svchost.exe is using 90% of my CPU


  • Joined: 13 Dec 2009
  • Posts: 84

svchost.exe is using 90% of my CPU, my computer has slowed down, and sometimes a small window pops up with the message:
Generic Host Process for Win32 services has encountered a problem and needs to close.
We are sorry for the inconvenience.
If you were in the middle of something,the information you were working on might be lost.
For more information about this error, click here.

Close.
I don't know what it is, probably a virus.
I followed the instructions for opening a thread, but I have a problem: when I run the DDS program it produces a report with some unreadable characters, and I can't get the two reports at all. I'm sending you that report with the unreadable characters and the GMER logs; those are fine, I managed to get them:

Thanks in advance!

  • dr_Bora
  • Anti Malware Fighter, Rank 2
  • Joined: 24 Jul 2007
  • Posts: 12280
  • Location: Höganäs, SE

Hello...

Download DDS from one of the other links (three are given), run it, and post its logs.

  • Joined: 13 Dec 2009
  • Posts: 84

Here is the DDS report as well:
DDS (Ver_09-12-01.01) - NTFSx86
Run by Dijuf at 23:35:59.14 on źet 24.12.2009
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_07
Microsoft Windows XP Professional 5.1.2600.3.1250.381.1033.18.1014.194 [GMT 1:00]

AV: ESET NOD32 Antivirus 3.0 *On-access scanning enabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\system32\svchost -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\Program Files\File Seeker\FSeekerDBUpdater.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\FixCamera.exe
C:\WINDOWS\vsnpstd3.exe
C:\WINDOWS\tsnpstd3.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\Program Files\CA\SharedComponents\CA_LIC\LogWatNT.exe
c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Java\jre1.6.0_07\bin\jucheck.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Documents and Settings\Dijuf\Desktop\dds.com
C:\WINDOWS\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://start.Facemoods.com
uInternet Connection Wizard,ShellNext = iexplore
mSearchAssistant = hxxp://www.google.com/cse?cx=partner-pub-6222736672146837:njo3fe-77ac&ie=UTF-8&sa=Search&q={searchTerms}
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Skype add-on (mastermind): {22bf413b-c6d2-4d91-82a9-a0f997ba588c} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\progra~1\micros~3\office12\GRA8E1~1.DLL
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [Skype] "c:\program files\skype\phone\Skype.exe" /nosplash /minimized
uRun: [cdoosoft] c:\docume~1\dijuf\locals~1\temp\herss.exe
uRunOnce: [Shockwave Updater] c:\windows\system32\adobe\shockwave 11\SwHelper_1150596.exe -Update -1150596 -"Mozilla/5.0_(Windows;_U;_Windows_NT_5.1;_en-US;_rv:1.9.0.15)_Gecko/2009101601_Firefox/3.0.15" -"http://www.zezamose.com/besplatne-igre-za-decu/game-dexters-laboratory-laser-lab.html"
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre1.6.0_07\bin\jusched.exe"
mRun: [egui] "c:\program files\eset\eset nod32 antivirus\egui.exe" /hide /waitservice
mRun: [FileSeekerUpdater] "c:\program files\file seeker\FSeekerDBUpdater.exe" -start
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [FixCamera] c:\windows\FixCamera.exe
mRun: [snpstd3] c:\windows\vsnpstd3.exe
mRun: [tsnpstd3] c:\windows\tsnpstd3.exe
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [Regedit32] c:\windows\system32\regedit.exe
StartupFolder: c:\docume~1\dijuf\startm~1\programs\startup\onenot~1.lnk - c:\program files\microsoft office\office12\ONENOTEM.EXE
StartupFolder: c:\documents and settings\dijuf\start menu\programs\startup\siszyd32.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~3\office12\ONBttnIE.dll
IE: {5067A26B-1337-4436-8AFE-EE169C2DA79F} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
IE: {77BF5300-1474-4EC7-9980-D32B190E9B07} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\mic273~1\office12\REFIEBAR.DLL
DPF: Microsoft XML Parser for Java - file:///C:/WINDOWS/Java/classes/xmldso.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\progra~1\micros~3\office12\GR99D3~1.DLL
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\progra~1\micros~3\office12\GRA8E1~1.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\dijuf\applic~1\mozilla\firefox\profiles\y6pyp6l9.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2215829&SearchSource=3&q={searchTerms}
FF - prefs.js: browser.startup.homepage - hxxp://start.Facemoods.com
FF - prefs.js: keyword.URL - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2215829&q=
FF - component: c:\documents and settings\dijuf\application data\mozilla\firefox\profiles\y6pyp6l9.default\extensions\{0c391282-d066-45ec-92ab-a28c6d5bb611}\components\FFExternalAlert.dll
FF - component: c:\program files\real\realplayer\browserrecord\firefox\ext\components\nprpffbrowserrecordext.dll
FF - plugin: c:\documents and settings\dijuf\application data\mozilla\firefox\profiles\y6pyp6l9.default\extensions\firefox@tvunetworks.com\plugins\npTVUAx.dll
FF - plugin: c:\program files\google\update\1.2.183.13\npGoogleOneClick8.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npqtplugin8.dll
FF - plugin: c:\program files\quicktime\plugins\npqtplugin8.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}

============= SERVICES / DRIVERS ===============

R0 iastor78;iastor78;c:\windows\system32\drivers\iastor78.sys [2008-8-24 308248]
R1 epfwtdir;epfwtdir;c:\windows\system32\drivers\epfwtdir.sys [2007-12-21 33800]
R2 {FE4C91E7-22C2-4D0C-9F6B-82F1B7742054};{FE4C91E7-22C2-4D0C-9F6B-82F1B7742054};c:\program files\cyberlink\powerdvd8\000.fcl [2008-2-1 41456]
R2 ekrn;Eset Service;c:\program files\eset\eset nod32 antivirus\ekrn.exe [2007-12-21 468224]
R2 LogWatch;Event Log Watch;c:\program files\ca\sharedcomponents\ca_lic\LogWatNT.exe [2005-2-23 53248]
S1 vdi3mtk2;AVZ-BC Kernel Driver;\??\c:\windows\system32\drivers\vdi3mtk2.sys --> c:\windows\system32\drivers\vdi3mtk2.sys [?]
S2 gupdate1ca50b44f5471b0;Google Update Service (gupdate1ca50b44f5471b0);c:\program files\google\update\GoogleUpdate.exe [2009-10-19 133104]
S3 k510bus;Sony Ericsson K510 Driver driver (WDM);c:\windows\system32\drivers\k510bus.sys [2008-9-9 58288]
S3 k510mdfl;Sony Ericsson K510 USB WMC Modem Filter;c:\windows\system32\drivers\k510mdfl.sys [2008-9-9 8336]
S3 k510mdm;Sony Ericsson K510 USB WMC Modem Driver;c:\windows\system32\drivers\k510mdm.sys [2008-9-9 94064]
S3 k510mgmt;Sony Ericsson K510 USB WMC Device Management Drivers (WDM);c:\windows\system32\drivers\k510mgmt.sys [2008-9-9 85408]
S3 k510obex;Sony Ericsson K510 USB WMC OBEX Interface;c:\windows\system32\drivers\k510obex.sys [2008-9-9 83344]
S3 SNP325;USB PC Camera (SNPSTD325);c:\windows\system32\drivers\snp325.sys [2009-1-13 451456]
S3 usnjsvc;Messenger Sharing Folders USN Journal Reader service;c:\program files\windows live\messenger\usnsvc.exe [2007-10-18 98328]

=============== Created Last 30 ================

2009-12-17 18:58:54 51 --sh--r- C:\autorun.inf
2009-12-17 18:58:54 115493 --sh--r- C:\86.exe
2009-12-17 10:48:22 114656 -c--a-w- c:\windows\system32\dllcache\cdrom.sys
2009-12-15 17:01:59 0 d-----w- c:\program files\trend micro
2009-12-12 21:47:11 24 ----a-w- c:\docume~1\dijuf\applic~1\fvgqad.dat
2009-12-12 21:46:51 0 d-----w- c:\docume~1\alluse~1\applic~1\Magix
2009-12-12 21:46:40 0 d-----w- c:\docume~1\dijuf\applic~1\MAGIX
2009-12-12 21:46:18 0 d-----w- c:\docume~1\alluse~1\applic~1\Xara
2009-12-10 21:42:15 0 d-----w- c:\docume~1\alluse~1\applic~1\SecTaskMan
2009-12-10 20:51:34 0 d-----w- c:\docume~1\dijuf\applic~1\Uniblue
2009-12-07 15:47:45 148192 -c--a-w- c:\windows\system32\dllcache\atapi.sys
2009-12-07 15:47:11 8 ----a-w- c:\docume~1\dijuf\applic~1\avdrn.dat
2009-11-29 20:27:14 0 d-----w- c:\docume~1\dijuf\applic~1\facemoods.com

==================== Find3M ====================

2009-12-24 13:57:42 114656 ----a-w- c:\windows\system32\drivers\cdrom.sys
2009-12-16 18:43:15 148192 ----a-w- c:\windows\system32\drivers\atapi.sys
2009-10-10 16:17:16 499712 ----a-w- c:\windows\system32\msvcp71.dll
2009-10-10 16:17:16 348160 ----a-w- c:\windows\system32\msvcr71.dll
2008-09-02 17:12:13 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008090220080903\index.dat

============= FINISH: 23:38:40.78 ===============

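Reading a DDS report like the one above is mostly pattern recognition. As an added example (not part of the thread, and not DDS or ComboFix code), here is a small Python triage script that applies a few of the heuristics a malware-removal helper uses to exactly these line formats: logon autoruns launched from a temp directory, a bare executable in the Startup folder, hidden+system autorun.inf/exe pairs at a drive root, and a kernel driver freshly written to dllcache. The sample lines are copied from the report above; the rule names, severities and thresholds are my own assumptions, not anything the tools define.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample: lines copied from the DDS report in the thread above
# ("Pseudo HJT Report" and "Created Last 30" sections), with a few benign
# entries (ctfmon, egui, the OneNote shortcut) kept so the rules have
# something to ignore.
SAMPLE_DDS = r"""uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [cdoosoft] c:\docume~1\dijuf\locals~1\temp\herss.exe
mRun: [egui] "c:\program files\eset\eset nod32 antivirus\egui.exe" /hide /waitservice
mRun: [Regedit32] c:\windows\system32\regedit.exe
StartupFolder: c:\docume~1\dijuf\startm~1\programs\startup\onenot~1.lnk - c:\program files\microsoft office\office12\ONENOTEM.EXE
StartupFolder: c:\documents and settings\dijuf\start menu\programs\startup\siszyd32.exe
BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File
2009-12-17 18:58:54 51 --sh--r- C:\autorun.inf
2009-12-17 18:58:54 115493 --sh--r- C:\86.exe
2009-12-17 10:48:22 114656 -c--a-w- c:\windows\system32\dllcache\cdrom.sys
2009-12-15 17:01:59 0 d-----w- c:\program files\trend micro
"""

# Line shapes DDS uses in the two sections handled here.
RUN_RE = re.compile(r"^[um]Run(?:Once)?: \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
STARTUP_RE = re.compile(r"^StartupFolder: (?P<entry>.+)$")
BHO_ORPHAN_RE = re.compile(r"^BHO: .* - No File$")
CREATED_RE = re.compile(
    r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2} \d+ (?P<attr>[-a-z]{8}) (?P<path>.+)$"
)


@dataclass
class Finding:
    severity: str  # "high" = act on it, "review" = confirm before acting
    line: str
    reason: str


def _image_path(cmd: str) -> str:
    """Return the executable part of a Run value, without quotes or arguments."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end].lower() if end > 0 else cmd.lower()
    return cmd.split(" ")[0].lower()


def check_line(line: str) -> Optional[Finding]:
    """Apply the triage heuristics to one DDS line; None means nothing to flag."""
    m = RUN_RE.match(line)
    if m:
        image = _image_path(m.group("cmd"))
        if "\\temp\\" in image:
            return Finding("high", line, "logon autorun launched from a temp directory")
        if image.endswith("\\regedit.exe"):
            return Finding("high", line, "regedit.exe registered as a logon autorun; not something legitimate software does")
        return None
    m = STARTUP_RE.match(line)
    if m:
        entry = m.group("entry").lower()
        if entry.endswith(".exe") and ".lnk" not in entry:
            return Finding("high", line, "bare executable in the Startup folder instead of a shortcut")
        return None
    if BHO_ORPHAN_RE.match(line):
        return Finding("review", line, "BHO CLSID with no backing file; leftover of a removed add-on")
    m = CREATED_RE.match(line)
    if m:
        attr, path = m.group("attr"), m.group("path").lower()
        at_drive_root = re.fullmatch(r"[a-z]:\\[^\\]+", path) is not None
        hidden_system = "s" in attr and "h" in attr
        if at_drive_root and hidden_system and path.endswith((".inf", ".exe")):
            return Finding("high", line, "hidden+system file at a drive root; autorun.inf worm pattern")
        if "\\dllcache\\" in path and path.endswith(".sys"):
            return Finding("review", line, "kernel driver freshly written to dllcache; compare its hash with a known-good copy")
    return None


def triage(report: str) -> list:
    """Run check_line over a whole report and keep only the hits, in file order."""
    return [f for f in (check_line(ln) for ln in report.splitlines()) if f is not None]


if __name__ == "__main__":
    for f in triage(SAMPLE_DDS):
        print(f"[{f.severity:6}] {f.reason}\n         {f.line}")
```

On the sample above the script flags the same entries ComboFix later removed or repaired in this thread (siszyd32.exe, the drive-root autorun pair, the replaced disk drivers), which is the point: the log already contains the evidence before any tool is run.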

  • dr_Bora
  • Anti Malware Fighter, Rank 2
  • Joined: 24 Jul 2007
  • Posts: 12280
  • Location: Höganäs, SE

Download sUBs' ComboFix from the following address to your Desktop:

Bleeping Computer
Right-click the link and choose Save Target As... (Save Link As..., Save Linked Content As... or similar);
when the dialog for choosing where to save the file opens, choose Desktop and click Save.

When the download is complete:
disable your security software (instructions);
close any running programs;
double-click ComboFix to run it.

While it runs, ComboFix will:
check whether a newer version of the program exists: click Yes if offered to download it;
display the DISCLAIMER OF WARRANTY ON SOFTWARE: click Yes so the process continues;
if the Recovery Console is not installed, offer to install it: be sure to accept by clicking Yes and follow the procedure;
ask a number of questions / show a number of notices: accept by clicking Yes or OK;
restart Windows if needed (possibly several times);
at the end, open Notepad with the scan report.

Copy the report ComboFix produced into the forum thread:
right-click in the Notepad window and choose Select All;
right-click the highlighted text and choose Copy;
right-click in the message box and choose Paste.

Note: the report will be saved as ComboFix.txt on the system partition (typical location: C:\ComboFix.txt);
if after posting you notice the report is incomplete, use the Attach file option to attach C:\ComboFix.txt to your message.

  • Joined: 13 Dec 2009
  • Posts: 84

Posted: 25 Dec 2009 1:09

I ran into a problem while ComboFix was running: as soon as it started working it restarted my computer. After the restart the computer couldn't boot into the system; it just kept restarting. So I somehow started it via Safe Mode, restarted it from there, and somehow managed to get it running, and now there is no report on the C partition.

Update: 25 Dec 2009 1:13

Only an icon with a picture of a computer labeled ComboFix has appeared on the C partition, along with a folder named Qoobox, files with the extension Boot.bak, and a file cmldr.

  • dr_Bora
  • Anti Malware Fighter, Rank 2
  • Joined: 24 Jul 2007
  • Posts: 12280
  • Location: Höganäs, SE

Run ComboFix again. Be sure to disable the antivirus program beforehand.

  • Joined: 13 Dec 2009
  • Posts: 84

Posted: 25 Dec 2009 15:47

I ran it again with the antivirus program disabled, and ComboFix scanned: a blue window opened and told me the system was infected, and after that it said it was deleting some files (Deleting files) and got stuck there. I waited a good three hours and nothing changed. I had no options, just the desktop background and that blue ComboFix window, so I couldn't restart or do anything. So I powered the computer off and back on, and then I noticed I had some report on the desktop, but there were no changes on the C partition; I didn't get any text report. Here is the report I got on the desktop:


Update: 25 Dec 2009 15:50

Should I run ComboFix again?

  • dr_Bora
  • Anti Malware Fighter, Rank 2
  • Joined: 24 Jul 2007
  • Posts: 12280
  • Location: Höganäs, SE

Yes, but in a slightly different way.



Open Notepad and copy the following text into it:

KillAll::

StepDel::

Save the file from Notepad to the Desktop as "CFScript".

Drag the saved script/text onto the ComboFix icon as shown in the picture.
Post the log that is produced at the end of the cleaning/scanning in your next message.

  • Joined: 13 Dec 2009
  • Posts: 84

Here is the log I got after the scan:



ComboFix 09-12-24.02 - Dijuf 25.12.2009 23:32:42.7.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1250.381.1033.18.1014.645 [GMT 1:00]
Running from: c:\documents and settings\Dijuf\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Dijuf\Desktop\CFScript.txt
AV: ESET NOD32 Antivirus 3.0 *On-access scanning disabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
* Resident AV is active

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Dijuf\Start Menu\Programs\Startup\siszyd32.exe
c:\documents and settings\LocalService\oashdihasidhasuidhiasdhiashdiuasdhasd
c:\windows\EventSystem.log
c:\windows\system32\config\systemprofile\av_md.exe
c:\windows\system32\config\systemprofile\oashdihasidhasuidhiasdhiashdiuasdhasd
D:\86.exe
D:\Autorun.inf

-- Previous Run --

c:\windows\system32\Drivers\atapi.sys . . . is infected!! . . .Failed to restore. Attempting to replace on reboot

--------

Infected copy of c:\windows\system32\drivers\cdrom.sys was found and disinfected
Restored copy from - c:\system volume information\_restore{0136BED5-CC65-4AD5-A212-9A2452C57063}\RP100\A0029281.sys

.
((((((((((((((((((((((((( Files Created from 2009-11-25 to 2009-12-25 )))))))))))))))))))))))))))))))
.

2009-12-24 23:08 . 2009-12-24 23:08 -------- d--h--w- c:\windows\PIF
2009-12-15 17:01 . 2009-12-16 20:58 -------- d-----w- c:\program files\trend micro
2009-12-12 21:46 . 2009-12-12 21:46 -------- d-----w- c:\documents and settings\All Users\Application Data\Magix
2009-12-12 21:46 . 2009-12-12 21:46 -------- d-----w- c:\documents and settings\Dijuf\Application Data\MAGIX
2009-12-12 21:46 . 2009-12-12 21:46 -------- d-----w- c:\documents and settings\Dijuf\Local Settings\Application Data\Xara
2009-12-12 21:46 . 2009-12-12 21:46 -------- d-----w- c:\documents and settings\All Users\Application Data\Xara
2009-12-10 21:42 . 2009-12-10 21:42 121 ----a-w- c:\documents and settings\All Users\Application Data\SecTaskMan\icn_6030E61781384634B8F8C04C9E73B6CA.dll
2009-12-10 20:51 . 2009-12-10 20:51 -------- d-----w- c:\documents and settings\Dijuf\Application Data\Uniblue
2009-11-29 20:27 . 2009-11-29 20:27 -------- d-----w- c:\documents and settings\Dijuf\Application Data\facemoods.com

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-12-25 22:39 . 2009-10-19 12:26 -------- d-----w- c:\documents and settings\Dijuf\Application Data\Skype
2009-12-25 22:38 . 2009-10-19 12:30 -------- d-----w- c:\documents and settings\Dijuf\Application Data\skypePM
2009-12-23 23:30 . 2008-09-02 22:08 -------- d-----w- c:\program files\File Seeker
2009-12-16 18:31 . 2008-09-02 18:06 104456 ----a-w- c:\documents and settings\Dijuf\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-12-16 00:52 . 2009-02-15 11:46 -------- d-----w- c:\documents and settings\Dijuf\Application Data\uTorrent
2009-12-15 10:01 . 2009-12-12 21:47 24 ----a-w- c:\documents and settings\Dijuf\Application Data\fvgqad.dat
2009-12-10 22:03 . 2009-12-10 21:42 -------- d-----w- c:\documents and settings\All Users\Application Data\SecTaskMan
2009-12-10 21:42 . 2009-12-10 21:42 41 ----a-w- c:\documents and settings\All Users\Application Data\SecTaskMan\icn_5A6FB34A0F5DAAA4FB1456990536CE44.dll
2009-12-08 11:22 . 2009-12-08 11:22 20 ----a-w- c:\windows\system32\config\systemprofile\Application Data\fvgqad.dat
2009-12-07 15:47 . 2009-12-07 15:47 20 ----a-w- c:\documents and settings\NetworkService\Application Data\fvgqad.dat
2009-11-29 23:07 . 2009-10-10 16:15 -------- d-----w- c:\program files\Google
2009-11-05 16:35 . 2009-11-05 16:32 -------- d-----w- c:\program files\PowerFolder.com
2009-10-19 12:30 . 2009-10-19 12:30 56 ---ha-w- c:\windows\system32\ezsidmv.dat
2009-10-10 16:17 . 2008-09-02 21:54 499712 ----a-w- c:\windows\system32\msvcp71.dll
2009-10-10 16:17 . 2008-09-02 21:54 348160 ----a-w- c:\windows\system32\msvcr71.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2009-10-09 25623336]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"Shockwave Updater"="c:\windows\system32\Adobe\Shockwave 11\SwHelper_1150596.exe" [2009-04-29 468408]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-12-19 135168]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-12-19 159744]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-12-19 131072]
"RTHDCPL"="RTHDCPL.EXE" [2008-04-10 16861184]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-27 31016]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"egui"="c:\program files\ESET\ESET NOD32 Antivirus\egui.exe" [2007-12-21 1443072]
"FileSeekerUpdater"="c:\program files\File Seeker\FSeekerDBUpdater.exe" [2007-01-12 603648]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-05-26 413696]
"FixCamera"="c:\windows\FixCamera.exe" [2007-07-11 20480]
"snpstd3"="c:\windows\vsnpstd3.exe" [2007-05-10 835584]
"tsnpstd3"="c:\windows\tsnpstd3.exe" [2007-04-21 270336]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-10-10 198160]

c:\documents and settings\Dijuf\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2006-10-27 98632]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

R0 iastor78;iastor78;c:\windows\system32\drivers\iastor78.sys [24.8.2008 3:32 308248]
R0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [2.9.2008 22:41 682232]
R1 epfwtdir;epfwtdir;c:\windows\system32\drivers\epfwtdir.sys [21.12.2007 8:21 33800]
R2 {FE4C91E7-22C2-4D0C-9F6B-82F1B7742054};{FE4C91E7-22C2-4D0C-9F6B-82F1B7742054};c:\program files\CyberLink\PowerDVD8\000.fcl [1.2.2008 16:24 41456]
R2 ekrn;Eset Service;c:\program files\ESET\ESET NOD32 Antivirus\ekrn.exe [21.12.2007 8:21 468224]
R2 LogWatch;Event Log Watch;c:\program files\CA\SharedComponents\CA_LIC\LogWatNT.exe [23.2.2005 16:56 53248]
S1 vdi3mtk2;AVZ-BC Kernel Driver;\??\c:\windows\system32\Drivers\vdi3mtk2.sys --> c:\windows\system32\Drivers\vdi3mtk2.sys [?]
S2 gupdate1ca50b44f5471b0;Google Update Service (gupdate1ca50b44f5471b0);c:\program files\Google\Update\GoogleUpdate.exe [19.10.2009 13:04 133104]
S3 k510bus;Sony Ericsson K510 Driver driver (WDM);c:\windows\system32\drivers\k510bus.sys [9.9.2008 20:24 58288]
S3 k510mdfl;Sony Ericsson K510 USB WMC Modem Filter;c:\windows\system32\drivers\k510mdfl.sys [9.9.2008 20:24 8336]
S3 k510mdm;Sony Ericsson K510 USB WMC Modem Driver;c:\windows\system32\drivers\k510mdm.sys [9.9.2008 20:24 94064]
S3 k510mgmt;Sony Ericsson K510 USB WMC Device Management Drivers (WDM);c:\windows\system32\drivers\k510mgmt.sys [9.9.2008 20:24 85408]
S3 k510obex;Sony Ericsson K510 USB WMC OBEX Interface;c:\windows\system32\drivers\k510obex.sys [9.9.2008 20:24 83344]
S3 SNP325;USB PC Camera (SNPSTD325);c:\windows\system32\drivers\snp325.sys [13.1.2009 2:00 451456]
S3 usnjsvc;Messenger Sharing Folders USN Journal Reader service;c:\program files\Windows Live\Messenger\usnsvc.exe [18.10.2007 10:31 98328]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp
.
------- Supplementary Scan -------
.
uStart Page = hxxp://start.Facemoods.com
uInternet Connection Wizard,ShellNext = iexplore
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
DPF: Microsoft XML Parser for Java - file:///C:/WINDOWS/Java/classes/xmldso.cab
FF - ProfilePath - c:\documents and settings\Dijuf\Application Data\Mozilla\Firefox\Profiles\y6pyp6l9.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2215829&SearchSource=3&q={searchTerms}
FF - prefs.js: browser.startup.homepage - hxxp://start.Facemoods.com
FF - prefs.js: keyword.URL - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2215829&q=
FF - component: c:\documents and settings\Dijuf\Application Data\Mozilla\Firefox\Profiles\y6pyp6l9.default\extensions\{0c391282-d066-45ec-92ab-a28c6d5bb611}\components\FFExternalAlert.dll
FF - component: c:\program files\Real\RealPlayer\browserrecord\firefox\ext\components\nprpffbrowserrecordext.dll
FF - plugin: c:\documents and settings\Dijuf\Application Data\Mozilla\Firefox\Profiles\y6pyp6l9.default\extensions\firefox@tvunetworks.com\plugins\npTVUAx.dll
FF - plugin: c:\program files\Google\Update\1.2.183.13\npGoogleOneClick8.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npqtplugin8.dll
FF - plugin: c:\program files\QuickTime\Plugins\npqtplugin8.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, gmer.net
Rootkit scan 2009-12-25 23:38
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x86DD31E8]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xf75f4f28
\Driver\ACPI -> ACPI.sys @ 0xf7387cb8
\Driver\atapi -> atapi.sys @ 0xf731cb40
\Driver\iaStor -> 0x86dd31e8
IoDeviceObjectType -> DeleteProcedure -> ntkrnlpa.exe @ 0x80579022
ParseProcedure -> ntkrnlpa.exe @ 0x80577c84
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntkrnlpa.exe @ 0x80579022
ParseProcedure -> ntkrnlpa.exe @ 0x80577c84
NDIS: Atheros AR5007EG Wireless Network Adapter -> SendCompleteHandler -> NDIS.sys @ 0xf7096bd4
PacketIndicateHandler -> NDIS.sys @ 0xf70a2b21
SendHandler -> NDIS.sys @ 0xf7096d44
Warning: possible MBR rootkit infection !
user & kernel MBR OK

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\{FE4C91E7-22C2-4D0C-9F6B-82F1B7742054}]
"ImagePath"="\??\c:\program files\CyberLink\PowerDVD8\000.fcl"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-515967899-1767777339-1801674531-1003\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(3456)
c:\windows\system32\msi.dll
c:\windows\system32\WPDShServiceObj.dll
c:\program files\Nokia\Nokia PC Suite 6\PhoneBrowser.dll
c:\program files\Nokia\Nokia PC Suite 6\PCSCM.dll
c:\windows\system32\ConnAPI.DLL
c:\program files\Nokia\Nokia PC Suite 6\Lang\PhoneBrowser_eng.nlr
c:\program files\Nokia\Nokia PC Suite 6\Resource\PhoneBrowser_Nokia.ngr
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\igfxsrvc.exe
c:\windows\RTHDCPL.EXE
c:\program files\Skype\Plugin Manager\skypePM.exe
c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
c:\program files\Nero\Nero8\Nero BackItUp\NBService.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlwriter.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2009-12-25 23:40:51 - machine was rebooted
ComboFix-quarantined-files.txt 2009-12-25 22:40

Pre-Run: 32,435,630,080 bytes free
Post-Run: 32,434,962,432 bytes free

- - End Of File - - C1835E2BEA648FEAA12FA5182C94614E

  • dr_Bora
  • Anti Malware Fighter, Rank 2
  • Joined: 24 Jul 2007
  • Posts: 12280
  • Location: Höganäs, SE

Open Notepad and copy the following text into it:

File::
c:\documents and settings\Dijuf\Application Data\fvgqad.dat
c:\windows\system32\config\systemprofile\Application Data\fvgqad.dat
c:\documents and settings\NetworkService\Application Data\fvgqad.dat

Save the file from Notepad to the Desktop as "CFScript".

Drag the saved script/text onto the ComboFix icon as shown in the picture.
Post the log that is produced at the end of the cleaning/scanning in your next message.
