Agent.Trojan.ORG


offline
  • Joined: 08 Apr 2009
  • Posts: 57
  • Location: Indjija

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 18:53:09, on 22.6.2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\crypserv.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\TUProgSt.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\Program Files\Common Files\ACD Systems\EN\DevDetect.exe
C:\WINDOWS\livemessenger.com
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\dllcache.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Rasa\Desktop\Trojan\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = search.bearshare.com/sidebar.html?src=ssb
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = go.microsoft.com/fwlink/?LinkId=69157
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [Device Detector] DevDetect.exe -autorun
O4 - HKLM\..\Run: [Custom System Service] C:\WINDOWS\SERVICE\SERVICE.EXE
O4 - HKLM\..\Run: [Microsoft Update] livemessenger.com
O4 - HKLM\..\Run: [Windows Dynamic Library Cache] dllcache.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O7 - HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - update.microsoft.com/windowsupdate/v6/V5Con.....0801603129
O23 - Service: Crypkey License - Kenonic Controls Ltd. - C:\WINDOWS\SYSTEM32\crypserv.exe
O23 - Service: ESET HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
O23 - Service: ESET Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: TuneUp Drive Defrag Service (TuneUp.Defrag) - TuneUp Software - C:\WINDOWS\System32\TuneUpDefragService.exe
O23 - Service: TuneUp Program Statistics Service (TuneUp.ProgramStatisticsSvc) - TuneUp Software - C:\WINDOWS\System32\TUProgSt.exe

--
End of file - 4609 bytes
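The O4 lines in the log above are the ones the helpers react to in the rest of the thread (an entry named "Windows Dynamic Library Cache" that points at a bare dllcache.exe, "Microsoft Update" pointing at livemessenger.com, a SERVICE.EXE loaded from a non-standard folder under C:\WINDOWS). As an added illustration, not part of the original thread and not code from HijackThis or the forum, the script below applies the same checks an analyst makes by hand when reading such entries: an image path with no directory (resolved through the PATH search order at logon), an unusual extension for a persistent Run entry, a binary loaded from the Windows directory outside system32, and a value name dressed up as an OS component while the binary does not live in a system location. The sample lines are copied from the log above; the directory allow-list, the keyword list and the heuristics themselves are assumptions of this example, tuned for an XP-era log.

```python
import re
from typing import Dict, List

# Constructed sample input: the O4 (Run-key) lines from the HijackThis log above.
SAMPLE_O4_LINES = r"""
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [Device Detector] DevDetect.exe -autorun
O4 - HKLM\..\Run: [Custom System Service] C:\WINDOWS\SERVICE\SERVICE.EXE
O4 - HKLM\..\Run: [Microsoft Update] livemessenger.com
O4 - HKLM\..\Run: [Windows Dynamic Library Cache] dllcache.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
"""

# Assumed allow-list: directories an autorun binary is normally expected to live in
# on a Windows XP box (compared lower-case, as path prefixes).
EXPECTED_DIRS = ("c:\\windows\\system32\\", "c:\\program files\\")
WINDIR = "c:\\windows\\"
# Extensions that are unusual for a persistent Run entry (assumption of this example).
UNUSUAL_EXTENSIONS = (".com", ".scr", ".pif", ".bat", ".cmd")
# Words in a value name that suggest it is dressed up as an OS component.
OS_LOOKALIKE_WORDS = ("windows", "microsoft")

# HijackThis O4 line: "O4 - <hive>\..\Run: [<value name>] <command line>"
O4_RE = re.compile(r"^O4 - (?P<hive>.+?)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")


def image_path(cmd: str) -> str:
    """Return the executable part of a Run value: the quoted token when the
    command is quoted, otherwise the first whitespace-delimited token."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split()[0] if cmd else ""


def assess(name: str, image: str) -> List[str]:
    """Apply the hand-triage heuristics to one entry; an empty list means
    nothing stood out (it does not mean the binary is known-good)."""
    reasons: List[str] = []
    low = image.lower()
    has_dir = "\\" in low
    in_expected = low.startswith(EXPECTED_DIRS)
    if not has_dir:
        reasons.append("unqualified path: resolved through the PATH search order at logon")
    if low.endswith(UNUSUAL_EXTENSIONS):
        reasons.append("unusual executable extension for an autorun entry")
    if has_dir and low.startswith(WINDIR) and not in_expected:
        reasons.append("loads from the Windows directory outside system32")
    if any(w in name.lower() for w in OS_LOOKALIKE_WORDS) and not in_expected:
        reasons.append("value name imitates an OS component but the binary is not in a system location")
    return reasons


def triage_autoruns(log_text: str) -> List[Dict[str, object]]:
    """Parse every O4 line in a HijackThis log and return the entries that
    trip at least one heuristic, with the reasons."""
    findings: List[Dict[str, object]] = []
    for line in log_text.splitlines():
        m = O4_RE.match(line.strip())
        if not m:
            continue
        image = image_path(m.group("cmd"))
        reasons = assess(m.group("name"), image)
        if reasons:
            findings.append({"hive": m.group("hive"), "name": m.group("name"),
                             "image": image, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in triage_autoruns(SAMPLE_O4_LINES):
        print(f"[{f['hive']}] {f['name']} -> {f['image']}")
        for r in f["reasons"]:
            print("    -", r)
```

On the sample above the script flags the same four entries the thread goes on to investigate (Device Detector, Custom System Service, Microsoft Update, Windows Dynamic Library Cache) and leaves the ESET, ctfmon and Messenger entries alone. The "unqualified path" hit on DevDetect.exe is a low-priority finding on its own; ComboFix later reports that entry as an orphan, i.e. the file was simply missing.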

  • argus (Male)
  • Anti Malware Fighter
    Rank 2
  • Joined: 27 Apr 2008
  • Posts: 9160
  • Location: Prokuplje

Download sUBs' ComboFix from one of the following locations to your Desktop:

Bleeping Computer . . . . . Geeks to Go!
Right-click one of the links and choose Save Target As... (Save Link As..., Save Linked Content As... or similar);
When the dialog for choosing where to save the file opens, select Desktop and click Save.

When the download is complete:
close all running programs;
disable your security software (instructions);
double-click ComboFix to run it.

While running, ComboFix will:
check whether a newer version of the program is available: click Yes if offered the download.
display the DISCLAIMER OF WARRANTY ON SOFTWARE: click Yes so the process continues.
if the Recovery Console is not installed, offer to install it: accept by clicking Yes and follow the procedure.
ask a number of questions/show a number of notifications: accept by clicking Yes or OK.
restart Windows if necessary (possibly several times);
at the end of its run, open Notepad with the scan report.

Copy the report ComboFix produced into your thread on the forum:
right-click in the Notepad window and choose Select All;
right-click the highlighted text and choose Copy;
right-click in the message box and choose Paste.

Note: the report will be saved as ComboFix.txt on the system partition (typical location: C:\ComboFix.txt);
If after posting you notice the report is incomplete, use the Prikači fajl (attach file) option to attach C:\ComboFix.txt to your post.

offline
  • Joined: 08 Apr 2009
  • Posts: 57
  • Location: Indjija

Connection: ADSL Telekom 1024/124

  • argus (Male)
  • Anti Malware Fighter
    Rank 2
  • Joined: 27 Apr 2008
  • Posts: 9160
  • Location: Prokuplje

Zelezni :: Connection: ADSL Telekom 1024/124

I don't understand this; do it according to the instructions I gave you.

offline
  • Joined: 08 Apr 2009
  • Posts: 57
  • Location: Indjija

ComboFix 09-06-21.01 - Rasa 22.06.2009 20:08.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.239.44 [GMT 2:00]
Running from: c:\documents and settings\Rasa\Desktop\ComboFix.exe
AV: ESET NOD32 Antivirus 4.0 *On-access scanning disabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
* Resident AV is active

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\recycler\S-1-5-21-1482476501-1644491937-682003330-1013
c:\windows\desktop
c:\recycler\S-1-5-21-1482476501-1644491937-682003330-1013\Desktop.ini
c:\windows\admintxt.txt
c:\windows\jestertb.dll
c:\windows\livemessenger.com
c:\windows\system32\drivers\SKYNETeqgvagua.sys
c:\windows\system32\SKYNETcbrmtkro.dll
c:\windows\system32\SKYNETmiravpwa.dll
c:\windows\system32\SKYNETnkodurqe.dat
c:\windows\system32\SKYNETpwvoupqh.dat

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_SKYNETeultpowx


((((((((((((((((((((((((( Files Created from 2009-05-22 to 2009-06-22 )))))))))))))))))))))))))))))))
.

2009-06-21 17:20 . 2009-06-21 17:20 -------- d-----w- c:\documents and settings\All Users\Application Data\Yahoo! Companion
2009-06-21 17:19 . 2009-06-21 00:49 56370 --sh--r- c:\windows\dllcache.exe
2009-06-19 20:14 . 2009-06-19 20:14 -------- d-----w- c:\program files\Webteh
2009-06-19 16:38 . 2009-06-19 16:38 -------- d-----w- c:\windows\SERVICE
2009-06-19 16:37 . 2006-09-29 14:26 94208 ----a-w- c:\windows\OEMDEL.EXE
2009-06-19 16:37 . 2006-12-28 12:36 78336 ----a-w- c:\windows\DEVCON.X64.EXE
2009-06-19 16:37 . 2006-12-28 12:35 73216 ----a-w- c:\windows\DEVCON.X86.EXE
2009-06-19 16:23 . 2009-06-19 16:23 -------- d-----w- c:\program files\ATI Technologies
2009-06-19 16:20 . 2009-06-19 16:20 -------- dc----w- c:\windows\system32\DRVSTORE
2009-06-19 16:19 . 2009-06-19 16:19 -------- d-----w- c:\documents and settings\Rasa\Application Data\InstallShield
2009-06-19 15:48 . 2009-06-19 15:48 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\ESET
2009-06-19 07:42 . 2009-06-19 07:42 603904 ----a-w- c:\windows\system32\TUProgSt.exe
2009-06-19 07:42 . 2008-11-12 14:44 27904 ----a-w- c:\windows\system32\uxtuneup.dll
2009-06-19 07:42 . 2009-06-19 07:42 362240 ----a-w- c:\windows\system32\TuneUpDefragService.exe
2009-06-19 07:42 . 2009-06-19 07:42 -------- d-----w- c:\documents and settings\Rasa\Application Data\TuneUp Software
2009-06-19 07:40 . 2009-06-19 07:40 -------- d-----w- c:\documents and settings\All Users\Application Data\TuneUp Software
2009-06-19 07:40 . 2009-06-19 07:42 -------- d-----w- c:\program files\TuneUp Utilities 2009
2009-06-19 07:39 . 2009-06-19 07:39 -------- d-sh--w- c:\documents and settings\All Users\Application Data\{55A29068-F2CE-456C-9148-C869879E2357}
2009-06-19 07:35 . 2009-06-19 07:35 -------- d-----w- c:\documents and settings\Rasa\Local Settings\Application Data\ACD Systems
2009-06-19 07:28 . 2009-06-19 07:28 -------- d-----w- c:\program files\Yahoo!
2009-06-19 07:27 . 2009-06-19 07:27 -------- d-----w- c:\documents and settings\All Users\Application Data\ACD Systems
2009-06-19 07:26 . 2009-06-19 07:26 -------- d-----w- c:\program files\ACD Systems
2009-06-19 05:17 . 2002-05-27 11:37 233525 ------w- c:\windows\system32\isutil.dll
2009-06-19 05:17 . 2002-05-27 11:37 90112 ------w- c:\windows\apptune.exe
2009-06-19 05:17 . 2002-05-27 11:37 36864 ------w- c:\windows\system32\zpppcl.dll
2009-06-19 05:17 . 2002-05-27 11:37 1953792 ------w- c:\windows\system32\pcldll6l.dll
2009-06-19 05:17 . 2002-05-27 11:37 45056 ------w- c:\windows\system32\zpp.dll
2009-06-19 05:17 . 2002-05-27 11:37 151552 ------w- c:\windows\system32\SDhp1000.DLL
2009-06-19 05:17 . 2009-06-19 05:17 -------- d-----w- c:\program files\hp LaserJet 1000
2009-06-19 05:16 . 2009-06-19 05:16 32768 ----a-w- c:\windows\closewnd.exe
2009-06-18 21:41 . 2009-06-18 21:41 -------- d-----w- c:\documents and settings\Rasa\Local Settings\Application Data\GHISLER
2009-06-18 20:46 . 2009-06-18 20:46 -------- d-----w- c:\documents and settings\Rasa\Local Settings\Application Data\ESET
2009-06-16 21:38 . 2009-06-16 21:38 -------- d-----w- c:\documents and settings\All Users\Application Data\ESET
2009-06-16 21:24 . 2006-03-20 07:32 30336 ----a-w- c:\windows\system32\drivers\glauiad.sys
2009-06-16 21:24 . 2005-08-22 09:22 38400 ----a-w- c:\windows\system32\CoInst.dll
2009-06-16 21:24 . 2009-06-16 21:24 -------- d-----w- c:\program files\MT882

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-06-21 17:20 . 2007-03-30 23:36 -------- d--h--r- c:\documents and settings\Rasa\Application Data\yahoo!
2009-06-19 19:58 . 2006-02-24 14:21 51952 -c--a-w- c:\documents and settings\Rasa\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-06-19 16:37 . 2006-02-24 16:30 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-06-19 16:17 . 2006-02-24 16:30 -------- d-----w- c:\program files\Common Files\InstallShield
2009-06-19 07:27 . 2006-02-24 16:39 -------- d-----w- c:\program files\Common Files\ACD Systems
2009-06-16 21:49 . 2008-03-05 20:08 -------- d-----w- c:\program files\ESET
2009-06-08 08:44 . 2007-03-01 08:11 -------- d-----w- c:\program files\SWiSH v2.0
2009-06-08 08:43 . 2007-12-01 19:08 -------- d-----w- c:\documents and settings\All Users\Application Data\Skype
2009-05-14 13:49 . 2009-05-14 13:49 94360 ----a-w- c:\windows\system32\drivers\epfwtdir.sys
2009-05-14 13:47 . 2009-05-14 13:47 107256 ----a-w- c:\windows\system32\drivers\ehdrv.sys
2009-05-14 13:41 . 2009-05-14 13:41 114472 ----a-w- c:\windows\system32\drivers\eamon.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-10-13 1694208]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"egui"="c:\program files\ESET\ESET NOD32 Antivirus\egui.exe" [2009-05-14 2029640]
"Custom System Service"="c:\windows\SERVICE\SERVICE.EXE" [2007-07-08 86016]
"Windows Dynamic Library Cache"="dllcache.exe" - c:\windows\dllcache.exe [2009-06-21 56370]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-04 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=

R1 ehdrv;ehdrv;c:\windows\system32\drivers\ehdrv.sys [14.5.2009 15:47 107256]
R1 epfwtdir;epfwtdir;c:\windows\system32\drivers\epfwtdir.sys [14.5.2009 15:49 94360]
R2 ekrn;ESET Service;c:\program files\ESET\ESET NOD32 Antivirus\ekrn.exe [14.5.2009 15:47 731840]
R2 TuneUp.ProgramStatisticsSvc;TuneUp Program Statistics Service;c:\windows\system32\TUProgSt.exe [19.6.2009 9:42 603904]
R3 iadusb;MT882;c:\windows\system32\drivers\glauiad.sys [16.6.2009 23:24 30336]
S3 FGUARD32;FGUARD32;\??\c:\program files\Folder Guard XP\FGUARD32.SYS --> c:\program files\Folder Guard XP\FGUARD32.SYS [?]
S3 k510bus;Sony Ericsson K510 Driver driver (WDM);c:\windows\system32\drivers\k510bus.sys [7.10.2005 12:45 58288]
S3 k510mdfl;Sony Ericsson K510 USB WMC Modem Filter;c:\windows\system32\drivers\k510mdfl.sys [7.10.2005 12:46 8336]
S3 k510mdm;Sony Ericsson K510 USB WMC Modem Driver;c:\windows\system32\drivers\k510mdm.sys [7.10.2005 12:46 94064]
S3 k510mgmt;Sony Ericsson K510 USB WMC Device Management Drivers (WDM);c:\windows\system32\drivers\k510mgmt.sys [7.10.2005 12:47 85408]
S3 k510obex;Sony Ericsson K510 USB WMC OBEX Interface;c:\windows\system32\drivers\k510obex.sys [7.10.2005 12:48 83344]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp
.
Contents of the 'Scheduled Tasks' folder

2009-06-22 c:\windows\Tasks\1-Click Maintenance.job
- c:\program files\TuneUp Utilities 2009\OneClickStarter.exe [2008-11-20 14:28]
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-Device Detector - DevDetect.exe


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
Trusted Zone: krstarica.com\www
FF - ProfilePath -

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.enforce_same_site_origin", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.cache_size", 51200);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.ogg.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.wave.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.autoplay.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.urlbar.autocomplete.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.mailnews.*.wholeText", "noAccess");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.storage.default_quota", 5120);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("content.sink.event_probe_rate", 3);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.http.prompt-temp-redirect", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("layout.css.dpi", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("layout.css.devPixelsPerPx", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("gestures.enable_single_finger_input", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.max_chrome_script_run_time", 0);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.tcp.sendbuffer", 131072);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("geo.enabled", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.remember_cert_checkbox_default_setting", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr", "moz35");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-cjkt", "moz35");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.blocklist.level", 2);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.urlbar.restrict.typed", "~");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.urlbar.default.behavior", 0);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.history", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.formdata", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.passwords", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.downloads", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cookies", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cache", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.sessions", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.offlineApps", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.siteSettings", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.history", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.formdata", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.passwords", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.downloads", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.cookies", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.cache", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.sessions", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.offlineApps", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.siteSettings", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.sanitize.migrateFx3Prefs", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.ssl_override_behavior", 2);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("security.alternate_certificate_error_page", "certerror");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.autostart", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.dont_prompt_on_enter", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("geo.wifi.uri", "https://www.google.com/loc/json");
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, gmer.net
Rootkit scan 2009-06-22 20:17
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2009-06-22 20:21
ComboFix-quarantined-files.txt 2009-06-22 18:21

Pre-Run: 8.573.169.664 bytes free
Post-Run: 8.581.779.456 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

195 --- E O F --- 2008-08-22 05:52

  • argus (Male)
  • Anti Malware Fighter
    Rank 2
  • Joined: 27 Apr 2008
  • Posts: 9160
  • Location: Prokuplje

Let's do it this way: enable the display of hidden files and folders.

Showing hidden files and folders

Windows XP

1. Click the Start button (bottom left corner).
2. Choose My Computer.
3. Select the Tools menu and click Folder Options.
4. Select View at the top; in the Hidden files and folders group select Show hidden files and folders.
5. Uncheck Hide file extensions for known types.
6. Uncheck Hide protected operating system files (recommended).
7. Click YES.
8. Click OK.

Find the following files and send them to me via this link

http://www.mycity.rs/ambulanta-upload.php

Files:

c:\windows\dllcache.exe
c:\windows\OEMDEL.EXE
c:\windows\DEVCON.X64.EXE
c:\windows\DEVCON.X86.EXE

Also send me all the files located in this folder:

c:\windows\SERVICE

offline
  • Joined: 08 Apr 2009
  • Posts: 57
  • Location: Indjija

I successfully uploaded the files you asked for, except DLLCACHC.EXE, which I could not find in c:/Windows

offline
  • Joined: 04 Sep 2003
  • Posts: 24135
  • Location: Wien

Only c:\windows\OEMDEL.EXE was uploaded.

offline
  • Joined: 08 Apr 2009
  • Posts: 57
  • Location: Indjija

Posted: 22 Jun 2009 23:10

I successfully uploaded the files you asked for, except DLLCACHC.EXE, which I could not find in c:/Windows

Update: 22 Jun 2009 23:36

NOD32 Antivirus 4 hasn't found a virus in operating memory so far; maybe it has been cleaned?
Scan Log
Version of virus signature database: 4083 (20090518-)
Date: 22.6.2009 Time: 23:34:00
Scanned disks, folders and files: Operating memory
Number of scanned objects: 312
Number of threats found: 0
Time of completion: 23:34:23 Total scanning time: 23 sec (00:00:23)

offline
  • Joined: 04 Sep 2003
  • Posts: 24135
  • Location: Wien

Since I see you're waiting and argus has apparently already gone to bed, here's the next step:

Open Notepad and copy the following text into it:

File::
c:\windows\dllcache.exe

Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Dynamic Library Cache"=-


Save the file from Notepad to the Desktop as "CFScript"

Drag the saved script/text onto the ComboFix icon as shown in the picture.
Post the log produced at the end of the cleaning/scan in your next message.
