MyCity » Ambulanta -> Arhiva Ambulante » shvost.exe Problem !!

shvost.exe Problem !!

Napisano na dan: 4.3.2009
3

shvost.exe Problem !!
Pagination Prethodna strana
Sledeća strana Pagination

Idi na vrh

Poslao: 05 Mar 2009 23:29
Idi na vrh
offline
  • Pridružio: 04 Mar 2009
  • Poruke: 54
  • Gde živiš: Vojvodina Serbia Selenca

Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Control Panel\Desktop]
"ActiveWndTrkTimeout"=dword:00000000
"AutoEndTasks"="0"
"CaretWidth"=dword:00000001
"CoolSwitch"="1"
"CoolSwitchColumns"="7"
"CoolSwitchRows"="3"
"CursorBlinkRate"="530"
"DragFullWindows"="1"
"DragHeight"="4"
"DragWidth"="4"
"FontSmoothing"="2"
"FontSmoothingOrientation"=dword:00000001
"FontSmoothingType"=dword:00000001
"ForegroundFlashCount"=dword:00000003
"ForegroundLockTimeout"=dword:00030d40
"GridGranularity"="0"
"HungAppTimeout"="5000"
"LowPowerActive"="0"
"LowPowerTimeOut"="0"
"MenuShowDelay"="400"
"PaintDesktopVersion"=dword:00000000
"PowerOffActive"="0"
"PowerOffTimeOut"="1200"
"ScreenSaverIsSecure"="0"
"ScreenSaveTimeOut"="600"
"ScreenSaveActive"="1"
"TileWallpaper"="0"
"UserPreferencesMask"=hex:9e,3e,07,80
"WaitToKillAppTimeout"="20000"
"Wallpaper"="D:\\Documents\\Moje Obrazki\\CANTWO\\wall8.bmp"
"WallpaperStyle"="2"
"OriginalWallpaper"="C:\\Documents and Settings\\Ziska\\Local Settings\\Application Data\\Microsoft\\Wallpaper1.bmp"
"WheelScrollLines"="3"
"Pattern Upgrade"="TRUE"
"ConvertedWallpaper"="C:\\WINDOWS\\Web\\Wallpaper\\Windows XP.jpg"
"ConvertedWallpaper Last WriteTime"=hex:00,20,7c,22,cb,2b,c1,01

[HKEY_CURRENT_USER\Control Panel\Desktop\WindowMetrics]
"BorderWidth"="0"
"CaptionFont"=hex:f4,ff,ff,ff,00,00,00,00,00,00,00,00,00,00,00,00,bc,02,00,00,\
00,00,00,01,00,00,00,00,54,00,72,00,65,00,62,00,75,00,63,00,68,00,65,00,74,\
00,20,00,4d,00,53,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00
"CaptionHeight"="-375"
"CaptionWidth"="-270"
"IconFont"=hex:f5,ff,ff,ff,00,00,00,00,00,00,00,00,00,00,00,00,90,01,00,00,00,\
00,00,01,00,00,00,00,54,00,61,00,68,00,6f,00,6d,00,61,00,00,00,00,00,00,00,\
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00
"IconSpacing"="-1125"
"IconTitleWrap"="1"
"IconVerticalspacing"="-1125"
"MenuFont"=hex:f5,ff,ff,ff,00,00,00,00,00,00,00,00,00,00,00,00,90,01,00,00,00,\
00,00,01,00,00,00,00,54,00,61,00,68,00,6f,00,6d,00,61,00,00,00,00,00,00,00,\
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00
"MenuHeight"="-285"
"MenuWidth"="-270"
"MessageFont"=hex:f5,ff,ff,ff,00,00,00,00,00,00,00,00,00,00,00,00,90,01,00,00,\
00,00,00,01,00,00,00,00,54,00,61,00,68,00,6f,00,6d,00,61,00,00,00,00,00,00,\
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00
"ScrollHeight"="-285"
"ScrollWidth"="-285"
"Shell Icon BPP"="16"
"SmCaptionFont"=hex:f4,ff,ff,ff,00,00,00,00,00,00,00,00,00,00,00,00,bc,02,00,\
00,00,00,00,01,00,00,00,00,54,00,61,00,68,00,6f,00,6d,00,61,00,00,00,00,00,\
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00
"SmCaptionHeight"="-285"
"SmCaptionWidth"="-285"
"StatusFont"=hex:f5,ff,ff,ff,00,00,00,00,00,00,00,00,00,00,00,00,90,01,00,00,\
00,00,00,01,00,00,00,00,54,00,61,00,68,00,6f,00,6d,00,61,00,00,00,00,00,00,\
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00
"AppliedDPI"=dword:00000060
"Shell Icon Size"="32"
"MinAnimate"="1"

潎桴湩⹧⸮ഠ

Dopuna: 05 Mar 2009 23:29

sad???????

Poslao: 05 Mar 2009 23:48
Idi na vrh
offline
  • dr_Bora  Male
  • Anti Malware Fighter
    Rank 2
  • Pridružio: 24 Jul 2007
  • Poruke: 12280
  • Gde živiš: Höganäs, SE

Skini program AVZ sa sledećeg linka:

http://devbuilds.kaspersky-labs.com/devbuilds/AVZ/avz4.zip

Raspakuj taj zip file (obavezno ga raspakuj - nemoj program da pokrećeš iz zip-a).


Otvori folder u koji je arhiva raspakovana i pokreni avz.exe.

Klikni File, pa Custom scripts.


U prozor koji se otvori iskopiraj sve što se nalazi unutar Kod polja:

var a, b:dword;


Procedure AddAlarm(AFileName, AMsg : string);

begin
  AddtoLog('>>>>>  '+AFileName+AMsg);
end;


Procedure ScanFile(AFileName : string);

begin
  b:=b+1;
  SetStatusBarText(AFileName);
  LoadFileToBuffer(AFileName);
  If SearchSign('8B 45 F8 6B C0 28 8B 4D 14 83 7C 01 0C 00',0, 0) >= 0 Then
    begin
      AddAlarm(AFileName, '');
      a:=a+1;
    end;
  FreeBuffer;
end;


Procedure ScanDir(ADirName : string; AScanSubDir : boolean);

var FS : TFileSearch;

begin
  ADirName := NormalDir(ADirName);
  FS := TFileSearch.Create(nil);
  FS.FindFirst(ADirName + '*.*');
  While FS.Found do
    begin
      If FS.IsDir Then
        begin
          If AScanSubDir and (FS.FileName <> '.') and (FS.FileName <> '..') then
            ScanDir(ADirName + FS.FileName, AScanSubDir)
        end
      Else
        ScanFile(ADirName + FS.FileName);
      FS.FindNext;
    end;
  FS.Free;
end;



begin
  a:=0;
  b:=0;
  ScanDir('C:\WINDOWS', true);
  AddToLog('');
  AddToLog('Files scanned: ' + IntToStr(b));
  AddToLog('Files detected:' + IntToStr(a));
  SaveLog('c:\scan_log.txt');
  ExecuteFile ('notepad.exe', 'c:\scan_log.txt', 1, 0, false);
end.


Klikni Run taster.


Kada skeniranje bude završeno, logfile će se otvoriti u Notepad-u.

Iskopiraj ovde sadržaj tog loga.

Poslao: 06 Mar 2009 00:06
Idi na vrh
offline
  • Pridružio: 04 Mar 2009
  • Poruke: 54
  • Gde živiš: Vojvodina Serbia Selenca

Script error: ';' expected, position [59:1]
Script error: ';' expected, position [59:1]
Script error: ';' expected, position [59:1]
Script error: 'BEGIN' expected, position [1:1]
Script error: 'BEGIN' expected, position [1:1]
Script error: 'BEGIN' expected, position [1:1]
Script error: 'BEGIN' expected, position [1:1]
>>>>> C:\WINDOWS\system\msile.exe
>>>>> C:\WINDOWS\system32\00.scr
>>>>> C:\WINDOWS\system32\01.scr
>>>>> C:\WINDOWS\system32\04.scr
>>>>> C:\WINDOWS\system32\28.scr
>>>>> C:\WINDOWS\system32\43.scr
>>>>> C:\WINDOWS\system32\50.scr
>>>>> C:\WINDOWS\system32\68.scr
>>>>> C:\WINDOWS\system32\82.scr

Files scanned: 10031
Files detected:9
Ewo ae doktore malo brze ako moze ! Jel moze da se poprawi?Odo ja da spavam cujem ose sutra !

Poslao: 06 Mar 2009 14:05
Idi na vrh
offline
  • dr_Bora  Male
  • Anti Malware Fighter
    Rank 2
  • Pridružio: 24 Jul 2007
  • Poruke: 12280
  • Gde živiš: Höganäs, SE

Ponovo pokreni AVZ. Klikni File > Custom scripts.

U prozor koji se otvori iskopiraj sve što se nalazi unutar Kod polja:



var a, b:dword;


Procedure AddAlarm(AFileName, AMsg : string);

begin
  BC_QrFile(AFileName);
  BC_DeleteFile(AFileName)
end;


Procedure ScanFile(AFileName : string);

begin
  b:=b+1;
  SetStatusBarText(AFileName);
  LoadFileToBuffer(AFileName);
  If SearchSign('8B 45 F8 6B C0 28 8B 4D 14 83 7C 01 0C 00',0, 0) >= 0 Then
    begin
      AddAlarm(AFileName, '');
      a:=a+1;
    end;
  FreeBuffer;
end;


Procedure ScanDir(ADirName : string; AScanSubDir : boolean);

var FS : TFileSearch;

begin
  ADirName := NormalDir(ADirName);
  FS := TFileSearch.Create(nil);
  FS.FindFirst(ADirName + '*.*');
  While FS.Found do
    begin
      If FS.IsDir Then
        begin
          If AScanSubDir and (FS.FileName <> '.') and (FS.FileName <> '..') then
            ScanDir(ADirName + FS.FileName, AScanSubDir)
        end
      Else
        ScanFile(ADirName + FS.FileName);
      FS.FindNext;
    end;
  FS.Free;
end;



begin
  a:=0;
  b:=0;
  SearchRootkit(true, true);
  SetAVZGuardStatus(True);
  ScanDir('C:\WINDOWS', true);
  SaveLog('C:\izvestaj.log');
  BC_DeleteSvc('msile');
  BC_DeleteSvc('sysdrv32');
  BC_LogFile('C:\izvestaj.log');
  BC_Activate;
  RebootWindows(True)
end.




Pažljivo pri kopiranju, svaki znak je bitan.

Zatim isključi sve programe i, u AVZ-ovom prozoru, klikni Run taster.

Na kraju postupka, doći će do restarta kompjutera.

Nakon ponovnog pokretanja sistema, iskopiraj ovde sadržaj file-a C:\izvestaj.log.

Poslao: 06 Mar 2009 17:42
Idi na vrh
offline
  • Pridružio: 04 Mar 2009
  • Poruke: 54
  • Gde živiš: Vojvodina Serbia Selenca

Quarantine path: \??\C:\Documents and Settings\Ziska\Desktop\avz4\avz4\Quarantine\2009-03-06\
QuarantineFile \??\C:\WINDOWS\system\msile.exe - succeeded
QuarantineFile \??\C:\WINDOWS\system32\00.scr - succeeded
QuarantineFile \??\C:\WINDOWS\system32\01.scr - succeeded
QuarantineFile \??\C:\WINDOWS\system32\04.scr - succeeded
QuarantineFile \??\C:\WINDOWS\system32\10.scr - succeeded
QuarantineFile \??\C:\WINDOWS\system32\11.scr - succeeded
QuarantineFile \??\C:\WINDOWS\system32\28.scr - succeeded
QuarantineFile \??\C:\WINDOWS\system32\30.scr - succeeded
QuarantineFile \??\C:\WINDOWS\system32\34.scr - succeeded
QuarantineFile \??\C:\WINDOWS\system32\35.scr - succeeded
QuarantineFile \??\C:\WINDOWS\system32\43.scr - succeeded
QuarantineFile \??\C:\WINDOWS\system32\44.scr - succeeded
QuarantineFile \??\C:\WINDOWS\system32\50.scr - succeeded
QuarantineFile \??\C:\WINDOWS\system32\51.scr - succeeded
QuarantineFile \??\C:\WINDOWS\system32\54.scr - succeeded
QuarantineFile \??\C:\WINDOWS\system32\58.scr - succeeded
QuarantineFile \??\C:\WINDOWS\system32\62.scr - succeeded
QuarantineFile \??\C:\WINDOWS\system32\68.scr - succeeded
QuarantineFile \??\C:\WINDOWS\system32\75.scr - succeeded
QuarantineFile \??\C:\WINDOWS\system32\77.scr - succeeded
QuarantineFile \??\C:\WINDOWS\system32\82.scr - succeeded
QuarantineFile \??\C:\WINDOWS\system32\85.scr - succeeded
QuarantineFile \??\C:\WINDOWS\system32\86.scr - succeeded
QuarantineFile \??\C:\WINDOWS\system32\87.scr - succeeded
QuarantineFile \??\C:\WINDOWS\system32\88.scr - succeeded
DeleteFile \??\C:\WINDOWS\system\msile.exe - failed (0xC0000121)
DeleteFile \??\C:\WINDOWS\system32\00.scr - succeeded
DeleteFile \??\C:\WINDOWS\system32\01.scr - succeeded
DeleteFile \??\C:\WINDOWS\system32\04.scr - succeeded
DeleteFile \??\C:\WINDOWS\system32\10.scr - succeeded
DeleteFile \??\C:\WINDOWS\system32\11.scr - succeeded
DeleteFile \??\C:\WINDOWS\system32\28.scr - succeeded
DeleteFile \??\C:\WINDOWS\system32\30.scr - succeeded
DeleteFile \??\C:\WINDOWS\system32\34.scr - succeeded
DeleteFile \??\C:\WINDOWS\system32\35.scr - succeeded
DeleteFile \??\C:\WINDOWS\system32\43.scr - succeeded
DeleteFile \??\C:\WINDOWS\system32\44.scr - succeeded
DeleteFile \??\C:\WINDOWS\system32\50.scr - succeeded
DeleteFile \??\C:\WINDOWS\system32\51.scr - succeeded
DeleteFile \??\C:\WINDOWS\system32\54.scr - succeeded
DeleteFile \??\C:\WINDOWS\system32\58.scr - succeeded
DeleteFile \??\C:\WINDOWS\system32\62.scr - succeeded
DeleteFile \??\C:\WINDOWS\system32\68.scr - succeeded
DeleteFile \??\C:\WINDOWS\system32\75.scr - succeeded
DeleteFile \??\C:\WINDOWS\system32\77.scr - succeeded
DeleteFile \??\C:\WINDOWS\system32\82.scr - succeeded
DeleteFile \??\C:\WINDOWS\system32\85.scr - succeeded
DeleteFile \??\C:\WINDOWS\system32\86.scr - succeeded
DeleteFile \??\C:\WINDOWS\system32\87.scr - succeeded
DeleteFile \??\C:\WINDOWS\system32\88.scr - succeeded
Delete File "C:\WINDOWS\system\msile.exe" - failed (0xC000003B)
Delete Service & File msile - failed (0xC0000121)
Delete File \??\C:\WINDOWS\system32\drivers\sysdrv32.sys - succeeded
Delete Service & File sysdrv32 - failed (0xC0000121)
-- End --

Dopuna: 06 Mar 2009 17:42

Sad mi izbacilo shvost samo pisalo i kad sam dao close nsita se nije dogodilo nije se iskljucilo iz neta !

Poslao: 06 Mar 2009 17:44
Idi na vrh
offline
  • dr_Bora  Male
  • Anti Malware Fighter
    Rank 2
  • Pridružio: 24 Jul 2007
  • Poruke: 12280
  • Gde živiš: Höganäs, SE

Idemo još jednom...


Ponovo pokreni AVZ. Klikni File > Custom scripts.

U prozor koji se otvori iskopiraj sve što se nalazi unutar Kod polja:



var a, b:dword;


Procedure AddAlarm(AFileName, AMsg : string);

begin
  BC_QrFile(AFileName);
  BC_DeleteFile(AFileName)
end;


Procedure ScanFile(AFileName : string);

begin
  b:=b+1;
  SetStatusBarText(AFileName);
  LoadFileToBuffer(AFileName);
  If SearchSign('8B 45 F8 6B C0 28 8B 4D 14 83 7C 01 0C 00',0, 0) >= 0 Then
    begin
      AddAlarm(AFileName, '');
      a:=a+1;
    end;
  FreeBuffer;
end;


Procedure ScanDir(ADirName : string; AScanSubDir : boolean);

var FS : TFileSearch;

begin
  ADirName := NormalDir(ADirName);
  FS := TFileSearch.Create(nil);
  FS.FindFirst(ADirName + '*.*');
  While FS.Found do
    begin
      If FS.IsDir Then
        begin
          If AScanSubDir and (FS.FileName <> '.') and (FS.FileName <> '..') then
            ScanDir(ADirName + FS.FileName, AScanSubDir)
        end
      Else
        ScanFile(ADirName + FS.FileName);
      FS.FindNext;
    end;
  FS.Free;
end;



begin
  a:=0;
  b:=0;
  SearchRootkit(true, true);
  SetAVZGuardStatus(True);
  ScanDir('C:\WINDOWS', true);
  SaveLog('C:\izvestaj.log');
  BC_DisableSvc('sysdrv32');
  BC_DeleteSvc('sysdrv32');
  BC_DisableSvc('msile')
  BC_DeleteSvc('msile');
  BC_LogFile('C:\izvestaj.log');
  BC_Execute;
  BC_Activate;
  RebootWindows(True)
end.




Pažljivo pri kopiranju, svaki znak je bitan.

Zatim isključi sve programe i, u AVZ-ovom prozoru, klikni Run taster.

Na kraju postupka, doći će do restarta kompjutera.

Nakon ponovnog pokretanja sistema, iskopiraj ovde sadržaj file-a C:\izvestaj.log.

Poslao: 06 Mar 2009 18:43
Idi na vrh
offline
  • Pridružio: 04 Mar 2009
  • Poruke: 54
  • Gde živiš: Vojvodina Serbia Selenca

Quarantine path: \??\C:\Documents and Settings\Ziska\Desktop\avz4\avz4\Quarantine\2009-03-06\
QuarantineFile \??\C:\WINDOWS\system\msile.exe - succeeded
QuarantineFile \??\C:\WINDOWS\system32\84.scr - succeeded
DeleteFile \??\C:\WINDOWS\system\msile.exe - failed (0xC0000121)
DeleteFile \??\C:\WINDOWS\system32\84.scr - succeeded
Delete File "C:\WINDOWS\system\msile.exe" - failed (0xC000003B)
Delete Service & File msile - failed (0xC0000121)
Delete File \??\C:\WINDOWS\system32\drivers\sysdrv32.sys - succeeded
Delete Service & File sysdrv32 - failed (0xC0000121)
-- End --

Dopuna: 06 Mar 2009 18:43

?????????????

Poslao: 06 Mar 2009 18:52
Idi na vrh
offline
  • dr_Bora  Male
  • Anti Malware Fighter
    Rank 2
  • Pridružio: 24 Jul 2007
  • Poruke: 12280
  • Gde živiš: Höganäs, SE

Dvoklikom pokreni ComboFix i postavi log koji dobiješ.

Poslao: 07 Mar 2009 00:09
Idi na vrh
offline
  • Pridružio: 04 Mar 2009
  • Poruke: 54
  • Gde živiš: Vojvodina Serbia Selenca

ComboFix 09-03-04.01 - Ziska 2009-03-06 18:53:36.8 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.255.61 [GMT 1:00]
Running from: c:\documents and settings\Ziska\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated)

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system\svhost.exe
c:\windows\system32\drivers\sysdrv32.sys

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_SYSDRV32
-------\Service_sysdrv32


((((((((((((((((((((((((( Files Created from 2009-02-06 to 2009-03-06 )))))))))))))))))))))))))))))))
.

2009-03-06 18:37 . 2009-03-06 18:37 995,328 --a------ c:\windows\system32\77.scr
2009-03-06 18:24 . 2009-03-06 18:24 41,987 --a------ c:\windows\system32\26.scr
2009-03-06 18:08 . 2009-03-06 18:08 41,987 --a------ c:\windows\system32\80.scr
2009-03-06 17:47 . 2009-03-06 17:47 995,328 --a------ c:\windows\system32\15.scr
2009-03-06 17:34 . 2009-03-06 17:49 995,328 --a------ c:\windows\system32\51.scr
2009-03-06 15:05 . 2009-03-06 15:05 995,328 --a------ c:\windows\system32\07.scr
2009-03-06 14:49 . 2009-03-06 14:49 995,328 --a------ c:\windows\system32\13.scr
2009-03-06 13:45 . 2009-03-06 14:45 995,328 --a------ c:\windows\system32\32.scr
2009-03-06 13:39 . 2009-03-06 13:39 995,328 --a------ c:\windows\system32\74.scr
2009-03-06 12:56 . 2009-03-06 14:07 995,328 --a------ c:\windows\system32\42.scr
2009-03-06 11:50 . 2009-03-06 12:30 995,328 --a------ c:\windows\system32\20.scr
2009-03-06 11:40 . 2009-03-06 11:40 995,328 --a------ c:\windows\system32\65.scr
2009-03-06 11:19 . 2009-03-06 18:26 41,987 --a------ c:\windows\system32\05.scr
2009-03-06 11:11 . 2009-03-06 11:30 995,328 --a------ c:\windows\system32\53.scr
2009-03-06 10:32 . 2009-03-06 10:32 995,328 --a------ c:\windows\system32\55.scr
2009-03-06 10:29 . 2009-03-06 10:29 995,328 --a------ c:\windows\system32\76.scr
2009-03-06 10:19 . 2009-03-06 18:37 <DIR> d-a------ c:\documents and settings\All Users\Application Data\TEMP
2009-03-06 00:43 . 2009-03-06 00:44 <DIR> d-------- c:\program files\Croatian Mini-Dictionary
2009-03-05 21:35 . 2009-03-06 18:04 41,987 -r-hs---- c:\windows\system\msile.exe
2009-03-05 19:30 . 2009-03-05 19:54 250 --a------ c:\windows\gmer.ini
2009-03-05 12:35 . 2009-03-05 12:35 63 --a------ c:\windows\wininit.ini
2009-03-04 21:52 . 2009-03-04 21:52 <DIR> d-------- c:\program files\Trend Micro
2009-03-04 19:34 . 2009-03-04 19:34 <DIR> d-------- c:\program files\Stardock
2009-03-04 19:34 . 2009-03-04 19:34 <DIR> d-------- c:\program files\Common Files\Stardock
2009-03-04 19:17 . 2009-03-04 19:17 2,560 --a------ c:\windows\_MSRSTRT.EXE
2009-03-03 20:47 . 2009-03-04 19:34 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2009-03-03 20:47 . 2009-02-11 10:19 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2009-03-03 20:47 . 2009-02-11 10:19 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2009-03-01 14:22 . 2009-03-01 14:22 <DIR> d---s---- c:\documents and settings\Ziska\UserData
2009-03-01 13:23 . 2009-03-06 12:22 <DIR> d--h----- C:\$AVG8.VAULT$
2009-03-01 12:40 . 2009-03-06 09:03 <DIR> d-------- c:\windows\system32\drivers\Avg
2009-03-01 12:40 . 2009-03-01 14:22 <DIR> d-------- c:\documents and settings\Ziska\Application Data\AVGTOOLBAR
2009-03-01 12:40 . 2009-03-01 12:40 325,128 --a------ c:\windows\system32\drivers\avgldx86.sys
2009-03-01 12:40 . 2009-03-01 12:40 107,272 --a------ c:\windows\system32\drivers\avgtdix.sys
2009-03-01 12:40 . 2009-03-01 12:40 10,520 --a------ c:\windows\system32\avgrsstx.dll
2009-03-01 12:39 . 2009-03-01 12:39 <DIR> d-------- c:\program files\AVG
2009-03-01 12:39 . 2009-03-01 12:39 <DIR> d-------- c:\documents and settings\All Users\Application Data\avg8
2009-03-01 02:24 . 2009-03-01 23:04 <DIR> d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-02-27 20:56 . 2009-03-01 01:14 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware(2)
2009-02-26 22:02 . 2009-02-26 22:02 <DIR> d-------- c:\documents and settings\Ziska\Application Data\Malwarebytes
2009-02-26 22:02 . 2009-02-26 22:02 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-02-14 18:46 . 2009-03-03 17:37 238 --a------ c:\windows\mafosav.INI
2009-02-14 15:55 . 2009-02-14 15:55 <DIR> d-------- c:\program files\Google

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-03-06 17:24 --------- d-----w c:\documents and settings\All Users\Application Data\WLInstaller
2009-03-06 17:16 --------- d-----w c:\program files\FlashGet
2009-03-06 16:36 --------- d-----w c:\program files\Windows Live
2009-02-07 15:22 --------- d--h--w c:\program files\InstallShield Installation Information
2009-02-07 12:02 --------- d-----w c:\program files\Messenger Plus! Live
2009-01-25 18:12 --------- d-----w c:\program files\Common Files\Real
2009-01-24 11:34 410,984 ----a-w c:\windows\system32\deploytk.dll
2009-01-23 21:31 --------- d-----w c:\documents and settings\Ziska\Application Data\HLSW
2009-01-16 22:24 --------- dcsh--w c:\program files\Common Files\WindowsLiveInstaller
2009-01-12 19:58 --------- d-----w c:\documents and settings\Ziska\Application Data\NetSupport
2009-01-12 19:53 --------- d-----w c:\program files\NetSupport
2009-01-12 19:53 --------- d-----w c:\documents and settings\All Users\Application Data\NetSupport
2009-01-11 21:19 --------- d-----w c:\program files\MessengerDiscovery
2008-12-28 12:05 218,624 ----a-w c:\windows\system32\uxtheme.dll
2008-12-28 12:05 111,110 ----a-w c:\windows\BricoPackUninst.cmd
.

------- Sigcheck -------

2008-04-14 04:42 699904 8a513e79e7980018daedca586b866bc3 c:\windows\system32\wininet.dll
2008-04-14 04:42 699904 8a513e79e7980018daedca586b866bc3 c:\windows\system32\dllcache\wininet.dll

2008-04-14 04:42 975872 561a50497324f378e30f55d09b4e1258 c:\windows\explorer.exe
2008-04-14 04:42 975872 088a0cd3d4cd3b584f3a4150d6cf941e c:\windows\system32\dllcache\explorer.exe
.
((((((((((((((((((((((((((((( SnapShot@2009-03-04_23.24.58.42 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-03-05 18:30:17 884,736 ----a-w c:\windows\gmer.dll
+ 2008-04-17 20:13:02 811,008 ----a-w c:\windows\gmer.exe
- 2008-12-28 15:07:56 29,926 ----a-r c:\windows\Installer\{508CE775-4BA4-4748-82DF-FE28DA9F03B0}\MsblIco.Exe
+ 2009-03-05 23:42:33 29,926 ----a-r c:\windows\Installer\{508CE775-4BA4-4748-82DF-FE28DA9F03B0}\MsblIco.Exe
+ 2009-03-05 22:14:17 58,945 ----a-r c:\windows\Installer\{7739A0FE-2D25-4298-9414-1EC8A410CD53}\wlmail.exe
+ 2009-03-05 18:30:17 85,969 ----a-w c:\windows\system32\drivers\gmer.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="c:\program files\Windows Live\Messenger\MsnMsgr.Exe" [2007-10-18 5724184]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2005-12-10 7311360]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2005-12-10 86016]
"Flashget"="c:\program files\FlashGet\FlashGet.exe" [2007-09-25 2007088]
"ClocX"="c:\program files\ClocX\ClocX.exe" [2007-07-26 270336]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-03-01 1601304]
"SoundMan"="SOUNDMAN.EXE" [2004-12-01 c:\windows\SOUNDMAN.EXE]
"nwiz"="nwiz.exe" [2005-12-10 c:\windows\system32\nwiz.exe]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-03-01 12:40 10520 c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\msile]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MSNETDED]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\FlashGet\\flashget.exe"=
"c:\\Program Files\\Ares\\Ares.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"c:\\Program Files\\NetSupport\\NetSupport Manager\\client32.exe"=
"c:\\Program Files\\NetSupport\\NetSupport Manager\\PCICTLUI.EXE"=
"c:\\Program Files\\NetSupport\\NetSupport Manager\\pcideply.exe"=
"c:\\Program Files\\NetSupport\\NetSupport Manager\\PCISA.EXE"=
"c:\\Program Files\\NetSupport\\NetSupport Manager\\pciscrui.exe"=
"c:\\Program Files\\NetSupport\\NetSupport Manager\\runscrip.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"139:TCP"= 139:TCP:@xpsp2res.dll,-22004

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [3/1/2009 12:40:10 PM 325128]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [3/1/2009 12:40:18 PM 107272]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [3/1/2009 12:39:44 PM 298264]
S2 msile;microsoft install le;c:\windows\system\msile.exe [3/5/2009 9:35:24 PM 41987]
S2 MSNETDED;Network Monitor service;"c:\windows\system\svhost.exe" --> c:\windows\system\svhost.exe [?]
S3 3xHybrid;3xHybrid service;c:\windows\system32\drivers\3xHybrid.sys [12/26/2008 11:23:14 AM 670592]
S3 SetupNTGLM7X;SetupNTGLM7X;\??\e:\ntglm7x.sys --> e:\NTGLM7X.sys [?]
.
.
------- Supplementary Scan -------
.
IE: &Download All with FlashGet - c:\program files\FlashGet\jc_all.htm
IE: &Download with FlashGet - c:\program files\FlashGet\jc_link.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
TCP: {BCE8778D-1AE7-46C0-98F0-93CB5E6CF7BC} = 195.252.122.154
FF - ProfilePath - c:\documents and settings\Ziska\Application Data\Mozilla\Firefox\Profiles\nhsg24iv.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.live.com/results.aspx?FORM=IEFM1&q=
FF - prefs.js: browser.search.selectedEngine - Live Search
FF - prefs.js: browser.startup.homepage - hxxp://www.abakusbp.net/
FF - prefs.js: keyword.URL - hxxp://search.live.com/results.aspx?FORM=IEFM1&q=
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, gmer.net
Rootkit scan 2009-03-06 18:57:44
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\Nf815c75f]
@Denied: (4) (Everyone)
@Denied: (4) (Administrators)
@Allowed: (A B C D Full GENERIC_EXECUTE GENERIC_WRITE Read 1 2 3 4 5 6) (LocalSystem)
"a"="M"
"InternetCode"="U52LDJMC37ONPGW35EG4SPJX45LFAJ6ESRKK7IY8"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'csrss.exe'(536)
c:\program files\NetSupport\NetSupport Manager\pcihooks.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\NetSupport\NetSupport Manager\client32.exe
c:\windows\system32\nvsvc32.exe
c:\program files\AVG\AVG8\avgrsx.exe
c:\progra~1\AVG\AVG8\avgnsx.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2009-03-06 18:59:53 - machine was rebooted
ComboFix-quarantined-files.txt 2009-03-06 17:59:49
ComboFix2.txt 2009-03-05 21:25:57
ComboFix3.txt 2009-03-05 20:16:42
ComboFix4.txt 2009-03-05 17:45:26
ComboFix5.txt 2009-03-06 17:53:05

Pre-Run: 5,931,597,824 bytes free
Post-Run: 6,018,867,200 bytes free

199
Nisam mogao pre net mi se poprawljao !

Dopuna: 07 Mar 2009 0:09

Sta ce mo dalje?

Poslao: 07 Mar 2009 09:17
Idi na vrh
offline
  • dr_Bora  Male
  • Anti Malware Fighter
    Rank 2
  • Pridružio: 24 Jul 2007
  • Poruke: 12280
  • Gde živiš: Höganäs, SE

Upload-uj sledeće file-ove:

c:\windows\system32\wininet.dll
c:\windows\explorer.exe


Upload link: http://www.mycity.rs/ambulanta-upload.php

MyCity » Ambulanta -> Arhiva Ambulante » shvost.exe Problem !!

Ko je trenutno na forumu
 

Ukupno su 1000 korisnika na forumu :: 33 registrovanih, 8 sakrivenih i 959 gosta   ::   [ Administrator ] [ Supermoderator ] [ Moderator ] :: Detaljnije

Najviše korisnika na forumu ikad bilo je 3466 - dana 01 Jun 2021 17:07

Korisnici koji su trenutno na forumu:
Korisnici trenutno na forumu: _Rade, cavatina, darionis, DeerHunter, dragoljub11987, ekser222, Georgius, HogarStrashni, HrcAk47, Još malo pa deda, kolle.the.kid, Koridor, Kriglord, Kubovac, kybonacci, laganini123, Leonov, Lieutenant, Lucije Kvint, mercedesamg, Mercury, mikrimaus, milenko crazy north, mkukoleca, MrNo, Sass Drake, Sirius, tubular, vathra, W123, Žoržo, Žrnov, 79693