There is malware in system32\drivers\karrxn.sys

  • noom
  • New MyCity citizen
  • Joined: 04 Mar 2010
  • Posts: 5

A 32-bit XP SP2 was installed a month ago. I use ADSL through the network card. The antivirus protection is Sophos.
A few days ago the computer started running slowly, and in Task Manager CPU usage is at 100%.

Then Sophos found the following:

The only action offered is clean up, which I did not run because I wanted to consult someone first, meaning I did not try to solve the problem myself.

Here are the remaining files:


DDS (Ver_09-12-01.01) - NTFSx86
Run by Aleksandar at 23:56:01.67 on Fri 03/05/2010
Internet Explorer: 6.0.2900.2180
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.256.60 [GMT 1:00]

AV: Sophos Anti-Virus *On-access scanning enabled* (Updated) {3F13C776-3CBE-4DE9-8BF6-09E5183CA2BD}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\system32\svchost -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Sophos\Sophos Anti-Virus\SavService.exe
C:\Program Files\Sophos\Sophos Anti-Virus\SAVAdminService.exe
C:\Program Files\Sophos\AutoUpdate\ALsvc.exe
C:\Program Files\Sophos\AutoUpdate\ALMon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Aleksandar\Desktop\dds.scr
C:\WINDOWS\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = [Link visible only to logged-in users]
BHO: Sophos Web Content Scanner: {39ea7695-b3f2-4c44-a4bc-297ada8fd235} - c:\program files\sophos\sophos anti-virus\SophosBHO.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\progra~1\micros~2\office12\GRA8E1~1.DLL
uRun: [CTFMON.EXE] c:\windows\system32\ctfmon.exe
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
mRun: [Smapp] c:\program files\analog devices\soundmax\SMTray.exe
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [NeroCheck] c:\windows\system32\NeroCheck.exe
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
StartupFolder: c:\documents and settings\aleksandar\start menu\programs\startup\winesm32.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\autoup~1.lnk - c:\program files\sophos\autoupdate\ALMon.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
TCP: {042D0244-055C-4909-9076-0D96932AFFF1} = 85.222.160.162,213.244.255.3
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\progra~1\micros~2\office12\GR99D3~1.DLL
AppInit_DLLs: c:\progra~1\sophos\sophos~1\SOPHOS~1.DLL
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\progra~1\micros~2\office12\GRA8E1~1.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\aleksa~1\applic~1\mozilla\firefox\profiles\odj1sxkb.default\
FF - plugin: c:\program files\mozilla firefox\plugins\npFoxitReaderPlugin.dll

============= SERVICES / DRIVERS ===============

R1 SAVOnAccessControl;SAVOnAccessControl;c:\windows\system32\drivers\savonaccesscontrol.sys [2010-2-10 110848]
R1 SAVOnAccessFilter;SAVOnAccessFilter;c:\windows\system32\drivers\savonaccessfilter.sys [2010-2-10 38528]
S4 SophosBootDriver;SophosBootDriver;c:\windows\system32\drivers\SophosBootDriver.sys [2010-2-10 14976]

=============== Created Last 30 ================

2010-03-05 19:35:23 130104 ---ha-w- c:\windows\system32\37de045f.stf
2010-03-05 19:35:23 130104 ----a-w- c:\windows\system32\sdccoinstaller.dll
2010-03-05 19:34:00 0 d-----w- c:\program files\common files\Cisco Systems
2010-03-05 19:33:29 23552 ----a-w- c:\windows\system32\SophosBootTasks.exe
2010-03-05 19:33:13 0 d-----w- c:\program files\Sophos
2010-03-05 19:33:13 0 d-----w- c:\docume~1\alluse~1\applic~1\Sophos
2010-03-04 15:35:07 0 d-----w- c:\windows\pss
2010-03-04 15:09:10 0 d-----w- c:\windows\system32\appmgmt
2010-03-02 14:57:56 0 d-s---w- c:\documents and settings\aleksandar\UserData
2010-02-28 17:04:37 792064 ----a-w- c:\windows\system32\drivers\karrxn.sys
2010-02-28 17:04:21 12 ----a-w- c:\docume~1\aleksa~1\applic~1\rbuwzv.dat
2010-02-28 17:04:17 4 ----a-w- c:\docume~1\aleksa~1\applic~1\avdrn.dat
2010-02-26 18:54:29 25600 -c--a-w- c:\windows\system32\dllcache\usbser.sys
2010-02-26 18:54:29 25600 ----a-w- c:\windows\system32\drivers\usbser.sys
2010-02-26 18:54:14 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_ccdcmb_01007.Wdf
2010-02-26 18:54:13 0 ---ha-w- c:\windows\system32\drivers\MsftWdf_Kernel_01007_Coinstaller_Critical.Wdf
2010-02-26 18:54:04 14640 ------w- c:\windows\system32\spmsgXP_2k3.dll
2010-02-26 18:54:00 23856 ----a-w- c:\windows\system32\spupdsvc.exe
2010-02-26 18:42:21 18816 ----a-w- c:\windows\system32\drivers\pccsmcfd.sys
2010-02-26 18:42:08 0 d-----w- c:\program files\PC Connectivity Solution
2010-02-26 18:42:04 7808 ----a-w- c:\windows\system32\drivers\usbser_lowerfltj.sys
2010-02-26 18:42:03 7808 ----a-w- c:\windows\system32\drivers\usbser_lowerflt.sys
2010-02-26 18:42:02 22016 ----a-w- c:\windows\system32\drivers\ccdcmbo.sys
2010-02-26 18:42:00 659968 ----a-w- c:\windows\system32\nmwcdcocls.dll
2010-02-26 18:42:00 17664 ----a-w- c:\windows\system32\drivers\ccdcmb.sys
2010-02-26 18:42:00 1112288 ----a-w- c:\windows\system32\wdfcoinstaller01007.dll
2010-02-26 18:41:59 91136 ----a-w- c:\windows\system32\nmwcdcls.dll
2010-02-26 18:41:59 0 d-----w- c:\program files\Nokia
2010-02-24 18:19:25 0 d-----w- c:\program files\The KMPlayer
2010-02-23 16:49:13 0 d-----w- c:\program files\common files\ODBC
2010-02-23 16:49:11 0 d-----w- c:\program files\common files\SpeechEngines
2010-02-23 16:48:49 0 d-----r- c:\documents and settings\all users\Documents
2010-02-23 16:42:38 0 d-----w- c:\program files\VideoLAN
2010-02-23 16:42:07 0 d-----w- c:\program files\K-Lite Codec Pack
2010-02-23 16:41:11 0 d-----w- c:\docume~1\alluse~1\applic~1\Kaspersky Lab Setup Files
2010-02-23 16:40:53 0 d-----w- c:\docume~1\aleksa~1\applic~1\Foxit
2010-02-23 16:40:52 0 d-----w- c:\program files\Foxit Software
2010-02-23 16:27:23 0 d-----w- c:\program files\ACD
2010-02-23 16:05:31 0 d-----w- c:\program files\Analog Devices
2010-02-23 15:57:55 0 d-sh--w- c:\documents and settings\all users\DRM
2010-02-23 15:57:34 0 d--h--w- c:\program files\WindowsUpdate
2010-02-23 15:56:48 0 d-----w- c:\program files\common files\MSSoap
2010-02-23 15:55:32 0 d-----w- c:\program files\Online Services
2010-02-23 15:55:26 0 d-----w- c:\program files\Messenger
2010-02-23 15:55:23 0 d-----w- c:\program files\MSN Gaming Zone
2010-02-23 15:54:52 0 d-----w- c:\program files\Windows NT

==================== Find3M ====================

2010-02-23 15:55:51 21640 ----a-w- c:\windows\system32\emptyregdb.dat

============= FINISH: 23:57:22.37 ===============



  • diarno
  • Anti Malware Fighter
    Rank 2
  • Joined: 15 Jun 2007
  • Posts: 5572

Feel free to let Sophos delete it. It is malware.



  • noom
  • New MyCity citizen
  • Joined: 04 Mar 2010
  • Posts: 5

After I ran the clean up and scanned again I got this:

CPU is still at 100% and it is running slowly.

  • diarno
  • Anti Malware Fighter
    Rank 2
  • Joined: 15 Jun 2007
  • Posts: 5572

Download The Avenger to the Desktop.
Unpack the archive into a folder.

Double-click avenger.exe to run it.

Copy the text inside the Code box into the (white) window of the program:

Files to delete:
c:\documents and settings\aleksandar\start menu\programs\startup\winesm32.exe
c:\windows\system32\drivers\karrxn.sys
c:\docume~1\aleksa~1\applic~1\rbuwzv.dat
c:\docume~1\aleksa~1\applic~1\avdrn.dat

Drivers to delete:
karrxn

Click Execute, then Yes in the next two windows that open.

The computer will restart (in some cases twice) and the cleaning/scanning process will begin.

When the process finishes, the log file C:\avenger.txt will open in Notepad.

Paste the contents of the resulting log into the thread on the forum.
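The triage that leads to a script like the one above, as an added example that is not part of the thread, of DDS or of The Avenger: it parses "Created Last 30" lines copied from the DDS log posted earlier, flags a driver under system32\drivers that has no installer or hotfix footprint around it (no new Program Files directory, no dllcache copy), gathers every file written within a minute of that driver as one drop, and emits the Files/Drivers sections in the format Avenger accepts. The 15-minute and 60-second windows and the footprint rule are assumptions chosen for illustration, not DDS or Avenger behaviour; the startup-folder winesm32.exe comes from the Pseudo HJT section rather than from this list, so it is passed in by hand.

```python
"""Triage of the DDS 'Created Last 30' section into an Avenger script.

Added example; not code from the thread, from DDS or from The Avenger.
Heuristic (an assumption for illustration): a kernel driver under
system32\\drivers is suspect when nothing an installer or hotfix leaves
behind (a new 'program files' directory, or a dllcache copy) was created
within INSTALLER_WINDOW of it, and every file written within DROP_WINDOW
of such a driver is treated as part of the same drop.
Sample lines are copied from the DDS log posted above.
"""
import re
from datetime import datetime, timedelta

INSTALLER_WINDOW = timedelta(minutes=15)   # assumed, not a DDS setting
DROP_WINDOW = timedelta(seconds=60)        # assumed, not a DDS setting

DDS_SAMPLE = r"""
2010-03-05 19:35:23 130104 ----a-w- c:\windows\system32\sdccoinstaller.dll
2010-03-05 19:33:29 23552 ----a-w- c:\windows\system32\SophosBootTasks.exe
2010-03-05 19:33:13 0 d-----w- c:\program files\Sophos
2010-02-28 17:04:37 792064 ----a-w- c:\windows\system32\drivers\karrxn.sys
2010-02-28 17:04:21 12 ----a-w- c:\docume~1\aleksa~1\applic~1\rbuwzv.dat
2010-02-28 17:04:17 4 ----a-w- c:\docume~1\aleksa~1\applic~1\avdrn.dat
2010-02-26 18:54:29 25600 -c--a-w- c:\windows\system32\dllcache\usbser.sys
2010-02-26 18:54:29 25600 ----a-w- c:\windows\system32\drivers\usbser.sys
2010-02-26 18:42:21 18816 ----a-w- c:\windows\system32\drivers\pccsmcfd.sys
2010-02-26 18:42:08 0 d-----w- c:\program files\PC Connectivity Solution
2010-02-26 18:42:04 7808 ----a-w- c:\windows\system32\drivers\usbser_lowerfltj.sys
2010-02-26 18:42:00 17664 ----a-w- c:\windows\system32\drivers\ccdcmb.sys
2010-02-26 18:41:59 0 d-----w- c:\program files\Nokia
"""

# DDS line layout: timestamp, size, 8-character attribute string, path.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<size>\d+) (?P<attr>\S{8}) (?P<path>.+)$"
)


def parse_dds_created(text):
    """Return the 'Created Last 30' entries as dicts, in the order DDS lists them."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entries.append({
                "ts": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
                "size": int(m["size"]),
                "is_dir": m["attr"].startswith("d"),
                "path": m["path"].lower(),
            })
    return entries


def installer_footprint(entries, ts, window=INSTALLER_WINDOW):
    """True if something an installer or hotfix leaves behind was created near ts."""
    for e in entries:
        if abs(e["ts"] - ts) > window:
            continue
        if e["is_dir"] and "\\program files\\" in e["path"]:
            return True
        if "\\dllcache\\" in e["path"]:      # Windows File Protection keeps a copy there
            return True
    return False


def suspicious_drivers(entries):
    """Drivers dropped into system32\\drivers with no installer footprint around them."""
    return [
        e for e in entries
        if e["path"].endswith(".sys")
        and "\\system32\\drivers\\" in e["path"]
        and not installer_footprint(entries, e["ts"])
    ]


def drop_cluster(entries, anchor, window=DROP_WINDOW):
    """Files (not directories) written within `window` of the anchor entry."""
    return [e for e in entries if not e["is_dir"] and abs(e["ts"] - anchor["ts"]) <= window]


def avenger_script(entries, extra_files=()):
    """Build the 'Files to delete' / 'Drivers to delete' text in Avenger's format.

    The driver name is taken from the file basename. Avenger wants the service
    name, which matches here but must be confirmed under
    HKLM\\SYSTEM\\CurrentControlSet\\Services in the general case.
    """
    files, drivers = list(extra_files), []
    for drv in suspicious_drivers(entries):
        drivers.append(drv["path"].rsplit("\\", 1)[1][:-len(".sys")])
        for e in drop_cluster(entries, drv):
            if e["path"] not in files:
                files.append(e["path"])
    return "\n".join(["Files to delete:", *files, "", "Drivers to delete:", *drivers])


if __name__ == "__main__":
    found = parse_dds_created(DDS_SAMPLE)
    startup = r"c:\documents and settings\aleksandar\start menu\programs\startup\winesm32.exe"
    print(avenger_script(found, extra_files=[startup]))
```

Treat the output as a candidate list to review, not a script to run blindly: a "Drivers to delete" entry has to be the service name, which equals the file basename here but need not in general, and a legitimate driver installed by hand without a Program Files directory would be flagged by the same rule.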

  • noom
  • New MyCity citizen
  • Joined: 04 Mar 2010
  • Posts: 5

Done.
Logfile of The Avenger Version 2.0, (c) by Swandog46
[Link visible only to logged-in users]

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!

File "c:\documents and settings\aleksandar\start menu\programs\startup\winesm32.exe" deleted successfully.
File "c:\windows\system32\drivers\karrxn.sys" deleted successfully.
File "c:\docume~1\aleksa~1\applic~1\rbuwzv.dat" deleted successfully.
File "c:\docume~1\aleksa~1\applic~1\avdrn.dat" deleted successfully.
Driver "karrxn" deleted successfully.

Completed script processing.

*******************

Finished! Terminate.



The processor is fine now. The computer runs perfectly.
You really helped me a lot, thanks.
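Before the thread is closed, the log pasted above can be reconciled with the script it was given. Added example, not part of the thread or of The Avenger: it parses the script's "Files to delete" / "Drivers to delete" sections and the log's '... deleted successfully.' lines (the only result shape the posted log shows; no other Avenger message format is assumed), reports any requested item that has no confirming line, and records whether the rootkit scan came back clean and the script ran to completion. The script and log text are copied from the two posts above.

```python
"""Reconcile an Avenger script with the C:\\avenger.txt log it produced.

Added example; not code from the thread or from The Avenger. Only the
'<Kind> "<name>" <verb> successfully.' line shape seen in the posted log is
parsed; any requested item without such a line is reported as unconfirmed
rather than guessing at Avenger's error wording.
"""
import re

AVENGER_SCRIPT = r"""
Files to delete:
c:\documents and settings\aleksandar\start menu\programs\startup\winesm32.exe
c:\windows\system32\drivers\karrxn.sys
c:\docume~1\aleksa~1\applic~1\rbuwzv.dat
c:\docume~1\aleksa~1\applic~1\avdrn.dat

Drivers to delete:
karrxn
"""

AVENGER_LOG = r"""
Rootkit scan active.
No rootkits found!

File "c:\documents and settings\aleksandar\start menu\programs\startup\winesm32.exe" deleted successfully.
File "c:\windows\system32\drivers\karrxn.sys" deleted successfully.
File "c:\docume~1\aleksa~1\applic~1\rbuwzv.dat" deleted successfully.
File "c:\docume~1\aleksa~1\applic~1\avdrn.dat" deleted successfully.
Driver "karrxn" deleted successfully.

Completed script processing.
"""

SECTION_RE = re.compile(r"^(\w[\w ]*?) to (\w+):$")                    # "Files to delete:"
RESULT_RE = re.compile(r'^(\w[\w ]*?) "(.+)" (\w+) successfully\.$')  # File "..." deleted successfully.


def parse_script(text):
    """Map (kind, name) -> requested action, e.g. ("driver", "karrxn") -> "delete"."""
    wanted, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            # "Files" -> "file", "Drivers" -> "driver", so it matches the log's noun
            section = (m.group(1).rstrip("s").lower(), m.group(2).lower())
            continue
        if section:
            wanted[(section[0], line.lower())] = section[1]
    return wanted


def parse_log(text):
    """Map (kind, name) -> past-tense verb reported by the log, e.g. "deleted"."""
    done = {}
    for raw in text.splitlines():
        m = RESULT_RE.match(raw.strip())
        if m:
            done[(m.group(1).lower(), m.group(2).lower())] = m.group(3).lower()
    return done


def reconcile(script_text, log_text):
    """Return which requested items the log confirms and which it does not."""
    wanted, done = parse_script(script_text), parse_log(log_text)
    confirmed, unconfirmed = [], []
    for key, action in wanted.items():
        verb = done.get(key, "")
        # "delete" -> "deleted", "disable" -> "disabled": compare on the shared stem
        if verb.startswith(action.rstrip("e")):
            confirmed.append(key)
        else:
            unconfirmed.append(key)
    low = log_text.lower()
    return {
        "confirmed": confirmed,
        "unconfirmed": unconfirmed,
        "rootkit_scan_clean": "no rootkits found" in low,
        "completed": "completed script processing" in low,
    }


if __name__ == "__main__":
    result = reconcile(AVENGER_SCRIPT, AVENGER_LOG)
    for key in result["unconfirmed"]:
        print("NOT CONFIRMED:", key)
    print(result)
```

A missing driver line is the case worth catching: the service registration can remain under HKLM\SYSTEM\CurrentControlSet\Services even after the .sys file is gone, and that is exactly the item a "clean" verdict should not paper over.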

  • diarno
  • Anti Malware Fighter
    Rank 2
  • Joined: 15 Jun 2007
  • Posts: 5572

You're welcome.

That would be it. Cheers.
