svchost.exe is using 50% of the CPU.

  • Joined: 21 Dec 2009
  • Posts: 16

Hi everyone. I'm new to the forum, but I've been following you for a long time.

#1 I own a computer: Intel Pentium 4, 1 GB RAM, 160 GB HDD, running Windows XP (32-bit, of course) with Service Pack 2.
For protection I use avast 4.8 Home Edition (it updates twice a day), ZoneAlarm firewall and Spybot TeaTimer. I don't visit xxx or (forbidden) sites, I haven't used torrents or LimeWire in a long time, and I really don't know where I could have picked this thing up.
Yesterday morning I was browsing the net normally: forums, eRepublik and Facebook.
I turned the computer off around 16:00. I turned it on again around 22:00, when I noticed it was running slowly, and so was the internet. Then I saw in Task Manager that svchost.exe was taking 50% of the CPU. When I went to End Process, it restarted the computer (after a 60-second countdown). I scanned it with both avast and Spybot, but they report nothing.
Then I started Spybot and in System Startup I saw this:

I unchecked it so it no longer starts with the system and deleted that .tmp file. This morning I turned the computer on and it is still eating 50% of the processor.
By the way, I have a 1 Mb Telekom ADSL line, though my internet is slowed down now. HELP PLEASE!!!

#2


DDS (Ver_09-12-01.01) - NTFSx86
Run by vlada at 9:45:54,75 on pon 21.12.2009
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_02
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1023.392 [GMT 1:00]

AV: avast! antivirus 4.8.1368 [VPS 091220-1] *On-access scanning enabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
FW: ZoneAlarm Firewall *enabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\system32\svchost -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\vlada\Desktop\dds.scr
C:\WINDOWS\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = about:blank
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = localhost
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - No File
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SearchHelper.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_02\bin\ssv.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - No File
BHO: Windows Live Toolbar Helper: {e15a8dc0-8516-42a1-81ea-dc94ec1acf10} - c:\program files\windows live\toolbar\wltcore.dll
TB: &Windows Live Toolbar: {21fa44ef-376d-4d53-9b0f-8a89d3229068} - c:\program files\windows live\toolbar\wltcore.dll
TB: {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - No File
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [avast!] c:\progra~1\alwils~1\avast4\ashDisp.exe
mRun: [nwiz] nwiz.exe /install
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [ZoneAlarm Client] "c:\program files\zone labs\zonealarm\zlclient.exe"
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
StartupFolder: c:\documents and settings\vlada\start menu\programs\startup\siszyd32.exe
StartupFolder: c:\documents and settings\all users\start menu\programs\startup\Adobe Reader Speed Launch.lnk.disabled
StartupFolder: c:\documents and settings\all users\start menu\programs\startup\Adobe Reader Synchronizer.lnk.disabled
StartupFolder: c:\documents and settings\all users\start menu\programs\startup\InterVideo WinCinema Manager.lnk.disabled
StartupFolder: c:\documents and settings\all users\start menu\programs\startup\Logitech Desktop Messenger.lnk.disabled
StartupFolder: c:\documents and settings\all users\start menu\programs\startup\VPN Client.lnk.disabled
IE: Add to Windows &Live Favorites
IE: E&xport to Microsoft Excel
IE: Open in new background tab
IE: Open in new foreground tab
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_02\bin\ssv.dll
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {7FC1B346-83E6-4774-8D20-1A6B09B0E737} - hxxp://cid-e511cb286f66093c.spaces.live.com/PhotoUpload/MsnPUpld.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA}
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
Hosts: 127.0.0.1 www.spywareinfo.com

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\vlada\applic~1\mozilla\firefox\profiles\g5n7nz7b.default\
FF - prefs.js: browser.startup.homepage - hxxps://login.yahoo.com/config/login_verify2?&.src=ym
FF - plugin: c:\documents and settings\all users\application data\id software\quakelive\npquakezero.dll
FF - plugin: c:\documents and settings\all users\application data\nexoneu\ngm\npNxGameeu.dll
FF - plugin: c:\documents and settings\vlada\application data\mozilla\firefox\profiles\g5n7nz7b.default\extensions\{e2883e8f-472f-4fb0-9522-ac9bf37916a7}\plugins\np_gp.dll
FF - plugin: c:\documents and settings\vlada\application data\mozilla\firefox\profiles\g5n7nz7b.default\extensions\battlefieldheroespatcher@ea.com\platform\winnt_x86-msvc\plugins\npBFHUpdater.dll
FF - plugin: c:\program files\k-lite codec pack\quicktime\plugins\npqtplugin.dll
FF - plugin: c:\program files\k-lite codec pack\quicktime\plugins\npqtplugin2.dll
FF - plugin: c:\program files\k-lite codec pack\quicktime\plugins\npqtplugin3.dll
FF - plugin: c:\program files\k-lite codec pack\quicktime\plugins\npqtplugin4.dll
FF - plugin: c:\program files\k-lite codec pack\quicktime\plugins\npqtplugin5.dll
FF - plugin: c:\program files\k-lite codec pack\quicktime\plugins\npqtplugin6.dll
FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R0 a347bus;a347bus;c:\windows\system32\drivers\a347bus.sys [2007-8-24 160640]
R0 a347scsi;a347scsi;c:\windows\system32\drivers\a347scsi.sys [2007-8-24 5248]
R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2008-4-1 114768]
R1 KLIF;KLIF;c:\windows\system32\drivers\klif.sys [2009-8-2 127768]
R1 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2009-8-2 395080]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2008-4-1 20560]
R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast4\ashServ.exe [2007-9-1 138680]
R2 vsmon;TrueVector Internet Monitor;c:\windows\system32\zonelabs\vsmon.exe -service --> c:\windows\system32\zonelabs\vsmon.exe -service [?]
R3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast4\ashMaiSv.exe [2007-9-1 254040]
R3 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast4\ashWebSv.exe [2007-9-1 352920]
S2 DIG_TS;Pinnacle PCTV Sat TS;c:\windows\system32\drivers\dig_ts.sys --> c:\windows\system32\drivers\dig_ts.sys [?]
S2 DIG_V;Pinnacle PCTV Sat Analog;c:\windows\system32\drivers\dig_v.sys --> c:\windows\system32\drivers\dig_v.sys [?]
S3 DAUpdaterSvc;Dragon Age: Origins - Content Updater;c:\games\dragon age\bin_ship\daupdatersvc.service.exe [2009-12-15 25832]
S3 pctvvbi;PCTVVBI;c:\windows\system32\drivers\pctvvbi.sys [2007-2-3 6400]
S3 SCREAMINGBDRIVER;Screaming Bee Audio;c:\windows\system32\drivers\ScreamingBAudio.sys [2009-4-6 23064]

=============== Created Last 30 ================

2009-12-20 10:36:14 4 ----a-w- c:\docume~1\vlada\applic~1\avdrn.dat
2009-12-17 10:52:32 54156 ---ha-w- c:\windows\QTFont.qfn
2009-12-17 10:52:32 1409 ----a-w- c:\windows\QTFont.for
2009-12-15 14:22:29 0 d-----w- c:\docume~1\alluse~1\applic~1\BioWare
2009-12-15 12:01:18 0 d-----w- c:\windows\system32\AGEIA
2009-12-15 12:01:01 0 d-----w- c:\program files\common files\Wise Installation Wizard
2009-12-15 11:40:57 0 d-----w- c:\program files\common files\BioWare
2009-12-10 15:03:04 0 d-----w- c:\program files\Steinberg
2009-12-10 15:03:03 0 d-----w- c:\program files\FruityLoops 3.56
2009-12-06 10:24:26 60 ---h--w- c:\windows\popcreg.dat
2009-12-05 11:56:04 22 ----a-w- c:\windows\popcinfot.dat
2009-12-05 11:55:24 0 d-----w- c:\docume~1\alluse~1\applic~1\PopCap Games
2009-12-05 11:54:42 0 d-----w- c:\program files\PopCap Games

==================== Find3M ====================

2009-12-21 08:45:01 59789344 --sha-w- c:\windows\system32\drivers\fidbox.dat
2009-12-21 00:19:55 704528 --sha-w- c:\windows\system32\drivers\fidbox.idx
2001-11-23 04:08:20 712704 ----a-w- c:\windows\inf\other\AUDIO3D.DLL

============= FINISH: 9:47:39,59 ===============

#3 GMER crashes 10 seconds after starting, so I downloaded RootRepeal

  • Joined: 04 Jan 2009
  • Posts: 2168

Hello.

Download sUBs' ComboFix from the following address to your Desktop:

Bleeping Computer
Right-click the link and choose Save Target As... (Save Link As..., Save Linked Content As... or similar);
When the dialog for choosing the save location opens, select Desktop and click Save.




When the download is finished:
disable your security software (instructions);
close any running programs;
double-click to run ComboFix.

While running, ComboFix will:
check whether a newer version of the program exists: click Yes if it offers to download it.
display DISCLAIMER OF WARRANTY ON SOFTWARE: click Yes so the process continues.
if the Recovery Console is not installed, offer to install it: be sure to accept by clicking Yes and follow the procedure.
ask a number of questions and show notices: accept by clicking Yes or OK.
restart Windows if needed (possibly several times);
at the end, open Notepad with the scan report.

Copy the report ComboFix produced into the forum topic:
right-click in the Notepad window and choose Select All;
right-click on the highlighted text and choose Copy;
right-click in the message box and choose Paste.

Note: the report will be saved as ComboFix.txt on the system partition (typical location: C:\ComboFix.txt);
If after posting you notice the report is incomplete, use the Attach file option to attach the file C:\ComboFix.txt to your message.

  • Joined: 21 Dec 2009
  • Posts: 16

Posted: 21 Dec 2009 19:23

ComboFix 09-12-20.08 - vlada 21.12.2009 19:01:04.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1023.511 [GMT 1:00]
Running from: c:\documents and settings\vlada\Desktop\ComboFix.exe
AV: avast! antivirus 4.8.1368 [VPS 091221-0] *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
FW: ZoneAlarm Firewall *disabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\vlada\Application Data\avdrn.dat
c:\documents and settings\vlada\Start Menu\Programs\Startup\siszyd32.exe
C:\LOG.TXT
C:\VDM19.tmp

.
((((((((((((((((((((((((( Files Created from 2009-11-21 to 2009-12-21 )))))))))))))))))))))))))))))))
.

2009-12-15 14:22 . 2009-12-15 14:22 -------- d-----w- c:\documents and settings\All Users\Application Data\BioWare
2009-12-15 12:01 . 2009-12-15 12:01 -------- d-----w- c:\windows\system32\AGEIA
2009-12-15 12:01 . 2009-12-15 12:01 -------- d-----w- c:\program files\AGEIA Technologies
2009-12-15 12:01 . 2009-12-15 12:01 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-12-15 11:40 . 2009-12-15 11:59 -------- d-----w- c:\program files\Common Files\BioWare
2009-12-10 15:03 . 2009-12-10 15:03 -------- d-----w- c:\program files\Steinberg
2009-12-10 15:03 . 2009-12-10 15:06 -------- d-----w- c:\program files\FruityLoops 3.56
2009-12-06 10:24 . 2009-12-18 19:01 60 ---h--w- c:\windows\popcreg.dat
2009-12-05 11:56 . 2009-12-18 19:01 22 ----a-w- c:\windows\popcinfot.dat
2009-12-05 11:55 . 2009-12-05 11:55 -------- d-----w- c:\documents and settings\All Users\Application Data\PopCap Games
2009-12-05 11:54 . 2009-12-05 11:55 -------- d-----w- c:\program files\PopCap Games

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-12-21 18:12 . 2009-08-02 08:23 59938848 --sha-w- c:\windows\system32\drivers\fidbox.dat
2009-12-21 18:08 . 2009-08-02 08:23 706496 --sha-w- c:\windows\system32\drivers\fidbox.idx
2009-12-21 17:40 . 2007-02-04 00:49 10 ----a-w- c:\windows\popcinfo.dat
2009-12-20 10:36 . 2009-12-20 10:36 16 ----a-w- c:\windows\system32\config\systemprofile\Application Data\fvgqad.dat
2009-12-15 22:55 . 2007-02-05 21:14 -------- d-----w- c:\documents and settings\vlada\Application Data\Skype
2009-12-15 14:02 . 2007-02-19 19:59 -------- d-----w- c:\program files\Mozilla Thunderbird
2009-12-12 20:28 . 2008-11-19 18:01 -------- d-----w- c:\documents and settings\vlada\Application Data\Winamp
2009-12-12 20:20 . 2008-11-19 18:01 -------- d-----w- c:\program files\Winamp
2009-12-12 18:13 . 2008-01-09 22:12 -------- d-----w- c:\documents and settings\vlada\Application Data\uTorrent
2009-12-11 10:15 . 2007-02-03 16:53 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-11-24 23:54 . 2007-09-01 19:08 1280480 ----a-w- c:\windows\system32\aswBoot.exe
2009-11-24 23:51 . 2007-09-01 19:08 93424 ----a-w- c:\windows\system32\drivers\aswmon.sys
2009-11-24 23:50 . 2007-09-01 19:08 94160 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2009-11-24 23:50 . 2008-04-01 11:03 114768 ----a-w- c:\windows\system32\drivers\aswSP.sys
2009-11-24 23:50 . 2008-04-01 11:03 20560 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2009-11-24 23:49 . 2007-09-01 19:08 48560 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2009-11-24 23:48 . 2007-09-01 19:08 23120 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2009-11-24 23:47 . 2007-09-01 19:08 27408 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2009-11-24 23:47 . 2007-09-01 19:08 97480 ----a-w- c:\windows\system32\AvastSS.scr
2009-11-24 13:43 . 2007-02-04 15:35 -------- d-----w- c:\program files\Planplus
2009-11-21 22:23 . 2008-07-31 18:44 -------- d-----w- c:\documents and settings\vlada\Application Data\LimeWire
2009-11-21 10:30 . 2009-11-21 10:31 48640 ----a-w- c:\windows\Internet Logs\xDB12.tmp
2009-11-21 10:28 . 2009-11-21 10:29 1364992 ----a-w- c:\windows\Internet Logs\xDB11.tmp
2009-11-21 10:28 . 2009-11-21 10:29 781312 ----a-w- c:\windows\Internet Logs\xDB10.tmp
2009-11-19 15:41 . 2007-11-19 11:46 177024 ----a-w- c:\documents and settings\vlada\Application Data\Mozilla\Firefox\Profiles\g5n7nz7b.default\FlashGot.exe
2009-11-16 13:06 . 2009-11-16 13:07 1358336 ----a-w- c:\windows\Internet Logs\xDBF.tmp
2009-11-14 19:12 . 2009-11-14 19:12 2314335 ----a-w- c:\windows\Internet Logs\tvDebug.zip
2009-11-14 19:08 . 2009-10-10 18:10 -------- d-----w- c:\program files\Microsoft
2009-11-09 21:02 . 2009-11-09 21:03 51200 ----a-w- c:\windows\Internet Logs\xDBE.tmp
2009-11-09 18:15 . 2009-11-09 18:16 1349632 ----a-w- c:\windows\Internet Logs\xDBD.tmp
2009-11-09 18:15 . 2009-11-09 18:16 1688576 ----a-w- c:\windows\Internet Logs\xDBC.tmp
2009-11-08 18:06 . 2009-11-08 18:06 -------- d-----w- c:\program files\Sega
2009-10-25 22:10 . 2007-02-04 15:05 -------- d-----w- c:\program files\Common Files\Adobe
2009-10-09 10:14 . 2009-10-09 10:15 150016 ----a-w- c:\windows\Internet Logs\xDB9.tmp
2009-10-09 10:14 . 2009-10-09 10:15 1425408 ----a-w- c:\windows\Internet Logs\xDBA.tmp
2009-10-09 10:13 . 2009-10-09 10:15 1424896 ----a-w- c:\windows\Internet Logs\xDBB.tmp
2009-10-02 10:49 . 2009-10-02 10:50 758784 ----a-w- c:\windows\Internet Logs\xDB8.tmp
.

------- Sigcheck -------

[-] 2004-08-03 20:59 . !HASH: COULD NOT OPEN FILE !!!!! . 95360 . . [------] . . c:\windows\system32\drivers\atapi.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-11-24 81000]
"nwiz"="nwiz.exe" [2009-06-10 1657376]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-06-10 86016]
"ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2007-09-06 919016]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-06-10 13758464]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk.disabled [2007-8-31 1746]
Adobe Reader Synchronizer.lnk.disabled [2007-2-18 1788]
InterVideo WinCinema Manager.lnk.disabled [2007-2-3 1781]
Logitech Desktop Messenger.lnk.disabled [2007-2-3 1885]
VPN Client.lnk.disabled [2007-8-10 2447]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"Skype"="c:\program files\Skype\Phone\Skype.exe" /nosplash /minimized
"CTFMON.EXE"=c:\windows\system32\ctfmon.exe
"BitTorrent DNA"="c:\program files\DNA\btdna.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" -osboot
"LogitechVideoTray"="c:\program files\Logitech\Video\LogiTray.exe"
"LVCOMSX"=c:\windows\system32\LVCOMSX.EXE
"PCTVOICE"=pctspk.exe
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_02\bin\jusched.exe"
"LogitechVideoRepair"="c:\program files\Logitech\Video\ISStart.exe"
"PCSuiteTrayApplication"=c:\progra~1\Nokia\NOKIAP~1\LAUNCH~1.EXE -startup
"Cmaudio"=RunDll32 cmicnfg.cpl,CMICtrlWnd
"NeroFilterCheck"=c:\windows\system32\NeroCheck.exe
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
"NvCplDaemon"=RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
"sysgif32"=c:\windows\TEMP\~TM43.tmp

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Documents and Settings\\All Users\\Application Data\\NexonEU\\NGM\\NGM.exe"=
"c:\\WINDOWS\\system32\\PnkBstrA.exe"=
"c:\\WINDOWS\\system32\\PnkBstrB.exe"=
"c:\\Games\\KKND Krossfire\\Kknd2.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\DNA\\btdna.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Games\\Dragon Age\\bin_ship\\daorigins.exe"=
"c:\\Games\\Dragon Age\\DAOriginsLauncher.exe"=
"c:\\Games\\Dragon Age\\bin_ship\\daupdatersvc.service.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

R0 a347bus;a347bus;c:\windows\system32\drivers\a347bus.sys [24.8.2007 11:07 160640]
R0 a347scsi;a347scsi;c:\windows\system32\drivers\a347scsi.sys [24.8.2007 11:07 5248]
R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [1.4.2008 12:03 114768]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [1.4.2008 12:03 20560]
S2 DIG_TS;Pinnacle PCTV Sat TS;c:\windows\system32\DRIVERS\dig_ts.sys --> c:\windows\system32\DRIVERS\dig_ts.sys [?]
S2 DIG_V;Pinnacle PCTV Sat Analog;c:\windows\system32\drivers\dig_v.sys --> c:\windows\system32\drivers\dig_v.sys [?]
S3 DAUpdaterSvc;Dragon Age: Origins - Content Updater;c:\games\Dragon Age\bin_ship\daupdatersvc.service.exe [15.12.2009 12:53 25832]
S3 pctvvbi;PCTVVBI;c:\windows\system32\drivers\pctvvbi.sys [3.2.2007 17:53 6400]
S3 SCREAMINGBDRIVER;Screaming Bee Audio;c:\windows\system32\drivers\ScreamingBAudio.sys [6.4.2009 12:19 23064]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
getPlusHelper REG_MULTI_SZ getPlusHelper
.
------- Supplementary Scan -------
.
uStart Page = about:blank
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = localhost
IE: Add to Windows &Live Favorites
IE: E&xport to Microsoft Excel
IE: Open in new background tab
IE: Open in new foreground tab
FF - ProfilePath - c:\documents and settings\vlada\Application Data\Mozilla\Firefox\Profiles\g5n7nz7b.default\
FF - prefs.js: browser.startup.homepage - hxxps://login.yahoo.com/config/login_verify2?&.src=ym
FF - plugin: c:\documents and settings\All Users\Application Data\id Software\QuakeLive\npquakezero.dll
FF - plugin: c:\documents and settings\All Users\Application Data\NexonEU\NGM\npNxGameeu.dll
FF - plugin: c:\documents and settings\vlada\Application Data\Mozilla\Firefox\Profiles\g5n7nz7b.default\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}\plugins\np_gp.dll
FF - plugin: c:\documents and settings\vlada\Application Data\Mozilla\Firefox\Profiles\g5n7nz7b.default\extensions\battlefieldheroespatcher@ea.com\platform\WINNT_x86-msvc\plugins\npBFHUpdater.dll
FF - plugin: c:\program files\K-Lite Codec Pack\QuickTime\Plugins\npqtplugin.dll
FF - plugin: c:\program files\K-Lite Codec Pack\QuickTime\Plugins\npqtplugin2.dll
FF - plugin: c:\program files\K-Lite Codec Pack\QuickTime\Plugins\npqtplugin3.dll
FF - plugin: c:\program files\K-Lite Codec Pack\QuickTime\Plugins\npqtplugin4.dll
FF - plugin: c:\program files\K-Lite Codec Pack\QuickTime\Plugins\npqtplugin5.dll
FF - plugin: c:\program files\K-Lite Codec Pack\QuickTime\Plugins\npqtplugin6.dll
FF - plugin: c:\program files\Windows Live\Photo Gallery\NPWLPG.dll
.
- - - - ORPHANS REMOVED - - - -

ShellIconOverlayIdentifiers-{2D7E38A6-A604-45AE-9A87-4F5F25760650} - (no file)
Notify-AtiExtEvent - (no file)
AddRemove-Seven Kingdoms AA Patch - c:\program files\7kingdoms\Uninst.isu
AddRemove-Seven Kingdoms AA Update - c:\program files\7kingdoms\Uninst.isu



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, gmer.net
Rootkit scan 2009-12-21 19:10
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x871A4690]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xf7552fc3
\Driver\ACPI -> ACPI.sys @ 0xf747dcb8
\Driver\atapi -> 0x871a4690
IoDeviceObjectType -> DeleteProcedure -> ntoskrnl.exe @ 0x8059ece9
ParseProcedure -> ntoskrnl.exe @ 0x8057e98a
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntoskrnl.exe @ 0x8059ece9
ParseProcedure -> ntoskrnl.exe @ 0x8057e98a
Warning: possible MBR rootkit infection !
user & kernel MBR OK

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(3344)
c:\windows\system32\msi.dll
c:\windows\system32\WPDShServiceObj.dll
c:\program files\Nokia\Nokia PC Suite 6\PhoneBrowser.dll
c:\program files\Nokia\Nokia PC Suite 6\PCSCM.dll
c:\windows\system32\ConnAPI.DLL
c:\program files\Nokia\Nokia PC Suite 6\Lang\PhoneBrowser_eng.nlr
c:\program files\Nokia\Nokia PC Suite 6\Resource\PhoneBrowser_Nokia.ngr
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\nvsvc32.exe
c:\program files\TGTSoft\StyleXP\StyleXPService.exe
c:\windows\system32\ZoneLabs\vsmon.exe
c:\program files\Alwil Software\Avast4\aswUpdSv.exe
c:\program files\Alwil Software\Avast4\ashServ.exe
c:\windows\system32\LEXBCES.EXE
c:\windows\system32\LEXPPS.EXE
c:\windows\system32\PnkBstrA.exe
c:\windows\system32\RUNDLL32.EXE
c:\windows\system32\PnkBstrB.exe
c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
c:\windows\system32\wscntfy.exe
c:\program files\Alwil Software\Avast4\ashMaiSv.exe
c:\program files\Alwil Software\Avast4\ashWebSv.exe
.
**************************************************************************
.
Completion time: 2009-12-21 19:18:47 - machine was rebooted
ComboFix-quarantined-files.txt 2009-12-21 18:18

Pre-Run: 15.792.218.112 bytes free
Post-Run: 15.873.949.696 bytes free

Current=4 Default=4 Failed=3 LastKnownGood=5 Sets=1,3,4,5
- - End Of File - - C71335D0E07898962F7E9EAB6A4ABE7A

Update: 21 Dec 2009 19:29

I see it's siszyd32.exe, which ComboFix deleted successfully, bless it.
svchost.exe no longer takes 50% of the CPU; the computer works normally, and so does the internet.
1) Do I need to do anything else?
2) Since I see this worm has caused a real pandemic and that 90% of the computers reported here are infected with it, I'd like advice on how to avoid getting reinfected.

  • Joined: 04 Jan 2009
  • Posts: 2168

Step 1.

Download DeFogger from the following link... http://www.jpshortstuff.247fixes.com/Defogger.exe

Run it by double-clicking the icon;

A MsgBox will appear on which you click the Disable button;

Another MsgBox will appear on which you click Yes;

When DeFogger has finished, follow the next instructions.

Step 2.

Open Notepad and copy the following text into it:

File::
c:\windows\system32\config\systemprofile\Application Data\fvgqad.dat
c:\windows\TEMP\~TM43.tmp

Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"sysgif32"=-



Save the file from Notepad to the Desktop as "CFScript".

Drag the saved script/text onto the ComboFix icon as shown in the picture.
Post the log produced at the end of the cleaning/scanning in your next message.
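The triage the helper did by hand above (spotting siszyd32.exe dropped in the Startup folder, and sysgif32 pointing at a .tmp file in TEMP) as an added Python example; it is not part of this thread and not code from DDS or ComboFix. It parses the autorun line shapes those two logs print and flags targets using heuristics that are my assumptions, not rules from either tool.

```python
"""Triage autorun entries copied from DDS / ComboFix logs.

Recognised line shapes (as printed in the logs in this thread):
  DDS:       uRun: [name] value      mRun: [name] value      StartupFolder: path
  ComboFix:  "name"="path" [date size]      "name"=path
Assumed heuristics: a target is suspicious if it runs from a TEMP directory,
has a .tmp extension, or is a bare executable sitting in a Startup folder.
"""
import ntpath
import re

# Constructed sample input, modelled on entries from the logs above.
SAMPLE_LOG = r"""
mRun: [avast!] c:\progra~1\alwils~1\avast4\ashDisp.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
StartupFolder: c:\documents and settings\vlada\start menu\programs\startup\siszyd32.exe
StartupFolder: c:\documents and settings\all users\start menu\programs\startup\VPN Client.lnk.disabled
"ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2007-09-06 919016]
"sysgif32"=c:\windows\TEMP\~TM43.tmp
"Cmaudio"=RunDll32 cmicnfg.cpl,CMICtrlWnd
"""

DDS_RUN = re.compile(r"^[um]Run:\s*\[(?P<name>[^\]]+)\]\s*(?P<value>.*)$")
DDS_STARTUP = re.compile(r"^StartupFolder:\s*(?P<path>.+)$")
REG_VALUE = re.compile(r'^"(?P<name>[^"]+)"=(?P<value>.*)$')
QUOTED = re.compile(r'"([^"]+)"')
# A drive-letter path, stopping at a comma (rundll32 entry point) or a trailing [date size].
BARE_PATH = re.compile(r"[a-z]:\\[^,\[\"]+", re.IGNORECASE)

EXECUTABLE_EXT = {".exe", ".scr", ".com", ".bat", ".cmd", ".pif", ".vbs"}


def extract_target(value: str):
    """Return the file-system target of an autorun value, or None if it has no
    drive-letter path (e.g. 'RunDll32 cmicnfg.cpl,CMICtrlWnd')."""
    m = QUOTED.search(value)
    if m:
        return m.group(1).strip()
    m = BARE_PATH.search(value)
    return m.group(0).strip() if m else None


def parse_entries(log_text: str):
    """Yield (name, target, source) for every autorun line the log contains."""
    for raw in log_text.splitlines():
        line = raw.strip()
        if m := DDS_RUN.match(line):
            yield m["name"], extract_target(m["value"]), "run"
        elif m := DDS_STARTUP.match(line):
            path = m["path"].strip()
            yield ntpath.basename(path), path, "startup_folder"
        elif m := REG_VALUE.match(line):
            yield m["name"], extract_target(m["value"]), "run"


def suspicious_reasons(target, source):
    """List the (assumed) heuristics a target trips; empty means nothing flagged."""
    reasons = []
    if target is None:
        return reasons
    low = target.lower()
    ext = ntpath.splitext(low)[1]
    if "\\temp\\" in low or "\\tmp\\" in low:
        reasons.append("runs from a TEMP directory")
    if ext == ".tmp":
        reasons.append("a .tmp file is used as an executable")
    if source == "startup_folder" and ext in EXECUTABLE_EXT:
        reasons.append("bare executable in a Startup folder (not a .lnk)")
    return reasons


def triage(log_text: str):
    """Return [(name, target, reasons)] for entries that trip at least one heuristic."""
    flagged = []
    for name, target, source in parse_entries(log_text):
        reasons = suspicious_reasons(target, source)
        if reasons:
            flagged.append((name, target, reasons))
    return flagged


if __name__ == "__main__":
    for name, target, reasons in triage(SAMPLE_LOG):
        print(f"{name}: {target}")
        for r in reasons:
            print(f"    - {r}")
```

Entries without a drive-letter path (such as the Cmaudio rundll32 line) are reported as unresolved rather than flagged, so they still need a manual look.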

  • Joined: 21 Dec 2009
  • Posts: 16

ComboFix 09-12-21.04 - vlada 22.12.2009 10:40:38.2.2 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1023.662 [GMT 1:00]
Running from: c:\documents and settings\vlada\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\vlada\Desktop\CFScript.txt
AV: avast! antivirus 4.8.1368 [VPS 091222-0] *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
FW: ZoneAlarm Firewall *disabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
"c:\windows\system32\config\systemprofile\Application Data\fvgqad.dat"
"c:\windows\TEMP\~TM43.tmp"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\Mozilla Thunderbird\plc4.dll
c:\windows\system32\config\systemprofile\Application Data\fvgqad.dat

.
((((((((((((((((((((((((( Files Created from 2009-11-22 to 2009-12-22 )))))))))))))))))))))))))))))))
.

2009-12-15 14:22 . 2009-12-15 14:22 -------- d-----w- c:\documents and settings\All Users\Application Data\BioWare
2009-12-15 12:01 . 2009-12-15 12:01 -------- d-----w- c:\windows\system32\AGEIA
2009-12-15 12:01 . 2009-12-15 12:01 -------- d-----w- c:\program files\AGEIA Technologies
2009-12-15 12:01 . 2009-12-15 12:01 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-12-15 11:40 . 2009-12-15 11:59 -------- d-----w- c:\program files\Common Files\BioWare
2009-12-10 15:03 . 2009-12-10 15:03 -------- d-----w- c:\program files\Steinberg
2009-12-10 15:03 . 2009-12-10 15:06 -------- d-----w- c:\program files\FruityLoops 3.56
2009-12-06 10:24 . 2009-12-18 19:01 60 ---h--w- c:\windows\popcreg.dat
2009-12-05 11:56 . 2009-12-18 19:01 22 ----a-w- c:\windows\popcinfot.dat
2009-12-05 11:55 . 2009-12-05 11:55 -------- d-----w- c:\documents and settings\All Users\Application Data\PopCap Games
2009-12-05 11:54 . 2009-12-05 11:55 -------- d-----w- c:\program files\PopCap Games

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-12-22 09:46 . 2009-08-02 08:23 60217376 --sha-w- c:\windows\system32\drivers\fidbox.dat
2009-12-22 09:45 . 2007-02-19 19:59 -------- d-----w- c:\program files\Mozilla Thunderbird
2009-12-22 09:29 . 2009-08-02 08:23 708800 --sha-w- c:\windows\system32\drivers\fidbox.idx
2009-12-21 21:11 . 2007-02-04 00:49 10 ----a-w- c:\windows\popcinfo.dat
2009-12-15 22:55 . 2007-02-05 21:14 -------- d-----w- c:\documents and settings\vlada\Application Data\Skype
2009-12-12 20:28 . 2008-11-19 18:01 -------- d-----w- c:\documents and settings\vlada\Application Data\Winamp
2009-12-12 20:20 . 2008-11-19 18:01 -------- d-----w- c:\program files\Winamp
2009-12-12 18:13 . 2008-01-09 22:12 -------- d-----w- c:\documents and settings\vlada\Application Data\uTorrent
2009-12-11 10:15 . 2007-02-03 16:53 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-11-24 23:54 . 2007-09-01 19:08 1280480 ----a-w- c:\windows\system32\aswBoot.exe
2009-11-24 23:51 . 2007-09-01 19:08 93424 ----a-w- c:\windows\system32\drivers\aswmon.sys
2009-11-24 23:50 . 2007-09-01 19:08 94160 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2009-11-24 23:50 . 2008-04-01 11:03 114768 ----a-w- c:\windows\system32\drivers\aswSP.sys
2009-11-24 23:50 . 2008-04-01 11:03 20560 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2009-11-24 23:49 . 2007-09-01 19:08 48560 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2009-11-24 23:48 . 2007-09-01 19:08 23120 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2009-11-24 23:47 . 2007-09-01 19:08 27408 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2009-11-24 23:47 . 2007-09-01 19:08 97480 ----a-w- c:\windows\system32\AvastSS.scr
2009-11-24 13:43 . 2007-02-04 15:35 -------- d-----w- c:\program files\Planplus
2009-11-21 22:23 . 2008-07-31 18:44 -------- d-----w- c:\documents and settings\vlada\Application Data\LimeWire
2009-11-21 10:30 . 2009-11-21 10:31 48640 ----a-w- c:\windows\Internet Logs\xDB12.tmp
2009-11-21 10:28 . 2009-11-21 10:29 1364992 ----a-w- c:\windows\Internet Logs\xDB11.tmp
2009-11-21 10:28 . 2009-11-21 10:29 781312 ----a-w- c:\windows\Internet Logs\xDB10.tmp
2009-11-19 15:41 . 2007-11-19 11:46 177024 ----a-w- c:\documents and settings\vlada\Application Data\Mozilla\Firefox\Profiles\g5n7nz7b.default\FlashGot.exe
2009-11-16 13:06 . 2009-11-16 13:07 1358336 ----a-w- c:\windows\Internet Logs\xDBF.tmp
2009-11-14 19:12 . 2009-11-14 19:12 2314335 ----a-w- c:\windows\Internet Logs\tvDebug.zip
2009-11-14 19:08 . 2009-10-10 18:10 -------- d-----w- c:\program files\Microsoft
2009-11-09 21:02 . 2009-11-09 21:03 51200 ----a-w- c:\windows\Internet Logs\xDBE.tmp
2009-11-09 18:15 . 2009-11-09 18:16 1349632 ----a-w- c:\windows\Internet Logs\xDBD.tmp
2009-11-09 18:15 . 2009-11-09 18:16 1688576 ----a-w- c:\windows\Internet Logs\xDBC.tmp
2009-11-08 18:06 . 2009-11-08 18:06 -------- d-----w- c:\program files\Sega
2009-10-25 22:10 . 2007-02-04 15:05 -------- d-----w- c:\program files\Common Files\Adobe
2009-10-09 10:14 . 2009-10-09 10:15 150016 ----a-w- c:\windows\Internet Logs\xDB9.tmp
2009-10-09 10:14 . 2009-10-09 10:15 1425408 ----a-w- c:\windows\Internet Logs\xDBA.tmp
2009-10-09 10:13 . 2009-10-09 10:15 1424896 ----a-w- c:\windows\Internet Logs\xDBB.tmp
2009-10-02 10:49 . 2009-10-02 10:50 758784 ----a-w- c:\windows\Internet Logs\xDB8.tmp
.

((((((((((((((((((((((((((((( SnapShot@2009-12-21_18.10.25 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-12-22 09:30 . 2009-12-22 09:30 16384 c:\windows\Temp\Perflib_Perfdata_7c4.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-11-24 81000]
"nwiz"="nwiz.exe" [2009-06-10 1657376]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-06-10 86016]
"ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2007-09-06 919016]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-06-10 13758464]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk.disabled [2007-8-31 1746]
Adobe Reader Synchronizer.lnk.disabled [2007-2-18 1788]
InterVideo WinCinema Manager.lnk.disabled [2007-2-3 1781]
Logitech Desktop Messenger.lnk.disabled [2007-2-3 1885]
VPN Client.lnk.disabled [2007-8-10 2447]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"Skype"="c:\program files\Skype\Phone\Skype.exe" /nosplash /minimized
"CTFMON.EXE"=c:\windows\system32\ctfmon.exe
"BitTorrent DNA"="c:\program files\DNA\btdna.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" -osboot
"LogitechVideoTray"="c:\program files\Logitech\Video\LogiTray.exe"
"LVCOMSX"=c:\windows\system32\LVCOMSX.EXE
"PCTVOICE"=pctspk.exe
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_02\bin\jusched.exe"
"LogitechVideoRepair"="c:\program files\Logitech\Video\ISStart.exe"
"PCSuiteTrayApplication"=c:\progra~1\Nokia\NOKIAP~1\LAUNCH~1.EXE -startup
"Cmaudio"=RunDll32 cmicnfg.cpl,CMICtrlWnd
"NeroFilterCheck"=c:\windows\system32\NeroCheck.exe
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
"NvCplDaemon"=RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Documents and Settings\\All Users\\Application Data\\NexonEU\\NGM\\NGM.exe"=
"c:\\WINDOWS\\system32\\PnkBstrA.exe"=
"c:\\WINDOWS\\system32\\PnkBstrB.exe"=
"c:\\Games\\KKND Krossfire\\Kknd2.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\DNA\\btdna.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Games\\Dragon Age\\bin_ship\\daorigins.exe"=
"c:\\Games\\Dragon Age\\DAOriginsLauncher.exe"=
"c:\\Games\\Dragon Age\\bin_ship\\daupdatersvc.service.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [1.4.2008 12:03 114768]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [1.4.2008 12:03 20560]
S2 DIG_TS;Pinnacle PCTV Sat TS;c:\windows\system32\DRIVERS\dig_ts.sys --> c:\windows\system32\DRIVERS\dig_ts.sys [?]
S2 DIG_V;Pinnacle PCTV Sat Analog;c:\windows\system32\drivers\dig_v.sys --> c:\windows\system32\drivers\dig_v.sys [?]
S3 DAUpdaterSvc;Dragon Age: Origins - Content Updater;c:\games\Dragon Age\bin_ship\daupdatersvc.service.exe [15.12.2009 12:53 25832]
S3 pctvvbi;PCTVVBI;c:\windows\system32\drivers\pctvvbi.sys [3.2.2007 17:53 6400]
S3 SCREAMINGBDRIVER;Screaming Bee Audio;c:\windows\system32\drivers\ScreamingBAudio.sys [6.4.2009 12:19 23064]
S4 a347bus;a347bus;c:\windows\system32\drivers\a347bus.sys [24.8.2007 11:07 160640]
S4 a347scsi;a347scsi;c:\windows\system32\drivers\a347scsi.sys [24.8.2007 11:07 5248]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
getPlusHelper REG_MULTI_SZ getPlusHelper
.
------- Supplementary Scan -------
.
uStart Page = about:blank
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = localhost
IE: Add to Windows &Live Favorites
IE: E&xport to Microsoft Excel
IE: Open in new background tab
IE: Open in new foreground tab
FF - ProfilePath - c:\documents and settings\vlada\Application Data\Mozilla\Firefox\Profiles\g5n7nz7b.default\
FF - prefs.js: browser.startup.homepage - hxxps://login.yahoo.com/config/login_verify2?&.src=ym
FF - plugin: c:\documents and settings\All Users\Application Data\id Software\QuakeLive\npquakezero.dll
FF - plugin: c:\documents and settings\All Users\Application Data\NexonEU\NGM\npNxGameeu.dll
FF - plugin: c:\documents and settings\vlada\Application Data\Mozilla\Firefox\Profiles\g5n7nz7b.default\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}\plugins\np_gp.dll
FF - plugin: c:\documents and settings\vlada\Application Data\Mozilla\Firefox\Profiles\g5n7nz7b.default\extensions\battlefieldheroespatcher@ea.com\platform\WINNT_x86-msvc\plugins\npBFHUpdater.dll
FF - plugin: c:\program files\K-Lite Codec Pack\QuickTime\Plugins\npqtplugin.dll
FF - plugin: c:\program files\K-Lite Codec Pack\QuickTime\Plugins\npqtplugin2.dll
FF - plugin: c:\program files\K-Lite Codec Pack\QuickTime\Plugins\npqtplugin3.dll
FF - plugin: c:\program files\K-Lite Codec Pack\QuickTime\Plugins\npqtplugin4.dll
FF - plugin: c:\program files\K-Lite Codec Pack\QuickTime\Plugins\npqtplugin5.dll
FF - plugin: c:\program files\K-Lite Codec Pack\QuickTime\Plugins\npqtplugin6.dll
FF - plugin: c:\program files\Windows Live\Photo Gallery\NPWLPG.dll
.

**************************************************************************
scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files:

**************************************************************************
.
Completion time: 2009-12-22 10:48:53
ComboFix-quarantined-files.txt 2009-12-22 09:48
ComboFix2.txt 2009-12-21 18:18

Pre-Run: 15.862.140.928 bytes free
Post-Run: 15.820.312.576 bytes free

Current=4 Default=4 Failed=3 LastKnownGood=5 Sets=1,3,4,5
- - End Of File - - FE936313770C2FF10D303A53D21AB47F

  • Joined: 04 Jan 2009
  • Posts: 2168

Find and zip or rar the following file:

C:\Qoobox\Quarantine\C\program files\Mozilla Thunderbird\plc4.dll.vir

Upload the archived file via the following link:

http://www.mycity.rs/ambulanta-upload.php

  • Joined: 21 Dec 2009
  • Posts: 16

Uploaded.

  • Joined: 04 Jan 2009
  • Posts: 2168

Open Notepad and copy the following text into it:

DeQuarantine::
C:\Qoobox\Quarantine\C\program files\Mozilla Thunderbird\plc4.dll.vir
Quit::

Save the file from Notepad to the Desktop as "CFScript".

Drag the saved script/text onto the ComboFix icon as shown in the picture.
Post the log that is produced at the end of the cleaning/scan in your next message.

  • Joined: 21 Dec 2009
  • Posts: 16

Sorry I was away for a couple of days, but I was very busy.


C:\Qoobox\Quarantine\C\program files\Mozilla Thunderbird\plc4.dll.vir -> C:\program files\Mozilla Thunderbird\plc4.dll ( 34416 bytes )

  • Joined: 04 Jan 2009
  • Posts: 2168

What is the situation now?
