0 i received 0.
Kliknem dalje na vise informacija, kad ono nit pise ip, nit dns, niti icega.

Vec je proslo 10 sati da bih mogao operatera da zovem, a osecaj mi kaze da nije do njih.

Odem ja korak dalje, u commanderu ukucam ipconfig, ono prikaze samo svoj prvi red, tacnije, naziv "windows IP configuration".
To mi sumnjivo. Ukucam ja ipconfig /all
opet nista.

Kucao ja svasta nesto, ali nema informacija o netu.

Sta bi to moglo biti?

ComboFix 10-12-02.01 - Administrator 03.12.2010 21:39:27.2.2 - x86 NETWORK
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1023.821 [GMT 1:00]
Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Administrator\Desktop\CFScript.txt
AV: avast! antivirus 4.7.1098 [VPS 101201-1] *On-access scanning enabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}

FILE ::
"c:\documents and settings\Korisnik\ndisrd.sys"
"c:\documents and settings\Korisnik\snetcfg.exe"
"c:\program files\Messenger\msmsgsSrv.exe"
"c:\program files\microsoft\desktoplayer.exe"
"c:\windows\system32\01.tmp"
"c:\windows\system32\drivers\ndisrd.sys"
"c:\windows\system32\ffrkyql.dll"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Korisnik\Application Data\sorrypeople
c:\documents and settings\Korisnik\ndisrd.sys
c:\documents and settings\Korisnik\snetcfg.exe
c:\program files\Internet Explorer\dmlconf.dat
c:\program files\Messenger\msmsgsSrv.exe
c:\program files\Microsoft\DesktopLayer.exe
c:\windows\ExplorerSrv.exe
c:\windows\system\servicers.exe
c:\windows\system32\drivers\ndisrd.sys
c:\windows\system32\ffrkyql.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_BNPTSEZ
-------\Legacy_VWQHCYSO
-------\Legacy_XUHDLY
-------\Service_bnptsez
-------\Service_ndisrd
-------\Service_vwqhcyso
-------\Service_xuhdly
-------\Legacy_evelfisj
-------\Legacy_seccenHelp
-------\Service_evelfisj
-------\Service_seccenHelp


((((((((((((((((((((((((( Files Created from 2010-11-03 to 2010-12-03 )))))))))))))))))))))))))))))))
.

2010-12-03 20:36 . 2010-12-03 20:36 47616 ----a-w- c:\windows\system32\fgtu.exe
2010-12-02 20:47 . 2010-12-02 20:49 -------- d-----w- c:\program files\Mozilla Firefox new
2010-12-01 19:45 . 2010-04-27 10:04 381816 ----a-w- c:\windows\system32\PsExec.exe
2010-12-01 19:45 . 2010-04-27 10:04 333176 ----a-w- c:\windows\system32\PsGetsid.exe
2010-12-01 19:45 . 2010-04-27 10:04 178040 ----a-w- c:\windows\system32\psloglist.exe
2010-12-01 19:45 . 2010-04-27 10:04 390520 ----a-w- c:\windows\system32\PsInfo.exe
2010-12-01 19:45 . 2010-04-27 10:04 231288 ----a-w- c:\windows\system32\PsList.exe
2010-12-01 19:45 . 2010-04-27 10:04 183160 ----a-w- c:\windows\system32\PsLoggedon.exe
2010-12-01 19:45 . 2010-04-27 10:04 169848 ----a-w- c:\windows\system32\PsService.exe
2010-12-01 19:45 . 2009-12-01 09:52 621944 ----a-w- c:\windows\system32\pskill.exe
2010-12-01 19:45 . 2006-12-04 16:53 207664 ----a-w- c:\windows\system32\psshutdown.exe
2010-12-01 19:45 . 2006-12-04 16:53 187184 ----a-w- c:\windows\system32\pssuspend.exe
2010-12-01 19:45 . 2006-12-04 16:53 105264 ----a-w- c:\windows\system32\pspasswd.exe
2010-12-01 19:45 . 2006-12-04 16:53 105264 ----a-w- c:\windows\system32\psfile.exe
2010-11-21 11:42 . 2007-12-04 14:53 23152 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2010-11-21 11:42 . 2007-12-04 14:51 42912 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2010-11-21 11:42 . 2007-12-04 14:49 26624 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2010-11-21 11:42 . 2007-12-04 14:56 93264 ----a-w- c:\windows\system32\drivers\aswmon.sys
2010-11-21 11:42 . 2007-12-04 14:55 94544 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2010-11-21 11:42 . 2007-12-04 12:54 95608 ----a-w- c:\windows\system32\AvastSS.scr
2010-11-21 11:41 . 2007-12-04 13:04 837496 ----a-w- c:\windows\system32\aswBoot.exe
2010-11-21 11:41 . 2004-01-09 09:13 380928 ----a-w- c:\windows\system32\actskin4.ocx
2010-11-21 11:30 . 2010-11-21 11:30 -------- d-----w- c:\documents and settings\All Users\Application Data\Kaspersky Lab Setup Files
2010-11-21 11:29 . 2010-11-21 11:29 -------- d-----w- c:\documents and settings\Administrator
2010-11-16 06:10 . 2010-12-02 21:04 -------- d-----w- c:\documents and settings\Korisnik\Application Data\updates

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RTHDCPL"="RTHDCPL.EXE" [2005-09-22 14854144]
"HPDJ Taskbar Utility"="c:\windows\system32\spool\drivers\w32x86\3\hpztsb10.exe" [2004-03-04 172032]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2004-08-03 110592]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-10-27 212992]
"PAC207_Monitor"="c:\windows\PixArt\PAC207\Monitor.exe" [2006-11-03 319488]
"Monitor"="c:\windows\PixArt\PAC207\Monitor.exe" [2006-11-03 319488]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-03 15360]
"MySpaceIM"="c:\program files\MySpace\IM\MySpaceIM.exe" [2007-01-12 4898816]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Korisnik^Start Menu^Programs^Startup^Quick Data Copy.lnk]
path=c:\documents and settings\Korisnik\Start Menu\Programs\Startup\Quick Data Copy.lnk
backup=c:\windows\pss\Quick Data Copy.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATIPTA]
2010-10-27 12:13 401408 ----a-w- c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Component Manager]
2010-10-27 12:15 299008 ----a-w- c:\program files\HP\hpcoretech\hpcmpmgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
2010-10-27 12:15 106496 ----a-w- c:\program files\Hewlett-Packard\HP Software Update\hpwuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2010-10-27 12:15 335872 ----a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2010-11-21 12:31 1749504 ----a-w- c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MySpaceIM]
2007-01-12 01:45 4898816 ----a-w- c:\program files\MySpace\IM\MySpaceIM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NBJ]
2010-10-27 12:13 1994752 ----a-w- c:\program files\Ahead\Nero BackItUp\NBJ.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2001-07-09 08:50 155648 ----a-w- c:\windows\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-10-27 12:17 212992 ----a-w- c:\program files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
2010-10-27 12:14 90112 ----a-w- c:\program files\CyberLink\PowerDVD\PDVDServ.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
2006-12-18 16:32 25365032 ----a-w- c:\program files\Skype\Phone\Skype.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StatusClient]
2010-10-27 12:15 94208 ----a-w- c:\program files\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TomcatStartup]
2010-10-27 12:15 212992 ----a-w- c:\program files\Hewlett-Packard\Toolbox2.0\hpbpsttp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\WINDOWS\\system32\\usmt\\migwiz.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\Hewlett-Packard\\Toolbox2.0\\Javasoft\\JRE\\1.3.1\\bin\\javaw.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

S2 evelfisj;System Windows;c:\windows\system32\svchost.exe -k netsvcs [3.8.2004 23:56 14336]
S3 PAC207;Eye 110;c:\windows\system32\drivers\PFC027.SYS [11.6.2010 22:30 616064]
S3 ytxmgn;ytxmgn;\??\c:\windows\system32\013.tmp --> c:\windows\system32\013.tmp [?]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
evelfisj
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://google.rs/
FF - ProfilePath - c:\documents and settings\Korisnik\Application Data\Mozilla\Firefox\Profiles\8sxf8hvl.default\
FF - Extension: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox new\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, gmer.net
Rootkit scan 2010-12-03 21:44
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ytxmgn]
"ImagePath"="\??\c:\windows\system32\013.tmp"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\evelfisj]
"ServiceDll"="c:\windows\system32\ffrkyql.dll"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(348-)
c:\windows\system32\Ati2evxx.dll
c:\windows\system32\Iac25_32.ax
c:\windows\system32\DivXa32.acm

- - - - - - - > 'explorer.exe'(1028-)
c:\windows\system32\msi.dll
.
Completion time: 2010-12-03 21:46:01 - machine was rebooted
ComboFix-quarantined-files.txt 2010-12-03 20:45
ComboFix2.txt 2010-12-02 21:10

Pre-Run: 14.776.066.048 bytes free
Post-Run: 14.628.294.656 bytes free

- - End Of File - - 4029E585CD0AB3A43EA57F4D126B0F8A

offline
  • magna86  Male
  • Anti Malware Fighter
    Rank 2
  • Pridružio: 21 Jun 2008
  • Poruke: 6102

Idemo jedno po jedno Wink

Arrow Privremeno deaktiviraj zastitni softver(uputstvo);

Arrow Otvoriti Notepad i iskopirati sledeci tekst:

File::
c:\windows\system32\fgtu.exe

DirLook::
c:\program files\Mozilla Firefox new

Driver::
evelfisj
ytxmgn

NetSvc::
evelfisj

Rootkit::
c:\windows\system32\ffrkyql.dll
c:\windows\system32\013.tmp


Snimiti na Desktop fajl iz Notepada kao "CFScript"




Prevuci snimljeni skript/tekst na ComboFix ikonicu kao na slici.
Postaviti u sledecoj poruci log koji bude bio napravljen na kraju ciscenja/skeniranja.

offline
  • Pridružio: 20 Jul 2008
  • Poruke: 197

Sorry, ali avast ne moze da se deaktivira iz prostog razloga sto ga je virus naceo i onda je avast sam sebe detektovao i sam sebi nesto "otkinuo".
Stoga, ne pise nigde da je avast pokrenut, ali kad se pokrene combofix, tek onda pise da je avast pokrenut.

offline
  • magna86  Male
  • Anti Malware Fighter
    Rank 2
  • Pridružio: 21 Jun 2008
  • Poruke: 6102

Privremeno ga reinstaliraj ili deinstaliraj pa nastavi po uputstvu.

Ko je trenutno na forumu
 

Ukupno su 728 korisnika na forumu :: 31 registrovanih, 3 sakrivenih i 694 gosta   ::   [ Administrator ] [ Supermoderator ] [ Moderator ] :: Detaljnije

Najviše korisnika na forumu ikad bilo je 3466 - dana 01 Jun 2021 17:07

Korisnici koji su trenutno na forumu:
Korisnici trenutno na forumu: A.R.Chafee.Jr., Aleksandar Tomić, Apok, Bane san, djo97, dragon986, Drug pukovnik, goxin, ivica976, Jovan Nenad, krlebgd77, kybonacci, L A Z A R, Libertas, manda87, MB120mm, mercedesamg, MikeHammer, milenko crazy north, mnn2, nemkea71, ruan, S-lash, Sass Drake, Skywhaler, Srki98, tacija, Toni, Vlada78, x9, YU-UKI