urdvxc.exe

• 0Niko još nije pohvalio poruku.
  Registruj se da bi pohvalio/la poruku!

Ostao je urdvxc.exe... Evo ovako ćemo:

Prvo moramo da zaustavimo i obrišemo servis. Iskopiraj ovo u Notepad:

@echo off
sc stop "MSWindows"
sc delete "MSWindows"
exit

Sačuvaj ga kao All Files, nazovi ga ServicesFix.bat i sačuvaj ga na desktop. Klikni na fajl ServicesFix.bat koji se nalazi na desktopu. Brzo će se otvoriti i zatvoriti, ali to je normalno...

Uđi u Safe Mode
[Link mogu videti samo ulogovani korisnici]

Trebalo bi da podesiš da se vide hidden fajlovi i ekstenzije. To možeš uraditi na sledeći način:
- Klikneš na My Computer
- Klikneš na Tools, pa zatim Folder Options
- Zatim klikni na tab View
- Štikliraj Show hidden files and folders
- Odštikliraj Hide extensions for known file types
- Klikni Ok

U My Computer, potraži folder C:\WINDOWS\System32 i obriši fajl urdvxc.exe.

Restartuj računar u normal modu.
Skini ComboFix sa ove adrese:
[Link mogu videti samo ulogovani korisnici]
i sačuvaj ga na Desktopu.

- Klikni na Combo.exe i prati dalja uputstva
- Kada završi, napraviće log koji se nalazi na C:\ComboFix.txt

Postuj mi kompetan sadržaj ComboFix loga kao i novi HijackThis log...

• 0Niko još nije pohvalio poruku.
  Registruj se da bi pohvalio/la poruku!

Uh...sve ucinih kao sto je napisano, bas sve...ali problem je nastao sto ne mogu da nadjem urdvxc.exe...podesila sam i hidden files i sve sto si mi rekao a u System32 ga nema...Ne znam da li je do mene, ali mi nije jasno...

• 0Niko još nije pohvalio poruku.
  Registruj se da bi pohvalio/la poruku!

Preskoci taj deo sa nalazenjem tog fajla.
Odradi nam zadnji deo - Combofix i njegov log.

• 0Niko još nije pohvalio poruku.
  Registruj se da bi pohvalio/la poruku!

A evo...
ComboFix 07-02-08.2 - Running from: "C:\Documents and Settings\Sestre S\Desktop"

((((((((((((((((((((((((((((((( Files Created from 2007-01-10 to 2007-02-10 ))))))))))))))))))))))))))))))))))


2007-02-09 02:18 <DIR> d-------- C:\Program Files\New Folder (2)
2007-02-08 00:35 <DIR> d-------- C:\Program Files\New Folder
2007-01-31 01:33 <DIR> d-------- C:\WINDOWS\system32\ZoneLabs
2007-01-29 22:09 <DIR> d-a------ C:\DOCUME~1\ALLUSE~1\Application Data\TEMP
2007-01-28 19:26 0 --a------ C:\WINDOWS\winstart.bat
2007-01-26 15:11 57,344 --a------ C:\WINDOWS\system32\HookAPINT.dll
2007-01-26 15:11 49,152 --a------ C:\WINDOWS\system32\mydll.dll
2007-01-26 15:11 <DIR> d-------- C:\Program Files\gamespeed


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2007-02-17 23:46 618496 --a------ C:\WINDOWS\system32\raindrop screensaver.scr
2007-02-08 01:39 -------- d-------- C:\Program Files\screensavers
2007-02-06 00:55 -------- d-------- C:\DOCUME~1\SESTRE~1\Application Data\adobe
2007-02-05 15:33 -------- dr------- C:\Program Files\esetnod32
2007-01-31 01:38 4212 ---h----- C:\WINDOWS\system32\zllictbl.dat
2007-01-30 22:47 -------- d-------- C:\DOCUME~1\SESTRE~1\Application Data\lavasoft
2007-01-30 22:46 -------- dr------- C:\Program Files\lavasoft
2007-01-30 22:46 -------- d-------- C:\Program Files\winamp
2007-01-30 13:45 141312 --ahs---- C:\Program Files\thumbs.db
2007-01-28 02:39 -------- d-------- C:\Program Files\google
2007-01-24 16:28 -------- dr------- C:\Program Files\dnj recnik 1.00
2007-01-03 11:49 -------- d-------- C:\DOCUME~1\SESTRE~1\Application Data\wildfire
2006-12-25 02:26 11761 --a------ C:\WINDOWS\system32\klwk.sys
2006-12-18 23:33 -------- d-------- C:\DOCUME~1\SESTRE~1\Application Data\adobeum


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries & legit default entries are not shown

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"CTFMON.EXE"="C:\\WINDOWS\\System32\\ctfmon.exe"
"Yahoo! Pager"="C:\\Program Files\\Yahoo!\\Messenger\\ypager.exe -quiet"
"Free Download Manager"="C:\\Program Files\\Free Download Manager\\fdm.exe -autorun"
"swg"="C:\\Program Files\\Google\\GoogleToolbarNotifier\\1.2.1128.5462\\GoogleToolbarNotifier.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"MMTray"="MMTray.exe"
"avast!"="C:\\PROGRA~1\\ALWILS~1\\Avast4\\ashDisp.exe"
"MSConfig"="C:\\WINDOWS\\PCHealth\\HelpCtr\\Binaries\\MSConfig.exe /auto"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\Adobe Gamma Loader.lnk"
"backup"="C:\\WINDOWS\\pss\\Adobe Gamma Loader.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\COMMON~1\\Adobe\\CALIBR~1\\ADOBEG~1.EXE "
"item"="Adobe Gamma Loader"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DeviceDiscovery]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="hpotdd01"
"hkey"="HKLM"
"command"="C:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpotdd01.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="HPWuSchd"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Hewlett-Packard\\HP Software Update\\HPWuSchd.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPDJ Taskbar Utility]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="hpztsb09"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\System32\\spool\\drivers\\w32x86\\3\\hpztsb09.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ImInstaller_Magentic]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="magentic_install"
"hkey"="HKLM"
"command"="C:\\DOCUME~1\\SESTRE~1\\LOCALS~1\\Temp\\ImInstaller\\Magentic\\magentic_install.exe -startup -product Magentic"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="msmsgs"
"hkey"="HKCU"
"command"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroCheck]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="NeroCheck"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\system32\\NeroCheck.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="NvCpl"
"hkey"="HKLM"
"command"="RUNDLL32.EXE C:\\WINDOWS\\System32\\NvCpl.dll,NvStartup"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="NVMCTRAY"
"hkey"="HKCU"
"command"="RUNDLL32.EXE C:\\WINDOWS\\System32\\NVMCTRAY.DLL,NvTaskbarInit"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="nwiz"
"hkey"="HKLM"
"command"="nwiz.exe /install"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Smapp]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="SMTray"
"hkey"="HKLM"
"command"="C:\\Program Files\\Analog Devices\\SoundMAX\\SMTray.exe"
"inimapping"="0"


[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"Microsoft Update"="msconfg.exe"

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run]
"Microsoft Update"="msconfg.exe"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0



********************************************************************

catchme 0.1 W2K/XP - userland rootkit detector by Gmer, 17 October 2006
[Link mogu videti samo ulogovani korisnici]

scanning hidden processes ...

scanning hidden services ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


Pa HijackThis log...
Logfile of HijackThis v1.99.1
Scan saved at 2:28:20, on 10.2.2007
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\MMTray.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Documents and Settings\Sestre S\Desktop\ht3\ht3.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\fgiebar.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [MMTray] MMTray.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [Free Download Manager] C:\Program Files\Free Download Manager\fdm.exe -autorun
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\PROGRA~1\INCRED~1\bin\resources\WebMenuImg.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - [Link mogu videti samo ulogovani korisnici]\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Save Flash - [Link mogu videti samo ulogovani korisnici]\Program Files\UnH Solutions\Flash Saving Plugin\FlashSButton.dll/210
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra button: Flash - {43CF38F3-5AEC-45a3-AD31-04EB06E9C6CA} - C:\Program Files\UnH Solutions\Flash Saving Plugin\FlashSButton.dll (HKCU)
O12 - Plugin for .mid: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin2.dll
O12 - Plugin for .mp3: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin4.dll
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - [Link mogu videti samo ulogovani korisnici]
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} - [Link mogu videti samo ulogovani korisnici]
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - [Link mogu videti samo ulogovani korisnici]
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: hpdj - Unknown owner - C:\DOCUME~1\SESTRE~1\LOCALS~1\Temp\hpdj.exe (file missing)
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

• 0Niko još nije pohvalio poruku.
  Registruj se da bi pohvalio/la poruku!

Nadji sledece fajlove na disku:
C:\WINDOWS\winstart.bat
C:\WINDOWS\system32\HookAPINT.dll
C:\WINDOWS\system32\mydll.dll

Spakuj ih u jedan ZIP i uploaduj na:
[Link mogu videti samo ulogovani korisnici]

• 0Niko još nije pohvalio poruku.
  Registruj se da bi pohvalio/la poruku!

Uloguj se preko Facebooka da bi skinuo fajl:

[Link mogu videti samo ulogovani korisnici]


...evo valda sam uspela...

• 0Niko još nije pohvalio poruku.
  Registruj se da bi pohvalio/la poruku!

Ovo je izgleda neki cheat za neku igricu.
Jel imas instaliran neki cheat?

• 0Niko još nije pohvalio poruku.
  Registruj se da bi pohvalio/la poruku!

Da, game speed adjuster...

• 0Niko još nije pohvalio poruku.
  Registruj se da bi pohvalio/la poruku!

Zadnje pitanje bi bilo vezano za sledeci fajl:
C:\WINDOWS\system32\raindrop screensaver.scr

Jel to namerno instaliran fajl (trebao bi da je neki screensaver)?

Ovo moram da proverim, posto ponekada malware moze biti sakriven u obliku screensavera.

Ukoliko nisi sigurna, uploaduj taj fajl na [Link mogu videti samo ulogovani korisnici] i pogledaj rezultate, tj. da li ga neki antivirus prepoznaje kao malware ili je cist.

• 0Niko još nije pohvalio poruku.
  Registruj se da bi pohvalio/la poruku!

Da, namerno je instaliran screensaver, medjutim deinstalirala sam ga pre nekog vremena, a pored toga kada udjem u Control Panel, Add or remove program jos uvek stoji Raindrop i kada kliknem remove, pojavi se prozor sa obavestenjem da ne moze da pokrene fajl za deinstalaciju...
Svejedno, sad cu da uradim sta si rekao pa se javim...

Dopuna: 10 Feb 2007 17:13

Malo se oduzilo....Raindrop je cist...