Logfile of HijackThis v1.99.1

2

Logfile of HijackThis v1.99.1

offline
  • Pridružio: 11 Jul 2007
  • Poruke: 22

"sanja" - 2007-07-18 22:03:09 - ComboFix 07-07-17.8 - Service Pack 2 NTFS


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\DOCUME~1\sanja\APPLIC~1.\PCTurbo Pro Free
C:\DOCUME~1\sanja\APPLIC~1.\PCTurbo Pro Free\Logs\update.log
C:\DOCUME~1\sanja\APPLIC~1\Install.dat
C:\Program Files\Common Files\microsoft shared\web folders\ibm00001.dll
C:\Program Files\Common Files\microsoft shared\web folders\ibm00002.dll
C:\Program Files\Hotbar
C:\WINDOWS\hosts
C:\WINDOWS\system32\cfx32.ocx
C:\WINDOWS\system32\vx.tll


((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))


-------\LEGACY_GB
-------\LEGACY_LDRSVC
-------\gb


((((((((((((((((((((((((( Files Created from 2007-06-18 to 2007-07-18 )))))))))))))))))))))))))))))))


2007-07-18 21:59 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-07-12 16:22 <DIR> d-------- C:\DOCUME~1\sanja\APPLIC~1\Talkback
2007-07-12 16:21 0 --a------ C:\WINDOWS\nsreg.dat
2007-07-12 16:21 <DIR> d-------- C:\DOCUME~1\sanja\APPLIC~1\Thunderbird
2007-07-12 16:20 <DIR> d-------- C:\Program Files\Mozilla Thunderbird
2007-07-11 23:02 552 --a------ C:\WINDOWS\system32\d3d8caps.dat
2007-07-11 14:54 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Yahoo! Companion
2007-07-09 16:29 <DIR> d-------- C:\Program Files\Trend Micro
2007-07-08 16:45 4,212 ---h----- C:\WINDOWS\system32\zllictbl.dat
2007-07-08 16:44 <DIR> d-------- C:\WINDOWS\system32\ZoneLabs
2007-07-08 16:42 <DIR> d-------- C:\WINDOWS\Internet Logs
2007-06-29 21:47 <DIR> d---s---- C:\DOCUME~1\sanja\UserData
2007-06-26 17:25 <DIR> d-------- C:\Program Files\Kazaa
2007-06-25 15:20 <DIR> d-------- C:\DOCUME~1\sanja\APPLIC~1\SumatraPDF
2007-06-21 17:05 <DIR> d-------- C:\Program Files\FTP Explorer


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-07-18 20:06:55 -------- d-----w C:\Program Files\FlashGet
2007-07-18 16:17:59 -------- d-----w C:\DOCUME~1\sanja\APPLIC~1\Wildfire
2007-07-06 17:14:34 10,856 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys
2007-07-05 11:16:36 -------- d-----w C:\Program Files\Common Files\WinFixer 2006
2007-06-29 15:12:17 -------- d-----w C:\DOCUME~1\sanja\APPLIC~1\MSN6
2007-06-18 14:18:20 -------- d-----w C:\DOCUME~1\sanja\APPLIC~1\Offline Explorer
2007-05-20 15:36:07 -------- d-----w C:\Program Files\KaraFun
2007-05-06 13:28:40 47 ----a-w C:\WINDOWS\popcinfo.dat
2007-05-04 12:17:29 45,056 ----a-w C:\WINDOWS\NCUNINST.EXE
2007-04-30 15:46:10 745,600 ----a-w C:\WINDOWS\system32\aswBoot.exe
2007-04-30 15:35:28 95,872 ----a-w C:\WINDOWS\system32\AVASTSS.scr
2006-09-09 07:44:22 0 ----a-w C:\Program Files\acs1.tmp
2005-01-26 19:54:34 312,832 ----a-w C:\Program Files\gosing.exe
1998-04-26 23:00:00 570,128 ----a-w C:\Program Files\DAO350.DLL
2006-02-18 13:06:07 56 --sh--r C:\WINDOWS\system32\4DF02F4AE6.sys


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{02478D38-C3F9-4EFB-9B51-7695ECA05670}]
2006-10-26 10:28 440384 --a------ C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}]
2005-05-31 01:04 853672 --a------ C:\PROGRA~1\SPYBOT~1\SDHelper.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A5366673-E8CA-11D3-9CD9-0090271D075B}]
2002-01-16 20:12 65536 --a------ C:\PROGRA~1\FlashGet\jccatch.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE" [2004-07-01 12:23 C:\WINDOWS\SOUNDMAN.EXE]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-04-30 17:42]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2006-03-22 23:39]
"Zone Labs Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2004-07-26 05:21]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2004-07-01 10:12]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 01:56]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 18:24]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CARPService]
carpserv.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Dancer]
"C:\Program Files\Microsoft Plus! Dancer LE\DncLE.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Explorer32]
C:\WINDOWS\system32\efsdfgxg.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"C:\Program Files\Messenger\msmsgs.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\System]
C:\WINDOWS\system32\kernels32.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updatedrweb_nt]
C:\WINDOWS\system32\updatedrweb_nt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Walser]
C:\Program Files\Draxysoft\Wallpaper Sequencer\Walser.exe start

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows installer]
C:\winstall.exe
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost - netsvcs
UxTuneUp


Contents of the 'Scheduled Tasks' folder
2007-07-13 15:21:29 C:\WINDOWS\tasks\1-Click Maintenance.job

**************************************************************************

catchme 0.3.1040 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, gmer.net
Rootkit scan 2007-07-18 22:09:26
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden registry entries ...

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{56CA5D3B-3002-4E7B-90FE-071D8FDF3814}]
"DisplayName"="DAEMON Tools"

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-07-18 22:13:30 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-07-18 22:12

--- E O F ---


Nadam se da sam uradila kako treba, i da je sve po uputstvu.

offline
  • Pridružio: 04 Sep 2003
  • Poruke: 24135
  • Gde živiš: Wien

Startuj ponovo Catchme, klikni na tab Script i tamo iskopiraj sledeci tekst:
files:
C:\WINDOWS\system32\KGyGaAvL.sys
C:\WINDOWS\popcinfo.dat
C:\WINDOWS\NCUNINST.EXE
C:\Program Files\acs1.tmp
C:\Program Files\gosing.exe
C:\Program Files\DAO350.DLL
C:\WINDOWS\system32\4DF02F4AE6.sys
C:\Program Files\Common Files\microsoft shared\web folders\ibm00001.dll
C:\Program Files\Common Files\microsoft shared\web folders\ibm00002.dll
C:\WINDOWS\system32\cfx32.ocx
C:\WINDOWS\system32\vx.tll
C:\WINDOWS\system32\efsdfgxg.exe

i klikni na Run
Kada catchme zavrsi na desktopu ces naci catchme.zip.
Uploaduj taj zip preko http://www.mycity.rs/ambulanta-upload.php

Zelim da proverim te fajlove, ali sam vise nego siguran da je racunar inficiran sa vise infekcija.
Ako ti nije problem skidanje 8mb, onda bih preporucio jedno skeniranje uz pomoc Ewido Micro, pa da se onda pozabavimo onim sto on ne uspe da pocisti

http://downloads.ewido.net/ewido_micro.exe

Kako se radi sa Ewido micro:
- na prvom ekranu odaberi sve particije (štikliraj polja ispred njih)
- klikni na dugme Start Scan
- nakon završenog skeniranja klikni na Save Report i snimi log fajl na sigurno mesto
- klikni na Remove Infections
- iskopiraj nam ovde sadržaj log fajla koji je malopre snimljen

Nakon skeniranja sa Ewidom i postavljanja log fajla, postavi nam i svez log programa HijackThis.

offline
  • Pridružio: 11 Jul 2007
  • Poruke: 22

Prvi dio zadatka odradila i dobila catchme.zip.

pokusala da posaljem , ali.....ja stvarno neznam kako se uploaduje(mozda sam nesto i poslala)

offline
  • Pridružio: 04 Sep 2003
  • Poruke: 24135
  • Gde živiš: Wien

Otvoris sledecu stranicu:
http://www.mycity.rs/ambulanta-upload.php

Kliknes na Browse i onda ti se pojavi onaj poznati dijalog za biranje fajla. Tu odaberes catchme.zip i kliknes na Open

Sada ce da te vrati na onu prethodnu stranicu, s tim sto ce ono polje biti popunjeno putanjom do tvog fajla.
Sada kliknes Upload! i sacekas sve dok se ne pojavi poruka da je fajl uspesno uploadovan. U zavisnosti od velicine fajla, mozda i potraje koji minut dok se ta poruka o uspesnom uploadu pojavi.

offline
  • Pridružio: 11 Jul 2007
  • Poruke: 22

uspjesno(nadam se) odradila , bar je tako pisalo.

offline
  • Pridružio: 04 Sep 2003
  • Poruke: 24135
  • Gde živiš: Wien

Ti je si uspesno poslala fajl, ali Catchme nije odradio svoj deo posla...
Sad sam ja zbunjen, tj. ne mogu odmah da te posavetujem sta dalje da uradis, trebace mi malo vremena.

Ako imas brz net, mozes da probas jedno skeniranje OnLine verzijom BitDefendera:
http://www.bitdefender.com/scan8/ie.html

Skeniranje je potrebno obaviti iz Internet Explorera sa ukljucenim ActiveX, tj. treba dozvoliti instalaciju ActiveX komponente kada to bude zatrazeno.
Kada zavrsi skeniranje, iskopiraj nam ovde log koji bude napravio.

offline
  • Pridružio: 11 Jul 2007
  • Poruke: 22

__________________________________________________
ewido anti-spyware online scanner
http://www.ewido.net
__________________________________________________


Name: TrackingCookie.Netflame
Path: C:\Documents and Settings\sanja\Cookies\sanja@ssl-hints.netflame[2].txt
Risk: Medium

Name: Adware.Minibug
Path: C:\Program Files\Common Files\Real\WeatherBug\MiniBugTransporter.dll
Risk: Medium

Name: Adware.Cydoor
Path: C:\WINDOWS\system32\AdCache
Risk: Medium



Logfile of HijackThis v1.99.1
Scan saved at 16:36:46, on 21.07.07
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\FlashGet\flashget.exe
C:\Documents and Settings\sanja\Desktop\TR3.exe.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = us.rd.yahoo.com/customize/ie/defaults/sb/msgr7/*http://www.yahoo.com/ext/search/search.html
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: IeCatch2 Class - {A5366673-E8CA-11D3-9CD9-0090271D075B} - C:\PROGRA~1\FlashGet\jccatch.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O8 - Extra context menu item: + Offline &Explorer: Download the link - file://C:\Program Files\Offline Explorer Pro\Add_UrlO.htm
O8 - Extra context menu item: + Offline E&xplorer: Download the current page - file://C:\Program Files\Offline Explorer Pro\Add_AllO.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Preuzmi sa FlashGet-om - C:\PROGRA~1\FlashGet\jc_link.htm
O8 - Extra context menu item: Preuzmi sve sa FlashGet-om - C:\PROGRA~1\FlashGet\jc_all.htm
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Istraživanje - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: ShopperReports - Compare travel rates - {946B3E9E-E21A-49c8-9F63-900533FAFE15} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .kar: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin2.dll
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - download.bitdefender.com/resources/scan8/oscan8.cab
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\system32\ZoneLabs\vsmon.exe


skeniranje sa BitDefenderom mi nije uspjelo, neznam iz kog razloga, jednostavno me "baci" na desktop i kao da nista nisam radila.To mi se desilo sinoc dva puta, i danas sam pokusala ali bez uspjeha.Pozdrav

offline
  • Pridružio: 04 Sep 2003
  • Poruke: 24135
  • Gde živiš: Wien

Pogledaj da li imas sledece foldere na racunaru:
c:\program files\shopperreports\
c:\documents and settings\administrator\application data\shopperreports\

Za drugi folder, umesto administrator moze biti i folder sa imenom korisnika.

Ukoliko ti folderi postoje, obrisi ih.

offline
  • Pridružio: 11 Jul 2007
  • Poruke: 22

Pregledala sam i nista slicno ne postoji.

offline
  • Pridružio: 04 Sep 2003
  • Poruke: 24135
  • Gde živiš: Wien

Spakuj mi folder c:\qoobox\ u jedan ZIP i uploaduj mi ga preko sledece forme:
http://www.mycity.rs/ambulanta-upload.php

Zelim da proverim fajlove iz tog foldera pre nego sto ti kazem da li da ih brises ili ne.

Pretpostavljam da ti antivirus vise ne prijavljuje Sinowal virus sada?

Jedino sto ne mogu da ti otklonim je ShopperReports iz Internet Explorera.
Dolazi u vidu toolbara i dodatne opcije u meniju koji se dobija kada na sajtovima kliknes desno dugme.
U sustini nije nista opasno, ali sam imao zelju da ti sklonim to cudo posto mi generalno sklanjamo i te opcije koje te vode na sajtovima sa reklamama.

Ko je trenutno na forumu
 

Ukupno su 603 korisnika na forumu :: 27 registrovanih, 3 sakrivenih i 573 gosta   ::   [ Administrator ] [ Supermoderator ] [ Moderator ] :: Detaljnije

Najviše korisnika na forumu ikad bilo je 3466 - dana 01 Jun 2021 17:07

Korisnici koji su trenutno na forumu:
Korisnici trenutno na forumu: AF-1, amaterSRB, amstel, Bane san, bankulen, comi991, Despot1, Fog of War, Georgius, Insan, Japidson, Korisnik038, Krusarac, kybonacci, LUDI, Mali Veseljak, mk, mrkanidja, mushroom, nemkea71, Ognjen D., PRIVATE RYAN, Raptor1, raskoljnikov, Recce, Tenk, wolf431