PC Ekspert Forum > Computers > Problems > Software problems
Old 15.01.2010, 18:46   #1
Warrior
Premium
Registration date: Nov 2006
Location: Zagreb
Posts: 1,012
(solved) Malware all of a sudden?

So, I use Avast; I was away for 2 days, so with no access to the PC. Today I turn the PC on, Avast updates itself and suddenly messages start popping up that I'm infected with the Rootkit-gen (rtk) malware, and that for almost ALL .sys files in the Windows/system32/drivers folder. Strange... This is reported by Avast Live Scan, or the on-access protection.

Scanning the folder found the malware in question in the following files:
Datoteka C:\WINDOWS\gdrv.sys je zaražena sa Win32:Rootkit-gen [Rtk]
Datoteka C:\WINDOWS\system32\drivers\entech.sys je zaražena sa Win32:Rootkit-gen [Rtk]
Datoteka C:\WINDOWS\system32\fsusbexdisk.sys je zaražena sa Win32:Rootkit-gen [Rtk]

What should I do? I'm sort of hoping it's a false alarm, because I wasn't at the PC when this change happened. Help...
__________________
Everything is sooooo slow... Why? Oh, why?
Old 15.01.2010, 18:53   #2
Doink the Clown
Jack of all, master of none
Registration date: Jan 2009
Location: Matulji - Rijeka
Posts: 6,214
Download Malwarebytes' Anti-Malware and scan the system with it as well; if it finds anything, kill it in Safe Mode.
__________________

C L O W N I N G A R O U N D
Old 15.01.2010, 19:46   #3
Warrior
Premium
Registration date: Nov 2006
Location: Zagreb
Posts: 1,012
It scanned and found the files in question as infected + some more junk. What do I do in Safe Mode? Run that program again and delete the files with it? I can't just delete .sys files like that; what if some application needs them to run?
__________________
Everything is sooooo slow... Why? Oh, why?
Old 15.01.2010, 20:21   #4
Don
is hungry!
Registration date: Nov 2005
Location: Rijeka
Posts: 1,698
This program should solve all your problems.
http://www.combofix.org/

And there's also
__________________
Old 15.01.2010, 23:02   #5
greenfly
Grandma's sister's brother-in-law
Registration date: Dec 2006
Location: (Vinjro)
Posts: 1,130
Quote:
Author: Warrior
I can't just delete .sys files like that; what if some application needs them to run?
Worst case, you'll do a Repair install..
__________________
Old 24.01.2010, 22:11   #6
Warrior
Premium
Registration date: Nov 2006
Location: Zagreb
Posts: 1,012
OK, on 15.1. I cleaned the PC of malware with the Anti-Malware tool, and there have been no problems since. However, today, 24.1., my PC was on, I went to lie down for an hour or two, I come back and see that Avast has found some junk again. While I was cleaning the junk and putting it in quarantine, I noticed strange .exe files appearing on C:\. How is that possible, and how is it possible that viruses appear on their own while the PC is on and I'm not doing anything?

There was a bunch of trojans, trojan.russian, and I don't remember what other nonsense. My question is how junk keeps appearing on C:, as if someone from outside is attacking me? My firewall is the Windows one, and I use WinXP SP2, which I haven't updated for quite a while because, ahem, it wasn't bought.

Can I get some help and an expert opinion?
__________________
Everything is sooooo slow... Why? Oh, why?
Old 25.01.2010, 01:14   #7
Joke
N00B
Registration date: Oct 2006
Location: Split
Posts: 3,886
Try removing Avast and installing e.g. Kaspersky, and along the way do a scan with combofix...
__________________
IE6
Linux is Not Windows
Old 25.01.2010, 10:33   #8
Warrior
Premium
Registration date: Nov 2006
Location: Zagreb
Posts: 1,012
They warn not to use Combofix unless you have expert knowledge, because the tool is very powerful. Hmmmm...

Anyway, I asked whether the cause of the malware and the strange files appearing on C: could be that I haven't installed any patches since WinXP SP2? I believe a bunch of security fixes have come out that would solve my problem, no?

My cleaning the malware is in vain when it somehow gets through again because some WinXP fix isn't installed. Am I at least somewhat on the right track?
__________________
Everything is sooooo slow... Why? Oh, why?
Old 25.01.2010, 15:24   #9
Joke
N00B
Registration date: Oct 2006
Location: Split
Posts: 3,886
Quote:
Author: Warrior
They warn not to use Combofix unless you have expert knowledge, because the tool is very powerful. Hmmmm...
I don't really know what kind of extra expert knowledge you'd need? Besides, everything is explained at the link above.
Basically:
-save combofix to the desktop
-disable the antivirus
-run combofix and answer yes to everything it asks
-don't do anything on the PC while the scan is running
When you've done the scan and everything, uninstall it -> start-run-combofix /uninstall

Quote:
Anyway, I asked whether the cause of the malware and the strange files appearing on C: could be that I haven't installed any patches since WinXP SP2? I believe a bunch of security fixes have come out that would solve my problem, no?
I don't really know of any MS updates that would prevent a user from picking up whatever junk off the net.

Quote:
My cleaning the malware is in vain when it somehow gets through again because some WinXP fix isn't installed. Am I at least somewhat on the right track?
I said above what I think about the fixes, and now I would scan with some better AV (I also wrote that in the post above)..
__________________
IE6
Linux is Not Windows
Old 25.01.2010, 17:45   #10
Warrior
Premium
Registration date: Nov 2006
Location: Zagreb
Posts: 1,012
I ran the scan and got a monster of a log that I can't really read, but I think it doesn't find anything suspicious.

Advice?
__________________
Everything is sooooo slow... Why? Oh, why?
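The post above calls the ComboFix report a monster that is hard to read. The first pass over such a report is mechanical, so the following Python script is added here as an example (it is not part of the thread and not a ComboFix tool) of what that first pass looks like: it walks a report in the format posted later in this thread and pulls out the entries a defender would look at first: freshly created .sys drivers (and whether they sit in a user-writable directory), files with the system/hidden attributes set, Sigcheck entries whose hash ComboFix did not recognise, and Run-key autostarts pointing into user-writable directories. Assumptions: the report format is the one posted in this thread; the `[-]` prefix in the Sigcheck section is treated as "hash not recognised", which is how I read it; the sample report is constructed for the example (the two Sigcheck lines are copied from the thread's report, everything else, including the names xk9drv.sys and upd.exe, is made up and is not a real indicator).

```python
import re
from collections import Counter
from dataclasses import dataclass


@dataclass
class Finding:
    check: str    # which triage rule fired
    path: str     # file or autostart target the rule refers to
    detail: str   # why it was flagged


# Line shapes used by ComboFix's "Files Created" / "Find3M" sections, its
# "Sigcheck" section and the REGEDIT4-style "Reg Loading Points" dump.
CREATED_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. (\d{4}-\d{2}-\d{2} \d{2}:\d{2}) (\S+) (\S{8}) (.+)$")
SIGCHECK_RE = re.compile(
    r"^\[(.)\] (\d{4}-\d{2}-\d{2}) \. ([0-9A-Fa-f]{32}) \. (\d+) \. \. \[([^\]]*)\] \. \. (.+)$")
REGKEY_RE = re.compile(r"^\[(HKEY_[^\]]+)\]$")
RUNVAL_RE = re.compile(r'^"([^"]+)"="([^"]+)" \[(\d{4}-\d{2}-\d{2}) (\d+)\]$')

# Locations a normal user can write to; a driver or autostart living here is unusual.
USER_WRITABLE = ("\\temp\\", "\\local settings\\", "\\application data\\", "\\documents and settings\\")


def is_user_writable(path):
    low = path.lower()
    return any(marker in low for marker in USER_WRITABLE)


def triage(report):
    """Return the Findings a first pass over a ComboFix-style report should surface."""
    findings = []
    current_key = ""
    for raw in report.splitlines():
        line = raw.strip()
        m = CREATED_RE.match(line)
        if m:
            created, _modified, size, attrs, path = m.groups()
            if attrs[0] == "d":          # directory entries carry no payload themselves
                continue
            if path.lower().endswith(".sys"):
                where = " in a user-writable directory" if is_user_writable(path) else ""
                findings.append(Finding("new-driver", path, f"created {created}, {size} bytes{where}"))
            if "s" in attrs[2:4] or "h" in attrs[2:4]:   # e.g. --sha-w-: system and/or hidden attribute set
                findings.append(Finding("hidden-file", path, f"attributes {attrs}"))
            continue
        m = SIGCHECK_RE.match(line)
        if m:
            marker, _date, md5, size, version, path = m.groups()
            if marker == "-":            # assumption: "[-]" = hash not recognised by ComboFix
                findings.append(Finding("unrecognised-hash", path, f"md5 {md5}, {size} bytes, version {version}"))
            continue
        m = REGKEY_RE.match(line)
        if m:
            current_key = m.group(1)
            continue
        m = RUNVAL_RE.match(line)
        if m and current_key.lower().endswith("\\run"):
            name, target, stamp, _size = m.groups()
            if is_user_writable(target):
                findings.append(Finding("autorun-user-dir", target, f'value "{name}" under {current_key}, dated {stamp}'))
    return findings


def summarize(findings):
    """Counts per check, handy as a one-line overview of a long report."""
    return dict(Counter(f.check for f in findings))


# Constructed sample in the report format from the thread. The two Sigcheck lines are
# copied from the posted log; the other entries (and the names xk9drv.sys, upd.exe)
# are made up for this example and are not real indicators.
SAMPLE_REPORT = r"""
((((((((((((((((((((((((( Files Created from 2009-12-25 to 2010-01-25 )))))))))))))))))))))))))))))))
.
2010-01-15 18:40 . 2010-01-07 15:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-15 17:02 . 2010-01-25 16:33 39456 --sha-w- c:\windows\system32\drivers\fidbox2.dat
2010-01-24 21:24 . 2010-01-24 21:24 -------- d-----w- c:\program files\Haali
2010-01-20 03:11 . 2010-01-20 03:11 61440 ----a-w- c:\documents and settings\User\Local Settings\Temp\xk9drv.sys
.
------- Sigcheck -------
[-] 2008-04-12 . 8D8949936913B041C6A0E184FBF1030B . 359808 . . [5.1.2600.2892] . . c:\windows\system32\drivers\TCPIP.SYS
[7] 2006-04-20 . B2220C618B42A2212A59D91EBD6FC4B4 . 360576 . . [5.1.2600.2892] . . c:\windows\$hf_mig$\KB917953\SP2QFE\tcpip.sys
.
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-10-13 1694208]
"Updater"="c:\documents and settings\User\Local Settings\Temp\upd.exe" [2010-01-20 40960]
"""

if __name__ == "__main__":
    results = triage(SAMPLE_REPORT)
    for f in results:
        print(f"{f.check:18} {f.path}  ({f.detail})")
    print(summarize(results))
```

Run against a real report, the list is a starting point, not a verdict: a new driver with a vendor name next to a freshly installed tool (the mbam driver above) is expected, while a driver or an autostart created in a Temp folder, or a system file whose hash ComboFix does not recognise, is what to compare against a known-good copy before deciding anything.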
Old 25.01.2010, 17:47   #11
nino
PizzoZder
Registration date: Jan 2003
Location: Umag
Posts: 12,602
Go ahead and upload the log...
__________________
Selling a house on a landslide.. Low mileage.....
Member Of PC Ekspert 100+kg Demolition Squad
LATEST = Cheap RAM..http://www.downloadmoreram.com/... tor and AMD bought....

NEW! Selling high-quality triple-twisted hardware thread for fastening coolers
Old 25.01.2010, 18:29   #12
Warrior
Premium
Registration date: Nov 2006
Location: Zagreb
Posts: 1,012



Here it is...



ComboFix 10-01-24.05 - Dario 25.01.2010 17:29:54.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.2.1250.385.1033.18.3326.2794 [GMT 1:00]
Running from: c:\documents and settings\Dario\Desktop\ComboFix.exe
AV: avast! antivirus 4.8.1368 [VPS 100125-0] *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\Fonts\MyriadPro-Regular.otf
c:\windows\system32\lsprst7.dll
c:\windows\system32\ssprs.dll
c:\windows\unins000.dat
c:\windows\unins000.exe

.
((((((((((((((((((((((((( Files Created from 2009-12-25 to 2010-01-25 )))))))))))))))))))))))))))))))
.

2010-01-24 21:24 . 2010-01-24 21:24 -------- d-----w- c:\program files\Haali
2010-01-24 21:24 . 2010-01-24 21:24 -------- d-----w- c:\program files\CoreCodec
2010-01-15 20:08 . 2010-01-15 20:08 -------- d-----w- c:\documents and settings\Dario\Application Data\HD Tune Pro
2010-01-15 20:07 . 2010-01-15 20:08 -------- d-----w- c:\program files\HD Tune Pro
2010-01-15 18:40 . 2010-01-15 18:40 -------- d-----w- c:\documents and settings\Dario\Application Data\Malwarebytes
2010-01-15 18:40 . 2010-01-07 15:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-15 18:40 . 2010-01-15 18:40 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-01-15 18:40 . 2010-01-15 18:40 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-01-15 18:40 . 2010-01-07 15:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-01-15 17:02 . 2010-01-15 17:02 125952 ----a-w- c:\documents and settings\All Users\Application Data\ParetoLogic\UUS2\Temp\Update.exe
2010-01-15 17:02 . 2010-01-25 16:33 39456 --sha-w- c:\windows\system32\drivers\fidbox2.dat
2010-01-15 17:02 . 2010-01-25 16:33 2609184 --sha-w- c:\windows\system32\drivers\fidbox.dat
2010-01-15 16:54 . 2010-01-15 17:19 -------- d-----w- c:\program files\Common Files\ParetoLogic
2010-01-15 16:54 . 2010-01-15 17:19 -------- d-----w- c:\documents and settings\All Users\Application Data\ParetoLogic
2010-01-15 16:54 . 2010-01-15 16:54 -------- d-----w- c:\documents and settings\All Users\Application Data\ParetoLogic Anti-Virus PLUS
2010-01-15 16:52 . 2010-01-15 16:52 -------- d-----w- c:\documents and settings\Dario\Local Settings\Application Data\Downloaded Installations
2010-01-15 08:19 . 2004-08-03 22:00 8192 -c--a-w- c:\windows\system32\dllcache\changer.sys
2010-01-15 08:19 . 2004-08-03 22:00 8192 ----a-w- c:\windows\system32\drivers\changer.sys
2010-01-02 20:24 . 2009-10-21 23:13 31280 ----a-r- c:\windows\system32\drivers\vmusb.sys
2009-12-31 19:26 . 2010-01-24 23:15 -------- d-----w- c:\documents and settings\Dario\Local Settings\Application Data\SecondLife
2009-12-31 13:36 . 2010-01-09 23:36 -------- d-----w- c:\program files\DebugMode
2009-12-31 00:43 . 2009-12-31 00:43 -------- d-----w- C:\FrameServer Images
2009-12-30 15:22 . 2009-12-30 15:22 -------- d-----w- c:\program files\Digital Juice
2009-12-30 15:22 . 2009-12-30 15:22 -------- d-----w- c:\program files\Common Files\DigitalJuice
2009-12-27 12:59 . 2009-12-18 10:19 545280 ----a-w- c:\documents and settings\Dario\Application Data\Mozilla\Firefox\Profiles\mrq9vkbw.default\extensions\piclens@cooliris.com\libs\PicLensHelper.exe
2009-12-27 12:59 . 2009-12-18 10:19 344064 ----a-w- c:\documents and settings\Dario\Application Data\Mozilla\Firefox\Profiles\mrq9vkbw.default\extensions\piclens@cooliris.com\libs\LaunchCooliris.exe
2009-12-27 12:59 . 2009-12-18 10:19 153600 ----a-w- c:\documents and settings\Dario\Application Data\Mozilla\Firefox\Profiles\mrq9vkbw.default\extensions\piclens@cooliris.com\plugins\npcoolirisplugin.dll
2009-12-27 12:59 . 2009-12-18 10:19 103424 ----a-w- c:\documents and settings\Dario\Application Data\Mozilla\Firefox\Profiles\mrq9vkbw.default\extensions\piclens@cooliris.com\libs\pixomatic.dll
2009-12-27 12:59 . 2009-12-18 10:19 57856 ----a-w- c:\documents and settings\Dario\Application Data\Mozilla\Firefox\Profiles\mrq9vkbw.default\extensions\piclens@cooliris.com\components\coolirisstub.dll
2009-12-27 12:59 . 2009-12-18 10:19 4726272 ----a-w- c:\documents and settings\Dario\Application Data\Mozilla\Firefox\Profiles\mrq9vkbw.default\extensions\piclens@cooliris.com\libs\cooliris190.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-01-25 16:25 . 2009-02-07 15:13 -------- d-----w- c:\documents and settings\LocalService\Application Data\VMware
2010-01-25 16:25 . 2009-02-07 15:11 -------- d-----w- c:\documents and settings\All Users\Application Data\VMware
2010-01-25 16:23 . 2010-01-15 17:02 6548 --sha-w- c:\windows\system32\drivers\fidbox2.idx
2010-01-25 16:23 . 2010-01-15 17:02 23924 --sha-w- c:\windows\system32\drivers\fidbox.idx
2010-01-25 07:18 . 2009-02-07 15:16 -------- d-----w- c:\documents and settings\Dario\Application Data\VMware
2010-01-24 22:10 . 2009-11-08 11:51 -------- d-----w- c:\program files\JDownloader
2010-01-24 21:40 . 2008-03-22 21:14 24944 ----a-w- c:\windows\system32\drivers\GVTDrv.sys
2010-01-24 21:10 . 2008-06-23 21:14 -------- d-----w- c:\program files\Avast4
2010-01-15 16:27 . 2008-12-18 17:45 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-01-15 00:25 . 2008-03-22 23:41 -------- d-----w- c:\program files\BitComet
2010-01-15 00:23 . 2009-09-13 18:26 -------- d-----w- c:\documents and settings\Dario\Application Data\vlc
2010-01-05 00:32 . 2008-11-01 18:31 -------- d-----w- c:\documents and settings\Dario\Application Data\dvdcss
2010-01-02 18:17 . 2008-03-23 18:47 -------- d-----w- c:\documents and settings\Dario\Application Data\LimeWire
2009-12-31 19:26 . 2008-07-07 20:38 -------- d-----w- c:\documents and settings\Dario\Application Data\SecondLife
2009-12-31 15:36 . 2008-04-02 20:04 -------- d-----w- c:\documents and settings\Dario\Application Data\Skype
2009-12-31 15:34 . 2008-04-02 20:06 -------- d-----w- c:\documents and settings\Dario\Application Data\skypePM
2009-12-30 00:23 . 2008-05-01 17:27 12 ----a-w- c:\windows\system32\RFMDat.dat
2009-12-30 00:23 . 2008-05-01 17:27 -------- d-----w- c:\program files\MFR
2009-12-18 10:19 . 2009-12-26 08:48 57856 ----a-w- c:\documents and settings\Dario\Application Data\Mozilla\Firefox\Profiles\mrq9vkbw.default\extensions\piclens@cooliris.com-trash\components\coolirisstub.dll
2009-12-18 10:19 . 2009-12-26 08:48 4726272 ----a-w- c:\documents and settings\Dario\Application Data\Mozilla\Firefox\Profiles\mrq9vkbw.default\extensions\piclens@cooliris.com-trash\libs\cooliris190.dll
2009-12-15 20:40 . 2009-12-15 20:40 -------- d-----w- c:\documents and settings\Dario\Application Data\Megaupload
2009-12-15 20:40 . 2009-12-15 20:40 -------- d-----w- c:\program files\Megaupload
2009-12-15 20:40 . 2008-03-21 23:38 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-12-12 15:43 . 2009-12-12 15:43 -------- d---a-w- c:\program files\b3s-subtranslator-0721
2009-12-03 12:19 . 2008-12-16 22:44 -------- d-----w- c:\documents and settings\All Users\Application Data\Zoom Player
2009-12-02 17:06 . 2009-12-01 18:21 -------- d-----w- c:\program files\FormatFactory
2009-11-30 22:35 . 2009-04-04 00:05 -------- d-----w- c:\documents and settings\Dario\Application Data\ameCache
2009-11-24 23:54 . 2008-06-23 21:14 1280480 ----a-w- c:\windows\system32\aswBoot.exe
2009-11-24 23:51 . 2008-06-23 21:14 93424 ----a-w- c:\windows\system32\drivers\aswmon.sys
2009-11-24 23:50 . 2008-06-23 21:14 94160 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2009-11-24 23:50 . 2008-06-23 21:14 114768 ----a-w- c:\windows\system32\drivers\aswSP.sys
2009-11-24 23:50 . 2008-06-23 21:14 20560 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2009-11-24 23:49 . 2008-06-23 21:14 48560 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2009-11-24 23:48 . 2008-06-23 21:14 23120 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2009-11-24 23:47 . 2008-06-23 21:14 27408 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2009-11-24 23:47 . 2008-06-23 21:14 97480 ----a-w- c:\windows\system32\AvastSS.scr
2009-11-08 13:44 . 2008-03-22 00:00 134400 ----a-w- c:\documents and settings\Dario\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-11-08 01:23 . 2009-11-08 01:23 159168 ----a-w- c:\windows\system32\drivers\afcdp.sys
2009-11-08 01:22 . 2009-11-08 01:22 902432 ----a-w- c:\windows\system32\drivers\tdrpm251.sys
2009-11-08 01:22 . 2008-03-22 10:22 570016 ----a-w- c:\windows\system32\drivers\timntr.sys
2009-11-08 01:22 . 2008-03-22 02:35 157248 ----a-w- c:\windows\system32\drivers\snapman.sys
2009-11-01 02:21 . 2009-11-01 02:21 909320 ----a-w- c:\documents and settings\All Users\Application Data\VMware\VMware Workstation\Uninstaller\uninstall.exe
2009-11-01 02:21 . 2009-11-01 02:21 625200 ----a-w- c:\documents and settings\All Users\Application Data\VMware\VMware Workstation\Uninstaller\instUtils.dll
2009-11-01 02:18 . 2009-11-01 02:21 760368 ----a-w- c:\documents and settings\All Users\Application Data\VMware\VMware Workstation\Uninstaller\vnetlib.dll
2009-11-01 02:18 . 2009-11-01 02:21 331776 ----a-w- c:\documents and settings\All Users\Application Data\VMware\VMware Workstation\Uninstaller\module_ws.dll
2009-11-01 02:18 . 2009-11-01 02:21 569344 ----a-w- c:\documents and settings\All Users\Application Data\VMware\VMware Workstation\Uninstaller\module_core.dll
2009-11-01 02:18 . 2009-11-01 02:21 360448 ----a-w- c:\documents and settings\All Users\Application Data\VMware\VMware Workstation\Uninstaller\module_license.dll
2009-11-01 02:18 . 2009-11-01 02:21 958000 ----a-w- c:\documents and settings\All Users\Application Data\VMware\VMware Workstation\Uninstaller\vnetlib64.dll
2009-11-01 02:18 . 2009-11-01 02:21 922672 ----a-w- c:\documents and settings\All Users\Application Data\VMware\VMware Workstation\Uninstaller\vnetlib64.exe
2009-11-01 02:18 . 2009-11-01 02:21 731696 ----a-w- c:\documents and settings\All Users\Application Data\VMware\VMware Workstation\Uninstaller\vminstutil.dll
2009-11-01 02:18 . 2009-11-01 02:21 703024 ----a-w- c:\documents and settings\All Users\Application Data\VMware\VMware Workstation\Uninstaller\vnetlib.exe
2008-07-15 22:09 . 2008-08-28 16:51 2003456 ----a-w- c:\program files\Common Files\Boris RED.msi
2004-06-13 15:04 . 2004-06-13 15:04 626688 ----a-w- c:\program files\Common Files\PowerButton.ocx
2003-03-20 11:21 . 2003-03-20 11:21 409600 ----a-w- c:\program files\Common Files\activelock1884.ocx
2008-04-01 23:35 . 2008-04-01 23:35 61 --sh--w- c:\windows\cnerolf.bin
.

------- Sigcheck -------

[-] 2008-04-12 . 8D8949936913B041C6A0E184FBF1030B . 359808 . . [5.1.2600.2892] . . c:\windows\system32\drivers\TCPIP.SYS
[7] 2006-04-20 . B2220C618B42A2212A59D91EBD6FC4B4 . 360576 . . [5.1.2600.2892] . . c:\windows\$hf_mig$\KB917953\SP2QFE\tcpip.sys
[7] 2004-08-04 . 9F4B36614A0FC234525BA224957DE55C . 359040 . . [5.1.2600.2180] . . c:\windows\$NtUninstallKB917953$\tcpip.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-10-13 1694208]
"Sony Ericsson PC Suite"="c:\program files\Sony Ericsson\Sony Ericsson PC Suite\SEPCSuite.exe" [2008-07-02 393216]
"DAEMON Tools Lite"="c:\program files\DAEMON Tools Lite\daemon.exe" [2008-04-01 486856]
"RegClean Expert Scheduler"="c:\program files\Registry Clean Expert\RCHelper.exe" [2008-01-31 604920]
"S60 PC Suite Tray"="c:\program files\Samsung\Samsung PC Studio 7\PCSuite.exe" [2008-12-05 699392]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RTHDCPL"="RTHDCPL.EXE" [2007-08-20 16384512]
"OSSelectorReinstall"="c:\program files\Common Files\Acronis\Acronis Disk Director\oss_reinstall.exe" [2006-04-12 1261475]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-26 31016]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"EasyTuneVPro"="c:\program files\Gigabyte\ET5Pro\ETcall.exe" [2007-07-26 20480]
"snp2std"="c:\windows\vsnp2std.exe" [2005-11-23 344064]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"avast!"="c:\progra~1\Avast4\ashDisp.exe" [2009-11-24 81000]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2009-02-25 61440]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2008-12-18 76304]
"NexusServer"="c:\program files\Common Files\Grass Valley\ProCoder 3\Kernel\PNXSERVR.exe" [2008-08-05 520192]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-07-13 136600]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-05-26 413696]
"vmware-tray"="c:\program files\VMware\VMware Workstation\vmware-tray.exe" [2009-10-22 129584]
"TrueImageMonitor.exe"="c:\program files\Acronis\TrueImageHome\TrueImageMonitor.exe" [2009-09-12 5048488]
"Acronis Scheduler2 Service"="c:\program files\Common Files\Acronis\Schedule2\schedhlp.exe" [2009-09-12 357384]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-04 15360]
"Samsung.PCSync"="c:\program files\Samsung\Samsung PC Studio 7\PcSync2.exe" [2009-06-04 1294336]

c:\documents and settings\Dario\Start Menu\Programs\Startup\
Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-3-16 113664]
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2006-10-26 98632]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\SetPoint.exe [2009-4-11 809488]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
2009-02-18 22:30 72208 ----a-w- c:\program files\Common Files\Logishrd\Bluetooth\LBTWLgn.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader]
2007-09-10 22:43 67488 ----a-w- c:\program files\Adobe\Photoshop Elements 6.0\apdproxy.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\uTorrent\\utorrent.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"d:\\Igre\\FEAR\\FEAR.exe"=
"d:\\Igre\\FEAR\\FEARMP.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\ratiomaker_bin_0.5.1.115\\ratiomaker_bin_0.5.1.115\\ratiomaker_0.5.1.115.exe"=
"d:\\Igre\\Call of Duty 4 - Modern Warfare\\iw3mp.exe"=
"c:\\Program Files\\eMule\\emule.exe"=
"c:\\Program Files\\Sony Ericsson\\Update Service\\Update Service.exe"=
"d:\\Igre\\Crysis\\Bin32\\Crysis.exe"=
"d:\\Igre\\Crysis\\Bin32\\CrysisDedicatedServer.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\BitComet\\BitComet.exe"=
"d:\\Igre\\SecondLife\\SLVoice.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"d:\\Igre\\Far Cry 2\\bin\\FarCry2.exe"=
"d:\\Igre\\Far Cry 2\\bin\\FC2Launcher.exe"=
"d:\\Igre\\Far Cry 2\\bin\\FC2Editor.exe"=
"d:\\Igre\\Call of Duty - World at War\\CoDWaW.exe"=
"d:\\Igre\\Call of Duty - World at War\\CoDWaWmp.exe"=
"c:\\Program Files\\Autodesk\\3ds Max 9\\3dsmax.exe"=
"c:\\Program Files\\Autodesk\\Backburner\\monitor.exe"=
"c:\\Program Files\\Autodesk\\Backburner\\manager.exe"=
"c:\\Program Files\\Autodesk\\Backburner\\server.exe"=
"c:\\Program Files\\Orbitdownloader\\orbitdm.exe"=
"c:\\Program Files\\Orbitdownloader\\orbitnet.exe"=
"c:\\Program Files\\ICQ6.5\\ICQ.exe"=
"c:\\Program Files\\VMware\\VMware Workstation\\vmware-authd.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\javaw.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)

R0 tdrpman251;Acronis Try&Decide and Restore Points filter (build 251);c:\windows\system32\drivers\tdrpm251.sys [8.11.2009 2:22 902432]
R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [23.6.2008 22:14 114768]
R1 nltdi;nltdi;c:\windows\system32\drivers\nltdi.sys [23.4.2007 12:03 82200]
R2 afcdpsrv;Acronis Nonstop Backup service;c:\program files\Common Files\Acronis\CDP\afcdpsrv.exe [8.11.2009 2:22 2326920]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [23.6.2008 22:14 20560]
R2 ICQ Service;ICQ Service;c:\program files\ICQ6Toolbar\ICQ Service.exe [15.9.2009 22:38 222968]
R2 LBeepKE;LBeepKE;c:\windows\system32\drivers\LBeepKE.sys [11.4.2009 13:48 10384]
R2 vmci;VMware vmci;c:\windows\system32\drivers\vmci.sys [22.10.2009 5:00 70704]
R2 VMUSBArbService;VMware USB Arbitration Service;c:\program files\Common Files\VMware\USB\vmware-usbarbitrator.exe [22.10.2009 3:47 563760]
R3 afcdp;afcdp;c:\windows\system32\drivers\afcdp.sys [8.11.2009 2:23 159168]
S0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [22.3.2008 12:35 717296]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [24.11.2009 0:53 135664]
S3 FsUsbExDisk;FsUsbExDisk;\??\c:\windows\system32\FsUsbExDisk.SYS --> c:\windows\system32\FsUsbExDisk.SYS [?]
S3 ggflt;SEMC USB Flash Driver Filter;c:\windows\system32\DRIVERS\ggflt.sys --> c:\windows\system32\DRIVERS\ggflt.sys [?]
S3 nmwcdsa;Samsung USB Phone Parent;c:\windows\system32\drivers\nmwcdsa.sys [17.8.2009 20:10 135680]
S3 nmwcdsac;Samsung USB Generic;c:\windows\system32\drivers\nmwcdsac.sys [17.8.2009 20:10 8320]
S3 nmwcdsacj;Samsung USB Port;c:\windows\system32\drivers\nmwcdsacj.sys [17.8.2009 20:10 12288]
S3 nmwcdsacm;Samsung USB Modem;c:\windows\system32\drivers\nmwcdsacm.sys [17.8.2009 20:10 12288]
S3 SSUSBDownload;SAMSUNG SYMBIAN USB Downloader Driver;c:\windows\system32\drivers\SSUSBDownload.sys [17.8.2009 20:16 17920]
.
Contents of the 'Scheduled Tasks' folder

2010-01-25 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-11-23 23:53]

2010-01-25 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-11-23 23:53]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
uInternet Connection Wizard,ShellNext = hxxp://www.logitech.com/buycamera
uInternet Settings,ProxyOverride = *.local
IE: &Download by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/201
IE: &Grab video by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/204
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: Do&wnload selected by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/203
IE: Down&load all by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/202
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
LSP: c:\program files\VMware\VMware Workstation\vsocklib.dll
FF - ProfilePath - c:\documents and settings\Dario\Application Data\Mozilla\Firefox\Profiles\mrq9vkbw.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - about:blank
FF - prefs.js: keyword.URL - hxxp://search.icq.com/search/afe_results.php?ch_id=afex&q=
FF - component: c:\documents and settings\Dario\Application Data\Mozilla\Firefox\Profiles\mrq9vkbw.default\extensions\piclens@cooliris.com\components\coolirisstub.dll
FF - component: c:\program files\Google\Google Gears\Firefox\lib\ff35\gears.dll
FF - plugin: c:\documents and settings\Dario\Application Data\Mozilla\Firefox\Profiles\mrq9vkbw.default\extensions\piclens@cooliris.com\plugins\npcoolirisplugin.dll
FF - plugin: c:\documents and settings\Dario\Application Data\Mozilla\plugins\npcoolirisplugin.dll
FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll
FF - plugin: c:\program files\Google\Update\1.2.183.13\npGoogleOneClick8.dll
.
- - - - ORPHANS REMOVED - - - -

HKU-Default-Run-Nokia.PCSync - c:\program files\Nokia\Nokia PC Suite 6\PcSync2.exe
AddRemove-Icon Restore_is1 - c:\windows\unins000.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-01-25 17:34
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1993962763-842925246-725345543-1003\Software\SecuROM\License information*]
"datasecu"=hex:3f,a1,f5,dd,7a,e2,76,05,5e,e0,50,ed,99,cd,09,7e,b2,d0,b8,e3,2d,
50,01,da,8a,71,67,9a,cd,c6,55,c4,e6,e3,52,12,3e,80,f6,4e,18,92,1f,1c,4a,66,\
"rkeysecu"=hex:4e,ed,76,dc,19,c8,74,75,d1,50,0c,5e,47,a5,2e,d8

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{BEB3C0C7-B648-4257-96D9-B5D024816E27}\Version*Version]
"Version"=hex:90,39,ec,3a,56,41,13,c6,35,b8,77,62,94,5e,e3,16,37,71,f0,6c,28,
89,6c,9d,dc,27,9a,91,0d,d9,2a,86,ac,2f,68,e8,56,a6,f0,2b,9e,5e,09,50,c6,2b,\

[HKEY_LOCAL_MACHINE\software\Minnetonka Audio Software\SurCode Dolby Digital Premiere\Version*Version]
"Version"=hex:90,39,ec,3a,56,41,13,c6,35,b8,77,62,94,5e,e3,16,37,71,f0,6c,28,
89,6c,9d,dc,27,9a,91,0d,d9,2a,86,ac,2f,68,e8,56,a6,f0,2b,9e,5e,09,50,c6,2b,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1308)
c:\windows\system32\Ati2evxx.dll
c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll
c:\program files\common files\logishrd\bluetooth\LBTServ.dll
.
Completion time: 2010-01-25 17:35:41
ComboFix-quarantined-files.txt 2010-01-25 16:35

Pre-Run: 15.404.797.952 bytes free
Post-Run: 15.739.236.352 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect /usepmtimer

- - End Of File - - 8777E5072BD1B7B26145E95B5AA73D33


__________________
Everything is sooooo slow... Why? Oh, why?

Last edited by domy_os, 31.01.2010 at 10:54.
Warrior is offline
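An added example, not code posted in this thread and not part of ComboFix: a small Python triage script that walks a ComboFix report such as the one above and pulls out the three things a reviewer reads first. The sample input is a constructed excerpt of lines copied from that report. The assumptions are mine rather than the page's: ComboFix's Sigcheck marks a file whose hash matches its known-good list with `[7]` and a non-matching one with `[-]`; a service line ending in `[?]` is one whose image file ComboFix could not find on disk; the attribute column reads d c s h a r w from left to right; and `fidbox*.dat`/`.idx` under `system32\drivers` are avast!'s persistent-cache files, so they are allow-listed.

```python
"""Triage a ComboFix report: flag the entries a reviewer reads first.

Added example for this thread, not ComboFix code and not code posted here.
Assumptions (mine, not the page's):
  * Sigcheck: "[7]" = hash matched ComboFix's known-good list, "[-]" = no match.
  * A service line ending in "[?]" names an image file ComboFix did not find.
  * Attribute column reads, left to right: d c s h a r w (+1 unused slot).
  * fidbox*.dat/.idx under system32\\drivers are avast!'s persistent cache.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample: lines copied from the report posted above.
SAMPLE_LOG = r"""
2010-01-15 17:02 . 2010-01-25 16:33 39456 --sha-w- c:\windows\system32\drivers\fidbox2.dat
2010-01-15 17:02 . 2010-01-25 16:33 2609184 --sha-w- c:\windows\system32\drivers\fidbox.dat
2010-01-15 08:19 . 2004-08-03 22:00 8192 ----a-w- c:\windows\system32\drivers\changer.sys
2008-04-01 23:35 . 2008-04-01 23:35 61 --sh--w- c:\windows\cnerolf.bin
2009-12-15 20:40 . 2008-03-21 23:38 -------- d--h--w- c:\program files\InstallShield Installation Information
------- Sigcheck -------
[-] 2008-04-12 . 8D8949936913B041C6A0E184FBF1030B . 359808 . . [5.1.2600.2892] . . c:\windows\system32\drivers\TCPIP.SYS
[7] 2006-04-20 . B2220C618B42A2212A59D91EBD6FC4B4 . 360576 . . [5.1.2600.2892] . . c:\windows\$hf_mig$\KB917953\SP2QFE\tcpip.sys
R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [23.6.2008 22:14 114768]
S3 FsUsbExDisk;FsUsbExDisk;\??\c:\windows\system32\FsUsbExDisk.SYS --> c:\windows\system32\FsUsbExDisk.SYS [?]
S3 ggflt;SEMC USB Flash Driver Filter;c:\windows\system32\DRIVERS\ggflt.sys --> c:\windows\system32\DRIVERS\ggflt.sys [?]
"""

SIGCHECK_RE = re.compile(
    r"^\[(?P<mark>[^\]]+)\]\s+(?P<date>\S+)\s+\.\s+(?P<md5>[0-9A-Fa-f]{32})\s+\.\s+"
    r"(?P<size>\d+)\s+\.\s+\.\s+\[(?P<ver>[^\]]*)\]\s+\.\s+\.\s+(?P<path>.+?)\s*$"
)
SERVICE_RE = re.compile(r"^(?P<start>[RS]\d)\s+(?P<name>[^;]+);(?P<display>[^;]*);(?P<rest>.+)$")
FILE_RE = re.compile(
    r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2} \. \d{4}-\d{2}-\d{2} \d{2}:\d{2}\s+"
    r"(?P<size>\d+|-{8})\s+(?P<attrs>[-a-z]{8})\s+(?P<path>.+?)\s*$"
)

# Hidden+system files known to be benign on this box (assumption: avast! cache).
ALLOW_HIDDEN_SYSTEM = [
    re.compile(r"\\system32\\drivers\\fidbox2?\.(dat|idx)$", re.IGNORECASE),
]


@dataclass(frozen=True)
class Finding:
    kind: str   # "sigcheck_mismatch" | "orphan_service" | "hidden_system_file"
    path: str
    detail: str


def triage(report: str) -> list[Finding]:
    """Return findings in report order; lines that match nothing are skipped."""
    findings: list[Finding] = []
    for raw in report.splitlines():
        line = raw.strip()
        if not line:
            continue

        m = SIGCHECK_RE.match(line)
        if m:
            if m["mark"] != "7":            # anything but a known-good match
                findings.append(Finding(
                    "sigcheck_mismatch", m["path"],
                    f"mark [{m['mark']}], md5 {m['md5']}, size {m['size']}, version {m['ver']}"))
            continue

        m = SERVICE_RE.match(line)
        if m:
            rest = m["rest"].strip()
            if rest.endswith("[?]"):        # image file not found on disk
                image = rest.rsplit(" --> ", 1)[-1][: -len("[?]")].strip()
                findings.append(Finding(
                    "orphan_service", image,
                    f"service {m['name']} (start type {m['start']}) points to a missing file"))
            continue

        m = FILE_RE.match(line)
        if m:
            attrs = m["attrs"]
            is_dir, is_system, is_hidden = attrs[0] == "d", attrs[2] == "s", attrs[3] == "h"
            if (is_system and is_hidden and not is_dir
                    and not any(rx.search(m["path"]) for rx in ALLOW_HIDDEN_SYSTEM)):
                findings.append(Finding(
                    "hidden_system_file", m["path"],
                    f"attributes {attrs}, {m['size']} bytes"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.kind:<20} {f.path}\n{'':<20} {f.detail}")
```

On the excerpt, and likewise on the portion of the report shown above, it returns four findings: the live TCPIP.SYS (same version string as the matching copy under $hf_mig$ but a different MD5 and size, which is exactly what the Sigcheck section exists to surface; whether that is a deliberate patch or tampering is for the reviewer to establish), the orphaned FsUsbExDisk and ggflt service entries, and the 61-byte hidden system file c:\windows\cnerolf.bin. Grow ALLOW_HIDDEN_SYSTEM as items are cleared rather than loosening the checks themselves.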
Old 25.01.2010, 18:46   #13
nino
PizzoZder
My PC

Registration date: Jan 2003
Location: Umag
Posts: 12,602
Lol, should I quote you? By "put up the log" I meant upload it, not copy/paste it...

Anyway, you can see it deleted the oddballs:

Quote:
c:\windows\Fonts\MyriadPro-Regular.otf
c:\windows\system32\lsprst7.dll
c:\windows\system32\ssprs.dll
c:\windows\unins000.dat
c:\windows\unins000.exe
Now hit it with one round of Kaspersky.
__________________
Selling a house on a landslide.. Low mileage.....
Member Of PC Ekspert 100+kg Demolition Squad
LATEST = Cheap RAM..http://www.downloadmoreram.com/... tor and AMD bought it....

NEW! Selling high-quality triple-braided hardware thread for fixing coolers

Last edited by nino, 25.01.2010 at 19:01.
nino is offline
Old 25.01.2010, 20:38   #14
Warrior
Premium
My PC

Registration date: Nov 2006
Location: Zagreb
Posts: 1,012
Well, I did mean to upload it, but I saw that the others copy-paste it too, so I figured... he he... Thanks...
__________________
Everything is sooooo slow... Why? Oh, why?
Warrior is offline