Win32/Adware.Virtumonde.FP application

1

Win32/Adware.Virtumonde.FP application

offline
  • Pridružio: 07 Apr 2008
  • Poruke: 9

NOD32 je detektovao sledece:
File: C:\WINDOWS\system32\rqRJAsqR.dll
Threat: Win32/Adware.Virtumonde.FP application

NOD32 nece da ga sredi ni posle restarta, probao sam sa jos nekim alatima - AdAware,Spybot S&D...,ali nikako...
Skinuo sam ComboFix i on je izbacio sledeci log fajl...

ComboFix 08-03-30.5 - Dejan 2008-04-07 13:59:23.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1250.1.1033.18.119 [GMT 2:00]
Running from: C:\Documents and Settings\Dejan\Desktop\ComboFix.exe
* Resident AV is active


WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\RqsAJRqr.ini
C:\WINDOWS\system32\RqsAJRqr.ini2

.
((((((((((((((((((((((((( Files Created from 2008-03-07 to 2008-04-07 )))))))))))))))))))))))))))))))
.

2008-04-07 13:51 . 2008-04-07 13:51 15 --a------ C:\WINDOWS\system32\b48ce26b
2008-04-03 15:34 . 2008-04-03 15:34 <DIR> d-------- C:\Documents and Settings\Dejan\Application Data\Grisoft
2008-04-03 15:34 . 2007-05-30 14:10 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2008-04-03 11:33 . 2008-04-03 11:33 <DIR> d-------- C:\VundoFix Backups
2008-03-31 13:35 . 2008-03-31 13:35 <DIR> d-------- C:\Documents and Settings\Dejan\Application Data\Embarcadero
2008-03-31 13:34 . 2000-06-27 12:07 1,305,200 --a------ C:\WINDOWS\system32\sbe6_32.dll
2008-03-31 13:34 . 2000-06-18 23:53 512,560 --a------ C:\WINDOWS\system32\sb6ent.ocx
2008-03-31 13:34 . 2000-06-15 23:47 326,612 --a------ C:\WINDOWS\system32\SBE6_000.HLP
2008-03-31 13:34 . 1999-09-09 12:51 6,499 --a------ C:\WINDOWS\system32\SBE6_000.CNT
2008-03-31 13:33 . 2008-03-31 13:33 <DIR> d-------- C:\Program Files\Embarcadero
2008-03-31 13:33 . 2008-03-31 13:33 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Embarcadero
2008-03-31 08:13 . 2008-03-31 08:13 1,583,347 --ahs---- C:\WINDOWS\system32\ntjwfxfc.ini
2008-03-29 09:12 . 2008-03-28 16:02 1,584,019 --ahs---- C:\WINDOWS\system32\neducssk.ini
2008-03-28 16:37 . 2008-03-28 16:37 <DIR> d--h----- C:\WINDOWS\PIF
2008-03-28 16:10 . 2008-03-31 08:13 1,583,287 --ahs---- C:\WINDOWS\system32\uyjtyxwg.ini
2008-03-27 09:40 . 2008-03-27 09:40 230 --a------ C:\WINDOWS\system32\spupdsvc.inf
2008-03-24 09:02 . 2008-03-24 09:02 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Messenger Plus!
2008-03-22 13:22 . 2008-03-22 13:22 <DIR> d-------- C:\Program Files\Ref support camp
2008-03-22 13:22 . 2008-03-22 13:22 <DIR> d-------- C:\Program Files\Messenger Plus! Live
2008-03-22 13:22 . 2008-03-22 13:22 <DIR> d-------- C:\Program Files\Circle Developement
2008-03-13 09:49 . 2007-10-10 05:34 216,064 --a------ C:\WINDOWS\UninstallW.exe
2008-03-13 09:49 . 2006-09-12 05:36 1,606 --a------ C:\WINDOWS\uninsW.bat
2008-03-13 09:49 . 2006-06-22 17:34 970 --a------ C:\WINDOWS\uninsWmove.bat
2008-03-13 09:49 . 2005-12-28 20:54 29 --a------ C:\WINDOWS\uninsW98.bat
2008-03-13 09:45 . 2008-03-13 09:45 <DIR> d-------- C:\Temp
2008-03-13 09:45 . 2008-03-13 09:45 <DIR> d-------- C:\Program Files\Wilcom2
2008-03-10 15:50 . 2008-04-07 08:47 <DIR> d-------- C:\Documents and Settings\Dejan\Application Data\Skype
2008-03-10 15:49 . 2008-03-10 15:49 <DIR> d-------- C:\Program Files\Skype
2008-03-10 15:49 . 2008-03-10 15:49 <DIR> d-------- C:\Program Files\Common Files\Skype
2008-03-10 15:49 . 2008-03-10 15:49 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Skype
2008-03-10 12:22 . 2006-09-13 10:04 9,676 --a------ C:\export_caps.png
2008-03-07 14:49 . 2008-03-08 11:19 <DIR> d-------- C:\Documents and Settings\Dejan\Contacts
2008-03-07 14:30 . 2008-03-07 14:48 <DIR> d-------- C:\Program Files\Windows Live
2008-03-07 14:30 . 2008-03-07 14:48 <DIR> d--hsc--- C:\Program Files\Common Files\WindowsLiveInstaller
2008-03-07 14:30 . 2008-03-07 14:30 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\WLInstaller

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-07 06:53 --------- d-----w C:\Program Files\DeskCall NG
2008-04-07 06:13 --------- d-----w C:\Program Files\ICQToolbar
2008-04-03 09:25 --------- d-----w C:\Program Files\Google
2008-04-03 09:20 --------- d-----w C:\Program Files\HijackThis 1.99.1
2008-03-31 11:33 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-03-20 07:46 --------- d-----w C:\Program Files\Winamp
2008-02-25 08:10 691,545 ----a-w C:\WINDOWS\unins000.exe
2008-02-23 13:10 --------- d-----w C:\Program Files\Eset
2008-02-23 12:54 --------- d-----w C:\Program Files\Common Files\NSV
2008-02-23 12:00 502,368 ----a-w C:\WINDOWS\system32\drivers\amon.sys
2008-02-13 13:49 --------- d-----w C:\Program Files\Common Files\Adobe
2008-02-13 13:49 --------- d-----w C:\Program Files\Bonjour
2008-02-13 13:42 --------- d-----w C:\Program Files\Common Files\Macrovision Shared
2008-02-12 11:48 --------- d-----w C:\Documents and Settings\Dejan\Application Data\DeskCallNG
2008-02-11 12:35 --------- d-----w C:\Program Files\TC UP
2008-01-12 08:48 720,896 ----a-w C:\WINDOWS\iun6002.exe
2007-07-10 08:04 20,112 ----a-w C:\Documents and Settings\Dejan\Application Data\GDIPFONTCACHEV1.DAT
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{85D5A7A3-C325-479B-BE1C-CAD9691AA96E}]
1980-03-28 16:47 273920 --a------ C:\WINDOWS\system32\rqRJAsqR.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56 15360]
"Magentic"="C:\PROGRA~1\Magentic\bin\Magentic.exe" [2007-10-09 14:42 475180]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 18:24 1694208]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"YSearchProtection"="C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe" [ ]
"nod32kui"="C:\Program Files\Eset\nod32kui.exe" [2008-02-23 14:00 921600]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 11:25 6731312]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2004-08-04 00:56 15360]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\system]
"DisableCMD"= 0 (0x0)

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 C:\WINDOWS\system32\rqRJAsqR.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ICQ]
--a------ 2007-11-21 02:47 172280 C:\Program Files\ICQ6\ICQ.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Isoeggs]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--------- 2004-10-13 18:24 1694208 C:\Program Files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2001-07-09 11:50 155648 C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OpwareSE2]
--a------ 2003-05-08 12:00 49152 C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2007-10-02 13:29 286720 C:\Program Files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RegistrySmart]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
--a------ 2004-12-01 17:54 77824 C:\WINDOWS\SOUNDMAN.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Tok-Cirrhatus]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\two city internet heck]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\YSearchProtection]
C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"LightScribeService"=2 (0x2)
"gusvc"=3 (0x3)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\TC UP\\PLUGINS\\Media\\uTorrent\\utorrent.exe"=
"C:\\Program Files\\ICQ6\\ICQ.exe"=
"C:\\Program Files\\Magentic\\bin\\MgImp.exe"=
"C:\\Program Files\\Magentic\\bin\\Magentic.exe"=
"C:\\Program Files\\Magentic\\bin\\MgApp.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\TC UP\\TOTALCMD.EXE"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"512:TCP"= 512:TCP:KOMUNIKACIJA
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R1 VD_FileDisk;VD_FileDisk;C:\WINDOWS\system32\drivers\VD_FileDisk.sys [2006-01-13 14:00]
R2 pgAgent;PostgreSQL Scheduling Agent - pgAgent;C:\Program Files\PostgreSQL\8.1\bin\pgAgent RUN pgAgent hostaddr=127.0.0.1 dbname=postgres user=postgres []
R2 pgsql-8.1;PostgreSQL Database Server 8.1;"C:\Program Files\PostgreSQL\8.1\bin\pg_ctl.exe" runservice -N "pgsql-8.1" -D "C:\Program Files\PostgreSQL\8.1\data\" []
R2 U3SHLPDR;U3SHLPDR;C:\WINDOWS\System32\Drivers\U3SHLPDR.SYS [2007-10-21 10:41]
S3 FXDRV;FXDRV;D:\Fxdrv.sys []

.
Contents of the 'Scheduled Tasks' folder
"2008-04-04 13:00:15 C:\WINDOWS\Tasks\BackUp.job"
- D:\MARKO\Install_PoSo\BackUp\BackUp.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, gmer.net
Rootkit scan 2008-04-07 14:06:59
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\pgAgent]
"ImagePath"="C:\Program Files\PostgreSQL\8.1\bin\pgAgent RUN pgAgent hostaddr=127.0.0.1 dbname=postgres user=postgres"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\lsass.exe
-> C:\WINDOWS\system32\rqRJAsqR.dll
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Eset\nod32krn.exe
C:\Program Files\PostgreSQL\8.1\bin\pgAgent.exe
C:\Program Files\PostgreSQL\8.1\bin\pg_ctl.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\PostgreSQL\8.1\bin\postmaster.exe
C:\Program Files\PostgreSQL\8.1\bin\postgres.exe
C:\Program Files\PostgreSQL\8.1\bin\postgres.exe
C:\Program Files\PostgreSQL\8.1\bin\postgres.exe
C:\Program Files\PostgreSQL\8.1\bin\postgres.exe
C:\PROGRA~1\Magentic\bin\MgApp.exe
.
**************************************************************************
.
Completion time: 2008-04-07 14:09:47 - machine was rebooted
ComboFix-quarantined-files.txt 2008-04-07 12:09:43
ComboFix2.txt 2008-04-01 11:46:54
Pre-Run: 26,035,486,720 bytes free
Post-Run: 26,048,913,408 bytes free
.
2008-01-09 15:38:09 --- E O F ---


Ako neko moze da mi pomogne bio bih mu zahvalan!!!
POZZ!

offline
  • helen1  Male
  • Anti Malware Fighter
    Rank 2
  • Master učitelj
  • Pridružio: 27 Avg 2005
  • Poruke: 8488
  • Gde živiš: Novi Beograd

Isprati ovo uputstvo prvo:

http://www.mycity.rs/Ambulanta/Kako-otvoriti-temu-u-Ambulanti.html

offline
  • Pridružio: 07 Apr 2008
  • Poruke: 9

Hvala na brzom odgovoru
Evo log fajla


Logfile of HijackThis v1.99.1
Scan saved at 14:40:41, on 07.04.2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Eset\nod32krn.exe
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\PROGRA~1\Magentic\bin\MgApp.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Opera\Opera.exe
C:\Program Files\TC UP\TOTALCMD.EXE
C:\Program Files\TC UP\PLUGINS\Media\Notepad++\notepad++.exe
D:\!!! instalacije\TR3.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = yahoo.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\PROGRA~1\ICQTOO~1\toolbaru.dll
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: XTTBPos00 - {055FD26D-3A88-4e15-963D-DC8493744B1D} - C:\PROGRA~1\ICQTOO~1\toolbaru.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: (no name) - {85D5A7A3-C325-479B-BE1C-CAD9691AA96E} - C:\WINDOWS\system32\rqRJAsqR.dll
O3 - Toolbar: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\PROGRA~1\ICQTOO~1\toolbaru.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [YSearchProtection] "C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe"
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Magentic] C:\PROGRA~1\Magentic\bin\Magentic.exe /c
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6\ICQ.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{198589BD-CECF-4DF8-BBEB-D6BACE6742BF}: NameServer = 194.247.192.33,194.247.192.1
O17 - HKLM\System\CS1\Services\Tcpip\..\{198589BD-CECF-4DF8-BBEB-D6BACE6742BF}: NameServer = 194.247.192.33,194.247.192.1
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: PostgreSQL Scheduling Agent - pgAgent (pgAgent) - Unknown owner - C:\Program.exe (file missing)
O23 - Service: PostgreSQL Database Server 8.1 (pgsql-8.1) - Unknown owner - C:\Program Files\PostgreSQL\8.1\bin\pg_ctl.exe" runservice -N "pgsql-8.1" -D "C:\Program Files\PostgreSQL\8.1\data\ (file missing)

offline
  • helen1  Male
  • Anti Malware Fighter
    Rank 2
  • Master učitelj
  • Pridružio: 27 Avg 2005
  • Poruke: 8488
  • Gde živiš: Novi Beograd

Skini VundoFix:
http://www.atribune.org/ccount/click.php?id=4

* Dvoklikom se startuje fajl VundoFix.exe.
* Izabere opcija Scan for Vundo.
* Posle završenog skeniranja i pojave poruke Done Searching for files klikne se na OK.
* Sada, kada je skeniranje obavljeno potrebno je kliknuti na opciju Fix Vundo.
* Po pojavljivanju upita o uklanjaju Vundo fajlova klikne se na Yes.
* Pokretanje ove opcije učiniće Desktop privremeno praznim u cilju pripreme sistema za uklanjanje Vundo-a.
* Po završetku, pojaviće se obaveštenje o gašnjenju računara, klikne se OK.
* Uključi se računar i podigne sistem iznova.
* Iskopira se sadržaj loga sa putanje C:\vundofix.txt i novi HiJackThis log u poruku na forumu.

offline
  • Pridružio: 07 Apr 2008
  • Poruke: 9

Vundo nista nije nasao
evo log fajla ...


VundoFix V7.0.3

Scan started at 11:33:29 03.04.2008

Listing files found while scanning....

No infected files were found.


VundoFix V7.0.3

Scan started at 14:49:45 07.04.2008

Listing files found while scanning....

No infected files were found.


Beginning removal...

Beginning removal...

Beginning removal...

Beginning removal...

Dopuna: 07 Apr 2008 15:27

Problem i dalje stoji...

offline
  • helen1  Male
  • Anti Malware Fighter
    Rank 2
  • Master učitelj
  • Pridružio: 27 Avg 2005
  • Poruke: 8488
  • Gde živiš: Novi Beograd

Znam da stoji,ali sam trenutno zauzet,ne brini resicemo.....

Postavi mi novi Combo Fix log....

offline
  • Pridružio: 07 Apr 2008
  • Poruke: 9

Novi ComboFix log...

ComboFix 08-03-30.5 - Dejan 2008-04-07 15:29:37.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1250.1.1033.18.81 [GMT 2:00]
Running from: C:\Documents and Settings\Dejan\Desktop\ComboFix.exe
* Resident AV is active


WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((( Files Created from 2008-03-07 to 2008-04-07 )))))))))))))))))))))))))))))))
.

2008-04-07 15:34 . 2008-04-07 15:35 419 --ahs---- C:\WINDOWS\system32\RqsAJRqr.ini
2008-04-07 15:34 . 2008-04-07 15:34 320 --ahs---- C:\WINDOWS\system32\RqsAJRqr.ini2
2008-04-07 13:51 . 2008-04-07 13:51 15 --a------ C:\WINDOWS\system32\b48ce26b
2008-04-03 15:34 . 2008-04-03 15:34 <DIR> d-------- C:\Documents and Settings\Dejan\Application Data\Grisoft
2008-04-03 15:34 . 2007-05-30 14:10 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2008-04-03 11:33 . 2008-04-03 11:33 <DIR> d-------- C:\VundoFix Backups
2008-03-31 13:35 . 2008-03-31 13:35 <DIR> d-------- C:\Documents and Settings\Dejan\Application Data\Embarcadero
2008-03-31 13:34 . 2000-06-27 12:07 1,305,200 --a------ C:\WINDOWS\system32\sbe6_32.dll
2008-03-31 13:34 . 2000-06-18 23:53 512,560 --a------ C:\WINDOWS\system32\sb6ent.ocx
2008-03-31 13:34 . 2000-06-15 23:47 326,612 --a------ C:\WINDOWS\system32\SBE6_000.HLP
2008-03-31 13:34 . 1999-09-09 12:51 6,499 --a------ C:\WINDOWS\system32\SBE6_000.CNT
2008-03-31 13:33 . 2008-03-31 13:33 <DIR> d-------- C:\Program Files\Embarcadero
2008-03-31 13:33 . 2008-03-31 13:33 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Embarcadero
2008-03-31 08:13 . 2008-03-31 08:13 1,583,347 --ahs---- C:\WINDOWS\system32\ntjwfxfc.ini
2008-03-29 09:12 . 2008-03-28 16:02 1,584,019 --ahs---- C:\WINDOWS\system32\neducssk.ini
2008-03-28 16:37 . 2008-03-28 16:37 <DIR> d--h----- C:\WINDOWS\PIF
2008-03-28 16:10 . 2008-03-31 08:13 1,583,287 --ahs---- C:\WINDOWS\system32\uyjtyxwg.ini
2008-03-27 09:40 . 2008-03-27 09:40 230 --a------ C:\WINDOWS\system32\spupdsvc.inf
2008-03-24 09:02 . 2008-03-24 09:02 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Messenger Plus!
2008-03-22 13:22 . 2008-03-22 13:22 <DIR> d-------- C:\Program Files\Ref support camp
2008-03-22 13:22 . 2008-03-22 13:22 <DIR> d-------- C:\Program Files\Messenger Plus! Live
2008-03-22 13:22 . 2008-03-22 13:22 <DIR> d-------- C:\Program Files\Circle Developement
2008-03-13 09:49 . 2007-10-10 05:34 216,064 --a------ C:\WINDOWS\UninstallW.exe
2008-03-13 09:49 . 2006-09-12 05:36 1,606 --a------ C:\WINDOWS\uninsW.bat
2008-03-13 09:49 . 2006-06-22 17:34 970 --a------ C:\WINDOWS\uninsWmove.bat
2008-03-13 09:49 . 2005-12-28 20:54 29 --a------ C:\WINDOWS\uninsW98.bat
2008-03-13 09:45 . 2008-03-13 09:45 <DIR> d-------- C:\Temp
2008-03-13 09:45 . 2008-03-13 09:45 <DIR> d-------- C:\Program Files\Wilcom2
2008-03-10 15:50 . 2008-04-07 08:47 <DIR> d-------- C:\Documents and Settings\Dejan\Application Data\Skype
2008-03-10 15:49 . 2008-03-10 15:49 <DIR> d-------- C:\Program Files\Skype
2008-03-10 15:49 . 2008-03-10 15:49 <DIR> d-------- C:\Program Files\Common Files\Skype
2008-03-10 15:49 . 2008-03-10 15:49 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Skype
2008-03-10 12:22 . 2006-09-13 10:04 9,676 --a------ C:\export_caps.png
2008-03-07 14:49 . 2008-03-08 11:19 <DIR> d-------- C:\Documents and Settings\Dejan\Contacts
2008-03-07 14:30 . 2008-03-07 14:48 <DIR> d-------- C:\Program Files\Windows Live
2008-03-07 14:30 . 2008-03-07 14:48 <DIR> d--hsc--- C:\Program Files\Common Files\WindowsLiveInstaller
2008-03-07 14:30 . 2008-03-07 14:30 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\WLInstaller

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-07 06:53 --------- d-----w C:\Program Files\DeskCall NG
2008-04-07 06:13 --------- d-----w C:\Program Files\ICQToolbar
2008-04-03 09:25 --------- d-----w C:\Program Files\Google
2008-04-03 09:20 --------- d-----w C:\Program Files\HijackThis 1.99.1
2008-03-31 11:33 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-03-20 07:46 --------- d-----w C:\Program Files\Winamp
2008-02-25 08:10 691,545 ----a-w C:\WINDOWS\unins000.exe
2008-02-23 13:10 --------- d-----w C:\Program Files\Eset
2008-02-23 12:54 --------- d-----w C:\Program Files\Common Files\NSV
2008-02-23 12:00 502,368 ----a-w C:\WINDOWS\system32\drivers\amon.sys
2008-02-13 13:49 --------- d-----w C:\Program Files\Common Files\Adobe
2008-02-13 13:49 --------- d-----w C:\Program Files\Bonjour
2008-02-13 13:42 --------- d-----w C:\Program Files\Common Files\Macrovision Shared
2008-02-12 11:48 --------- d-----w C:\Documents and Settings\Dejan\Application Data\DeskCallNG
2008-02-11 12:35 --------- d-----w C:\Program Files\TC UP
2008-01-12 08:48 720,896 ----a-w C:\WINDOWS\iun6002.exe
2007-07-10 08:04 20,112 ----a-w C:\Documents and Settings\Dejan\Application Data\GDIPFONTCACHEV1.DAT
.

((((((((((((((((((((((((((((( snapshot@2008-04-07_14.09.28.15 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-04-07 13:35:36 16,384 ----atw C:\WINDOWS\TEMP\Perflib_Perfdata_7b4.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{02F8E89D-1E71-47A2-838C-3C705C88281F}]
1980-03-28 16:47 273920 --a------ C:\WINDOWS\system32\rqRJAsqR.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56 15360]
"Magentic"="C:\PROGRA~1\Magentic\bin\Magentic.exe" [2007-10-09 14:42 475180]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 18:24 1694208]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"YSearchProtection"="C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe" [ ]
"nod32kui"="C:\Program Files\Eset\nod32kui.exe" [2008-02-23 14:00 921600]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 11:25 6731312]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2004-08-04 00:56 15360]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\system]
"DisableCMD"= 0 (0x0)

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 C:\WINDOWS\system32\rqRJAsqR.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ICQ]
--a------ 2007-11-21 02:47 172280 C:\Program Files\ICQ6\ICQ.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Isoeggs]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--------- 2004-10-13 18:24 1694208 C:\Program Files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2001-07-09 11:50 155648 C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OpwareSE2]
--a------ 2003-05-08 12:00 49152 C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2007-10-02 13:29 286720 C:\Program Files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RegistrySmart]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
--a------ 2004-12-01 17:54 77824 C:\WINDOWS\SOUNDMAN.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Tok-Cirrhatus]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\two city internet heck]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\YSearchProtection]
C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"LightScribeService"=2 (0x2)
"gusvc"=3 (0x3)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\TC UP\\PLUGINS\\Media\\uTorrent\\utorrent.exe"=
"C:\\Program Files\\ICQ6\\ICQ.exe"=
"C:\\Program Files\\Magentic\\bin\\MgImp.exe"=
"C:\\Program Files\\Magentic\\bin\\Magentic.exe"=
"C:\\Program Files\\Magentic\\bin\\MgApp.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\TC UP\\TOTALCMD.EXE"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"512:TCP"= 512:TCP:KOMUNIKACIJA
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R1 VD_FileDisk;VD_FileDisk;C:\WINDOWS\system32\drivers\VD_FileDisk.sys [2006-01-13 14:00]
R2 pgAgent;PostgreSQL Scheduling Agent - pgAgent;C:\Program Files\PostgreSQL\8.1\bin\pgAgent RUN pgAgent hostaddr=127.0.0.1 dbname=postgres user=postgres []
R2 pgsql-8.1;PostgreSQL Database Server 8.1;"C:\Program Files\PostgreSQL\8.1\bin\pg_ctl.exe" runservice -N "pgsql-8.1" -D "C:\Program Files\PostgreSQL\8.1\data\" []
R2 U3SHLPDR;U3SHLPDR;C:\WINDOWS\System32\Drivers\U3SHLPDR.SYS [2007-10-21 10:41]
S3 FXDRV;FXDRV;D:\Fxdrv.sys []

.
Contents of the 'Scheduled Tasks' folder
"2008-04-07 13:00:38 C:\WINDOWS\Tasks\BackUp.job"
- D:\MARKO\Install_PoSo\BackUp\BackUp.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, gmer.net
Rootkit scan 2008-04-07 15:35:38
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\pgAgent]
"ImagePath"="C:\Program Files\PostgreSQL\8.1\bin\pgAgent RUN pgAgent hostaddr=127.0.0.1 dbname=postgres user=postgres"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\lsass.exe
-> C:\WINDOWS\system32\rqRJAsqR.dll
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Eset\nod32krn.exe
C:\Program Files\PostgreSQL\8.1\bin\pgAgent.exe
C:\Program Files\PostgreSQL\8.1\bin\pg_ctl.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\PostgreSQL\8.1\bin\postmaster.exe
C:\Program Files\PostgreSQL\8.1\bin\postgres.exe
C:\PROGRA~1\Magentic\bin\MgApp.exe
C:\Program Files\PostgreSQL\8.1\bin\postgres.exe
C:\Program Files\PostgreSQL\8.1\bin\postgres.exe
C:\Program Files\PostgreSQL\8.1\bin\postgres.exe
.
**************************************************************************
.
Completion time: 2008-04-07 15:38:29 - machine was rebooted
ComboFix-quarantined-files.txt 2008-04-07 13:38:25
ComboFix2.txt 2008-04-07 12:09:48
ComboFix3.txt 2008-04-01 11:46:54
Pre-Run: 26,134,724,608 bytes free
Post-Run: 26,124,050,432 bytes free
.
2008-01-09 15:38:09 --- E O F ---

offline
  • helen1  Male
  • Anti Malware Fighter
    Rank 2
  • Master učitelj
  • Pridružio: 27 Avg 2005
  • Poruke: 8488
  • Gde živiš: Novi Beograd

Otvoriti Notepad i iskopirati sledeci tekst:

File::
C:\WINDOWS\system32\RqsAJRqr.ini
C:\WINDOWS\system32\RqsAJRqr.ini2
C:\WINDOWS\system32\ntjwfxfc.ini
C:\WINDOWS\system32\neducssk.ini
C:\WINDOWS\system32\uyjtyxwg.ini
C:\WINDOWS\system32\rqRJAsqR.dll
C:\WINDOWS\system32\rqRJAsqR.dll

Folder::
C:\Documents and Settings\All Users\Application Data\Messenger Plus!
C:\Program Files\Ref support camp
C:\Program Files\Messenger Plus! Live
C:\Program Files\Circle Developement

Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Isoeggs]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Tok-Cirrhatus]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\two city internet heck]
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"=hex(7):6d,73,76,31,5f,30,00,00


Snimiti na Desktop fajl iz Notepada kao "CFScript"




Prevuci snimljeni skript/tekst na ComboFix ikonicu kao na slici.
Postaviti u sledecoj poruci log koji bude bio napravljen na kraju ciscenja/skeniranja.

offline
  • Pridružio: 07 Apr 2008
  • Poruke: 9

Cujemo se sutra posto sam morao da napustim firmu - ovaj problem mi je inace na sluzbenom racunaru. Ujutru saljem log. Hvala. POZDRAV!!!

Dopuna: 08 Apr 2008 13:16

Snimio sam fajl i prevukao ga u ComboFix. ComboFix je krenuo da se startuje i vrlo brzo se sve izgubilo. Racunar je pokazivao neku aktivnost, ali i nakon 3 sata rada nije dao nikakav rezultat. Restartovao sam racunar i pokusao ponovo i evo vec sat vremena ista stvar - ne vraca nista...

Koliko bi trebalo da traje ovo ciscenje i da li treba tako da se ponasa ComboFix?

offline
  • helen1  Male
  • Anti Malware Fighter
    Rank 2
  • Master učitelj
  • Pridružio: 27 Avg 2005
  • Poruke: 8488
  • Gde živiš: Novi Beograd

Ne bi trebao tako da se ponasa.Raspitacu se.Siguran si da si dobro uradio?Imenovao ga kao CFScript?

Ko je trenutno na forumu
 

Ukupno su 823 korisnika na forumu :: 57 registrovanih, 2 sakrivenih i 764 gosta   ::   [ Administrator ] [ Supermoderator ] [ Moderator ] :: Detaljnije

Najviše korisnika na forumu ikad bilo je 3466 - dana 01 Jun 2021 17:07

Korisnici koji su trenutno na forumu:
Korisnici trenutno na forumu: _Sale, A.R.Chafee.Jr., acatomic, alkatraz080, bojank, cavatina, cenejac111, comi_pfc, crnitrn, Denaya, Dežurni pod palubom, djboj, Djokkinen, flash12, Fog of War, goxin, hooraay, Insan, Jovan Nenad, Kibice, Korisnik038, krlebgd77, lukac, MarKhan, Marko Marković, Mercury, MIg, mikrimaus, milan.miscevic, MilosKop, Mirage 2000N, Misirac, moldway, mushroom, nemkea71, raskoljnikov, Recce, S2M, sabros, saputnik plavetnila, segax1, Sirius, Slingshot, Snorks, spektorsky, srecko81, Srki98, ssekir75, Tas011, Toni, vathra, vladas87, vlvl, vsn111, vukovi, zeljkodjokovic, zixmix