Ne mogu da aktiviram automatic updates WinXP-a, a mreža ludi od protoka

NA ralunaru je XP SP2. Nod 4. Nod je updateovan, Pre toga iz safe moda uradjen combofix i smartfraud.

Kako je sve počelo:

Primetim na sviču da mi jedan računar (led) šizi od protoka. Odem do njega i vidim da su ekrančići od lana PLAVI ko more. JAO TROJANCI, a korisnik instalisao milion torent programa, a usput mu NOD istakla licenca. Prihvatim se polsa, aktiviram nod, update, prečistim, nod izbriše šta je izbrisao, pobrišem sve instalacije (uninstal) torent programa. F8 SAFE, cobofix, smartfraud.

Računar kako - tako, proradi.

Pokrenem hijackthis i log bacim na njihov sajt.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 13:05:15, on 11.9.2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Safe mode

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\igfxsrvc.exe
E:\MOJI PROGRAMI\windows-kb890830-v2.3.exe
d:\c2a35ad6d26496b62d19c4\mrtstub.exe
\?\C:\WINDOWS\system32\WBEM\WMIADAP.EXE
C:\WINDOWS\system32\MRT.exe
E:\HiJackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {dbc80044-a445-435b-bc74-9c25c1c588a9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Vypress Chat StartUp.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [java_sun] Java (Sun)
O16 - DPF: {6414512b-b978-451d-a0d8-fcfdf33e833c} (WUWebControl Class) - http://update.microsoft.com/wi...t/wuweb_site.cab?1252577574496
O17 - HKLM\System\CCS\Services\Tcpip\..\{3AFC7D47-7A77-4E15-83F0-BF1292A1F113}: NameServer = 192.168.10.2
O17 - HKLM\System\CS1\Services\Tcpip\..\{3AFC7D47-7A77-4E15-83F0-BF1292A1F113}: NameServer = 192.168.10.2
O17 - HKLM\System\CS2\Services\Tcpip\..\{3AFC7D47-7A77-4E15-83F0-BF1292A1F113}: NameServer = 192.168.10.2
O23 - Service: Background Intelligent Transfer Service (BITS) - Unknown owner - C:\WINDOWS\
O23 - Service: ESET HTTP Server (ehttpsrv) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
O23 - Service: ESET Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
O23 - Service: Java Quick Starter (javaquickstarterservice) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Automatic Updates (wuauserv) - Unknown owner - C:\WINDOWS\

--
End of file - 3618 bytes


Za prvu crvenu liniju dobijem ?, a za drugu X, leeeleeee!!!!



Probam da čekiram ovo i da FIX ali AVAJ. Neće, probam i iz SAFE, ali nemože ni tu, jer naravno ti servisi nisu ni aktivirani u safe modu.

Pokrenem IPview i vidim da sa jedne strane milion nekih IP adresa i svi sa portom 25, a sa druge strane IP od te mašine, ali se portovi menjaju.

U medjuvremenu mi NOD pošalje poruku da mi sistem nije update, kliknem da link, otvori se EXP i počne ažuriranje sa microsoftovog sajta ali u neko doba iskoči error.

Pokušam iz administratorskog alata da pokrenem procese za auto update i ovaj background int. servis, ali nemože, kaže procesi su već zauzeti. A to kaže i fix iz hijacka.



Da li neko od Vas može da mi pomogne šta raditi?

---

Pogledaj Top Temu o koriscenju programa HijackThis i Combofix

Znaci obrisi taj Combofix;Odradi po tom uputstvu skidanje sveze verzije i skeniranje sa Combofix skriptom...
znaci prvo iskljuci antivirus program,skini combofix i postavi log po uputstvu.

_{[Ovu poruku je menjao magna86 dana 11.09.2009. u 20:43 GMT+1]}

---

Uradio sve po uputstvu.

Nema protoka kroz lan, ali i dalje nemože da se uradi update windowsa.

Evo i loga od combofixa:



ComboFix 09-09-13.05 - PC Office 14.09.2009 8:04.3.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1250.381.1033.18.1015.716 [GMT 2:00]
Running from: c:\documents and settings\PC Office\Desktop\ComboFix.exe
AV: ESET NOD32 Antivirus 4.0 *On-access scanning disabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\drivers\46dd4d12.sys

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_46dd4d12


((((((((((((((((((((((((( Files Created from 2009-08-14 to 2009-09-14 )))))))))))))))))))))))))))))))
.

2009-09-13 14:22 . 2009-09-13 14:22 -------- d-----w- C:\ Metamorphosis IV
2009-09-10 11:20 . 2009-09-10 11:24 -------- d-----w- c:\documents and settings\Administrator\DoctorWeb
2009-09-08 09:21 . 2009-09-08 09:28 -------- d-----w- C:\fdsaf
2009-08-17 07:31 . 2009-08-17 07:31 -------- d-----w- c:\program files\RZZO

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-09-08 09:02 . 2009-06-25 06:00 -------- d-----w- c:\program files\Java
2009-09-08 08:59 . 2009-07-22 07:54 -------- d-----w- c:\documents and settings\PC Office\Application Data\uTorrent
2009-09-08 08:31 . 2009-02-02 10:11 -------- d-----w- c:\documents and settings\PC Office\Application Data\Orbit
2009-07-27 07:53 . 2009-07-27 07:52 -------- d-----w- c:\documents and settings\PC Office\Application Data\Winamp
2009-07-27 07:52 . 2009-07-27 07:52 -------- d-----w- c:\program files\Winamp
2009-07-26 13:44 . 2009-07-22 08:14 -------- d-----w- c:\documents and settings\PC Office\Application Data\BSplayer PRO
2009-07-25 03:23 . 2009-06-25 06:00 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-07-24 11:41 . 2009-07-24 11:41 -------- d-----w- c:\program files\Conduit
2009-07-22 08:14 . 2009-07-22 08:14 -------- d-----w- c:\program files\Webteh
2009-07-18 19:30 . 2008-04-16 11:38 74992 ----a-w- c:\documents and settings\PC Office\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-07-17 09:59 . 2009-07-17 09:55 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2009-07-17 09:58 . 2009-07-17 09:58 -------- d-----w- c:\program files\Microsoft Works
2009-07-17 09:57 . 2009-07-17 09:57 -------- d-----w- c:\program files\Microsoft.NET
2009-07-17 09:22 . 2009-07-17 09:22 -------- d-----w- c:\program files\Opera
2009-07-17 08:51 . 2009-07-17 08:51 0 ----a-w- c:\windows\nsreg.dat
.

((((((((((((((((((((((((((((( SnapShot@2009-09-08_08.46.52 )))))))))))))))))))))))))))))))))))))))))
.
+ 2007-07-27 12:00 . 2009-09-11 11:01 53608 c:\windows\system32\perfc009.dat
+ 2008-10-24 19:53 . 2009-02-06 12:24 93336 c:\windows\system32\drivers\epfwtdir.sys
+ 2008-10-16 12:09 . 2008-10-16 12:09 43544 c:\windows\SoftwareDistribution\WebSetup\wups2.dll
+ 2008-10-16 12:08 . 2008-10-16 12:08 34328 c:\windows\SoftwareDistribution\WebSetup\wups.dll
+ 2008-10-16 12:09 . 2008-10-16 12:09 51224 c:\windows\SoftwareDistribution\WebSetup\wuauclt.exe
+ 2008-10-16 12:09 . 2008-10-16 12:09 92696 c:\windows\SoftwareDistribution\WebSetup\cdm.dll
+ 2009-09-08 09:39 . 2009-09-08 09:39 10134 c:\windows\Installer\{CDF97135-7FD2-4289-96B8-DD4505267ACD}\callmsi.exe
+ 2008-04-16 11:25 . 2008-10-16 12:12 202776 c:\windows\system32\wuweb.dll
+ 2007-07-27 12:00 . 2009-09-11 11:01 383254 c:\windows\system32\perfh009.dat
+ 2009-09-08 09:02 . 2009-07-25 03:23 149280 c:\windows\system32\javaws.exe
+ 2009-09-08 09:02 . 2009-07-25 03:23 145184 c:\windows\system32\javaw.exe
+ 2009-09-08 09:02 . 2009-07-25 03:23 145184 c:\windows\system32\java.exe
+ 2009-02-06 12:23 . 2009-02-06 12:23 106208 c:\windows\system32\drivers\ehdrv.sys
+ 2008-10-24 19:45 . 2009-02-06 12:19 113448 c:\windows\system32\drivers\eamon.sys
+ 2008-04-16 11:25 . 2008-10-16 12:12 202776 c:\windows\system32\dllcache\wuweb.dll
+ 2008-10-16 12:12 . 2008-10-16 12:12 323608 c:\windows\SoftwareDistribution\WebSetup\wucltui.dll
+ 2008-10-16 12:12 . 2008-10-16 12:12 561688 c:\windows\SoftwareDistribution\WebSetup\wuapi.dll
+ 2009-09-08 09:39 . 2009-09-08 09:39 101480 c:\windows\Installer\{CDF97135-7FD2-4289-96B8-DD4505267ACD}\egui.exe
+ 2008-10-16 12:13 . 2008-10-16 12:13 1809944 c:\windows\SoftwareDistribution\WebSetup\wuaueng.dll
+ 2009-09-08 09:39 . 2009-09-08 09:39 1116672 c:\windows\Installer\5374a.msi
+ 2009-09-11 07:06 . 2008-10-07 10:19 16721856 c:\windows\system32\MRT.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-08-03 1667584]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-14 39792]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-07-25 149280]
"egui"="c:\program files\ESET\ESET NOD32 Antivirus\egui.exe" [2009-02-06 2021400]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2007-07-27 15360]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Vypress Chat StartUp.lnk - c:\windows\Installer\{A1E1619F-036F-4176-8563-AA9E570113F0}\iconVCAdvertised.exe [2008-12-11 12390]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\Vypress Chat\\VyChat.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\globallyopenports\list]
"25:TCP"= 25:TCP:*:Disabled:smtp

R1 ehdrv;ehdrv;c:\windows\system32\drivers\ehdrv.sys [06.02.2009 14:23 106208]
R1 epfwtdir;epfwtdir;c:\windows\system32\drivers\epfwtdir.sys [24.10.2008 21:53 93336]
R2 ekrn;ESET Service;c:\program files\ESET\ESET NOD32 Antivirus\ekrn.exe [06.02.2009 14:23 727720]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
TCP: {3AFC7D47-7A77-4E15-83F0-BF1292A1F113} = 192.168.10.2
FF - ProfilePath - c:\documents and settings\PC Office\Application Data\Mozilla\Firefox\Profiles\9ul0gjcp.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT1640187&SearchSource=3&q=
FF - prefs.js: keyword.URL - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT1640187&SearchSource=2&q=
FF - component: c:\documents and settings\PC Office\Application Data\Mozilla\Firefox\Profiles\9ul0gjcp.default\extensions\{7c5c0f58-e061-457d-9033-77307f5ed00c}\components\FFExternalAlert.dll
FF - plugin: c:\program files\K-Lite Codec Pack\Real\browser\plugins\nppl3260.dll
FF - plugin: c:\program files\K-Lite Codec Pack\Real\browser\plugins\nprpjplug.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-09-14 08:09
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Vypress Chat\VyChat.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2009-09-14 8:10 - machine was rebooted
ComboFix-quarantined-files.txt 2009-09-14 06:10
ComboFix2.txt 2009-09-08 09:28
ComboFix3.txt 2009-09-08 08:48

Pre-Run: 24,868,712,448 bytes free
Post-Run: 24,877,121,536 bytes free

126

---

Mozda ti ovo moze pomoci http://www.elitesecurity.org/t361948-0

---

Potrebno mi je dodatno skeniranje da bih sve proverio...
Skini RSIT
http://images.malwareremoval.com/random/RSIT.exe

Pokreni ga sa Desktopa ,idi na Continue i napravice dva loga

log.txt
info.txt

postavi log.txt

_{[Ovu poruku je menjao magna86 dana 17.09.2009. u 01:19 GMT+1]}

---

Evo log teksta:





Logfile of random's system information tool 1.06 (written by random/random)
Run by PC Office at 2009-09-18 11:59:57
Microsoft Windows XP Professional Service Pack 2
System drive C: has 23 GB (78%) free of 30 GB
Total RAM: 1015 MB (69% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:00:02, on 18.09.2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\Program Files\Vypress Chat\VyChat.exe
C:\Documents and Settings\PC Office\Desktop\RSIT.exe
E:\PC Office.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {dbc80044-a445-435b-bc74-9c25c1c588a9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\pchealth\helpctr\Binaries\MSCONFIG.EXE /auto
O4 - HKCU\..\Run: [AdobeUpdater] "C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe"
O4 - HKCU\..\Run: [DriverUpdaterPro] C:\Program Files\iXi Tools\Driver Updater Pro\DriverUpdaterPro.exe -t
O4 - HKCU\..\Run: [RegistryCleanerPro] C:\Program Files\iXi Tools\Registry Cleaner Pro\RegistryCleanerPro.exe -t
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Vypress Chat StartUp.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [java_sun] Java (Sun)
O16 - DPF: {6414512b-b978-451d-a0d8-fcfdf33e833c} (WUWebControl Class) - http://update.microsoft.com/wi...t/wuweb_site.cab?1252577574496
O17 - HKLM\System\CCS\Services\Tcpip\..\{3AFC7D47-7A77-4E15-83F0-BF1292A1F113}: NameServer = 192.168.10.2
O17 - HKLM\System\CS1\Services\Tcpip\..\{3AFC7D47-7A77-4E15-83F0-BF1292A1F113}: NameServer = 192.168.10.2
O17 - HKLM\System\CS2\Services\Tcpip\..\{3AFC7D47-7A77-4E15-83F0-BF1292A1F113}: NameServer = 192.168.10.2
O23 - Service: Background Intelligent Transfer Service (BITS) - Unknown owner - C:\WINDOWS\
O23 - Service: ESET HTTP Server (ehttpsrv) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
O23 - Service: ESET Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
O23 - Service: Java Quick Starter (javaquickstarterservice) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Automatic Updates (wuauserv) - Unknown owner - C:\WINDOWS\

--
End of file - 4005 bytes

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]
Adobe PDF Reader Link Helper - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll [2006-10-22 62080]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{dbc80044-a445-435b-bc74-9c25c1c588a9}]
Java(tm) Plug-In 2 SSV Helper - C:\Program Files\Java\jre6\bin\jp2ssv.dll [2009-07-25 41760]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{e7e6f031-17ce-4c07-bc86-eabfe594f69c}]
JQSIEStartDetectorImpl Class - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll [2009-07-25 73728]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"Adobe Reader Speed Launcher"=C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe [2008-10-15 39792]
"SunJavaUpdateSched"=C:\Program Files\Java\jre6\bin\jusched.exe [2009-07-25 149280]
"egui"=C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe [2009-02-06 2021400]
"MSConfig"=C:\WINDOWS\pchealth\helpctr\Binaries\MSCONFIG.EXE [2007-07-27 158208]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"AdobeUpdater"=C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe [2008-09-26 2356088]
"DriverUpdaterPro"=C:\Program Files\iXi Tools\Driver Updater Pro\DriverUpdaterPro.exe -t []
"RegistryCleanerPro"=C:\Program Files\iXi Tools\Registry Cleaner Pro\RegistryCleanerPro.exe -t []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hotkeyscmds]
C:\WINDOWS\system32\hkcmd.exe [2007-02-26 155648]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxtray]
C:\WINDOWS\system32\igfxtray.exe [2007-02-26 131072]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
C:\Program Files\Messenger\msmsgs.exe [2004-08-04 1667584]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\persistence]
C:\WINDOWS\system32\igfxpers.exe [2007-02-26 131072]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\trialreset]
C:\WINDOWS\regx32.exe [2008-07-03 285327]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
Vypress Chat StartUp.lnk - C:\WINDOWS\Installer\{A1E1619F-036F-4176-8563-AA9E570113F0}\iconVCAdvertised.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\igfxcui]
C:\WINDOWS\system32\igfxdev.dll [2007-02-26 204800]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=323
"NoDriveAutoRun"=67108863
"NoDrives"=0

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveAutoRun"=
"NoDriveTypeAutoRun"=
"NoDrives"=

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"C:\WINDOWS\system32\sessmgr.exe"="C:\WINDOWS\system32\sessmgr.exe:*:Disabled:@xpsp2res.dll,-22019"
"C:\Program Files\Vypress Chat\VyChat.exe"="C:\Program Files\Vypress Chat\VyChat.exe:*:Disabled:Vypress Chat - network chat software"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

======List of files/folders created in the last 1 months======

2009-09-18 11:59:57 ----D---- C:\rsit
2009-09-16 19:08:58 ----SHD---- C:\Config.Msi
2009-09-16 18:41:37 ----D---- C:\Program Files\iXi Tools
2009-09-15 09:01:32 ----SHD---- C:\RECYCLER
2009-09-14 10:17:50 ----D---- C:\Program Files\RZZO
2009-09-14 08:10:44 ----A---- C:\ComboFix.txt
2009-09-14 08:07:21 ----D---- C:\WINDOWS\temp
2009-09-13 16:22:15 ----D---- C:\ Metamorphosis IV
2009-09-11 09:06:37 ----A---- C:\WINDOWS\system32\MRT.exe
2009-09-10 12:14:34 ----D---- C:\WINDOWS\system32\SoftwareDistribution
2009-09-08 11:21:44 ----D---- C:\fdsaf
2009-09-08 11:02:19 ----A---- C:\WINDOWS\system32\javaws.exe
2009-09-08 11:02:19 ----A---- C:\WINDOWS\system32\javaw.exe
2009-09-08 11:02:19 ----A---- C:\WINDOWS\system32\java.exe
2009-09-08 10:51:47 ----A---- C:\WINDOWS\system32\tmp.txt
2009-09-08 10:51:41 ----A---- C:\rapport.txt
2009-09-08 10:36:45 ----A---- C:\WINDOWS\zip.exe
2009-09-08 10:36:45 ----A---- C:\WINDOWS\SWXCACLS.exe
2009-09-08 10:36:45 ----A---- C:\WINDOWS\SWSC.exe
2009-09-08 10:36:45 ----A---- C:\WINDOWS\SWREG.exe
2009-09-08 10:36:45 ----A---- C:\WINDOWS\sed.exe
2009-09-08 10:36:45 ----A---- C:\WINDOWS\PEV.exe
2009-09-08 10:36:45 ----A---- C:\WINDOWS\NIRCMD.exe
2009-09-08 10:36:45 ----A---- C:\WINDOWS\grep.exe
2009-09-08 10:35:37 ----D---- C:\WINDOWS\ERDNT
2009-09-08 10:35:23 ----D---- C:\Qoobox
2009-09-08 10:34:10 ----A---- C:\WINDOWS\ntbtlog.txt
2009-08-20 12:12:53 ----A---- C:\WINDOWS\avisplitter.INI

======List of files/folders modified in the last 1 months======

2009-09-18 12:00:01 ----D---- C:\WINDOWS\Prefetch
2009-09-18 11:19:43 ----D---- C:\Program Files\Mozilla Firefox
2009-09-18 06:53:42 ----SH---- C:\boot.ini
2009-09-18 06:53:42 ----A---- C:\WINDOWS\win.ini
2009-09-18 06:53:42 ----A---- C:\WINDOWS\system.ini
2009-09-17 20:10:42 ----A---- C:\WINDOWS\SchedLgU.Txt
2009-09-16 19:09:08 ----SHD---- C:\WINDOWS\Installer
2009-09-16 18:41:37 ----RD---- C:\Program Files
2009-09-16 18:31:13 ----HD---- C:\WINDOWS\inf
2009-09-15 09:03:49 ----D---- C:\WINDOWS\Help
2009-09-15 07:15:36 ----D---- C:\WINDOWS
2009-09-14 10:19:31 ----RSHDC---- C:\WINDOWS\system32\dllcache
2009-09-14 10:19:28 ----D---- C:\WINDOWS\system32
2009-09-14 10:19:23 ----D---- C:\WINDOWS\system32\CatRoot2
2009-09-14 08:10:46 ----D---- C:\WINDOWS\system32\drivers
2009-09-14 08:07:59 ----D---- C:\WINDOWS\system32\config
2009-09-14 08:06:49 ----D---- C:\WINDOWS\AppPatch
2009-09-14 08:06:47 ----D---- C:\Program Files\Common Files
2009-09-11 13:01:19 ----D---- C:\WINDOWS\system32\wbem
2009-09-11 13:01:18 ----A---- C:\WINDOWS\system32\PerfStringBackup.INI
2009-09-11 09:06:39 ----D---- C:\WINDOWS\Debug
2009-09-10 12:13:18 ----SD---- C:\WINDOWS\Downloaded Program Files
2009-09-10 12:13:18 ----D---- C:\WINDOWS\SoftwareDistribution
2009-09-08 11:58:39 ----D---- C:\WINDOWS\pss
2009-09-08 11:30:20 ----SHD---- C:\System Volume Information
2009-09-08 11:30:20 ----D---- C:\WINDOWS\system32\Restore
2009-09-08 11:02:08 ----D---- C:\Program Files\Java
2009-09-08 10:59:21 ----D---- C:\Documents and Settings\PC Office\Application Data\uTorrent
2009-09-08 10:34:28 ----D---- C:\Documents and Settings
2009-09-08 10:31:33 ----D---- C:\Documents and Settings\PC Office\Application Data\Orbit
2009-09-08 10:31:07 ----RSD---- C:\WINDOWS\Fonts
2009-08-28 14:19:27 ----D---- C:\downloads
2009-08-20 07:48:49 ----D---- C:\WINDOWS\Minidump

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 ehdrv;ehdrv; C:\WINDOWS\system32\DRIVERS\ehdrv.sys [2009-02-06 106208]
R1 epfwtdir;epfwtdir; C:\WINDOWS\system32\DRIVERS\epfwtdir.sys [2009-02-06 93336]
R1 intelppm;Intel Processor Driver; C:\WINDOWS\system32\DRIVERS\intelppm.sys [2007-07-27 36096]
R2 eamon;eamon; C:\WINDOWS\system32\DRIVERS\eamon.sys [2009-02-06 113448]
R3 HDAudBus;Microsoft UAA Bus Driver for High Definition Audio; C:\WINDOWS\system32\DRIVERS\HDAudBus.sys [2005-01-07 138752]
R3 ialm;ialm; C:\WINDOWS\system32\DRIVERS\igxpmp32.sys [2007-02-26 5700096]
R3 rootmodem;Microsoft Legacy Modem Driver; C:\WINDOWS\System32\Drivers\RootMdm.sys [2007-07-27 5888]
R3 RTL8023xp;Realtek 10/100/1000 PCI NIC Family NDIS XP Driver; C:\WINDOWS\system32\DRIVERS\Rtnicxp.sys [2006-12-14 85120]
R3 usbehci;Microsoft USB 2.0 Enhanced Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbehci.sys [2004-08-03 26624]
R3 usbhub;USB2 Enabled Hub; C:\WINDOWS\system32\DRIVERS\usbhub.sys [2004-08-03 57600]
R3 USBSTOR;USB Mass Storage Driver; C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2004-08-03 26496]
R3 usbuhci;Microsoft USB Universal Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbuhci.sys [2004-08-03 20480]
S3 catchme;catchme; \??\C:\ComboFix\catchme.sys []
S3 rtl8139;Realtek RTL8139(A/B/C)-based PCI Fast Ethernet Adapter NT Driver; C:\WINDOWS\system32\DRIVERS\RTL8139.SYS [2004-08-04 20992]
S3 STHDA;SigmaTel High Definition Audio CODEC; C:\WINDOWS\system32\drivers\sthda.sys []
S3 usbprint;Microsoft USB PRINTER Class; C:\WINDOWS\system32\DRIVERS\usbprint.sys [2004-08-03 25856]
S4 IntelIde;IntelIde; C:\WINDOWS\system32\drivers\IntelIde.sys []

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 ekrn;ESET Service; C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe [2009-02-06 727720]
R2 javaquickstarterservice;Java Quick Starter; C:\Program Files\Java\jre6\bin\jqs.exe [2009-07-25 153376]
S3 aspnet_state;ASP.NET State Service; C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\aspnet_state.exe [2003-02-20 32768]
S3 ehttpsrv;ESET HTTP Server; C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe [2009-02-06 20680]
S3 odserv;Microsoft Office Diagnostics Service; C:\Program Files\Common Files\Microsoft Shared\OFFICE12\ODSERV.EXE [2006-10-26 441136]
S3 ose;Office Source Engine; C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [2006-10-26 145184]

-----------------EOF-----------------

---

Citiracu Nemanju Zivanovica sa linka http://www.elitesecurity.org/t361948-0 :

Proveri da li su sledeci registry ulazi dobri:

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventSystem > pa u kljucu ImagePath treba da bude vrednost:

%systemroot%\system32\svchost.exe -k netsvcs

Takodje pogledaj i ovo:

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\wuauserv > pa u kljucu ImagePath treba da bude vrednost:

%systemroot%\system32\svchost.exe -k netsvcs

P.S. Dobro pogledaj da li u putanje iste kao sto sam ti napisao, jer i ako se za slovo razlikuju, to moze da izazove problem. Recmo umesto %systemroot% pise %fystemroot%.

---

@chips
Ovako...

Skini catchme program
http://www2.gmer.net/catchme.exe

tamo kopiraj sledece



Klikni Run i na desktopu ce ti se pojaviti zipovan fajl pod imenom catchme, koji saljes na analizu na Virus Total
http://www.virustotal.com/

....................

Posalji mi link ka VirusTotal-u da vidim sta kazu sceneri...

...inace logovi su cisti i ako rezultati budu na VT budu negativni...znaci da problem nije prouzrokovan malware-om...
Combofix je vec automacki obrisao jedan aktivan malware...RSIT i HJT logovi su sad cisti...system je cist.

PS:u uputstvu ti se kaze da se CF pusta samo jednom...ti si pustao tri puta...
sad uninstaliraj tu verziju Combofix-a ..ovako:

Start >>> Run kopiraj ovo:


Ok

Javi rezultate




_{[Ovu poruku je menjao magna86 dana 19.09.2009. u 20:26 GMT+1]}

---

@drvlada75


E da, to je to. Izvinjavam ti se, ali nisam skontao prvi tvoj post od silnih log.textova. Identican slučaj. Sada radi sve ok.

Ali pošto je računar bio zaražen, nastavljam dalje kontrolu po uputstvu magna86.


@magna86

Nisam baš najbolje razumeo ovaj deo


U delu programa gde se kuca skripta ima run. A u delu gde se daje putanja ima scener i ZIP, pa sam to tu odradio.

Dobio sam sledeci txt file:



i to sam poslao na stranicu koju si mi dao, evo ispisa:




Nadam se da sam odradio sve kako treba??? Mada mi ne izgleda tako :-)


_{[Ovu poruku je menjao chips dana 21.09.2009. u 13:27 GMT+1]}

---

cilj je bio da program sam nadje taj file,i posalje copiju tog fajla na desktop da bi ga ti poslao na VT...

hm...probaj ovako... :s

*ugasi automatic update service
Start >>> Run >>>

Ok

nadji automatic servise i zaustavi ga ( stop/disable )
znaci ...dvoklik na automatic update i pod sturtup type: prebaci sa automatic na disable/stop

*Nadji sledeci file:
C:\WINDOWS\SoftwareDistribution\DataStore\Logs\tmp.edb


*Obrisi taj file ili jos bolje kompletan folder
note: za svaki slucaj,pre brisanja becupuj taj folder

*Ponovo ukljuci automatic update,i taj folder bi se trebao ponovo napraviti

za ovaj postupak gore sto sam napsao nisam sasvim siguran.. :s
znaci netvrdim ti resenje problema...
ali probacu i ja kasnije na virtualnoj masini...

---