Posted: 05 Mar 2007 11:25
- Joined: 25 Oct 2006
- Posts: 276
I did this... added this file, clicked Remove Vundo, it offered me a restart. I ran the program again, it didn't find anything...
Here's the HijackThis log too:
Logfile of HijackThis v1.99.1
Scan saved at 11:02:19 AM, on 3/5/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\issrch.exe
C:\Program Files\Babylon\Babylon-Pro\Babylon.exe
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\DU Meter\DUMeter.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\Program Files\eMule\emule.exe
C:\Program Files\Dassault Systemes\B17\intel_a\code\bin\CATSysDemon.exe
C:\Program Files\FolderSize\FolderSizeSvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\MDT6\acad.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Opera\Opera.exe
C:\Documents and Settings\stanimir\Desktop\ZekaThis\ZekaThis.exe
R3 - URLSearchHook: radiostanica Toolbar - {a10dc0cb-728f-456b-90f9-7fd1351e841a} - C:\Program Files\radiostanica\tbradi.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\PROGRA~1\Skype\Phone\IEPlugin\SKYPEI~1.DLL
O2 - BHO: (no name) - {36DBC179-A19F-48F2-B16A-6A3E19B42A87} - (no file)
O2 - BHO: radiostanica Toolbar - {a10dc0cb-728f-456b-90f9-7fd1351e841a} - C:\Program Files\radiostanica\tbradi.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: (no name) - {f4d74aaa-a178-4463-846b-b4bc87a024e0} - C:\WINDOWS\System32\ixt0.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: radiostanica Toolbar - {a10dc0cb-728f-456b-90f9-7fd1351e841a} - C:\Program Files\radiostanica\tbradi.dll
O4 - HKLM\..\Run: [Babylon Client] C:\Program Files\Babylon\Babylon-Pro\Babylon.exe -AutoStart
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [DU Meter] C:\Program Files\DU Meter\DUMeter.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [eMuleAutoStart] C:\Program Files\eMule\emule.exe -AutoStart
O8 - Extra context menu item: E&xport to Microsoft Excel - [Link visible only to logged-in users]\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Translate with &Babylon - [Link visible only to logged-in users]\Program Files\Babylon\Babylon-Pro\Utils\BabylonIEPI.dll/Translate.htm
O9 - Extra button: Skype add-on - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\PROGRA~1\Skype\Phone\IEPlugin\SKYPEI~1.DLL
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - [Link visible only to logged-in users]
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - [Link visible only to logged-in users]
O16 - DPF: {78AF2F24-A9C3-11D3-BF8C-0060B0FCC122} (AcDcToday Control) - [Link visible only to logged-in users]\Program Files\MDT6\AcDcToday.ocx
O16 - DPF: {AE563720-B4F5-11D4-A415-00108302FDFD} (NOXLATE-BANR) - [Link visible only to logged-in users]\Program Files\MDT6\InstBanr.ocx
O16 - DPF: {C6637286-300D-11D4-AE0A-0010830243BD} (InstaFred) - [Link visible only to logged-in users]\Program Files\MDT6\InstFred.ocx
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - [Link visible only to logged-in users]
O16 - DPF: {F281A59C-7B65-11D3-8617-0010830243BD} (AcPreview Control) - [Link visible only to logged-in users]\Program Files\MDT6\AcPreview.ocx
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O23 - Service: Backbone Service (BBDemon) - Unknown owner - C:\Program Files\Dassault Systemes\B17\intel_a\code\bin\CATSysDemon.exe" -service (file missing)
O23 - Service: Folder Size (FolderSize) - Brio - C:\Program Files\FolderSize\FolderSizeSvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Macromedia Updater (mmupdate) - Unknown owner - C:\WINDOWS\TEMP\2CB.tmp".exe (file missing)
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
Update: 05 Mar 2007 11:03
That line is still there...
I uploaded ixsso.dll to you
Update: 05 Mar 2007 11:25
I forgot to post the Vundo log:
VundoFix V6.3.6
Checking Java version...
Sun Java not detected
Scan started at 1:00:32 PM 2/16/2007
Listing files found while scanning....
No infected files were found.
VundoFix V6.3.6
Checking Java version...
Sun Java not detected
Scan started at 1:36:31 PM 2/16/2007
Listing files found while scanning....
No infected files were found.
Beginning removal...
Beginning removal...
Attempting to delete C:\WINDOWS\System32\ixt0.dll
C:\WINDOWS\System32\ixt0.dll Has been deleted!
Performing Repairs to the registry.
Done!
VundoFix V6.3.12
Checking Java version...
Sun Java not detected
Scan started at 8:43:43 AM 3/5/2007
Listing files found while scanning....
No infected files were found.
Posted: 05 Mar 2007 16:14
- bobby
- Administrator
- Joined: 04 Sep 2003
- Posts: 24135
- Location: Wien
The situation has changed a lot since the last log, in the sense that some information has appeared in the databases that can help us.
The file you uploaded is a Windows system file.
Scan with HJT and tick the boxes in front of the following lines:
O2 - BHO: (no name) - {36DBC179-A19F-48F2-B16A-6A3E19B42A87} - (no file)
O23 - Service: Macromedia Updater (mmupdate) - Unknown owner - C:\WINDOWS\TEMP\2CB.tmp".exe (file missing)
Click Fix Checked
Pack up the following files for me:
C:\WINDOWS\System32\issrch.exe
In Windows\System32 look for the following files:
- ipv6mon*.dll (where the asterisk can be any letter). The legitimate Windows file is called ipv6mon.dll. All files with a similar name are a possible cause of our problem.
- hook.dll
- msn.exe
Go into Safe Mode and move those files to some folder, just so we can see whether Windows boots normally without them.
After that, do the cleanup with VundoFix again as I described to you last time.
Finally, post new VundoFix and HJT logs.
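As an added illustration (not part of bobby's post or of any tool from this thread), here is a small Python script that applies the same kind of by-eye checks to a HijackThis log: unnamed BHOs, entries whose file is missing, services with an unknown owner, anything running from TEMP, and an executable named *.tmp. The rules are this example's own heuristics, and the sample log is constructed from lines quoted above.

```python
"""Triage a HijackThis 1.99 log for the red flags an analyst checks by eye.

Added example for this thread; it is not part of HijackThis or of the forum's
own tooling, and the rules below are this example's own heuristics. The
sample log is constructed from lines quoted in the thread.
"""
import re
from typing import Dict, List

# Constructed sample: a handful of O2/O4/O23 lines from the logs above.
SAMPLE_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {36DBC179-A19F-48F2-B16A-6A3E19B42A87} - (no file)
O2 - BHO: (no name) - {f4d74aaa-a178-4463-846b-b4bc87a024e0} - C:\WINDOWS\System32\ixt0.dll
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O23 - Service: Backbone Service (BBDemon) - Unknown owner - C:\Program Files\Dassault Systemes\B17\intel_a\code\bin\CATSysDemon.exe" -service (file missing)
O23 - Service: Folder Size (FolderSize) - Brio - C:\Program Files\FolderSize\FolderSizeSvc.exe
O23 - Service: Macromedia Updater (mmupdate) - Unknown owner - C:\WINDOWS\TEMP\2CB.tmp".exe (file missing)
"""

# Each rule is (label, regex); a line collects the label of every rule it trips.
RED_FLAGS = [
    ("unnamed BHO", re.compile(r"^O2 - BHO: \(no name\)")),
    ("dangling entry", re.compile(r"\((?:no file|file missing)\)\s*$")),
    ("runs from TEMP", re.compile(r"\\TEMP\\", re.IGNORECASE)),
    ("service with unknown owner", re.compile(r"^O23 - Service: .* - Unknown owner - ")),
    ("executable named *.tmp", re.compile(r"\.tmp\S*\.exe", re.IGNORECASE)),
]

# HJT entries start with a section code such as R3, O2, O4, O23.
ENTRY = re.compile(r"^([RFNO]\d+) - (.*)$")


def parse_entries(log_text: str) -> List[str]:
    """Keep only the R*/F*/N*/O* entries; the header and process list are skipped."""
    return [line.strip() for line in log_text.splitlines() if ENTRY.match(line.strip())]


def triage(log_text: str) -> Dict[str, List[str]]:
    """Map every flagged HJT line to the list of rules it tripped."""
    flagged: Dict[str, List[str]] = {}
    for line in parse_entries(log_text):
        reasons = [label for label, rx in RED_FLAGS if rx.search(line)]
        if reasons:
            flagged[line] = reasons
    return flagged


def fix_candidates(log_text: str, min_reasons: int = 2) -> List[str]:
    """Lines tripping at least min_reasons rules: the ones worth ticking for Fix Checked."""
    return [line for line, reasons in triage(log_text).items() if len(reasons) >= min_reasons]


if __name__ == "__main__":
    for line, reasons in triage(SAMPLE_LOG).items():
        print(f"{len(reasons)} flag(s): {', '.join(reasons)}\n    {line}")
```

On the sample, the mmupdate service trips four rules and the unnamed BHO pointing at (no file) trips two; those are exactly the two lines bobby asked to fix. The ixt0.dll BHO trips only "unnamed BHO", which is why that file got uploaded for a look rather than fixed blind. BBDemon also scores two (unknown owner plus file missing), but it is CATIA's own service under its Program Files directory, so a score is a prompt to look, not a verdict.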
Posted: 05 Mar 2007 18:25
- Joined: 25 Oct 2006
- Posts: 276
I'll post the logs for you in the morning, since the computer is at work... and I have just one off-topic question. I read about the opening of that school for fighting malware, so I'm just wondering whether there's some guide somewhere for understanding these logs or similar, so I can read a bit on my own, since I'm not a member of the school...
Posted: 05 Mar 2007 20:57
- bobby
- Administrator
- Joined: 04 Sep 2003
- Posts: 24135
- Location: Wien
As for the school, some basic things are taught, and for interpreting the lines a couple of databases from other sites are used.
You start with this:
[Link visible only to logged-in users]
Posted: 06 Mar 2007 11:53
- Joined: 25 Oct 2006
- Posts: 276
I'm sending you issrch, and those 3 you told me to move don't exist, i.e. I can't find them...
here are the logs:
Logfile of HijackThis v1.99.1
Scan saved at 11:12:57 AM, on 3/6/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\issrch.exe
C:\Program Files\Babylon\Babylon-Pro\Babylon.exe
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\DU Meter\DUMeter.exe
C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\eMule\emule.exe
C:\Program Files\Dassault Systemes\B17\intel_a\code\bin\CATSysDemon.exe
C:\Program Files\FolderSize\FolderSizeSvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\PROGRA~1\ACD\ACDSee\ACDSee.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\WINDOWS\System32\svchost.exe
G:\Opera\op.com
C:\Program Files\Winamp\winamp.exe
C:\Program Files\zekaThis\zekaThis.exe
R3 - URLSearchHook: radiostanica Toolbar - {a10dc0cb-728f-456b-90f9-7fd1351e841a} - C:\Program Files\radiostanica\tbradi.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\PROGRA~1\Skype\Phone\IEPlugin\SKYPEI~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O2 - BHO: radiostanica Toolbar - {a10dc0cb-728f-456b-90f9-7fd1351e841a} - C:\Program Files\radiostanica\tbradi.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: (no name) - {f4d74aaa-a178-4463-846b-b4bc87a024e0} - C:\WINDOWS\System32\ixt0.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: radiostanica Toolbar - {a10dc0cb-728f-456b-90f9-7fd1351e841a} - C:\Program Files\radiostanica\tbradi.dll
O4 - HKLM\..\Run: [Babylon Client] C:\Program Files\Babylon\Babylon-Pro\Babylon.exe -AutoStart
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [DU Meter] C:\Program Files\DU Meter\DUMeter.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [eMuleAutoStart] C:\Program Files\eMule\emule.exe -AutoStart
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - [Link visible only to logged-in users]\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Translate with &Babylon - [Link visible only to logged-in users]\Program Files\Babylon\Babylon-Pro\Utils\BabylonIEPI.dll/Translate.htm
O9 - Extra button: Skype add-on - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\PROGRA~1\Skype\Phone\IEPlugin\SKYPEI~1.DLL
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - [Link visible only to logged-in users]
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - [Link visible only to logged-in users]
O16 - DPF: {78AF2F24-A9C3-11D3-BF8C-0060B0FCC122} (AcDcToday Control) - [Link visible only to logged-in users]\Program Files\MDT6\AcDcToday.ocx
O16 - DPF: {AE563720-B4F5-11D4-A415-00108302FDFD} (NOXLATE-BANR) - [Link visible only to logged-in users]\Program Files\MDT6\InstBanr.ocx
O16 - DPF: {C6637286-300D-11D4-AE0A-0010830243BD} (InstaFred) - [Link visible only to logged-in users]\Program Files\MDT6\InstFred.ocx
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - [Link visible only to logged-in users]
O16 - DPF: {F281A59C-7B65-11D3-8617-0010830243BD} (AcPreview Control) - [Link visible only to logged-in users]\Program Files\MDT6\AcPreview.ocx
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O23 - Service: Backbone Service (BBDemon) - Unknown owner - C:\Program Files\Dassault Systemes\B17\intel_a\code\bin\CATSysDemon.exe" -service (file missing)
O23 - Service: Folder Size (FolderSize) - Brio - C:\Program Files\FolderSize\FolderSizeSvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Macromedia Updater (mmupdate) - Unknown owner - C:\WINDOWS\TEMP\2CB.tmp".exe (file missing)
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
VundoFix V6.3.12
Checking Java version...
Java version is 1.5.0.9
Old versions of java are exploitable and should be removed.
Scan started at 11:15:46 AM 3/6/2007
Listing files found while scanning....
No infected files were found.
Beginning removal...
Posted: 06 Mar 2007 22:29
- bobby
- Administrator
- Joined: 04 Sep 2003
- Posts: 24135
- Location: Wien
Did you tick this line:
O23 - Service: Macromedia Updater (mmupdate) - Unknown owner - C:\WINDOWS\TEMP\2CB.tmp".exe (file missing) ?
Did you enter C:\WINDOWS\System32\ixt0.dll into VundoFix for it to delete as well?
Delete the file you uploaded from Safe Mode, since it's a Zlob trojan.
Looks like we'll be racking our brains nicely over this computer. What will bother us most is that there's no SP2, and also that Java is a bit old.
What's your connection speed on that computer?
If it's a decent one, try ewido micro (8 MB to download after starting):
[Link visible only to logged-in users]
How to work with Ewido micro:
- on the first screen select all partitions (tick the boxes in front of them)
- click the Start Scan button
- after the scan is finished click Save Report and save the log file somewhere safe
- click Remove Infections
- copy the contents of the log file you just saved here for us
After scanning with Ewido and posting the log file, also post us a fresh HijackThis log.
Posted: 06 Mar 2007 22:59
- Joined: 25 Oct 2006
- Posts: 276
I ticked that line 2 times, it stayed again... I entered ixt0.dll into Vundo for it to delete, it says it will be deleted after booting...
So should I delete this Zlob?
My connection is good and I already scanned with Ewido before and sent you the log file... but I'll do it again and let you know...
PS (I'm just wondering how come I couldn't find ixt0.dll the normal way but I can via SEARCH? And when I tell it to delete, it says it will be deleted after restart...
Posted: 06 Mar 2007 23:10
- bobby
- Administrator
- Joined: 04 Sep 2003
- Posts: 24135
- Location: Wien
You didn't find it the normal way because it most likely has the Hidden and System attributes, so Explorer hides it. Some other file manager would most likely see it (say, Total Commander). VundoFix should delete it after the restart, and that can be seen in the log it creates on that occasion.
Let's try to find the cause of the re-infection manually.
Do the following:
Download the file gmer.zip from this link and save it to the Desktop.
Unpack it into a folder.
Double-click gmer.exe to start: Select the Rootkit tab at the top.
Click Scan.
When the scan is finished, click the Copy button below - this will save it to the Clipboard.
Use the Paste option in Notepad to turn that into text. Save that text from Notepad as file1.txt.
Repeat the same with the Autostart tab. Save that text from Notepad as file2.txt.
Copy the contents of those two files we just saved here for us.
GMER is an anti-rootkit program, but it also gives a lot of other useful information that might help us here.
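The hunt bobby describes in his earlier post (look-alikes of ipv6mon.dll, the exact names hook.dll and msn.exe) and the Hidden+System explanation just above can be scripted. The following is an added example, not bobby's procedure or any tool posted in the thread; it assumes the Win32 attribute bit values FILE_ATTRIBUTE_HIDDEN = 0x2 and FILE_ATTRIBUTE_SYSTEM = 0x4, broadens "any letter" to a letter or digit, and the directory listing it runs on by default is constructed.

```python
"""Hunt a System32 listing for look-alike file names and Hidden+System files.

Added example for this thread, not bobby's exact procedure and not a tool
posted here. It assumes the Win32 attribute bit values documented for
FILE_ATTRIBUTE_HIDDEN (0x2) and FILE_ATTRIBUTE_SYSTEM (0x4); the listing it
runs on by default is constructed.
"""
import os
import re
from typing import Iterable, List, Tuple

FILE_ATTRIBUTE_HIDDEN = 0x02
FILE_ATTRIBUTE_SYSTEM = 0x04
FILE_ATTRIBUTE_ARCHIVE = 0x20  # the usual state of an ordinary file

# Legitimate names the thread says get imitated: one extra character slipped in
# before the extension (ipv6mon.dll -> ipv6monX.dll). The thread says "any
# letter"; this example also allows a digit, since names like ixt0.dll exist.
LEGIT_NAMES = ["ipv6mon.dll"]
# Names the thread lists to match exactly.
SUSPECT_NAMES = {"hook.dll", "msn.exe"}


def lookalike_pattern(legit: str) -> "re.Pattern[str]":
    base, ext = os.path.splitext(legit)
    return re.compile(rf"^{re.escape(base)}[a-z0-9]{re.escape(ext)}$", re.IGNORECASE)


LOOKALIKES = [lookalike_pattern(n) for n in LEGIT_NAMES]


def is_lookalike(name: str) -> bool:
    return any(p.match(name) for p in LOOKALIKES)


def hidden_and_system(attrs: int) -> bool:
    """Files carrying both bits stay invisible in Explorer even with 'Show hidden
    files' on, until 'Hide protected operating system files' is also unticked."""
    return bool(attrs & FILE_ATTRIBUTE_HIDDEN) and bool(attrs & FILE_ATTRIBUTE_SYSTEM)


def hunt(listing: Iterable[Tuple[str, int]]) -> List[Tuple[str, List[str]]]:
    """Return (name, reasons) for every entry that trips at least one rule."""
    findings = []
    for name, attrs in listing:
        reasons = []
        if name.lower() in SUSPECT_NAMES:
            reasons.append("name on the suspect list")
        if is_lookalike(name):
            reasons.append("look-alike of a legitimate name")
        if hidden_and_system(attrs):
            reasons.append("Hidden+System")
        if reasons:
            findings.append((name, reasons))
    return findings


def scan_directory(path: str) -> List[Tuple[str, int]]:
    """Real listing on Windows; st_file_attributes is absent elsewhere, so attrs fall back to 0."""
    listing = []
    with os.scandir(path) as it:
        for entry in it:
            if entry.is_file(follow_symlinks=False):
                st = entry.stat(follow_symlinks=False)
                listing.append((entry.name, getattr(st, "st_file_attributes", 0)))
    return listing


# Constructed listing standing in for C:\WINDOWS\System32.
CONSTRUCTED_LISTING = [
    ("ipv6mon.dll", FILE_ATTRIBUTE_ARCHIVE),      # the legitimate file
    ("ipv6monk.dll", FILE_ATTRIBUTE_ARCHIVE | FILE_ATTRIBUTE_HIDDEN | FILE_ATTRIBUTE_SYSTEM),
    ("ipv6monitor.dll", FILE_ATTRIBUTE_ARCHIVE),  # two extra characters: not the pattern
    ("ixt0.dll", FILE_ATTRIBUTE_HIDDEN | FILE_ATTRIBUTE_SYSTEM),
    ("hook.dll", FILE_ATTRIBUTE_ARCHIVE),
    ("kernel32.dll", FILE_ATTRIBUTE_ARCHIVE),
]

if __name__ == "__main__":
    for name, reasons in hunt(CONSTRUCTED_LISTING):
        print(f"{name}: {', '.join(reasons)}")
```

On the affected machine itself you would call hunt(scan_directory(r"C:\WINDOWS\System32")); on a non-Windows host the attribute bits are not available, so only the name rules fire. In the constructed listing, ixt0.dll is flagged on attributes alone, which matches what the thread observed: Search turned it up while the folder view did not.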
Posted: 07 Mar 2007 10:51
- Joined: 25 Okt 2006
- Posts: 276
Here are the logs. In the meantime I uninstalled NOD and installed Kaspersky, it found some 2 threats... nothing terrible...
__________________________________________________
ewido anti-spyware online scanner
http://www.ewido.net
__________________________________________________
Name: TrackingCookie.Yieldmanager
Path: C:\Documents and Settings\stanimir\Cookies\stanimir@ad.yieldmanager[2].txt
Risk: Medium
Name: TrackingCookie.Adbrite
Path: C:\Documents and Settings\stanimir\Cookies\stanimir@adbrite[1].txt
Risk: Medium
Name: TrackingCookie.Atdmt
Path: C:\Documents and Settings\stanimir\Cookies\stanimir@atdmt[1].txt
Risk: Medium
Name: TrackingCookie.Com
Path: C:\Documents and Settings\stanimir\Cookies\stanimir@com[1].txt
Risk: Medium
Name: TrackingCookie.Overture
Path: C:\Documents and Settings\stanimir\Cookies\stanimir@data2.perf.overture[1].txt
Risk: Medium
Name: TrackingCookie.Doubleclick
Path: C:\Documents and Settings\stanimir\Cookies\stanimir@doubleclick[1].txt
Risk: Medium
Name: TrackingCookie.Masterstats
Path: C:\Documents and Settings\stanimir\Cookies\stanimir@image.masterstats[1].txt
Risk: Medium
Name: TrackingCookie.Ivwbox
Path: C:\Documents and Settings\stanimir\Cookies\stanimir@ivwbox[2].txt
Risk: Medium
Name: TrackingCookie.Statcounter
Path: C:\Documents and Settings\stanimir\Cookies\stanimir@statcounter[2].txt
Risk: Medium
Name: TrackingCookie.Tacoda
Path: C:\Documents and Settings\stanimir\Cookies\stanimir@tacoda[1].txt
Risk: Medium
Name: TrackingCookie.Yadro
Path: C:\Documents and Settings\stanimir\Cookies\stanimir@yadro[1].txt
Risk: Medium
Name: Adware.Generic
Path: HKLM\SOFTWARE\Classes\CLSID\{f4d74aaa-a178-4463-846b-b4bc87a024e0}
Risk: Medium
Name: Adware.Generic
Path: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{f4d74aaa-a178-4463-846b-b4bc87a024e0}
Risk: Medium
Name: Downloader.Zlob.bda
Path: C:\VundoFix Backups\ixt0.dll.bad
Risk: High
Name: Downloader.Zlob.bda
Path: C:\WINDOWS\system32\ixt0.dll
Risk: High
Logfile of HijackThis v1.99.1
Scan saved at 10:51:57 AM, on 3/7/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\issrch.exe
C:\Program Files\Babylon\Babylon-Pro\Babylon.exe
C:\Program Files\DU Meter\DUMeter.exe
C:\Program Files\Java\jre1.6.0\bin\jusched.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\Program Files\eMule\emule.exe
C:\Program Files\Dassault Systemes\B17\intel_a\code\bin\CATSysDemon.exe
C:\Program Files\FolderSize\FolderSizeSvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Microsoft Office\Office10\WINWORD.EXE
C:\Program Files\Opera\Opera.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\zekaThis\zekaThis.exe
R3 - URLSearchHook: radiostanica Toolbar - {a10dc0cb-728f-456b-90f9-7fd1351e841a} - C:\Program Files\radiostanica\tbradi.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\PROGRA~1\Skype\Phone\IEPlugin\SKYPEI~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O2 - BHO: radiostanica Toolbar - {a10dc0cb-728f-456b-90f9-7fd1351e841a} - C:\Program Files\radiostanica\tbradi.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: (no name) - {f4d74aaa-a178-4463-846b-b4bc87a024e0} - C:\WINDOWS\System32\ixt0.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: radiostanica Toolbar - {a10dc0cb-728f-456b-90f9-7fd1351e841a} - C:\Program Files\radiostanica\tbradi.dll
O4 - HKLM\..\Run: [Babylon Client] C:\Program Files\Babylon\Babylon-Pro\Babylon.exe -AutoStart
O4 - HKLM\..\Run: [DU Meter] C:\Program Files\DU Meter\DUMeter.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0\bin\jusched.exe"
O4 - HKLM\..\Run: [KAVWks50] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 5.0 for Windows Workstations\kav.exe" /minimize /chkas
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [eMuleAutoStart] C:\Program Files\eMule\emule.exe -AutoStart
O8 - Extra context menu item: E&xport to Microsoft Excel - [Link visible only to logged-in users]\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Translate with &Babylon - [Link visible only to logged-in users]\Program Files\Babylon\Babylon-Pro\Utils\BabylonIEPI.dll/Translate.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\npjpi160.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\npjpi160.dll
O9 - Extra button: Skype add-on - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\PROGRA~1\Skype\Phone\IEPlugin\SKYPEI~1.DLL
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - [Link visible only to logged-in users]
O16 - DPF: {78AF2F24-A9C3-11D3-BF8C-0060B0FCC122} (AcDcToday Control) - [Link visible only to logged-in users]\Program Files\MDT6\AcDcToday.ocx
O16 - DPF: {AE563720-B4F5-11D4-A415-00108302FDFD} (NOXLATE-BANR) - [Link visible only to logged-in users]\Program Files\MDT6\InstBanr.ocx
O16 - DPF: {C6637286-300D-11D4-AE0A-0010830243BD} (InstaFred) - [Link visible only to logged-in users]\Program Files\MDT6\InstFred.ocx
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - [Link visible only to logged-in users]
O16 - DPF: {F281A59C-7B65-11D3-8617-0010830243BD} (AcPreview Control) - [Link visible only to logged-in users]\Program Files\MDT6\AcPreview.ocx
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O23 - Service: Backbone Service (BBDemon) - Unknown owner - C:\Program Files\Dassault Systemes\B17\intel_a\code\bin\CATSysDemon.exe" -service (file missing)
O23 - Service: Folder Size (FolderSize) - Brio - C:\Program Files\FolderSize\FolderSizeSvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Kaspersky Anti-Virus Service (kavsvc) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 5.0 for Windows Workstations\kavsvc.exe
O23 - Service: Macromedia Updater (mmupdate) - Unknown owner - C:\WINDOWS\TEMP\2CB.tmp".exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
Now I'll get to Gmer too...
Update: 07 Mar 2007 10:51
I see that Ewido deleted it, but it's still there in the HijackThis log...?
Posted: 07 Mar 2007 11:20
- bobby
- Administrator
- Joined: 04 Sep 2003
- Posts: 24135
- Location: Wien
In the HJT log only the line remains, which currently says that the file no longer exists.
Tick the boxes in front of the following lines in HJT:
O2 - BHO: (no name) - {f4d74aaa-a178-4463-846b-b4bc87a024e0} - C:\WINDOWS\System32\ixt0.dll (file missing)
O23 - Service: Macromedia Updater (mmupdate) - Unknown owner - C:\WINDOWS\TEMP\2CB.tmp".exe (file missing)
Click Fix Checked.
If the lines appear again after the next restart, then it means we missed something. If they don't appear, then that should mean the problem is solved.
The Gmer log isn't needed if the lines don't appear again after the restart.
Let me know what happened and how after the restart, so that after that I can also give you a few instructions for the very end, so this same infection doesn't happen again.
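To make the "did the lines come back after the restart" check mechanical, here is an added example (not a HijackThis feature and not from this thread's participants) that compares the lines you fixed against a fresh log. It normalizes away the "(file missing)" suffix, because, as the logs above show, HJT prints the same BHO with and without it depending on whether the DLL is on disk, so a plain string comparison would miss the CLSID coming back. Both logs and the fixed-line list are constructed from lines quoted above, and the "example.exe" autostart is invented to stand for a new entry.

```python
"""Did the lines you fixed in HijackThis come back after the reboot?

Added example for this thread, not a HijackThis feature. The thread shows the
same BHO printed once with its DLL path and once with "(file missing)"
appended, so lines are normalized before comparing. The two logs and the list
of fixed lines are constructed from lines quoted above; the 'example.exe'
autostart is invented to stand for a new entry.
"""
import re
from typing import List, Set

ENTRY = re.compile(r"^[RFNO]\d+ - ")
TAIL = re.compile(r"\s*\((?:file missing|no file)\)\s*$", re.IGNORECASE)


def normalize(line: str) -> str:
    """Canonical form: strip the '(file missing)'/'(no file)' tail and case-fold."""
    return TAIL.sub("", line.strip()).lower()


def hjt_entries(log_text: str) -> Set[str]:
    """Normalized set of the R*/F*/N*/O* entries in a log."""
    return {normalize(l) for l in log_text.splitlines() if ENTRY.match(l.strip())}


def reappeared(fixed_lines: List[str], log_after: str) -> List[str]:
    """Fixed lines still (or again) present in the post-reboot log."""
    after = hjt_entries(log_after)
    return [l for l in fixed_lines if normalize(l) in after]


def new_since(log_before: str, log_after: str) -> List[str]:
    """Entries present after the reboot that were not in the earlier log."""
    return sorted(hjt_entries(log_after) - hjt_entries(log_before))


# The two lines ticked for Fix Checked, as quoted in the thread.
FIXED = [
    r"O2 - BHO: (no name) - {f4d74aaa-a178-4463-846b-b4bc87a024e0} - C:\WINDOWS\System32\ixt0.dll (file missing)",
    r'O23 - Service: Macromedia Updater (mmupdate) - Unknown owner - C:\WINDOWS\TEMP\2CB.tmp".exe (file missing)',
]

# Constructed excerpt of the log taken before the fix.
LOG_BEFORE = r"""
O2 - BHO: (no name) - {f4d74aaa-a178-4463-846b-b4bc87a024e0} - C:\WINDOWS\System32\ixt0.dll (file missing)
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O23 - Service: Macromedia Updater (mmupdate) - Unknown owner - C:\WINDOWS\TEMP\2CB.tmp".exe (file missing)
"""

# Constructed post-reboot log: the BHO is back with the DLL present, the
# service is gone, and one autostart has appeared that was not there before.
LOG_AFTER = r"""
O2 - BHO: (no name) - {f4d74aaa-a178-4463-846b-b4bc87a024e0} - C:\WINDOWS\System32\ixt0.dll
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKLM\..\Run: [example] C:\WINDOWS\System32\example.exe
"""

if __name__ == "__main__":
    print("came back:", reappeared(FIXED, LOG_AFTER))
    print("new since last log:", new_since(LOG_BEFORE, LOG_AFTER))
```

Paste the real logs into LOG_BEFORE and LOG_AFTER and the list of ticked lines into FIXED. Anything reported by reappeared() means the fix did not hold, and anything reported by new_since() is an autostart that appeared between the two logs, which is where to look for whatever is re-creating the entries.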