|
Poslao: 23 Jun 2007 16:56
|
offline
- kostolac
- Građanin
- Pridružio: 21 Dec 2005
- Poruke: 228
- Gde živiš: Kostolac
|
Logfile of HijackThis v1.99.1
Scan saved at 16:55:09, on 23.6.2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Eset\nod32krn.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Program Files\Analog Devices\SoundMAX\Smax4.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\DU Meter\DUMeter.exe
C:\Program Files\ICQLite\ICQLite.exe
C:\Program Files\Google\Gmail Notifier\gnotify.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\Hewlett-Packard\Toolbox2.0\Javasoft\JRE\1.3.1\bin\javaw.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Skype\Plugin Manager\SkypePM.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\PROGRA~1\FREEDO~1\fdm.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Milos\Desktop\testing\tr3.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.pogodak.rs/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = wmplayer.exe //ICWLaunch
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: FDMIECookiesBHO Class - {CC59E0F9-7E43-44FA-9FAA-8377850BF205} - C:\Program Files\Free Download Manager\iefdmcks.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [DU Meter] C:\Program Files\DU Meter\DUMeter.exe
O4 - HKLM\..\Run: [ICQ Lite] "C:\Program Files\ICQLite\ICQLite.exe" -minimize
O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Program Files\Google\Gmail Notifier\gnotify.exe
O4 - HKLM\..\Run: [CorelDRAW Graphics Suite 11b] C:\Program Files\Corel\Corel Graphics 12\Languages\EN\Programs\Registration.exe /title="CorelDRAW Graphics Suite 12" /date=062507 serial=DR12WNG-0249275-TMV lang=EN
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [StatusClient] C:\Program Files\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe /auto
O4 - HKLM\..\Run: [TomcatStartup] C:\Program Files\Hewlett-Packard\Toolbox2.0\hpbpsttp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [pdfFactory Pro Dispatcher v2] "C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fppdis2a.exe" /runonce
O4 - HKLM\..\Run: [svchost] C:\WINDOWS\system32\drivers\svchost.exe
O4 - HKLM\..\Run: [desktop] C:\WINDOWS\system32\scvhost.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [dlmMgr] "C:\Program Files\Common Files\Adobe\ESD\AdobeDownloadManager.exe" restart=1
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [svchost] C:\WINDOWS\system32\drivers\svchost.exe
O4 - HKCU\..\Run: [desktop] C:\WINDOWS\system32\scvhost.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Preuzmi odabrano Free Download Manager-om - file://C:\Program Files\Free Download Manager\dlselected.htm
O8 - Extra context menu item: Preuzmi sa Free Download Managerom - file://C:\Program Files\Free Download Manager\dllink.htm
O8 - Extra context menu item: Preuzmi sve sa Free Download Manager-om - file://C:\Program Files\Free Download Manager\dlall.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{25A5A426-6110-42EE-BDD3-F9BCA81D2962}: NameServer = 10.88.0.5,194.106.162.3
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Apache2Triad Apache2 Service (Apache2) - Unknown owner - C:\apache2triad\bin\apache.exe" -n Apache2 -k runservice (file missing)
O23 - Service: Apache2Triad Apache2 Service with SSL (Apache2SSL) - Unknown owner - C:\apache2triad\bin\apache.exe" -D SSL -n Apache2SSL -k runservice (file missing)
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Apache2Triad MySql Service (MySql) - Unknown owner - C:\apache2triad\mysql\bin\mysqld.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: Apache2Triad PostgreSQL Service (PgSql) - Unknown owner - C:\apache2triad\pgsql\bin\pg_ctl.exe" runservice -N PgSql -D C:\apache2triad\pgsql\data\ (file missing)
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Apache2Triad SlimFTPd Server (SlimFTPd) - Unknown owner - C:\apache2triad\ftp\SlimFTPd.exe" -service (file missing)
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Apache2Triad Xmail Service (XMail) - Unknown owner - C:\apache2triad\mail\bin\XMail.exe
Dopuna: 23 Jun 2007 16:56
I ako mi mozete reci dali ovim fajlovima treba da bude dozvoljen pristup preko firewall-a
c:\sysucnw.exe
c:\sysddhm.exe
a te fajlove ne vidim u root-u C
Hvala unapred
|
|
|
|
|
|
|
Poslao: 23 Jun 2007 17:32
|
|
|
uradi sledece:
1)
Ukljucivanje prikaza skrivenih fajlova i foldera:
Otvorite My Computer.
Odaberite Tools meni i kliknite Folder Options.
Odaberite View Tab.
U grupi Hidden files and folders stiklirajte Show hidden files and folders.
Destiklirajte Hide protected operating system files (recommended).
Kliknite Yes da bi ste potvrdili izbor.
Kliknite OK.
2) nadji sledece fajlove zipuj ih (rar-uj sve jedno) i uploaduj ih ovde http://www.mycity.rs/ambulanta-upload.php
- C:\WINDOWS\system32\drivers\svchost.exe
- C:\WINDOWS\system32\scvhost.exe
(ako posle prvog koraka budes mogao da vidis i ova dva fajla uploaduj i njih c:\sysucnw.exe c:\sysddhm.exe)
|
|
|
|
|
|
|
Poslao: 23 Jun 2007 19:09
|
offline
- kostolac
- Građanin
- Pridružio: 21 Dec 2005
- Poruke: 228
- Gde živiš: Kostolac
|
Uploadovao sam svchost fajlove kao i sliku task menagera a ona dve fajla se i posle ukljucivanja hiden files-a ne vide ali ima neka druga dva fajla koja neznam koja su a isto stoje u root-u C.
Hvala jos jednom pa postavite ako ima nesto sto ne bi trebalo.
U task menager-u ima nekoliko procesa koji neznam od cega su npr MDM
Pozdrav
|
|
|
|
|
|
|
Poslao: 23 Jun 2007 19:32
|
|
|
za ovaj fajl obrati paznju C:\WINDOWS\system32\scvhost.exe
poslao si mi mi mikrosoftov svchost.exe
probaj da nadjes ovaj scvhost.exe i posaljes ga.
Dopuna: 23 Jun 2007 19:32
uradi i sledece:
Skeniraj komp sa GMER-om i postavi log da proverimo da nema nekih rootkitova...
Uradi sledeće:
Preuzmi fajl gmer.zip sa ovog linka i sačuvaj na Desktop-u.
Raspakuj ga u neki folder.
Dupli klik na gmer.exe za početak: Izaberi Rootkit Tab na vrhu.
Klikni na Scan.
Kada je skeniranje završeno, klik na Copy dugme ispod - ovo će sačuvati to u Clipboard.
U polju za pisanje poruke na forumu klikni desno dugme misa i odaberi opciju Paste.
|
|
|
|
|
|
|
Poslao: 23 Jun 2007 20:11
|
offline
- kostolac
- Građanin
- Pridružio: 21 Dec 2005
- Poruke: 228
- Gde živiš: Kostolac
|
Sorry, moja greska. Evo upravo sam uploadovao scvhost ali sam fajl nasao samo u system32 folderu dok ga u foldery drivers nema.
Upravo skeniram sa GMER-om i samo mi reci jer ti treba samo C ili sve particije ?
Poz
|
|
|
|
|
|
|
|
|
Poslao: 23 Jun 2007 20:26
|
offline
- kostolac
- Građanin
- Pridružio: 21 Dec 2005
- Poruke: 228
- Gde živiš: Kostolac
|
Skenirana je C particija i ovo je rezultat
GMER 1.0.12.12244 - http://www.gmer.net
Rootkit scan 2007-06-23 20:30:11
Windows 5.1.2600 Service Pack 2
---- Kernel code sections - GMER 1.0.12 ----
? C:\WINDOWS\system32\DRIVERS\update.sys
---- User code sections - GMER 1.0.12 ----
.text C:\Program Files\MSN Messenger\msnmsgr.exe[1068] kernel32.dll!SetUnhandledExceptionFilter 7C810386 5 Bytes JMP 004DE392 C:\Program Files\MSN Messenger\MsnMsgr.Exe
---- EOF - GMER 1.0.12 ----
|
|
|
|
|
|
|
Poslao: 23 Jun 2007 20:58
|
|
|
- udji u safe mod (kako uci u safe mod - http://www.mycity.rs/Uputstva-sa-ex-SuperSajta/Kako-uci-u-SAFE-MODE.html)
nadji i obrisi sledece fajlove:
- C:\WINDOWS\system32\drivers\svchost.exe (obrati paznju ovde je SVC)
- C:\WINDOWS\system32\scvhost.exe (ovde je SCV, pazi da ovde slucajno ne obrises svchost.exe jer je to legitiman win fajl)
- C:\sysmgav.exe
i ako se pojave obrisi i ova dva
- c:\sysucnw.exe
- c:\sysddhm.exe
-vrati se u normalan mod
-napravi novi sken sa HijackThis i postavi ga ovde.
|
|
|
|
|
|
|
Poslao: 23 Jun 2007 21:33
|
offline
- kostolac
- Građanin
- Pridružio: 21 Dec 2005
- Poruke: 228
- Gde živiš: Kostolac
|
Mislim izvini sto pitam a jer necu da srusim sistem ako pobrisem ove fajlove ??
|
|
|
|
|
|
|
Poslao: 23 Jun 2007 21:38
|
offline
- bobby
- Administrator
- Pridružio: 04 Sep 2003
- Poruke: 24135
- Gde živiš: Wien
|
E_F trenutno nije tu, pa cu ja da ti odgovorim.
Ti fajlovi su vidljivi i kroz msconfig.exe, tako da nije nista opasno, tj. jednostavno su se ubacili u StartUp. Nisu neki drajveri ili servisi.
Najgore sto moze da ti se desi je da se Windows pri restartu pozali da ne moze da ih nadje, ali to cemo resiti u sledecem koraku, nakon sto postavis novi HJT log.
|
|
|
|
|
|
