a variant of Win32/Conficker.Gen worm

a variant of Win32/Conficker.Gen worm

offline
  • Pridružio: 06 Jan 2006
  • Poruke: 64

Pozdrav sjajnoj ekipi iz Ambulante!
Imam problem sa ovom malom napasti. Nod32 mi već neko vreme izbacuje obaveštenje o njemu. Juče i prekjuče po jedno, a danas tri.
Evo spisak logova:
24.7.2009 18:00:35 AMON file C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\OXEZWPI3\dkzt[1].jpg a variant of Win32/Conficker.Gen worm quarantined - deleted NT AUTHORITY\SYSTEM Event occurred on a new file created by the application: C:\WINDOWS\System32\svchost.exe. The file was moved to quarantine. You may close this window.

Citat:Time Module Object Name Threat Action User Information
24.7.2009 18:00:35 AMON file C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\OXEZWPI3\dkzt[1].jpg a variant of Win32/Conficker.Gen worm quarantined - deleted NT AUTHORITY\SYSTEM Event occurred on a new file created by the application: C:\WINDOWS\System32\svchost.exe. The file was moved to quarantine. You may close this window.
24.7.2009 18:00:27 AMON file C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\OXEZWPI3\dkzt[1].jpg a variant of Win32/Conficker.Gen worm deleted NT AUTHORITY\SYSTEM Event occurred at an attempt to access the file by the application: C:\WINDOWS\System32\svchost.exe.
24.7.2009 18:00:21 IMON file http://10.80.100.110:5590/dkzt a variant of Win32/Conficker.AA worm NT AUTHORITY\SYSTEM
24.7.2009 15:15:38 AMON file C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\OXEZWPI3\coxk[1].png a variant of Win32/Conficker.Gen worm quarantined - deleted NT AUTHORITY\SYSTEM Event occurred on a new file created by the application: C:\WINDOWS\System32\svchost.exe. The file was moved to quarantine. You may close this window.
24.7.2009 15:15:38 AMON file C:\WINDOWS\system32\x a variant of Win32/Conficker.Gen worm quarantined - deleted NT AUTHORITY\SYSTEM Event occurred on a new file created by the application: C:\WINDOWS\System32\svchost.exe. The file was moved to quarantine. You may close this window.
24.7.2009 15:15:22 IMON file http://10.80.100.120:9899/coxk a variant of Win32/Conficker.AA worm NT AUTHORITY\SYSTEM
24.7.2009 12:18:03 AMON file C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\OXEZWPI3\coxk[1].bmp a variant of Win32/Conficker.Gen worm quarantined - deleted NT AUTHORITY\SYSTEM Event occurred on a new file created by the application: C:\WINDOWS\System32\svchost.exe. The file was moved to quarantine. You may close this window.
24.7.2009 12:17:52 AMON file C:\WINDOWS\system32\x a variant of Win32/Conficker.Gen worm quarantined - deleted NT AUTHORITY\SYSTEM Event occurred on a new file created by the application: C:\WINDOWS\System32\svchost.exe. The file was moved to quarantine. You may close this window.
24.7.2009 12:17:34 IMON file http://10.80.100.120:9899/coxk a variant of Win32/Conficker.AA worm NT AUTHORITY\SYSTEM
23.7.2009 17:26:14 AMON file C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\OXEZWPI3\zhoeixkh[1].png a variant of Win32/Conficker.Gen worm quarantined - deleted NT AUTHORITY\SYSTEM Event occurred on a new file created by the application: C:\WINDOWS\System32\svchost.exe. The file was moved to quarantine. You may close this window.
23.7.2009 17:25:49 AMON file C:\WINDOWS\system32\x a variant of Win32/Conficker.Gen worm quarantined - deleted NT AUTHORITY\SYSTEM Event occurred on a new file created by the application: C:\WINDOWS\System32\svchost.exe. The file was moved to quarantine. You may close this window.
23.7.2009 17:24:27 IMON file http://10.80.100.110:5590/zhoeixkh a variant of Win32/Conficker.AA worm NT AUTHORITY\SYSTEM
22.7.2009 20:36:45 AMON file C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\OXEZWPI3\hujsacp[1].png a variant of Win32/Conficker.Gen worm quarantined - deleted NT AUTHORITY\SYSTEM Event occurred on a new file created by the application: C:\WINDOWS\System32\svchost.exe. The file was moved to quarantine. You may close this window.
22.7.2009 20:35:21 AMON file C:\WINDOWS\system32\x a variant of Win32/Conficker.Gen worm quarantined - deleted NT AUTHORITY\SYSTEM Event occurred on a new file created by the application: C:\WINDOWS\System32\svchost.exe. The file was moved to quarantine. You may close this window.
22.7.2009 20:35:00 IMON file http://10.80.100.110:5590/hujsacp a variant of Win32/Conficker.AA worm NT AUTHORITY\SYSTEM
19.7.2009 19:27:05 AMON file F:\Autorun.inf INF/Autorun virus deleted NT AUTHORITY\SYSTEM Event occurred at an attempt to access the file by the application: C:\WINDOWS\System32\svchost.exe.



I HijackThis po upustvu iz izdvojene teme


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 18:03:57, on 24.7.2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\ana\Desktop\New Folder\trr4.exe.exe

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: SnagIt Toolbar Loader - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Program Files\TechSmith\SnagIt 8\SnagItBHO.dll
O2 - BHO: HP Print Enhancer - {0347C33E-8762-4905-BF09-768834316C61} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_printenhancer.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: ZoneAlarm Spy Blocker BHO - {F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL
O2 - BHO: HP Smart BHO Class - {FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\SnagIt 8\SnagItIEAddin.dll
O3 - Toolbar: ZoneAlarm Spy Blocker - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\ana\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: HP Smart Select - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - download.bitdefender.com/resources/scanner/sources/en/scan8/oscan8.cab
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Check Point Software Technologies LTD - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 5415 bytes



Hvala unapred!

offline
  • dr_Bora  Male
  • Anti Malware Fighter
    Rank 2
  • Pridružio: 24 Jul 2007
  • Poruke: 12280
  • Gde živiš: Höganäs, SE

Pozdrav...




Arrow Preuzmi program RootRepeal na Desktop.

Raspakuj RootRepeal.zip u neki folder.
Dvoklikom pokreni RootRepeal.exe.
Pređi na Report karticu (klikom na Report taster, dole, desno).
Klikni Scan taster.
U prozoru koji se otvori (Select Scan), obeleži kućice ispred svih stavki i klikni OK.
U narednom prozoru (Select Drives) obeleži kućicu ispred sistemskog diska (obično C:\) i klikni OK.
Po završetku procesa, klikni Save Report i sačuvaj izveštaj o skeniranju.


Priloži izveštaj uz poruku korišćenjem opcije Prikači fajl.

offline
  • Pridružio: 06 Jan 2006
  • Poruke: 64

Hvala dr Bora na brzom odgovoru.
Raport sam prikačila.
mycity.rs/must-login.png

offline
  • dr_Bora  Male
  • Anti Malware Fighter
    Rank 2
  • Pridružio: 24 Jul 2007
  • Poruke: 12280
  • Gde živiš: Höganäs, SE

Vlo je moguće da se ovde ne radi o malware-u koji je na kompjuteru već o malware-u koji pokušava da uđe u njega (Conficker je mrežni crv).


Za početak instaliraj ovaj patch:

http://www.microsoft.com/downloads/details.aspx?fa.....laylang=en



Nakon toga odradi i sledeće...



Arrow Preuzmi sUBs-ov ComboFix sa sledeće adrese na Desktop:


Bleeping Computer
Klikni desnim tasterom na link i odaberi opciju Save Target As... (Save Link As..., Save Linked Content As... ili sličnu);
Kada se otvori dijalog za izbor lokacije na kojoj treba sačuvati file, odaberi Desktop i klikni Save.




Kada preuzimanje programa bude završeno:
zatvori pokrenute programe;
deaktiviraj zaštitni softver (uputstvo);
dvoklikom pokreni program ComboFix.

U toku rada, ComboFix će:proveriti postoji li novija verzija programa:
klikni Yes ako bude ponuđeno preuzimanje iste.
prikazati DISCLAIMER OF WARRANTY ON SOFTWARE:
klikni Yes kako bi proces bio nastavljen.
ako Recovery Console nije instalirana, ponuditi instalaciju:
prihvati klikom na Yes i isprati postupak.
postaviti/dati određeni broj upita/obaveštenja:
prihvati klikom na Yes ili OK.
po potrebi, restartovati Windows (više puta);
na kraju rada, otvoriti Notepad sa izveštajem o skeniranju.


Iskopiraj izveštaj koji je ComboFix napravio u temu na forumu:
klikni desnim tasterom miša u prozor Notepad-a i izaberi Select All;
klikni desnim tasterom miša na obeleženi tekst i izaberi Copy;
klikni desnim tasterom miša u polje za pisanje poruke i izaberi Paste.


Napomena:Izveštaj će biti sačuvan pod nazivom ComboFix.txt na sistemskoj particiji (tipična lokacija: C:\ComboFix.txt);
Ukoliko nakon slanja poruke primetiš da izveštaj nije kompletan, iskoristi opciju Prikači fajl za prilaganje file-a C:\ComboFix.txt uz poruku.

offline
  • Pridružio: 06 Jan 2006
  • Poruke: 64

Hvala Dr Bora!
Imam pitanje u vezi tog da je "mrežni". Ja nisam ni sa kim umrežena, jedino ako je to moguće preko internet veze nekako, ja imam wireless?

Evo izveštaja Combofix-a.
ComboFix 09-07-23.04 - ana 24.07.2009 22:56.1.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.255.87 [GMT 2:00]
Running from: c:\documents and settings\ana\Desktop\ComboFix.exe
AV: ESET NOD32 antivirus system 2.70 *On-access scanning disabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
FW: Outpost Firewall Pro *disabled* {8A20CA2A-9E02-4A64-923B-0A38208EB7FD}
FW: ZoneAlarm Firewall *enabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}
.

((((((((((((((((((((((((( Files Created from 2009-06-24 to 2009-07-24 )))))))))))))))))))))))))))))))
.

2009-07-24 13:56 . 2008-06-13 13:10 272128 -c----w- c:\windows\system32\dllcache\bthport.sys
2009-07-24 13:56 . 2008-06-13 13:10 272128 ------w- c:\windows\system32\drivers\bthport.sys
2009-07-17 20:39 . 2009-07-17 20:52 -------- d-----w- c:\documents and settings\ana\Local Settings\Application Data\Temp
2009-07-14 11:56 . 2009-07-14 11:56 -------- d-----w- c:\documents and settings\ana\.thumbnails
2009-07-14 11:54 . 2009-07-14 16:13 -------- d-----w- c:\documents and settings\ana\.gimp-2.6
2009-07-14 11:54 . 2009-07-14 11:54 -------- d-----w- c:\documents and settings\ana\.gegl-0.0
2009-07-14 11:53 . 2009-07-14 11:53 -------- d-----w- c:\program files\GIMP-2.0

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-07-23 15:27 . 2007-05-23 15:07 -------- d-----w- c:\program files\CCleaner
2009-07-22 19:10 . 2009-03-26 23:50 -------- d-----w- c:\documents and settings\ana\Application Data\HPAppData
2009-07-19 20:36 . 2007-07-16 15:59 -------- d-----w- c:\documents and settings\ana\Application Data\foobar2000
2009-07-18 00:11 . 2009-07-18 08:18 3608064 ----a-w- c:\windows\Internet Logs\xDBF.tmp
2009-07-15 08:28 . 2007-10-16 07:31 18131284 ----a-w- c:\windows\Internet Logs\tvDebug.zip
2009-07-14 16:13 . 2007-05-09 20:16 -------- d-----w- c:\documents and settings\ana\Application Data\gtk-2.0
2009-07-12 16:19 . 2008-04-22 22:13 -------- d-----w- c:\documents and settings\ana\Application Data\Any Video Converter
2009-06-13 01:54 . 2009-06-13 09:17 2637824 ----a-w- c:\windows\Internet Logs\xDBE.tmp
2009-06-10 19:50 . 2007-04-26 08:15 77432 ----a-w- c:\documents and settings\ana\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-05-27 17:18 . 2009-05-27 17:18 -------- d-----w- c:\program files\AskBarDis
2009-05-27 17:13 . 2007-05-25 13:03 4212 ---ha-w- c:\windows\system32\zllictbl.dat
2009-05-19 12:22 . 2009-05-19 12:22 390664 ----a-w- c:\documents and settings\ana\Application Data\Real\RealPlayer\Update\RealPlayer11.exe
2007-03-20 21:47 . 2007-07-10 01:38 1748224 ----a-w- c:\program files\Foxit PDF Reader v2.0 Build 1516.exe
2005-08-26 11:38 . 2007-07-13 19:26 933888 ----a-w- c:\program files\FontViewer.exe
2009-07-19 09:18 . 2008-06-17 19:50 137208 ----a-w- c:\program files\mozilla firefox\components\brwsrcmp.dll
2007-08-21 05:04 . 2007-04-28 18:47 56 --sh--r- c:\windows\system32\BEAC641D62.sys
2007-11-13 21:03 . 2007-04-28 18:43 3350 --sha-w- c:\windows\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-03 15360]
"Google Update"="c:\documents and settings\ana\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2009-02-04 133104]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2004-04-23 3756032]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2004-04-23 46080]
"nod32kui"="c:\program files\Eset\nod32kui.exe" [2007-04-26 949376]
"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-08-11 249856]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-08-11 81920]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-03-28 413696]
"ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2009-02-15 981384]
"SoundMan"="SOUNDMAN.EXE" - c:\windows\SOUNDMAN.EXE [2004-06-18 67584]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2004-04-23 831488]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^ana^Start Menu^Programs^Startup^Last.fm Helper.lnk]
path=c:\documents and settings\ana\Start Menu\Programs\Startup\Last.fm Helper.lnk
backup=c:\windows\pss\Last.fm Helper.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=

R1 nod32drv;nod32drv;c:\windows\system32\drivers\nod32drv.sys [26.4.2007 21:23 15424]
S3 usnjsvc;Messenger Sharing Folders USN Journal Reader service;c:\program files\Windows Live\Messenger\usnsvc.exe [18.10.2007 12:31 98328]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder

2009-07-18 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 15:57]

2009-07-20 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-776561741-1993962763-1417001333-1003Core.job
- c:\documents and settings\ana\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-02-04 18:23]

2009-07-24 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-776561741-1993962763-1417001333-1003UA.job
- c:\documents and settings\ana\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-02-04 18:23]
.
- - - - ORPHANS REMOVED - - - -

WebBrowser-{8FF5E180-ABDE-46EB-B09E-D2AAB95CABE3} - (no file)
Notify-WgaLogon - (no file)


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
LSP: c:\windows\system32\imon.dll
FF - ProfilePath - c:\documents and settings\ana\Application Data\Mozilla\Firefox\Profiles\8lmmhfsa.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/intl/sr/
FF - plugin: c:\documents and settings\ana\Local Settings\Application Data\Google\Update\1.2.183.7\npGoogleOneClick8.dll
FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npmozax.dll

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.enforce_same_site_origin", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.cache_size", 51200);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.ogg.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.wave.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.autoplay.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.urlbar.autocomplete.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.mailnews.*.wholeText", "noAccess");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.storage.default_quota", 5120);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("content.sink.event_probe_rate", 3);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.http.prompt-temp-redirect", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("layout.css.dpi", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("layout.css.devPixelsPerPx", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("gestures.enable_single_finger_input", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.max_chrome_script_run_time", 0);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.tcp.sendbuffer", 131072);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("geo.enabled", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.remember_cert_checkbox_default_setting", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr", "moz35");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-cjkt", "moz35");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.blocklist.level", 2);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.urlbar.restrict.typed", "~");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.urlbar.default.behavior", 0);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.history", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.formdata", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.passwords", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.downloads", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cookies", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cache", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.sessions", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.offlineApps", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.siteSettings", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.history", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.formdata", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.passwords", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.downloads", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.cookies", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.cache", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.sessions", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.offlineApps", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.siteSettings", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.sanitize.migrateFx3Prefs", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.ssl_override_behavior", 2);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("security.alternate_certificate_error_page", "certerror");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.autostart", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.dont_prompt_on_enter", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("geo.wifi.uri", "https://www.google.com/loc/json");
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, gmer.net
Rootkit scan 2009-07-24 23:02
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'lsass.exe'(776)
c:\windows\system32\imon.dll

- - - - - - - > 'explorer.exe'(3908-)
c:\program files\Common Files\Microsoft Shared\OFFICE11\MSOXEV.DLL
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2009-07-24 23:08
ComboFix-quarantined-files.txt 2009-07-24 21:08

Pre-Run: 25.048.707.072 bytes free
Post-Run: 25.034.227.712 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

175 --- E O F --- 2009-07-24 14:06

offline
  • dr_Bora  Male
  • Anti Malware Fighter
    Rank 2
  • Pridružio: 24 Jul 2007
  • Poruke: 12280
  • Gde živiš: Höganäs, SE

Citat:Imam pitanje u vezi tog da je "mrežni". Ja nisam ni sa kim umrežena, jedino ako je to moguće preko internet veze nekako, ja imam wireless?

Jedan od metoda širenja (mrežnih) crva je i korišćenje interneta.

Anyway... Ovo je čisto. Isprati uputstvo za deinst. korišćenog programa, a nakon toga bi bilo dobro da instaliraš Service Pack 3 i novi Internet Explorer (veoma bitno kako bi PC i dalje bio čist).


klikni start (ili ), a zatim RUN.

Na Visti koristiti Start Search polje ukoliko Run nije dostupan.

U liniju za unos teksta ukucaj (iskopiraj) sledeće:

combofix /u

Primeti da postoji razmak između "ComboFix" i "/u".



a zatim klikni OK (ili pritisni Enter).


Sačekaj da se proces deinstalacije završi.


To je sve...

offline
  • Pridružio: 06 Jan 2006
  • Poruke: 64

Ok! Videću da uradim predloženo Wink
Hvala još jednom dr Bora!
Svaki put me oduševite brzinom i voljom da pomognete!
Puno pozdrava celoj ekipi!
Sjajni ste!

Ko je trenutno na forumu
 

Ukupno su 729 korisnika na forumu :: 19 registrovanih, 1 sakriven i 709 gosta   ::   [ Administrator ] [ Supermoderator ] [ Moderator ] :: Detaljnije

Najviše korisnika na forumu ikad bilo je 3028 - dana 22 Nov 2019 07:47

Korisnici koji su trenutno na forumu:
Korisnici trenutno na forumu: A.R.Chafee.Jr., aramis s, Bloody, cezar 35, Dukelander, goxin, hooraay, MarKhan, MB120mm, Mercury, operniki, sasa76, stegonosa, Trpe Grozni, vlvl, W123, yrraf, |_MeD_|, 1107