Posted: 14 Jan 2009 22:16
- snowbird
- Citizen
- Joined: 28 Nov 2004
- Posts: 46
- Location: Novi Sad
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 21:53:11, on 14.1.2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ATKKBService.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\SweetIM\Messenger\SweetIM.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Program Files\ASUS USB ADSL Modem\ASUS USB ADSL Modem\dslmon.exe
C:\Program Files\Gigabyte\Gigabyte WP01GS Wireless PCI Adapter SoftAP\Installer\WINXP\RaUI.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\PROGRA~1\ICQ\ICQ.exe
C:\WINDOWS\System32\svchost.exe
C:\Documents and Settings\User\Desktop\New Folder\TR3.exe.exe
C:\Documents and Settings\User\User.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = home.sweetim.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = home.sweetim.com
R3 - URLSearchHook: SweetIM ToolbarURLSearchHook Class - {EEE6C35D-6118-11DC-9C72-001320C79847} - C:\Program Files\SweetIM\Toolbars\Internet Explorer\mgHelper.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: SWEETIE - {EEE6C35C-6118-11DC-9C72-001320C79847} - C:\Program Files\SweetIM\Toolbars\Internet Explorer\mgToolbarIE.dll
O3 - Toolbar: SweetIM Toolbar for Internet Explorer - {EEE6C35B-6118-11DC-9C72-001320C79847} - C:\Program Files\SweetIM\Toolbars\Internet Explorer\mgToolbarIE.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [Mirabilis ICQ] C:\PROGRA~1\ICQ\ICQNet.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [SweetIM] C:\Program Files\SweetIM\Messenger\SweetIM.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKCU\..\Run: [User] C:\Documents and Settings\User\User.exe /i
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: Registration Heroes of Might & Magic 5.LNK = D:\igre\Ubisoft\Heroes of Might and Magic V\registration\RegistrationReminder.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: DSLMON.lnk = ?
O4 - Global Startup: GN-WP01GS Utility.lnk = C:\Program Files\Gigabyte\Gigabyte WP01GS Wireless PCI Adapter SoftAP\Installer\WINXP\RaUI.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: ICQ Pro - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{C135F165-8E06-4A30-9B6F-D6F3C4952862}: NameServer = 212.62.32.1 212.62.32.5
O17 - HKLM\System\CCS\Services\Tcpip\..\{DD49135B-E59B-4CAB-91E9-C57BD8892E7C}: NameServer = 172.16.4.1
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: ATK Keyboard Service (ATKKeyboardService) - ASUSTeK COMPUTER INC. - C:\WINDOWS\ATKKBService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
--
End of file - 6229 bytes
NOD32 detected a trojan, but I don't think it removed it; the cursor shows as if the computer is doing something (hourglass). Sorry for this kind of description, but I'm not very skilled with this... and after a restart it's the same story.
NOD shows the following:
Time Module Object Name Threat Action User Information
14.1.2009 19:26:40 AMON file C:\DOCUME~1\User\LOCALS~1\Temp\BN3AB.tmp Win32/Wigon.IH trojan quarantined - deleted USER-180FEE893F\User Event occurred on a file modified by the application: C:\WINDOWS\Explorer.EXE. The file was moved to quarantine. You may close this window.
Time Module Object Name Threat Action User Information
14.1.2009 20:05:15 AMON file C:\DOCUME~1\User\LOCALS~1\Temp\BN524.tmp Win32/Wigon.IH trojan quarantined - deleted USER-180FEE893F\User Event occurred on a file modified by the application: C:\WINDOWS\Explorer.EXE. The file was moved to quarantine. You may close this window.
For the past week I've been using ADSL internet, and I use Mozilla Firefox.
Please tell me what this is about and how I can solve this problem.
Thanks in advance!
Posted: 15 Jan 2009 17:38
- snowbird
- Citizen
- Joined: 28 Nov 2004
- Posts: 46
- Location: Novi Sad
ComboFix 09-01-13.04 - User 2009-01-15 17:04:46.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.511.204 [GMT 1:00]
Running from: C:\Documents and Settings\User\Desktop\ComboFix.exe
AV: ESET NOD32 antivirus system 2.70 *On-access scanning disabled* (Outdated)
* Created a new restore point
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Documents and Settings\User\User.exe
C:\Program Files\INSTALL.LOG
.
((((((((((((((((((((((((( Files Created from 2008-12-15 to 2009-01-15 )))))))))))))))))))))))))))))))
.
2009-01-14 22:21 . 2009-01-14 22:21 <DIR> d-------- C:\Program Files\Lavasoft
2009-01-14 22:21 . 2009-01-14 22:22 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2009-01-14 21:33 . 2009-01-14 21:33 <DIR> d-------- C:\Program Files\Trend Micro
2009-01-10 14:18 . 2009-01-10 14:57 <DIR> d-------- C:\Program Files\Yahoo! Games
2009-01-10 14:18 . 2009-01-10 14:18 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Trymedia
2009-01-09 17:08 . 2009-01-09 17:08 <DIR> d-------- C:\Program Files\ASUS USB ADSL Modem
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-14 21:47 --------- d-----w C:\Program Files\ICQ
2009-01-14 21:20 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2009-01-09 16:14 26 ----a-w C:\WINDOWS\system32\drivers\adidsl.cfg
2009-01-09 16:08 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-12-28 18:28 --------- d-----w C:\Documents and Settings\User\Application Data\Skype
2008-11-24 19:04 --------- d-----w C:\Program Files\Common Files\DirectX
2008-12-20 12:37 67,688 ----a-w C:\Program Files\mozilla firefox\components\jar50.dll
2008-12-20 12:37 54,368 ----a-w C:\Program Files\mozilla firefox\components\jsd3250.dll
2008-12-20 12:37 34,944 ----a-w C:\Program Files\mozilla firefox\components\myspell.dll
2008-12-20 12:37 46,712 ----a-w C:\Program Files\mozilla firefox\components\spellchk.dll
2008-12-20 12:37 172,136 ----a-w C:\Program Files\mozilla firefox\components\xpinstal.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 02:07 15360]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2006-11-16 18:04 139264]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-08-04 00:06 1667584]
"DAEMON Tools"="C:\Program Files\DAEMON Tools\daemon.exe" [2007-08-29 16:09 171464]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2004-09-04 00:15 4554752]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2004-09-04 00:15 86016]
"NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 14:40 155648]
"nod32kui"="C:\Program Files\Eset\nod32kui.exe" [2007-10-17 10:55 949376]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 18:51 39792]
"ISUSPM Startup"="C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe" [2004-08-09 06:03 221184]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2004-08-09 06:03 81920]
"SoundMan"="SOUNDMAN.EXE" [2004-11-15 11:20 77824 C:\WINDOWS\SOUNDMAN.EXE]
"nwiz"="nwiz.exe" [2004-09-04 00:15 921600 C:\WINDOWS\system32\nwiz.exe]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 02:07 15360]
C:\Documents and Settings\User\Start Menu\Programs\Startup\
Registration Heroes of Might & Magic 5.LNK - D:\igre\Ubisoft\Heroes of Might and Magic V\registration\RegistrationReminder.exe [2008-12-27 18:16:39 868352]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2007-10-27 15:03:21 113664]
DSLMON.lnk - C:\Program Files\ASUS USB ADSL Modem\ASUS USB ADSL Modem\dslmon.exe [2009-01-09 17:08:08 929889]
GN-WP01GS Utility.lnk - C:\Program Files\Gigabyte\Gigabyte WP01GS Wireless PCI Adapter SoftAP\Installer\WINXP\RaUI.exe [2008-08-24 13:07:31 720896]
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\WINDOWS\\system32\\usmt\\migwiz.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\MSN Messenger\\livecall.exe"=
"C:\\Program Files\\mIRC\\mirc.exe"=
"D:\\igre\\Ubisoft\\THE SETTLERS - Rise of an Empire\\base\\bin\\Settlers6.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=
"C:\\WINDOWS\\SOUNDMAN.EXE"=
"C:\\WINDOWS\\system32\\userinit.exe"=
"C:\\Program Files\\ESET\\nod32kui.exe"=
R1 nod32drv;nod32drv;C:\WINDOWS\system32\drivers\nod32drv.sys [2007-10-17 10:55:30 15424]
S3 Rdpidesvsins;Rdpidesvsins; [x]
S3 usnjsvc;Messenger Sharing Folders USN Journal Reader service;C:\Program Files\MSN Messenger\usnsvc.exe [2007-01-19 11:54:14 97136]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{64651f29-7c94-11dc-a430-806d6172696f}]
\Shell\AutoRun\command - E:\ASUSACPI.exe
.
- - - - ORPHANS REMOVED - - - -
HKCU-Run-User - C:\Documents and Settings\User\User.exe
.
------- Supplementary Scan -------
.
uStart Page = hxxp://home.sweetim.com/
mStart Page = hxxp://home.sweetim.com
IE: E&xport to Microsoft Excel - C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
LSP: C:\WINDOWS\system32\imon.dll
TCP: {C135F165-8E06-4A30-9B6F-D6F3C4952862} = 212.62.32.1 212.62.32.5
TCP: {DD49135B-E59B-4CAB-91E9-C57BD8892E7C} = 172.16.4.1
FF - ProfilePath - C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\p42kp5ss.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.sweetim.com/search.asp?src=2&q=
FF - prefs.js: browser.search.selectedEngine - SweetIM Search
FF - prefs.js: browser.startup.homepage - hxxp://www.ptt.rs/servis/
FF - prefs.js: keyword.URL - hxxp://search.sweetim.com/search.asp?src=2&q=
FF - component: C:\Program Files\Mozilla Firefox\components\xpinstal.dll
.
I hope I did it right. The only thing is that after reconnecting, after this log, NOD came on again and detected the trojan again... so do I have to do everything all over again?
Addendum: 15 Jan 2009 17:38
And just to add that after this there is no more "hourglass" showing that the computer is doing something...
Posted: 15 Jan 2009 22:21
- snowbird
- Citizen
- Joined: 28 Nov 2004
- Posts: 46
- Location: Novi Sad
ComboFix 09-01-13.04 - User 2009-01-15 21:57:36.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.511.197 [GMT 1:00]
Running from: c:\documents and settings\User\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\User\Desktop\CFScript.txt.txt
AV: ESET NOD32 antivirus system 2.70 *On-access scanning disabled* (Updated)
* Created a new restore point
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
---- Previous Run -------
.
c:\documents and settings\User\User.exe
c:\program files\INSTALL.LOG
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Service_Rdpidesvsins
((((((((((((((((((((((((( Files Created from 2008-12-15 to 2009-01-15 )))))))))))))))))))))))))))))))
.
2009-01-14 22:21 . 2009-01-14 22:21 <DIR> d-------- c:\program files\Lavasoft
2009-01-14 22:21 . 2009-01-14 22:22 <DIR> d-------- c:\documents and settings\All Users\Application Data\Lavasoft
2009-01-14 21:33 . 2009-01-14 21:33 <DIR> d-------- c:\program files\Trend Micro
2009-01-10 14:18 . 2009-01-10 14:57 <DIR> d-------- c:\program files\Yahoo! Games
2009-01-10 14:18 . 2009-01-10 14:18 <DIR> d-------- c:\documents and settings\All Users\Application Data\Trymedia
2009-01-09 17:08 . 2009-01-09 17:08 <DIR> d-------- c:\program files\ASUS USB ADSL Modem
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-15 20:47 --------- d-----w c:\documents and settings\User\Application Data\Skype
2009-01-14 21:47 --------- d-----w c:\program files\ICQ
2009-01-14 21:20 --------- d-----w c:\program files\Common Files\Wise Installation Wizard
2009-01-09 16:14 26 ----a-w c:\windows\system32\drivers\adidsl.cfg
2009-01-09 16:08 --------- d--h--w c:\program files\InstallShield Installation Information
2008-11-24 19:04 --------- d-----w c:\program files\Common Files\DirectX
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2006-11-16 139264]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-08-04 1667584]
"DAEMON Tools"="c:\program files\DAEMON Tools\daemon.exe" [2007-08-29 171464]
"User"="c:\documents and settings\User\User.exe" [BU]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2004-09-04 4554752]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2004-09-04 86016]
"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 155648]
"nod32kui"="c:\program files\Eset\nod32kui.exe" [2007-10-17 949376]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 39792]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe" [2004-08-09 221184]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-08-09 81920]
"SoundMan"="SOUNDMAN.EXE" [2004-11-15 c:\windows\SOUNDMAN.EXE]
"nwiz"="nwiz.exe" [2004-09-04 c:\windows\system32\nwiz.exe]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-04 15360]
c:\documents and settings\User\Start Menu\Programs\Startup\
Registration Heroes of Might & Magic 5.LNK - d:\igre\Ubisoft\Heroes of Might and Magic V\registration\RegistrationReminder.exe [2008-12-27 868352]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2007-10-27 113664]
DSLMON.lnk - c:\program files\ASUS USB ADSL Modem\ASUS USB ADSL Modem\dslmon.exe [2009-01-09 929889]
GN-WP01GS Utility.lnk - c:\program files\Gigabyte\Gigabyte WP01GS Wireless PCI Adapter SoftAP\Installer\WINXP\RaUI.exe [2008-08-24 720896]
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\usmt\\migwiz.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=
"c:\\Program Files\\mIRC\\mirc.exe"=
"d:\\igre\\Ubisoft\\THE SETTLERS - Rise of an Empire\\base\\bin\\Settlers6.exe"=
"c:\\WINDOWS\\SOUNDMAN.EXE"=
"c:\\WINDOWS\\system32\\userinit.exe"=
"c:\\Program Files\\ESET\\nod32kui.exe"=
R1 nod32drv;nod32drv;c:\windows\system32\drivers\nod32drv.sys [2007-10-17 15424]
S3 usnjsvc;Messenger Sharing Folders USN Journal Reader service;c:\program files\MSN Messenger\usnsvc.exe [2007-01-19 97136]
S4 ksi32sk;ksi32sk;c:\windows\system32\drivers\ksi32sk.sys [2009-01-09 22016]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{64651f29-7c94-11dc-a430-806d6172696f}]
\Shell\AutoRun\command - E:\ASUSACPI.exe
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
mStart Page = hxxp://home.sweetim.com
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
LSP: c:\windows\system32\imon.dll
TCP: {C135F165-8E06-4A30-9B6F-D6F3C4952862} = 212.62.32.1 212.62.32.5
TCP: {DD49135B-E59B-4CAB-91E9-C57BD8892E7C} = 172.16.4.1
FF - ProfilePath - c:\documents and settings\User\Application Data\Mozilla\Firefox\Profiles\p42kp5ss.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.sweetim.com/search.asp?src=2&q=
FF - prefs.js: browser.search.selectedEngine - SweetIM Search
FF - prefs.js: browser.startup.homepage - hxxp://www.ptt.rs/servis/
FF - prefs.js: keyword.URL - hxxp://search.sweetim.com/search.asp?src=2&q=
.
**************************************************************************
catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, gmer.net
Rootkit scan 2009-01-15 22:00:03
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'lsass.exe'(840)
c:\windows\system32\imon.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Lavasoft\Ad-Aware\aawservice.exe
c:\windows\ATKKBService.exe
c:\program files\ESET\nod32krn.exe
c:\windows\system32\nvsvc32.exe
c:\program files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
c:\windows\system32\rundll32.exe
.
**************************************************************************
.
Completion time: 2009-01-15 22:01:49 - machine was rebooted [User]
ComboFix-quarantined-files.txt 2009-01-15 21:01:46
Pre-Run: 9,087,787,008 bytes free
Post-Run: 9,034,678,272 bytes free
129
Just when I had done everything and opened this page to paste this log, the trojan was detected again...
Addendum: 15 Jan 2009 22:19
Time Module Object Name Threat Action User Information
15.1.2009 21:51:53 AMON file C:\WINDOWS\system32\drivers\ksi32sk.sys Win32/Wigon.HZ trojan NT AUTHORITY\SYSTEM Event occurred when attempting to access the file.
Addendum: 15 Jan 2009 22:21
Uh... well, there was one more...
Time Module Object Name Threat Action User Information
15.1.2009 22:04:04 AMON file C:\WINDOWS\TEMP\BN78.tmp Win32/Wigon.IH trojan quarantined - deleted NT AUTHORITY\SYSTEM Event occurred on a file modified by the application: C:\WINDOWS\system32\services.exe. The file was moved to quarantine. You may close this window.
Posted: 15 Jan 2009 22:33
- dr_Bora
- Anti Malware Fighter Rank 2
- Joined: 24 Jul 2007
- Posts: 12280
- Location: Höganäs, SE
Download gmer.zip from this link and save it to the Desktop.
Unpack it into a folder.
Double-click gmer.exe to start: select the Rootkit/Malware tab at the top.
Click Scan.
When the scan is finished, click the Copy button below; this will save the scan results to the Clipboard.
Use the Paste option in Notepad to put it into a text file. Save that text from Notepad as file1.txt.
Repeat the same with the Autostart tab. Save that text from Notepad as file2.txt.
Use the Attach file option below the message box on the forum, and attach the two files we just saved here for us.
Posted: 15 Jan 2009 22:52
- snowbird
- Citizen
- Joined: 28 Nov 2004
- Posts: 46
- Location: Novi Sad
I don't know if it matters, but I have to report again that during this scan too NOD detected the trojan several times...
Time Module Object Name Threat Action User Information
15.1.2009 22:35:47 AMON file C:\WINDOWS\system32\drivers\ksi32sk.sys Win32/Wigon.HZ trojan quarantined - deleted USER-180FEE893F\User Event occurred at an attempt to access the file by the application: C:\Documents and Settings\User\Desktop\New Folder (2)\gmer.exe.
15.1.2009 22:35:11 AMON file C:\WINDOWS\system32\drivers\ksi32sk.sys Win32/Wigon.HZ trojan quarantined USER-180FEE893F\User Event occurred at an attempt to access the file by the application: C:\Documents and Settings\User\Desktop\New Folder (2)\gmer.exe.
15.1.2009 22:34:24 AMON file C:\WINDOWS\system32\drivers\ksi32sk.sys Win32/Wigon.HZ trojan quarantined USER-180FEE893F\User Event occurred at an attempt to access the file by the application: C:\Documents and Settings\User\Desktop\New Folder (2)\gmer.exe.
Posted: 16 Jan 2009 13:22
- dr_Bora
- Anti Malware Fighter Rank 2
- Joined: 24 Jul 2007
- Posts: 12280
- Location: Höganäs, SE
Still no problems/detections?