Pokupio sam neku zarazu!!!

1

Pokupio sam neku zarazu!!!

offline
  • Pridružio: 15 Feb 2007
  • Poruke: 443

Instalirao sam neke glupe vinkove i smajlije za MSN i popasao neku zarazu. Nod32 3.0,551 ne nalazi ništa, ali mi u IE stalno iskaču neki prozori kako mi je komp zaražen i nudi mi da skidam neke glupe anti-trojan, anti-spayware i anti-virus programe. Evo i loga

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:07:08, on 28.11.2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ATKKBService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\ESET\ESET Smart Security\ekrn.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Common Files\Protexis\License Service\PSIService.exe
C:\Program Files\CyberLink\Shared files\RichVideo.exe
C:\WINDOWS\system32\mqsvc.exe
C:\Program Files\Video Add-on\icthis.exe
C:\Program Files\Video Add-on\isfmntr.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Video Add-on\icmntr.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Video Add-on\isfmm.exe
C:\Program Files\ESET\ESET Smart Security\egui.exe
C:\WINDOWS\autoclk.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\POP Peeper\POPPeeper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\mqtgsvc.exe
C:\Program Files\ASUS USB ADSL Modem\ASUS USB ADSL Modem\dslmon.exe
C:\Program Files\VIA\RAID\raid_tool.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - URLSearchHook: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: ActivationManager Class - {86A44EF7-78FC-4e18-A564-B18F806F7F56} - C:\Program Files\ActivationManager\ActivationManager.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (no name) - {E8249E69-A809-4544-832F-64EB65747A92} - C:\Program Files\Video Add-on\isfmdl.dll
O3 - Toolbar: IE Custom Tools - {EFAF6EA3-615D-4F83-8748-2F7A576FCEA6} - C:\Program Files\Video Add-on\ictmdl.dll
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [MsmqIntCert] regsvr32 /s mqrt.dll
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET Smart Security\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [autoclk] autoclk.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKCU\..\Run: [POP Peeper] "C:\Program Files\POP Peeper\POPPeeper.exe" -min
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKLM\..\Policies\Explorer\Run: [some] C:\Program Files\Video Add-on\icthis.exe
O4 - HKLM\..\Policies\Explorer\Run: [start] C:\Program Files\Video Add-on\isfmntr.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: DSLMON.lnk = ?
O4 - Global Startup: VIA RAID TOOL.lnk = C:\Program Files\VIA\RAID\raid_tool.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: (no name) - {9034A523-D068-4BE8-A284-9DF278BE776E} - http://www.topsoftwarefeed.com/redirect.php (file missing)
O9 - Extra 'Tools' menuitem: IE Anti-Spyware - {9034A523-D068-4BE8-A284-9DF278BE776E} - http://www.topsoftwarefeed.com/redirect.php (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://a1540.g.akamai.net/7/1540/52/20070711/qtins.....plugin.cab
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=58813
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O20 - Winlogon Notify: winjyg32 - C:\WINDOWS\SYSTEM32\winjyg32.dll
O21 - SSODL: E404Helper - {4f817334-e39b-44cf-a958-9d96ad57864f} - e404d.dll (file missing)
O22 - SharedTaskScheduler: aldoa - {adf64b1b-c68c-4ce8-bb55-258b7b8b0f81} - (no file)
O22 - SharedTaskScheduler: arsenicism - {075a465d-0af2-4b79-8db3-2fda0fd8d74c} - (no file)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATK Keyboard Service (ATKKeyboardService) - ASUSTeK COMPUTER INC. - C:\WINDOWS\ATKKBService.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Eset HTTP Server (EhttpSrv) - Unknown owner - C:\Program Files\ESET\ESET Smart Security\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET Smart Security\ekrn.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: lmab_device - Unknown owner - C:\WINDOWS\system32\LMabcoms.exe
O23 - Service: ProtexisLicensing - Unknown owner - C:\Program Files\Common Files\Protexis\License Service\PSIService.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared files\RichVideo.exe

--
End of file - 7420 bytes

offline
  • dr_Bora  Male
  • Anti Malware Fighter
    Rank 2
  • Pridružio: 24 Jul 2007
  • Poruke: 12280
  • Gde živiš: Höganäs, SE

Pozdrav...


Upakuj sledeće file-ove u jedan zip:

C:\WINDOWS\autoclk.exe
C:\WINDOWS\SYSTEM32\winjyg32.dll

i uploaduj ga preko sledeće forme: http://www.mycity.rs/ambulanta-upload.php

-------------------------------------------------------------------------------------

Preimenuj file programa HijackThis i folder u kome se nalazi pre dalje upotrebe.


1) Preuzmi program SmitfraudFix sa ovog linka.

2.) Extract-uj program na desktop. (Takodje na ovaj način pripremi i program Hijack This koje će se kasnije koristiti)

3.) Restartuj računar i podigni sistem u Safe Mode-u. [ Safe Mode info link

4.) Pronadji na desktop-u folder gde si raspakovao SmitfraudFix program i dvoklikom pokreni fajl SmitfraudFix.cmd.
Kada se alat za uklanjanje prvi put startuje pokazaće ti se ekran za odobrenje. Jednostavno pretisni bilo koje dugme na tastaturi da bi prešao na sledeći nivo.

5.)



6.) Program će početi sa čišćenjem kompjutera. Posle završenog čišćenja SmitfraudFix-om
pokrenuće ti se Windows-ov program Disk Cleanup.



Nakon sto SmitFraudFix zavrsi svoj posao, postavi nam ovde log koji se nalazi na C:\rapport.txt i svez HJT log.

offline
  • Pridružio: 15 Feb 2007
  • Poruke: 443

Prvi fajl sam poslao, drzgog nema ni kada uključim prikaz skrivenih fajlova i fascikli.
HJT sam preimenovao, ali je ova nova verzija instalirana kao program u Program Files, pa je možda tu problem.

SmitFraudFix v2.256

Scan done at 13:29:28,64, sre 28.11.2007
Run from C:\Documents and Settings\korisnik\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in safe mode

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{adf64b1b-c68c-4ce8-bb55-258b7b8b0f81}"="aldoa"


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{075a465d-0af2-4b79-8db3-2fda0fd8d74c}"="arsenicism"


»»»»»»»»»»»»»»»»»»»»»»»» Killing process


»»»»»»»»»»»»»»»»»»»»»»»» hosts


127.0.0.1 localhost
127.0.0.1 Web2Pop

»»»»»»»»»»»»»»»»»»»»»»»» Winsock2 Fix

S!Ri's WS2Fix: LSP not Found.


»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

GenericRenosFix by S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files

C:\DOCUME~1\korisnik\FAVORI~1\Online Security Test.url Deleted
C:\Program Files\Video Add-on\ Deleted

»»»»»»»»»»»»»»»»»»»»»»»» DNS



»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""


»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

Registry Cleaning done.

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{075a465d-0af2-4b79-8db3-2fda0fd8d74c}"="arsenicism"



»»»»»»»»»»»»»»»»»»»»»»»» End



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 13:35:59, on 28.11.2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\ATKKBService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\ESET\ESET Smart Security\ekrn.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Common Files\Protexis\License Service\PSIService.exe
C:\Program Files\CyberLink\Shared files\RichVideo.exe
C:\WINDOWS\system32\mqsvc.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\ESET\ESET Smart Security\egui.exe
C:\WINDOWS\autoclk.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\POP Peeper\POPPeeper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\mqtgsvc.exe
C:\Program Files\ASUS USB ADSL Modem\ASUS USB ADSL Modem\dslmon.exe
C:\Program Files\VIA\RAID\raid_tool.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Opera\Opera.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Reši ovo\HijackThis.exe

R3 - URLSearchHook: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: ActivationManager Class - {86A44EF7-78FC-4e18-A564-B18F806F7F56} - C:\Program Files\ActivationManager\ActivationManager.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (no name) - {E8249E69-A809-4544-832F-64EB65747A92} - C:\Program Files\Video Add-on\isfmdl.dll (file missing)
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [MsmqIntCert] regsvr32 /s mqrt.dll
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET Smart Security\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [autoclk] autoclk.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKCU\..\Run: [POP Peeper] "C:\Program Files\POP Peeper\POPPeeper.exe" -min
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: DSLMON.lnk = ?
O4 - Global Startup: VIA RAID TOOL.lnk = C:\Program Files\VIA\RAID\raid_tool.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: (no name) - {9034A523-D068-4BE8-A284-9DF278BE776E} - http://www.topsoftwarefeed.com/redirect.php (file missing)
O9 - Extra 'Tools' menuitem: IE Anti-Spyware - {9034A523-D068-4BE8-A284-9DF278BE776E} - http://www.topsoftwarefeed.com/redirect.php (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://a1540.g.akamai.net/7/1540/52/20070711/qtins.....plugin.cab
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=58813
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{7C316C31-68E5-49BD-9B6D-3B8F479592FF}: NameServer = 80.74.164.249 80.74.160.38
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O20 - Winlogon Notify: winjyg32 - C:\WINDOWS\SYSTEM32\winjyg32.dll
O21 - SSODL: E404Helper - {4f817334-e39b-44cf-a958-9d96ad57864f} - e404d.dll (file missing)
O22 - SharedTaskScheduler: arsenicism - {075a465d-0af2-4b79-8db3-2fda0fd8d74c} - (no file)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATK Keyboard Service (ATKKeyboardService) - ASUSTeK COMPUTER INC. - C:\WINDOWS\ATKKBService.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Eset HTTP Server (EhttpSrv) - Unknown owner - C:\Program Files\ESET\ESET Smart Security\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET Smart Security\ekrn.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: lmab_device - Unknown owner - C:\WINDOWS\system32\LMabcoms.exe
O23 - Service: ProtexisLicensing - Unknown owner - C:\Program Files\Common Files\Protexis\License Service\PSIService.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared files\RichVideo.exe

--
End of file - 6811 bytes

offline
  • dr_Bora  Male
  • Anti Malware Fighter
    Rank 2
  • Pridružio: 24 Jul 2007
  • Poruke: 12280
  • Gde živiš: Höganäs, SE

Pokreni HijackThis, skeniraj i čekiraj sledeće linije:

O2 - BHO: ActivationManager Class - {86A44EF7-78FC-4e18-A564-B18F806F7F56} - C:\Program Files\ActivationManager\ActivationManager.dll
O2 - BHO: (no name) - {E8249E69-A809-4544-832F-64EB65747A92} - C:\Program Files\Video Add-on\isfmdl.dll (file missing)
O4 - HKLM\..\Run: [autoclk] autoclk.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: (no name) - {9034A523-D068-4BE8-A284-9DF278BE776E} - http://www.topsoftwarefeed.com/redirect.php (file missing)
O9 - Extra 'Tools' menuitem: IE Anti-Spyware - {9034A523-D068-4BE8-A284-9DF278BE776E} - http://www.topsoftwarefeed.com/redirect.php (file missing)
O21 - SSODL: E404Helper - {4f817334-e39b-44cf-a958-9d96ad57864f} - e404d.dll (file missing)
O22 - SharedTaskScheduler: arsenicism - {075a465d-0af2-4b79-8db3-2fda0fd8d74c} - (no file)

Klikni Fix Checked.


-------------------------------------------------------------------------------------


Skini CatchMe.

Dvoklikom pokreni program i pređi na tab Script.
U (beli) prozor programa iskopiraj tekst koji se nalazi unutar kod polja:

files to kill:
C:\WINDOWS\SYSTEM32\winjyg32.dll


Klikni na taster Run.

Nakon što proces bude završen na Desktop-u će se nalaziti file catchme.zip.
Uploaduj ga preko sledeće forme: http://www.mycity.rs/ambulanta-upload.php


-------------------------------------------------------------------------------------


Pronađi i obriši:
C:\Program Files\ActivationManager\
C:\WINDOWS\autoclk.exe


-------------------------------------------------------------------------------------


Iskopiraj u iduću poruku sadržaj file-a catchme.log koji će se nalaziti na desktopu i postavi novi HijackThis log.

offline
  • Pridružio: 15 Feb 2007
  • Poruke: 443

Processing "Files to kill:"

file zipped: C:\WINDOWS\SYSTEM32\winjyg32.dll -> catchme.zip -> winjyg32.dll ( 21504 bytes )
PE file "C:\WINDOWS\SYSTEM32\winjyg32.dll" killed successfully




Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 14:31:09, on 28.11.2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\ATKKBService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\ESET\ESET Smart Security\ekrn.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Common Files\Protexis\License Service\PSIService.exe
C:\Program Files\CyberLink\Shared files\RichVideo.exe
C:\WINDOWS\system32\mqsvc.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\ESET\ESET Smart Security\egui.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\POP Peeper\POPPeeper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\mqtgsvc.exe
C:\Program Files\ASUS USB ADSL Modem\ASUS USB ADSL Modem\dslmon.exe
C:\Program Files\VIA\RAID\raid_tool.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Opera\Opera.exe
C:\Program Files\Reši ovo\HijackThis.exe

R3 - URLSearchHook: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [MsmqIntCert] regsvr32 /s mqrt.dll
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET Smart Security\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKCU\..\Run: [POP Peeper] "C:\Program Files\POP Peeper\POPPeeper.exe" -min
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: DSLMON.lnk = ?
O4 - Global Startup: VIA RAID TOOL.lnk = C:\Program Files\VIA\RAID\raid_tool.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://a1540.g.akamai.net/7/1540/52/20070711/qtins.....plugin.cab
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=58813
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{7C316C31-68E5-49BD-9B6D-3B8F479592FF}: NameServer = 80.74.164.249 80.74.160.38
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O20 - Winlogon Notify: winjyg32 - C:\WINDOWS\SYSTEM32\winjyg32.dll
O21 - SSODL: E404Helper - {4f817334-e39b-44cf-a958-9d96ad57864f} - (no file)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATK Keyboard Service (ATKKeyboardService) - ASUSTeK COMPUTER INC. - C:\WINDOWS\ATKKBService.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Eset HTTP Server (EhttpSrv) - Unknown owner - C:\Program Files\ESET\ESET Smart Security\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET Smart Security\ekrn.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: lmab_device - Unknown owner - C:\WINDOWS\system32\LMabcoms.exe
O23 - Service: ProtexisLicensing - Unknown owner - C:\Program Files\Common Files\Protexis\License Service\PSIService.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared files\RichVideo.exe

--
End of file - 5835 bytes

offline
  • dr_Bora  Male
  • Anti Malware Fighter
    Rank 2
  • Pridružio: 24 Jul 2007
  • Poruke: 12280
  • Gde živiš: Höganäs, SE

Restartuj kompjuter.

Pokreni HT, skeniraj i čekiraj sledeće linije:

O20 - Winlogon Notify: winjyg32 - C:\WINDOWS\SYSTEM32\winjyg32.dll
O21 - SSODL: E404Helper - {4f817334-e39b-44cf-a958-9d96ad57864f} - (no file)

Klikni Fix Checked.


Postavi novi HT log.

offline
  • Pridružio: 15 Feb 2007
  • Poruke: 443

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 15:22:42, on 28.11.2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\ESET\ESET Smart Security\egui.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\POP Peeper\POPPeeper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\ASUS USB ADSL Modem\ASUS USB ADSL Modem\dslmon.exe
C:\Program Files\VIA\RAID\raid_tool.exe
C:\WINDOWS\ATKKBService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\ESET\ESET Smart Security\ekrn.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Common Files\Protexis\License Service\PSIService.exe
C:\Program Files\CyberLink\Shared files\RichVideo.exe
C:\WINDOWS\system32\mqsvc.exe
C:\WINDOWS\system32\mqtgsvc.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Opera\Opera.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Reši ovo\HijackThis.exe

R3 - URLSearchHook: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [MsmqIntCert] regsvr32 /s mqrt.dll
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET Smart Security\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKCU\..\Run: [POP Peeper] "C:\Program Files\POP Peeper\POPPeeper.exe" -min
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: DSLMON.lnk = ?
O4 - Global Startup: VIA RAID TOOL.lnk = C:\Program Files\VIA\RAID\raid_tool.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://a1540.g.akamai.net/7/1540/52/20070711/qtins.....plugin.cab
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=58813
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{7C316C31-68E5-49BD-9B6D-3B8F479592FF}: NameServer = 80.74.164.249 80.74.160.38
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATK Keyboard Service (ATKKeyboardService) - ASUSTeK COMPUTER INC. - C:\WINDOWS\ATKKBService.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Eset HTTP Server (EhttpSrv) - Unknown owner - C:\Program Files\ESET\ESET Smart Security\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET Smart Security\ekrn.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: lmab_device - Unknown owner - C:\WINDOWS\system32\LMabcoms.exe
O23 - Service: ProtexisLicensing - Unknown owner - C:\Program Files\Common Files\Protexis\License Service\PSIService.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared files\RichVideo.exe

--
End of file - 5722 bytes

offline
  • dr_Bora  Male
  • Anti Malware Fighter
    Rank 2
  • Pridružio: 24 Jul 2007
  • Poruke: 12280
  • Gde živiš: Höganäs, SE

Skini ComboFix sa jedne od sledecih adresa:
http://www.techsupportforum.com/sectools/sUBs/ComboFix.exe
http://download.bleepingcomputer.com/sUBs/ComboFix.exe

Startuj ga i ne diraj prozor programa dok skenira.
Sledi uputstva na ekranu. Kada zavrsi pojavice se log koji ces nam ovde iskopirati.

offline
  • Pridružio: 15 Feb 2007
  • Poruke: 443

ComboFix 07-11-19.4C - Dejan 2007-11-28 16:20:56.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.202 [GMT 1:00]
Running from: E:\P R O G R A M I\Nenarezani programi\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\dat.txt
C:\WINDOWS\rs.txt
C:\WINDOWS\system32\bsnzafqa.bin
C:\WINDOWS\system32\cfg.dat

.
((((((((((((((((((((((((( Files Created from 2007-10-28 to 2007-11-28 )))))))))))))))))))))))))))))))
.

2007-11-28 13:35 <DIR> d-------- C:\Program Files\Reši ovo
2007-11-27 02:14 <DIR> d-------- C:\Program Files\Windows Live
2007-11-27 02:14 <DIR> d--hsc--- C:\Program Files\Common Files\WindowsLiveInstaller
2007-11-27 02:14 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\WLInstaller
2007-11-26 16:53 156,672 --a--c--- C:\WINDOWS\system32\dllcache\winzm.ime
2007-11-26 16:53 156,672 --a--c--- C:\WINDOWS\system32\dllcache\winsp.ime
2007-11-26 16:53 156,672 --a--c--- C:\WINDOWS\system32\dllcache\winpy.ime
2007-11-26 16:53 79,360 --a--c--- C:\WINDOWS\system32\dllcache\winar30.ime
2007-11-26 16:53 69,120 --a--c--- C:\WINDOWS\system32\dllcache\wingb.ime
2007-11-26 16:53 65,536 --a--c--- C:\WINDOWS\system32\dllcache\winime.ime
2007-11-26 16:53 41,600 --a--c--- C:\WINDOWS\system32\dllcache\weitekp9.dll
2007-11-26 16:53 31,232 --a--c--- C:\WINDOWS\system32\dllcache\weitekp9.sys
2007-11-26 16:53 28,288 --a--c--- C:\WINDOWS\system32\dllcache\xjis.nls
2007-11-26 16:52 15,872 --a--c--- C:\WINDOWS\system32\dllcache\padrs404.dll
2007-11-26 16:52 7,680 --a--c--- C:\WINDOWS\system32\dllcache\kbdnecnt.dll
2007-11-26 16:51 66,082 --a--c--- C:\WINDOWS\system32\dllcache\c_20290.nls
2007-11-26 16:51 54,528 --a--c--- C:\WINDOWS\system32\dllcache\cap7146.sys
2007-11-26 16:51 24,632 --a--c--- C:\WINDOWS\system32\dllcache\fpadmcgi.exe
2007-11-26 16:51 20,541 --a--c--- C:\WINDOWS\system32\dllcache\fpadmdll.dll
2007-11-26 16:50 275,968 --a--c--- C:\WINDOWS\system32\dllcache\certwiz.ocx
2007-11-26 16:50 189,440 --a--c--- C:\WINDOWS\system32\dllcache\smtpadm.dll
2007-11-26 16:50 188,494 --a--c--- C:\WINDOWS\system32\dllcache\fpcount.exe
2007-11-26 16:50 188,480 --a--c--- C:\WINDOWS\system32\dllcache\cfgwiz.exe
2007-11-26 16:50 94,720 --a--c--- C:\WINDOWS\system32\dllcache\certmap.ocx
2007-11-26 16:50 76,800 --a--c--- C:\WINDOWS\system32\dllcache\logui.ocx
2007-11-26 16:50 76,288 --a--c--- C:\WINDOWS\system32\dllcache\cnfgprts.ocx
2007-11-26 16:50 68,608 --a--c--- C:\WINDOWS\system32\dllcache\iisext51.dll
2007-11-26 16:50 45,056 --a--c--- C:\WINDOWS\system32\dllcache\EXCH_aqadmin.dll
2007-11-26 16:50 20,536 --a--c--- C:\WINDOWS\system32\dllcache\shtml.dll
2007-11-26 16:50 16,437 --a--c--- C:\WINDOWS\system32\dllcache\shtml.exe
2007-11-26 16:50 7,168 --a--c--- C:\WINDOWS\system32\dllcache\wamregps.dll
2007-11-26 16:50 5,632 --a--c--- C:\WINDOWS\system32\dllcache\EXCH_adsiisex.dll
2007-11-26 16:49 488 -rah----- C:\WINDOWS\system32\logonui.exe.manifest
2007-11-26 16:40 1,042,903 --a--c--- C:\WINDOWS\system32\dllcache\SP2.CAT
2007-11-26 16:40 31,281 --a--c--- C:\WINDOWS\system32\dllcache\FP4.CAT
2007-11-26 16:40 24,661 --a--c--- C:\WINDOWS\system32\dllcache\spxcoins.dll
2007-11-26 16:40 13,753 --a--c--- C:\WINDOWS\system32\dllcache\IMS.CAT
2007-11-26 16:40 13,472 --a--c--- C:\WINDOWS\system32\dllcache\HPCRDP.CAT
2007-11-26 16:40 13,312 --a------ C:\WINDOWS\system32\irclass.dll
2007-11-26 16:40 13,312 --a--c--- C:\WINDOWS\system32\dllcache\irclass.dll
2007-11-26 16:40 9,581 --a--c--- C:\WINDOWS\system32\dllcache\MSMSGS.CAT
2007-11-26 10:00 <DIR> d-------- C:\Program Files\CryptLoad - Download Manager
2007-11-25 14:12 <DIR> d-------- C:\Documents and Settings\korisnik\Application Data\Winamp
2007-11-24 16:22 155,648 --a------ C:\WINDOWS\system32\adadix32.dll
2007-11-24 16:22 127,456 --a------ C:\WINDOWS\system32\IPDETECT.EXE
2007-11-24 16:22 46,892 --a------ C:\WINDOWS\system32\ADADIX16.DLL
2007-11-24 16:22 32,768 --a------ C:\WINDOWS\adiras.exe
2007-11-24 16:22 4,981 --a------ C:\WINDOWS\system32\ADADIX2K.DLL
2007-11-24 02:22 44,544 --a------ C:\WINDOWS\AWuninstall.exe
2007-11-23 11:31 147,456 --a------ C:\WINDOWS\AVUNTOOL.EXE
2007-11-18 20:36 7,334 --a--c--- C:\WINDOWS\system32\dllcache\wmerrenu.cat
2007-11-18 18:27 <DIR> d-------- C:\Program Files\Nero
2007-11-18 18:27 <DIR> d-------- C:\Program Files\Common Files\Ahead
2007-11-17 16:51 <DIR> d-------- C:\Program Files\LightWave 3D 9.2
2007-11-17 16:51 1,219,950 --a------ C:\WINDOWS\LightWave 3D 9.2 Uninstaller.exe
2007-11-17 12:34 <DIR> d-------- C:\Documents and Settings\korisnik\Application Data\Thinstall
2007-11-16 21:02 <DIR> d-------- C:\Program Files\Microsoft ActiveSync
2007-11-16 21:01 <DIR> d-------- C:\Program Files\Microsoft.NET
2007-11-14 16:48 <DIR> d-------- C:\Program Files\MSECache
2007-11-12 18:58 <DIR> d-------- C:\Program Files\MakeHuman
2007-11-12 12:00 <DIR> d-------- C:\Program Files\QuickTime
2007-11-12 11:59 <DIR> d-------- C:\Program Files\Apple Software Update
2007-11-12 11:59 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple Computer
2007-11-12 11:44 <DIR> d-------- C:\Documents and Settings\korisnik\Application Data\Poser 7
2007-11-12 11:42 90,112 --a------ C:\WINDOWS\unvise32.exe
2007-11-12 11:20 <DIR> d-------- C:\Program Files\Poser 7
2007-11-11 01:43 <DIR> d-------- C:\Program Files\MSN Messenger
2007-11-07 16:21 <DIR> d-------- C:\Documents and Settings\korisnik\Application Data\ESET
2007-11-07 02:34 <DIR> dr------- C:\FlexLM
2007-11-07 02:18 <DIR> d-------- C:\Program Files\Common Files\Alias Shared
2007-11-07 02:18 <DIR> d-------- C:\Program Files\Autodesk
2007-11-06 12:36 <DIR> d-------- C:\Program Files\InfinaDyne
2007-11-06 01:01 <DIR> d-------- C:\Documents and Settings\korisnik\Application Data\InfinaDyne
2007-11-06 00:58 <DIR> d-------- C:\Program Files\Shared
2007-11-05 23:29 <DIR> d-------- C:\Documents and Settings\korisnik\Application Data\Imagenomic
2007-11-05 23:17 <DIR> d-------- C:\Program Files\Imagenomic
2007-11-05 23:07 <DIR> d-------- C:\Program Files\Bonjour
2007-11-05 14:39 <DIR> d--h----- C:\WINDOWS\system32\GroupPolicy
2007-11-05 14:26 <DIR> d-------- C:\Program Files\WinXP Manager
2007-11-04 18:06 <DIR> d-------- C:\Documents and Settings\korisnik\Application Data\Ahead
2007-11-03 19:51 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\ESET
2007-10-30 08:32 87,040 --a------ C:\WINDOWS\UnGins.exe
2007-10-29 19:26 <DIR> d-------- C:\Program Files\Folderico
2007-10-29 19:21 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\GRETECH
2007-10-29 19:20 <DIR> d-------- C:\Program Files\Gom Player
2007-10-29 19:20 <DIR> d-------- C:\Documents and Settings\korisnik\Application Data\GRETECH
2007-10-28 23:47 <DIR> d-------- C:\WINDOWS\SxsCaPendDel
2007-10-28 21:11 <DIR> d-------- C:\Program Files\Screamer Radio
2007-10-28 14:40 <DIR> d-------- C:\WINDOWS\system32\RNBOSENT
2007-10-28 14:40 20,032 -ra------ C:\WINDOWS\system32\drivers\SNTNLUSB.SYS

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-28 03:16 --------- d-----w C:\Documents and Settings\korisnik\Application Data\POP Peeper
2007-11-28 01:25 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2007-11-26 17:55 --------- d-----w C:\Program Files\Tutorials
2007-11-25 19:46 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2007-11-25 13:17 --------- d-----w C:\Program Files\Winamp
2007-11-24 15:25 26 ----a-w C:\WINDOWS\system32\drivers\adidsl.cfg
2007-11-24 15:10 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-11-24 15:10 --------- d-----w C:\Program Files\Bluetooth
2007-11-18 15:17 85 --sh--w C:\Program Files\desktop.ini
2007-11-18 15:17 15,086 --sha-w C:\Program Files\ShedkoFolderico3_0627.ico
2007-11-18 13:46 --------- d-----w C:\Program Files\POP Peeper
2007-11-13 20:14 --------- d-----w C:\Program Files\Microsoft
2007-11-07 21:47 --------- d-----w C:\Program Files\Opera
2007-11-05 22:07 --------- d-----w C:\Program Files\Common Files\Adobe
2007-11-05 13:56 --------- d-----w C:\Program Files\YuRecnik
2007-11-05 13:56 --------- d-----w C:\Program Files\Windows Media Connect 2
2007-11-05 13:56 --------- d-----w C:\Program Files\Lexmark_HostCD
2007-10-28 13:41 47,616 ----a-w C:\WINDOWS\system32\drivers\Haspnt.sys
2007-10-27 19:35 --------- d-----w C:\Program Files\Java
2007-10-25 08:27 53,768 ----a-w C:\WINDOWS\system32\drivers\epfwtdi.sys
2007-10-25 08:27 50,696 ----a-w C:\WINDOWS\system32\drivers\epfw.sys
2007-10-25 08:27 30,728 ----a-w C:\WINDOWS\system32\drivers\epfwndis.sys
2007-10-25 08:25 33,800 ----a-w C:\WINDOWS\system32\drivers\eamon.sys
2007-10-25 08:25 27,144 ----a-w C:\WINDOWS\system32\drivers\easdrv.sys
2007-10-22 13:07 --------- d-----w C:\Program Files\Corel
2007-10-22 13:06 --------- d-----w C:\Documents and Settings\korisnik\Application Data\Corel
2007-10-22 12:52 --------- d-----w C:\Documents and Settings\All Users\Application Data\Corel
2007-10-21 13:01 --------- d-----w C:\Program Files\MSBuild
2007-10-21 03:41 --------- d-----w C:\Program Files\Common Files\InstallShield
2007-10-21 03:41 --------- d-----w C:\Documents and Settings\All Users\Application Data\InstallShield
2007-10-21 03:39 --------- d-----w C:\Program Files\Common Files\Protexis
2007-10-21 03:29 --------- d--h--w C:\Program Files\Give4Free Plugin
2007-10-17 20:46 --------- d-----w C:\Program Files\Common Files\WhenU
2007-10-17 20:35 685,816 ----a-w C:\WINDOWS\system32\drivers\sptd.sys
2007-10-15 13:59 --------- d-----w C:\Program Files\MP3, WAV, WMA, OGG Converter
2007-10-14 02:51 --------- d-----w C:\Program Files\Common Files\Download Manager
2007-10-01 12:43 --------- d-----w C:\Program Files\CCleaner
2007-10-01 10:03 --------- d-----w C:\Program Files\Boilsoft MOV Converter - QuickTime(.mov, .qt), 3GP, mp4 to avi, mpeg, vcd, dvd, wmv
2007-09-29 19:44 --------- d-----w C:\Documents and Settings\korisnik\Application Data\ACD Systems
2007-09-29 18:36 --------- d-----w C:\Program Files\Common Files\ACD Systems
2007-09-29 18:36 --------- d-----w C:\Program Files\ACD Systems
2007-09-10 07:43 2,380,800 ----a-w C:\WINDOWS\SaveTo.exe
2007-09-03 18:32 47,360 ----a-w C:\Documents and Settings\korisnik\Application Data\pcouffin.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"POP Peeper"="C:\Program Files\POP Peeper\POPPeeper.exe" [2006-11-16 05:02]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-03 23:56]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"GrooveMonitor"="C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-26 23:47]
"MsmqIntCert"="regsvr32 /s mqrt.dll" []
"ISUSPM Startup"="C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2005-02-16 15:15]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2005-02-16 15:15]
"egui"="C:\Program Files\ESET\ESET Smart Security\egui.exe" [2007-10-25 09:26]
"SoundMan"="SOUNDMAN.EXE" [2004-12-22 10:09 C:\WINDOWS\SOUNDMAN.EXE]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-03 23:56]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
DSLMON.lnk - C:\Program Files\ASUS USB ADSL Modem\ASUS USB ADSL Modem\dslmon.exe [2007-11-24 16:22:21]
VIA RAID TOOL.lnk - C:\Program Files\VIA\RAID\raid_tool.exe [2007-08-03 19:03:54]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoLogOff"= 1
"NoRecentDocsMenu"= 1
"NoToolbarCustomize"= 0 (0x0)
"NoBandCustomize"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^BlueSoleil.lnk]
backup=C:\WINDOWS\pss\BlueSoleil.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^korisnik^Start Menu^Programs^Startup^OneNote 2007 Screen Clipper and Launcher.lnk]
backup=C:\WINDOWS\pss\OneNote 2007 Screen Clipper and Launcher.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools]
C:\Program Files\DAEMON Tools\daemon.exe -lang 1033

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LanguageShortcut]
2007-02-07 15:21 54832 --a------ C:\Program Files\CyberLink\PowerDVD\Language\Language.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
C:\Program Files\MSN Messenger\MsnMsgr.Exe /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NBJ]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
C:\Program Files\QuickTime\qttask.exe -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
2007-02-07 15:24 71216 --a------ C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2007-09-25 00:11 132496 --a------ C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ZoneAlarm Client]

R0 viamraid;viamraid;C:\WINDOWS\system32\DRIVERS\viamraid.sys
R1 easdrv;easdrv;C:\WINDOWS\system32\DRIVERS\easdrv.sys
R1 epfwtdi;epfwtdi;C:\WINDOWS\system32\DRIVERS\epfwtdi.sys
R2 {95808DC4-FA4A-4c74-92FE-5B863F82066B};{95808DC4-FA4A-4c74-92FE-5B863F82066B};\??\C:\Program Files\CyberLink\PowerDVD\000.fcl
R2 eamon;EAMON;C:\WINDOWS\system32\DRIVERS\eamon.sys
R2 ekrn;Eset Service;"C:\Program Files\ESET\ESET Smart Security\ekrn.exe"
R2 epfw;epfw;C:\WINDOWS\system32\DRIVERS\epfw.sys
R3 Epfwndis;Eset Personal Firewall;C:\WINDOWS\system32\DRIVERS\Epfwndis.sys
S3 EhttpSrv;Eset HTTP Server;"C:\Program Files\ESET\ESET Smart Security\EHttpSrv.exe"
S3 usnjsvc;Usluga Messenger Sharing Folders USN Journal Reader;"C:\Program Files\MSN Messenger\usnsvc.exe"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f7ae3923-8dfc-11dc-b5ef-4d6564696130}]
\Shell\Auto\command - activexdebugger32.exe f
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL activexdebugger32.exe f
\Shell\explore\Command - activexdebugger32.exe f
\Shell\open\Command - activexdebugger32.exe f

.
Contents of the 'Scheduled Tasks' folder
"2007-11-12 10:59:47 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1262 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-28 16:29:22
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

**************************************************************************
.
Completion time: 2007-11-28 16:32:12
.
--- E O F ---

offline
  • dr_Bora  Male
  • Anti Malware Fighter
    Rank 2
  • Pridružio: 24 Jul 2007
  • Poruke: 12280
  • Gde živiš: Höganäs, SE

Skini file sa [url=https://www.mycity.rs/must-login.png linka[/url] i pokreni ga dvoklikom.

-------------------------------------------------------------------------------------

Pošto su vidljivi tragovi infekcije koja se prenosi putem usb drive-ova, potrebno je da ispratiš sledeće uputstvo.

Preuzmi program Flash_Disinfector.

program se pokreće dvoklikom na Flash_Disinfector.exe
kada se pojavi poruka sa obaveštenjem, potrebno je priključiti inficirane USB flash drive-ove (pri tome držati pritisnut taster Shift kako bi se izbegao autoplay)
kliknuti na OK i sačekati da se proces završi
kada se pojavi poruka Done !!, kliknuti na OK.


-------------------------------------------------------------------------------------

Obriši sledeće foldere:

C:\qoobox\
C:\Program Files\Common Files\WhenU\

Obriši sve programe koje smo koristili.

-------------------------------------------------------------------------------------


Na kraju, potrebno je resetovati SR.

Iskljucivanje System Restore-a

Na Desktopu, desni klik na My Computer.
Odaberite Properties.
Odaberite System Restore tab.
Stiklirajte Turn off System Restore.
Kliknite na dugme Apply.
Kliknite na dugme OK.


Restartuj kompjuter.


Ukljucivanje System Restore-a

Na Desktopu, desni klik na My Computer.
Odaberite Properties.
Odaberite System Restore tab.
Destiklirajte Turn off System Restore.
Kliknite na dugme Apply.
Kliknite na dugme OK.


-------------------------------------------------------------------------------------

To bi bilo sve...

Ko je trenutno na forumu
 

Ukupno su 663 korisnika na forumu :: 36 registrovanih, 4 sakrivenih i 623 gosta   ::   [ Administrator ] [ Supermoderator ] [ Moderator ] :: Detaljnije

Najviše korisnika na forumu ikad bilo je 3466 - dana 01 Jun 2021 17:07

Korisnici koji su trenutno na forumu:
Korisnici trenutno na forumu: _Sale, A.R.Chafee.Jr., AC-DC, Apok, bankulen, branko7, cenejac111, dacaaca, djo97, dragon986, havoc995, Joja, Korisnik038, leptirleptir, MarKhan, Markogrozni, Mercury, milekNS, Misirac, moldway, nemkea71, novator, Panter, pavle_pzs, Polemarchoi, randja26, S2M, Sale.S, Smiljke, Snorks, Srky Boy, Tenk, USSVoyager, Vlad000, yufighter, 223223