#1 | 05.08.2010, 20:01
CPU 100%

When I turn the computer on, that is, after NOD32 and MSN start and the internet connects, a process called
updater.exe shows up in Task Manager taking 99% CPU.
Which program's updater is that, e.g. RealPlayer's, or is it the Windows updater that is always updating something, and how do I remove it?
After I end that updater process everything is OK for 2-3 minutes, and then
svchost.exe - Network Service uses 100% CPU.

And sometimes the CPU goes to 100% even after the internet is disconnected and NOD32 is closed, and after I end the explorer.exe process and start it again it still sits at 100% and it is impossible to do anything.

NOD32 and Malwarebytes Anti-Malware have not found any viruses or anything.
-- ante83
#2 | 05.08.2010, 20:25
Do what is described in this post... https://www.forum.hr/showthread.php?t=509701

Your computer is infected.
-- dobrota
#3 | 08.08.2010, 19:28
OTL: http://pastebin.com/2TncwZxv
Extras: http://pastebin.com/Rv5ZYdEe

What next?
-- ante83
#4 | 08.08.2010, 22:06
Quote (ante83)

Open OTL and paste this into the empty field
Code:
:OTL
PRC - [2010.07.23 00:21:33 | 000,708,608 | RHS- | M] (CosSs) -- C:\WINDOWS\updater.exe
SRV - File not found [Auto | Stopped] --  -- (PCToolsSSDMonitorSvc)
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Secondary Start Pages =  [binary data]
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://myfastwebsearch.com/
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - No CLSID value found.
O3 - HKLM\..\Toolbar: (no name) - {D2F8F919-690B-4EA2-9FA7-A203D1E04F75} - No CLSID value found.
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {D4027C7F-154A-4066-A1AD-4243D8127440} - No CLSID value found.
O4 - HKLM..\Run: [Driver Control Manager v2.8] C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\brpet.exe File not found
O4 - HKLM..\Run: [updater.exe] C:\WINDOWS\updater.exe (CosSs)
O4 - HKCU..\Run: [0x017]  File not found
O4 - HKCU..\Run: [Driver Control Manager v2.8] C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\brpet.exe File not found
O4 - HKCU..\Run: [updater.exe] C:\WINDOWS\updater.exe (CosSs)
O28 - HKLM ShellExecuteHooks: {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - Reg Error: Key error. File not found
O4 - Startup: C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\homepg.cmd ()
O33 - MountPoints2\{be56257c-699f-11df-a86a-0810743ba3f0}\Shell\AutoRun\command - "" = H:\cold\hott\updater.exe -- File not found
O33 - MountPoints2\{be56257c-699f-11df-a86a-0810743ba3f0}\Shell\Explore\Command - "" = H:\cold\hott\updater.exe -- File not found
O33 - MountPoints2\{be56257c-699f-11df-a86a-0810743ba3f0}\Shell\open\command - "" = H:\cold\hott\updater.exe -- File not found
[2010.07.21 18:15:46 | 000,708,608 | RHS- | C] (CosSs) -- C:\WINDOWS\updater.exe
[2010.07.20 12:44:51 | 000,000,000 | RHSD | C] -- C:\WINDOWS\System32\System32
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[1 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[2010.08.05 20:00:00 | 000,000,376 | ---- | M] () -- C:\WINDOWS\tasks\At1.job
[2010.06.26 18:51:23 | 000,004,178 | ---- | M] () -- C:\WINDOWS\svchost.dat

:Commands
[purity]
[emptytemp]
[resethosts]
[EMPTYFLASH]
[CLEARALLRESTOREPOINTS]
[Reboot]
click Run Fix
copy the log you get to the forum

2. Download ComboFix from this page: http://www.bleepingcomputer.com/down...virus/combofix
- save it to the desktop
- disable your antivirus
- run ComboFix and answer yes to everything it asks
- after the restart ComboFix will produce a log; copy it to pastebin and post the link on the forum
-- dobrota
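The OTL entries dobrota picked out in the post above share a handful of persistence tells: autostart entries whose target no longer exists, a binary launched from the Temp folder, hidden+system attributes on a file dropped straight into C:\WINDOWS, a MountPoints2 AutoRun handler pointing at a removable drive, a look-alike System32\System32 folder and an At1.job scheduled task. The script below is an added example, not something posted in this thread and not part of OTL or ComboFix; it scores OTL-style lines against those rules and then shows how the flagged entries pivot on a single file name. The entries it feeds in are copied from the post; the egui.exe line is a constructed benign control, and the severity ordering and the "exe in the %WINDIR% root" heuristic are my own assumptions.

```python
"""Triage OTL (OldTimer's OTL) log lines for the persistence tells seen in this
thread: orphaned autostarts, Temp-launched binaries, hidden+system attributes,
removable-drive AutoRun handlers, look-alike folders and At*.job tasks."""
import re
from dataclasses import dataclass, field

# Sample input: entries dobrota selected for removal, copied from the post; the
# last line (egui.exe, NOD32's GUI) is a constructed benign control, not from the page.
SAMPLE_OTL_LINES = r"""
PRC - [2010.07.23 00:21:33 | 000,708,608 | RHS- | M] (CosSs) -- C:\WINDOWS\updater.exe
SRV - File not found [Auto | Stopped] --  -- (PCToolsSSDMonitorSvc)
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://myfastwebsearch.com/
O4 - HKLM..\Run: [Driver Control Manager v2.8] C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\brpet.exe File not found
O4 - HKLM..\Run: [updater.exe] C:\WINDOWS\updater.exe (CosSs)
O4 - Startup: C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\homepg.cmd ()
O33 - MountPoints2\{be56257c-699f-11df-a86a-0810743ba3f0}\Shell\AutoRun\command - "" = H:\cold\hott\updater.exe -- File not found
[2010.07.21 18:15:46 | 000,708,608 | RHS- | C] (CosSs) -- C:\WINDOWS\updater.exe
[2010.07.20 12:44:51 | 000,000,000 | RHSD | C] -- C:\WINDOWS\System32\System32
[2010.08.05 20:00:00 | 000,000,376 | ---- | M] () -- C:\WINDOWS\tasks\At1.job
O4 - HKLM..\Run: [egui] C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe (ESET)
"""

SEVERITY = ("low", "medium", "high")
# OTL file-listing prefix: [date time | size | attrs | M/C]; attrs are R H S D
# (read-only, hidden, system, directory), '-' where a flag is clear.
ATTR_RE = re.compile(r"\[\d{4}\.\d{2}\.\d{2} \d{2}:\d{2}:\d{2} \| [\d,]+ \| ([RHSD-]{4}) \| [MC]\]")
# First Windows path: lazily up to a known extension (so spaces survive), or an
# extension-less folder that ends the line.
PATH_RE = re.compile(r"[A-Za-z]:\\(?:.*?\.(?:exe|cmd|bat|dll|sys|job|dat)\b|\S+$)", re.I)
TEMP_RE = re.compile(r"\\(?:Temp|LOCALS~1)\\", re.I)
STARTPAGE_RE = re.compile(r"Start Page = (https?://\S+)", re.I)


@dataclass
class Finding:
    line: str
    severity: str
    path: "str | None"
    reasons: list = field(default_factory=list)


def triage_line(line):
    """Return a Finding for one OTL line, or None when no rule fires."""
    line = line.strip()
    if not line:
        return None
    reasons, sev = [], "low"

    def hit(reason, level="low"):
        nonlocal sev
        reasons.append(reason)
        sev = max(sev, level, key=SEVERITY.index)

    m = PATH_RE.search(line)
    path = m.group(0) if m else None
    if "File not found" in line or "No CLSID value found" in line:
        hit("orphaned autostart: target binary or CLSID is gone")
    if "MountPoints2" in line and "AutoRun" in line:
        hit("removable-drive AutoRun handler (USB-spreading pattern)", "high")
    if (m := ATTR_RE.search(line)) and {"H", "S"} <= set(m.group(1)):
        hit("hidden+system attributes on a dropped file or folder", "high")
    if m := STARTPAGE_RE.search(line):
        hit(f"IE start page redirected to {m.group(1)}")
    if path:
        low, parts = path.lower(), path.lower().split("\\")
        if TEMP_RE.search(path):
            hit("autostart target launched from a Temp directory", "high")
        if any(a == b for a, b in zip(parts, parts[1:])):
            hit("look-alike folder: repeated path component", "high")
        if re.search(r"\\tasks\\at\d+\.job$", low):
            hit("At*.job scheduled task used as an autostart", "medium")
        if "\\startup\\" in low and low.endswith((".cmd", ".bat")):
            hit("batch script in the Startup folder", "medium")
        # Heuristic (my assumption): Run keys normally point into Program Files
        # or System32; an .exe directly in the %WINDIR% root deserves a look,
        # although legitimate binaries such as explorer.exe live there too.
        if "run:" in line.lower() and re.fullmatch(r"[a-z]:\\windows\\[^\\]+\.exe", low):
            hit("Run key points at an .exe in the %WINDIR% root", "medium")
    return Finding(line, sev, path, reasons) if reasons else None


def triage(text):
    """Score every line and report basenames shared by several flagged entries:
    the Run keys, the live process, the file on disk and the USB AutoRun
    handler in the post all collapse onto one dropper, updater.exe."""
    findings = [f for f in map(triage_line, text.splitlines()) if f]
    counts = {}
    for f in findings:
        if f.path:
            name = f.path.rsplit("\\", 1)[-1].lower()
            counts[name] = counts.get(name, 0) + 1
    return findings, {n: c for n, c in counts.items() if c >= 2}


if __name__ == "__main__":
    findings, pivots = triage(SAMPLE_OTL_LINES)
    for f in sorted(findings, key=lambda f: SEVERITY.index(f.severity), reverse=True):
        print(f"[{f.severity:>6}] {f.line[:80]}")
        for r in f.reasons:
            print("         -", r)
    print("names shared by several flagged entries:", pivots)
```

Run it as-is and the benign egui.exe Run entry produces nothing, while every entry dobrota removed gets at least one reason; the pivot table at the end shows updater.exe referenced by four separate flagged entries, which is the signal that one dropper owns the Run keys, the running process, the file on disk and the removable-drive AutoRun handler. The rules are deliberately simple string and regex checks so they can be read against the OTL lines above; none of them replaces looking at the file itself.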
#5 | 09.08.2010, 00:08
All processes killed
========== OTL ==========
No active process named updater.exe was found!
Service PCToolsSSDMonitorSvc stopped successfully!
Service PCToolsSSDMonitorSvc deleted successfully!
HKCU\SOFTWARE\Microsoft\Internet Explorer\Main\\Secondary Start Pages| /E : value set successfully!
HKCU\SOFTWARE\Microsoft\Internet Explorer\Main\\Start Page| /E : value set successfully!
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5C255C8A-E604-49b4-9D64-90988571CECB}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{5C255C8A-E604-49b4-9D64-90988571CECB}\ not found.
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Toolbar\\{D2F8F919-690B-4EA2-9FA7-A203D1E04F75} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D2F8F919-690B-4EA2-9FA7-A203D1E04F75}\ not found.
Registry value HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{D4027C7F-154A-4066-A1AD-4243D8127440} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D4027C7F-154A-4066-A1AD-4243D8127440}\ not found.
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\Driver Control Manager v2.8 deleted successfully.
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\updater.exe deleted successfully.
C:\WINDOWS\updater.exe moved successfully.
Registry value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\\0x017 deleted successfully.
Registry value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\\Driver Control Manager v2.8 deleted successfully.
Registry value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\\updater.exe deleted successfully.
File C:\WINDOWS\updater.exe not found.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\\{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}\ deleted successfully.
C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\homepg.cmd moved successfully.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{be56257c-699f-11df-a86a-0810743ba3f0}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{be56257c-699f-11df-a86a-0810743ba3f0}\ not found.
File H:\cold\hott\updater.exe not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{be56257c-699f-11df-a86a-0810743ba3f0}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{be56257c-699f-11df-a86a-0810743ba3f0}\ not found.
File H:\cold\hott\updater.exe not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{be56257c-699f-11df-a86a-0810743ba3f0}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{be56257c-699f-11df-a86a-0810743ba3f0}\ not found.
File H:\cold\hott\updater.exe not found.
File C:\WINDOWS\updater.exe not found.
C:\WINDOWS\System32\System32 folder moved successfully.
C:\WINDOWS\System32\CONFIG.TMP deleted successfully.
C:\WINDOWS\NV4282012.TMP\nvtcp.sys deleted successfully.
C:\WINDOWS\NV4282012.TMP folder deleted successfully.
C:\WINDOWS\tasks\At1.job moved successfully.
C:\WINDOWS\svchost.dat moved successfully.
========== COMMANDS ==========

[EMPTYTEMP]

User: Administrator
->Temp folder emptied: 31888866 bytes
->Temporary Internet Files folder emptied: 5426152 bytes
->Java cache emptied: 0 bytes
->FireFox cache emptied: 50775239 bytes
->Flash cache emptied: 1492 bytes

User: All Users

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes
->Flash cache emptied: 41620 bytes

User: LocalService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33932 bytes

User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 402 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 98420 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 63983486 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 0 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 145,00 mb

C:\WINDOWS\System32\drivers\etc\Hosts moved successfully.
HOSTS file reset successfully

[EMPTYFLASH]

User: Administrator
->Flash cache emptied: 0 bytes

User: All Users

User: Default User
->Flash cache emptied: 0 bytes

User: LocalService

User: NetworkService

Total Flash Files Cleaned = 0,00 mb

Restore points cleared and new OTL Restore Point set!

OTL by OldTimer - Version 3.2.9.1 log created on 08082010_222837

Files\Folders moved on Reboot...

Registry entries deleted on Reboot...



ComboFix:

http://pastebin.com/AMjnqjJh
-- ante83
#6 | 09.08.2010, 17:25
Open Notepad and paste this into it

Code:
KillAll::

File::
c:\windows\system32\unins000.exe
c:\windows\system32\unins000.dat
c:\windows\eReg.dat
C:\bog2.exe
C:\bog.exe

Reg::

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"updater.exe"=-

DDS::
uStart Page = 

RegNull::

[HKEY_USERS\S-1-5-21-2052111302-1383384898-1177238915-500\Software\Microsoft\Internet Explorer\User Preferences]
close Notepad and save it as CFScript on the desktop
- disable your antivirus
- drag the script onto combofix.exe with the mouse
- copy the log

2. Run Malwarebytes... update... full scan

- copy the log


I put these two files into the script, I am not quite sure whether they are of any use...
C:\bog2.exe
C:\bog.exe

Question: do you recognise them? .... If so, remove them from this script; if not, leave it as it is.

How is the computer working now?
-- dobrota
#7 | 10.08.2010, 16:43
Here is the ComboFix log:

http://pastebin.com/pWnD86TA

I know those bog and bog2 exe files, they were saved on the C: drive. I did not remove anything,
now they are gone.

Malwarebytes:
Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4412

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

10.8.2010 15:37:52
mbam-log-2010-08-10 (15-37-52).txt

Scan type: Full scan (C:\|D:\|)
Objects scanned: 198504
Time elapsed: 1 hour(s), 44 minute(s), 16 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 3

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Documents and Settings\Administrator\Desktop\Malwarebytes Keygen (Any version!).exe (Trojan.Agent.CK) -> Quarantined and deleted successfully.
C:\Documents and Settings\Administrator\Local Settings\Application Data\Mozilla\Firefox\Profiles\s18irdy2.default\Cache\693B9494d01 (Trojan.Agent.CK) -> Quarantined and deleted successfully.
C:\_OTL\MovedFiles\08082010_222837\C_WINDOWS\updater.exe (Backdoor.Bot) -> Quarantined and deleted successfully.


The computer is fine now, the CPU does not go to 100%.

If that is all, thanks a lot for the help.
-- ante83
#8 | 10.08.2010, 17:10
Yes, that would be all.

Remove ComboFix:
Start / Run / combofix /uninstall

Open OTL and click Cleanup
-- dobrota
#9 | 10.08.2010, 20:23
OK
thanks a lot
just tell me whether System Restore undoes this scanning and cleaning and
the deletion of those 3 files by Malwarebytes?
-- ante83
#10 | 10.08.2010, 20:55
It is best to turn System Restore off completely, restart, then turn it back on again.... let everything start from today....
There is a chance the infection comes back by restoring the system... although the dates before 9.8.2010 have been deleted, but still...
it is safer
-- dobrota
#11 | 11.08.2010, 14:28
Quote (dobrota):
It is best to turn System Restore off completely, restart, then turn it back on again.... let everything start from today....
There is a chance the infection comes back by restoring the system... although the dates before 9.8.2010 have been deleted, but still...
it is safer


The problem is that I had already done a System Restore before I posted the question here.

The computer is working fine, I assume the infection has not come back.
-- ante83
#12 | 11.08.2010, 20:29
Which date did you restore to?....
The dates before 9.8 have been deleted, so I really doubt the infection has come back... repeat the scan with Malwarebytes.
-- dobrota
#13 | 13.08.2010, 19:29
Quote (dobrota):
Which date did you restore to?....
The dates before 9.8 have been deleted, so I really doubt the infection has come back... repeat the scan with Malwarebytes.

I restored to 9.8
and Malwarebytes finds nothing
I guess everything is fine
-- ante83
#14 | 13.08.2010, 19:41
Everything is fine.
-- dobrota