y.exe problem

y.exe problem

offline
  • Pridružio: 20 Sep 2008
  • Poruke: 15

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 23:41:25, on 23.11.2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Eset\nod32kui.exe
C:\WINDOWS\CameraFixer.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Ljupco\Desktop\TR3.exe.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [CameraFixer] C:\WINDOWS\CameraFixer.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\npjpi160_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\npjpi160_03.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 2871 bytes

Dopuna: 23 Nov 2008 23:57

Desava mi se sledece::: Imam NOD32 antivirus,i pocevsi od jucer javlja mi da ima neku verziju trojanca u system32,y.exe file,i i da obrisem to opet ga javlja,znaci dosad je skenirao i izbrisao 6 inficiranih fajlova i tome nema kraja za pola saata ce biti 20 pa 50 i tako dalje.kad izvucem kabel sa interneta i ocistim viruse nema problema a odmah cim uklucim kabel opet me napada taj "virus",,ako neko zna kako da se toga rjesim molim vas za pomoc!!!

offline
  • dr_Bora  Male
  • Anti Malware Fighter
    Rank 2
  • Pridružio: 24 Jul 2007
  • Poruke: 12280
  • Gde živiš: Höganäs, SE

Pozdrav...



Potrebno je privremeno isključiti TeaTimer:

Pokrenite Spybot S&D
Kliknite Mode stavku u meniju
Odaberite Advance Mode
Na traci levo kliknite na Tools
Kliknite na Resident
Destiklirajte Resident Tea-Timer
Zatvorite Spybot S&D
Restartujte kompjuter.

- Zatim skinuti program sa ovog linka na Desktop.
- Pokrenuti ga dvoklikom i ispratiti uputstva.

Nemojte zaboraviti da ponovo ukljucite ove opcije kada zavrsimo ciscenje.





* Otvori Nod32 Control Center (Klik na njegovu tray ikonicu ( ) u donjem desnom uglu ekrana).
* Izaberi AMON iz Threat Protection grupe opcija.
* Na desnom panelu deštikliraj opciju File system monitor (AMON) enabled.
* Gašenje ove opcije pokazaće se kroz promenu boje Control Center-a iz zelene u crvenu.

Napomena: Ne zaboravi da uključiš ovu opciju po završetku čišćenja.






Arrow Skini ComboFix sa jedne od sledecih adresa na Desktop:
http://download.bleepingcomputer.com/sUBs/ComboFix.exe
http://www.forospyware.com/sUBs/ComboFix.exe
http://subs.geekstogo.com/ComboFix.exe

Startuj ga i ne diraj prozor programa dok skenira.
Sledi uputstva na ekranu. Kada zavrsi pojavice se log (C:\ComboFix.txt) koji ces nam ovde iskopirati.

offline
  • Pridružio: 20 Sep 2008
  • Poruke: 15

ComboFix 08-11-22.02 - Ljupco 2008-11-24 19:15:33.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1251.1.1033.18.706 [GMT 1:00]
Running from: c:\documents and settings\Ljupco\Desktop\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((( Files Created from 2008-10-24 to 2008-11-24 )))))))))))))))))))))))))))))))
.

2008-11-24 00:09 . 2008-11-24 00:30 56,026 --a------ C:\asd.exe
2008-11-23 23:23 . 2008-11-23 23:23 <DIR> d-------- c:\documents and settings\Ljupco\Contacts
2008-11-23 23:22 . 2008-11-23 23:22 <DIR> d----c--- c:\windows\system32\DRVSTORE
2008-11-23 23:21 . 2008-11-23 23:21 <DIR> d-------- c:\program files\MSN Messenger
2008-11-23 23:13 . 2008-11-24 00:38 <DIR> d-------- c:\documents and settings\Ljupco\Application Data\Skype
2008-11-23 23:10 . 2008-11-24 00:40 59 --a------ c:\windows\system32\i

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-11-23 22:18 --------- d-----w c:\documents and settings\Ljupco\Application Data\DMCache
2008-11-23 22:15 --------- d-----w c:\program files\ESET
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2002-12-31 15360]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 2097488]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"nod32kui"="c:\program files\Eset\nod32kui.exe" [2008-01-25 949376]
"CameraFixer"="c:\windows\CameraFixer.exe" [2005-12-06 20480]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2005-10-10 7286784]
"nwiz"="nwiz.exe" [2005-10-10 c:\windows\system32\nwiz.exe]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoSMConfigurePrograms"= 1 (0x1)
"NoSimpleStartMenu"= 1 (0x1)
"NoSMBalloonTip"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.l3fhg"= mp3fhg.acm
"VIDC.X264"= x264vfw.dll
"VIDC.HFYU"= huffyuv.dll
"vidc.i263"= i263_32.drv
"msacm.divxa32"= divxa32.acm
"VIDC.ACDV"= ACDV.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

S0 viasraid;viasraid;c:\windows\system32\drivers\viasraid.sys [2002-12-31 77312]
S2 SVCHOSTS32;Windows Host Services ;"c:\windows\system\svchost.exe" []

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a01bc05d-c404-11da-9f13-806d6172696f}]
\Shell\AutoRun\command - E:\setup.exe
.
.
------- Supplementary Scan -------
.
FireFox -: Profile - c:\documents and settings\Ljupco\Application Data\Mozilla\Firefox\Profiles\fx5k2sk3.default\
FireFox -: prefs.js - STARTUP.HOMEPAGE -
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, gmer.net
Rootkit scan 2008-11-24 19:16:30
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(660)
c:\windows\system32\rsaenh.dll

- - - - - - - > 'lsass.exe'(720)
c:\windows\system32\msprivs.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\imon.dll
.
Completion time: 2008-11-24 19:17:22
ComboFix-quarantined-files.txt 2008-11-24 18:17:03

Pre-Run: 12.052.619.264 bytes free
Post-Run: 12,043,317,248 bytes free

85

offline
  • dr_Bora  Male
  • Anti Malware Fighter
    Rank 2
  • Pridružio: 24 Jul 2007
  • Poruke: 12280
  • Gde živiš: Höganäs, SE

Bilo je sasvim dovoljno jednom pokrenuti ComboFix. A vidim da ni TeaTimer nisi isključio.

Poenta je ispratiti uputstvo.




Otvoriti Notepad i iskopirati sledeci tekst:

File::
C:\asd.exe

Driver::
SVCHOSTS32


Snimiti na Desktop fajl iz Notepada kao "CFScript"




Prevuci snimljeni skript/tekst na ComboFix ikonicu kao na slici.
Postaviti u sledecoj poruci log koji bude bio napravljen na kraju ciscenja/skeniranja.

offline
  • Pridružio: 20 Sep 2008
  • Poruke: 15

ComboFix 08-11-22.02 - Ljupco 2008-11-24 21:01:40.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1251.1.1033.18.695 [GMT 1:00]
Running from: c:\documents and settings\Ljupco\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Ljupco\Desktop\CFScript.txt.txt
* Created a new restore point
* Resident AV is active


WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\asd.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\asd.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_SVCHOSTS32
-------\Service_SVCHOSTS32


((((((((((((((((((((((((( Files Created from 2008-10-24 to 2008-11-24 )))))))))))))))))))))))))))))))
.

2008-11-23 23:23 . 2008-11-24 19:23 <DIR> d-------- c:\documents and settings\Ljupco\Contacts
2008-11-23 23:22 . 2008-11-23 23:22 <DIR> d----c--- c:\windows\system32\DRVSTORE
2008-11-23 23:21 . 2008-11-23 23:21 <DIR> d-------- c:\program files\MSN Messenger
2008-11-23 23:13 . 2008-11-24 00:38 <DIR> d-------- c:\documents and settings\Ljupco\Application Data\Skype
2008-11-23 23:10 . 2008-11-24 00:40 59 --a------ c:\windows\system32\i

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-11-23 22:18 --------- d-----w c:\documents and settings\Ljupco\Application Data\DMCache
2008-11-23 22:15 --------- d-----w c:\program files\ESET
.

((((((((((((((((((((((((((((( snapshot@2008-11-24_ 0.35.35.92 )))))))))))))))))))))))))))))))))))))))))
.
+ 2005-10-20 19:02:28 163,328 ----a-w c:\windows\ERDNT\subs\ERDNT.EXE
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2002-12-31 15360]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 2097488]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"nod32kui"="c:\program files\Eset\nod32kui.exe" [2008-01-25 949376]
"CameraFixer"="c:\windows\CameraFixer.exe" [2005-12-06 20480]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2005-10-10 7286784]
"nwiz"="nwiz.exe" [2005-10-10 c:\windows\system32\nwiz.exe]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoSMConfigurePrograms"= 1 (0x1)
"NoSimpleStartMenu"= 1 (0x1)
"NoSMBalloonTip"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.l3fhg"= mp3fhg.acm
"VIDC.X264"= x264vfw.dll
"VIDC.HFYU"= huffyuv.dll
"vidc.i263"= i263_32.drv
"msacm.divxa32"= divxa32.acm
"VIDC.ACDV"= ACDV.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

S0 viasraid;viasraid;c:\windows\system32\drivers\viasraid.sys [2002-12-31 77312]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a01bc05d-c404-11da-9f13-806d6172696f}]
\Shell\AutoRun\command - E:\setup.exe
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, gmer.net
Rootkit scan 2008-11-24 21:03:35
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(672)
c:\windows\system32\rsaenh.dll

- - - - - - - > 'lsass.exe'(728-)
c:\windows\system32\msprivs.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\imon.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\ESET\nod32krn.exe
c:\windows\system32\nvsvc32.exe
.
**************************************************************************
.
Completion time: 2008-11-24 21:05:17 - machine was rebooted
ComboFix-quarantined-files.txt 2008-11-24 20:04:57
ComboFix2.txt 2008-11-24 18:17:24

Pre-Run: 12.019.339.264 bytes free
Post-Run: 11,964,260,352 bytes free

102

offline
  • dr_Bora  Male
  • Anti Malware Fighter
    Rank 2
  • Pridružio: 24 Jul 2007
  • Poruke: 12280
  • Gde živiš: Höganäs, SE

Kakvo je sada stanje? Prijavljuje li NOD nešto?

offline
  • Pridružio: 20 Sep 2008
  • Poruke: 15

ne nista sve je u normalu kako treba,komp.mi je odlican radi bas onako Normalno,brze startuje aplikacije nego prije itd....

Hvala najlepse brate!!!

offline
  • dr_Bora  Male
  • Anti Malware Fighter
    Rank 2
  • Pridružio: 24 Jul 2007
  • Poruke: 12280
  • Gde živiš: Höganäs, SE

Još samo ovo:
Klikni START a zatim RUN
U liniju za unos teksta ukucaj Combofix /u i klikni OK





Sačekaj da se proces deinstalacije završi

Gornja procedura će:
Obrisati sledeće:
ComboFix i njegove file-ove i foldere
VundoFix Backups folder, ako postoji
C:\Deckard folder, ako postoji
C:\OtMoveIt folder, ako postoji

Resetovati podešavanja sata na kompjuteru
Sakriti ekstenzije file-ova, ako je potrebno
Sakriti sistemske/skrivene file-ove/foldere, ako je potrebno
Resetovati System Restore



poz

Ko je trenutno na forumu
 

Ukupno su 617 korisnika na forumu :: 23 registrovanih, 4 sakrivenih i 590 gosta   ::   [ Administrator ] [ Supermoderator ] [ Moderator ] :: Detaljnije

Najviše korisnika na forumu ikad bilo je 3466 - dana 01 Jun 2021 17:07

Korisnici koji su trenutno na forumu:
Korisnici trenutno na forumu: A.R.Chafee.Jr., Acronis, Battlehammer, Dorcolac, Georgius, JOntra, Kruger, laze2, ljuba, ljuba.b, LonelyWolf, mercedesamg, mikrimaus, Nemanja.M, novator, operniki, Outis, procesor, sickmouse, t.mile, yrraf, |_MeD_|, 1107