Nemogu pokrenuti combofix

• 0Niko još nije pohvalio poruku.
  Registruj se da bi pohvalio/la poruku!

Poslije citanja ovog foruma
odlucio sam na poslu na rcunaru da pokrenem combofix i da ocistim racunar
ako ima sta ,
medjutim skinuo sam combofix ali ga uopste nemogu pokrenuti
sta je sad ? zna li neko

Dopuna: 26 Jan 2009 12:17

nemoze se pokrenuti ni
HJTInstall
ni NOD
nista
bas zanimljivo
pomzazite

• 0Niko još nije pohvalio poruku.
  Registruj se da bi pohvalio/la poruku!

Hmmm... jel ti Nod nesto detektovao u poslednje vreme ili iz cista mira prestao da radi...

Jel imas probleme samo sa zastitnim softverom ili ti se jos neki program ne odaziva...

Probaj da pokrenes ovaj program :

http://amf.mycity.rs/programs/mirrored/C-F.exe

• 0Niko još nije pohvalio poruku.
  Registruj se da bi pohvalio/la poruku!

uspio sam i dobio ovoj log
ali poslije skeniranja nemogu opet pokrenuti nista od antivirusni softvera

Dopuna: 26 Jan 2009 13:49

ComboFix 09-01-21.04 - Administrator 2009-01-26 13:40:24.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.994.683 [GMT 1:00]
Running from: c:\documents and settings\Administrator\Desktop\C-F.exe
AV: ESET NOD32 antivirus system 2.70 *On-access scanning enabled* (Outdated)
* Resident AV is active

.

((((((((((((((((((((((((( Files Created from 2008-12-26 to 2009-01-26 )))))))))))))))))))))))))))))))
.

2009-01-26 12:10 . 2009-01-26 12:10 <DIR> d-------- c:\program files\Trend Micro
2009-01-26 08:40 . 2009-01-26 08:40 <DIR> d-------- C:\_OTMoveIt
2009-01-20 09:18 . 2009-01-20 09:18 11,776 --ah----- c:\documents and settings\Administrator\atevdq.exe
2009-01-13 10:12 . 2009-01-13 10:12 11,776 --ah----- c:\documents and settings\Administrator\ckkvr.exe
2009-01-13 09:59 . 2009-01-13 09:59 11,776 --ah----- c:\documents and settings\Administrator\oone.exe
2009-01-13 09:55 . 2009-01-13 09:55 11,776 --ah----- c:\documents and settings\Administrator\dgqmv.exe
2009-01-13 09:47 . 2009-01-13 09:47 11,776 --ah----- c:\documents and settings\Administrator\qlr.exe
2009-01-13 09:31 . 2009-01-13 09:31 11,776 --ah----- c:\documents and settings\Administrator\syblp.exe
2009-01-12 14:26 . 2009-01-12 14:26 11,776 --ah----- c:\documents and settings\Administrator\cpmvgi.exe
2009-01-08 08:51 . 2009-01-08 08:51 11,776 --ah----- c:\documents and settings\Administrator\iuhk.exe
2009-01-05 09:06 . 2009-01-05 09:06 11,264 --ah----- c:\documents and settings\Administrator\armv.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-20 08:18 52,992 ----a-w c:\windows\system32\drivers\ndisio.sys
2008-12-23 09:49 11,776 ---ha-w c:\documents and settings\Administrator\gupjx.exe
2008-12-14 15:47 32,768 ---h--w c:\documents and settings\Administrator\dvlg.exe
2008-12-14 15:47 32,768 ------w c:\windows\system32\hdf.exe
2008-12-14 15:47 32,768 ------w c:\documents and settings\Administrator\qdwe.exe
2008-12-14 15:44 32,768 ---h--w c:\documents and settings\Administrator\vuuy.exe
2008-12-14 15:44 32,768 ------w c:\windows\system32\baejr.exe
2008-12-14 15:44 32,768 ------w c:\documents and settings\Administrator\yad.exe
2008-12-14 15:01 32,768 ---h--w c:\documents and settings\Administrator\ikyrc.exe
2008-12-14 15:01 32,768 ------w c:\windows\system32\bynq.exe
2008-12-14 15:01 32,768 ------w c:\documents and settings\Administrator\vctx.exe
2008-12-14 14:45 44,288 ----a-w c:\windows\system32\drivers\saruqxxp.sys
2008-12-14 14:44 32,768 ---h--w c:\documents and settings\Administrator\ejew.exe
2008-12-14 14:44 32,768 ---h--w c:\documents and settings\Administrator\ayefb.exe
2008-12-14 14:44 32,768 ----a-w c:\documents and settings\Administrator\wiwpl.exe
2008-12-14 14:44 32,768 ----a-w c:\documents and settings\Administrator\tpb.exe
2008-12-14 14:44 32,768 ----a-w c:\documents and settings\Administrator\irrlvo.exe
2008-12-14 14:44 32,768 ------w c:\windows\system32\thi.exe
2008-12-14 14:44 32,768 ------w c:\windows\system32\emoih.exe
2008-12-14 14:44 32,768 ------w c:\documents and settings\Administrator\roxx.exe
2008-12-14 14:44 32,768 ------w c:\documents and settings\Administrator\dfbu.exe
2008-12-14 14:43 32,768 ----a-w c:\documents and settings\Administrator\obkstx.exe
2008-12-14 14:43 32,768 ----a-w c:\documents and settings\Administrator\mofqny.exe
2008-12-14 14:43 32,768 ----a-w c:\documents and settings\Administrator\jdj.exe
2008-12-14 14:42 32,768 ---h--w c:\documents and settings\Administrator\sshwqqw.exe
2008-12-14 14:42 32,768 ----a-w c:\documents and settings\Administrator\ohn.exe
2008-12-14 14:42 32,768 ----a-w c:\documents and settings\Administrator\crju.exe
2008-12-14 14:42 32,768 ------w c:\windows\system32\mvlmdis.exe
2008-12-14 14:42 32,768 ------w c:\documents and settings\Administrator\yyds.exe
2008-09-09 20:15 56,320 --sh--r c:\windows\system32\svcpanel.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2006-02-28 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-06-13 142104]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-06-13 162584]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-06-13 138008]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2007-04-26 1015808]
"atchk"="c:\program files\Intel\AMT\atchk.exe" [2007-06-07 408344]
"PDF Complete"="c:\program files\PDF Complete\pdfsty.exe" [2007-08-07 331288]
"SetRefresh"="c:\program files\Compaq\SetRefresh\SetRefresh.exe" [2003-11-20 525824]
"nod32kui"="c:\program files\Eset\nod32kui.exe" [2008-02-04 949376]
"QuickPassword"="c:\program files\ActivCard\ActivCard Gold\agquickp.exe" [2005-01-06 225280]
"Service Restore Panel"="svcpanel.exe" [2008-09-09 c:\windows\system32\svcpanel.exe]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Personal.lnk - c:\program files\Personal\bin\Personal.exe [2008-02-04 735016]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"Disabletaskmgr"= 1 (0x1)
"Disableregistrytools"= 1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoFolderOptions"= 1 (0x1)
"NoRun"= 1 (0x1)

SafeBoot registry key needs repairs. This machine cannot enter Safe Mode.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\File system]
@="Driver Group"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vgasave.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E967-E325-11CE-BFC1-08002BE10318}]
@="DiskDrive"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E96A-E325-11CE-BFC1-08002BE10318}]
@="Hdc"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E96B-E325-11CE-BFC1-08002BE10318}]
@="Keyboard"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E96F-E325-11CE-BFC1-08002BE10318}]
@="Mouse"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E97D-E325-11CE-BFC1-08002BE10318}]
@="System"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{71A27CDD-812A-11D0-BEC7-08002BE2092F}]
@="Volume"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"4899:TCP"= 4899:TCP:radmin

R0 saruqxxp;saruqxxp;c:\windows\system32\drivers\saruqxxp.sys [2008-12-14 44288]
R1 nod32drv;nod32drv;c:\windows\system32\drivers\nod32drv.sys [2008-02-04 15424]
R3 actccid;ActivCard USB Reader V2;c:\windows\system32\drivers\actccid.sys [2002-08-02 47660]
R3 IFXTPM;IFXTPM;c:\windows\system32\drivers\ifxtpm.sys [2007-01-23 41216]
R3 OMNUSB;Omnikey AG CardMan 2020 USB Smart Card Reader;c:\windows\system32\drivers\sccmusbm.sys [2008-02-04 23936]
R4 acautoreg;ActivCard Gold Autoregister;c:\program files\Common Files\ActivCard\acautoreg.exe [2005-12-13 53248]
R4 Accoca;ActivCard Gold service;c:\program files\Common Files\ActivCard\accoca.exe [2004-05-12 143360]
R4 pdfcDispatcher;PDF Document Manager;c:\program files\PDF Complete\pdfsvc.exe [2008-01-24 540184]
R4 UNS;Intel(R) Active Management Technology User Notification Service;c:\program files\Intel\AMT\UNS.exe [2008-01-24 2521880]
S3 Actrpcsc;Actrpcsc;c:\windows\system32\DRIVERS\actrpcsc.sys --> c:\windows\system32\DRIVERS\actrpcsc.sys [?]
S3 akpcsc;ActivCard Virtual PC/SC Device Driver;c:\windows\system32\DRIVERS\akpcsc.sys --> c:\windows\system32\DRIVERS\akpcsc.sys [?]
S4 MSSQL$MSSMLBIZ;SQL Server (MSSMLBIZ);c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2007-02-10 29178224]
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-12CFG914-K641-26SF-N31P - c:\recycler\S-1-5-21-0243336031-4052116379-881863308-0850\vsse32.exe


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=74&bd=smb&pf=desktop
uInternet Connection Wizard,ShellNext = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=74&bd=smb&pf=desktop
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
LSP: c:\windows\system32\imon.dll
TCP: {E992E202-EB81-499F-B729-599234C175D2} = 10.0.1.1,217.23.192.9
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
.

**************************************************************************
scanning hidden processes ...

c:\windows\system32\svcpanel.exe [1184] 0x84CA58A8

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files:

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\pdfcDispatcher]
"ImagePath"="c:\program files\PDF Complete\pdfsvc.exe /startedbyscm:66B66708-40E2BE4D-pdfcService"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(384)
c:\program files\Personal\bin\personal.dll

- - - - - - - > 'lsass.exe'(440)
c:\windows\system32\imon.dll
.
Completion time: 2009-01-26 13:42:24
ComboFix-quarantined-files.txt 2009-01-26 12:42:23

The command prompt has been disabled by your administrator.

Press any key to continue . . .
The command prompt has been disabled by your administrator.

Press any key to continue . . . Press any key to continue . . .
152 --- E O F --- 2008-03-13 10:00:54

• 0Niko još nije pohvalio poruku.
  Registruj se da bi pohvalio/la poruku!

Pre nastavka, skini WinSock XP Fix 1.2 :
http://www.majorgeeks.com/WinSock_XP_Fix_d4372.html

Za sada nemoj da ga pokrećeš - ukoliko nakon sledećeg postupka budeš imao probleme sa internet konekcijom, dvoklikom pokreni program i klikni Fix.

Znači, to je samo u slučaju da zatreba...

Takodje skini i ovaj program:
http://download.bleepingcomputer.com/sUBs/SafeBootKeyRepair.exe

Pokreni ga i prati uputstva...

Zatim kad zavrsis sa tim programom uradi sledece :



Otvoriti Notepad i iskopirati sledeci tekst:

File::
c:\windows\system32\drivers\ndisio.sys
c:\documents and settings\Administrator\atevdq.exe
c:\documents and settings\Administrator\ckkvr.exe
c:\documents and settings\Administrator\oone.exe
c:\documents and settings\Administrator\dgqmv.exe
c:\documents and settings\Administrator\qlr.exe
c:\documents and settings\Administrator\syblp.exe
c:\documents and settings\Administrator\cpmvgi.exe
c:\documents and settings\Administrator\iuhk.exe
c:\documents and settings\Administrator\armv.exe
c:\documents and settings\Administrator\gupjx.exe
c:\documents and settings\Administrator\dvlg.exe
c:\windows\system32\hdf.exe
c:\windows\system32\drivers\saruqxxp.sys
c:\documents and settings\Administrator\qdwe.exe
c:\documents and settings\Administrator\vuuy.exe
c:\windows\system32\baejr.exe
c:\documents and settings\Administrator\yad.exe
c:\documents and settings\Administrator\ikyrc.exe
c:\windows\system32\bynq.exe
c:\documents and settings\Administrator\vctx.exe
c:\documents and settings\Administrator\ejew.exe
c:\documents and settings\Administrator\ayefb.exe
c:\documents and settings\Administrator\wiwpl.exe
c:\documents and settings\Administrator\tpb.exe
c:\documents and settings\Administrator\irrlvo.exe
c:\windows\system32\thi.exe
c:\windows\system32\emoih.exe
c:\documents and settings\Administrator\roxx.exe
c:\documents and settings\Administrator\dfbu.exe
c:\documents and settings\Administrator\obkstx.exe
c:\documents and settings\Administrator\mofqny.exe
c:\documents and settings\Administrator\jdj.exe
c:\documents and settings\Administrator\sshwqqw.exe
c:\documents and settings\Administrator\ohn.exe
c:\documents and settings\Administrator\crju.exe
c:\windows\system32\mvlmdis.exe
c:\documents and settings\Administrator\yyds.exe

Rootkit::
c:\windows\system32\svcpanel.exe

Driver::
saruqxxp

Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Service Restore Panel"=-
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NofolderOptions"= 0
"NoRun"= 0
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"Disabletaskmgr"= 0
"Disableregistrytools"= 0

Snimiti na Desktop fajl iz Notepada kao "CFScript"




Prevuci snimljeni skript/tekst na ComboFix ikonicu kao na slici.
Postaviti u sledecoj poruci log koji bude bio napravljen na kraju ciscenja/skeniranja.

• 0Niko još nije pohvalio poruku.
  Registruj se da bi pohvalio/la poruku!

nista nije uspjelo
bio je format
u svakom slucaju mnogo ti hvala