Critical condition

  • Joined: 03 Dec 2007
  • Posts: 26

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 00:11:28, on 21.12.2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\spoolsv.exe
D:\WINDOWS\Explorer.EXE
D:\WINDOWS\system32\svchost.exe
D:\PROGRA~1\MYWEBS~1\bar\1.bin\m3SrchMn.exe
D:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe
D:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
D:\WINDOWS\system32\ctfmon.exe
D:\Program Files\MSN Messenger\msnmsgr.exe
D:\Program Files\Internet Explorer\IEXPLORE.EXE
D:\Program Files\Canon\CAL\CALMAIN.exe
D:\WINDOWS\system32\wscntfy.exe
D:\WINDOWS\system32\wuauclt.exe
D:\WINDOWS\system32\wuauclt.exe
D:\Program Files\Opera\Opera.exe
D:\Documents and Settings\Dmitar\Desktop\TR33.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www2.iesearch.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = go.microsoft.com/fwlink/?LinkId=69157
R3 - URLSearchHook: (no name) - {0579B4B6-0293-4d73-B02D-5EBB0BA0F0A2} - D:\Program Files\AskSBar\SrchAstt\1.bin\A2SRCHAS.DLL
R3 - URLSearchHook: (no name) - {00A6FAF6-072E-44cf-8957-5838F569A31D} - D:\Program Files\MyWebSearch\SrchAstt\1.bin\MWSSRCAS.DLL
O2 - BHO: MyWebSearch Search Assistant BHO - {00A6FAF1-072E-44cf-8957-5838F569A31D} - D:\Program Files\MyWebSearch\SrchAstt\1.bin\MWSSRCAS.DLL
O2 - BHO: Ask Search Assistant BHO - {0579B4B1-0293-4d73-B02D-5EBB0BA0F0A2} - D:\Program Files\AskSBar\SrchAstt\1.bin\A2SRCHAS.DLL
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: mwsBar BHO - {07B18EA1-A523-4961-B6BB-170DE4475CCA} - D:\Program Files\MyWebSearch\bar\1.bin\MWSBAR.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - D:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - D:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Ask Toolbar BHO - {F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA} - D:\Program Files\AskSBar\bar\1.bin\ASKSBAR.DLL
O3 - Toolbar: Ask Toolbar - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - D:\Program Files\AskSBar\bar\1.bin\ASKSBAR.DLL
O3 - Toolbar: My Web Search - {07B18EA9-A523-4961-B6BB-170DE4475CCA} - D:\Program Files\MyWebSearch\bar\1.bin\MWSBAR.DLL
O4 - HKLM\..\Run: [MyWebSearch Plugin] rundll32 D:\PROGRA~1\MYWEBS~1\bar\1.bin\M3PLUGIN.DLL,UPF
O4 - HKLM\..\Run: [My Web Search Bar Search Scope Monitor] "D:\PROGRA~1\MYWEBS~1\bar\1.bin\m3SrchMn.exe" /m=2 /w
O4 - HKLM\..\Run: [MyWebSearch Email Plugin] D:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe
O4 - HKLM\..\Run: [NeroFilterCheck] D:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Ping upload extra road] D:\Documents and Settings\All Users.WINDOWS\Application Data\burn spam ping upload\Open user.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "D:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [ctfmon.exe] D:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [TEAM SLOW] D:\DOCUME~1\Dmitar\APPLIC~1\HIDEAX~1\defy soap.exe
O4 - HKCU\..\Run: [msnmsgr] "D:\Program Files\MSN Messenger\msnmsgr.exe" /background
O8 - Extra context menu item: &Search - edits.mywebsearch.com/toolbaredits/menusearch.jhtml?p=ZRman000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - D:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - D:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8-) - Canon Inc. - D:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: MATLAB Server (matlabserver) - Unknown owner - D:\Program Files\MATLAB\R2006a\webserver\bin\win32\matlabserver.exe
O23 - Service: My Web Search Service (MyWebSearchService) - MyWebSearch.com - D:\PROGRA~1\MYWEBS~1\bar\1.bin\mwssvc.exe

--
End of file - 4949 bytes
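
Added example (written for this edit; it is not part of the thread and not HijackThis code): a small Python triage script that applies to O2/O4/O23 lines the two checks an analyst does by eye on the log above: does the binary run from a user-writable profile location (Documents and Settings, Application Data, Desktop), and does the path belong to the MyWebSearch/FunWebProducts/Ask toolbar family that was later removed. The sample lines are constructed from the shape of the log (a subset, not a verbatim copy); the marker lists and the `parse_entry`/`assess`/`triage` names are this example's own choices.

```python
"""Triage HijackThis autostart lines (O2 BHOs, O4 Run keys, O23 services).

Added example: flags entries whose binary lives in a user-writable profile
directory or under a known toolbar/adware family path. Heuristics and names
are this example's own, not HijackThis output fields."""
import re

# Constructed sample modelled on the log above (a subset, not a verbatim copy).
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: mwsBar BHO - {07B18EA1-A523-4961-B6BB-170DE4475CCA} - D:\Program Files\MyWebSearch\bar\1.bin\MWSBAR.DLL
O4 - HKLM\..\Run: [NeroFilterCheck] D:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Ping upload extra road] D:\Documents and Settings\All Users.WINDOWS\Application Data\burn spam ping upload\Open user.exe
O4 - HKCU\..\Run: [TEAM SLOW] D:\DOCUME~1\Dmitar\APPLIC~1\HIDEAX~1\defy soap.exe
O4 - HKCU\..\Run: [msnmsgr] "D:\Program Files\MSN Messenger\msnmsgr.exe" /background
O23 - Service: My Web Search Service (MyWebSearchService) - MyWebSearch.com - D:\PROGRA~1\MYWEBS~1\bar\1.bin\mwssvc.exe
"""

# Locations a standard user can write to: a persistence binary living here
# deserves a look even when the value name looks harmless. Both long and
# 8.3 (DOCUME~1 / APPLIC~1) spellings are listed because HJT prints either.
USER_WRITABLE = ("\\documents and settings\\", "\\docume~1\\",
                 "\\application data\\", "\\applic~1\\",
                 "\\desktop\\", "\\local settings\\", "\\temp\\")
# Path fragments of the toolbar/adware family removed in this thread.
ADWARE_MARKERS = ("mywebsearch", "mywebs~1", "funwebproducts",
                  "fun web products", "asksbar")

# First drive-letter path ending in an executable-ish extension, quoted or not.
PATH_RE = re.compile(r'([A-Za-z]:\\[^"\r\n]*?\.(?:exe|dll|scr|sys))\b', re.IGNORECASE)
O4_RE = re.compile(r'^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$')
O2_RE = re.compile(r'^O2 - BHO: (?P<name>.+?) - \{[0-9A-Fa-f-]+\} - (?P<cmd>.+)$')
O23_RE = re.compile(r'^O23 - Service: (?P<name>.+?) - (?P<vendor>.+?) - (?P<cmd>.+)$')


def parse_entry(line):
    """Return {'tag', 'name', 'path'} for an O2/O4/O23 line, else None."""
    for tag, rx in (("O4", O4_RE), ("O2", O2_RE), ("O23", O23_RE)):
        m = rx.match(line.strip())
        if m:
            pm = PATH_RE.search(m.group("cmd"))
            if not pm:            # e.g. rundll32 with a relative target
                return None
            return {"tag": tag, "name": m.group("name"), "path": pm.group(1)}
    return None


def assess(entry):
    """Return the list of reasons an entry is worth a closer look (empty = none)."""
    p = entry["path"].lower()
    reasons = []
    if any(marker in p for marker in USER_WRITABLE):
        reasons.append("binary runs from a user-writable profile/data directory")
    if any(marker in p for marker in ADWARE_MARKERS):
        reasons.append("path matches a known toolbar/adware family")
    return reasons


def triage(log_text):
    """Parse every recognised line and keep those with at least one reason."""
    flagged = []
    for line in log_text.splitlines():
        entry = parse_entry(line)
        if entry is None:
            continue
        reasons = assess(entry)
        if reasons:
            entry["reasons"] = reasons
            flagged.append(entry)
    return flagged


if __name__ == "__main__":
    for e in triage(SAMPLE_LOG):
        print("%s [%s] %s" % (e["tag"], e["name"], e["path"]))
        for r in e["reasons"]:
            print("    -", r)
```

On the constructed sample this flags the mwsBar BHO, the two Run values living under the All Users and per-user Application Data folders, and the MyWebSearch service, while leaving the Adobe, Nero and MSN Messenger entries alone. A path-based rule is deliberately conservative: it does not try to judge the odd value names ("Ping upload extra road", "TEAM SLOW"), which an analyst still reads by hand.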

  • dr_Bora
  • Anti Malware Fighter
    Rank 2
  • Joined: 24 Jul 2007
  • Posts: 12280
  • Location: Höganäs, SE

Hello...


Why don't you have an antivirus installed? You should take care of that as soon as possible.



Download ComboFix from one of the following addresses to the Desktop:
http://download.bleepingcomputer.com/sUBs/ComboFix.exe
http://www.forospyware.com/sUBs/ComboFix.exe
http://subs.geekstogo.com/ComboFix.exe

Run it and do not touch the program window while it scans.
Follow the on-screen instructions. When it finishes, a log will appear (C:\ComboFix.txt) which you will copy here for us.

  • Joined: 03 Dec 2007
  • Posts: 26

I had NOD32 before, but I couldn't update it and after a while I deleted it...

Here's the log:

ComboFix 08-12-20.03 - Dmitar 2008-12-21 12:17:42.5 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1250.1.1033.18.255.106 [GMT 1:00]
Running from: d:\documents and settings\Dmitar\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

d:\documents and settings\All Users.WINDOWS\Application Data\Microsoft\Network\Downloader\qmgr0.dat
d:\documents and settings\All Users.WINDOWS\Application Data\Microsoft\Network\Downloader\qmgr1.dat
d:\program files\FunWebProducts
d:\program files\FunWebProducts\ScreenSaver\Cache\00B88416.swf
d:\program files\FunWebProducts\ScreenSaver\Cache\00BEA682
d:\program files\FunWebProducts\ScreenSaver\Cache\files.ini
d:\program files\FunWebProducts\ScreenSaver\Images\00B43F57.urr
d:\program files\FunWebProducts\ScreenSaver\Images\00B87A1C.urr
d:\program files\FunWebProducts\ScreenSaver\Images\00B9608F.dat
d:\program files\FunWebProducts\ScreenSaver\Images\00BF12DD.dat
d:\program files\FunWebProducts\ScreenSaver\Images\00C18930.dat
d:\program files\FunWebProducts\ScreenSaver\Images\wrkparam.lst
d:\program files\FunWebProducts\Shared\Cache\CursorManiaBtn.html
d:\program files\FunWebProducts\Shared\Cache\MyFunCardsIMBtn.html
d:\program files\FunWebProducts\Shared\Cache\SmileyCentralBtn.html
d:\program files\FunWebProducts\Shared\Cache\WebfettiBtn.html
d:\program files\Internet Explorer\msimg32.dll
d:\program files\MyWebSearch
d:\program files\MyWebSearch\bar\1.bin\F3BKGERR.JPG
d:\program files\MyWebSearch\bar\1.bin\F3CJPEG.DLL
d:\program files\MyWebSearch\bar\1.bin\F3DTACTL.DLL
d:\program files\MyWebSearch\bar\1.bin\F3HISTSW.DLL
d:\program files\MyWebSearch\bar\1.bin\F3HTMLMU.DLL
d:\program files\MyWebSearch\bar\1.bin\F3HTTPCT.DLL
d:\program files\MyWebSearch\bar\1.bin\F3IMSTUB.DLL
d:\program files\MyWebSearch\bar\1.bin\F3POPSWT.DLL
d:\program files\MyWebSearch\bar\1.bin\F3PSSAVR.SCR
d:\program files\MyWebSearch\bar\1.bin\F3REPROX.DLL
d:\program files\MyWebSearch\bar\1.bin\F3RESTUB.DLL
d:\program files\MyWebSearch\bar\1.bin\F3SCHMON.EXE
d:\program files\MyWebSearch\bar\1.bin\F3SCRCTR.DLL
d:\program files\MyWebSearch\bar\1.bin\F3SPACER.WMV
d:\program files\MyWebSearch\bar\1.bin\F3WALLPP.DAT
d:\program files\MyWebSearch\bar\1.bin\F3WPHOOK.DLL
d:\program files\MyWebSearch\bar\1.bin\FWPBUDDY.PNG
d:\program files\MyWebSearch\bar\1.bin\M3FFXTBR.JAR
d:\program files\MyWebSearch\bar\1.bin\M3FFXTBR.MANIFEST
d:\program files\MyWebSearch\bar\1.bin\M3HIGHIN.EXE
d:\program files\MyWebSearch\bar\1.bin\M3HTML.DLL
d:\program files\MyWebSearch\bar\1.bin\M3IDLE.DLL
d:\program files\MyWebSearch\bar\1.bin\M3IMPIPE.EXE
d:\program files\MyWebSearch\bar\1.bin\M3MEDINT.EXE
d:\program files\MyWebSearch\bar\1.bin\M3MSG.DLL
d:\program files\MyWebSearch\bar\1.bin\M3NTSTBR.JAR
d:\program files\MyWebSearch\bar\1.bin\M3NTSTBR.MANIFEST
d:\program files\MyWebSearch\bar\1.bin\M3OUTLCN.DLL
d:\program files\MyWebSearch\bar\1.bin\M3PLUGIN.DLL
d:\program files\MyWebSearch\bar\1.bin\M3SKIN.DLL
d:\program files\MyWebSearch\bar\1.bin\M3SKPLAY.EXE
d:\program files\MyWebSearch\bar\1.bin\M3SLSRCH.EXE
d:\program files\MyWebSearch\bar\1.bin\M3SRCHMN.EXE
d:\program files\MyWebSearch\bar\1.bin\MWSBAR.DLL
d:\program files\MyWebSearch\bar\1.bin\MWSOEMON.EXE
d:\program files\MyWebSearch\bar\1.bin\MWSOEPLG.DLL
d:\program files\MyWebSearch\bar\1.bin\MWSOESTB.DLL
d:\program files\MyWebSearch\bar\1.bin\MWSSVC.EXE
d:\program files\MyWebSearch\bar\1.bin\NPMYWEBS.DLL
d:\program files\MyWebSearch\bar\Avatar\COMMON.F3S
d:\program files\MyWebSearch\bar\Cache\0002F99A
d:\program files\MyWebSearch\bar\Cache\0009B4BE
d:\program files\MyWebSearch\bar\Cache\00260400.bin
d:\program files\MyWebSearch\bar\Cache\00B48657.bin
d:\program files\MyWebSearch\bar\Cache\00B48D08.bin
d:\program files\MyWebSearch\bar\Cache\00B497D4.bin
d:\program files\MyWebSearch\bar\Cache\00B4A2C8.bin
d:\program files\MyWebSearch\bar\Cache\00DBA7DF.bin
d:\program files\MyWebSearch\bar\Cache\00DBBA38.bin
d:\program files\MyWebSearch\bar\Cache\00DBC337.bin
d:\program files\MyWebSearch\bar\Cache\00DBCB46.bin
d:\program files\MyWebSearch\bar\Cache\00DBD323
d:\program files\MyWebSearch\bar\Cache\files.ini
d:\program files\MyWebSearch\bar\Game\CHECKERS.F3S
d:\program files\MyWebSearch\bar\Game\CHESS.F3S
d:\program files\MyWebSearch\bar\Game\REVERSI.F3S
d:\program files\MyWebSearch\bar\History\search3
d:\program files\MyWebSearch\bar\icons\CM.ICO
d:\program files\MyWebSearch\bar\icons\MFC.ICO
d:\program files\MyWebSearch\bar\icons\PSS.ICO
d:\program files\MyWebSearch\bar\icons\SMILEY.ICO
d:\program files\MyWebSearch\bar\icons\WB.ICO
d:\program files\MyWebSearch\bar\icons\ZWINKY.ICO
d:\program files\MyWebSearch\bar\Message\COMMON.F3S
d:\program files\MyWebSearch\bar\Notifier\COMMON.F3S
d:\program files\MyWebSearch\bar\Notifier\DOG.F3S
d:\program files\MyWebSearch\bar\Notifier\FISH.F3S
d:\program files\MyWebSearch\bar\Notifier\KUNGFU.F3S
d:\program files\MyWebSearch\bar\Notifier\LIFEGARD.F3S
d:\program files\MyWebSearch\bar\Notifier\MAID.F3S
d:\program files\MyWebSearch\bar\Notifier\MAILBOX.F3S
d:\program files\MyWebSearch\bar\Notifier\OPERA.F3S
d:\program files\MyWebSearch\bar\Notifier\ROBOT.F3S
d:\program files\MyWebSearch\bar\Notifier\SEDUCT.F3S
d:\program files\MyWebSearch\bar\Notifier\SURFER.F3S
d:\program files\MyWebSearch\bar\Settings\prevcfg2.htm
d:\program files\MyWebSearch\bar\Settings\s_pid.dat
d:\program files\MyWebSearch\SrchAstt\1.bin\MWSSRCAS.DLL
d:\windows\system32\404Fix.exe
d:\windows\system32\dumphive.exe
d:\windows\system32\f3PSSavr.scr
d:\windows\system32\IEDFix.C.exe
d:\windows\system32\IEDFix.exe
d:\windows\system32\Process.exe
d:\windows\system32\SrchSTS.exe
d:\windows\system32\tmp.reg
d:\windows\system32\VACFix.exe
d:\windows\system32\VCCLSID.exe
d:\windows\system32\WS2Fix.exe

----- BITS: Possible infected sites -----

hxxp://www.8ballclub.com
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_MYWEBSEARCHSERVICE
-------\Service_MyWebSearchService


((((((((((((((((((((((((( Files Created from 2008-11-21 to 2008-12-21 )))))))))))))))))))))))))))))))
.

2008-12-21 12:13 . 2008-12-21 12:14 <DIR> d-------- D:\32788R22FWJFW
2008-12-19 00:01 . 2008-12-19 00:01 <DIR> d-------- d:\documents and settings\All Users.WINDOWS\Application Data\DVD Shrink
2008-12-08 11:21 . 2008-12-08 11:21 <DIR> d-------- d:\program files\hideaxisjunk
2008-12-08 00:25 . 2008-12-08 00:25 <DIR> d-------- d:\program files\Common Files\Wise Installation Wizard
2008-12-02 22:17 . 2008-12-02 23:16 69,632 --a------ d:\documents and settings\Dmitar\dfdghgsxhg.exe
2008-12-02 18:28 . 2008-12-02 18:28 69,632 --a------ d:\documents and settings\Dmitar\dfdghg.exe
2008-12-01 20:18 . 2008-12-02 18:26 69,632 --a------ d:\documents and settings\Dmitar\dfdghgshg.exe
2008-11-29 15:42 . 2008-12-01 00:17 116,736 --a------ d:\documents and settings\Dmitar\dfdghghg.exe
2008-11-28 01:33 . 2008-11-28 03:12 116,736 --a------ d:\documents and settings\Dmitar\dfdfdf.exe
2008-11-27 03:49 . 2008-11-27 03:49 115,712 --a------ d:\documents and settings\Dmitar\jlsofxgh.exe
2008-11-26 10:46 . 2008-11-27 05:24 115,712 --a------ d:\documents and settings\Dmitar\fgfghp.exe
2008-11-25 21:36 . 2008-10-27 23:12 117 --a------ d:\windows\boxworld.ini
2008-11-24 21:51 . 2008-11-24 21:52 <DIR> d-------- d:\windows\system32\NtmsData

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-20 20:45 --------- d-----w d:\documents and settings\Dmitar\Application Data\ZoomBrowser EX
2008-12-12 21:40 --------- d-----w d:\documents and settings\All Users.WINDOWS\Application Data\ZoomBrowser
2008-12-08 10:23 --------- d-----w d:\documents and settings\Dmitar\Application Data\hideaxisjunk
2008-12-08 10:22 --------- d-----w d:\documents and settings\All Users.WINDOWS\Application Data\burn spam ping upload
2008-12-05 12:41 --------- d-----w d:\program files\8BallClub
2008-12-03 22:07 --------- d-----w d:\program files\FrostWire
2008-11-26 13:49 --------- d-----w d:\program files\Winamp
2008-11-14 23:41 --------- d-----w d:\program files\Primal Pictures
2008-11-03 19:37 --------- d-----w d:\program files\Fun Web Products
2008-11-02 16:11 --------- dc----w d:\documents and settings\All Users.WINDOWS\Application Data\{51019853-129C-4EDE-9030-D5FD7BBD9AD0}
2008-10-31 22:50 --------- d--h--w d:\program files\InstallShield Installation Information
2008-10-31 22:50 --------- d-----w d:\program files\phenomedia
2008-10-31 22:50 --------- d-----w d:\documents and settings\All Users.WINDOWS\Application Data\phenomedia
2008-10-24 11:10 453,632 ----a-w d:\windows\system32\drivers\mrxsmb.sys
2008-10-23 13:36 45,056 ----a-w d:\windows\NCUNINST.EXE
2008-10-23 13:01 283,648 ----a-w d:\windows\system32\gdi32.dll
2008-10-16 20:38 826,368 ----a-w d:\windows\system32\wininet.dll
2008-10-16 13:13 202,776 ----a-w d:\windows\system32\wuweb.dll
2008-10-16 13:13 1,809,944 ----a-w d:\windows\system32\wuaueng.dll
2008-10-16 13:12 561,688 ----a-w d:\windows\system32\wuapi.dll
2008-10-16 13:12 323,608 ----a-w d:\windows\system32\wucltui.dll
2008-10-16 13:09 92,696 ----a-w d:\windows\system32\cdm.dll
2008-10-16 13:09 51,224 ----a-w d:\windows\system32\wuauclt.exe
2008-10-16 13:09 43,544 ----a-w d:\windows\system32\wups2.dll
2008-10-16 13:08 34,328 ----a-w d:\windows\system32\wups.dll
2008-10-05 08:49 73,216 ----a-w d:\windows\ST6UNST.EXE
2008-10-05 08:49 249,856 ------w d:\windows\Setup1.exe
2008-10-03 10:15 247,326 ----a-w d:\windows\system32\strmdll.dll
2001-11-23 04:08 712,704 ----a-w d:\windows\inf\OTHER\AUDIO3D.DLL
2008-10-29 21:47 67,696 ----a-w d:\program files\mozilla firefox\components\jar50.dll
2008-10-29 21:47 54,376 ----a-w d:\program files\mozilla firefox\components\jsd3250.dll
2008-10-29 21:47 34,952 ----a-w d:\program files\mozilla firefox\components\myspell.dll
2008-10-29 21:47 46,720 ----a-w d:\program files\mozilla firefox\components\spellchk.dll
2008-10-29 21:47 172,144 ----a-w d:\program files\mozilla firefox\components\xpinstal.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{0579B4B6-0293-4d73-B02D-5EBB0BA0F0A2}"= "d:\program files\AskSBar\SrchAstt\1.bin\A2SRCHAS.DLL" [2008-05-19 66912]

[HKEY_CLASSES_ROOT\clsid\{0579b4b6-0293-4d73-b02d-5ebb0ba0f0a2}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0579B4B1-0293-4d73-B02D-5EBB0BA0F0A2}]
2008-05-19 17:11 66912 --a------ d:\program files\AskSBar\SrchAstt\1.bin\A2SRCHAS.DLL

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="d:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"TEAM SLOW"="d:\docume~1\Dmitar\APPLIC~1\HIDEAX~1\defy soap.exe" [2008-12-08 552960]
"msnmsgr"="d:\program files\MSN Messenger\msnmsgr.exe" [2007-01-19 5674352]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NeroFilterCheck"="d:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"Ping upload extra road"="d:\documents and settings\All Users.WINDOWS\Application Data\burn spam ping upload\Open user.exe" [2008-12-20 786432]
"Adobe Reader Speed Launcher"="d:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.iac2"= d:\progra~1\ACEMEG~1\SystemS\Intel\iac25_32.ax
"msacm.sl_anet"= d:\progra~1\ACEMEG~1\SystemS\sl_anet.acm
"vidc.3ivx"= d:\progra~1\ACEMEG~1\SystemS\3ivx\3IVXVF~1.DLL
"vidc.3iv0"= d:\progra~1\ACEMEG~1\SystemS\3ivx\3IVXVF~1.DLL
"vidc.3iv1"= d:\progra~1\ACEMEG~1\SystemS\3ivx\3IVXVF~1.DLL
"vidc.3iv2"= d:\progra~1\ACEMEG~1\SystemS\3ivx\3IVXVF~1.DLL
"vidc.3ivd"= d:\progra~1\ACEMEG~1\SystemS\3ivx\3IVXVF~1.DLL
"vidc.yv12"= d:\progra~1\ACEMEG~1\SystemS\ATI\atiyuv12.DLL
"vidc.divx"= d:\progra~1\ACEMEG~1\SystemS\DivX\DivX511.dll
"vidc.iyuv"= d:\progra~1\ACEMEG~1\SystemS\Intel\iyuv_32.dll
"vidc.yvu9"= d:\progra~1\ACEMEG~1\SystemS\Intel\Iyvu9_32.dll
"vidc.uyvy"= d:\progra~1\ACEMEG~1\SystemS\MICROS~1\msyuv.dll
"vidc.rsy2"= d:\progra~1\ACEMEG~1\SystemS\MICROS~1\msyuv.dll
"vidc.yvyu"= d:\progra~1\ACEMEG~1\SystemS\MICROS~1\msyuv.dll
"msacm.msaudio1"= d:\progra~1\ACEMEG~1\SystemS\MICROS~1\msaud32.acm

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"d:\\Program Files\\Messenger\\msmsgs.exe"=
"d:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"d:\\Program Files\\MSN Messenger\\livecall.exe"=
"d:\\Program Files\\Counter-Strike 1.6\\hl.exe"=
"d:\\Program Files\\Counter-Strike 1.6\\hlds.exe"=
"d:\\Program Files\\FrostWire\\FrostWire.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"d:\\Program Files\\8BallClub\\GameDirector.exe"=

R3 iadusb;MT882;d:\windows\system32\DRIVERS\glauiad.sys [2008-03-24 30336]
S3 usnjsvc;Messenger Sharing Folders USN Journal Reader service;"d:\program files\MSN Messenger\usnsvc.exe" [2007-01-19 97136]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{94ea3c67-5138-11dd-99e5-0018027c2248}]
\Shell\Auto\command - setup.exe
\Shell\AutoRun\command - d:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL setup.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b91a35b0-0fef-11dd-994c-0018027c2248}]
\Shell\AutoRun\command - h:\system\S-3-7-89-2225458569-9856321456-454423558-8896\Driver.exe
\Shell\open\command - h:\system\S-3-7-89-2225458569-9856321456-454423558-8896\Driver.exe

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{67EFG7H6-8IJL-56YT-KLH4-76WE8D3RAM87}]
c:\system\S-3-7-89-2225458569-9856321456-454423558-8896\\Driver.exe
.
Contents of the 'Scheduled Tasks' folder

2008-12-21 d:\windows\Tasks\AE3E361D9185A6E9.job
- d:\docume~1\dmitar\applic~1\hideax~1\roam five 4.exe [2008-12-08 11:23]
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-MyWebSearch Plugin - d:\progra~1\MYWEBS~1\bar\1.bin\M3PLUGIN.DLL
HKLM-Run-My Web Search Bar Search Scope Monitor - d:\progra~1\MYWEBS~1\bar\1.bin\m3SrchMn.exe


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www2.iesearch.com/
uInternet Connection Wizard,ShellNext = iexplore
IE: &Search - edits.mywebsearch.com/toolbaredits/menusearch.jhtml?p=ZRman000
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, gmer.net
Rootkit scan 2008-12-21 12:28:22
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
d:\windows\system32\wdfmgr.exe
d:\program files\Canon\CAL\CALMAIN.exe
d:\windows\system32\wscntfy.exe
d:\program files\Internet Explorer\iexplore.exe
.
**************************************************************************
.
Completion time: 2008-12-21 12:40:41 - machine was rebooted
ComboFix-quarantined-files.txt 2008-12-21 11:40:35
ComboFix2.txt 2008-08-21 18:42:55

Pre-Run: 529.104.896 bytes free
Post-Run: 1,391,439,872 bytes free

269 --- E O F --- 2008-12-19 00:13:43

  • dr_Bora
  • Anti Malware Fighter
    Rank 2
  • Joined: 24 Jul 2007
  • Posts: 12280
  • Location: Höganäs, SE

Open Notepad and copy the following text into it:

File::
d:\documents and settings\Dmitar\dfdghgsxhg.exe
d:\documents and settings\Dmitar\dfdghg.exe
d:\documents and settings\Dmitar\dfdghgshg.exe
d:\documents and settings\Dmitar\dfdghghg.exe
d:\documents and settings\Dmitar\dfdfdf.exe
d:\documents and settings\Dmitar\jlsofxgh.exe
d:\documents and settings\Dmitar\fgfghp.exe
d:\windows\Tasks\AE3E361D9185A6E9.job

Folder::
d:\program files\hideaxisjunk
d:\documents and settings\Dmitar\Application Data\hideaxisjunk
d:\documents and settings\All Users.WINDOWS\Application Data\burn spam ping upload
d:\program files\8BallClub
d:\program files\Fun Web Products
c:\system

Registry::
IE: &Search - http://edits.mywebsearch.com/toolbaredits/menusearch.jhtml?p=ZRman000
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TEAM SLOW"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Ping upload extra road"=-
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b91a35b0-0fef-11dd-994c-0018027c2248}]
[-HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{67EFG7H6-8IJL-56YT-KLH4-76WE8D3RAM87}]


Save the file from Notepad to the Desktop as "CFScript"

Drag the saved script/text onto the ComboFix icon as shown in the picture.
Post the log that is created at the end of the cleaning/scanning in your next message.
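
Added example covering both the "Reg Loading Points" section of the ComboFix log above and the CFScript that follows it (written for this edit; it is neither the thread's nor ComboFix's own code). It parses the mountpoints2 and Active Setup keys the way an analyst reads them here and flags three indicators: a drive's "open" verb pointing at an executable (double-clicking the drive launches it), a directory named like a SID that cannot be a real one (every real Windows SID begins with S-1-, so "S-3-7-89-..." is a decoy), and an Active Setup component id that is not a GUID. It then drafts the Folder:: and Registry:: lines in the same `[-KEY]` deletion syntax the CFScript above uses. The sample dump is constructed from the log; the function names and the rule set are this example's own assumptions, and the draft is a starting point for an analyst, not something to run unreviewed.

```python
"""Spot USB-autorun style persistence in a ComboFix 'Reg Loading Points' dump
and draft the matching CFScript removal lines.

Added example; the rules and names are this example's own."""
import re

# Constructed sample copied in shape from the log above.
SAMPLE_REG = r"""
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{94ea3c67-5138-11dd-99e5-0018027c2248}]
\Shell\Auto\command - setup.exe
\Shell\AutoRun\command - d:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL setup.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b91a35b0-0fef-11dd-994c-0018027c2248}]
\Shell\AutoRun\command - h:\system\S-3-7-89-2225458569-9856321456-454423558-8896\Driver.exe
\Shell\open\command - h:\system\S-3-7-89-2225458569-9856321456-454423558-8896\Driver.exe

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{67EFG7H6-8IJL-56YT-KLH4-76WE8D3RAM87}]
c:\system\S-3-7-89-2225458569-9856321456-454423558-8896\\Driver.exe
"""

KEY_RE = re.compile(r'^\[(?P<key>[^\]]+)\]$')
CMD_RE = re.compile(r'^\\Shell\\(?P<verb>[^\\]+)\\command - (?P<cmd>.+)$', re.IGNORECASE)
# A path component shaped like a SID: S-<n>-<n>-...
SID_LIKE_RE = re.compile(r'\\(S-\d+(?:-\d+)+)\\', re.IGNORECASE)
GUID_RE = re.compile(r'^\{[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}\}$', re.IGNORECASE)


def parse_reg_dump(text):
    """Return {key: [value lines]} in file order (blank lines separate keys)."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = KEY_RE.match(line)
        if m:
            current = m.group("key")
            keys.setdefault(current, [])
        elif current is not None:
            keys[current].append(line)
    return keys


def fake_sid_dir(path):
    """Return the SID-looking directory if it cannot be a real Windows SID.
    Real SIDs always start with S-1- (SID revision 1)."""
    m = SID_LIKE_RE.search(path.replace("\\\\", "\\"))
    if m and not m.group(1).upper().startswith("S-1-"):
        return m.group(1)
    return None


def assess_key(key, values):
    """Reasons a key looks like autorun/Active Setup persistence (empty = none)."""
    reasons = []
    lk = key.lower()
    if "\\mountpoints2\\" in lk:
        verbs = {}
        for v in values:
            m = CMD_RE.match(v)
            if m:
                verbs[m.group("verb").lower()] = m.group("cmd")
        # Ordinary CD autorun sets Auto/AutoRun; hijacking 'open' is the worm tell.
        if "open" in verbs:
            reasons.append("drive 'open' verb redirected to " + verbs["open"])
        for cmd in verbs.values():
            sid = fake_sid_dir(cmd)
            if sid:
                reasons.append("command lives under fake SID directory " + sid)
                break
    elif "\\active setup\\installed components\\" in lk:
        guid = key.rsplit("\\", 1)[1]
        if not GUID_RE.match(guid):
            reasons.append("Active Setup component id is not a valid GUID: " + guid)
        for v in values:
            sid = fake_sid_dir(v)
            if sid:
                reasons.append("stub path lives under fake SID directory " + sid)
    return reasons


def triage_reg_dump(text):
    """List of (key, values, reasons) for every flagged key."""
    findings = []
    for key, values in parse_reg_dump(text).items():
        reasons = assess_key(key, values)
        if reasons:
            findings.append((key, values, reasons))
    return findings


def draft_cfscript(findings):
    """Draft Folder:: and Registry:: sections. '[-KEY]' is the REGEDIT4 form
    ComboFix accepts for deleting a whole key, as in the script above."""
    folders, reg = [], []
    for key, values, _ in findings:
        reg.append("[-%s]" % key)
        for v in values:
            cmd = v.split(" - ", 1)[1] if " - " in v else v
            cmd = cmd.replace("\\\\", "\\")
            sid = fake_sid_dir(cmd)
            if sid:
                # Remove the directory that holds the fake-SID folder.
                parent = cmd.lower().split("\\" + sid.lower() + "\\")[0]
                if parent not in folders:
                    folders.append(parent)
    lines = []
    if folders:
        lines += ["Folder::"] + folders + [""]
    lines += ["Registry::"] + reg
    return "\n".join(lines)


if __name__ == "__main__":
    found = triage_reg_dump(SAMPLE_REG)
    for key, _, reasons in found:
        print(key)
        for r in reasons:
            print("    -", r)
    print()
    print(draft_cfscript(found))
```

The first mountpoints2 key (a plain setup.exe autorun) is not flagged by these rules, the USB key with the hijacked "open" verb and the Active Setup stub are, and the draft names the `h:\system` and `c:\system` parents as Folder:: targets; a path on a removable drive that is no longer attached can simply be dropped from the draft before use.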

  • Joined: 03 Dec 2007
  • Posts: 26

ComboFix 08-12-20.03 - Dmitar 2008-12-21 16:53:06.6 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1250.1.1033.18.255.82 [GMT 1:00]
Running from: d:\documents and settings\Dmitar\Desktop\ComboFix.exe
Command switches used :: d:\documents and settings\Dmitar\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
d:\documents and settings\Dmitar\dfdfdf.exe
d:\documents and settings\Dmitar\dfdghg.exe
d:\documents and settings\Dmitar\dfdghghg.exe
d:\documents and settings\Dmitar\dfdghgshg.exe
d:\documents and settings\Dmitar\dfdghgsxhg.exe
d:\documents and settings\Dmitar\fgfghp.exe
d:\documents and settings\Dmitar\jlsofxgh.exe
d:\windows\Tasks\AE3E361D9185A6E9.job
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\system
c:\system\S-3-7-89-2225458569-9856321456-454423558-8896\Desktop.ini
c:\system\S-3-7-89-2225458569-9856321456-454423558-8896\Driver.exe
d:\documents and settings\All Users.WINDOWS\Application Data\burn spam ping upload
d:\documents and settings\All Users.WINDOWS\Application Data\burn spam ping upload\Open user.exe
d:\documents and settings\Dmitar\Application Data\hideaxisjunk
d:\documents and settings\Dmitar\Application Data\hideaxisjunk\0
d:\documents and settings\Dmitar\Application Data\hideaxisjunk\defy soap.exe
d:\documents and settings\Dmitar\Application Data\hideaxisjunk\dzfqvhwz.exe
d:\documents and settings\Dmitar\Application Data\hideaxisjunk\egzrsxjv.exe
d:\documents and settings\Dmitar\Application Data\hideaxisjunk\gjrlegoy.exe
d:\documents and settings\Dmitar\Application Data\hideaxisjunk\govueiuv.exe
d:\documents and settings\Dmitar\Application Data\hideaxisjunk\gudrwxrv.exe
d:\documents and settings\Dmitar\Application Data\hideaxisjunk\hnpqcevt.exe
d:\documents and settings\Dmitar\Application Data\hideaxisjunk\roam five 4.exe
d:\documents and settings\Dmitar\Application Data\hideaxisjunk\tlkenvrb.exe
d:\documents and settings\Dmitar\Application Data\hideaxisjunk\yoiyikyq.exe
d:\documents and settings\Dmitar\dfdfdf.exe
d:\documents and settings\Dmitar\dfdghg.exe
d:\documents and settings\Dmitar\dfdghghg.exe
d:\documents and settings\Dmitar\dfdghgshg.exe
d:\documents and settings\Dmitar\dfdghgsxhg.exe
d:\documents and settings\Dmitar\fgfghp.exe
d:\documents and settings\Dmitar\jlsofxgh.exe
d:\program files\8BallClub
d:\program files\8BallClub\BoardGames.bin
d:\program files\8BallClub\CardGames.bin
d:\program files\8BallClub\Duplicator.bin
d:\program files\8BallClub\EightBall.bin
d:\program files\8BallClub\GameDirector.exe
d:\program files\8BallClub\GameService.bin
d:\program files\8BallClub\GameService1.bin
d:\program files\8BallClub\gui_billiards.cmp
d:\program files\8BallClub\gui_boards.cmp
d:\program files\8BallClub\gui_common.cmp
d:\program files\8BallClub\gui_single.cmp
d:\program files\8BallClub\guiresources.cmp
d:\program files\8BallClub\Microsoft.VC80.CRT.manifest
d:\program files\8BallClub\msvcm80.dll
d:\program files\8BallClub\msvcp80.dll
d:\program files\8BallClub\msvcr80.dll
d:\program files\8BallClub\resources.dat
d:\program files\8BallClub\resources2.dat
d:\program files\8BallClub\resources3.dat
d:\program files\8BallClub\sounds.dat
d:\program files\8BallClub\SystemData\cid21269.dat
d:\program files\8BallClub\SystemData\cid21272.dat
d:\program files\8BallClub\SystemData\cid21275.dat
d:\program files\8BallClub\SystemData\cid22393.dat
d:\program files\8BallClub\SystemData\cid22394.dat
d:\program files\8BallClub\SystemData\cid22395.dat
d:\program files\8BallClub\SystemData\radial.cdb
d:\program files\8BallClub\SystemData\radial.sdb
d:\program files\8BallClub\SystemData\radial.tdb
d:\program files\8BallClub\uninst-8BC.exe
d:\program files\8BallClub\Updates\3.25\BIT9C.tmp
d:\program files\8BallClub\Updates\3.25\BIT9D.tmp
d:\program files\8BallClub\Updates\3.25\BIT9E.tmp
d:\program files\8BallClub\Updates\3.25\BIT9F.tmp
d:\program files\8BallClub\webres.dat
d:\program files\Fun Web Products
d:\program files\hideaxisjunk
d:\windows\Tasks\AE3E361D9185A6E9.job

.
((((((((((((((((((((((((( Files Created from 2008-11-21 to 2008-12-21 )))))))))))))))))))))))))))))))
.

2008-12-19 00:01 . 2008-12-19 00:01 <DIR> d-------- d:\documents and settings\All Users.WINDOWS\Application Data\DVD Shrink
2008-12-08 00:25 . 2008-12-08 00:25 <DIR> d-------- d:\program files\Common Files\Wise Installation Wizard
2008-11-25 21:36 . 2008-10-27 23:12 117 --a------ d:\windows\boxworld.ini
2008-11-24 21:51 . 2008-11-24 21:52 <DIR> d-------- d:\windows\system32\NtmsData

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-20 20:45 --------- d-----w d:\documents and settings\Dmitar\Application Data\ZoomBrowser EX
2008-12-12 21:40 --------- d-----w d:\documents and settings\All Users.WINDOWS\Application Data\ZoomBrowser
2008-12-03 22:07 --------- d-----w d:\program files\FrostWire
2008-11-26 13:49 --------- d-----w d:\program files\Winamp
2008-11-14 23:41 --------- d-----w d:\program files\Primal Pictures
2008-11-02 16:11 --------- dc----w d:\documents and settings\All Users.WINDOWS\Application Data\{51019853-129C-4EDE-9030-D5FD7BBD9AD0}
2008-10-31 22:50 --------- d--h--w d:\program files\InstallShield Installation Information
2008-10-31 22:50 --------- d-----w d:\program files\phenomedia
2008-10-31 22:50 --------- d-----w d:\documents and settings\All Users.WINDOWS\Application Data\phenomedia
2008-10-24 11:10 453,632 ----a-w d:\windows\system32\drivers\mrxsmb.sys
2008-10-23 13:36 45,056 ----a-w d:\windows\NCUNINST.EXE
2008-10-05 08:49 73,216 ----a-w d:\windows\ST6UNST.EXE
2008-10-05 08:49 249,856 ------w d:\windows\Setup1.exe
2001-11-23 04:08 712,704 ----a-w d:\windows\inf\OTHER\AUDIO3D.DLL
2008-10-29 21:47 67,696 ----a-w d:\program files\mozilla firefox\components\jar50.dll
2008-10-29 21:47 54,376 ----a-w d:\program files\mozilla firefox\components\jsd3250.dll
2008-10-29 21:47 34,952 ----a-w d:\program files\mozilla firefox\components\myspell.dll
2008-10-29 21:47 46,720 ----a-w d:\program files\mozilla firefox\components\spellchk.dll
2008-10-29 21:47 172,144 ----a-w d:\program files\mozilla firefox\components\xpinstal.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{0579B4B6-0293-4d73-B02D-5EBB0BA0F0A2}"= "d:\program files\AskSBar\SrchAstt\1.bin\A2SRCHAS.DLL" [2008-05-19 66912]

[HKEY_CLASSES_ROOT\clsid\{0579b4b6-0293-4d73-b02d-5ebb0ba0f0a2}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0579B4B1-0293-4d73-B02D-5EBB0BA0F0A2}]
2008-05-19 17:11 66912 --a------ d:\program files\AskSBar\SrchAstt\1.bin\A2SRCHAS.DLL

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="d:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"msnmsgr"="d:\program files\MSN Messenger\msnmsgr.exe" [2007-01-19 5674352]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NeroFilterCheck"="d:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"Adobe Reader Speed Launcher"="d:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.iac2"= d:\progra~1\ACEMEG~1\SystemS\Intel\iac25_32.ax
"msacm.sl_anet"= d:\progra~1\ACEMEG~1\SystemS\sl_anet.acm
"vidc.3ivx"= d:\progra~1\ACEMEG~1\SystemS\3ivx\3IVXVF~1.DLL
"vidc.3iv0"= d:\progra~1\ACEMEG~1\SystemS\3ivx\3IVXVF~1.DLL
"vidc.3iv1"= d:\progra~1\ACEMEG~1\SystemS\3ivx\3IVXVF~1.DLL
"vidc.3iv2"= d:\progra~1\ACEMEG~1\SystemS\3ivx\3IVXVF~1.DLL
"vidc.3ivd"= d:\progra~1\ACEMEG~1\SystemS\3ivx\3IVXVF~1.DLL
"vidc.yv12"= d:\progra~1\ACEMEG~1\SystemS\ATI\atiyuv12.DLL
"vidc.divx"= d:\progra~1\ACEMEG~1\SystemS\DivX\DivX511.dll
"vidc.iyuv"= d:\progra~1\ACEMEG~1\SystemS\Intel\iyuv_32.dll
"vidc.yvu9"= d:\progra~1\ACEMEG~1\SystemS\Intel\Iyvu9_32.dll
"vidc.uyvy"= d:\progra~1\ACEMEG~1\SystemS\MICROS~1\msyuv.dll
"vidc.rsy2"= d:\progra~1\ACEMEG~1\SystemS\MICROS~1\msyuv.dll
"vidc.yvyu"= d:\progra~1\ACEMEG~1\SystemS\MICROS~1\msyuv.dll
"msacm.msaudio1"= d:\progra~1\ACEMEG~1\SystemS\MICROS~1\msaud32.acm

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"d:\\Program Files\\Messenger\\msmsgs.exe"=
"d:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"d:\\Program Files\\MSN Messenger\\livecall.exe"=
"d:\\Program Files\\Counter-Strike 1.6\\hl.exe"=
"d:\\Program Files\\Counter-Strike 1.6\\hlds.exe"=
"d:\\Program Files\\FrostWire\\FrostWire.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

R3 iadusb;MT882;d:\windows\system32\DRIVERS\glauiad.sys [2008-03-24 30336]
R3 usnjsvc;Messenger Sharing Folders USN Journal Reader service;"d:\program files\MSN Messenger\usnsvc.exe" [2007-01-19 97136]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{94ea3c67-5138-11dd-99e5-0018027c2248}]
\Shell\Auto\command - setup.exe
\Shell\AutoRun\command - d:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL setup.exe
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www2.iesearch.com/
uInternet Connection Wizard,ShellNext = iexplore
IE: &Search - edits.mywebsearch.com/toolbaredits/menusearch.jhtml?p=ZRman000
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, gmer.net
Rootkit scan 2008-12-21 16:57:49
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-12-21 17:06:28
ComboFix-quarantined-files.txt 2008-12-21 16:06:15
ComboFix2.txt 2008-12-21 11:40:43
ComboFix3.txt 2008-08-21 18:42:55

Pre-Run: 1.399.480.320 bytes free
Post-Run: 1,391,603,712 bytes free

182 --- E O F --- 2008-12-19 00:13:43

  • dr_Bora
  • Anti Malware Fighter
    Rank 2
  • Joined: 24 Jul 2007
  • Posts: 12280
  • Location: Höganäs, SE

What is the situation now?

  • Joined: 03 Dec 2007
  • Posts: 26

Noticeably better :)

  • dr_Bora
  • Anti Malware Fighter
    Rank 2
  • Joined: 24 Jul 2007
  • Posts: 12280
  • Location: Höganäs, SE

Judging by the logs, it should be.

Click START and then RUN
In the text entry line type Combofix /u and click OK

Wait for the uninstallation process to finish

The above procedure will:
Delete the following:
ComboFix and its files and folders
VundoFix Backups folder, if it exists
C:\Deckard folder, if it exists
C:\OtMoveIt folder, if it exists

Reset the clock settings on the computer
Hide file extensions, if needed
Hide system/hidden files/folders, if needed
Reset System Restore



That's all.
