Worm.love (and we're not exactly in love...)


  • Joined: 23 Jan 2009
  • Posts: 8

Hello.

About 2-3 weeks ago I used this kind of help from you for the first time and it turned out there were no problems, i.e. I managed to clean the computer of a keylogger. However, today a worm with part of the word "love" in its name showed up. Ad-Aware detected it, and every time it cleans it and I restart the computer it appears again. Spybot doesn't register it, and neither does Avast. Also, in the additional text that Ad-Aware outputs it says that it copies itself to several places in the system and replicates on its own (which I assume is more than well known to you, but it doesn't hurt to mention it).

Anyway, since the previous keylogger gave me problems, I thought I'd better sort this out right away, if you can help me.

Thanks in advance.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 17:56:04, on 11.2.2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\User\Desktop\Sugavi\TH1.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = windowsupdate.microsoft.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll (file missing)
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [HijackThis startup scan] C:\Program Files\Trend Micro\HijackThis\HijackThis.exe /startupscan
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll (file missing)
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll (file missing)
O16 - DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} (System Requirements Lab) - nvidia.com/content/DriverDownload/srl/3.0.0.0/srl_bin/sysreqlab3.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - update.microsoft.com/windowsupdate/v6/V.....6962230067
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Sandra Data Service (SandraDataSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Professional 2005\RpcDataSrv.exe
O23 - Service: Sandra Service (SandraTheSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Professional 2005\RpcSandraSrv.exe

--
End of file - 4842 bytes

  • diarno
  • Anti Malware Fighter
    Rank 2
  • Joined: 15 Jun 2007
  • Posts: 5572

Give me the file name and location of the worm that Ad-Aware is detecting...

  • Joined: 23 Jan 2009
  • Posts: 8

I'll send it in a few minutes, just let Ad-Aware finish a scan so I can check (so I'm not guessing; I think it's c/.../shell32 or something similar)...

Sending shortly.

Cheers

Update: 11 Feb 2009 18:30

Erm, now it didn't show up.

The first time it found it, I deleted it and restarted the computer. Afterwards it found it again and I went for quarantine... I can see it there ("Win32WormLovGate"), but Ad-Aware doesn't see it now, i.e. doesn't detect it...

Sorry if these are stupid questions, but if I knew how to do it myself I wouldn't be holding you up.

  • diarno
  • Anti Malware Fighter
    Rank 2
  • Joined: 15 Jun 2007
  • Posts: 5572

I asked you for the location because recently (yesterday) someone on the Lavasoft forum reported a similar detection and they told him it was an FP, a false positive detection...

Maybe the FP has been fixed by now via an update... Otherwise the log is clean... If it shows up again, let me know the location and name of the file that was detected.. Cheers

  • Joined: 23 Jan 2009
  • Posts: 8

Thanks for the quick reply.

Thumbs up, guys, for what you do, well done.

Regards

Korisnici trenutno na forumu: A.R.Chafee.Jr., akrep, aleksmajstor, alzir86, babaroga, black venom, Brada i Gibanica, branko7, brundo65, Chainsaw, chichabg, darkangel, Drug pukovnik, Frunze, Georgius, helen1, I AM THE KING, Ivica1102, Joja, Komentator, konstruktor, krkalon, krlebgd77, Kruger, KUZMAR, loon123, lord sir giga, milan47, mile23, misa1xx, misa2, mustangkg, Nixon, NoOneEver Dreams, operniki, PEGIN, pein, pvoman, Recce, ruseskij, Shufle, Skywhaler, slonic_tonic, Srle993, stagezin, stegonosa, Toper, trundle, uruk, vathra, Vlad000, Vlada1389, Vlajman1957, voja64, W123, Wisdomseeker, z.milosh, zillbg, Zimbabwe