Posted: 30 Oct 2007 15:00
- provolta
- New MyCity citizen
- Joined: 30 Oct 2007
- Posts: 19
I need help!
Last week NOD reported the presence of this virus. After that I didn't turn the computer on for a couple of days, and this morning it reported nothing. However, colleagues I'm on MSN with told me they are getting strange messages from me.
I'm sending you the HijackThis log:
Logfile of HijackThis v1.99.1
Scan saved at 10:49:00, on 30.10.2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\sm56hlpr.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Eset\nod32kui.exe
C:\WINDOWS\system32\Linksts.exe
C:\Program Files\Winamp3\winampa.exe
C:\WINDOWS\winfp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Eset\nod32krn.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\WINDOWS\system32\ntvdm.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\AcroRd32.exe
C:\Documents and Settings\ben\Desktop\HijackThis.exe
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\ntos.exe,
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [SMSERIAL] sm56hlpr.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [FineReader7NewsReaderPro] C:\Program Files\ABBYY FineReader 7.0 Professional Edition\AbbyyNewsReader.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [ISDN Monitor] Linksts.exe W 1024
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp3\winampa.exe"
O4 - HKLM\..\Run: [Audio Device Manager] winfp.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {474F00F5-3853-492C-AC3A-476512BBC336} (UploadListView Class) - picasaweb.google.com/s/v/24.11/uploader2.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = MIKROFIN.ISTOK
O17 - HKLM\Software\..\Telephony: DomainName = MIKROFIN.ISTOK
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = MIKROFIN.ISTOK
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - c:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: SQL Server (MSSQLSERVER) (MSSQLSERVER) - Unknown owner - c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe" -sMSSQLSERVER (file missing)
O23 - Service: Microsoft security update service (msupdate) - Unknown owner - c:\windows\system32\mssrv32.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
Thanks in advance for the help!
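Reading a HijackThis log by eye is the next step in this thread; as an added example that is not part of the thread and not HijackThis code, the Python pass below runs over a constructed excerpt of the log above and flags the three kinds of entries a helper looks at first: extra programs in UserInit, Run keys that point at a bare filename, and vendor-less services living in system32.

```python
import re

# Constructed sample: a few lines copied from the HijackThis log posted above.
SAMPLE_LOG = r"""F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\ntos.exe,
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [ISDN Monitor] Linksts.exe W 1024
O4 - HKLM\..\Run: [Audio Device Manager] winfp.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: Microsoft security update service (msupdate) - Unknown owner - c:\windows\system32\mssrv32.exe
"""


def check_userinit(value):
    """Return every program listed in UserInit other than userinit.exe itself.

    Windows runs each comma-separated entry at logon, so an extra path here
    is a persistence point to check before anything else."""
    entries = [p.strip() for p in value.split(",") if p.strip()]
    return [p for p in entries if not p.lower().endswith("\\userinit.exe")]


def triage(log_text):
    """Walk a HijackThis log and return (line, reason) pairs for entries to examine."""
    findings = []
    for line in log_text.splitlines():
        m = re.match(r"(O\d+|F\d) - (.*)", line)
        if not m:
            continue  # header, process list or blank line
        kind, body = m.groups()
        if kind == "F2" and "UserInit=" in body:
            extras = check_userinit(body.split("UserInit=", 1)[1])
            if extras:
                findings.append((line, "extra UserInit program(s): " + ", ".join(extras)))
        elif kind == "O4":
            # [Name] target ...  A target with no directory is resolved at run time, so
            # the log alone does not say where it lives (ComboFix later resolved both
            # Linksts.exe and winfp.exe to their real paths).
            m4 = re.match(r'.*\[(.*?)\]\s+"?([^\s"]+)', body)
            if m4 and "\\" not in m4.group(2):
                findings.append((line, "Run entry uses bare filename " + m4.group(2)))
        elif kind == "O23" and "Unknown owner" in body:
            # "Unknown owner" alone is common for legitimate services (SQL Server in
            # the same log); a vendor-less service in system32 is the odd combination.
            path = body.rsplit(" - ", 1)[1].strip().lower()
            if "\\system32\\" in path:
                findings.append((line, "service without vendor info in system32: " + path))
    return findings


if __name__ == "__main__":
    for entry, reason in triage(SAMPLE_LOG):
        print(reason, "<-", entry)
```

The flags are prompts for a closer look, not verdicts: the ISDN Monitor entry is flagged for the same reason as winfp.exe, and only the later ComboFix output tells them apart.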
Posted: 30 Oct 2007 17:34
- bobby
- Administrator
- Joined: 04 Sep 2003
- Posts: 24135
- Lives in: Wien
Do the following:
Download the file gmer.zip from this link and save it to the Desktop.
Unpack it into a folder.
Double-click gmer.exe to start: choose the Rootkit tab at the top.
Click Scan.
When the scan is finished, click the Copy button below; this will save it to the Clipboard.
Open Notepad, then right-click and choose Paste.
Now save that log to a file (File > Save As) and attach it to your next message (the "Attach file" option below the message box on the forum).
Posted: 01 Nov 2007 08:37
- provolta
- New MyCity citizen
- Joined: 30 Oct 2007
- Posts: 19
Here's the log.
ComboFix 07-11-01.1** - ben 2007-11-01 8:21:46.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1250.1.1033.18.182 [GMT 1:00]
Running from: C:\Documents and Settings\ben\Local Settings\Temporary Internet Files\Content.IE5\QV6JYDER\ComboFix[1].exe
* Created a new restore point
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Documents and Settings\ben\~tmp74.exe
C:\WINDOWS\system32\ntos.exe
C:\WINDOWS\system32\wsnpoem\audio.dll
C:\WINDOWS\system32\wsnpoem\audio.dll.cla
C:\WINDOWS\system32\wsnpoem\video.dll
C:\WINDOWS\system32\wsnpoem
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\LEGACY_MSUPDATE
-------\msupdate
-------\nm
((((((((((((((((((((((((( Files Created from 2007-10-01 to 2007-11-01 )))))))))))))))))))))))))))))))
.
2007-11-01 08:20 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-10-29 15:57 36,864 -r-hs---- C:\WINDOWS\sfhgj.exe
2007-10-08 08:57 12,866 --a------ C:\WINDOWS\system32\mssrv32.exe
2007-10-04 07:36 27,648 --a------ C:\jashfkjah.exe
2007-10-02 08:16 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-10-02 07:47 17,054 --a------ C:\WINDOWS\img122.zip
2007-10-01 14:22 17,068 --a------ C:\WINDOWS\fuckin-around.zip
2007-10-01 14:22 17,048 --a------ C:\WINDOWS\img4851.zip
2007-10-01 14:22 16,896 -r-hs---- C:\WINDOWS\winfp.exe
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-10-31 08:18 70,001 ----a-w C:\WINDOWS\system32\drivers\gmer.sys.tmp
2007-09-25 10:35 --------- d--h--w C:\Program Files\InstallShield Installation Information
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2005-03-22 13:57]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2005-03-22 13:53]
"SMSERIAL"="sm56hlpr.exe" [2005-04-26 11:15 C:\WINDOWS\sm56hlpr.exe]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2004-10-05 16:25]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2004-10-05 16:24]
"FineReader7NewsReaderPro"="C:\Program Files\ABBYY FineReader 7.0 Professional Edition\AbbyyNewsReader.exe" [2003-08-05 17:16]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 09:50]
"nod32kui"="C:\Program Files\Eset\nod32kui.exe" [2007-07-12 08:05]
"ISDN Monitor"="Linksts.exe" [1999-11-25 12:58 C:\WINDOWS\system32\linksts.exe]
"WinampAgent"="C:\Program Files\Winamp3\winampa.exe" [2002-07-23 17:58]
"Audio Device Manager"="winfp.exe" [2007-10-01 11:23 C:\WINDOWS\winfp.exe]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 13:00]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2007-08-31 15:46]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 05:44:06]
WinZip Quick Pick.lnk - C:\Program Files\WinZip\WZQKPICK.EXE [2006-12-12 15:34:46]
R0 DiMaint;Eicon Maintenance Driver;C:\WINDOWS\system32\DRIVERS\DISDN\dimaint.sys
R0 isdnlink;isdnlink;C:\WINDOWS\system32\DRIVERS\linkisdn.sys
R2 DiCapi;Eicon CAPI 2.0 Driver;C:\WINDOWS\system32\DRIVERS\DISDN\capi20.sys
R2 SQLWriter;SQL Server VSS Writer;"c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe"
R3 DiWan;Eicon Driver for all DIVA PnP cards;C:\WINDOWS\system32\DRIVERS\DISDN\Diwan.sys
R3 wanlink;wanlink;C:\WINDOWS\system32\DRIVERS\wanlink.sys
S3 usnjsvc;Messenger Sharing Folders USN Journal Reader service;"C:\Program Files\MSN Messenger\usnsvc.exe"
.
**************************************************************************
catchme 0.3.1250 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, gmer.net
Rootkit scan 2007-11-01 08:28:00
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2007-11-01 8:28:54 - machine was rebooted
.
--- E O F ---
Posted: 01 Nov 2007 10:22
- bobby
- Administrator
- Joined: 04 Sep 2003
- Posts: 24135
- Lives in: Wien
I'd say your computer either was, or still is, infected with a worm that spreads via MSN Messenger.
I'd ask you to pack the following files into one ZIP so I can check them:
- the whole folder C:\QooBox\
- the following files:
C:\WINDOWS\sfhgj.exe
C:\WINDOWS\system32\mssrv32.exe
C:\jashfkjah.exe
C:\WINDOWS\img122.zip
C:\WINDOWS\fuckin-around.zip
C:\WINDOWS\img4851.zip
C:\WINDOWS\winfp.exe
Upload that ZIP to me through the following form:
http://www.mycity.rs/ambulanta-upload.php
Posted: 01 Nov 2007 12:22
- provolta
- New MyCity citizen
- Joined: 30 Oct 2007
- Posts: 19
All my problems started when I received this file fuckin-around over MSN.
I didn't find the file sfgj.exe at the path you gave me, but at c:\WINDOWS\Prefetch\sfgj.exe
I couldn't find the file winfp.exe anywhere, but on the day I received the message mentioned above, the colleague I got it from recommended that I delete the file c:\WINDOWS\Prefetch\winfp.exe
Posted: 01 Nov 2007 13:22
- provolta
- New MyCity citizen
- Joined: 30 Oct 2007
- Posts: 19
Now I've found all the files and uploaded them.
I did an upload a little earlier too, but obviously it didn't arrive.