shvost.exe Problem !!


offline
  • Joined: 04 Mar 2009
  • Posts: 54
  • Location: Vojvodina Serbia Selenca

Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Control Panel\Desktop]
"ActiveWndTrkTimeout"=dword:00000000
"AutoEndTasks"="0"
"CaretWidth"=dword:00000001
"CoolSwitch"="1"
"CoolSwitchColumns"="7"
"CoolSwitchRows"="3"
"CursorBlinkRate"="530"
"DragFullWindows"="1"
"DragHeight"="4"
"DragWidth"="4"
"FontSmoothing"="2"
"FontSmoothingOrientation"=dword:00000001
"FontSmoothingType"=dword:00000001
"ForegroundFlashCount"=dword:00000003
"ForegroundLockTimeout"=dword:00030d40
"GridGranularity"="0"
"HungAppTimeout"="5000"
"LowPowerActive"="0"
"LowPowerTimeOut"="0"
"MenuShowDelay"="400"
"PaintDesktopVersion"=dword:00000000
"PowerOffActive"="0"
"PowerOffTimeOut"="1200"
"ScreenSaverIsSecure"="0"
"ScreenSaveTimeOut"="600"
"ScreenSaveActive"="1"
"TileWallpaper"="0"
"UserPreferencesMask"=hex:9e,3e,07,80
"WaitToKillAppTimeout"="20000"
"Wallpaper"="D:\\Documents\\Moje Obrazki\\CANTWO\\wall8.bmp"
"WallpaperStyle"="2"
"OriginalWallpaper"="C:\\Documents and Settings\\Ziska\\Local Settings\\Application Data\\Microsoft\\Wallpaper1.bmp"
"WheelScrollLines"="3"
"Pattern Upgrade"="TRUE"
"ConvertedWallpaper"="C:\\WINDOWS\\Web\\Wallpaper\\Windows XP.jpg"
"ConvertedWallpaper Last WriteTime"=hex:00,20,7c,22,cb,2b,c1,01

[HKEY_CURRENT_USER\Control Panel\Desktop\WindowMetrics]
"BorderWidth"="0"
"CaptionFont"=hex:f4,ff,ff,ff,00,00,00,00,00,00,00,00,00,00,00,00,bc,02,00,00,\
00,00,00,01,00,00,00,00,54,00,72,00,65,00,62,00,75,00,63,00,68,00,65,00,74,\
00,20,00,4d,00,53,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00
"CaptionHeight"="-375"
"CaptionWidth"="-270"
"IconFont"=hex:f5,ff,ff,ff,00,00,00,00,00,00,00,00,00,00,00,00,90,01,00,00,00,\
00,00,01,00,00,00,00,54,00,61,00,68,00,6f,00,6d,00,61,00,00,00,00,00,00,00,\
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00
"IconSpacing"="-1125"
"IconTitleWrap"="1"
"IconVerticalspacing"="-1125"
"MenuFont"=hex:f5,ff,ff,ff,00,00,00,00,00,00,00,00,00,00,00,00,90,01,00,00,00,\
00,00,01,00,00,00,00,54,00,61,00,68,00,6f,00,6d,00,61,00,00,00,00,00,00,00,\
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00
"MenuHeight"="-285"
"MenuWidth"="-270"
"MessageFont"=hex:f5,ff,ff,ff,00,00,00,00,00,00,00,00,00,00,00,00,90,01,00,00,\
00,00,00,01,00,00,00,00,54,00,61,00,68,00,6f,00,6d,00,61,00,00,00,00,00,00,\
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00
"ScrollHeight"="-285"
"ScrollWidth"="-285"
"Shell Icon BPP"="16"
"SmCaptionFont"=hex:f4,ff,ff,ff,00,00,00,00,00,00,00,00,00,00,00,00,bc,02,00,\
00,00,00,00,01,00,00,00,00,54,00,61,00,68,00,6f,00,6d,00,61,00,00,00,00,00,\
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00
"SmCaptionHeight"="-285"
"SmCaptionWidth"="-285"
"StatusFont"=hex:f5,ff,ff,ff,00,00,00,00,00,00,00,00,00,00,00,00,90,01,00,00,\
00,00,00,01,00,00,00,00,54,00,61,00,68,00,6f,00,6d,00,61,00,00,00,00,00,00,\
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00
"AppliedDPI"=dword:00000060
"Shell Icon Size"="32"
"MinAnimate"="1"

Nothing...

Update: 05 Mar 2009 23:29

now???????

offline
  • dr_Bora  Male
  • Anti Malware Fighter
    Rank 2
  • Joined: 24 Jul 2007
  • Posts: 12280
  • Location: Höganäs, SE

Download the AVZ program from the following link:

http://devbuilds.kaspersky-labs.com/devbuilds/AVZ/avz4.zip

Unpack that zip file (be sure to unpack it - do not run the program from inside the zip).

Open the folder the archive was unpacked into and run avz.exe.

Click File, then Custom scripts.

In the window that opens, paste everything inside the Code box:

var a, b:dword;

Procedure AddAlarm(AFileName, AMsg : string);
begin
  AddtoLog('>>>>>  '+AFileName+AMsg);
end;

Procedure ScanFile(AFileName : string);
begin
  b:=b+1;
  SetStatusBarText(AFileName);
  LoadFileToBuffer(AFileName);
  If SearchSign('8B 45 F8 6B C0 28 8B 4D 14 83 7C 01 0C 00',0, 0) >= 0 Then
    begin
      AddAlarm(AFileName, '');
      a:=a+1;
    end;
  FreeBuffer;
end;

Procedure ScanDir(ADirName : string; AScanSubDir : boolean);
var FS : TFileSearch;
begin
  ADirName := NormalDir(ADirName);
  FS := TFileSearch.Create(nil);
  FS.FindFirst(ADirName + '*.*');
  While FS.Found do
    begin
      If FS.IsDir Then
        begin
          If AScanSubDir and (FS.FileName <> '.') and (FS.FileName <> '..') then
            ScanDir(ADirName + FS.FileName, AScanSubDir)
        end
      Else
        ScanFile(ADirName + FS.FileName);
      FS.FindNext;
    end;
  FS.Free;
end;

begin
  a:=0;
  b:=0;
  ScanDir('C:\WINDOWS', true);
  AddToLog('');
  AddToLog('Files scanned: ' + IntToStr(b));
  AddToLog('Files detected:' + IntToStr(a));
  SaveLog('c:\scan_log.txt');
  ExecuteFile ('notepad.exe', 'c:\scan_log.txt', 1, 0, false);
end.



Click the Run button.

When the scan is finished, the log file will open in Notepad.

Paste the contents of that log here.
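As an added illustration (not part of dr_Bora's post and not AVZ's own code), here is the same scan logic in Python: walk a directory tree, read each file in chunks, and report every file that contains the byte signature dr_Bora's script searches for. The sample directory tree, file names and contents are constructed inside the block; the chunked read with overlap is there to catch a signature that straddles a read boundary, something a whole-file read like AVZ's LoadFileToBuffer never has to worry about.

```python
import os
import tempfile
from pathlib import Path

# Byte signature taken from the AVZ script in dr_Bora's post above.
SIGNATURE_HEX = "8B 45 F8 6B C0 28 8B 4D 14 83 7C 01 0C 00"
SIGNATURE = bytes.fromhex(SIGNATURE_HEX)


def file_has_signature(path, signature=SIGNATURE, chunk_size=1 << 20):
    """Return True if `signature` occurs anywhere in the file at `path`.

    The file is read in chunks; the last len(signature)-1 bytes of the previous
    chunk are prepended to the next one, so a match that straddles a chunk
    boundary is still found and the whole file never has to sit in memory.
    """
    overlap = max(len(signature) - 1, 0)
    tail = b""
    with open(path, "rb") as fh:
        while True:
            chunk = fh.read(chunk_size)
            if not chunk:
                return False
            window = tail + chunk
            if signature in window:
                return True
            tail = window[-overlap:] if overlap else b""


def scan_dir(root, signature=SIGNATURE, recurse=True, chunk_size=1 << 20):
    """Walk `root` like the AVZ ScanDir/ScanFile pair: count every regular file
    and collect the paths that contain `signature`. Files that cannot be
    opened (locked, permission denied) are counted as scanned but not matched."""
    scanned = 0
    hits = []
    for dirpath, dirnames, filenames in os.walk(root):
        if not recurse:
            dirnames[:] = []  # stop os.walk from descending further
        for name in filenames:
            path = os.path.join(dirpath, name)
            scanned += 1
            try:
                if file_has_signature(path, signature, chunk_size):
                    hits.append(path)
            except OSError:
                continue
    return scanned, hits


def build_sample_tree(base):
    """Create a small constructed tree for the demo: one clean file, one file
    with the signature in the middle, and one where the signature straddles a
    64-byte chunk boundary. File names and contents are made up."""
    base = Path(base)
    (base / "system32").mkdir()
    (base / "system").mkdir()
    (base / "system32" / "clean.dll").write_bytes(b"MZ" + b"\x90" * 64)
    (base / "system32" / "12.scr").write_bytes(b"MZ" + b"\x00" * 40 + SIGNATURE + b"\xcc" * 10)
    (base / "system" / "boundary.bin").write_bytes(b"\x00" * 60 + SIGNATURE + b"\x00" * 10)


def run_demo():
    """Build the sample tree in a temp dir, scan it with a 64-byte chunk size so
    the boundary case is exercised, and return (files_scanned, relative hits)."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        scanned, hits = scan_dir(tmp, chunk_size=64)
        return scanned, sorted(os.path.relpath(h, tmp) for h in hits)


if __name__ == "__main__":
    scanned, hits = run_demo()
    for h in hits:
        print(">>>>>  " + h)
    print("Files scanned:", scanned)
    print("Files detected:", len(hits))
```

Run as a script it prints the same ">>>>>" marker lines and the scanned/detected counts that the AVZ log shows; the 64-byte chunk size in run_demo is only there so the boundary case is exercised with tiny files, a real scan keeps the 1 MiB default.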

offline
  • Joined: 04 Mar 2009
  • Posts: 54
  • Location: Vojvodina Serbia Selenca

Script error: ';' expected, position [59:1]
Script error: ';' expected, position [59:1]
Script error: ';' expected, position [59:1]
Script error: 'BEGIN' expected, position [1:1]
Script error: 'BEGIN' expected, position [1:1]
Script error: 'BEGIN' expected, position [1:1]
Script error: 'BEGIN' expected, position [1:1]
>>>>> C:\WINDOWS\system\msile.exe
>>>>> C:\WINDOWS\system32\00.scr
>>>>> C:\WINDOWS\system32\01.scr
>>>>> C:\WINDOWS\system32\04.scr
>>>>> C:\WINDOWS\system32\28.scr
>>>>> C:\WINDOWS\system32\43.scr
>>>>> C:\WINDOWS\system32\50.scr
>>>>> C:\WINDOWS\system32\68.scr
>>>>> C:\WINDOWS\system32\82.scr

Files scanned: 10031
Files detected:9
Here you go, doctor, a bit faster if possible! Can it be fixed? I'm off to sleep, talk to you tomorrow!

offline
  • dr_Bora  Male
  • Anti Malware Fighter
    Rank 2
  • Joined: 24 Jul 2007
  • Posts: 12280
  • Location: Höganäs, SE

Run AVZ again. Click File > Custom scripts.

In the window that opens, paste everything inside the Code box:



var a, b:dword;

Procedure AddAlarm(AFileName, AMsg : string);
begin
  BC_QrFile(AFileName);
  BC_DeleteFile(AFileName)
end;

Procedure ScanFile(AFileName : string);
begin
  b:=b+1;
  SetStatusBarText(AFileName);
  LoadFileToBuffer(AFileName);
  If SearchSign('8B 45 F8 6B C0 28 8B 4D 14 83 7C 01 0C 00',0, 0) >= 0 Then
    begin
      AddAlarm(AFileName, '');
      a:=a+1;
    end;
  FreeBuffer;
end;

Procedure ScanDir(ADirName : string; AScanSubDir : boolean);
var FS : TFileSearch;
begin
  ADirName := NormalDir(ADirName);
  FS := TFileSearch.Create(nil);
  FS.FindFirst(ADirName + '*.*');
  While FS.Found do
    begin
      If FS.IsDir Then
        begin
          If AScanSubDir and (FS.FileName <> '.') and (FS.FileName <> '..') then
            ScanDir(ADirName + FS.FileName, AScanSubDir)
        end
      Else
        ScanFile(ADirName + FS.FileName);
      FS.FindNext;
    end;
  FS.Free;
end;

begin
  a:=0;
  b:=0;
  SearchRootkit(true, true);
  SetAVZGuardStatus(True);
  ScanDir('C:\WINDOWS', true);
  SaveLog('C:\izvestaj.log');
  BC_DeleteSvc('msile');
  BC_DeleteSvc('sysdrv32');
  BC_LogFile('C:\izvestaj.log');
  BC_Activate;
  RebootWindows(True)
end.




Be careful when copying, every character matters.

Then close all programs and, in the AVZ window, click the Run button.

At the end of the procedure the computer will restart.

After the system comes back up, paste the contents of the file C:\izvestaj.log here.

offline
  • Joined: 04 Mar 2009
  • Posts: 54
  • Location: Vojvodina Serbia Selenca

Quarantine path: \??\C:\Documents and Settings\Ziska\Desktop\avz4\avz4\Quarantine\2009-03-06\
QuarantineFile \??\C:\WINDOWS\system\msile.exe - succeeded
QuarantineFile \??\C:\WINDOWS\system32\00.scr - succeeded
QuarantineFile \??\C:\WINDOWS\system32\01.scr - succeeded
QuarantineFile \??\C:\WINDOWS\system32\04.scr - succeeded
QuarantineFile \??\C:\WINDOWS\system32\10.scr - succeeded
QuarantineFile \??\C:\WINDOWS\system32\11.scr - succeeded
QuarantineFile \??\C:\WINDOWS\system32\28.scr - succeeded
QuarantineFile \??\C:\WINDOWS\system32\30.scr - succeeded
QuarantineFile \??\C:\WINDOWS\system32\34.scr - succeeded
QuarantineFile \??\C:\WINDOWS\system32\35.scr - succeeded
QuarantineFile \??\C:\WINDOWS\system32\43.scr - succeeded
QuarantineFile \??\C:\WINDOWS\system32\44.scr - succeeded
QuarantineFile \??\C:\WINDOWS\system32\50.scr - succeeded
QuarantineFile \??\C:\WINDOWS\system32\51.scr - succeeded
QuarantineFile \??\C:\WINDOWS\system32\54.scr - succeeded
QuarantineFile \??\C:\WINDOWS\system32\58.scr - succeeded
QuarantineFile \??\C:\WINDOWS\system32\62.scr - succeeded
QuarantineFile \??\C:\WINDOWS\system32\68.scr - succeeded
QuarantineFile \??\C:\WINDOWS\system32\75.scr - succeeded
QuarantineFile \??\C:\WINDOWS\system32\77.scr - succeeded
QuarantineFile \??\C:\WINDOWS\system32\82.scr - succeeded
QuarantineFile \??\C:\WINDOWS\system32\85.scr - succeeded
QuarantineFile \??\C:\WINDOWS\system32\86.scr - succeeded
QuarantineFile \??\C:\WINDOWS\system32\87.scr - succeeded
QuarantineFile \??\C:\WINDOWS\system32\88.scr - succeeded
DeleteFile \??\C:\WINDOWS\system\msile.exe - failed (0xC0000121)
DeleteFile \??\C:\WINDOWS\system32\00.scr - succeeded
DeleteFile \??\C:\WINDOWS\system32\01.scr - succeeded
DeleteFile \??\C:\WINDOWS\system32\04.scr - succeeded
DeleteFile \??\C:\WINDOWS\system32\10.scr - succeeded
DeleteFile \??\C:\WINDOWS\system32\11.scr - succeeded
DeleteFile \??\C:\WINDOWS\system32\28.scr - succeeded
DeleteFile \??\C:\WINDOWS\system32\30.scr - succeeded
DeleteFile \??\C:\WINDOWS\system32\34.scr - succeeded
DeleteFile \??\C:\WINDOWS\system32\35.scr - succeeded
DeleteFile \??\C:\WINDOWS\system32\43.scr - succeeded
DeleteFile \??\C:\WINDOWS\system32\44.scr - succeeded
DeleteFile \??\C:\WINDOWS\system32\50.scr - succeeded
DeleteFile \??\C:\WINDOWS\system32\51.scr - succeeded
DeleteFile \??\C:\WINDOWS\system32\54.scr - succeeded
DeleteFile \??\C:\WINDOWS\system32\58.scr - succeeded
DeleteFile \??\C:\WINDOWS\system32\62.scr - succeeded
DeleteFile \??\C:\WINDOWS\system32\68.scr - succeeded
DeleteFile \??\C:\WINDOWS\system32\75.scr - succeeded
DeleteFile \??\C:\WINDOWS\system32\77.scr - succeeded
DeleteFile \??\C:\WINDOWS\system32\82.scr - succeeded
DeleteFile \??\C:\WINDOWS\system32\85.scr - succeeded
DeleteFile \??\C:\WINDOWS\system32\86.scr - succeeded
DeleteFile \??\C:\WINDOWS\system32\87.scr - succeeded
DeleteFile \??\C:\WINDOWS\system32\88.scr - succeeded
Delete File "C:\WINDOWS\system\msile.exe" - failed (0xC000003B)
Delete Service & File msile - failed (0xC0000121)
Delete File \??\C:\WINDOWS\system32\drivers\sysdrv32.sys - succeeded
Delete Service & File sysdrv32 - failed (0xC0000121)
-- End --

Update: 06 Mar 2009 17:42

Now shvost popped up again, it just showed text, and when I clicked close nothing happened, it didn't disconnect from the internet!

offline
  • dr_Bora  Male
  • Anti Malware Fighter
    Rank 2
  • Joined: 24 Jul 2007
  • Posts: 12280
  • Location: Höganäs, SE

Let's go once more...

Run AVZ again. Click File > Custom scripts.

In the window that opens, paste everything inside the Code box:



var a, b:dword;

Procedure AddAlarm(AFileName, AMsg : string);
begin
  BC_QrFile(AFileName);
  BC_DeleteFile(AFileName)
end;

Procedure ScanFile(AFileName : string);
begin
  b:=b+1;
  SetStatusBarText(AFileName);
  LoadFileToBuffer(AFileName);
  If SearchSign('8B 45 F8 6B C0 28 8B 4D 14 83 7C 01 0C 00',0, 0) >= 0 Then
    begin
      AddAlarm(AFileName, '');
      a:=a+1;
    end;
  FreeBuffer;
end;

Procedure ScanDir(ADirName : string; AScanSubDir : boolean);
var FS : TFileSearch;
begin
  ADirName := NormalDir(ADirName);
  FS := TFileSearch.Create(nil);
  FS.FindFirst(ADirName + '*.*');
  While FS.Found do
    begin
      If FS.IsDir Then
        begin
          If AScanSubDir and (FS.FileName <> '.') and (FS.FileName <> '..') then
            ScanDir(ADirName + FS.FileName, AScanSubDir)
        end
      Else
        ScanFile(ADirName + FS.FileName);
      FS.FindNext;
    end;
  FS.Free;
end;

begin
  a:=0;
  b:=0;
  SearchRootkit(true, true);
  SetAVZGuardStatus(True);
  ScanDir('C:\WINDOWS', true);
  SaveLog('C:\izvestaj.log');
  BC_DisableSvc('sysdrv32');
  BC_DeleteSvc('sysdrv32');
  BC_DisableSvc('msile');
  BC_DeleteSvc('msile');
  BC_LogFile('C:\izvestaj.log');
  BC_Execute;
  BC_Activate;
  RebootWindows(True)
end.




Be careful when copying, every character matters.

Then close all programs and, in the AVZ window, click the Run button.

At the end of the procedure the computer will restart.

After the system comes back up, paste the contents of the file C:\izvestaj.log here.

offline
  • Joined: 04 Mar 2009
  • Posts: 54
  • Location: Vojvodina Serbia Selenca

Quarantine path: \??\C:\Documents and Settings\Ziska\Desktop\avz4\avz4\Quarantine\2009-03-06\
QuarantineFile \??\C:\WINDOWS\system\msile.exe - succeeded
QuarantineFile \??\C:\WINDOWS\system32\84.scr - succeeded
DeleteFile \??\C:\WINDOWS\system\msile.exe - failed (0xC0000121)
DeleteFile \??\C:\WINDOWS\system32\84.scr - succeeded
Delete File "C:\WINDOWS\system\msile.exe" - failed (0xC000003B)
Delete Service & File msile - failed (0xC0000121)
Delete File \??\C:\WINDOWS\system32\drivers\sysdrv32.sys - succeeded
Delete Service & File sysdrv32 - failed (0xC0000121)
-- End --

Update: 06 Mar 2009 18:43

?????????????
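Added example, not from the thread and not AVZ's own tooling: a small Python parser for the AVZ boot-cleaner result format in the two izvestaj.log posts above. It separates succeeded from failed operations, names the NTSTATUS code behind each failure (0xC0000121 is STATUS_CANNOT_DELETE, 0xC000003B is STATUS_OBJECT_PATH_SYNTAX_BAD), and lists the targets that survived the run. The sample log embedded in the block is the 18:43 result from this thread; the function and variable names are my own.

```python
import re

# NTSTATUS values seen in the AVZ logs in this thread, with their standard names.
# Codes not listed here are reported as UNKNOWN_NTSTATUS.
NTSTATUS_NAMES = {
    0xC0000121: "STATUS_CANNOT_DELETE",
    0xC000003B: "STATUS_OBJECT_PATH_SYNTAX_BAD",
}

# One AVZ boot-cleaner result line, e.g.
#   DeleteFile \??\C:\WINDOWS\system\msile.exe - failed (0xC0000121)
LINE_RE = re.compile(
    r"^(?P<op>QuarantineFile|DeleteFile|Delete File|Delete Service & File)\s+"
    r"(?P<target>.+?)\s+-\s+(?P<result>succeeded|failed)"
    r"(?:\s+\((?P<code>0x[0-9A-Fa-f]{8})\))?\s*$"
)

# Sample input: the 18:43 AVZ result posted in this thread (result lines only).
SAMPLE_LOG = r"""QuarantineFile \??\C:\WINDOWS\system\msile.exe - succeeded
QuarantineFile \??\C:\WINDOWS\system32\84.scr - succeeded
DeleteFile \??\C:\WINDOWS\system\msile.exe - failed (0xC0000121)
DeleteFile \??\C:\WINDOWS\system32\84.scr - succeeded
Delete File "C:\WINDOWS\system\msile.exe" - failed (0xC000003B)
Delete Service & File msile - failed (0xC0000121)
Delete File \??\C:\WINDOWS\system32\drivers\sysdrv32.sys - succeeded
Delete Service & File sysdrv32 - failed (0xC0000121)
-- End --
"""


def normalize_target(target):
    """Strip the NT object-manager prefix and surrounding quotes so the same
    file spelled two ways in the log (\\??\\C:\\... and "C:\\...") compares equal."""
    t = target.strip()
    if len(t) >= 2 and t[0] == '"' and t[-1] == '"':
        t = t[1:-1]
    if t.startswith("\\??\\"):
        t = t[4:]
    return t


def parse_log(text):
    """Turn AVZ result lines into dicts; lines that do not match are ignored."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        code = int(m.group("code"), 16) if m.group("code") else None
        records.append({
            "op": m.group("op"),
            "target": normalize_target(m.group("target")),
            "ok": m.group("result") == "succeeded",
            "code": code,
            "status": (NTSTATUS_NAMES.get(code, "UNKNOWN_NTSTATUS")
                       if code is not None else None),
        })
    return records


def summarize(text):
    """Counts of succeeded/failed operations plus the failed records themselves."""
    records = parse_log(text)
    failures = [r for r in records if not r["ok"]]
    return {
        "succeeded": sum(1 for r in records if r["ok"]),
        "failed": len(failures),
        "failures": failures,
    }


def still_present(text):
    """Targets for which at least one delete operation failed: artefacts that
    survived this cleaning run and need another pass (quarantine copies are
    not deletions, so they are excluded)."""
    return sorted({r["target"] for r in parse_log(text)
                   if not r["ok"] and r["op"] != "QuarantineFile"})


if __name__ == "__main__":
    s = summarize(SAMPLE_LOG)
    print("succeeded:", s["succeeded"], "failed:", s["failed"])
    for f in s["failures"]:
        print(f"  {f['op']} {f['target']} -> {f['status']}")
    print("still present:", still_present(SAMPLE_LOG))
```

On the sample log this reports four successes and four failures, and still_present returns the msile.exe file and the msile and sysdrv32 service entries, the same three things the thread keeps coming back to. STATUS_CANNOT_DELETE on a quarantined copy means the original was locked or protected when the boot cleaner ran, which is exactly the case where a second pass or a different tool is needed rather than re-running the same script.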

offline
  • dr_Bora  Male
  • Anti Malware Fighter
    Rank 2
  • Joined: 24 Jul 2007
  • Posts: 12280
  • Location: Höganäs, SE

Double-click ComboFix to run it and post the log you get.

offline
  • Joined: 04 Mar 2009
  • Posts: 54
  • Location: Vojvodina Serbia Selenca

ComboFix 09-03-04.01 - Ziska 2009-03-06 18:53:36.8 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.255.61 [GMT 1:00]
Running from: c:\documents and settings\Ziska\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated)

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system\svhost.exe
c:\windows\system32\drivers\sysdrv32.sys

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_SYSDRV32
-------\Service_sysdrv32


((((((((((((((((((((((((( Files Created from 2009-02-06 to 2009-03-06 )))))))))))))))))))))))))))))))
.

2009-03-06 18:37 . 2009-03-06 18:37 995,328 --a------ c:\windows\system32\77.scr
2009-03-06 18:24 . 2009-03-06 18:24 41,987 --a------ c:\windows\system32\26.scr
2009-03-06 18:08 . 2009-03-06 18:08 41,987 --a------ c:\windows\system32\80.scr
2009-03-06 17:47 . 2009-03-06 17:47 995,328 --a------ c:\windows\system32\15.scr
2009-03-06 17:34 . 2009-03-06 17:49 995,328 --a------ c:\windows\system32\51.scr
2009-03-06 15:05 . 2009-03-06 15:05 995,328 --a------ c:\windows\system32\07.scr
2009-03-06 14:49 . 2009-03-06 14:49 995,328 --a------ c:\windows\system32\13.scr
2009-03-06 13:45 . 2009-03-06 14:45 995,328 --a------ c:\windows\system32\32.scr
2009-03-06 13:39 . 2009-03-06 13:39 995,328 --a------ c:\windows\system32\74.scr
2009-03-06 12:56 . 2009-03-06 14:07 995,328 --a------ c:\windows\system32\42.scr
2009-03-06 11:50 . 2009-03-06 12:30 995,328 --a------ c:\windows\system32\20.scr
2009-03-06 11:40 . 2009-03-06 11:40 995,328 --a------ c:\windows\system32\65.scr
2009-03-06 11:19 . 2009-03-06 18:26 41,987 --a------ c:\windows\system32\05.scr
2009-03-06 11:11 . 2009-03-06 11:30 995,328 --a------ c:\windows\system32\53.scr
2009-03-06 10:32 . 2009-03-06 10:32 995,328 --a------ c:\windows\system32\55.scr
2009-03-06 10:29 . 2009-03-06 10:29 995,328 --a------ c:\windows\system32\76.scr
2009-03-06 10:19 . 2009-03-06 18:37 <DIR> d-a------ c:\documents and settings\All Users\Application Data\TEMP
2009-03-06 00:43 . 2009-03-06 00:44 <DIR> d-------- c:\program files\Croatian Mini-Dictionary
2009-03-05 21:35 . 2009-03-06 18:04 41,987 -r-hs---- c:\windows\system\msile.exe
2009-03-05 19:30 . 2009-03-05 19:54 250 --a------ c:\windows\gmer.ini
2009-03-05 12:35 . 2009-03-05 12:35 63 --a------ c:\windows\wininit.ini
2009-03-04 21:52 . 2009-03-04 21:52 <DIR> d-------- c:\program files\Trend Micro
2009-03-04 19:34 . 2009-03-04 19:34 <DIR> d-------- c:\program files\Stardock
2009-03-04 19:34 . 2009-03-04 19:34 <DIR> d-------- c:\program files\Common Files\Stardock
2009-03-04 19:17 . 2009-03-04 19:17 2,560 --a------ c:\windows\_MSRSTRT.EXE
2009-03-03 20:47 . 2009-03-04 19:34 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2009-03-03 20:47 . 2009-02-11 10:19 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2009-03-03 20:47 . 2009-02-11 10:19 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2009-03-01 14:22 . 2009-03-01 14:22 <DIR> d---s---- c:\documents and settings\Ziska\UserData
2009-03-01 13:23 . 2009-03-06 12:22 <DIR> d--h----- C:\$AVG8.VAULT$
2009-03-01 12:40 . 2009-03-06 09:03 <DIR> d-------- c:\windows\system32\drivers\Avg
2009-03-01 12:40 . 2009-03-01 14:22 <DIR> d-------- c:\documents and settings\Ziska\Application Data\AVGTOOLBAR
2009-03-01 12:40 . 2009-03-01 12:40 325,128 --a------ c:\windows\system32\drivers\avgldx86.sys
2009-03-01 12:40 . 2009-03-01 12:40 107,272 --a------ c:\windows\system32\drivers\avgtdix.sys
2009-03-01 12:40 . 2009-03-01 12:40 10,520 --a------ c:\windows\system32\avgrsstx.dll
2009-03-01 12:39 . 2009-03-01 12:39 <DIR> d-------- c:\program files\AVG
2009-03-01 12:39 . 2009-03-01 12:39 <DIR> d-------- c:\documents and settings\All Users\Application Data\avg8
2009-03-01 02:24 . 2009-03-01 23:04 <DIR> d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-02-27 20:56 . 2009-03-01 01:14 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware(2)
2009-02-26 22:02 . 2009-02-26 22:02 <DIR> d-------- c:\documents and settings\Ziska\Application Data\Malwarebytes
2009-02-26 22:02 . 2009-02-26 22:02 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-02-14 18:46 . 2009-03-03 17:37 238 --a------ c:\windows\mafosav.INI
2009-02-14 15:55 . 2009-02-14 15:55 <DIR> d-------- c:\program files\Google

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-03-06 17:24 --------- d-----w c:\documents and settings\All Users\Application Data\WLInstaller
2009-03-06 17:16 --------- d-----w c:\program files\FlashGet
2009-03-06 16:36 --------- d-----w c:\program files\Windows Live
2009-02-07 15:22 --------- d--h--w c:\program files\InstallShield Installation Information
2009-02-07 12:02 --------- d-----w c:\program files\Messenger Plus! Live
2009-01-25 18:12 --------- d-----w c:\program files\Common Files\Real
2009-01-24 11:34 410,984 ----a-w c:\windows\system32\deploytk.dll
2009-01-23 21:31 --------- d-----w c:\documents and settings\Ziska\Application Data\HLSW
2009-01-16 22:24 --------- dcsh--w c:\program files\Common Files\WindowsLiveInstaller
2009-01-12 19:58 --------- d-----w c:\documents and settings\Ziska\Application Data\NetSupport
2009-01-12 19:53 --------- d-----w c:\program files\NetSupport
2009-01-12 19:53 --------- d-----w c:\documents and settings\All Users\Application Data\NetSupport
2009-01-11 21:19 --------- d-----w c:\program files\MessengerDiscovery
2008-12-28 12:05 218,624 ----a-w c:\windows\system32\uxtheme.dll
2008-12-28 12:05 111,110 ----a-w c:\windows\BricoPackUninst.cmd
.

------- Sigcheck -------

2008-04-14 04:42 699904 8a513e79e7980018daedca586b866bc3 c:\windows\system32\wininet.dll
2008-04-14 04:42 699904 8a513e79e7980018daedca586b866bc3 c:\windows\system32\dllcache\wininet.dll

2008-04-14 04:42 975872 561a50497324f378e30f55d09b4e1258 c:\windows\explorer.exe
2008-04-14 04:42 975872 088a0cd3d4cd3b584f3a4150d6cf941e c:\windows\system32\dllcache\explorer.exe
.
((((((((((((((((((((((((((((( SnapShot@2009-03-04_23.24.58.42 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-03-05 18:30:17 884,736 ----a-w c:\windows\gmer.dll
+ 2008-04-17 20:13:02 811,008 ----a-w c:\windows\gmer.exe
- 2008-12-28 15:07:56 29,926 ----a-r c:\windows\Installer\{508CE775-4BA4-4748-82DF-FE28DA9F03B0}\MsblIco.Exe
+ 2009-03-05 23:42:33 29,926 ----a-r c:\windows\Installer\{508CE775-4BA4-4748-82DF-FE28DA9F03B0}\MsblIco.Exe
+ 2009-03-05 22:14:17 58,945 ----a-r c:\windows\Installer\{7739A0FE-2D25-4298-9414-1EC8A410CD53}\wlmail.exe
+ 2009-03-05 18:30:17 85,969 ----a-w c:\windows\system32\drivers\gmer.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="c:\program files\Windows Live\Messenger\MsnMsgr.Exe" [2007-10-18 5724184]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2005-12-10 7311360]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2005-12-10 86016]
"Flashget"="c:\program files\FlashGet\FlashGet.exe" [2007-09-25 2007088]
"ClocX"="c:\program files\ClocX\ClocX.exe" [2007-07-26 270336]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-03-01 1601304]
"SoundMan"="SOUNDMAN.EXE" [2004-12-01 c:\windows\SOUNDMAN.EXE]
"nwiz"="nwiz.exe" [2005-12-10 c:\windows\system32\nwiz.exe]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-03-01 12:40 10520 c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\msile]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MSNETDED]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\FlashGet\\flashget.exe"=
"c:\\Program Files\\Ares\\Ares.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"c:\\Program Files\\NetSupport\\NetSupport Manager\\client32.exe"=
"c:\\Program Files\\NetSupport\\NetSupport Manager\\PCICTLUI.EXE"=
"c:\\Program Files\\NetSupport\\NetSupport Manager\\pcideply.exe"=
"c:\\Program Files\\NetSupport\\NetSupport Manager\\PCISA.EXE"=
"c:\\Program Files\\NetSupport\\NetSupport Manager\\pciscrui.exe"=
"c:\\Program Files\\NetSupport\\NetSupport Manager\\runscrip.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"139:TCP"= 139:TCP:@xpsp2res.dll,-22004

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [3/1/2009 12:40:10 PM 325128]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [3/1/2009 12:40:18 PM 107272]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [3/1/2009 12:39:44 PM 298264]
S2 msile;microsoft install le;c:\windows\system\msile.exe [3/5/2009 9:35:24 PM 41987]
S2 MSNETDED;Network Monitor service;"c:\windows\system\svhost.exe" --> c:\windows\system\svhost.exe [?]
S3 3xHybrid;3xHybrid service;c:\windows\system32\drivers\3xHybrid.sys [12/26/2008 11:23:14 AM 670592]
S3 SetupNTGLM7X;SetupNTGLM7X;\??\e:\ntglm7x.sys --> e:\NTGLM7X.sys [?]
.
.
------- Supplementary Scan -------
.
IE: &Download All with FlashGet - c:\program files\FlashGet\jc_all.htm
IE: &Download with FlashGet - c:\program files\FlashGet\jc_link.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
TCP: {BCE8778D-1AE7-46C0-98F0-93CB5E6CF7BC} = 195.252.122.154
FF - ProfilePath - c:\documents and settings\Ziska\Application Data\Mozilla\Firefox\Profiles\nhsg24iv.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.live.com/results.aspx?FORM=IEFM1&q=
FF - prefs.js: browser.search.selectedEngine - Live Search
FF - prefs.js: browser.startup.homepage - hxxp://www.abakusbp.net/
FF - prefs.js: keyword.URL - hxxp://search.live.com/results.aspx?FORM=IEFM1&q=
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, gmer.net
Rootkit scan 2009-03-06 18:57:44
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\Nf815c75f]
@Denied: (4) (Everyone)
@Denied: (4) (Administrators)
@Allowed: (A B C D Full GENERIC_EXECUTE GENERIC_WRITE Read 1 2 3 4 5 6) (LocalSystem)
"a"="M"
"InternetCode"="U52LDJMC37ONPGW35EG4SPJX45LFAJ6ESRKK7IY8"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'csrss.exe'(536)
c:\program files\NetSupport\NetSupport Manager\pcihooks.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\NetSupport\NetSupport Manager\client32.exe
c:\windows\system32\nvsvc32.exe
c:\program files\AVG\AVG8\avgrsx.exe
c:\progra~1\AVG\AVG8\avgnsx.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2009-03-06 18:59:53 - machine was rebooted
ComboFix-quarantined-files.txt 2009-03-06 17:59:49
ComboFix2.txt 2009-03-05 21:25:57
ComboFix3.txt 2009-03-05 20:16:42
ComboFix4.txt 2009-03-05 17:45:26
ComboFix5.txt 2009-03-06 17:53:05

Pre-Run: 5,931,597,824 bytes free
Post-Run: 6,018,867,200 bytes free

I couldn't do it earlier, my internet was being repaired!

Update: 07 Mar 2009 0:09

What do we do next?

offline
  • dr_Bora  Male
  • Anti Malware Fighter
    Rank 2
  • Joined: 24 Jul 2007
  • Posts: 12280
  • Location: Höganäs, SE

Upload the following files:

c:\windows\system32\wininet.dll
c:\windows\explorer.exe


Upload link: http://www.mycity.rs/ambulanta-upload.php
