Problem - multiple rootkits/malware programs

offline
  • Joined: 17 Mar 2010
  • Posts: 3

OK, so here's the situation. My wife complained that her laptop was behaving very strangely and suspected viruses. I took a look and saw it was full of all sorts of stuff. Right at Windows startup the computer shows the message "Retrieving personalized settings from" followed by a pile of numbers and letters (I later figured out that it is loading the file igfxsrvo.exe, which sits in the Recycle Bin - problem no. 1, I assume). I tried to clean it out of the Registry, but when I restart the computer it comes back.

I had previously managed to clean up some malware myself, mostly using HiJackThis, but in this case the computer won't let me run it at all. It's the same with RootRepeal - both programs close by themselves after 3-4 seconds. On top of that, the computer blocks many sites (including this forum - congratulations :) ), so I copied everything I thought I would need to a flash drive and then carried it over to the laptop.

Unfortunately GMER doesn't work on that computer, and as I already said, one of the rootkits shuts RootRepeal down by itself after at most 3-4 seconds.

The files I found that are definitely problems are:

brac.exe
uapss.exe
sawe.exe
sawery.exe
473.exe
820.exe
igfxsrvo.exe

Of course, none of them can be deleted manually. The computer won't boot into Safe Mode (it resets itself halfway through driver initialisation), and the command prompt won't come up either.

The only thing I managed to get are the DDS reports. I hope you'll have more luck than I did. :D


DDS (Ver_10-03-17.01) - NTFSx86
Run by Admin at 22:18:42.03 on 17/03/2010
Internet Explorer: 6.0.2900.2180 BrowserJavaVersion: 1.6.0_16
Microsoft Windows XP Professional 5.1.2600.2.1252.44.1033.18.503.99 [GMT 1:00]

AV: Norton AntiVirus 2005 *On-access scanning disabled* (Updated) {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton Internet Worm Protection *enabled* {990F9400-4CEE-43EA-A83A-D013ADD8EA6E}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe
C:\Program Files\HPQ\HP Wireless Assistant\HP Wireless Assistant.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\SealedMedia\sealmon.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\HPQ\SHARED\HPQWMI.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Documents and Settings\Admin\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Documents and Settings\Admin\Local Settings\Application Data\Google\Update\1.2.183.17\GoogleCrashHandler.exe
C:\PROGRA~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\Admin\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = [Link mogu videti samo ulogovani korisnici]
uSearch Page = [Link mogu videti samo ulogovani korisnici]
uSearch Bar = [Link mogu videti samo ulogovani korisnici]
mDefault_Page_URL = [Link mogu videti samo ulogovani korisnici]
mDefault_Search_URL = [Link mogu videti samo ulogovani korisnici]
uInternet Connection Wizard,ShellNext = wmplayer.exe //ICWLaunch
uSearchAssistant = [Link mogu videti samo ulogovani korisnici]
uSearchURL,(Default) = [Link mogu videti samo ulogovani korisnici]
mSearchAssistant = [Link mogu videti samo ulogovani korisnici]
uURLSearchHooks: ICQ Toolbar: {855f3b16-6d32-4fe6-8a56-bbb695989046} - c:\program files\icqtoolbar\toolbaru.dll
uURLSearchHooks: DefaultSearchHook Class: {c94e154b-1459-4a47-966b-4b843befc7db} - c:\program files\asksearch\bin\DefaultSearch.dll
mWinlogon: Taskman=c:\documents and settings\admin\application data\brac.exe
uWinlogon: Shell=c:\documents and settings\admin\csrss.exe,c:\documents and settings\admin\application data\uapss.exe,explorer.exe,c:\documents and settings\admin\application data\brac.exe
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\tfswshx.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.5.4723.1820\swg.dll
BHO: CNavExtBho Class: {bdf3e430-b101-42ad-a544-fadc6b084872} - c:\program files\norton antivirus\NavShExt.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Norton AntiVirus: {42cdd1bf-3ffb-4238-8ad1-7859df00b1d6} - c:\program files\norton antivirus\NavShExt.dll
TB: ICQ Toolbar: {855f3b16-6d32-4fe6-8a56-bbb695989046} - c:\program files\icqtoolbar\toolbaru.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Skype] "c:\program files\skype\phone\Skype.exe" /nosplash /minimized
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [Google Update] "c:\documents and settings\admin\local settings\application data\google\update\GoogleUpdate.exe" /c
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [AGRSMMSG] AGRSMMSG.exe
mRun: [SoundMAXPnP] c:\program files\analog devices\soundmax\SMax4PNP.exe
mRun: [SoundMAX] c:\program files\analog devices\soundmax\Smax4.exe /tray
mRun: [UpdateManager] "c:\program files\common files\sonic\update manager\sgtray.exe" /r
mRun: [dla] c:\windows\system32\dla\tfswctrl.exe
mRun: [SynTPLpr] c:\program files\synaptics\syntp\SynTPLpr.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [eabconfg.cpl] c:\program files\hpq\quick launch buttons\EabServr.exe /Start
mRun: [Cpqset] c:\program files\hpq\default settings\cpqset.exe
mRun: [hpWirelessAssistant] "%ProgramFiles%\HPQ\HP Wireless Assistant\HP Wireless Assistant.exe"
mRun: [WatchDog] c:\program files\intervideo\dvd check\DVDCheck.exe
mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [Symantec NetDriver Monitor] c:\progra~1\symnet~1\SNDMon.exe /Consumer
mRun: [sealmon] c:\program files\sealedmedia\sealmon.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [ctfmon.exe] ctfmon.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\blueto~1.lnk - c:\program files\widcomm\bluetooth software\BTTray.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\dvdche~1.lnk - c:\program files\intervideo\dvd check\DVDCheck.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE
IE: &ICQ Toolbar Search - c:\program files\icqtoolbar\toolbaru.dll/SEARCH.HTML
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office10\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - [Link mogu videti samo ulogovani korisnici]
DPF: {CAFEEFAC-0015-0000-0000-ABCDEFFEDCBA} - [Link mogu videti samo ulogovani korisnici]
DPF: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - [Link mogu videti samo ulogovani korisnici]
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - [Link mogu videti samo ulogovani korisnici]
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - [Link mogu videti samo ulogovani korisnici]
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
Notify: igfxcui - igfxsrvc.dll
mASetup: {92GOM5C0-6FCB-13HJ-LKX5-81CTYK99850309} - c:\recycler\s-1-5-21-1482476501-1644491937-682003330-1013\igfxsrvo.exe
IFEO: ctfmon.exe - wmiexecxz.exe
Hosts: 18.250.56.11 msnfix.changelog.fr
Hosts: 18.250.56.11 www.incodesolutions.com
Hosts: 18.250.56.11 virusinfo.prevx.com
Hosts: 18.250.56.11 download.bleepingcomputer.com
Hosts: 18.250.56.11 www.dazhizhu.cn

Note: multiple HOSTS entries found. Please refer to Attach.txt

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\admin\applic~1\mozilla\firefox\profiles\smwgzdem.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - about:blank
FF - prefs.js: keyword.URL - [Link mogu videti samo ulogovani korisnici]
FF - plugin: c:\documents and settings\admin\local settings\application data\google\update\1.2.183.17\npGoogleOneClick8.dll
FF - plugin: c:\program files\google\update\1.2.183.17\npGoogleOneClick8.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R0 pxscan;pxscan;c:\windows\system32\drivers\pxscan.sys [2010-3-17 30280]
R1 SAVRTPEL;SAVRTPEL;c:\program files\norton antivirus\SAVRTPEL.SYS [2004-7-24 50312]
R2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\CCEVTMGR.EXE [2004-8-14 198248]
R2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\CCSETMGR.EXE [2004-8-14 181864]
R2 pxrts;pxrts;c:\windows\system32\drivers\pxrts.sys [2010-3-17 50504]
R2 Symantec Core LC;Symantec Core LC;c:\program files\common files\symantec shared\ccpd-lc\symlcsvc.exe [2005-9-22 817304]
R3 GTIPCI21;GTIPCI21;c:\windows\system32\drivers\gtipci21.sys [2004-5-3 80384]
R3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\35.tmp --> c:\windows\system32\35.tmp [?]
R3 navapsvc;Norton AntiVirus Auto-Protect Service;c:\program files\norton antivirus\NAVAPSVC.EXE [2004-8-18 177264]
R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20100303.005\NAVENG.Sys [2010-3-5 84912]
R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20100303.005\NavEx15.Sys [2010-3-5 1324720]
R3 pxkbf;pxkbf;c:\windows\system32\drivers\pxkbf.sys [2010-3-17 24368]
R3 SAVRT;SAVRT;c:\program files\norton antivirus\SAVRT.SYS [2004-7-24 338056]
S1 SAVRKBootTasks;Boot Tasks Driver;c:\windows\system32\SAVRKBootTasks.sys [2010-3-17 18816]
S2 CSIScanner;CSIScanner;c:\program files\prevx\prevx.exe [2010-3-17 6300592]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-3-3 135664]
S2 SBService;ScriptBlocking Service;c:\progra~1\common~1\symant~1\script~1\SBServ.exe [2004-8-18 67184]
S3 ccPwdSvc;Symantec Password Validation;c:\program files\common files\symantec shared\CCPWDSVC.EXE [2004-8-14 79464]
S3 musbehco;musbehco;c:\docume~1\admin\locals~1\temp\musbehco.sys [2004-4-29 29696]
S3 SAVScan;SAVScan;c:\program files\norton antivirus\SAVSCAN.EXE [2004-7-24 198368]

=============== Created Last 30 ================

2010-03-17 21:18:02 18816 ------w- c:\windows\system32\SAVRKBootTasks.sys
2010-03-17 21:04:02 0 d-----w- c:\program files\Sophos
2010-03-17 17:14:35 55184 ----a-w- c:\windows\system32\PxSecure.dll
2010-03-17 17:14:33 50504 ----a-w- c:\windows\system32\drivers\pxrts.sys
2010-03-17 17:14:33 30280 ----a-w- c:\windows\system32\drivers\pxscan.sys
2010-03-17 17:14:32 24368 ----a-w- c:\windows\system32\drivers\pxkbf.sys
2010-03-17 17:14:31 0 d-----w- c:\program files\Prevx
2010-03-17 17:14:26 0 d-----w- c:\docume~1\alluse~1\applic~1\PrevxCSI
2010-03-17 16:20:55 0 d-----w- c:\program files\Trend Micro
2010-03-17 12:18:17 0 ----a-w- c:\documents and settings\admin\Desktop.ini
2010-03-16 21:59:15 143360 --sh--r- c:\windows\system32\wmiexecxz.exe
2010-03-10 22:46:21 102912 ---h--w- c:\docume~1\admin\applic~1\uapss.exe
2010-03-10 22:46:10 102912 ----a-w- c:\documents and settings\admin\sawe.exe
2010-03-10 22:38:42 97280 ---h--w- c:\docume~1\admin\applic~1\brac.exe
2010-03-10 22:38:35 97280 ----a-w- c:\documents and settings\admin\sawery.exe
2010-03-09 20:18:25 3555328 ------w- c:\windows\system32\dllcache\moviemk.exe
2010-03-04 09:40:38 143360 --sh--r- c:\documents and settings\admin\csrss.exe
2010-02-26 14:54:55 0 d-----w- c:\documents and settings\admin\Application DataPDFcreator

==================== Find3M ====================

2009-12-31 16:14:12 352640 ------w- c:\windows\system32\dllcache\srv.sys
2005-11-16 17:59:28 868 ----a-w- c:\program files\INSTALL.LOG

============= FINISH: 22:19:58.53 ===============




[Link visible only to logged-in users]



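As an added example (not code from the thread, nor from DDS or ComboFix), here is a Python triage of the DDS "Pseudo HJT Report" lines above: it parses the `Tag: payload` lines and flags the persistence mechanisms this log shows, namely Winlogon Shell/Taskman overrides, the IFEO debugger hijack of ctfmon.exe, an Active Setup (mASetup) entry with a forged GUID launching from the Recycle Bin, and HOSTS entries redirecting security-vendor sites. The sample lines are copied from the report plus two constructed benign lines; the debugger allowlist and the "bad directory" list are assumptions.

```python
import re

# Constructed sample: lines copied from the DDS report in this thread, plus a
# benign mRun line and a benign localhost HOSTS line that the checks should ignore.
SAMPLE_LOG = r"""
mWinlogon: Taskman=c:\documents and settings\admin\application data\brac.exe
uWinlogon: Shell=c:\documents and settings\admin\csrss.exe,c:\documents and settings\admin\application data\uapss.exe,explorer.exe,c:\documents and settings\admin\application data\brac.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mASetup: {92GOM5C0-6FCB-13HJ-LKX5-81CTYK99850309} - c:\recycler\s-1-5-21-1482476501-1644491937-682003330-1013\igfxsrvo.exe
IFEO: ctfmon.exe - wmiexecxz.exe
Hosts: 18.250.56.11 download.bleepingcomputer.com
Hosts: 127.0.0.1 localhost
"""

# A real GUID is 8-4-4-4-12 hex digits; the one in the log contains G, O, H, J, K, L, T, X, Y.
GUID_RE = re.compile(r"^\{[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}\}$", re.I)
# Directories a legitimate machine-wide autostart should never launch from (assumed list).
BAD_DIRS = re.compile(r"^c:\\(recycler|documents and settings|docume~1)\\", re.I)
# Debuggers that legitimately appear as an IFEO "Debugger" value (assumed allowlist).
KNOWN_DEBUGGERS = {"ntsd.exe", "windbg.exe", "vsjitdebugger.exe", "drwtsn32.exe"}
LOOPBACK = {"127.0.0.1", "::1"}


def parse_line(line):
    """Split a DDS report line 'Tag: payload' into (tag, payload); None if it is not one."""
    m = re.match(r"^([A-Za-z]+): (.+)$", line.strip())
    return (m.group(1), m.group(2)) if m else None


def check_winlogon(payload):
    """Shell must be exactly explorer.exe; Taskman is normally absent, so any value is flagged."""
    name, _, target = payload.partition("=")
    if name.lower() == "shell":
        extra = [p.strip() for p in target.split(",") if p.strip().lower() != "explorer.exe"]
        return [("winlogon-shell", p) for p in extra]
    if name.lower() == "taskman":
        return [("winlogon-taskman", target.strip())]
    return []


def check_ifeo(payload):
    """'image - debugger': a non-debugger here runs instead of the image every time it starts."""
    image, _, debugger = payload.partition(" - ")
    dbg = debugger.strip().split("\\")[-1].lower()
    if dbg and dbg not in KNOWN_DEBUGGERS:
        return [("ifeo-hijack", f"{image.strip()} -> {debugger.strip()}")]
    return []


def check_asetup(payload):
    """Active Setup entry: flag a forged GUID and a launch path inside a profile or Recycle Bin."""
    guid, _, path = payload.partition(" - ")
    hits = []
    if not GUID_RE.match(guid.strip()):
        hits.append(("asetup-bad-guid", guid.strip()))
    if BAD_DIRS.match(path.strip()):
        hits.append(("asetup-bad-path", path.strip()))
    return hits


def check_hosts(payload):
    """Any HOSTS entry that points a name somewhere other than loopback is a redirect."""
    ip, _, host = payload.partition(" ")
    if ip not in LOOPBACK:
        return [("hosts-redirect", f"{host.strip()} -> {ip}")]
    return []


CHECKS = {
    "mWinlogon": check_winlogon, "uWinlogon": check_winlogon,
    "IFEO": check_ifeo, "mASetup": check_asetup, "Hosts": check_hosts,
}


def triage(log_text):
    """Return a list of (category, detail) findings for every suspicious report line."""
    findings = []
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed and parsed[0] in CHECKS:
            findings.extend(CHECKS[parsed[0]](parsed[1]))
    return findings


if __name__ == "__main__":
    for category, detail in triage(SAMPLE_LOG):
        print(f"{category:18} {detail}")
```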
offline
  • diarno  Male
  • Anti Malware Fighter
    Rank 2
  • Joined: 15 Jun 2007
  • Posts: 5572

Hello and welcome to the forum :)

Follow the instructions below carefully:

Download sUBs' ComboFix from the following address to your Desktop:

Bleeping Computer
Right-click the link and choose Save Target As... (Save Link As..., Save Linked Content As... or similar);
When the dialog for choosing where to save the file opens, choose Desktop and click Save.

When the download has finished:
disable your security software (instructions);
close any running programs;
double-click ComboFix to run it.

While running, ComboFix will:
check whether a newer version of the program exists: click Yes if it offers to download it.
display the DISCLAIMER OF WARRANTY ON SOFTWARE: click Yes for the process to continue.
if the Recovery Console is not installed, offer to install it: be sure to accept by clicking Yes and follow the procedure.
ask a number of questions / show a number of notices: accept by clicking Yes or OK.
if necessary, restart Windows (several times);
at the end of its run, open Notepad with the scan report.

Copy the report ComboFix produced into the thread on the forum:
right-click in the Notepad window and choose Select All;
right-click the highlighted text and choose Copy;
right-click in the message box and choose Paste.

Note: The report will be saved under the name ComboFix.txt on the system partition (typical location: C:\ComboFix.txt);
If after posting you notice that the report is not complete, use the Attach file option to attach the file C:\ComboFix.txt to your post.


offline
  • diarno  Male
  • Anti Malware Fighter
    Rank 2
  • Joined: 15 Jun 2007
  • Posts: 5572

Open Notepad and copy the following text into it:

File::
c:\windows\system32\wmiexecxz.exe
c:\documents and settings\Admin\Application Data\uapss.exe
c:\documents and settings\Admin\sawe.exe
c:\documents and settings\Admin\Application Data\brac.exe
c:\documents and settings\Admin\sawery.exe
c:\docume~1\Admin\LOCALS~1\Temp\musbehco.sys
c:\windows\system32\drivers\rr.sys

Driver::
rr
musbehco

Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\ctfmon.exe]
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\WINDOWS\\system32\\wmiexecxz.exe"= -


Save the file from Notepad to the Desktop as "CFScript"

Drag the saved script/text onto the ComboFix icon as shown in the picture.
Post the log produced at the end of the cleaning/scanning in your next message.

offline
  • Joined: 17 Mar 2010
  • Posts: 3

Posted: 17 Mar 2010 23:56

Thanks for the welcome. :-) I've been lurking on this forum for a long time, but this is the first time I've had a bigger problem, so I had to register...

Anyway, ComboFix also "refused to cooperate" like the other programs, and it only started working once I killed one malware process with GMER. By the way, out of about 10 attempts I managed to pull out some GMER logs. The first one is incomplete, the other two are complete, but they were made before ComboFix.

ComboFix 10-03-16.05 - Admin 17/03/2010 23:30:20.1.1 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.44.1033.18.503.205 [GMT 1:00]
Running from: c:\documents and settings\Admin\Desktop\ComboFix.exe
AV: Norton AntiVirus 2005 *On-access scanning disabled* (Updated) {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton Internet Worm Protection *enabled* {990F9400-4CEE-43EA-A83A-D013ADD8EA6E}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\data
c:\documents and settings\Admin\csrss.exe
c:\documents and settings\All Users\Start Menu\Programs\Startup\Bluetooth.lnk
c:\program files\AskSearch\bin\DefaultSearch.dll
c:\program files\INSTALL.LOG
c:\recycler\S-1-5-21-1482476501-1644491937-682003330-1013
c:\recycler\S-1-5-21-1482476501-1644491937-682003330-1013\igfxsrvo.exe
c:\windows\eSellerateEngine.dll

.
((((((((((((((((((((((((( Files Created from 2010-02-17 to 2010-03-17 )))))))))))))))))))))))))))))))
.

2010-03-17 21:31 . 2010-03-17 21:48 34816 ----a-w- c:\windows\system32\drivers\rr.sys
2010-03-17 21:18 . 2009-06-18 11:55 18816 ------w- c:\windows\system32\SAVRKBootTasks.sys
2010-03-17 21:04 . 2010-03-17 21:04 -------- d-----w- c:\program files\Sophos
2010-03-17 17:14 . 2010-03-17 17:14 55184 ----a-w- c:\windows\system32\PxSecure.dll
2010-03-17 17:14 . 2010-03-17 17:14 50504 ----a-w- c:\windows\system32\drivers\pxrts.sys
2010-03-17 17:14 . 2010-03-17 17:14 30280 ----a-w- c:\windows\system32\drivers\pxscan.sys
2010-03-17 17:14 . 2010-03-17 17:14 24368 ----a-w- c:\windows\system32\drivers\pxkbf.sys
2010-03-17 17:14 . 2010-03-17 17:14 -------- d-----w- c:\program files\Prevx
2010-03-17 17:14 . 2010-03-17 17:19 -------- d-----w- c:\documents and settings\All Users\Application Data\PrevxCSI
2010-03-17 16:20 . 2010-03-17 16:20 -------- d-----w- c:\program files\Trend Micro
2010-03-16 21:59 . 2010-03-16 21:59 143360 --sh--r- c:\windows\system32\wmiexecxz.exe
2010-03-10 22:46 . 2010-03-10 22:46 102912 --sh--r- c:\documents and settings\Admin\Application Data\uapss.exe
2010-03-10 22:46 . 2010-03-10 22:46 102912 ----a-w- c:\documents and settings\Admin\sawe.exe
2010-03-10 22:38 . 2010-03-10 22:38 97280 --sh--r- c:\documents and settings\Admin\Application Data\brac.exe
2010-03-10 22:38 . 2010-03-10 22:38 97280 ----a-w- c:\documents and settings\Admin\sawery.exe
2010-03-09 20:18 . 2009-10-23 14:27 3555328 ------w- c:\windows\system32\dllcache\moviemk.exe
2010-03-08 10:45 . 2010-03-08 10:45 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Google
2010-03-03 15:17 . 2010-03-03 15:17 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Google
2010-02-26 14:54 . 2010-02-26 14:54 -------- d-----w- c:\documents and settings\Admin\Application DataPDFcreator

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-03-17 22:15 . 2005-12-05 19:47 -------- d-----w- c:\documents and settings\Admin\Application Data\Skype
2010-03-17 17:04 . 2005-06-09 12:44 -------- d-----w- c:\program files\Common Files\Symantec Shared
2010-03-03 15:17 . 2005-09-22 15:37 -------- d-----w- c:\program files\Google
2010-03-03 12:21 . 2005-11-25 20:50 -------- d-----w- c:\program files\ICQToolbar
2010-01-01 12:12 . 2010-01-01 12:12 79488 ----a-w- c:\documents and settings\Admin\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll
2009-12-31 16:14 . 2004-08-04 08:00 352640 ----a-w- c:\windows\system32\drivers\srv.sys
2009-12-22 05:42 . 2004-08-04 08:00 662016 ----a-w- c:\windows\system32\wininet.dll
2009-12-22 05:42 . 2004-08-04 08:00 81920 ----a-w- c:\windows\system32\ieencode.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2005-10-24 14892072]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-10-23 68856]
"Google Update"="c:\documents and settings\Admin\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2008-12-17 133104]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2004-12-21 155648]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2004-12-21 126976]
"AGRSMMSG"="AGRSMMSG.exe" [2004-08-24 88363]
"SoundMAXPnP"="c:\program files\Analog Devices\SoundMAX\SMax4PNP.exe" [2004-10-14 1388544]
"UpdateManager"="c:\program files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-08-19 110592]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-08-03 122939]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2004-11-04 98394]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2004-11-04 688218]
"eabconfg.cpl"="c:\program files\HPQ\Quick Launch Buttons\EabServr.exe" [2004-12-03 290816]
"Cpqset"="c:\program files\HPQ\Default Settings\cpqset.exe" [2004-09-07 213054]
"hpWirelessAssistant"="c:\program files\HPQ\HP Wireless Assistant\HP Wireless Assistant.exe" [2004-12-09 790528]
"WatchDog"="c:\program files\InterVideo\DVD Check\DVDCheck.exe" [2004-12-08 184320]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2007-01-09 58984]
"Symantec NetDriver Monitor"="c:\progra~1\SYMNET~1\SNDMon.exe" [2008-09-04 100056]
"sealmon"="c:\program files\SealedMedia\sealmon.exe" [2006-06-19 94208]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2007-05-27 77824]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-07-31 149280]
"ctfmon.exe"="ctfmon.exe" [2004-08-04 15360]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]
DVD Check.lnk - c:\program files\InterVideo\DVD Check\DVDCheck.exe [2005-9-22 184320]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2004-3-16 83360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\ctfmon.exe]
"Debugger"=wmiexecxz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\wmiexecxz.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

R0 pxscan;pxscan;c:\windows\system32\drivers\pxscan.sys [17/03/2010 18:14 30280]
R1 SAVRKBootTasks;Boot Tasks Driver;c:\windows\system32\SAVRKBootTasks.sys [17/03/2010 22:18 18816]
R2 pxrts;pxrts;c:\windows\system32\drivers\pxrts.sys [17/03/2010 18:14 50504]
R3 GTIPCI21;GTIPCI21;c:\windows\system32\drivers\gtipci21.sys [03/05/2004 17:26 80384]
R3 pxkbf;pxkbf;c:\windows\system32\drivers\pxkbf.sys [17/03/2010 18:14 24368]
S2 CSIScanner;CSIScanner;c:\program files\Prevx\prevx.exe [17/03/2010 18:14 6300592]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [03/03/2010 16:17 135664]
S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\35.tmp --> c:\windows\system32\35.tmp [?]
S3 musbehco;musbehco;\??\c:\docume~1\Admin\LOCALS~1\Temp\musbehco.sys --> c:\docume~1\Admin\LOCALS~1\Temp\musbehco.sys [?]
S3 rr;rr;c:\windows\system32\drivers\rr.sys [17/03/2010 22:31 34816]

--- Other Services/Drivers In Memory ---

*Deregistered* - pwldrfob
.
Contents of the 'Scheduled Tasks' folder

2010-03-17 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-03-03 15:16]

2010-03-17 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-03-03 15:16]

2010-03-17 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1951824921-2737178999-3325866196-1006Core.job
- c:\documents and settings\Admin\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-12-17 19:33]

2010-03-17 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1951824921-2737178999-3325866196-1006UA.job
- c:\documents and settings\Admin\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-12-17 19:33]

2010-03-05 c:\windows\Tasks\Norton AntiVirus - Scan my computer - Administrator.job
- c:\progra~1\NORTON~1\Navw32.exe [2004-08-18 11:54]
.
.
------- Supplementary Scan -------
.
uStart Page = [Link mogu videti samo ulogovani korisnici]
uSearch Page = [Link mogu videti samo ulogovani korisnici]
uSearch Bar = [Link mogu videti samo ulogovani korisnici]
uInternet Connection Wizard,ShellNext = wmplayer.exe //ICWLaunch
uSearchAssistant = [Link mogu videti samo ulogovani korisnici]
uSearchURL,(Default) = [Link mogu videti samo ulogovani korisnici]
IE: &ICQ Toolbar Search - c:\program files\ICQToolbar\toolbaru.dll/SEARCH.HTML
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
FF - ProfilePath - c:\documents and settings\Admin\Application Data\Mozilla\Firefox\Profiles\smwgzdem.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - about:blank
FF - prefs.js: keyword.URL - [Link mogu videti samo ulogovani korisnici]
FF - plugin: c:\documents and settings\Admin\Local Settings\Application Data\Google\Update\1.2.183.17\npGoogleOneClick8.dll
FF - plugin: c:\program files\Google\Update\1.2.183.17\npGoogleOneClick8.dll
.
- - - - ORPHANS REMOVED - - - -

ActiveSetup-{92GOM5C0-6FCB-13HJ-LKX5-81CTYK99850309} - c:\recycler\S-1-5-21-1482476501-1644491937-682003330-1013\igfxsrvo.exe
AddRemove-Digital Overlay Demo - c:\windows\unvise32.exe
AddRemove-QuickTime - c:\windows\unvise32qt.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [Link mogu videti samo ulogovani korisnici]
Rootkit scan 2010-03-17 23:42
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

c:\windows\system32\wmiexecxz.exe [1616] 0xFEB06020

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Cpqset = c:\program files\HPQ\Default Settings\cpqset.exe????????1?7?8?9??????? ???B???????????????B? ??????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MEMSWEEP2]
"ImagePath"="\??\c:\windows\system32\35.tmp"
.
Completion time: 2010-03-17 23:48:39
ComboFix-quarantined-files.txt 2010-03-17 22:48

Pre-Run: 41,562,906,624 bytes free
Post-Run: 42,764,042,240 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

- - End Of File - - CDFD9953A7882D366F3C85A51E3301D2

[Link visible only to logged-in users]

[Link visible only to logged-in users]

[Link visible only to logged-in users]

Update: 18 Mar 2010 0:11

Sorry for the double post, but I can't see an edit button anywhere.

The process I had to "kill" for ComboFix to work is the one at the end of the GMER1 log, C:\WINDOWS\system32\wmiexecxz.exe (*** hidden *** ), and as far as I can see it is still active.

Update: 18 Mar 2010 0:42

I'd say everything is clean, but I'm waiting for official confirmation from the experts before singing any praises. :D


ComboFix 10-03-17.04 - Admin 18/03/2010 0:18.2.1 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.44.1033.18.503.106 [GMT 1:00]
Running from: c:\documents and settings\Admin\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Admin\Desktop\CFScript.txt
AV: Norton AntiVirus 2005 *On-access scanning disabled* (Updated) {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton Internet Worm Protection *enabled* {990F9400-4CEE-43EA-A83A-D013ADD8EA6E}
* Created a new restore point

FILE ::
"c:\docume~1\Admin\LOCALS~1\Temp\musbehco.sys"
"c:\documents and settings\Admin\Application Data\brac.exe ."
"c:\documents and settings\Admin\Application Data\uapss.exe"
"c:\documents and settings\Admin\sawe.exe"
"c:\documents and settings\Admin\sawery.exe"
"c:\windows\system32\drivers\rr.sys"
"c:\windows\system32\wmiexecxz.exe"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\drivers\rr.sys
c:\windows\system32\wmiexecxz.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_MUSBEHCO
-------\Service_musbehco
-------\Service_rr


((((((((((((((((((((((((( Files Created from 2010-02-17 to 2010-03-17 )))))))))))))))))))))))))))))))
.

2010-03-17 21:18 . 2009-06-18 11:55 18816 ------w- c:\windows\system32\SAVRKBootTasks.sys
2010-03-17 21:04 . 2010-03-17 21:04 -------- d-----w- c:\program files\Sophos
2010-03-17 17:14 . 2010-03-17 17:14 55184 ----a-w- c:\windows\system32\PxSecure.dll
2010-03-17 17:14 . 2010-03-17 17:14 50504 ----a-w- c:\windows\system32\drivers\pxrts.sys
2010-03-17 17:14 . 2010-03-17 17:14 30280 ----a-w- c:\windows\system32\drivers\pxscan.sys
2010-03-17 17:14 . 2010-03-17 17:14 24368 ----a-w- c:\windows\system32\drivers\pxkbf.sys
2010-03-17 17:14 . 2010-03-17 17:14 -------- d-----w- c:\program files\Prevx
2010-03-17 17:14 . 2010-03-17 17:19 -------- d-----w- c:\documents and settings\All Users\Application Data\PrevxCSI
2010-03-17 16:20 . 2010-03-17 16:20 -------- d-----w- c:\program files\Trend Micro
2010-03-09 20:18 . 2009-10-23 14:27 3555328 ------w- c:\windows\system32\dllcache\moviemk.exe
2010-03-08 10:45 . 2010-03-08 10:45 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Google
2010-03-03 15:17 . 2010-03-03 15:17 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Google
2010-02-26 14:54 . 2010-02-26 14:54 -------- d-----w- c:\documents and settings\Admin\Application DataPDFcreator

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-03-17 23:29 . 2005-12-05 19:47 -------- d-----w- c:\documents and settings\Admin\Application Data\Skype
2010-03-17 17:04 . 2005-06-09 12:44 -------- d-----w- c:\program files\Common Files\Symantec Shared
2010-03-03 15:17 . 2005-09-22 15:37 -------- d-----w- c:\program files\Google
2010-03-03 12:21 . 2005-11-25 20:50 -------- d-----w- c:\program files\ICQToolbar
2010-01-01 12:12 . 2010-01-01 12:12 79488 ----a-w- c:\documents and settings\Admin\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll
2009-12-31 16:14 . 2004-08-04 08:00 352640 ----a-w- c:\windows\system32\drivers\srv.sys
2009-12-22 05:42 . 2004-08-04 08:00 662016 ------w- c:\windows\system32\wininet.dll
2009-12-22 05:42 . 2004-08-04 08:00 81920 ----a-w- c:\windows\system32\ieencode.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2005-10-24 14892072]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-10-23 68856]
"Google Update"="c:\documents and settings\Admin\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2008-12-17 133104]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2004-12-21 155648]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2004-12-21 126976]
"AGRSMMSG"="AGRSMMSG.exe" [2004-08-24 88363]
"SoundMAXPnP"="c:\program files\Analog Devices\SoundMAX\SMax4PNP.exe" [2004-10-14 1388544]
"UpdateManager"="c:\program files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-08-19 110592]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-08-03 122939]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2004-11-04 98394]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2004-11-04 688218]
"eabconfg.cpl"="c:\program files\HPQ\Quick Launch Buttons\EabServr.exe" [2004-12-03 290816]
"Cpqset"="c:\program files\HPQ\Default Settings\cpqset.exe" [2004-09-07 213054]
"hpWirelessAssistant"="c:\program files\HPQ\HP Wireless Assistant\HP Wireless Assistant.exe" [2004-12-09 790528]
"WatchDog"="c:\program files\InterVideo\DVD Check\DVDCheck.exe" [2004-12-08 184320]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2007-01-09 58984]
"Symantec NetDriver Monitor"="c:\progra~1\SYMNET~1\SNDMon.exe" [2008-09-04 100056]
"sealmon"="c:\program files\SealedMedia\sealmon.exe" [2006-06-19 94208]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2007-05-27 77824]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-07-31 149280]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]
DVD Check.lnk - c:\program files\InterVideo\DVD Check\DVDCheck.exe [2005-9-22 184320]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2004-3-16 83360]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

R0 pxscan;pxscan;c:\windows\system32\drivers\pxscan.sys [17/03/2010 18:14 30280]
R1 SAVRKBootTasks;Boot Tasks Driver;c:\windows\system32\SAVRKBootTasks.sys [17/03/2010 22:18 18816]
R2 CSIScanner;CSIScanner;c:\program files\Prevx\prevx.exe [17/03/2010 18:14 6300592]
R2 pxrts;pxrts;c:\windows\system32\drivers\pxrts.sys [17/03/2010 18:14 50504]
R3 GTIPCI21;GTIPCI21;c:\windows\system32\drivers\gtipci21.sys [03/05/2004 17:26 80384]
R3 pxkbf;pxkbf;c:\windows\system32\drivers\pxkbf.sys [17/03/2010 18:14 24368]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [03/03/2010 16:17 135664]
S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\35.tmp --> c:\windows\system32\35.tmp [?]
.
Contents of the 'Scheduled Tasks' folder

2010-03-17 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-03-03 15:16]

2010-03-17 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-03-03 15:16]

2010-03-17 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1951824921-2737178999-3325866196-1006Core.job
- c:\documents and settings\Admin\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-12-17 19:33]

2010-03-17 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1951824921-2737178999-3325866196-1006UA.job
- c:\documents and settings\Admin\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-12-17 19:33]

2010-03-05 c:\windows\Tasks\Norton AntiVirus - Scan my computer - Administrator.job
- c:\progra~1\NORTON~1\Navw32.exe [2004-08-18 11:54]
.
.
------- Supplementary Scan -------
.
uStart Page = [Link mogu videti samo ulogovani korisnici]
uSearch Page = [Link mogu videti samo ulogovani korisnici]
uSearch Bar = [Link mogu videti samo ulogovani korisnici]
uInternet Connection Wizard,ShellNext = wmplayer.exe //ICWLaunch
uSearchAssistant = [Link mogu videti samo ulogovani korisnici]
uSearchURL,(Default) = [Link mogu videti samo ulogovani korisnici]
IE: &ICQ Toolbar Search - c:\program files\ICQToolbar\toolbaru.dll/SEARCH.HTML
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
FF - ProfilePath - c:\documents and settings\Admin\Application Data\Mozilla\Firefox\Profiles\smwgzdem.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - about:blank
FF - prefs.js: keyword.URL - [Link mogu videti samo ulogovani korisnici]
FF - plugin: c:\documents and settings\Admin\Local Settings\Application Data\Google\Update\1.2.183.17\npGoogleOneClick8.dll
FF - plugin: c:\program files\Google\Update\1.2.183.17\npGoogleOneClick8.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [Link mogu videti samo ulogovani korisnici]
Rootkit scan 2010-03-18 00:27
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Cpqset = c:\program files\HPQ\Default Settings\cpqset.exe????????????n??|?????? ???B???????????????B? ??????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MEMSWEEP2]
"ImagePath"="\??\c:\windows\system32\35.tmp"
.
------------------------ Other Running Processes ------------------------
.
c:\windows\System32\SCardSvr.exe
c:\program files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
c:\program files\Analog Devices\SoundMAX\SMAgent.exe
c:\windows\system32\wdfmgr.exe
c:\windows\AGRSMMSG.exe
c:\documents and settings\Admin\Local Settings\Application Data\Google\Update\1.2.183.17\GoogleCrashHandler.exe
c:\program files\HPQ\SHARED\HPQWMI.exe
c:\program files\Messenger\msmsgs.exe
.
**************************************************************************
.
Completion time: 2010-03-18 00:39:24 - machine was rebooted
ComboFix-quarantined-files.txt 2010-03-17 23:39
ComboFix2.txt 2010-03-17 22:48

Pre-Run: 42,748,555,264 bytes free
Post-Run: 42,524,540,928 bytes free

- - End Of File - - 1F1044714D85C199DE2AB24163BEBDE7

offline
  • diarno  Male
  • Anti Malware Fighter
    Rank 2
  • Joined: 15 Jun 2007
  • Posts: 5572

As far as I can see, everything here is clean and there should be no more problems with the startup or the slowness of the system.

Also, it is not advisable to pile up protective software (such as Prevx, Sophos). An AV, an anti-spyware and possibly a firewall (if you think you need one) are enough; more about that in the Zastita (protection) subforum.



ComboFix also needs to be uninstalled:
click Start (or ), then RUN.

On Vista, use the Start Search box if Run is not available.

In the text entry line type (or paste) the following:

ComboFix /Uninstall

Note that there is a space between "ComboFix" and "/Uninstall".

Then click OK (or press Enter).

Wait for the uninstall process to finish.

That would be it.. Regards

offline
  • Joined: 17 Mar 2010
  • Posts: 3

Everything is definitely fine. Many thanks for the help!

By the way, I installed those programs because I was trying to clean up some of this junk. Now I will remove them all and will probably install Avast + Comodo.

Once again, many thanks for the express help. This can go to the archive.
