Problem with unknown e-mails


  • vl
  • New MyCity citizen
  • Joined: 05 May 2007
  • Posts: 18

I have F-Secure installed. Every little while I get a message about some e-mails that were supposedly blocked. I also made a log:

Logfile of HijackThis v1.99.1
Scan saved at 11:01:01, on 5.5.2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\F-Secure\BackWeb\7681197\Program\SERVIC~1.EXE
C:\Program Files\F-Secure\Anti-Virus\fsgk32st.exe
C:\Program Files\F-Secure\Anti-Virus\FSGK32.EXE
C:\Program Files\F-Secure\BackWeb\7681197\program\fsbwsys.exe
C:\Program Files\F-Secure\Anti-Virus\fssm32.exe
C:\Program Files\F-Secure\Common\FSMA32.EXE
C:\Program Files\F-Secure\Common\FSMB32.EXE
C:\Program Files\InterBase Corp\InterBase\bin\ibguard.exe
C:\PROGRA~1\MICROS~4\MSSQL\binn\sqlservr.exe
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\WINDOWS\system32\r_server.exe
C:\Program Files\F-Secure\Common\FCH32.EXE
C:\Program Files\F-Secure\Common\FAMEH32.EXE
C:\Program Files\F-Secure\Anti-Virus\fsqh.exe
C:\Program Files\F-Secure\Anti-Virus\fsrw.exe
C:\Program Files\F-Secure\Anti-Virus\fsav32.exe
C:\Program Files\InterBase Corp\InterBase\bin\ibserver.exe
C:\Program Files\F-Secure\FWES\Program\fsdfwd.exe
C:\Program Files\F-Secure\Common\FNRB32.EXE
C:\Program Files\F-Secure\Common\FIH32.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\F-Secure\Common\FSM32.EXE
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\F-Secure\ANTI-S~1\fsaw.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\F-Secure\FSGUI\fsguidll.exe
C:\Program Files\LClock\LClock.exe
C:\Program Files\VisualTooltip\VisualToolTip.exe
C:\Program Files\Styler\Styler.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\DOCUME~1\vlado\LOCALS~1\Temp\{E9C3A6CE-29A2-4458-8B43-4D21F0E8C308}\Blaero Start Orb.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\F-Secure\BackWeb\7681197\program\F-Secure Automatic Update.exe
C:\DOCUME~1\vlado\LOCALS~1\Temp\{4F8D0DF7-C954-4AE1-B9B3-4B997E40B70A}\sidebar.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Program Files\Microsoft Office\Office10\WINWORD.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\vlado\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = kingkongsearch.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = windowsxlive.net
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = go.microsoft.com/fwlink/?LinkId=488
R3 - URLSearchHook: (no name) - {6D53ADB7-6AD5-4A59-BFE4-7B57D2F4AA89} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: COM+ Service - {2BDEC973-B5AC-4e5b-8AB3-5A0500880DA2} - C:\WINDOWS\system32\winload.dll
O2 - BHO: (no name) - {5488E24F-B8E4-43B7-8726-F314FF7FEE98} - c:\windows\system32\dmhadmh.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: MS Explorer - {9B5A95FA-DFAF-31AB-A1AF-8A9FA7F8A98E} - C:\WINDOWS\system\wmecst32.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: XBTB06823 - {BA463437-C3DE-47da-8280-87596824388A} - C:\PROGRA~1\GOOGLE~1\TOOLBA~1.DLL
O2 - BHO: Yahoo ToolBar - {BE756CFF-ADB4-4bc5-A35F-19E546E5710E} - C:\WINDOWS\system32\winnet.dll
O3 - Toolbar: StylerToolBar - {D2F8F919-690B-4EA2-9FA7-A203D1E04F75} - C:\Program Files\Styler\TB\StylerTB.dll
O3 - Toolbar: Starware Screensavers Toolbar - {9FB3908C-6565-4CB0-95F8-E9F85258723C} - C:\Program Files\Starware316\bin\Starware316.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: (no name) - {6D53ADB7-6AD5-4A59-BFE4-7B57D2F4AA89} - (no file)
O4 - HKLM\..\Run: [SiSPower] Rundll32.exe SiSPower.dll,ModeAgent
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [F-Secure Manager] "C:\Program Files\F-Secure\Common\FSM32.EXE" /splash
O4 - HKLM\..\Run: [F-Secure TNB] "C:\Program Files\F-Secure\TNB\TNBUtil.exe" /CHECKALL /WAITFORSW
O4 - HKLM\..\Run: [LClock] C:\Program Files\LClock\LClock.exe
O4 - HKLM\..\Run: [Vista Sidebar] C:\Program Files\Vista Sidebar\sidebar.exe
O4 - HKLM\..\Run: [VisualTooltip] C:\Program Files\VisualTooltip\VisualToolTip.exe
O4 - HKLM\..\Run: [Blaero Start Orb] C:\Program Files\Blaero Start Orb\Blaero Start Orb.exe
O4 - HKLM\..\Run: [Styler] C:\Program Files\Styler\Styler.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD\Language\Language.exe"
O4 - HKLM\..\Run: [RavAV] C:\WINDOWS\AdobeR.exe
O4 - HKLM\..\Run: [mrwmhlft] C:\WINDOWS\system32\mrwmhlft.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe"
O4 - HKCU\..\Run: [mrwmhlft] C:\WINDOWS\system32\mrwmhlft.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O4 - Global Startup: F-Secure Automatic Update.lnk = C:\Program Files\F-Secure\BackWeb\7681197\program\F-Secure Automatic Update.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O8 - Extra context menu item: &Block this popup - C:\Program Files\F-Secure\Anti-Spyware\blockpopups.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: IE Shield - {300DB664-75B5-47c0-8B45-A44ACCF73C00} - C:\Program Files\F-Secure\Anti-Spyware\ieshield.dll
O9 - Extra 'Tools' menuitem: IE Shield... - {300DB664-75B5-47c0-8B45-A44ACCF73C00} - C:\Program Files\F-Secure\Anti-Spyware\ieshield.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\program files\f-secure\fsps\program\fslsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\f-secure\fsps\program\fslsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\f-secure\fsps\program\fslsp.dll
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = nikbanka.cg.rs
O17 - HKLM\System\CCS\Services\Tcpip\..\{4F5325BC-2881-4CE2-9419-BF5F4C41D508}: NameServer = 172.16.1.5,172.16.1.15
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = nikbanka.cg.rs
O17 - HKLM\System\CS1\Services\Tcpip\..\{4F5325BC-2881-4CE2-9419-BF5F4C41D508}: NameServer = 172.16.1.5,172.16.1.15
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: poibqqbc - C:\WINDOWS\SYSTEM32\dmhadmh.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: F-Secure Automatic Update (BackWeb Plug-in - 7681197) - F-Secure Automatic Update - C:\PROGRA~1\F-Secure\BackWeb\7681197\Program\SERVIC~1.EXE
O23 - Service: FSGKHS (F-Secure Gatekeeper Handler Starter) - F-Secure Corp. - C:\Program Files\F-Secure\Anti-Virus\fsgk32st.exe
O23 - Service: F-Secure Network Request Broker - F-Secure Corporation - C:\Program Files\F-Secure\Common\FNRB32.EXE
O23 - Service: fsbwsys - F-Secure Corp. - C:\Program Files\F-Secure\BackWeb\7681197\program\fsbwsys.exe
O23 - Service: F-Secure Anti-Virus Firewall Daemon (FSDFWD) - F-Secure Corporation - C:\Program Files\F-Secure\FWES\Program\fsdfwd.exe
O23 - Service: F-Secure Management Agent (FSMA) - F-Secure Corporation - C:\Program Files\F-Secure\Common\FSMA32.EXE
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: InterBase Guardian (InterBaseGuardian) - InterBase Software Corp. - C:\Program Files\InterBase Corp\InterBase\bin\ibguard.exe
O23 - Service: InterBase Server (InterBaseServer) - InterBase Software Corp. - C:\Program Files\InterBase Corp\InterBase\bin\ibserver.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: Remote Administrator Service (r_server) - Unknown owner - C:\WINDOWS\system32\r_server.exe" /service (file missing)


and I'll also send a screenshot so you can see what the message looks like.


Thanks in advance

  • DEMIAN
  • Legendary citizen
  • IT Manager
  • Joined: 25 Mar 2005
  • Posts: 3706
  • Location: The darkest place on earth..

Malformed messages are e-mail messages that (simply put) deviate from the prescribed Internet mail standards in various ways. They are most often used by spammers, although they can also be used for DoS attacks or to exploit some flaw or "weak point" (vulnerability) of the operating system. They can be malicious or contain a malicious attachment. In your case F-Secure blocked this type of message.

I'll check the log you posted and get back to you later..

  • vl
  • New MyCity citizen
  • Joined: 05 May 2007
  • Posts: 18

OK. I just wanted to add that after a certain time the computer slows down terribly, and when I open Task Manager the CPU usage is at 100% and the process taking the most CPU time is explorer.exe, and then I can't do anything except reset the computer. I don't know whether that's related to the above. I already said that these messages about e-mails keep popping up.

  • DEMIAN
  • Legendary citizen
  • IT Manager
  • Joined: 25 Mar 2005
  • Posts: 3706
  • Location: The darkest place on earth..

You have several different infections on the computer. Here's what we'll do..

Turn on the display of hidden files and extensions:
My Computer > choose the Tools menu and click Folder Options.
Choose the View tab.
Find Hidden files and folders and select the option Show hidden files and folders.
Untick the option Hide file extensions for known types.

Zip/RAR the following files and upload them via this link: http://www.mycity.rs/ambulanta-upload.php

C:\Documents and Settings\vlado\Local Settings\Temp\{4F8D0DF7-C954-4AE1-B9B3-4B997E40B70A}\sidebar.exe
C:\WINDOWS\system32\mrwmhlft.exe
C:\WINDOWS\SYSTEM32\dmhadmh.dll


Once you've done that, run the HijackThis program, go to "Do a system scan only", then find and tick the following lines:

R3 - URLSearchHook: (no name) - {6D53ADB7-6AD5-4A59-BFE4-7B57D2F4AA89} - (no file)
O2 - BHO: COM+ Service - {2BDEC973-B5AC-4e5b-8AB3-5A0500880DA2} - C:\WINDOWS\system32\winload.dll
O2 - BHO: XBTB06823 - {BA463437-C3DE-47da-8280-87596824388A} - C:\PROGRA~1\GOOGLE~1\TOOLBA~1.DLL
O2 - BHO: Yahoo ToolBar - {BE756CFF-ADB4-4bc5-A35F-19E546E5710E} - C:\WINDOWS\system32\winnet.dll
O3 - Toolbar: Starware Screensavers Toolbar - {9FB3908C-6565-4CB0-95F8-E9F85258723C} - C:\Program Files\Starware316\bin\Starware316.dll
O3 - Toolbar: (no name) - {6D53ADB7-6AD5-4A59-BFE4-7B57D2F4AA89} - (no file)
O4 - HKLM\..\Run: [RavAV] C:\WINDOWS\AdobeR.exe


Click "Fix Checked."

While we analyze the files you send us, you can (if you have a faster connection) download Ewido/AVG Anti-Spyware (10 MB), update its definitions and scan the computer with it.
Restart the computer and boot into Safe Mode, then scan the system partition with your antivirus.

Boot the system, make a new HJT log and post it here for us. When you do that, rename the program HijackThis.exe to something that doesn't suggest what it is. For example vlado.exe.

Tell us in your message which of the steps above you applied and what the AV/AS programs detected and deleted, if anything.
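
As an added example (not from the thread or from any of its participants), a small Python triage pass over HijackThis-style lines of the kind the helper reviews above: entries whose file is gone, IE start/search values pointing off Microsoft domains, unnamed BHOs, Winlogon Notify hooks, random-looking file names, and the same autorun name under both HKLM and HKCU. The sample lines are copied from the log in this thread; the rules, the trusted-domain list and the vowel threshold are my own assumptions.

```python
"""Triage of HijackThis v1.99.1 log lines (added example, not from the thread)."""
import re
from collections import defaultdict

# Constructed sample: a handful of lines copied from the HJT log posted above.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = kingkongsearch.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = windowsxlive.net
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = go.microsoft.com/fwlink/?LinkId=488
R3 - URLSearchHook: (no name) - {6D53ADB7-6AD5-4A59-BFE4-7B57D2F4AA89} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {5488E24F-B8E4-43B7-8726-F314FF7FEE98} - c:\windows\system32\dmhadmh.dll
O4 - HKLM\..\Run: [F-Secure Manager] "C:\Program Files\F-Secure\Common\FSM32.EXE" /splash
O4 - HKLM\..\Run: [mrwmhlft] C:\WINDOWS\system32\mrwmhlft.exe
O4 - HKCU\..\Run: [mrwmhlft] C:\WINDOWS\system32\mrwmhlft.exe
O20 - Winlogon Notify: poibqqbc - C:\WINDOWS\SYSTEM32\dmhadmh.dll
"""

# A Windows path ending in an executable or library, quoted or not.
PATH_RE = re.compile(r"[A-Za-z]:\\.*?\.(?:exe|dll|sys)\b", re.IGNORECASE)
# O4 autorun entry: hive, display name in brackets, command line.
RUN_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<target>.*)$")
# R0/R1 Internet Explorer start page / search settings.
IE_RE = re.compile(r"^R[01] - .*,(?P<setting>[^=]+?) = (?P<value>\S+)$")
# Domains where IE's default start/search settings normally point (assumption).
TRUSTED_IE_DOMAINS = ("microsoft.com", "msn.com", "live.com")
VOWELS = set("aeiouy")


def looks_random(stem: str) -> bool:
    """Heuristic: 6+ lowercase letters with under 30% vowels, like mrwmhlft or dmhadmh.

    Legitimate names such as winload or soundman pass this check; it is a
    prompt for manual review, not proof of anything.
    """
    if len(stem) < 6 or not stem.isalpha() or not stem.islower():
        return False
    return sum(c in VOWELS for c in stem) / len(stem) < 0.3


def ie_setting_hijacked(value: str) -> bool:
    """True when an IE start/search value points outside the trusted domains."""
    host = value.split("/")[0].lower()
    return not any(host == d or host.endswith("." + d) for d in TRUSTED_IE_DOMAINS)


def file_stem(path: str) -> str:
    """'C:\\WINDOWS\\system32\\mrwmhlft.exe' -> 'mrwmhlft'."""
    return path.rsplit("\\", 1)[-1].rsplit(".", 1)[0]


def triage(log_text: str) -> list:
    """Return (rule, line-or-name) findings for the HJT lines in log_text."""
    findings = []
    run_hives = defaultdict(set)  # autorun display name -> hives it appears under
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        # Registry still references a file that is no longer on disk.
        if "(no file)" in line or "(file missing)" in line:
            findings.append(("orphaned-entry", line))
        ie = IE_RE.match(line)
        if ie and ie_setting_hijacked(ie.group("value")):
            findings.append(("ie-setting-hijacked", line))
        # BHOs without a display name and Winlogon Notify hooks warrant review.
        if line.startswith("O2 - BHO: (no name)"):
            findings.append(("unnamed-bho", line))
        if line.startswith("O20 - Winlogon Notify:"):
            findings.append(("winlogon-notify", line))
        run = RUN_RE.match(line)
        if run:
            run_hives[run.group("name")].add(run.group("hive"))
        path = PATH_RE.search(line)
        if path and looks_random(file_stem(path.group(0))):
            findings.append(("random-looking-name", line))
    # The same autorun name under both HKLM and HKCU (as with mrwmhlft above).
    for name, hives in run_hives.items():
        if len(hives) > 1:
            findings.append(("autorun-in-multiple-hives", name))
    return findings


if __name__ == "__main__":
    for rule, detail in triage(SAMPLE_LOG):
        print(f"{rule:28} {detail}")
```

Every finding is a review prompt, not a verdict: the F-Secure and Adobe lines in the sample produce nothing, while the lines the helper singles out each trip at least one rule.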

  • vl
  • New MyCity citizen
  • Joined: 05 May 2007
  • Posts: 18

I didn't find the second of these three files. And the third one doesn't have a dll extension, because I only found one that has a different extension. I'll do the rest now and get back to you.

Update: 07 May 2007 11:16

I did a scan with AVG and here is the report I got:

---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 10:48:19 7.5.2007

+ Scan result:



C:\Program Files\Screensavers.com\SSSInst\bin\SSSInst.dll -> Adware.Comet : Ignored.
C:\Program Files\Starware316\bin\Starware316.dll -> Adware.Comet : Ignored.
C:\System Volume Information\_restore{912E11A5-5A9F-4512-9386-C9016C68EC2F}\RP4\A0009641.dll -> Adware.Softomate : Ignored.
C:\System Volume Information\_restore{912E11A5-5A9F-4512-9386-C9016C68EC2F}\RP4\A0009642.dll -> Adware.Yatool : Ignored.
C:\WINDOWS\system32\pstore.dll -> Downloader.Small.ehe : Ignored.
C:\Program Files\RAdmin\AdmDll.dll -> Not-A-Virus.RemoteAdmin.Win32.RAdmin.20 : Ignored.
C:\Program Files\RAdmin\R_server.exe -> Not-A-Virus.RemoteAdmin.Win32.RAdmin.20 : Ignored.
C:\Program Files\RAdmin\Radmin.exe -> Not-A-Virus.RemoteAdmin.Win32.RAdmin.20 : Ignored.
C:\Program Files\RAdmin\raddrv.dll -> Not-A-Virus.RemoteAdmin.Win32.RAdmin.20 : Ignored.
C:\WINDOWS\system32\AdmDll.dll -> Not-A-Virus.RemoteAdmin.Win32.RAdmin.20 : Ignored.
C:\WINDOWS\system32\r_server.exe -> Not-A-Virus.RemoteAdmin.Win32.RAdmin.20 : Ignored.
C:\WINDOWS\system32\raddrv.dll -> Not-A-Virus.RemoteAdmin.Win32.RAdmin.20 : Ignored.
C:\WINDOWS\system32\ssacuaaa.exe -> Trojan.Zapchast.ca : Ignored.


::Report end



For some reason unknown to me I couldn't open F-Secure (the antivirus I use) in safe mode. But here is the report of a scan I did a few days ago, if that's of any significance

Scanning Report
04 May 2007 13:10:59 - 13:43:35
Computer name: VLADO
Scanning type: Perform full computer check
Target: C:\ + system


--------------------------------------------------------------------------------

Result: 4 malware found
Trojan.Win32.Delf.zj (virus)
C:\WINDOWS\Temp\kyllqmxa.sys Action: deleted
Softomate Toolbar (Data miner)
REGKEY:HKCR\toolband.xbtb06823.1
REGKEY:HKCR\toolband.xbtb06823
REGKEY:HKCR\xbtb06823.xbtb06823.1
REGKEY:HKCR\xbtb06823.xbtb06823
REGKEY:HKCR\xbtb06823.ietoolbar.1
REGKEY:HKCR\xbtb06823.ietoolbar
REGKEY:HKU\S-1-5-21-2365521518-796408755-2943142746-1442\software\xbtb06823
REGKEY:HKLM\software\microsoft\windows\currentversion\uninstall\xbtb06823.xbtb06823toolbar

REGKEY:HKCR\xbtb06823.xbtb06823.1
REGKEY:HKCR\xbtb06823.xbtb06823
REGKEY:HKCR\xbtb06823.ietoolbar.1
REGKEY:HKCR\xbtb06823.ietoolbar
REGKEY:HKCR\toolband.xbtb06823.1
REGKEY:HKCR\toolband.xbtb06823
REGKEY:HKU\S-1-5-21-2365521518-796408755-2943142746-1442\software\xbtb06823
REGKEY:HKLM\software\microsoft\windows\currentversion\uninstall\xbtb06823.xbtb06823toolbar
Action: quarantined
Starware Toolbar (Undefined)
REGKEY:HKCR\clsid\{45a4902e-4479-4eae-a186-8d0f7e4c78de}
REGKEY:HKCR\clsid\{9a7d6ad2-0881-451f-bb27-f5e2ee2c5b14}
REGKEY:HKLM\software\microsoft\windows\currentversion\explorer\browser helper objects\{45a4902e-4479-4eae-a186-8d0f7e4c78de}
REGVALUE:HKU\S-1-5-21-2365521518-796408755-2943142746-1442\software\microsoft\internet explorer\main\Use Custom Search URL

REGKEY:HKCR\clsid\{45a4902e-4479-4eae-a186-8d0f7e4c78de}
REGKEY:HKCR\clsid\{9a7d6ad2-0881-451f-bb27-f5e2ee2c5b14}
REGVALUE:HKU\S-1-5-21-2365521518-796408755-2943142746-1442\software\microsoft\internet explorer\main\Use Custom Search URL
REGKEY:HKLM\software\microsoft\windows\currentversion\explorer\browser helper objects\{45a4902e-4479-4eae-a186-8d0f7e4c78de}
Action: quarantined
Adware.Eztracks (Data miner)
REGKEY:HKCR\clsid\{6d53adb7-6ad5-4a59-bfe4-7b57d2f4aa89}
Action: quarantined


--------------------------------------------------------------------------------

Statistics
Files:
Scanned: 26274
System: 5909
Not scanned: 3
Result:
Viruses: 1
Spyware: 3
Suspected: 0
Actions:
Disinfected: 0
Renamed: 0
Deleted: 1
Quarantined: 3
Failed: 0
Boot Sectors:
Scanned: 1
Infected: 0
Suspected: 0
Disinfected: 0
Files not scanned:
Cannot open file C:\pagefile.sys
Cannot open file C:\WINDOWS\system32\drivers\xkwagrvl.sys
Cannot open file C:\WINDOWS\system32\config\default


--------------------------------------------------------------------------------

Options
Definitions version:
Viruses: 2007-05-04_02
Spyware: 2007-04-24_06
Scanning Engines:
F-Secure AVP: 6.00.169, 2007-05-04
F-Secure Libra: 2.03.08, 2007-05-03
F-Secure Orion: 1.02.37, 2007-05-04
F-Secure Draco: 1.00.35, 2007-04-23
Scanning options:
Scan defined files: COM EXE SYS OV? BIN SCR DLL SHS HTM HTML HTT VBS JS INF VXD DO? XL? RTF CPL WIZ HTA PP? PWZ P?T MSO PIF . ACM ASP AX CNV CSC DRV INI MDB MPD MPP MPT OBD OBT OCX PCI TLB TSP WBK WBT WPC WSH VWP WML BOO HLP TD0 TT6 MSG ASD JSE VBE WSC CHM EML PRC SHB LNK WSF {* PDF ZL? XML ANI AVB BAT CEO CMD LSP MAP MHT MIF PHP POT WMF NWS TAR TGZ ZIP JAR ARJ LZH TAR TGZ GZ CAB RAR BZ2 HQX
Scan inside archives
Actions:
Viruses: Disinfect infected files
Spyware: Ask after scan


And finally the log:

Logfile of HijackThis v1.99.1
Scan saved at 11:22:10, on 7.5.2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\F-Secure\BackWeb\7681197\Program\SERVIC~1.EXE
C:\Program Files\F-Secure\Anti-Virus\fsgk32st.exe
C:\Program Files\F-Secure\Anti-Virus\FSGK32.EXE
C:\Program Files\F-Secure\BackWeb\7681197\program\fsbwsys.exe
C:\Program Files\F-Secure\Anti-Virus\fssm32.exe
C:\Program Files\F-Secure\Common\FSMA32.EXE
C:\Program Files\F-Secure\Common\FSMB32.EXE
C:\Program Files\InterBase Corp\InterBase\bin\ibguard.exe
C:\PROGRA~1\MICROS~4\MSSQL\binn\sqlservr.exe
C:\Program Files\F-Secure\BackWeb\7681197\Program\F-Secure Automatic Update.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\F-Secure\Common\FCH32.EXE
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\WINDOWS\system32\r_server.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\F-Secure\Common\FSM32.EXE
C:\Program Files\F-Secure\Anti-Virus\fsqh.exe
C:\Program Files\F-Secure\Common\FAMEH32.EXE
C:\Program Files\F-Secure\Anti-Virus\fsrw.exe
C:\Program Files\LClock\LClock.exe
C:\Program Files\VisualTooltip\VisualToolTip.exe
C:\Program Files\Styler\Styler.exe
C:\Program Files\F-Secure\Anti-Virus\fsav32.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\DOCUME~1\vlado\LOCALS~1\Temp\{4275ED12-4304-4190-9FC5-99FDB59272F3}\Blaero Start Orb.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\DOCUME~1\vlado\LOCALS~1\Temp\{713D21B6-7FEB-4D2F-9F0E-13621C333DE4}\sidebar.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\Program Files\InterBase Corp\InterBase\bin\ibserver.exe
C:\Program Files\F-Secure\Common\FNRB32.EXE
C:\Program Files\F-Secure\FWES\Program\fsdfwd.exe
C:\Program Files\F-Secure\Common\FIH32.EXE
C:\PROGRA~1\F-Secure\ANTI-S~1\fsaw.exe
C:\Program Files\F-Secure\FSGUI\fsguidll.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Documents and Settings\vlado\Desktop\vlado.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = kingkongsearch.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = windowsxlive.net
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = go.microsoft.com/fwlink/?LinkId=488
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {5488E24F-B8E4-43B7-8726-F314FF7FEE98} - c:\windows\system32\dmhadmh.dll (file missing)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: MS Explorer - {9B5A95FA-DFAF-31AB-A1AF-8A9FA7F8A98E} - C:\WINDOWS\system\wmecst32.dll (file missing)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: StylerToolBar - {D2F8F919-690B-4EA2-9FA7-A203D1E04F75} - C:\Program Files\Styler\TB\StylerTB.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [SiSPower] Rundll32.exe SiSPower.dll,ModeAgent
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [F-Secure Manager] "C:\Program Files\F-Secure\Common\FSM32.EXE" /splash
O4 - HKLM\..\Run: [F-Secure TNB] "C:\Program Files\F-Secure\TNB\TNBUtil.exe" /CHECKALL /WAITFORSW
O4 - HKLM\..\Run: [LClock] C:\Program Files\LClock\LClock.exe
O4 - HKLM\..\Run: [Vista Sidebar] C:\Program Files\Vista Sidebar\sidebar.exe
O4 - HKLM\..\Run: [VisualTooltip] C:\Program Files\VisualTooltip\VisualToolTip.exe
O4 - HKLM\..\Run: [Blaero Start Orb] C:\Program Files\Blaero Start Orb\Blaero Start Orb.exe
O4 - HKLM\..\Run: [Styler] C:\Program Files\Styler\Styler.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD\Language\Language.exe"
O4 - HKLM\..\Run: [mrwmhlft] C:\WINDOWS\system32\mrwmhlft.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe"
O4 - HKCU\..\Run: [mrwmhlft] C:\WINDOWS\system32\mrwmhlft.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O4 - Global Startup: F-Secure Automatic Update.lnk = C:\Program Files\F-Secure\BackWeb\7681197\program\F-Secure Automatic Update.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O8 - Extra context menu item: &Block this popup - C:\Program Files\F-Secure\Anti-Spyware\blockpopups.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: IE Shield - {300DB664-75B5-47c0-8B45-A44ACCF73C00} - C:\Program Files\F-Secure\Anti-Spyware\ieshield.dll
O9 - Extra 'Tools' menuitem: IE Shield... - {300DB664-75B5-47c0-8B45-A44ACCF73C00} - C:\Program Files\F-Secure\Anti-Spyware\ieshield.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\program files\f-secure\fsps\program\fslsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\f-secure\fsps\program\fslsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\f-secure\fsps\program\fslsp.dll
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = nikbanka.cg.rs
O17 - HKLM\System\CCS\Services\Tcpip\..\{4F5325BC-2881-4CE2-9419-BF5F4C41D508}: NameServer = 172.16.1.5,172.16.1.15
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = nikbanka.cg.rs
O17 - HKLM\System\CS1\Services\Tcpip\..\{4F5325BC-2881-4CE2-9419-BF5F4C41D508}: NameServer = 172.16.1.5,172.16.1.15
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: poibqqbc - dmhadmh.dll (file missing)
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: F-Secure Automatic Update (BackWeb Plug-in - 7681197) - F-Secure Automatic Update - C:\PROGRA~1\F-Secure\BackWeb\7681197\Program\SERVIC~1.EXE
O23 - Service: FSGKHS (F-Secure Gatekeeper Handler Starter) - F-Secure Corp. - C:\Program Files\F-Secure\Anti-Virus\fsgk32st.exe
O23 - Service: F-Secure Network Request Broker - F-Secure Corporation - C:\Program Files\F-Secure\Common\FNRB32.EXE
O23 - Service: fsbwsys - F-Secure Corp. - C:\Program Files\F-Secure\BackWeb\7681197\program\fsbwsys.exe
O23 - Service: F-Secure Anti-Virus Firewall Daemon (FSDFWD) - F-Secure Corporation - C:\Program Files\F-Secure\FWES\Program\fsdfwd.exe
O23 - Service: F-Secure Management Agent (FSMA) - F-Secure Corporation - C:\Program Files\F-Secure\Common\FSMA32.EXE
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: InterBase Guardian (InterBaseGuardian) - InterBase Software Corp. - C:\Program Files\InterBase Corp\InterBase\bin\ibguard.exe
O23 - Service: InterBase Server (InterBaseServer) - InterBase Software Corp. - C:\Program Files\InterBase Corp\InterBase\bin\ibserver.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: Remote Administrator Service (r_server) - Unknown owner - C:\WINDOWS\system32\r_server.exe" /service (file missing)

Update: 07 May 2007 11:19

Yes, it's on the same path. There, I've sent everything that's needed, I hope. If anything else is needed, just say

Update: 07 May 2007 11:32

Here are two more screenshots if that's of any significance. These are the messages I got from F-Secure this morning

  • DEMIAN
  • Legendary citizen
  • IT Manager
  • Joined: 25 Mar 2005
  • Posts: 3706
  • Location: The darkest place on earth..

Just tell me one more thing: what happened with the AVG Anti-Spyware scan? I see all the detected files are set to "Ignored". Why didn't you delete them?

  • vl
  • New MyCity citizen
  • Joined: 05 May 2007
  • Posts: 18

I was watching for whether a clean option would appear after the scan, but it didn't. Or I didn't see it. When I wanted to open Remote Administrator I got a message about cleaning, but I chose ignore because I installed that program myself and I need it.

  • DEMIAN
  • Legendary citizen
  • IT Manager
  • Joined: 25 Mar 2005
  • Posts: 3706
  • Location: The darkest place on earth..

It recognized RemoteAdmin as a potential risk; you can see it says "Not-A-Virus" next to it. That's ok.

I checked what you uploaded. The one from the folder is clean, but the other file with the masked extension is malicious. Go delete it from the system.

While you're doing that, also check these paths:
C:\WINDOWS\system32\pstore.dll
C:\WINDOWS\system32\ssacuaaa.exe


If you find them, zip them again and upload them for checking. There's a possibility that the first one is legitimate, so I can't advise you to delete it without checking.

  • vl
  • New MyCity citizen
  • Joined: 05 May 2007
  • Posts: 18

I deleted the masked one and I'm sending these two as well.

  • DEMIAN
  • Legendary citizen
  • IT Manager
  • Joined: 25 Mar 2005
  • Posts: 3706
  • Location: The darkest place on earth..

Ok. I just can't get my head around how "mrwmhlft.exe" isn't there when it keeps showing up in your startup, and duplicated at that?

The path is still the same:
C:\WINDOWS\system32\mrwmhlft.exe

Did you turn on the display of hidden files and extensions? Tried the Windows Search option?

Update: 07 May 2007 12:58

Update: Delete those 2 files you uploaded.

I'll get back to you in a couple of minutes with the list of lines to delete from HJT.
