Shutdown in one minute, services.exe involved

offline
  • Joined: 20 Jul 2008
  • Posts: 197

Posted: 01 Dec 2010 22:37

It says it will shut down after a minute, but it never actually shuts down; it is just completely unusable.

After about 20-30 seconds, windows leave duplicate copies behind when you move them.

I have avast, which hasn't reported anything so far.

I made all of these reports from safe mode, since that's the only time the computer behaves normally.




DDS (Ver_10-11-27.01) - NTFSx86 NETWORK
Run by Administrator at 21:10:44,28 on sre 01.12.2010
Internet Explorer: 6.0.2900.2180
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1023.557 [GMT 1:00]

AV: avast! antivirus 4.7.1098 [VPS 080214-0] *On-access scanning enabled* (Outdated) {7591DB91-41F0-48A3-B128-1A293FD8233D}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
svchost.exe
svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs

============== Pseudo HJT Report ===============

mWinlogon: Userinit=c:\windows\system32\userinit.exe,,c:\program files\microsoft\desktoplayer.exe
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: Skype add-on (mastermind): {22bf413b-c6d2-4d91-82a9-a0f997ba588c} - c:\progra~1\skype\phone\ieplugin\SKYPEI~1.DLL
BHO: {4c6dac00-224d-40ab-9f81-c143923b72bf} - c:\windows\system32\cmpbk3.dll
uRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [HPDJ Taskbar Utility] c:\windows\system32\spool\drivers\w32x86\3\hpztsb10.exe
mRun: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
mRun: [<NO NAME>]
mRun: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [BMISR] c:\program files\kye\webmate\BM.exe
mRun: [PAC207_Monitor] c:\windows\pixart\pac207\Monitor.exe
mRun: [Monitor] c:\windows\pixart\pac207\Monitor.exe
mRun: [RegistryMonitor1] c:\windows\system32\qtplugin.exe
mRun: [avast!] c:\progra~1\alwils~1\avast4\ashDisp.exe
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
dRun: [MySpaceIM] c:\program files\myspace\im\MySpaceIM.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {77BF5300-1474-4EC7-9980-D32B190E9B07} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\progra~1\skype\phone\ieplugin\SKYPEI~1.DLL
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Handler: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - c:\program files\hp\hpcoretech\comp\hpuiprot.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: AtiExtEvent - Ati2evxx.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\admini~1\applic~1\mozilla\firefox\profiles\ra2pugze.default\
FF - prefs.js: network.proxy.type - 0
FF - Extension: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}

============= SERVICES / DRIVERS ===============

R3 ndisrd;WinpkFilter Service;c:\windows\system32\drivers\ndisrd.sys [2010-11-8 20480]
S1 jlh5f77;jlh5f77;c:\windows\system32\drivers\jlh5f77.sys [2010-11-17 138272]
S2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast4\ashServ.exe [2010-11-21 140664]
S2 vwqhcyso;System Universal;c:\windows\system32\svchost.exe -k netsvcs [2004-8-3 14336]
S2 xuhdly;System Windows;c:\windows\system32\svchost.exe -k netsvcs [2004-8-3 14336]
S3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast4\ashMaiSv.exe [2010-11-21 247160]
S3 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast4\ashWebSv.exe [2010-11-21 345464]
S3 bnptsez;bnptsez;\??\c:\windows\system32\01.tmp --> c:\windows\system32\01.tmp [?]
S3 PAC207;Eye 110;c:\windows\system32\drivers\PFC027.SYS [2010-6-11 616064]

=============== Created Last 30 ================

2010-12-01 19:59:52 40960 ----a-w- c:\windows\system32\x.exe
2010-11-21 12:44:40 53760 ----a-w- c:\windows\ExplorerSrv.exe
2010-11-21 12:37:33 53760 ----a-w- c:\program files\messenger\msmsgsSrv.exe
2010-11-21 11:40:08 -------- d-----w- c:\docume~1\admini~1\locals~1\applic~1\Mozilla
2010-11-21 11:30:31 -------- d-----w- c:\docume~1\alluse~1\applic~1\Kaspersky Lab Setup Files
2010-11-17 12:07:42 138272 ----a-w- c:\windows\system32\drivers\jlh5f77.sys
2010-11-16 21:12:32 -------- d-----w- c:\docume~1\alluse~1\applic~1\aDoPd02100
2010-11-11 14:13:13 1451520 ----a-w- c:\windows\system32\qtplugin.exe
2010-11-08 20:55:24 20480 ----a-w- c:\windows\system32\drivers\ndisrd.sys

==================== Find3M ====================


============= FINISH: 21:11:31,73 ===============



At startup GMER prompted: "A system modification caused by a ROOTKIT has been detected. Do you want a full system scan?" I clicked NO, following the instructions in the topic.

Update: 01 Dec 2010 23:19

Small update.

In the meantime I ran avast's boot-time scan.

This is the report.

12/01/2010 22:46
Scanning all local disks
File: C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\O066IXIO\x[1] is infected with Win32:Virtob, Repair: Error 42060 {File not repaired.}, Deleted
File: C:\WINDOWS\system32\x.exe is infected with Win32:Virtob

Folders scanned: 4145
Files tested: 74060
Infected files: 2

That second file wasn't touched, it was just ignored.

Update: 01 Dec 2010 23:26

Ramnit:B, now it has found that virus as well.

offline
  • magna86
  • Anti Malware Fighter, Rank 2
  • Joined: 21 Jun 2008
  • Posts: 6103

Hi,

Since you have already started avast's boot-time scan, let it finish.

When avast is done, attach the log to your reply; it is at the following location:
Quote: C:\Documents and Settings\All Users\Application Data\Alwil Software\Avast5\report\aswBoot.txt

Use the Attach file option.

Then run DDS again and post a fresh DDS.txt.

Also, do not use any other malware removal programs apart from the ones you are given instructions for, and
do not use USB storage devices during the clean-up until I ask you to.

offline
  • Joined: 20 Jul 2008
  • Posts: 197

This is the only thing in avast's log:

12/01/2010 22:46
Scanning all local disks
File: C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\O066IXIO\x[1] is infected with Win32:Virtob, Repair: Error 42060 {File not repaired.}, Deleted
File: C:\WINDOWS\system32\x.exe is infected with Win32:Virtob

Folders scanned: 4145
Files tested: 74060
Infected files: 2

One more thing: while it counts down before shutting down, it says
services.exe status 1073741819

That DDS scan took forever.
Is there any way to speed it up a bit?
While it scans, I can see it going through all of c:\.

offline
  • magna86
  • Anti Malware Fighter, Rank 2
  • Joined: 21 Jun 2008
  • Posts: 6103

Do the following:

Download sUBs' ComboFix from the following address to your Desktop:

Bleeping Computer
Right-click the link and choose Save Target As... (Save Link As..., Save Linked Content As... or similar);
When the dialog for choosing the save location opens, select Desktop and click Save.

Once the download has finished:
  • deactivate your security software (instructions);
  • close any running programs;
  • double-click ComboFix to start it.

While it runs, ComboFix will:
  • check whether a newer version of the program exists: click Yes if it offers to download it;
  • display the DISCLAIMER OF WARRANTY ON SOFTWARE: click Yes so the process continues;
  • if the Recovery Console is not installed, offer to install it: be sure to accept by clicking Yes and follow the procedure;
  • show a number of prompts/notices: accept them by clicking Yes or OK;
  • restart Windows if necessary (possibly several times);
  • at the end, open Notepad with the scan report.

Copy the report ComboFix produced into the forum thread:
  • right-click in the Notepad window and choose Select All;
  • right-click the selected text and choose Copy;
  • right-click in the message box and choose Paste.

Note: the report is saved as ComboFix.txt on the system partition (typically C:\ComboFix.txt);
if after posting you notice the report is incomplete, use the Attach file option to attach C:\ComboFix.txt to your reply.

If you have trouble starting ComboFix, run it in Safe Mode.

offline
  • Joined: 20 Jul 2008
  • Posts: 197

Started from safe mode, but it finished in normal mode.


ComboFix 10-12-02.01 - Administrator 02.12.2010 22:02:30.1.2 - x86 NETWORK
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1023.715 [GMT 1:00]
Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
AV: avast! antivirus 4.7.1098 [VPS 101201-1] *On-access scanning enabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\aDoPd02100
c:\documents and settings\All Users\Application Data\aDoPd02100\aDoPd02100
c:\documents and settings\All Users\Application Data\aDoPd02100\aDoPd02100.exe
c:\documents and settings\Korisnik\_tmpf
c:\documents and settings\Korisnik\Application Data\download2
c:\documents and settings\Korisnik\Application Data\download2\svcnost.exe
c:\documents and settings\Korisnik\Application Data\updates\updates.exe
c:\documents and settings\Korisnik\drvsign.exe
c:\program files\Internet Explorer\dmlconf.dat
c:\program files\quicktime\qttasksrv.exe
c:\program files\Realtek\InstallShield\Alcmtr.exe
c:\program files\XviD\StatsReader.exe
c:\windows\ExplorerSrv.exe
c:\windows\system32\drivers\jlh5f77.sys
c:\windows\system32\qtplugin.exe
c:\windows\system32\x.exe
c:\program files\Microsoft\DesktopLayer.exe . . . . Failed to delete

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_jlh5f77
-------\Service_jlh5f77


((((((((((((((((((((((((( Files Created from 2010-11-02 to 2010-12-02 )))))))))))))))))))))))))))))))
.

2010-12-02 20:47 . 2010-12-02 20:49 -------- d-----w- c:\program files\Mozilla Firefox new
2010-12-01 19:45 . 2010-04-27 10:04 381816 ----a-w- c:\windows\system32\PsExec.exe
2010-12-01 19:45 . 2010-04-27 10:04 333176 ----a-w- c:\windows\system32\PsGetsid.exe
2010-12-01 19:45 . 2010-04-27 10:04 178040 ----a-w- c:\windows\system32\psloglist.exe
2010-12-01 19:45 . 2010-04-27 10:04 390520 ----a-w- c:\windows\system32\PsInfo.exe
2010-12-01 19:45 . 2010-04-27 10:04 231288 ----a-w- c:\windows\system32\PsList.exe
2010-12-01 19:45 . 2010-04-27 10:04 183160 ----a-w- c:\windows\system32\PsLoggedon.exe
2010-12-01 19:45 . 2010-04-27 10:04 169848 ----a-w- c:\windows\system32\PsService.exe
2010-12-01 19:45 . 2009-12-01 09:52 621944 ----a-w- c:\windows\system32\pskill.exe
2010-12-01 19:45 . 2006-12-04 16:53 207664 ----a-w- c:\windows\system32\psshutdown.exe
2010-12-01 19:45 . 2006-12-04 16:53 187184 ----a-w- c:\windows\system32\pssuspend.exe
2010-12-01 19:45 . 2006-12-04 16:53 105264 ----a-w- c:\windows\system32\pspasswd.exe
2010-12-01 19:45 . 2006-12-04 16:53 105264 ----a-w- c:\windows\system32\psfile.exe
2010-11-21 12:37 . 2010-12-01 22:40 53760 ----a-w- c:\program files\Messenger\msmsgsSrv.exe
2010-11-21 12:24 . 2010-11-21 12:24 -------- d-----w- c:\documents and settings\Korisnik\Application Data\sorrypeople
2010-11-21 11:42 . 2007-12-04 14:53 23152 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2010-11-21 11:42 . 2007-12-04 14:51 42912 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2010-11-21 11:42 . 2007-12-04 14:49 26624 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2010-11-21 11:42 . 2007-12-04 14:56 93264 ----a-w- c:\windows\system32\drivers\aswmon.sys
2010-11-21 11:42 . 2007-12-04 14:55 94544 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2010-11-21 11:42 . 2007-12-04 12:54 95608 ----a-w- c:\windows\system32\AvastSS.scr
2010-11-21 11:41 . 2007-12-04 13:04 837496 ----a-w- c:\windows\system32\aswBoot.exe
2010-11-21 11:41 . 2004-01-09 09:13 380928 ----a-w- c:\windows\system32\actskin4.ocx
2010-11-21 11:30 . 2010-11-21 11:30 -------- d-----w- c:\documents and settings\All Users\Application Data\Kaspersky Lab Setup Files
2010-11-21 11:29 . 2010-11-21 11:29 -------- d-----w- c:\documents and settings\Administrator
2010-11-16 06:10 . 2010-12-02 21:04 -------- d-----w- c:\documents and settings\Korisnik\Application Data\updates
2010-11-08 20:55 . 2010-11-08 20:55 20480 ----a-w- c:\windows\system32\drivers\ndisrd.sys
2010-11-08 20:55 . 2010-11-08 20:55 20480 ----a-w- c:\documents and settings\Korisnik\ndisrd.sys
2010-11-08 20:55 . 2010-11-08 20:55 13824 ----a-w- c:\documents and settings\Korisnik\snetcfg.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RTHDCPL"="RTHDCPL.EXE" [2005-09-22 14854144]
"HPDJ Taskbar Utility"="c:\windows\system32\spool\drivers\w32x86\3\hpztsb10.exe" [2004-03-04 172032]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2004-08-03 110592]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-10-27 212992]
"PAC207_Monitor"="c:\windows\PixArt\PAC207\Monitor.exe" [2006-11-03 319488]
"Monitor"="c:\windows\PixArt\PAC207\Monitor.exe" [2006-11-03 319488]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-03 15360]
"MySpaceIM"="c:\program files\MySpace\IM\MySpaceIM.exe" [2007-01-12 4898816]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Userinit"="c:\windows\system32\userinit.exe,,c:\program files\microsoft\desktoplayer.exe"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Korisnik^Start Menu^Programs^Startup^Quick Data Copy.lnk]
path=c:\documents and settings\Korisnik\Start Menu\Programs\Startup\Quick Data Copy.lnk
backup=c:\windows\pss\Quick Data Copy.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATIPTA]
2010-10-27 12:13 401408 ----a-w- c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Component Manager]
2010-10-27 12:15 299008 ----a-w- c:\program files\HP\hpcoretech\hpcmpmgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
2010-10-27 12:15 106496 ----a-w- c:\program files\Hewlett-Packard\HP Software Update\hpwuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2010-10-27 12:15 335872 ----a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2010-11-21 12:31 1749504 ----a-w- c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MySpaceIM]
2007-01-12 01:45 4898816 ----a-w- c:\program files\MySpace\IM\MySpaceIM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NBJ]
2010-10-27 12:13 1994752 ----a-w- c:\program files\Ahead\Nero BackItUp\NBJ.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2001-07-09 08:50 155648 ----a-w- c:\windows\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-10-27 12:17 212992 ----a-w- c:\program files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
2010-10-27 12:14 90112 ----a-w- c:\program files\CyberLink\PowerDVD\PDVDServ.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
2006-12-18 16:32 25365032 ----a-w- c:\program files\Skype\Phone\Skype.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StatusClient]
2010-10-27 12:15 94208 ----a-w- c:\program files\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TomcatStartup]
2010-10-27 12:15 212992 ----a-w- c:\program files\Hewlett-Packard\Toolbox2.0\hpbpsttp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\WINDOWS\\system32\\usmt\\migwiz.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\Hewlett-Packard\\Toolbox2.0\\Javasoft\\JRE\\1.3.1\\bin\\javaw.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5625:TCP"= 5625:TCP:vbupvjdo

R3 ndisrd;WinpkFilter Service;c:\windows\system32\drivers\ndisrd.sys [8.11.2010 21:55 20480]
S2 vwqhcyso;System Universal;c:\windows\system32\svchost.exe -k netsvcs [3.8.2004 23:56 14336]
S2 xuhdly;System Windows;c:\windows\system32\svchost.exe -k netsvcs [3.8.2004 23:56 14336]
S3 bnptsez;bnptsez;\??\c:\windows\system32\01.tmp --> c:\windows\system32\01.tmp [?]
S3 PAC207;Eye 110;c:\windows\system32\drivers\PFC027.SYS [11.6.2010 22:30 616064]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
vwqhcyso
xuhdly

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{10bb11c4-c3b2-11dc-8588-e1986ae817f6}]
\Shell\Auto\command - G:\AdobeR.exe e
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL AdobeR.exe e

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1b0844ea-d6d9-11da-9a43-806d6172696f}]
\Shell\AutoRun\command - F:\install.exe
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = <local>
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Korisnik\Application Data\Mozilla\Firefox\Profiles\8sxf8hvl.default\
FF - Extension: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox new\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-download - c:\documents and settings\Korisnik\Application Data\download2\svcnost.exe
HKCU-Run-engel - c:\documents and settings\Korisnik\Application Data\updates\updates.exe
HKCU-Run-Rapport - c:\documents and settings\Korisnik\Application Data\sorrypeople2\smss.exe
HKLM-Run-BMISR - c:\program files\KYE\WebMate\BM.exe
MSConfigStartUp-nod32kui - c:\program files\Eset\nod32kui.exe
AddRemove-Doninno2 - c:\documents and settings\All Users\Documents\Doninno2\uninstall.exe



**************************************************************************
scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files:

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\bnptsez]
"ImagePath"="\??\c:\windows\system32\01.tmp"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\vwqhcyso]
"ServiceDll"="c:\windows\system32\ffrkyql.dll"
--

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\xuhdly]
"ServiceDll"="c:\windows\system32\ffrkyql.dll"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(904)
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(2544)
c:\windows\system32\msi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\program files\Alwil Software\Avast4\aswUpdSv.exe
c:\program files\Internet Explorer\iexplore.exe
c:\windows\system32\Ati2evxx.exe
c:\windows\RTHDCPL.EXE
c:\windows\system32\rundll32.exe
.
**************************************************************************
.
Completion time: 2010-12-02 22:10:23 - machine was rebooted
ComboFix-quarantined-files.txt 2010-12-02 21:10

Pre-Run: 9.606.049.792 bytes free
Post-Run: 13.309.222.912 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

- - End Of File - - 28AA01150832A98C64CDDAF787D86314

offline
  • magna86
  • Anti Malware Fighter, Rank 2
  • Joined: 21 Jun 2008
  • Posts: 6103

Open Notepad and copy the following text into it:

File::
c:\program files\Messenger\msmsgsSrv.exe
c:\program files\microsoft\desktoplayer.exe
c:\windows\system32\ffrkyql.dll
c:\windows\system32\01.tmp
c:\windows\system32\drivers\ndisrd.sys
c:\documents and settings\Korisnik\ndisrd.sys
c:\documents and settings\Korisnik\snetcfg.exe

Folder::
c:\documents and settings\Korisnik\Application Data\sorrypeople

Registry::
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5625:TCP"=-
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{10bb11c4-c3b2-11dc-8588-e1986ae817f6}]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Userinit"="c:\windows\system32\userinit.exe"

Driver::
vwqhcyso
xuhdly
bnptsez
ndisrd

NetSvc::
vwqhcyso
xuhdly


Save the file from Notepad to the Desktop as "CFScript".

Drag the saved script/text file onto the ComboFix icon, as in the picture.
Post the log that is produced at the end of the cleaning/scan in your next reply.

offline
  • Joined: 20 Jul 2008
  • Posts: 197

When I dragged CFScript onto ComboFix, it did its thing, restarted the computer and then did something else of its own.

But after that the internet didn't work. The modem was fine.
Network connection says connected, but I can see sent 0 and received 0.
When I click through for more details, there is no IP, no DNS, nothing at all.

It's already past 10, so I can't call the ISP, but my gut tells me it isn't their fault.

I went a step further: in the command prompt I typed ipconfig and it printed only its first line, namely the heading "Windows IP configuration".
That looked suspicious. I typed ipconfig /all,
again nothing.

I typed all sorts of things, but there is no information about the network.

What could it be?

ComboFix 10-12-02.01 - Administrator 03.12.2010 21:39:27.2.2 - x86 NETWORK
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1023.821 [GMT 1:00]
Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Administrator\Desktop\CFScript.txt
AV: avast! antivirus 4.7.1098 [VPS 101201-1] *On-access scanning enabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}

FILE ::
"c:\documents and settings\Korisnik\ndisrd.sys"
"c:\documents and settings\Korisnik\snetcfg.exe"
"c:\program files\Messenger\msmsgsSrv.exe"
"c:\program files\microsoft\desktoplayer.exe"
"c:\windows\system32\01.tmp"
"c:\windows\system32\drivers\ndisrd.sys"
"c:\windows\system32\ffrkyql.dll"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Korisnik\Application Data\sorrypeople
c:\documents and settings\Korisnik\ndisrd.sys
c:\documents and settings\Korisnik\snetcfg.exe
c:\program files\Internet Explorer\dmlconf.dat
c:\program files\Messenger\msmsgsSrv.exe
c:\program files\Microsoft\DesktopLayer.exe
c:\windows\ExplorerSrv.exe
c:\windows\system\servicers.exe
c:\windows\system32\drivers\ndisrd.sys
c:\windows\system32\ffrkyql.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_BNPTSEZ
-------\Legacy_VWQHCYSO
-------\Legacy_XUHDLY
-------\Service_bnptsez
-------\Service_ndisrd
-------\Service_vwqhcyso
-------\Service_xuhdly
-------\Legacy_evelfisj
-------\Legacy_seccenHelp
-------\Service_evelfisj
-------\Service_seccenHelp


((((((((((((((((((((((((( Files Created from 2010-11-03 to 2010-12-03 )))))))))))))))))))))))))))))))
.

2010-12-03 20:36 . 2010-12-03 20:36 47616 ----a-w- c:\windows\system32\fgtu.exe
2010-12-02 20:47 . 2010-12-02 20:49 -------- d-----w- c:\program files\Mozilla Firefox new
2010-12-01 19:45 . 2010-04-27 10:04 381816 ----a-w- c:\windows\system32\PsExec.exe
2010-12-01 19:45 . 2010-04-27 10:04 333176 ----a-w- c:\windows\system32\PsGetsid.exe
2010-12-01 19:45 . 2010-04-27 10:04 178040 ----a-w- c:\windows\system32\psloglist.exe
2010-12-01 19:45 . 2010-04-27 10:04 390520 ----a-w- c:\windows\system32\PsInfo.exe
2010-12-01 19:45 . 2010-04-27 10:04 231288 ----a-w- c:\windows\system32\PsList.exe
2010-12-01 19:45 . 2010-04-27 10:04 183160 ----a-w- c:\windows\system32\PsLoggedon.exe
2010-12-01 19:45 . 2010-04-27 10:04 169848 ----a-w- c:\windows\system32\PsService.exe
2010-12-01 19:45 . 2009-12-01 09:52 621944 ----a-w- c:\windows\system32\pskill.exe
2010-12-01 19:45 . 2006-12-04 16:53 207664 ----a-w- c:\windows\system32\psshutdown.exe
2010-12-01 19:45 . 2006-12-04 16:53 187184 ----a-w- c:\windows\system32\pssuspend.exe
2010-12-01 19:45 . 2006-12-04 16:53 105264 ----a-w- c:\windows\system32\pspasswd.exe
2010-12-01 19:45 . 2006-12-04 16:53 105264 ----a-w- c:\windows\system32\psfile.exe
2010-11-21 11:42 . 2007-12-04 14:53 23152 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2010-11-21 11:42 . 2007-12-04 14:51 42912 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2010-11-21 11:42 . 2007-12-04 14:49 26624 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2010-11-21 11:42 . 2007-12-04 14:56 93264 ----a-w- c:\windows\system32\drivers\aswmon.sys
2010-11-21 11:42 . 2007-12-04 14:55 94544 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2010-11-21 11:42 . 2007-12-04 12:54 95608 ----a-w- c:\windows\system32\AvastSS.scr
2010-11-21 11:41 . 2007-12-04 13:04 837496 ----a-w- c:\windows\system32\aswBoot.exe
2010-11-21 11:41 . 2004-01-09 09:13 380928 ----a-w- c:\windows\system32\actskin4.ocx
2010-11-21 11:30 . 2010-11-21 11:30 -------- d-----w- c:\documents and settings\All Users\Application Data\Kaspersky Lab Setup Files
2010-11-21 11:29 . 2010-11-21 11:29 -------- d-----w- c:\documents and settings\Administrator
2010-11-16 06:10 . 2010-12-02 21:04 -------- d-----w- c:\documents and settings\Korisnik\Application Data\updates

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RTHDCPL"="RTHDCPL.EXE" [2005-09-22 14854144]
"HPDJ Taskbar Utility"="c:\windows\system32\spool\drivers\w32x86\3\hpztsb10.exe" [2004-03-04 172032]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2004-08-03 110592]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-10-27 212992]
"PAC207_Monitor"="c:\windows\PixArt\PAC207\Monitor.exe" [2006-11-03 319488]
"Monitor"="c:\windows\PixArt\PAC207\Monitor.exe" [2006-11-03 319488]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-03 15360]
"MySpaceIM"="c:\program files\MySpace\IM\MySpaceIM.exe" [2007-01-12 4898816]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Korisnik^Start Menu^Programs^Startup^Quick Data Copy.lnk]
path=c:\documents and settings\Korisnik\Start Menu\Programs\Startup\Quick Data Copy.lnk
backup=c:\windows\pss\Quick Data Copy.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATIPTA]
2010-10-27 12:13 401408 ----a-w- c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Component Manager]
2010-10-27 12:15 299008 ----a-w- c:\program files\HP\hpcoretech\hpcmpmgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
2010-10-27 12:15 106496 ----a-w- c:\program files\Hewlett-Packard\HP Software Update\hpwuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2010-10-27 12:15 335872 ----a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2010-11-21 12:31 1749504 ----a-w- c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MySpaceIM]
2007-01-12 01:45 4898816 ----a-w- c:\program files\MySpace\IM\MySpaceIM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NBJ]
2010-10-27 12:13 1994752 ----a-w- c:\program files\Ahead\Nero BackItUp\NBJ.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2001-07-09 08:50 155648 ----a-w- c:\windows\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-10-27 12:17 212992 ----a-w- c:\program files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
2010-10-27 12:14 90112 ----a-w- c:\program files\CyberLink\PowerDVD\PDVDServ.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
2006-12-18 16:32 25365032 ----a-w- c:\program files\Skype\Phone\Skype.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StatusClient]
2010-10-27 12:15 94208 ----a-w- c:\program files\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TomcatStartup]
2010-10-27 12:15 212992 ----a-w- c:\program files\Hewlett-Packard\Toolbox2.0\hpbpsttp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\WINDOWS\\system32\\usmt\\migwiz.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\Hewlett-Packard\\Toolbox2.0\\Javasoft\\JRE\\1.3.1\\bin\\javaw.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

S2 evelfisj;System Windows;c:\windows\system32\svchost.exe -k netsvcs [3.8.2004 23:56 14336]
S3 PAC207;Eye 110;c:\windows\system32\drivers\PFC027.SYS [11.6.2010 22:30 616064]
S3 ytxmgn;ytxmgn;\??\c:\windows\system32\013.tmp --> c:\windows\system32\013.tmp [?]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
evelfisj
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://google.rs/
FF - ProfilePath - c:\documents and settings\Korisnik\Application Data\Mozilla\Firefox\Profiles\8sxf8hvl.default\
FF - Extension: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox new\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, gmer.net
Rootkit scan 2010-12-03 21:44
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ytxmgn]
"ImagePath"="\??\c:\windows\system32\013.tmp"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\evelfisj]
"ServiceDll"="c:\windows\system32\ffrkyql.dll"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(348-)
c:\windows\system32\Ati2evxx.dll
c:\windows\system32\Iac25_32.ax
c:\windows\system32\DivXa32.acm

- - - - - - - > 'explorer.exe'(1028-)
c:\windows\system32\msi.dll
.
Completion time: 2010-12-03 21:46:01 - machine was rebooted
ComboFix-quarantined-files.txt 2010-12-03 20:45
ComboFix2.txt 2010-12-02 21:10

Pre-Run: 14.776.066.048 bytes free
Post-Run: 14.628.294.656 bytes free

- - End Of File - - 4029E585CD0AB3A43EA57F4D126B0F8A
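The three logs above (the DDS log in the first post and the two ComboFix runs) share one service-line format ("S2 name;display name;image path [date size]") and the same REGEDIT4-style registry dump, so they can be triaged by script. The Python below is an added example and is not code from this thread, from DDS or from ComboFix. Its sample input is a handful of lines copied from those logs; its heuristics are this example's own assumptions: a netsvcs-hosted service that the tool bothers to print at all (ComboFix states that default entries are not shown), a service whose image is a .tmp file, one ServiceDll registered under several service names, a Userinit value with more than userinit.exe, a firewall exception with a random-looking label, and the firewall and Security Center overrides. The survivors() comparison shows what the second run makes visible: ffrkyql.dll, deleted as a file by the first script, is still referenced by a freshly created service (evelfisj), which is why the second CFScript lists it under Rootkit::. status_to_hex() assumes that the "services.exe status 1073741819" quoted earlier is the shutdown dialog's signed value -1073741819 with the minus sign dropped; if so it is 0xC0000005 (STATUS_ACCESS_VIOLATION), i.e. services.exe crashing, which is the event behind Windows XP's one-minute restart countdown.

```python
"""Triage of the DDS / ComboFix excerpts posted in this thread (added example,
not part of the thread, DDS or ComboFix; the heuristics are this example's own)."""
import re

# Constructed sample input: lines copied from the logs posted above.
DDS_LOG = r"""
mWinlogon: Userinit=c:\windows\system32\userinit.exe,,c:\program files\microsoft\desktoplayer.exe
S2 vwqhcyso;System Universal;c:\windows\system32\svchost.exe -k netsvcs [2004-8-3 14336]
S3 bnptsez;bnptsez;\??\c:\windows\system32\01.tmp --> c:\windows\system32\01.tmp [?]
S3 PAC207;Eye 110;c:\windows\system32\drivers\PFC027.SYS [2010-6-11 616064]
"""
COMBOFIX_RUN1 = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5625:TCP"= 5625:TCP:vbupvjdo
S2 xuhdly;System Windows;c:\windows\system32\svchost.exe -k netsvcs [3.8.2004 23:56 14336]
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\vwqhcyso]
"ServiceDll"="c:\windows\system32\ffrkyql.dll"
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\xuhdly]
"ServiceDll"="c:\windows\system32\ffrkyql.dll"
"""
COMBOFIX_RUN2 = r"""
S2 evelfisj;System Windows;c:\windows\system32\svchost.exe -k netsvcs [3.8.2004 23:56 14336]
S3 ytxmgn;ytxmgn;\??\c:\windows\system32\013.tmp --> c:\windows\system32\013.tmp [?]
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\evelfisj]
"ServiceDll"="c:\windows\system32\ffrkyql.dll"
"""

SERVICE_RE = re.compile(r"^([RS]\d) ([^;]+);([^;]*);(.*?) \[")  # S2 name;display;path [..]
KEY_RE = re.compile(r"^\[(.+)\]$")                                # [HKEY_...\subkey]
VALUE_RE = re.compile(r'^"([^"]+)"\s*=\s*(.*)$')                  # "Name"=data

def parse_log(text):
    """Split a log into service lines and (registry key, value name) -> data."""
    f = {"services": {}, "values": {}, "userinit": None}
    key = ""                                    # registry key the value lines belong to
    for line in (ln.strip() for ln in text.splitlines()):
        if m := SERVICE_RE.match(line):
            f["services"][m.group(2)] = (m.group(3), m.group(4))
        elif m := KEY_RE.match(line):
            key = m.group(1).lower()
        elif line.lower().startswith("mwinlogon: userinit="):
            f["userinit"] = line.split("=", 1)[1]
        elif m := VALUE_RE.match(line):
            f["values"][(key, m.group(1))] = m.group(2).strip().strip('"')
    return f

def service_dlls(f):
    """service name -> ServiceDll path, from the per-service registry dumps."""
    return {k.rsplit("\\", 1)[-1]: v.lower() for (k, n), v in f["values"].items() if n == "ServiceDll"}

def indicators(f):
    """This example's triage heuristics; one readable string per hit."""
    hits = []
    for name, (display, path) in f["services"].items():
        if "svchost.exe -k netsvcs" in path.lower():
            # ComboFix hides default entries, so any netsvcs-hosted service it prints is worth a look.
            hits.append(f"non-default netsvcs-hosted service {name!r} ({display!r})")
        if ".tmp" in path.lower():
            hits.append(f"service {name!r} runs a .tmp image: {path}")
    owners = {}
    for svc, dll in service_dlls(f).items():
        owners.setdefault(dll, []).append(svc)
    hits += [f"one ServiceDll shared by {sorted(s)}: {d}" for d, s in owners.items() if len(s) > 1]
    userinit = next((v for (k, n), v in f["values"].items() if n == "Userinit"), f["userinit"])
    if userinit and [p for p in userinit.lower().split(",") if p] != [r"c:\windows\system32\userinit.exe"]:
        hits.append("Userinit chains extra executables: " + userinit)
    for (key, vname), vdata in f["values"].items():
        if key.endswith("globallyopenports\\list"):
            hits.append(f"firewall exception {vname} labelled {vdata.rsplit(':', 1)[-1]!r}")
        elif vname == "EnableFirewall" and vdata.startswith("0"):
            hits.append("Windows Firewall disabled (EnableFirewall=0)")
        elif vname == "AntiVirusOverride" and vdata.endswith("1"):
            hits.append("Security Center AntiVirusOverride=1")
    return hits

def survivors(before, after):
    """ServiceDll paths a later run still references: (dll, old owners, new owners)."""
    b, a = service_dlls(before), service_dlls(after)
    return [(dll, sorted(s for s in b if b[s] == dll), sorted(s for s in a if a[s] == dll))
            for dll in sorted(set(a.values()) & set(b.values()))]

def status_to_hex(value):
    """Shutdown dialogs print the signed 32-bit NTSTATUS; -1073741819 is 0xC0000005
    (STATUS_ACCESS_VIOLATION). Assumption: the posted '1073741819' lost its sign."""
    return f"0x{value & 0xFFFFFFFF:08X}"

if __name__ == "__main__":
    run1, run2 = parse_log(DDS_LOG + COMBOFIX_RUN1), parse_log(COMBOFIX_RUN2)
    for tag, run in (("run1", run1), ("run2", run2)):
        print(*[f"{tag}: {h}" for h in indicators(run)], sep="\n")
    for dll, old, new in survivors(run1, run2):
        print(f"still referenced after cleanup: {dll} (was {old}, now {new})")
    print("services.exe status", status_to_hex(-1073741819))
```

To use it on a real report, feed the whole file to parse_log (for example parse_log(open("C:\\ComboFix.txt").read())) and run indicators() on it; compare two reports with survivors() to see which DLLs a second run still finds registered, regardless of the service name they hide behind. The PAC207 webcam driver line is included on purpose: a driver with an ordinary image path in c:\windows\system32\drivers produces no hit.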

offline
  • magna86
  • Anti Malware Fighter, Rank 2
  • Joined: 21 Jun 2008
  • Posts: 6103

Let's take it one thing at a time.

Temporarily deactivate your security software (instructions);

Open Notepad and copy the following text into it:

File::
c:\windows\system32\fgtu.exe

DirLook::
c:\program files\Mozilla Firefox new

Driver::
evelfisj
ytxmgn

NetSvc::
evelfisj

Rootkit::
c:\windows\system32\ffrkyql.dll
c:\windows\system32\013.tmp


Save the file from Notepad to the Desktop as "CFScript".

Drag the saved script/text file onto the ComboFix icon, as in the picture.
Post the log that is produced at the end of the cleaning/scan in your next reply.

offline
  • Joined: 20 Jul 2008
  • Posts: 197

Sorry, but avast can't be deactivated, for the simple reason that the virus got into it, and then avast detected itself and "chopped off" part of itself.
So nowhere does it show that avast is running, but when ComboFix starts, only then does it say that avast is running.

offline
  • magna86
  • Anti Malware Fighter, Rank 2
  • Joined: 21 Jun 2008
  • Posts: 6103

Temporarily reinstall or uninstall it, then continue with the instructions.
