Posted: 10 Dec 2010 20:29
- Joined: 09 Dec 2004
- Posts: 6488
- Location: Nis -> ***Durlan City***
It all started when I wanted to clean a website of a "virus". It was infected with a piece of code that has some site embedded in it. Since I was curious, I went to take a look, and that was that.
It started with that classic scam claiming there is a problem with my PC. Microsoft Sec Essential AV and that kind of nonsense...
I barely managed to clean it from safe mode with Avira and MBAM.
But it has been coming back again for days now...
Here are some logs from Avira
Virus or unwanted program 'TR/Crypt.XPACK.Gen2 [trojan]'
detected in file 'C:\Documents and Settings\SSpin\Local Settings\Temporary Internet Files\Content.IE5\IZBB057H\inst[1].exe'.
Action performed: Allow access
Virus or unwanted program 'TR/Fraud.Gen [trojan]'
detected in file 'C:\Documents and Settings\SSpin\Local Settings\Temporary Internet Files\Content.IE5\IZBB057H\21[1].exe'.
Action performed: Deny access
The file 'C:\Documents and Settings\SSpin\Local Settings\Application Data\302610570.exe'
contained a virus or unwanted program 'TR/Crypt.ZPACK.Gen2' [trojan]
Action(s) taken:
The registration entry <HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\302610570> was removed successfully.
An error has occurred and the file was not deleted. ErrorID: 26003.
The file could not be deleted!
Attempting to perform action using the ARK library.
The file was moved to the quarantine directory under the name '568ded62.qua'.
Etc. I want to get rid of it for good. I know you have a lot of work, I wouldn't have opened a thread if it hadn't really alarmed me...
I have a 1 Mbit connection; for protection I have Avira, SpyBot and MBAM. I mostly use FF.
DDS.txt
--
DDS (Ver_10-12-05.01) - NTFSx86
Run by SSpin at 20:03:42.79 on Fri 12/10/2010
Internet Explorer: 7.0.5730.11 BrowserJavaVersion: 1.6.0_14
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1279.644 [GMT 1:00]
AV: AntiVir Desktop *On-access scanning disabled* (Outdated) {AD166499-45F9-482A-A743-FDD3350758C7}
AV: AntiVir Desktop *On-access scanning disabled* (Outdated) {11638345-E4FC-4BEE-BB73-EC754659C5F6}
FW: Avira FireWall *disabled* {11638345-E4FC-4BEE-BB73-EC754659C5F6}
============== Running Processes ===============
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
C:\WINDOWS\Explorer.EXE
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\CDBurnerXP\NMSAccessU.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Panda USB Vaccine\USBVaccine.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\RocketDock\RocketDock.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\WINDOWS\System32\mshta.exe
C:\WINDOWS\System32\mshta.exe
C:\Documents and Settings\SSpin\Desktop\dds.scr
============== Pseudo HJT Report ===============
uStart Page = https://webebank.ebb-bg.com/webbank/frames.jsp
uURLSearchHooks: H - No File
mWinlogon: Userinit=c:\windows\system32\userinit.exe
uWinlogon: Shell=c:\documents and settings\sspin\application data\hotfix.exe
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: DebugBar BHO: {69fc0024-10eb-480a-bbf2-3bf4e78e17b1} - c:\program files\core services\debugbar\DebugInfoBar.dll
BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SEPsearchhelperie.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: Windows Live Toolbar Helper: {e15a8dc0-8516-42a1-81ea-dc94ec1acf10} - c:\program files\windows live\toolbar\wltcore.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File
TB: {038cb5c7-48ea-4af9-94e0-a1646542e62b} - No File
TB: &Windows Live Toolbar: {21fa44ef-376d-4d53-9b0f-8a89d3229068} - c:\program files\windows live\toolbar\wltcore.dll
TB: DebugBar: {3e1201f4-1707-409f-bb45-a5f192381da0} - c:\program files\core services\debugbar\DebugToolBar.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [RocketDock] "c:\program files\rocketdock\RocketDock.exe"
uRun: [{F900AF04-D757-5AFE-D57B-8C4BE292DEC4}] "c:\documents and settings\sspin\application data\ypym\xuubh.exe"
mRun: [Google Desktop Search] "c:\program files\google\google desktop search\GoogleDesktop.exe" /startup
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
dRunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32
uPolicies-explorer: DisallowRun = 1 (0x1)
uPolicies-disallowrun: 1 = avnotify.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office11\REFIEBAR.DLL
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
TCP: {5C53B829-BB74-4B24-8B5D-8D597B397852} = 208.67.222.222,208.67.220.220
TCP: {6DF862F7-CE13-4B35-881A-32275696F818} = 92.60.224.20 92.60.224.30
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
AppInit_DLLs: c:\progra~1\google\google~4\GOEC62~1.DLL
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\wpdshserviceobj.dll
Hosts: 127.0.0.1 www.spywareinfo.com
Hosts: 188.2.219.185 web.thh
================= FIREFOX ===================
FF - ProfilePath - c:\docume~1\sspin\applic~1\mozilla\firefox\profiles\aky8ynt5.default\
FF - prefs.js: browser.startup.homepage - hxxp://search.conduit.com/?ctid=CT2077543&SearchSource=13
FF - component: c:\documents and settings\sspin\application data\mozilla\firefox\profiles\aky8ynt5.default\extensions\{6ac85730-7d0f-4de0-b3fa-21142dd85326}\platform\winnt\components\ColorZilla.dll
FF - component: c:\documents and settings\sspin\application data\mozilla\firefox\profiles\aky8ynt5.default\extensions\{de1b245c-de57-11da-ba2d-0050c2490048}\library\winnt-32\MinimizeToTrayPlus.dll
FF - plugin: c:\documents and settings\sspin\application data\facebook\npfbplugin_1_0_3.dll
FF - plugin: c:\documents and settings\sspin\local settings\application data\flock\update\1.2.213.0\npFlockOneClick8.dll
FF - plugin: c:\documents and settings\sspin\local settings\application data\google\update\1.2.183.39\npGoogleOneClick8.dll
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\google updater\2.4.1591.6512\npCIDetect13.dll
FF - plugin: c:\program files\google\update\1.2.183.13\npGoogleOneClick8.dll
FF - plugin: c:\program files\google\update\1.2.183.17\npGoogleOneClick8.dll
FF - plugin: c:\program files\google\update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\google\update\1.2.183.29\npGoogleOneClick8.dll
FF - plugin: c:\program files\google\update\1.2.183.39\npGoogleOneClick8.dll
FF - plugin: c:\program files\google\update\1.2.183.7\npGoogleOneClick8.dll
FF - plugin: c:\program files\microsoft\office live\npOLW.dll
FF - plugin: c:\program files\opera\program\plugins\np_gp.dll
FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll
FF - Extension: Firebug: firebug@software.joehewitt.com - c:\docume~1\sspin\applic~1\mozilla\firefox\profiles\aky8ynt5.default\extensions\firebug@software.joehewitt.com
FF - Extension: Download Statusbar: {D4DD63FA-01E4-46a7-B6B1-EDAB7D6AD389} - c:\docume~1\sspin\applic~1\mozilla\firefox\profiles\aky8ynt5.default\extensions\{D4DD63FA-01E4-46a7-B6B1-EDAB7D6AD389}
FF - Extension: StumbleUpon: {AE93811A-5C9A-4d34-8462-F7B864FC4696} - c:\docume~1\sspin\applic~1\mozilla\firefox\profiles\aky8ynt5.default\extensions\{AE93811A-5C9A-4d34-8462-F7B864FC4696}
FF - Extension: ColorZilla: {6AC85730-7D0F-4de0-B3FA-21142DD85326} - c:\docume~1\sspin\applic~1\mozilla\firefox\profiles\aky8ynt5.default\extensions\{6AC85730-7D0F-4de0-B3FA-21142DD85326}
FF - Extension: YouTube to MP3: youtube2mp3@mondayx.de - c:\docume~1\sspin\applic~1\mozilla\firefox\profiles\aky8ynt5.default\extensions\youtube2mp3@mondayx.de
FF - Extension: SearchStatus: {d57c9ff1-6389-48fc-b770-f78bd89b6e8a} - c:\docume~1\sspin\applic~1\mozilla\firefox\profiles\aky8ynt5.default\extensions\{d57c9ff1-6389-48fc-b770-f78bd89b6e8a}
FF - Extension: MinimizeToTrayPlus: {de1b245c-de57-11da-ba2d-0050c2490048} - c:\docume~1\sspin\applic~1\mozilla\firefox\profiles\aky8ynt5.default\extensions\{de1b245c-de57-11da-ba2d-0050c2490048}
FF - Extension: Greasemonkey: {e4a8a97b-f2ed-450b-b12d-ee082ba24781} - c:\docume~1\sspin\applic~1\mozilla\firefox\profiles\aky8ynt5.default\extensions\{e4a8a97b-f2ed-450b-b12d-ee082ba24781}
FF - Extension: Gmail Checker: {6BFD307A-C040-11DA-9749-FB1C850B47DF} - c:\docume~1\sspin\applic~1\mozilla\firefox\profiles\aky8ynt5.default\extensions\{6BFD307A-C040-11DA-9749-FB1C850B47DF}
---- FIREFOX POLICIES ----
FF - user.js: network.cookie.cookieBehavior - 0
FF - user.js: privacy.clearOnShutdown.cookies - false
FF - user.js: security.warn_viewing_mixed - false
FF - user.js: security.warn_viewing_mixed.show_once - false
FF - user.js: security.warn_submit_insecure - false
FF - user.js: security.warn_submit_insecure.show_once - false
============= SERVICES / DRIVERS ===============
R1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2010-4-5 11608]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2010-4-5 135336]
R2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2010-4-5 267944]
R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2010-4-5 61960]
R2 fssfltr;FssFltr;c:\windows\system32\drivers\fssfltr_tdi.sys [2010-4-15 54752]
S0 FGXSCSI;FGXSCSI;c:\windows\system32\drivers\fgxscsi.sys --> c:\windows\system32\drivers\fgxscsi.sys [?]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2009-12-19 135664]
S3 fsssvc;Windows Live Family Safety Service;c:\program files\windows live\family safety\fsssvc.exe [2009-8-5 704864]
S3 GoogleDesktopManager-051210-111108;Google Desktop Manager 5.9.1005.12335;c:\program files\google\google desktop search\GoogleDesktop.exe [2009-9-26 30192]
S3 iadusb;MT882;c:\windows\system32\drivers\glauiad.sys [2009-3-4 30336]
S3 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files\mcafee security scan\2.0.181\McCHSvc.exe [2010-1-15 227232]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2007-11-6 34064]
S3 SetupNTGLM7X;SetupNTGLM7X;\??\f:\ntglm7x.sys --> f:\NTGLM7X.sys [?]
S3 SIVDRIVER;SIV Kernel Driver;c:\windows\system32\drivers\SIVX32.sys [2009-9-22 48736]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
=============== Created Last 30 ================
2010-12-10 17:49:44 -------- d-----w- c:\docume~1\sspin\applic~1\Etopid
2010-12-07 20:16:29 -------- d-----w- c:\program files\Cain
2010-12-07 16:52:06 -------- d-----w- c:\docume~1\sspin\applic~1\Ifykn
2010-11-24 19:42:38 -------- d-----w- c:\program files\Core Services
2010-11-24 10:28:45 306688 ----a-w- c:\windows\IsUninst.exe
2010-11-24 10:28:17 -------- d-----w- c:\documents and settings\sspin\WINDOWS
==================== Find3M ====================
2009-03-11 17:21:05 478720 ----a-w- c:\program files\usbnorisk.exe
2003-01-03 19:36:52 77824 ----a-w- c:\program files\Startup.exe
============= FINISH: 20:05:33.84 ===============
Thank you very much in advance, and know that I appreciate and deeply respect your work!
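As an added illustration, not part of the original post and not code from DDS, OTM or the forum's helpers: a small Python triage script that applies, to the "Pseudo HJT Report" section of the log above, the checks a helper normally does by eye. It flags a Winlogon Shell or Userinit value that is not the stock binary (including the "explorer.exe,evil.exe" appendage trick), Run entries that launch from the user profile (with a random GUID name as the high-severity case), a DisallowRun policy that names a security tool, hosts-file overrides, and Firefox user.js lines that switch security warnings off. The sample input is excerpted from the log in the post; the list of AV process names, the severity labels and the rule names are my own assumptions, not anything DDS defines.

```python
import re

# Sample input: lines excerpted from the DDS "Pseudo HJT Report" posted above,
# plus nothing else; the benign ctfmon/avgnt/Userinit lines show what passes.
SAMPLE_DDS = r"""
mWinlogon: Userinit=c:\windows\system32\userinit.exe
uWinlogon: Shell=c:\documents and settings\sspin\application data\hotfix.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [{F900AF04-D757-5AFE-D57B-8C4BE292DEC4}] "c:\documents and settings\sspin\application data\ypym\xuubh.exe"
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
uPolicies-explorer: DisallowRun = 1 (0x1)
uPolicies-disallowrun: 1 = avnotify.exe
Hosts: 127.0.0.1 www.spywareinfo.com
Hosts: 188.2.219.185 web.thh
FF - user.js: security.warn_submit_insecure - false
"""

# Assumed list of security-tool binaries: a DisallowRun policy naming one of
# these is malware muzzling the AV (avnotify.exe is Avira's alert pop-up).
AV_PROCESSES = {"avnotify.exe", "avgnt.exe", "avguard.exe", "mbam.exe", "spybotsd.exe"}
# Autostart targets living under the user profile rather than Program Files.
USER_PROFILE_DIRS = ("\\application data\\", "\\local settings\\", "\\appdata\\", "\\temp\\")
LOOPBACK = {"127.0.0.1", "0.0.0.0", "::1"}

WINLOGON_RE = re.compile(r"^[um]Winlogon:\s*(?P<key>Shell|Userinit)=(?P<val>.*)$", re.I)
RUN_RE = re.compile(r"^[umd]Run(?:Once)?:\s*\[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$", re.I)
DISALLOW_RE = re.compile(r"^uPolicies-disallowrun:\s*\d+\s*=\s*(?P<exe>\S+)", re.I)
HOSTS_RE = re.compile(r"^Hosts:\s*(?P<ip>\S+)\s+(?P<host>\S+)", re.I)
FF_SEC_RE = re.compile(r"^FF - user\.js:\s*(?P<pref>security\.\S+)\s*-\s*false", re.I)
GUID_RE = re.compile(r"^\{[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\}$", re.I)
# The only legitimate values of the two Winlogon keys on Windows XP.
EXPECTED_WINLOGON = {
    "shell": re.compile(r"^(?:[a-z]:\\windows\\)?explorer\.exe$"),
    "userinit": re.compile(r"^[a-z]:\\windows\\system32\\userinit\.exe$"),
}


def _exe_path(cmd):
    """Executable part of a Run command line: unquote, or cut at the first switch."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split(" /", 1)[0]


def _winlogon_ok(key, val):
    """True only if the value is exactly the stock binary; 'explorer.exe,evil.exe' fails."""
    parts = [p.strip().strip('"').lower() for p in val.split(",") if p.strip()]
    return len(parts) == 1 and EXPECTED_WINLOGON[key].match(parts[0]) is not None


def triage_dds(text):
    """Return [(severity, rule, line)] for suspicious pseudo-HJT entries, in input order."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := WINLOGON_RE.match(line):
            key = m.group("key").lower()
            if not _winlogon_ok(key, m.group("val")):
                findings.append(("high", "winlogon-%s-hijack" % key, line))
        elif m := RUN_RE.match(line):
            path = _exe_path(m.group("cmd")).lower()
            if any(d in path for d in USER_PROFILE_DIRS):
                guid = GUID_RE.match(m.group("name")) is not None
                findings.append(("high" if guid else "medium",
                                 "run-guid-name-in-profile" if guid else "run-in-profile", line))
        elif m := DISALLOW_RE.match(line):
            exe = m.group("exe").lower()
            findings.append(("high" if exe in AV_PROCESSES else "medium", "disallowrun-policy", line))
        elif m := HOSTS_RE.match(line):
            # Loopback entries may be a legitimate blocklist; a foreign IP is a redirect.
            if m.group("ip") in LOOPBACK:
                findings.append(("low", "hosts-loopback-block", line))
            else:
                findings.append(("medium", "hosts-redirect", line))
        elif FF_SEC_RE.match(line):
            findings.append(("low", "ff-security-warning-disabled", line))
    return findings


if __name__ == "__main__":
    for sev, rule, line in triage_dds(SAMPLE_DDS):
        print("%-6s %-28s %s" % (sev, rule, line))
```

Run against the excerpt it reports three high findings (the hotfix.exe shell, the GUID-named xuubh.exe Run entry and the avnotify.exe DisallowRun policy), one medium (the web.thh hosts redirect) and two low. The checks are deliberately string-based so they work on a pasted log with no access to the infected machine; anything they flag still needs to be confirmed on the box before deleting it.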
Posted: 11 Dec 2010 12:07
- Joined: 09 Dec 2004
- Posts: 6488
- Location: Nis -> ***Durlan City***
Results
========== REGISTRY ==========
Registry value HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\\Shell deleted successfully.
========== FILES ==========
File/Folder c:\documents and settings\sspin\application data\hotfix.exe not found.
OTM by OldTimer - Version 3.1.17.2 log created on 12112010_120305
I don't keep anything in those folders; it looks like the virus created them.
One is empty and the other has some qivae.uli file. Should I shift-delete them?