I'd like a check, please

  • Joined: 07 Aug 2006
  • Posts: 1182
  • Location: Fili Davydkovo, Moscow, Russia

because something strange is happening: whenever I click on a link, another tab opens with the link

http://tende.biz/ctrl/l2.php

(I don't know why or how, so this is purely as a precaution)

IceSword doesn't show me anything


Logfile of HijackThis v1.99.1
Scan saved at 12:16:15, on 01.03.2007
Platform: Windows 2003 SP1 (WinNT 5.02.3790)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)

Running processes:
E:\WINDOWS\System32\smss.exe
E:\WINDOWS\system32\winlogon.exe
E:\WINDOWS\system32\services.exe
E:\WINDOWS\system32\lsass.exe
E:\WINDOWS\system32\svchost.exe
G:\Program Files\Sygate\SPF\smc.exe
E:\WINDOWS\System32\svchost.exe
E:\WINDOWS\system32\spoolsv.exe
E:\Program Files\Bandwidth Controller Enterprise Server\bcserver.service
E:\Program Files\Bandwidth Controller Enterprise Server\bcserver.service
E:\Program Files\CCProxy\CCProxy.exe
E:\WINDOWS\system32\Dfssvc.exe
E:\WINDOWS\System32\dns.exe
E:\WINDOWS\System32\svchost.exe
E:\WINDOWS\system32\GPMON\GPMonSrv.exe
E:\WINDOWS\system32\inetsrv\inetinfo.exe
E:\WINDOWS\System32\ismserv.exe
E:\WINDOWS\system32\tcpsvcs.exe
E:\WINDOWS\system32\sfmsvc.exe
E:\WINDOWS\system32\sfmprint.exe
E:\Program Files\Eset\nod32krn.exe
E:\WINDOWS\system32\ntfrs.exe
E:\WINDOWS\System32\snmp.exe
E:\WINDOWS\system32\svchost.exe
E:\WINDOWS\system32\nfsclnt.exe
E:\WINDOWS\system32\Dfsr.exe
E:\WINDOWS\system32\nfssvc.exe
E:\WINDOWS\System32\svchost.exe
E:\WINDOWS\System32\svchost.exe
E:\WINDOWS\System32\svchost.exe
E:\WINDOWS\explorer.exe
E:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\cryptfg.exe
E:\WINDOWS\RTHDCPL.EXE
E:\Program Files\Eset\nod32kui.exe
E:\WINDOWS\system32\ctfmon.exe
E:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
E:\Documents and Settings\Administrator\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://shdoclc.dll/hardAdmin.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://shdoclc.dll/hardAdmin.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 10.10.0.1:808
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - E:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
F2 - REG:system.ini: Shell=explorer.exe E:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\cryptfg.exe
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - E:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - E:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - E:\Program Files\Yahoo!\Common\yiesrvc.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - E:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE E:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE E:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [CorelDRAW Graphics Suite 11b] G:\Program Files\Corel\Corel Graphics 12\Languages\EN\Programs\Registration.exe /title="CorelDRAW Graphics Suite 12" /date=031307 serial=DR12WRZ-6976472-eud lang=EN
O4 - HKLM\..\Run: [SmcService] G:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [nod32kui] "E:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKCU\..\Run: [ctfmon.exe] E:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: &Yahoo! Search - file:///E:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://G:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///E:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///E:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///E:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - E:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - G:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - E:\Program Files\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - E:\Program Files\ICQLite\ICQLite.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - E:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = austrubau.zil
O17 - HKLM\Software\..\Telephony: DomainName = austrubau.zil
O17 - HKLM\System\CCS\Services\Tcpip\..\{97132DA1-3897-4D13-9EBC-0773E79CE49B}: NameServer = 80.93.96.227,80.93.101.1
O17 - HKLM\System\CCS\Services\Tcpip\..\{B4D1A3B2-B90D-410E-B603-86A8414A09E4}: NameServer = 10.10.0.1
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = austrubau.zil
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = austrubau.zil
O20 - Winlogon Notify: dimsntfy - E:\WINDOWS\SYSTEM32\dimsntfy.dll
O23 - Service: Autodesk Licensing Service - Autodesk - E:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: Bandwidth Controller Server (bcserver) - Unknown owner - E:\Program.exe (file missing)
O23 - Service: CCProxy - Unknown owner - E:\Program Files\CCProxy\CCProxy.exe" -service (file missing)
O23 - Service: Group Policy Monitor (GPMON_SRV) - Unknown owner - E:\WINDOWS\system32\GPMON\GPMonSrv.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - E:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - E:\Program Files\Eset\nod32krn.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - E:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Sygate Personal Firewall Pro (SmcService) - Sygate Technologies, Inc. - G:\Program Files\Sygate\SPF\smc.exe

Update: 01 Mar 2007 14:05

F2 - REG:system.ini: Shell=explorer.exe E:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\cryptfg.exe


When I killed this process everything was normal... what is this?

  • Joined: 04 Sep 2003
  • Posts: 24135
  • Location: Wien

That file was definitely dropped in from outside (adware).
Can you upload it to http://www.mycity.rs/ambulanta-upload.php
It looks like you've caught something new, since Google finds nothing about it.

See whether, after a restart, some process started from the Temp folder shows up again.

Also go over the computer and see how many copies of the file shdoclc.dll you have, and whether they differ in file size and date.
It is pulling that default page you see when you open IE from a strange place.

  • Joined: 07 Aug 2006
  • Posts: 1182
  • Location: Fili Davydkovo, Moscow, Russia

Shortly after I shot it down, NOD reported it as a potential virus, so it disappeared from the computer; only a bit later did I remember that I could have sent it in, since I hadn't found it on Google... I'll look at this now, I'm really sorry about this new one...

Update: 01 Mar 2007 14:43

Looks like everything is fine there; there are 2 of them, one is from XP, the other from Win2003...

Update: 01 Mar 2007 14:51

Looks like everything is OK; what should I do with the lines that say file missing?

  • Joined: 04 Sep 2003
  • Posts: 24135
  • Location: Wien

Also check whether E:\Program.exe exists.

For the rest of the log we'll need a bit more time, since none of us knows the processes on Win 2003 that well.

  • Joined: 07 Aug 2006
  • Posts: 1182
  • Location: Fili Davydkovo, Moscow, Russia

It doesn't exist; it says file missing for me too... what should I do with those lines?

  • Joined: 04 Sep 2003
  • Posts: 24135
  • Location: Wien

I know the log says file missing, but that doesn't mean the file really doesn't exist on the disk, which is why I asked you to check.

You haven't answered me: did the infection come back after the restart?

  • Joined: 07 Aug 2006
  • Posts: 1182
  • Location: Fili Davydkovo, Moscow, Russia

I wrote above that everything is OK, meaning the infection didn't come back, and program.exe doesn't exist.... (2 of my posts above)...

  • Joined: 04 Sep 2003
  • Posts: 24135
  • Location: Wien

F2 - REG:system.ini: Shell=explorer.exe E:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\cryptfg.exe

Fix this line with HJT; the other lines are neither important nor harmful.
If you know a good registry-cleaning tool for Win2k3, you can try to fix those "file missing" lines with it.
We don't touch the lines of legitimate programs in HJT when it says "file missing" in O20 and O23 lines.
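The moderator's triage above boils down to three checks on the HijackThis log: a process running out of a Temp folder, an F2 Shell= value that carries anything besides explorer.exe (the Winlogon shell persistence used by cryptfg.exe here), and O23 service lines marked "(file missing)" that should be confirmed on disk rather than deleted blindly. The script below is an added example, not something from the thread or from HijackThis itself; it runs those checks over a constructed excerpt in HJT 1.99.1 format modelled on the poster's log.

```python
import re

# Constructed sample in HijackThis 1.99.1 format, modelled on the lines the thread
# discusses (hypothetical excerpt, not the poster's full log).
SAMPLE_LOG = """\
Running processes:
E:\\WINDOWS\\explorer.exe
E:\\DOCUME~1\\ADMINI~1\\LOCALS~1\\Temp\\cryptfg.exe
E:\\Program Files\\Eset\\nod32kui.exe

F2 - REG:system.ini: Shell=explorer.exe E:\\DOCUME~1\\ADMINI~1\\LOCALS~1\\Temp\\cryptfg.exe
O4 - HKLM\\..\\Run: [nod32kui] "E:\\Program Files\\Eset\\nod32kui.exe" /WAITSERVICE
O23 - Service: Bandwidth Controller Server (bcserver) - Unknown owner - E:\\Program.exe (file missing)
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - E:\\Program Files\\Eset\\nod32krn.exe
"""

TEMP_RE = re.compile(r"\\Temp\\", re.IGNORECASE)  # any path under a ...\Temp\ folder
SHELL_RE = re.compile(r"^F2 - REG:system\.ini: Shell=(.+)$")
MISSING_RE = re.compile(r"^O23 - Service: (.+?) - (.+?) - (.+?) \(file missing\)$")

def running_processes(log):
    """Return the paths listed under 'Running processes:' (up to the blank line)."""
    procs, inside = [], False
    for line in log.splitlines():
        if line.strip() == "Running processes:":
            inside = True
        elif inside and not line.strip():
            break
        elif inside:
            procs.append(line.strip())
    return procs

def find_temp_processes(log):
    """Processes started from a Temp folder, which the thread treats as suspect."""
    return [p for p in running_processes(log) if TEMP_RE.search(p)]

def find_shell_extras(log):
    """Anything in the Winlogon Shell value besides explorer.exe (the Windows default).
    The sample uses 8.3 short paths, so splitting on whitespace is safe here."""
    extras = []
    for line in log.splitlines():
        m = SHELL_RE.match(line)
        if m:
            extras += [t for t in m.group(1).split() if t.lower() != "explorer.exe"]
    return extras

def find_missing_services(log):
    """(service name, image path) for O23 lines whose image HijackThis could not find.
    These are stale registrations to confirm on disk, not automatic removals."""
    return [(m.group(1), m.group(3)) for m in map(MISSING_RE.match, log.splitlines()) if m]

if __name__ == "__main__":
    print("Temp processes:", find_temp_processes(SAMPLE_LOG))
    print("Extra Shell entries:", find_shell_extras(SAMPLE_LOG))
    print("Services with missing image:", find_missing_services(SAMPLE_LOG))
```

A Shell value with full long paths containing spaces would need quote-aware splitting; the whitespace split is enough for the 8.3 paths HijackThis reported here.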

  • Joined: 07 Aug 2006
  • Posts: 1182
  • Location: Fili Davydkovo, Moscow, Russia

All sorted... thx... close it
