IE Script Error

• 0Niko još nije pohvalio poruku.
  Registruj se da bi pohvalio/la poruku!

Win mi, cim se upali, izbacuje gresku
. Sta da radim da to uklonim?



Logfile of HijackThis v1.99.1
Scan saved at 13:24:51, on 16.2.2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\AlienGUIse\wbload.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\WgaTray.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\Winamp\winampa.exe
C:\WINDOWS\system32\ctfmon.exe
D:\Programi\Opera\Opera.exe
C:\Documents and Settings\Vasa\Desktop\New Folder\TR3.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [ares] "C:\Program Files\Ares\Ares.exe" -h
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O8 - Extra context menu item: E&xport to Microsoft Excel - [Link mogu videti samo ulogovani korisnici]\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - [Link mogu videti samo ulogovani korisnici]
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL
O20 - AppInit_DLLs: ,wbsys.dll
O20 - Winlogon Notify: WB - C:\Program Files\AlienGUIse\fastload.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Ares Chatroom server (AresChatServer) - Ares Development Group - C:\Program Files\Ares\chatServer.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

• 0Niko još nije pohvalio poruku.
  Registruj se da bi pohvalio/la poruku!

Pozdrav...



Sudeći po postavljenom logu, reklo bi se da problem nije prouzrokovan malware-om.
No, proverićemo još nešto...



Skini ComboFix sa jedne od sledecih adresa na Desktop:
[Link mogu videti samo ulogovani korisnici]
[Link mogu videti samo ulogovani korisnici]

Startuj ga i ne diraj prozor programa dok skenira.
Sledi uputstva na ekranu. Kada zavrsi pojavice se log (C:\ComboFix.txt) koji ces nam ovde iskopirati.

• 0Niko još nije pohvalio poruku.
  Registruj se da bi pohvalio/la poruku!

ComboFix 08-02-16.2 - Vasa 2008-02-16 13:56:34.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1627 [GMT 1:00]
Running from: C:\Documents and Settings\Vasa\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((( Files Created from 2008-01-16 to 2008-02-16 )))))))))))))))))))))))))))))))
.

2008-02-16 12:55 . 2008-02-16 12:55 32,768 --a------ C:\t2b4
2008-02-16 12:04 . 2008-02-16 12:04 268 --ah----- C:\sqmdata08.sqm
2008-02-16 12:04 . 2008-02-16 12:04 244 --ah----- C:\sqmnoopt08.sqm
2008-02-16 00:42 . 2008-02-16 00:42 268 --ah----- C:\sqmdata07.sqm
2008-02-16 00:42 . 2008-02-16 00:42 244 --ah----- C:\sqmnoopt07.sqm
2008-02-15 23:59 . 2008-02-15 23:59 <DIR> d-------- C:\Program Files\ImageShack
2008-02-15 23:34 . 2008-02-15 23:34 5,760,054 --a------ C:\WINDOWS\ALX_1600x1200.bmp
2008-02-15 23:33 . 2008-02-15 23:33 5,760,054 --a------ C:\WINDOWS\AW_1600x1200.bmp
2008-02-15 23:31 . 2005-02-01 14:20 5,760,056 --a------ C:\WINDOWS\Darkstar.bmp
2008-02-15 23:30 . 2008-02-15 23:30 3,932,214 --a------ C:\WINDOWS\InvaderDark1280.bmp
2008-02-15 22:59 . 2008-02-15 22:59 268 --ah----- C:\sqmdata06.sqm
2008-02-15 22:59 . 2008-02-15 22:59 244 --ah----- C:\sqmnoopt06.sqm
2008-02-15 13:52 . 2008-02-15 13:52 268 --ah----- C:\sqmdata05.sqm
2008-02-15 13:52 . 2008-02-15 13:52 244 --ah----- C:\sqmnoopt05.sqm
2008-02-15 12:10 . 2008-02-15 12:10 268 --ah----- C:\sqmdata04.sqm
2008-02-15 12:10 . 2008-02-15 12:10 244 --ah----- C:\sqmnoopt04.sqm
2008-02-15 11:39 . 2008-02-15 11:39 268 --ah----- C:\sqmdata03.sqm
2008-02-15 11:39 . 2008-02-15 11:39 244 --ah----- C:\sqmnoopt03.sqm
2008-02-15 11:25 . 2008-02-15 11:25 268 --ah----- C:\sqmdata02.sqm
2008-02-15 11:25 . 2008-02-15 11:25 244 --ah----- C:\sqmnoopt02.sqm
2008-02-15 11:22 . 2008-02-15 11:22 268 --ah----- C:\sqmdata01.sqm
2008-02-15 11:22 . 2008-02-15 11:22 244 --ah----- C:\sqmnoopt01.sqm
2008-02-15 10:50 . 2008-02-15 10:50 268 --ah----- C:\sqmdata00.sqm
2008-02-15 10:50 . 2008-02-15 10:50 244 --ah----- C:\sqmnoopt00.sqm
2008-02-14 22:56 . 2008-02-16 12:20 <DIR> d-------- C:\Documents and Settings\Vasa\Contacts
2008-02-14 22:55 . 2008-02-14 22:55 <DIR> d----c--- C:\WINDOWS\system32\DRVSTORE
2008-02-14 22:54 . 2008-02-14 22:54 <DIR> d-------- C:\Program Files\MSN Messenger
2008-02-14 22:45 . 2008-02-14 22:45 <DIR> d-------- C:\Program Files\Common Files\Stardock
2008-02-14 22:45 . 2008-02-15 23:34 <DIR> d-------- C:\Program Files\AlienGUIse
2008-02-14 22:45 . 2008-02-15 23:29 3,932,214 --a------ C:\WINDOWS\AW_XenoMorph1280.bmp
2008-02-14 22:45 . 2003-02-26 22:27 36,864 --a------ C:\WINDOWS\system32\wbsys.dll
2008-02-14 22:45 . 2008-02-15 23:28 56 --a------ C:\WINDOWS\wb.ini
2008-02-14 22:30 . 2008-02-14 22:34 <DIR> d-------- C:\Program Files\Winamp
2008-02-14 22:30 . 2008-02-14 22:36 <DIR> d-------- C:\Documents and Settings\Vasa\Application Data\Winamp
2008-02-14 17:17 . 2006-11-29 13:06 3,426,072 --a------ C:\WINDOWS\system32\d3dx9_32.dll
2008-02-14 17:12 . 2008-02-14 17:12 <DIR> d-------- C:\Program Files\Sega
2008-02-14 16:45 . 2008-02-14 16:45 <DIR> d-------- C:\Program Files\Valve Hammer Editor
2008-02-13 21:20 . 2008-02-13 21:20 <DIR> d-------- C:\Program Files\Gramatika-engleskog-jezika
2008-02-13 20:26 . 2008-02-13 20:27 <DIR> d-------- C:\Program Files\Taxi3 eXtreme Rush
2008-02-13 20:10 . 2008-02-13 20:10 <DIR> d-------- C:\Program Files\Ares
2008-02-13 19:58 . 1999-12-17 09:13 86,016 --a------ C:\WINDOWS\unvise32.exe
2008-02-13 19:55 . 2002-04-01 17:53 102,400 --a------ C:\WINDOWS\system32\TrackerNET.dll
2008-02-13 19:54 . 2001-07-31 10:55 217,088 --a------ C:\WINDOWS\system32\libmySQL.dll
2008-02-13 19:52 . 2008-02-13 19:53 <DIR> d-------- C:\SIERRA
2008-02-13 19:52 . 2008-02-13 19:53 <DIR> d-------- C:\Program Files\Sierra On-Line
2008-02-12 21:37 . 2008-02-12 21:37 <DIR> d-------- C:\Program Files\Game_Maker7
2008-02-12 21:37 . 2008-02-12 21:37 0 --ah----- C:\WINDOWS\SwSys2.bmp
2008-02-12 21:37 . 2008-02-12 21:37 0 --ah----- C:\WINDOWS\SwSys1.bmp
2008-02-11 23:01 . 2008-02-13 10:58 <DIR> d--h----- C:\WINDOWS\$hf_mig$
2008-02-11 22:57 . 2008-02-11 22:57 <DIR> d-------- C:\Program Files\easetech
2008-02-11 19:00 . 2008-02-11 19:00 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\nView_Profiles
2008-02-11 18:15 . 2008-02-11 18:15 60 --a------ C:\WINDOWS\wininit.ini
2008-02-11 18:05 . 2005-05-26 15:34 2,297,552 --a------ C:\WINDOWS\system32\d3dx9_26.dll
2008-02-11 17:26 . 2008-02-11 17:26 <DIR> d-------- C:\Program Files\Common Files\Adobe
2008-02-11 17:22 . 2008-02-11 17:22 <DIR> d-------- C:\WINDOWS\solcache
2008-02-11 17:16 . 2008-02-11 17:16 <DIR> d-------- C:\Documents and Settings\Vasa\WINDOWS
2008-02-11 17:16 . 1998-10-30 22:21 1,022,976 --a------ C:\WINDOWS\system32\SierraNW.dll
2008-02-11 17:16 . 1997-07-14 17:42 314,880 --a------ C:\WINDOWS\IsUninst.exe
2008-02-11 17:16 . 1998-10-30 22:21 231,936 --a------ C:\WINDOWS\system32\SNWValid.dll
2008-02-11 17:16 . 2008-02-13 19:53 455 --a------ C:\WINDOWS\SIERRA.INI
2008-02-11 17:04 . 2008-02-11 17:04 <DIR> d-------- C:\Program Files\CCleaner
2008-02-11 16:56 . 2008-02-11 16:56 <DIR> d-------- C:\Program Files\Avira

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-14 16:12 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-02-11 15:56 --------- d-----w C:\Documents and Settings\All Users\Application Data\Avira
2008-02-11 14:40 --------- d-----w C:\Program Files\Common Files\Ahead
2008-02-11 14:40 --------- d-----w C:\Program Files\Ahead
2008-02-11 14:40 --------- d-----w C:\Documents and Settings\Vasa\Application Data\Ahead
2008-02-11 14:34 --------- d-----w C:\Program Files\MSBuild
2008-02-11 14:34 --------- d-----w C:\Program Files\Microsoft Works
2008-02-11 14:34 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-02-11 14:11 --------- d-----w C:\Program Files\MT882
2008-02-11 14:10 --------- d-----w C:\Documents and Settings\Vasa\Application Data\Comodo
2008-02-11 14:04 --------- d-----w C:\Documents and Settings\All Users\Application Data\comodo
2008-02-11 13:56 --------- d-----w C:\Program Files\K-Lite Codec Pack
2008-02-11 13:56 --------- d-----w C:\Documents and Settings\Vasa\Application Data\Media Player Classic
2008-02-11 13:49 --------- d-----w C:\Program Files\Realtek
2008-02-11 13:49 --------- d-----w C:\Documents and Settings\Vasa\Application Data\InstallShield
2008-02-11 13:40 --------- d-----w C:\Program Files\Common Files\InstallShield
2008-02-11 13:32 --------- d-----w C:\Program Files\microsoft frontpage
2008-01-10 12:16 159,839 ----a-w C:\WINDOWS\system32\xvidvfw.dll
2008-01-10 12:15 755,027 ----a-w C:\WINDOWS\system32\xvidcore.dll
2007-12-24 12:49 7,680 ----a-w C:\WINDOWS\system32\ff_vfw.dll
2007-12-18 09:51 179,584 ----a-w C:\WINDOWS\system32\drivers\mrxdav.sys
2007-12-07 01:07 659,456 ----a-w C:\WINDOWS\system32\wininet.dll
2007-12-04 18:38 550,912 ----a-w C:\WINDOWS\system32\oleaut32.dll
2007-12-04 01:33 682,496 ----a-w C:\WINDOWS\system32\divx.dll
2007-11-29 22:30 3,596,288 ----a-w C:\WINDOWS\system32\qt-dx331.dll
2007-11-29 22:28 81,920 ----a-w C:\WINDOWS\system32\dpl100.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 13:00 15360]
"ares"="C:\Program Files\Ares\Ares.exe" [2007-12-31 15:29 962560]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [2007-01-19 12:54 5674352]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-06-29 00:43 8466432]
"nwiz"="nwiz.exe" [2007-06-29 00:43 1626112 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2007-06-29 00:43 81920]
"SkyTel"="SkyTel.EXE" [2006-05-16 11:04 2879488 C:\WINDOWS\SkyTel.exe]
"RTHDCPL"="RTHDCPL.EXE" [2006-11-14 10:21 16270848 C:\WINDOWS\RTHDCPL.exe]
"GrooveMonitor"="C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-27 00:47 31016]
"NeroCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 11:50 155648]
"avgnt"="C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-02-11 17:50 249896]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792]
"WinampAgent"="C:\Program Files\Winamp\winampa.exe" [2008-01-15 23:54 37376]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 13:00 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WB]
C:\Program Files\AlienGUIse\fastload.dll 2001-12-20 23:34 24576 C:\Program Files\AlienGUIse\fastload.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"= ,wbsys.dll

R3 iadusb;MT882;C:\WINDOWS\system32\DRIVERS\glauiad.sys [2006-03-20 08:32]
R3 usnjsvc;Messenger Sharing Folders USN Journal Reader service;"C:\Program Files\MSN Messenger\usnsvc.exe" [2007-01-19 12:54]

.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [Link mogu videti samo ulogovani korisnici]
Rootkit scan 2008-02-16 13:57:08
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-02-16 13:57:21
.
2008-02-13 18:34:38 --- E O F ---

• 0Niko još nije pohvalio poruku.
  Registruj se da bi pohvalio/la poruku!

Uploaduj mi file: C:\t2b4

preko ovog linka: [Link mogu videti samo ulogovani korisnici]

• 0Niko još nije pohvalio poruku.
  Registruj se da bi pohvalio/la poruku!

Kako? Uploadovao sam ga ali ne znam gde.

• 0Niko još nije pohvalio poruku.
  Registruj se da bi pohvalio/la poruku!

Sve je ok - file je stigao gde treba.

Takođe, file je legitiman i svi logovi su čisti => ovaj problem nije prouzrokovan malware-om.

''Vrati'' su u temu u Windows forumu - dobiješ tamo savete/ideje za dalje...

• 0Niko još nije pohvalio poruku.
  Registruj se da bi pohvalio/la poruku!

OK. Hvala ti puno!

Dopuna: 16 Feb 2008 14:36

OK. Hvala ti puno! Nego mogu li sada da brisem HT, Combofix, logove i fajl t2b4?

• 0Niko još nije pohvalio poruku.
  Registruj se da bi pohvalio/la poruku!

HT, CF i logove možeš obrisati.

Za file t2b4 ti ne mogu reći da li je ''bezbedno'' da ga brišeš. Znam samo da nije maliciozan.

• 0Niko još nije pohvalio poruku.
  Registruj se da bi pohvalio/la poruku!

@vasa-93

Izvrsi uninstall programa pod nazivom Ares. Nakon toga iz startupa ukloni aplikaciju takodje pod nazivom Ares (naravno, ukoliko se jos uvek tu nalazi).
Restartuj komp i javi da li ti se ponovo javlja script error.

• 0Niko još nije pohvalio poruku.
  Registruj se da bi pohvalio/la poruku!

Ok. Ostavicu t2b4. Hvala!

Dopuna: 16 Feb 2008 14:53

Uninstalirao sam Ares i nema vise script errora. HVALA!