Virtumonde

  • spike
  • New MyCity citizen
  • Joined: 13 Mar 2008
  • Posts: 6

Hi, I'm new to the forum and I need your help...

Virtumonde got onto my machine and there's no way I can get rid of it... I tried VundoFix and fiddled a bit with HijackThis, but I'm not really skilled at that. Here is what HijackThis reports:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:42:10 PM, on 3/13/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\HP\HP Share-to-Web\hpgs2wnd.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\HP\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
C:\Program Files\PC Connectivity Solution\Transports\NclUSBSrv.exe
C:\Program Files\PC Connectivity Solution\Transports\NclRSSrv.exe
C:\Program Files\PC Connectivity Solution\Transports\NclMSBTSrv.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = yahoo.com
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {ADA4AB54-F034-41A4-9A68-95DF06976B68} - C:\WINDOWS\system32\mljjhig.dll
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime
O4 - HKLM\..\Run: [InstantOn] "C:\Program Files\CyberLink\PowerCinema Linux\ion_install.exe" /c
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\HP\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [PC Suite Tray] "C:\Program Files\Nokia\Nokia PC Suite 6\PCSuite.exe" -onlytray
O4 - HKUS\S-1-5-18\..\Run: [Nokia.PCSync] "C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe" /NoDialog (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Nokia.PCSync] "C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe" /NoDialog (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: ATI CATALYST System Tray.lnk = C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - update.microsoft.com/windowsupdate/v6/V5Con.....3878753968
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - nvidia.com/content/DriverDownload/srl/2.0.0.1/sysreqlab2.cab
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - news.beograd.com/AxisCamControl.ocx
O20 - Winlogon Notify: mljjhig - C:\WINDOWS\SYSTEM32\mljjhig.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: TuneUp WinStyler Theme Service (TUWinStylerThemeSvc) - TuneUp Software GmbH - C:\Program Files\TuneUp Utilities 2006\WinStylerThemeSvc.exe
O24 - Desktop Component 0: (no name) - file:///C:/DOCUME~1/markor/LOCALS~1/Temp/msohtml1/01/clip_image001.jpg

--
End of file - 6504 bytes


Please help... thanks in advance

  • helen1
  • Anti Malware Fighter, Rank 2
  • Master teacher
  • Joined: 27 Aug 2005
  • Posts: 8620
  • Location: Novi Beograd

Welcome,

Download ComboFix to your Desktop from one of the following addresses:
http://www.techsupportforum.com/sectools/sUBs/ComboFix.exe
http://download.bleepingcomputer.com/sUBs/ComboFix.exe

Run it and do not touch the program window while it scans.
Follow the on-screen instructions. When it finishes, a log (C:\ComboFix.txt) will appear; copy it here for us.

  • spike
  • New MyCity citizen
  • Joined: 13 Mar 2008
  • Posts: 6

Here is the ComboFix log:

ComboFix 08-03-10.1 - markor 2008-03-13 13:16:20.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.899 [GMT 1:00]
Running from: C:\Documents and Settings\markor\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((( Files Created from 2008-02-13 to 2008-03-13 )))))))))))))))))))))))))))))))
.

2008-03-13 13:12 . 2008-03-13 13:12 0 --a------ C:\WINDOWS\system32\SBRC.dat
2008-03-13 13:12 . 2008-03-13 13:12 0 --a------ C:\WINDOWS\system32\SBFC.dat
2008-03-13 13:11 . 2008-03-13 13:11 <DIR> d-------- C:\Documents and Settings\markor\Application Data\Sunbelt Software
2008-03-13 13:11 . 2008-03-13 13:11 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Sunbelt Software
2008-03-13 13:10 . 2008-03-13 13:10 <DIR> d-------- C:\Program Files\Sunbelt Software
2008-03-13 11:40 . 2008-03-13 11:40 24,576 --a------ C:\WINDOWS\system32\VundoFixSVC.exe
2008-03-13 11:24 . 2008-03-13 11:24 <DIR> d-------- C:\Program Files\Trend Micro
2008-03-13 11:14 . 2008-03-13 11:42 <DIR> d-------- C:\VundoFix Backups
2008-03-13 10:58 . 2008-03-13 10:58 41,984 --a------ C:\WINDOWS\system32\mljjhig.dll
2008-03-13 10:52 . 2008-03-13 10:52 <DIR> d-------- C:\Program Files\EKAf Incorporated
2008-03-03 10:56 . 2008-03-03 10:56 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-03-03 10:56 . 2008-03-03 10:56 1,409 --a------ C:\WINDOWS\QTFont.for
2008-02-28 10:00 . 2008-02-28 10:00 <DIR> d-------- C:\Program Files\Real
2008-02-28 10:00 . 2008-02-28 10:00 <DIR> d-------- C:\Program Files\Common Files\xing shared
2008-02-28 09:59 . 2008-02-28 10:00 <DIR> d-------- C:\Program Files\Common Files\Real
2008-02-28 09:49 . 2008-02-28 10:09 <DIR> d-------- C:\Program Files\Super Internet TV
2008-02-27 11:31 . 2008-02-27 11:31 <DIR> d-------- C:\Documents and Settings\markor\Application Data\fltk.org
2008-02-27 09:01 . 2008-02-27 09:02 <DIR> d-------- C:\Program Files\TVUPlayer
2008-02-27 09:01 . 2008-02-27 09:01 <DIR> d-------- C:\Program Files\TVAnts
2008-02-27 09:01 . 2008-02-27 09:01 <DIR> d-------- C:\Documents and Settings\markor\Application Data\TVU Networks
2008-02-27 09:00 . 2008-02-27 09:01 <DIR> d-------- C:\Program Files\Satellite TV for PC
2008-02-18 09:58 . 2008-02-18 09:58 <DIR> d-------- C:\Program Files\Telenor
2008-02-14 12:56 . 2008-02-14 12:56 <DIR> d-------- C:\Documents and Settings\markor\Application Data\vlc
2008-02-14 12:52 . 2008-02-14 12:52 <DIR> d-------- C:\Program Files\VideoLAN
2008-02-14 12:51 . 2008-02-14 12:51 <DIR> d-------- C:\Documents and Settings\markor\Application Data\vtcmovies
2008-02-14 12:51 . 2008-02-14 12:51 <DIR> d-------- C:\Documents and Settings\markor\Application Data\vtc_language
2008-02-14 12:51 . 2008-02-14 12:51 <DIR> d-------- C:\Documents and Settings\markor\Application Data\vtc_demo_setup
2008-02-14 12:51 . 2008-02-14 12:51 <DIR> d-------- C:\Documents and Settings\markor\Application Data\VTC Preferences Folder

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-13 11:24 --------- d-----w C:\Program Files\XoftSpySE
2008-03-13 10:02 --------- d-----w C:\Documents and Settings\markor\Application Data\uTorrent
2008-03-12 10:28 --------- d-----w C:\Program Files\Planplus
2008-02-08 00:43 --------- d-----w C:\Program Files\ESET
2008-02-06 12:24 --------- d-----w C:\Program Files\Neoretix
2008-02-04 10:09 --------- d-----w C:\Documents and Settings\markor\Application Data\Nokia
2008-02-01 10:11 --------- d-----w C:\Program Files\SourceTec
2008-02-01 10:06 --------- d-----w C:\Documents and Settings\markor\Application Data\Nokia Multimedia Player
2008-02-01 10:03 --------- d-----w C:\Program Files\DIFX
2008-02-01 10:02 --------- d-----w C:\Program Files\PC Connectivity Solution
2008-02-01 10:02 --------- d-----w C:\Program Files\Nokia
2008-02-01 10:02 --------- d-----w C:\Program Files\Common Files\PCSuite
2008-02-01 10:02 --------- d-----w C:\Program Files\Common Files\Nokia
2008-02-01 10:00 --------- d-----w C:\Documents and Settings\All Users\Application Data\Installations
2008-01-31 12:02 --------- d-----w C:\Program Files\uTorrent
2008-01-28 10:01 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-01-28 10:01 --------- d-----w C:\Documents and Settings\markor\Application Data\U3
2008-01-17 15:53 --------- d-----w C:\Program Files\sdc205
2008-01-17 13:05 --------- d-----w C:\Program Files\Torrent-Search
2008-01-17 13:04 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-01-17 13:04 --------- d-----w C:\Program Files\Common Files\InstallShield
2008-01-17 10:55 --------- d-----w C:\Program Files\SystemRequirementsLab
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{ADA4AB54-F034-41A4-9A68-95DF06976B68}]
2008-03-13 10:58 41984 --a------ C:\WINDOWS\system32\mljjhig.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 13:00 15360]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [2007-09-24 12:27 5674352]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe" [2005-10-28 15:25 94208]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 17:24 1694208]
"PC Suite Tray"="C:\Program Files\Nokia\Nokia PC Suite 6\PCSuite.exe" [2007-12-10 10:12 695808]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"High Definition Audio Property Page Shortcut"="HDAShCut.exe" [2004-10-27 15:21 61952 C:\WINDOWS\system32\HdAShCut.exe]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11 132496]
"ATICCC"="C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" [2005-08-12 14:43 45056]
"InstantOn"="C:\Program Files\CyberLink\PowerCinema Linux\ion_install.exe" [2005-05-11 17:28 93640]
"Share-to-Web Namespace Daemon"="C:\Program Files\HP\HP Share-to-Web\hpgs2wnd.exe" [2002-04-17 10:42 69632]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2004-08-04 13:00 110592 C:\WINDOWS\system32\bthprops.cpl]
"nod32kui"="C:\Program Files\Eset\nod32kui.exe" [2007-09-26 13:59 949376]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 09:50 155648]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-12-11 10:56 286720]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2008-02-28 09:59 185896]
"SBCSTray"="C:\Program Files\Sunbelt Software\CounterSpy\SBCSTray.exe" [2007-12-21 15:30 698864]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Nokia.PCSync"="C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe" [2007-11-07 17:35 1294336]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{ADA4AB54-F034-41A4-9A68-95DF06976B68}"= C:\WINDOWS\system32\mljjhig.dll [2008-03-13 10:58 41984]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\mljjhig]
mljjhig.dll 2008-03-13 10:58 41984 C:\WINDOWS\system32\mljjhig.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WBSrv]
C:\PROGRA~1\Stardock\OBJECT~1\WINDOW~1\wbsrv.dll 2007-05-23 11:02 176128 C:\PROGRA~1\Stardock\OBJECT~1\WINDOW~1\WbSrv.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=wbsys.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"SMSERIAL"=sm56hlpr.exe
"AlcWzrd"=ALCWZRD.EXE
"Alcmtr"=ALCMTR.EXE
"SoundMan"=SOUNDMAN.EXE
"RaidTool"=C:\Program Files\VIA\RAID\raid_tool.exe
"SynTPLpr"=C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
"SynTPEnh"=C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\MSN Messenger\\livecall.exe"=
"C:\\Program Files\\uTorrent\\utorrent.exe"=
"C:\\Program Files\\Nero\\Nero 7\\Nero ShowTime\\ShowTime.exe"=
"C:\\WINDOWS\\system32\\mcoinstall.exe"=
"C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE"=
"C:\\Program Files\\Nokia\\Nokia Software Updater\\nsu_ui_client.exe"=
"C:\\Program Files\\Common Files\\Nokia\\Service Layer\\A\\nsl_host_process.exe"=
"C:\\Program Files\\Evil Msn\\Evil Msn 3.0.exe"=
"C:\\Program Files\\sdc205\\StrongDC.exe"=
"C:\\Program Files\\TVUPlayer\\TVUPlayer.exe"=

S3 BTCAMDRV;Mobiola Web Camera driver;C:\WINDOWS\system32\DRIVERS\BTCamDrv.sys [2006-11-01 17:45]
S3 HPFXBULK;HPFXBULK;C:\WINDOWS\system32\drivers\hpfxbulk.sys [2005-09-20 17:22]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c233b09f-cd87-11dc-a56c-0013cef19ab1}]
\Shell\AutoRun\command - G:\LaunchU3.exe -a

.
Contents of the 'Scheduled Tasks' folder
"2008-03-07 16:16:19 C:\WINDOWS\Tasks\1-Click Maintenance.job"
- C:\Program Files\TuneUp Utilities 2006\SystemOptimizer.exe
"2008-03-13 12:23:43 C:\WINDOWS\Tasks\XoftSpySE 2.job"
- C:\Program Files\XoftSpySE\XoftSpy.exe
"2008-03-10 07:50:34 C:\WINDOWS\Tasks\XoftSpySE.job"
- C:\Program Files\XoftSpySE\XoftSpy.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, gmer.net
Rootkit scan 2008-03-13 13:24:46
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\mljjhig.dll

PROCESS: C:\WINDOWS\explorer.exe [6.00.2900.3156]
-> C:\Program Files\Stardock\Object Desktop\WindowBlinds\tray.dll
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\HP\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
C:\Program Files\PC Connectivity Solution\Transports\NclUSBSrv.exe
C:\Program Files\PC Connectivity Solution\Transports\NclRSSrv.exe
C:\Program Files\PC Connectivity Solution\Transports\NclMSBTSrv.exe
C:\Program Files\MSN Messenger\usnsvc.exe
.
**************************************************************************
.
Completion time: 2008-03-13 13:31:24 - machine was rebooted
ComboFix-quarantined-files.txt 2008-03-13 12:31:19
.
2008-03-12 10:02:03 --- E O F ---

  • helen1
  • Anti Malware Fighter, Rank 2
  • Master teacher
  • Joined: 27 Aug 2005
  • Posts: 8620
  • Location: Novi Beograd

Open Notepad and copy the following text into it:

File::
C:\WINDOWS\system32\mljjhig.dll

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{ADA4AB54-F034-41A4-9A68-95DF06976B68}]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{ADA4AB54-F034-41A4-9A68-95DF06976B68}"=-

[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\mljjhig]


Save the file from Notepad to the Desktop as "CFScript".

Drag the saved script/text file onto the ComboFix icon as shown in the picture.
Post the log that is produced at the end of the cleaning/scan in your next message.
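The script above removes one DLL from three load points at once: the Browser Helper Object CLSID, the Explorer ShellExecuteHook that reuses that CLSID, and the Winlogon Notify subkey, which is what lets the DLL sit inside winlogon.exe (the earlier ComboFix log shows it loaded there). As an added example, not code from this thread, from HijackThis or from ComboFix, the following Python correlates those entries from log lines and renders a CFScript in the same format. The sample lines are copied from the logs posted in this thread (plus the benign Stardock Winlogon Notify entry for contrast); the scoring rules and the CFScript template are my own assumptions, modelled on helen1's script.

```python
"""Correlate the load points in a HijackThis / ComboFix log and emit a
ComboFix CFScript for any DLL hooked into several of them at once.

Added example for this thread, not code from the thread, HijackThis or
ComboFix. Sample lines are copied from the logs posted above; the scoring
rules and the CFScript template are assumptions modelled on helen1's script."""
import re
from collections import defaultdict

# Constructed sample: HijackThis O2/O20 lines, then two ComboFix
# "Reg Loading Points" sections, in the form they appear in the thread.
SAMPLE_LOG = r"""
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {ADA4AB54-F034-41A4-9A68-95DF06976B68} - C:\WINDOWS\system32\mljjhig.dll
O20 - Winlogon Notify: mljjhig - C:\WINDOWS\SYSTEM32\mljjhig.dll
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{ADA4AB54-F034-41A4-9A68-95DF06976B68}"= C:\WINDOWS\system32\mljjhig.dll [2008-03-13 10:58 41984]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WBSrv]
C:\PROGRA~1\Stardock\OBJECT~1\WINDOW~1\wbsrv.dll 2007-05-23 11:02 176128 C:\PROGRA~1\Stardock\OBJECT~1\WINDOW~1\WbSrv.dll
"""

BHO_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<path>.*)$")
NOTIFY_RE = re.compile(r"^O20 - Winlogon Notify: (?P<sub>\S+) - (?P<path>.*)$")
KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
HOOK_RE = re.compile(r'^"(?P<clsid>\{[0-9A-Fa-f-]{36}\})"=\s*(?P<path>\S.*?\.dll)', re.I)
IN_SYSTEM32 = re.compile(r"^[a-z]:\\windows\\system32\\[^\\]+\.dll$", re.I)


def parse_hooks(text):
    """Map each DLL (lower-cased path) to the load points it is registered in."""
    hooks = defaultdict(lambda: {"path": None, "clsid": None, "notify": None,
                                 "noname": False, "points": set()})
    key = ""  # current ComboFix registry section, lower-cased
    for line in (raw.strip() for raw in text.splitlines()):
        if not line:
            continue
        m = KEY_RE.match(line)
        if m:
            key = m.group("key").lower()
            continue
        m = BHO_RE.match(line)
        if m:
            if m.group("path") == "(no file)":  # orphaned CLSID: nothing loads
                continue
            rec = hooks[m.group("path").lower()]
            rec.update(path=m.group("path"), clsid=m.group("clsid"),
                       noname=m.group("name") == "(no name)")
            rec["points"].add("bho")
            continue
        m = NOTIFY_RE.match(line)
        if m:
            rec = hooks[m.group("path").lower()]
            rec.update(path=rec["path"] or m.group("path"), notify=m.group("sub"))
            rec["points"].add("winlogon_notify")
            continue
        if "\\winlogon\\notify\\" in key:
            # ComboFix prints the full path as the last token (8.3 names, no spaces)
            path = line.split()[-1]
            rec = hooks[path.lower()]
            rec.update(path=rec["path"] or path, notify=key.rsplit("\\", 1)[1])
            rec["points"].add("winlogon_notify")
            continue
        m = HOOK_RE.match(line)
        if m and key.endswith("\\explorer\\shellexecutehooks"):
            rec = hooks[m.group("path").lower()]
            rec.update(path=rec["path"] or m.group("path"), clsid=m.group("clsid"))
            rec["points"].add("shellexecutehook")
    return dict(hooks)


def suspicious(hooks):
    """Return [(path, reasons)] for DLLs that look like Vundo-style hooks (triage heuristic)."""
    flagged = []
    for rec in hooks.values():
        reasons = []
        in_sys32 = bool(IN_SYSTEM32.match(rec["path"]))
        if len(rec["points"]) >= 2:
            reasons.append("registered in " + " + ".join(sorted(rec["points"])))
        if rec["noname"] and in_sys32:
            reasons.append("nameless BHO loaded from system32")
        if "winlogon_notify" in rec["points"] and in_sys32:
            reasons.append("Winlogon Notify DLL in system32 (runs inside winlogon.exe)")
        if reasons:
            flagged.append((rec["path"], reasons))
    return flagged


def cfscript(rec):
    """Render a CFScript in the form used above: File:: deletes the DLL,
    [-key] removes a whole key, "value"=- removes a single value."""
    out = ["File::", rec["path"], "", "Registry::"]
    if "bho" in rec["points"]:
        out += ["[-HKEY_LOCAL_MACHINE\\~\\Browser Helper Objects\\%s]" % rec["clsid"], ""]
    if "shellexecutehook" in rec["points"]:
        out += ["[hkey_local_machine\\software\\microsoft\\windows\\currentversion\\explorer\\shellexecutehooks]",
                '"%s"=-' % rec["clsid"], ""]
    if "winlogon_notify" in rec["points"]:
        out.append("[-HKEY_LOCAL_MACHINE\\software\\microsoft\\windows nt\\currentversion"
                   "\\winlogon\\notify\\%s]" % rec["notify"])
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    found = parse_hooks(SAMPLE_LOG)
    for dll, why in suspicious(found):
        print(dll + ": " + "; ".join(why))
        print(cfscript(found[dll.lower()]))
```

Run on the sample, it flags only mljjhig.dll (three load points, nameless BHO in system32) and prints a CFScript identical in content to the one above; ssv.dll (one named BHO) and the Stardock WbSrv.dll (one Winlogon Notify entry outside system32) are left alone. The rules are a triage aid, not a verdict: a vendor DLL in system32 registered as a Winlogon Notify handler will also trip the last rule, so check the file's signature and creation date (ComboFix lists it next to the entry) before putting it in a script.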

  • spike
  • New MyCity citizen
  • Joined: 13 Mar 2008
  • Posts: 6

Thank you so much!!! It cleaned it, finally :)

Here is the log file; do I need to do anything else:

ComboFix 08-03-10.1 - markor 2008-03-14 8:54:29.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.945 [GMT 1:00]
Running from: C:\Documents and Settings\markor\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\markor\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\WINDOWS\system32\mljjhig.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\mljjhig.dll

.
((((((((((((((((((((((((( Files Created from 2008-02-14 to 2008-03-14 )))))))))))))))))))))))))))))))
.

2008-03-13 13:12 . 2008-03-13 13:12 0 --a------ C:\WINDOWS\system32\SBRC.dat
2008-03-13 13:12 . 2008-03-13 13:12 0 --a------ C:\WINDOWS\system32\SBFC.dat
2008-03-13 13:11 . 2008-03-13 13:11 <DIR> d-------- C:\Documents and Settings\markor\Application Data\Sunbelt Software
2008-03-13 11:40 . 2008-03-13 11:40 24,576 --a------ C:\WINDOWS\system32\VundoFixSVC.exe
2008-03-13 11:24 . 2008-03-13 11:24 <DIR> d-------- C:\Program Files\Trend Micro
2008-03-13 11:14 . 2008-03-13 11:42 <DIR> d-------- C:\VundoFix Backups
2008-03-13 10:52 . 2008-03-13 10:52 <DIR> d-------- C:\Program Files\EKAf Incorporated
2008-03-03 10:56 . 2008-03-03 10:56 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-03-03 10:56 . 2008-03-03 10:56 1,409 --a------ C:\WINDOWS\QTFont.for
2008-02-28 10:00 . 2008-02-28 10:00 <DIR> d-------- C:\Program Files\Real
2008-02-28 10:00 . 2008-02-28 10:00 <DIR> d-------- C:\Program Files\Common Files\xing shared
2008-02-28 09:59 . 2008-02-28 10:00 <DIR> d-------- C:\Program Files\Common Files\Real
2008-02-28 09:49 . 2008-02-28 10:09 <DIR> d-------- C:\Program Files\Super Internet TV
2008-02-27 11:31 . 2008-02-27 11:31 <DIR> d-------- C:\Documents and Settings\markor\Application Data\fltk.org
2008-02-27 09:01 . 2008-02-27 09:02 <DIR> d-------- C:\Program Files\TVUPlayer
2008-02-27 09:01 . 2008-02-27 09:01 <DIR> d-------- C:\Program Files\TVAnts
2008-02-27 09:01 . 2008-02-27 09:01 <DIR> d-------- C:\Documents and Settings\markor\Application Data\TVU Networks
2008-02-27 09:00 . 2008-02-27 09:01 <DIR> d-------- C:\Program Files\Satellite TV for PC
2008-02-18 09:58 . 2008-02-18 09:58 <DIR> d-------- C:\Program Files\Telenor
2008-02-14 12:56 . 2008-02-14 12:56 <DIR> d-------- C:\Documents and Settings\markor\Application Data\vlc
2008-02-14 12:52 . 2008-02-14 12:52 <DIR> d-------- C:\Program Files\VideoLAN
2008-02-14 12:51 . 2008-02-14 12:51 <DIR> d-------- C:\Documents and Settings\markor\Application Data\vtcmovies
2008-02-14 12:51 . 2008-02-14 12:51 <DIR> d-------- C:\Documents and Settings\markor\Application Data\vtc_language
2008-02-14 12:51 . 2008-02-14 12:51 <DIR> d-------- C:\Documents and Settings\markor\Application Data\vtc_demo_setup
2008-02-14 12:51 . 2008-02-14 12:51 <DIR> d-------- C:\Documents and Settings\markor\Application Data\VTC Preferences Folder

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-14 07:58 --------- d-----w C:\Documents and Settings\markor\Application Data\uTorrent
2008-03-13 11:24 --------- d-----w C:\Program Files\XoftSpySE
2008-03-12 10:28 --------- d-----w C:\Program Files\Planplus
2008-02-08 00:43 --------- d-----w C:\Program Files\ESET
2008-02-06 12:24 --------- d-----w C:\Program Files\Neoretix
2008-02-04 10:09 --------- d-----w C:\Documents and Settings\markor\Application Data\Nokia
2008-02-01 10:11 --------- d-----w C:\Program Files\SourceTec
2008-02-01 10:06 --------- d-----w C:\Documents and Settings\markor\Application Data\Nokia Multimedia Player
2008-02-01 10:03 --------- d-----w C:\Program Files\DIFX
2008-02-01 10:02 --------- d-----w C:\Program Files\PC Connectivity Solution
2008-02-01 10:02 --------- d-----w C:\Program Files\Nokia
2008-02-01 10:02 --------- d-----w C:\Program Files\Common Files\PCSuite
2008-02-01 10:02 --------- d-----w C:\Program Files\Common Files\Nokia
2008-02-01 10:00 --------- d-----w C:\Documents and Settings\All Users\Application Data\Installations
2008-01-31 12:02 --------- d-----w C:\Program Files\uTorrent
2008-01-28 10:01 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-01-28 10:01 --------- d-----w C:\Documents and Settings\markor\Application Data\U3
2008-01-17 15:53 --------- d-----w C:\Program Files\sdc205
2008-01-17 13:05 --------- d-----w C:\Program Files\Torrent-Search
2008-01-17 13:04 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-01-17 13:04 --------- d-----w C:\Program Files\Common Files\InstallShield
2008-01-17 10:55 --------- d-----w C:\Program Files\SystemRequirementsLab
.

((((((((((((((((((((((((((((( snapshot@2008-03-13_13.30.56.84 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-03-13 11:10:41 63,814 ----a-w C:\WINDOWS\system32\perfc009.dat
+ 2008-03-13 12:28:45 63,814 ----a-w C:\WINDOWS\system32\perfc009.dat
- 2008-03-13 11:10:41 405,160 ----a-w C:\WINDOWS\system32\perfh009.dat
+ 2008-03-13 12:28:45 405,160 ----a-w C:\WINDOWS\system32\perfh009.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 13:00 15360]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [2007-09-24 12:27 5674352]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe" [2005-10-28 15:25 94208]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 17:24 1694208]
"PC Suite Tray"="C:\Program Files\Nokia\Nokia PC Suite 6\PCSuite.exe" [2007-12-10 10:12 695808]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"High Definition Audio Property Page Shortcut"="HDAShCut.exe" [2004-10-27 15:21 61952 C:\WINDOWS\system32\HdAShCut.exe]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11 132496]
"ATICCC"="C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" [2005-08-12 14:43 45056]
"InstantOn"="C:\Program Files\CyberLink\PowerCinema Linux\ion_install.exe" [2005-05-11 17:28 93640]
"Share-to-Web Namespace Daemon"="C:\Program Files\HP\HP Share-to-Web\hpgs2wnd.exe" [2002-04-17 10:42 69632]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2004-08-04 13:00 110592 C:\WINDOWS\system32\bthprops.cpl]
"nod32kui"="C:\Program Files\Eset\nod32kui.exe" [2007-09-26 13:59 949376]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 09:50 155648]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-12-11 10:56 286720]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2008-02-28 09:59 185896]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Nokia.PCSync"="C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe" [2007-11-07 17:35 1294336]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WBSrv]
C:\PROGRA~1\Stardock\OBJECT~1\WINDOW~1\wbsrv.dll 2007-05-23 11:02 176128 C:\PROGRA~1\Stardock\OBJECT~1\WINDOW~1\WbSrv.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=wbsys.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"SMSERIAL"=sm56hlpr.exe
"AlcWzrd"=ALCWZRD.EXE
"Alcmtr"=ALCMTR.EXE
"SoundMan"=SOUNDMAN.EXE
"RaidTool"=C:\Program Files\VIA\RAID\raid_tool.exe
"SynTPLpr"=C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
"SynTPEnh"=C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\MSN Messenger\\livecall.exe"=
"C:\\Program Files\\uTorrent\\utorrent.exe"=
"C:\\Program Files\\Nero\\Nero 7\\Nero ShowTime\\ShowTime.exe"=
"C:\\WINDOWS\\system32\\mcoinstall.exe"=
"C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE"=
"C:\\Program Files\\Nokia\\Nokia Software Updater\\nsu_ui_client.exe"=
"C:\\Program Files\\Common Files\\Nokia\\Service Layer\\A\\nsl_host_process.exe"=
"C:\\Program Files\\Evil Msn\\Evil Msn 3.0.exe"=
"C:\\Program Files\\sdc205\\StrongDC.exe"=
"C:\\Program Files\\TVUPlayer\\TVUPlayer.exe"=

S3 BTCAMDRV;Mobiola Web Camera driver;C:\WINDOWS\system32\DRIVERS\BTCamDrv.sys [2006-11-01 17:45]
S3 HPFXBULK;HPFXBULK;C:\WINDOWS\system32\drivers\hpfxbulk.sys [2005-09-20 17:22]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c233b09f-cd87-11dc-a56c-0013cef19ab1}]
\Shell\AutoRun\command - G:\LaunchU3.exe -a

.
Contents of the 'Scheduled Tasks' folder
"2008-03-07 16:16:19 C:\WINDOWS\Tasks\1-Click Maintenance.job"
- C:\Program Files\TuneUp Utilities 2006\SystemOptimizer.exe
"2008-03-14 07:59:35 C:\WINDOWS\Tasks\XoftSpySE 2.job"
- C:\Program Files\XoftSpySE\XoftSpy.exe
"2008-03-10 07:50:34 C:\WINDOWS\Tasks\XoftSpySE.job"
- C:\Program Files\XoftSpySE\XoftSpy.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, gmer.net
Rootkit scan 2008-03-14 08:59:42
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\explorer.exe [6.00.2900.3156]
-> C:\Program Files\Stardock\Object Desktop\WindowBlinds\tray.dll
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\HP\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
C:\Program Files\PC Connectivity Solution\Transports\NclUSBSrv.exe
C:\Program Files\PC Connectivity Solution\Transports\NclRSSrv.exe
C:\Program Files\PC Connectivity Solution\Transports\NclMSBTSrv.exe
C:\Program Files\MSN Messenger\usnsvc.exe
.
**************************************************************************
.
Completion time: 2008-03-14 9:02:41 - machine was rebooted
ComboFix-quarantined-files.txt 2008-03-14 08:02:37
ComboFix2.txt 2008-03-13 12:31:25
.
2008-03-12 10:02:03 --- E O F ---

  • spike
  • New MyCity citizen
  • Joined: 13 Mar 2008
  • Posts: 6

THANK YOU SO MUCH.... everything works like before :)

Best regards,
