y.exe problem

y.exe problem

offline
  • Pridružio: 20 Sep 2008
  • Poruke: 15

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 23:41:25, on 23.11.2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Eset\nod32kui.exe
C:\WINDOWS\CameraFixer.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Ljupco\Desktop\TR3.exe.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [CameraFixer] C:\WINDOWS\CameraFixer.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\npjpi160_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\npjpi160_03.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 2871 bytes

Dopuna: 23 Nov 2008 23:57

Desava mi se sledece::: Imam NOD32 antivirus,i pocevsi od jucer javlja mi da ima neku verziju trojanca u system32,y.exe file,i i da obrisem to opet ga javlja,znaci dosad je skenirao i izbrisao 6 inficiranih fajlova i tome nema kraja za pola saata ce biti 20 pa 50 i tako dalje.kad izvucem kabel sa interneta i ocistim viruse nema problema a odmah cim uklucim kabel opet me napada taj "virus",,ako neko zna kako da se toga rjesim molim vas za pomoc!!!

offline
  • dr_Bora  Male
  • Anti Malware Fighter
    Rank 2
  • Pridružio: 24 Jul 2007
  • Poruke: 12280
  • Gde živiš: Höganäs, SE

Pozdrav...



Potrebno je privremeno isključiti TeaTimer:

Pokrenite Spybot S&D
Kliknite Mode stavku u meniju
Odaberite Advance Mode
Na traci levo kliknite na Tools
Kliknite na Resident
Destiklirajte Resident Tea-Timer
Zatvorite Spybot S&D
Restartujte kompjuter.

- Zatim skinuti program sa ovog linka na Desktop.
- Pokrenuti ga dvoklikom i ispratiti uputstva.

Nemojte zaboraviti da ponovo ukljucite ove opcije kada zavrsimo ciscenje.





* Otvori Nod32 Control Center (Klik na njegovu tray ikonicu ( ) u donjem desnom uglu ekrana).
* Izaberi AMON iz Threat Protection grupe opcija.
* Na desnom panelu deštikliraj opciju File system monitor (AMON) enabled.
* Gašenje ove opcije pokazaće se kroz promenu boje Control Center-a iz zelene u crvenu.

Napomena: Ne zaboravi da uključiš ovu opciju po završetku čišćenja.






Arrow Skini ComboFix sa jedne od sledecih adresa na Desktop:
http://download.bleepingcomputer.com/sUBs/ComboFix.exe
http://www.forospyware.com/sUBs/ComboFix.exe
http://subs.geekstogo.com/ComboFix.exe

Startuj ga i ne diraj prozor programa dok skenira.
Sledi uputstva na ekranu. Kada zavrsi pojavice se log (C:\ComboFix.txt) koji ces nam ovde iskopirati.

offline
  • Pridružio: 20 Sep 2008
  • Poruke: 15

ComboFix 08-11-22.02 - Ljupco 2008-11-24 19:15:33.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1251.1.1033.18.706 [GMT 1:00]
Running from: c:\documents and settings\Ljupco\Desktop\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((( Files Created from 2008-10-24 to 2008-11-24 )))))))))))))))))))))))))))))))
.

2008-11-24 00:09 . 2008-11-24 00:30 56,026 --a------ C:\asd.exe
2008-11-23 23:23 . 2008-11-23 23:23 <DIR> d-------- c:\documents and settings\Ljupco\Contacts
2008-11-23 23:22 . 2008-11-23 23:22 <DIR> d----c--- c:\windows\system32\DRVSTORE
2008-11-23 23:21 . 2008-11-23 23:21 <DIR> d-------- c:\program files\MSN Messenger
2008-11-23 23:13 . 2008-11-24 00:38 <DIR> d-------- c:\documents and settings\Ljupco\Application Data\Skype
2008-11-23 23:10 . 2008-11-24 00:40 59 --a------ c:\windows\system32\i

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-11-23 22:18 --------- d-----w c:\documents and settings\Ljupco\Application Data\DMCache
2008-11-23 22:15 --------- d-----w c:\program files\ESET
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2002-12-31 15360]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 2097488]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"nod32kui"="c:\program files\Eset\nod32kui.exe" [2008-01-25 949376]
"CameraFixer"="c:\windows\CameraFixer.exe" [2005-12-06 20480]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2005-10-10 7286784]
"nwiz"="nwiz.exe" [2005-10-10 c:\windows\system32\nwiz.exe]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoSMConfigurePrograms"= 1 (0x1)
"NoSimpleStartMenu"= 1 (0x1)
"NoSMBalloonTip"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.l3fhg"= mp3fhg.acm
"VIDC.X264"= x264vfw.dll
"VIDC.HFYU"= huffyuv.dll
"vidc.i263"= i263_32.drv
"msacm.divxa32"= divxa32.acm
"VIDC.ACDV"= ACDV.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

S0 viasraid;viasraid;c:\windows\system32\drivers\viasraid.sys [2002-12-31 77312]
S2 SVCHOSTS32;Windows Host Services ;"c:\windows\system\svchost.exe" []

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a01bc05d-c404-11da-9f13-806d6172696f}]
\Shell\AutoRun\command - E:\setup.exe
.
.
------- Supplementary Scan -------
.
FireFox -: Profile - c:\documents and settings\Ljupco\Application Data\Mozilla\Firefox\Profiles\fx5k2sk3.default\
FireFox -: prefs.js - STARTUP.HOMEPAGE -
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, gmer.net
Rootkit scan 2008-11-24 19:16:30
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(660)
c:\windows\system32\rsaenh.dll

- - - - - - - > 'lsass.exe'(720)
c:\windows\system32\msprivs.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\imon.dll
.
Completion time: 2008-11-24 19:17:22
ComboFix-quarantined-files.txt 2008-11-24 18:17:03

Pre-Run: 12.052.619.264 bytes free
Post-Run: 12,043,317,248 bytes free

85

offline
  • dr_Bora  Male
  • Anti Malware Fighter
    Rank 2
  • Pridružio: 24 Jul 2007
  • Poruke: 12280
  • Gde živiš: Höganäs, SE

Bilo je sasvim dovoljno jednom pokrenuti ComboFix. A vidim da ni TeaTimer nisi isključio.

Poenta je ispratiti uputstvo.




Otvoriti Notepad i iskopirati sledeci tekst:

File::
C:\asd.exe

Driver::
SVCHOSTS32


Snimiti na Desktop fajl iz Notepada kao "CFScript"




Prevuci snimljeni skript/tekst na ComboFix ikonicu kao na slici.
Postaviti u sledecoj poruci log koji bude bio napravljen na kraju ciscenja/skeniranja.

offline
  • Pridružio: 20 Sep 2008
  • Poruke: 15

ComboFix 08-11-22.02 - Ljupco 2008-11-24 21:01:40.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1251.1.1033.18.695 [GMT 1:00]
Running from: c:\documents and settings\Ljupco\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Ljupco\Desktop\CFScript.txt.txt
* Created a new restore point
* Resident AV is active


WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\asd.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\asd.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_SVCHOSTS32
-------\Service_SVCHOSTS32


((((((((((((((((((((((((( Files Created from 2008-10-24 to 2008-11-24 )))))))))))))))))))))))))))))))
.

2008-11-23 23:23 . 2008-11-24 19:23 <DIR> d-------- c:\documents and settings\Ljupco\Contacts
2008-11-23 23:22 . 2008-11-23 23:22 <DIR> d----c--- c:\windows\system32\DRVSTORE
2008-11-23 23:21 . 2008-11-23 23:21 <DIR> d-------- c:\program files\MSN Messenger
2008-11-23 23:13 . 2008-11-24 00:38 <DIR> d-------- c:\documents and settings\Ljupco\Application Data\Skype
2008-11-23 23:10 . 2008-11-24 00:40 59 --a------ c:\windows\system32\i

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-11-23 22:18 --------- d-----w c:\documents and settings\Ljupco\Application Data\DMCache
2008-11-23 22:15 --------- d-----w c:\program files\ESET
.

((((((((((((((((((((((((((((( snapshot@2008-11-24_ 0.35.35.92 )))))))))))))))))))))))))))))))))))))))))
.
+ 2005-10-20 19:02:28 163,328 ----a-w c:\windows\ERDNT\subs\ERDNT.EXE
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2002-12-31 15360]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 2097488]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"nod32kui"="c:\program files\Eset\nod32kui.exe" [2008-01-25 949376]
"CameraFixer"="c:\windows\CameraFixer.exe" [2005-12-06 20480]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2005-10-10 7286784]
"nwiz"="nwiz.exe" [2005-10-10 c:\windows\system32\nwiz.exe]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoSMConfigurePrograms"= 1 (0x1)
"NoSimpleStartMenu"= 1 (0x1)
"NoSMBalloonTip"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.l3fhg"= mp3fhg.acm
"VIDC.X264"= x264vfw.dll
"VIDC.HFYU"= huffyuv.dll
"vidc.i263"= i263_32.drv
"msacm.divxa32"= divxa32.acm
"VIDC.ACDV"= ACDV.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

S0 viasraid;viasraid;c:\windows\system32\drivers\viasraid.sys [2002-12-31 77312]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a01bc05d-c404-11da-9f13-806d6172696f}]
\Shell\AutoRun\command - E:\setup.exe
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, gmer.net
Rootkit scan 2008-11-24 21:03:35
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(672)
c:\windows\system32\rsaenh.dll

- - - - - - - > 'lsass.exe'(728-)
c:\windows\system32\msprivs.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\imon.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\ESET\nod32krn.exe
c:\windows\system32\nvsvc32.exe
.
**************************************************************************
.
Completion time: 2008-11-24 21:05:17 - machine was rebooted
ComboFix-quarantined-files.txt 2008-11-24 20:04:57
ComboFix2.txt 2008-11-24 18:17:24

Pre-Run: 12.019.339.264 bytes free
Post-Run: 11,964,260,352 bytes free

102

offline
  • dr_Bora  Male
  • Anti Malware Fighter
    Rank 2
  • Pridružio: 24 Jul 2007
  • Poruke: 12280
  • Gde živiš: Höganäs, SE

Kakvo je sada stanje? Prijavljuje li NOD nešto?

offline
  • Pridružio: 20 Sep 2008
  • Poruke: 15

ne nista sve je u normalu kako treba,komp.mi je odlican radi bas onako Normalno,brze startuje aplikacije nego prije itd....

Hvala najlepse brate!!!

offline
  • dr_Bora  Male
  • Anti Malware Fighter
    Rank 2
  • Pridružio: 24 Jul 2007
  • Poruke: 12280
  • Gde živiš: Höganäs, SE

Još samo ovo:
Klikni START a zatim RUN
U liniju za unos teksta ukucaj Combofix /u i klikni OK





Sačekaj da se proces deinstalacije završi

Gornja procedura će:
Obrisati sledeće:
ComboFix i njegove file-ove i foldere
VundoFix Backups folder, ako postoji
C:\Deckard folder, ako postoji
C:\OtMoveIt folder, ako postoji

Resetovati podešavanja sata na kompjuteru
Sakriti ekstenzije file-ova, ako je potrebno
Sakriti sistemske/skrivene file-ove/foldere, ako je potrebno
Resetovati System Restore



poz

Ko je trenutno na forumu
 

Ukupno su 916 korisnika na forumu :: 38 registrovanih, 9 sakrivenih i 869 gosta   ::   [ Administrator ] [ Supermoderator ] [ Moderator ] :: Detaljnije

Najviše korisnika na forumu ikad bilo je 3028 - dana 22 Nov 2019 07:47

Korisnici koji su trenutno na forumu:
Korisnici trenutno na forumu: 5.56, A.R.Chafee.Jr., Altay, awathorn, Bahuss, bato3, Belac91, Duh sa sekirom, havoc995, helen1, hyla, ivance95, Kanaris, konstruktor, kovinacc, lekso, Majstorr, Marko Marković, mikrimaus2, milos.cbr, nebkv, nenad812, ninareflex, nuke92, ozz2, RJ, ruma, sevenino, Srki94, Srna2, suton, svetac, tomigun, Trpe Grozni, vladas87, voja64, VP3987, zodiac94