Computer check-up


offline
  • Joined: 26 Apr 2007
  • Posts: 34

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:40:38 AM, on 2/22/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Eset\nod32kui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MyFreeWeather\myweather.exe
C:\Program Files\uTorrent\uTorrent.exe
C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Eset\nod32krn.exe
C:\app\Administrator\product\11.1.0\client_1\bin\omtsreco.exe
c:\oraclexe\app\oracle\product\10.2.0\server\bin\ORACLE.EXE
C:\oraclexe\app\oracle\product\10.2.0\server\BIN\tnslsnr.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Administrator\Desktop\slax\slax.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = search.conduit.com?SearchSource=10&ctid=CT1392740
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = go.compaq.com/1Q00CDT/0409/bl8.asp
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = go.microsoft.com/fwlink/?LinkId=69157
R3 - URLSearchHook: MyPlayCity Toolbar - {4724c5d8-dfa7-417a-a2f5-1eabfee9b4ac} - C:\Program Files\MyPlayCity\tbMyPl.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: MyPlayCity Toolbar - {4724c5d8-dfa7-417a-a2f5-1eabfee9b4ac} - C:\Program Files\MyPlayCity\tbMyPl.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.0.926.3450\swg.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O2 - BHO: Microsoft Web Test Recorder 9.0 Helper - {E31CE47F-C268-41ba-897B-B415E613947D} - c:\Program Files\Microsoft Visual Studio 9.0\Common7\IDE\PrivateAssemblies\Microsoft.VisualStudio.QualityTools.RecorderBarBHO90.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: MyPlayCity Toolbar - {4724c5d8-dfa7-417a-a2f5-1eabfee9b4ac} - C:\Program Files\MyPlayCity\tbMyPl.dll
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [myweather] "C:\Program Files\MyFreeWeather\myweather.exe" /autorun
O4 - HKCU\..\Run: [uTorrent] "C:\Program Files\uTorrent\uTorrent.exe"
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O8 - Extra context menu item: &NeoTrace It! - C:\PROGRA~1\VISUAL~1\NTXcontext.htm
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Add to Windows &Live Favorites - favorites.live.com/quickadd.aspx
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: NeoTrace It! - {9885224C-1217-4c5f-83C2-00002E6CEF2B} - C:\PROGRA~1\VISUAL~1\NTXtoolbar.htm (HKCU)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{04E231F6-8A30-4146-92AB-957F56D698AD}: NameServer = 81.93.89.195,81.93.89.194
O17 - HKLM\System\CS1\Services\Tcpip\..\{04E231F6-8A30-4146-92AB-957F56D698AD}: NameServer = 81.93.89.195,81.93.89.194
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: OracleMTSRecoveryService - Oracle Corporation - C:\app\Administrator\product\11.1.0\client_1\bin\omtsreco.exe
O23 - Service: OracleServiceXE - Oracle Corporation - c:\oraclexe\app\oracle\product\10.2.0\server\bin\ORACLE.EXE
O23 - Service: OracleXEClrAgent - Unknown owner - C:\oraclexe\app\oracle\product\10.2.0\server\bin\OraClrAgnt.exe
O23 - Service: OracleXETNSListener - Unknown owner - C:\oraclexe\app\oracle\product\10.2.0\server\BIN\tnslsnr.exe
O23 - Service: wampapache - Apache Software Foundation - c:\wamp\bin\apache\apache2.2.11\bin\httpd.exe
O23 - Service: wampmysqld - Unknown owner - c:\wamp\bin\mysql\mysql5.1.30\bin\mysqld.exe

--
End of file - 6831 bytes

offline
  • Joined: 04 Sep 2003
  • Posts: 24135
  • Location: Wien

And what exactly are you complaining about?

offline
  • Joined: 26 Apr 2007
  • Posts: 34

It runs slowly, and I want to know whether it has viruses; I have been plugging in infected USB drives.

offline
  • Joined: 04 Sep 2003
  • Posts: 24135
  • Location: Wien

Download ComboFix to the Desktop from one of the following addresses:
http://download.bleepingcomputer.com/sUBs/ComboFix.exe
http://www.forospyware.com/sUBs/ComboFix.exe
http://subs.geekstogo.com/ComboFix.exe

Run it and do not touch the program window while it scans.
Follow the on-screen instructions. When it finishes, a log (C:\ComboFix.txt) will appear, which you will copy here for us.

offline
  • Joined: 26 Apr 2007
  • Posts: 34

ComboFix 09-02-21.01 - Administrator 2009-02-22 12:20:02.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.759.403 [GMT 1:00]
Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
AV: ESET NOD32 antivirus system 2.70 *On-access scanning enabled* (Updated)
* Resident AV is active

.

((((((((((((((((((((((((( Files Created from 2009-01-22 to 2009-02-22 )))))))))))))))))))))))))))))))
.

2009-02-20 11:17 . 2009-02-20 11:17 <DIR> d-------- c:\program files\7-Zip
2009-02-18 18:24 . 2009-02-18 18:24 <DIR> d--h----- c:\windows\system32\GroupPolicy
2009-02-17 12:50 . 2009-02-17 12:50 <DIR> d-------- c:\windows\system32\scripting
2009-02-17 12:50 . 2009-02-17 12:50 <DIR> d-------- c:\windows\system32\en
2009-02-17 12:50 . 2009-02-17 12:50 <DIR> d-------- c:\windows\system32\bits
2009-02-17 12:50 . 2009-02-17 12:50 <DIR> d-------- c:\windows\l2schemas
2009-02-17 12:42 . 2009-02-17 12:42 <DIR> d-------- c:\windows\ServicePackFiles
2009-02-14 13:27 . 2009-02-14 13:35 189,924,970 --a------ C:\grafika.rar
2009-02-14 10:18 . 2009-02-14 10:18 <DIR> d-------- c:\program files\CCleaner
2009-02-14 09:41 . 2009-02-14 09:41 <DIR> d-------- c:\program files\Bit Che
2009-02-14 09:41 . 2009-02-14 09:41 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Convivea
2009-02-13 15:07 . 2009-02-13 15:30 <DIR> d-------- c:\documents and settings\Administrator\Application Data\SSH
2009-02-13 14:56 . 2009-02-13 14:56 <DIR> d-------- c:\program files\SSH Communications Security
2009-02-13 10:05 . 2009-02-13 10:05 118 --a------ c:\windows\system32\MRT.INI
2009-02-11 12:01 . 2009-02-11 12:01 <DIR> d-------- c:\program files\FDRLab

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-02-22 11:17 --------- d-----w c:\documents and settings\Administrator\Application Data\uTorrent
2009-02-22 10:23 --------- d-----w c:\documents and settings\All Users\Application Data\Google Updater
2009-02-17 10:50 --------- d-----w c:\program files\MyFreeWeather
2009-02-13 13:56 --------- d--h--w c:\program files\InstallShield Installation Information
2009-02-13 09:12 --------- d-----w c:\program files\Common Files\Adobe
2009-01-16 20:35 3,594,752 ------w c:\windows\system32\dllcache\mshtml.dll
2008-12-23 07:50 --------- d-----w c:\program files\Common Files\Macromedia
2008-12-23 07:49 --------- d-----w c:\program files\Macromedia
2008-12-19 09:10 70,656 ------w c:\windows\system32\dllcache\ie4uinit.exe
2008-12-19 09:10 13,824 ------w c:\windows\system32\dllcache\ieudinit.exe
2008-12-19 05:25 634,024 ------w c:\windows\system32\dllcache\iexplore.exe
2008-12-19 05:23 161,792 ------w c:\windows\system32\dllcache\ieakui.dll
2008-12-12 08:58 520,192 ----a-w c:\windows\system32\Dexter Screen Saver.scr
2008-12-11 10:57 333,952 ------w c:\windows\system32\dllcache\srv.sys
2008-11-25 17:07 5,429 ----a-w c:\windows\Sysnv32.dll
1999-04-23 22:22 12 --sha-w c:\windows\system\WININETICMP32.drv
.

((((((((((((((((((((((((((((( SnapShot@2009-02-18_11.14.50.40 )))))))))))))))))))))))))))))))))))))))))
.
- 2009-02-18 09:55:58 239,424 ----a-w c:\windows\system32\inetsrv\MetaBase.bin
+ 2009-02-20 15:24:14 239,422 ----a-w c:\windows\system32\inetsrv\MetaBase.bin
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{4724c5d8-dfa7-417a-a2f5-1eabfee9b4ac}"= "c:\program files\MyPlayCity\tbMyPl.dll" [2008-08-05 1610264]

[HKEY_CLASSES_ROOT\clsid\{4724c5d8-dfa7-417a-a2f5-1eabfee9b4ac}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4724c5d8-dfa7-417a-a2f5-1eabfee9b4ac}]
2008-08-05 02:13 1610264 --a------ c:\program files\MyPlayCity\tbMyPl.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{4724c5d8-dfa7-417a-a2f5-1eabfee9b4ac}"= "c:\program files\MyPlayCity\tbMyPl.dll" [2008-08-05 1610264]

[HKEY_CLASSES_ROOT\clsid\{4724c5d8-dfa7-417a-a2f5-1eabfee9b4ac}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{4724C5D8-DFA7-417A-A2F5-1EABFEE9B4AC}"= "c:\program files\MyPlayCity\tbMyPl.dll" [2008-08-05 1610264]

[HKEY_CLASSES_ROOT\clsid\{4724c5d8-dfa7-417a-a2f5-1eabfee9b4ac}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"myweather"="c:\program files\MyFreeWeather\myweather.exe" [2009-01-22 1585152]
"uTorrent"="c:\program files\uTorrent\uTorrent.exe" [2009-02-11 270128]
"Google Update"="c:\documents and settings\Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2008-12-02 133104]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"nod32kui"="c:\program files\Eset\nod32kui.exe" [2008-03-28 949376]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2008-10-15 01:04 39792 c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--a------ 2008-04-14 01:12 1695232 c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\myweather]
--a------ 2009-01-22 21:51 1585152 c:\program files\MyFreeWeather\MyWeather.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SetRefresh]
--a------ 2003-11-06 16:22 524800 c:\program files\Compaq\SetRefresh\SetRefresh.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\srmclean]
--ah----- 2001-07-24 22:34 36864 c:\cpqs\scom\srmclean.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2008-02-22 03:25 144784 c:\program files\Java\jre1.6.0_05\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
--a------ 2008-08-04 00:02 36352 c:\program files\Winamp\winampa.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Java\\jre1.6.0_05\\bin\\java.exe"=
"c:\\Program Files\\Java\\jdk1.6.0_05\\bin\\java.exe"=
"c:\\Program Files\\Java\\jdk1.6.0_05\\jre\\bin\\java.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\wamp\\bin\\apache\\Apache2.2.11\\bin\\httpd.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:*:Disabled:@xpsp2res.dll,-22009

R1 nod32drv;nod32drv;c:\windows\system32\drivers\nod32drv.sys [2008-03-28 15424]
R2 OracleServiceXE;OracleServiceXE;c:\oraclexe\app\oracle\product\10.2.0\server\bin\ORACLE.EXE XE --> c:\oraclexe\app\oracle\product\10.2.0\server\bin\ORACLE.EXE XE [?]
R2 OracleXETNSListener;OracleXETNSListener;c:\oraclexe\app\oracle\product\10.2.0\server\BIN\TNSLSNR.EXE [2006-02-01 204800]
S3 VSPerfDrv90;Performance Tools Driver 9.0;c:\program files\Microsoft Visual Studio 9.0\Team Tools\Performance Tools\VSPerfDrv90.sys [2007-09-04 55664]
S4 OracleJobSchedulerXE;OracleJobSchedulerXE;c:\oraclexe\app\oracle\product\10.2.0\server\Bin\extjob.exe XE --> c:\oraclexe\app\oracle\product\10.2.0\server\Bin\extjob.exe XE [?]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{4a551df2-0797-11dd-8008-000ffe128688}]
\Shell\AutoRun\command - E:\ur0.com
\Shell\open\Command - E:\ur0.com

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{7e17bdc7-f9ae-11dd-80b4-000ffe128688}]
\Shell\AutoRun\command - E:\opgde.exe
\Shell\open\Command - E:\opgde.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{7e17bdcb-f9ae-11dd-80b4-000ffe128688}]
\Shell\AutoRun\command - E:\opgde.exe
\Shell\open\Command - E:\opgde.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e857e3c4-0d15-11dd-8011-000ffe128688}]
\Shell\AutoOpen\command - e:\.\MSOCache\90000804-6000-11D3-8CFE-0150048383C9\KB915865.exe
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL .\MSOCache\90000804-6000-11D3-8CFE-0150048383C9\KB915865.exe
.
Contents of the 'Scheduled Tasks' folder

2009-02-22 c:\windows\Tasks\Check Updates for Windows Live Toolbar.job
- c:\program files\Windows Live Toolbar\MSNTBUP.EXE [2006-09-27 16:39]

2009-02-21 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2037756552-2343093921-4187683305-500.job
- c:\documents and settings\Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-12-02 10:54]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://search.conduit.com?SearchSource=10&ctid=CT1392740
mSearch Bar = hxxp://go.compaq.com/1Q00CDT/0409/bl8.asp
IE: &NeoTrace It! - c:\progra~1\VISUAL~1\NTXcontext.htm
IE: &Windows Live Search - c:\program files\Windows Live Toolbar\msntb.dll/search.htm
IE: Add to Windows &Live Favorites - favorites.live.com/quickadd.aspx
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
LSP: c:\windows\system32\imon.dll
TCP: {04E231F6-8A30-4146-92AB-957F56D698AD} = 81.93.89.195,81.93.89.194
DPF: Microsoft XML Parser for Java - file:///C:/WINDOWS/Java/classes/xmldso.cab
FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\sk9b4yt2.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.ba/
FF - plugin: c:\documents and settings\Administrator\Local Settings\Application Data\Google\Update\1.2.141.5\npGoogleOneClick7.dll
FF - plugin: c:\program files\Google\Google Updater\2.4.1425.4532\npCIDetect13.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, gmer.net
Rootkit scan 2009-02-22 12:21:24
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'lsass.exe'(740)
c:\windows\system32\imon.dll
.
Completion time: 2009-02-22 12:23:34
ComboFix-quarantined-files.txt 2009-02-22 11:23:26
ComboFix2.txt 2009-02-22 11:17:22
ComboFix3.txt 2009-02-18 10:16:22

Pre-Run: 1,419,300,864 bytes free
Post-Run: 1,401,729,024 bytes free

161 --- E O F --- 2009-02-18 02:00:41

offline
  • Joined: 04 Sep 2003
  • Posts: 24135
  • Location: Wien

- Download USBNoRisk to the Desktop and run it by double-clicking the program icon.
- Wait a few seconds while the program performs its initial scan.
- Insert all USB storage devices one after another into the USB slot and keep each one in the slot for 10 seconds.
- If you have several devices to check, write down on a piece of paper the order in which they were inserted, because we will need that information later.
- When you have finished with all the devices, right-click in the middle of the program window and choose the Save log option. That will automatically open the log in Notepad. Copy that log from Notepad to the forum for us.

Explanation: USB storage devices are all those devices that get their own drive letter when connected to the computer. These include USB flash drives, external hard disks, memory cards, MP3 and MP4 players, some mobile phones, some GPS (navigation) devices, etc.

offline
  • Joined: 26 Apr 2007
  • Posts: 34

USBNoRisk 1.5 by bobby

Started at 2/22/2009 12:36:17 PM

Scanning for connected USB Mass storage...
----------------------------------------
========================================

Scanning for other storage...
----------------------------------------
C: {7bb3f11e-fcf9-11dc-89b7-806d6172696f}
========================================


Scanning fixed storage for autorun.inf files...
----------------------------------------
Autorun.inf on C: - None
----------------------------------------

Sanitizing Shell Menu...
----------------------------------------
No key found for C:
No key found for 7bb3f11e-fcf9-11dc-89b7-806d6172696f
========================================



New device connected at 2/22/2009 12:36:58 PM

Scanning for connected USB mass storage...
----------------------------------------
E: {08a739b5-ff26-11dd-80b9-000ffe128688}
Added E:
========================================

Scanning USB mass storage for files...
----------------------------------------
----------------------------------------
Autorun.inf on E: - None
----------------------------------------

Sanitizing Shell Menu...
----------------------------------------
No key found for 08a739b5-ff26-11dd-80b9-000ffe128688
========================================

----------------------------------------

Desktop.ini on E: - None
----------------------------------------

========================================

========================================
Removed E:
========================================


New device connected at 2/22/2009 12:37:03 PM

Scanning for connected USB mass storage...
----------------------------------------
E: {08a739b5-ff26-11dd-80b9-000ffe128688}
Added E:
========================================

Scanning USB mass storage for files...
----------------------------------------
----------------------------------------
Autorun.inf on E: - None
----------------------------------------

Sanitizing Shell Menu...
----------------------------------------
No key found for 08a739b5-ff26-11dd-80b9-000ffe128688
========================================

----------------------------------------

Desktop.ini on E: - None
----------------------------------------

========================================

========================================
Removed E:
========================================


New device connected at 2/22/2009 12:37:05 PM

Scanning for connected USB mass storage...
----------------------------------------
E: {08a739b5-ff26-11dd-80b9-000ffe128688}
Added E:
========================================

Scanning USB mass storage for files...
----------------------------------------
----------------------------------------
Autorun.inf on E: - None
----------------------------------------

Sanitizing Shell Menu...
----------------------------------------
No key found for 08a739b5-ff26-11dd-80b9-000ffe128688
========================================

----------------------------------------

Desktop.ini on E: - None
----------------------------------------

========================================

========================================
Removed E:
========================================

offline
  • Joined: 04 Sep 2003
  • Posts: 24135
  • Location: Wien

Open Notepad and copy the following text into it:

Registry::
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{4a551df2-0797-11dd-8008-000ffe128688}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{7e17bdc7-f9ae-11dd-80b4-000ffe128688}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{7e17bdcb-f9ae-11dd-80b4-000ffe128688}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e857e3c4-0d15-11dd-8011-000ffe128688}]


Save the file from Notepad to the Desktop as "CFScript"

Drag the saved script/text onto the ComboFix icon as in the picture.
Post in your next message the log that is created at the end of the cleaning/scan.

Update: 22 Feb 2009 12:48

Upload the following file for me so I can check it:
c:\windows\Sysnv32.dll

Do the upload through the following form:
http://www.mycity.rs/ambulanta-upload.php
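The CFScript in the post above was written by hand after reading the four `mountpoints2` keys out of the ComboFix log. As an added example, not part of the original thread and not ComboFix's, USBNoRisk's or the forum's own code, the following Python script automates that reading: it parses the `mountpoints2` section of a ComboFix log (the four entries from the log posted earlier in this thread are embedded as the sample input), keeps every key that carries a `\Shell\...\command` value, notes whether the command is a bare executable in the root of a drive (the shape left by autorun worms carried on USB media, as with `E:\ur0.com` and `E:\opgde.exe`), and emits the same `Registry::` deletion block for ComboFix. The function names, the `MountPoint` class and the "executable in drive root" heuristic are my own choices for this example, not ComboFix features.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: the "mountpoints2" section as ComboFix printed it in the
# log posted above (four per-volume keys, each with Shell\...\command values).
SAMPLE_LOG = r"""
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{4a551df2-0797-11dd-8008-000ffe128688}]
\Shell\AutoRun\command - E:\ur0.com
\Shell\open\Command - E:\ur0.com

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{7e17bdc7-f9ae-11dd-80b4-000ffe128688}]
\Shell\AutoRun\command - E:\opgde.exe
\Shell\open\Command - E:\opgde.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{7e17bdcb-f9ae-11dd-80b4-000ffe128688}]
\Shell\AutoRun\command - E:\opgde.exe
\Shell\open\Command - E:\opgde.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e857e3c4-0d15-11dd-8011-000ffe128688}]
\Shell\AutoOpen\command - e:\.\MSOCache\90000804-6000-11D3-8CFE-0150048383C9\KB915865.exe
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL .\MSOCache\90000804-6000-11D3-8CFE-0150048383C9\KB915865.exe
"""

# A MountPoints2 key line: [HKEY_CURRENT_USER\...\mountpoints2\{GUID}]
KEY_RE = re.compile(
    r"^\[(HKEY_CURRENT_USER\\software\\microsoft\\windows\\currentversion"
    r"\\explorer\\mountpoints2\\\{[0-9a-f-]+\})\]$", re.I)
# A handler line under that key: \Shell\<verb>\command - <command line>
CMD_RE = re.compile(r"^\\Shell\\(\w+)\\command - (.+)$", re.I)
# A command that is a bare executable in the root of a drive (E:\foo.exe):
# the pattern an autorun.inf worm on removable media leaves behind.
ROOT_EXE_RE = re.compile(r"^[a-z]:\\[^\\]+\.(exe|com|bat|cmd|scr|pif)$", re.I)


@dataclass
class MountPoint:
    key: str                                      # full registry key path
    commands: dict = field(default_factory=dict)  # verb (lower-case) -> command line

    def reason(self) -> str:
        """Why the key is worth removing (heuristic chosen for this example)."""
        if any(ROOT_EXE_RE.match(c.strip()) for c in self.commands.values()):
            return "executable in drive root"
        return "shell command recorded for a removable volume"


def parse_mountpoints(log_text: str) -> list:
    """Return every MountPoints2 key in the log that carries a Shell command."""
    points, current = [], None
    for raw in log_text.splitlines():
        line = raw.rstrip()
        key = KEY_RE.match(line)
        if key:
            current = MountPoint(key=key.group(1))
            points.append(current)
            continue
        cmd = CMD_RE.match(line)
        if cmd and current is not None:
            current.commands[cmd.group(1).lower()] = cmd.group(2)
    return [p for p in points if p.commands]


def build_cfscript(points: list) -> str:
    """Emit the ComboFix CFScript 'Registry::' block; '[-key]' deletes the key."""
    lines = ["Registry::"] + ["[-" + p.key + "]" for p in points]
    return "\n".join(lines) + "\n"


def report(points: list) -> list:
    """One readable line per flagged key, for the helper's review before deleting."""
    out = []
    for p in points:
        guid = p.key.rsplit("\\", 1)[1]
        cmds = ", ".join("%s=%s" % kv for kv in sorted(p.commands.items()))
        out.append("%s  <-  %s (%s)" % (guid, cmds, p.reason()))
    return out


if __name__ == "__main__":
    found = parse_mountpoints(SAMPLE_LOG)
    print("\n".join(report(found)))
    print()
    print(build_cfscript(found), end="")
```

Deleting the keys only clears the per-volume handlers cached on the PC; the files those handlers pointed at live on the removable media themselves, which is why the USBNoRisk step earlier in the thread checks each device separately for autorun.inf.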

offline
  • Joined: 26 Apr 2007
  • Posts: 34

ComboFix 09-02-21.01 - Administrator 2009-02-22 12:47:28.4 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.759.403 [GMT 1:00]
Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Administrator\Desktop\CFScript.txt
AV: ESET NOD32 antivirus system 2.70 *On-access scanning enabled* (Updated)
* Created a new restore point
* Resident AV is active

.

((((((((((((((((((((((((( Files Created from 2009-01-22 to 2009-02-22 )))))))))))))))))))))))))))))))
.

2009-02-22 12:37 . 2009-02-22 12:38 <DIR> d-------- C:\USBNoRisk
2009-02-20 11:17 . 2009-02-20 11:17 <DIR> d-------- c:\program files\7-Zip
2009-02-18 18:24 . 2009-02-18 18:24 <DIR> d--h----- c:\windows\system32\GroupPolicy
2009-02-17 12:50 . 2009-02-17 12:50 <DIR> d-------- c:\windows\system32\scripting
2009-02-17 12:50 . 2009-02-17 12:50 <DIR> d-------- c:\windows\system32\en
2009-02-17 12:50 . 2009-02-17 12:50 <DIR> d-------- c:\windows\system32\bits
2009-02-17 12:50 . 2009-02-17 12:50 <DIR> d-------- c:\windows\l2schemas
2009-02-17 12:42 . 2009-02-17 12:42 <DIR> d-------- c:\windows\ServicePackFiles
2009-02-14 13:27 . 2009-02-14 13:35 189,924,970 --a------ C:\grafika.rar
2009-02-14 10:18 . 2009-02-14 10:18 <DIR> d-------- c:\program files\CCleaner
2009-02-14 09:41 . 2009-02-14 09:41 <DIR> d-------- c:\program files\Bit Che
2009-02-14 09:41 . 2009-02-14 09:41 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Convivea
2009-02-13 15:07 . 2009-02-13 15:30 <DIR> d-------- c:\documents and settings\Administrator\Application Data\SSH
2009-02-13 14:56 . 2009-02-13 14:56 <DIR> d-------- c:\program files\SSH Communications Security
2009-02-13 10:05 . 2009-02-13 10:05 118 --a------ c:\windows\system32\MRT.INI
2009-02-11 12:01 . 2009-02-11 12:01 <DIR> d-------- c:\program files\FDRLab

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-02-22 11:45 --------- d-----w c:\documents and settings\Administrator\Application Data\uTorrent
2009-02-22 10:23 --------- d-----w c:\documents and settings\All Users\Application Data\Google Updater
2009-02-17 10:50 --------- d-----w c:\program files\MyFreeWeather
2009-02-13 13:56 --------- d--h--w c:\program files\InstallShield Installation Information
2009-02-13 09:12 --------- d-----w c:\program files\Common Files\Adobe
2009-01-16 20:35 3,594,752 ------w c:\windows\system32\dllcache\mshtml.dll
2008-12-23 07:50 --------- d-----w c:\program files\Common Files\Macromedia
2008-12-23 07:49 --------- d-----w c:\program files\Macromedia
2008-12-19 09:10 70,656 ------w c:\windows\system32\dllcache\ie4uinit.exe
2008-12-19 09:10 13,824 ------w c:\windows\system32\dllcache\ieudinit.exe
2008-12-19 05:25 634,024 ------w c:\windows\system32\dllcache\iexplore.exe
2008-12-19 05:23 161,792 ------w c:\windows\system32\dllcache\ieakui.dll
2008-12-12 08:58 520,192 ----a-w c:\windows\system32\Dexter Screen Saver.scr
2008-12-11 10:57 333,952 ------w c:\windows\system32\dllcache\srv.sys
2008-11-25 17:07 5,429 ----a-w c:\windows\Sysnv32.dll
1999-04-23 22:22 12 --sha-w c:\windows\system\WININETICMP32.drv
.

((((((((((((((((((((((((((((( SnapShot@2009-02-18_11.14.50.40 )))))))))))))))))))))))))))))))))))))))))
.
- 2009-02-18 09:55:58 239,424 ----a-w c:\windows\system32\inetsrv\MetaBase.bin
+ 2009-02-20 15:24:14 239,422 ----a-w c:\windows\system32\inetsrv\MetaBase.bin
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{4724c5d8-dfa7-417a-a2f5-1eabfee9b4ac}"= "c:\program files\MyPlayCity\tbMyPl.dll" [2008-08-05 1610264]

[HKEY_CLASSES_ROOT\clsid\{4724c5d8-dfa7-417a-a2f5-1eabfee9b4ac}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4724c5d8-dfa7-417a-a2f5-1eabfee9b4ac}]
2008-08-05 02:13 1610264 --a------ c:\program files\MyPlayCity\tbMyPl.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{4724c5d8-dfa7-417a-a2f5-1eabfee9b4ac}"= "c:\program files\MyPlayCity\tbMyPl.dll" [2008-08-05 1610264]

[HKEY_CLASSES_ROOT\clsid\{4724c5d8-dfa7-417a-a2f5-1eabfee9b4ac}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{4724C5D8-DFA7-417A-A2F5-1EABFEE9B4AC}"= "c:\program files\MyPlayCity\tbMyPl.dll" [2008-08-05 1610264]

[HKEY_CLASSES_ROOT\clsid\{4724c5d8-dfa7-417a-a2f5-1eabfee9b4ac}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"myweather"="c:\program files\MyFreeWeather\myweather.exe" [2009-01-22 1585152]
"uTorrent"="c:\program files\uTorrent\uTorrent.exe" [2009-02-11 270128]
"Google Update"="c:\documents and settings\Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2008-12-02 133104]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"nod32kui"="c:\program files\Eset\nod32kui.exe" [2008-03-28 949376]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2008-10-15 01:04 39792 c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--a------ 2008-04-14 01:12 1695232 c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\myweather]
--a------ 2009-01-22 21:51 1585152 c:\program files\MyFreeWeather\MyWeather.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SetRefresh]
--a------ 2003-11-06 16:22 524800 c:\program files\Compaq\SetRefresh\SetRefresh.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\srmclean]
--ah----- 2001-07-24 22:34 36864 c:\cpqs\scom\srmclean.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2008-02-22 03:25 144784 c:\program files\Java\jre1.6.0_05\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
--a------ 2008-08-04 00:02 36352 c:\program files\Winamp\winampa.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Java\\jre1.6.0_05\\bin\\java.exe"=
"c:\\Program Files\\Java\\jdk1.6.0_05\\bin\\java.exe"=
"c:\\Program Files\\Java\\jdk1.6.0_05\\jre\\bin\\java.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\wamp\\bin\\apache\\Apache2.2.11\\bin\\httpd.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:*:Disabled:@xpsp2res.dll,-22009

R1 nod32drv;nod32drv;c:\windows\system32\drivers\nod32drv.sys [2008-03-28 15424]
R2 OracleServiceXE;OracleServiceXE;c:\oraclexe\app\oracle\product\10.2.0\server\bin\ORACLE.EXE XE --> c:\oraclexe\app\oracle\product\10.2.0\server\bin\ORACLE.EXE XE [?]
R2 OracleXETNSListener;OracleXETNSListener;c:\oraclexe\app\oracle\product\10.2.0\server\BIN\TNSLSNR.EXE [2006-02-01 204800]
S3 VSPerfDrv90;Performance Tools Driver 9.0;c:\program files\Microsoft Visual Studio 9.0\Team Tools\Performance Tools\VSPerfDrv90.sys [2007-09-04 55664]
S4 OracleJobSchedulerXE;OracleJobSchedulerXE;c:\oraclexe\app\oracle\product\10.2.0\server\Bin\extjob.exe XE --> c:\oraclexe\app\oracle\product\10.2.0\server\Bin\extjob.exe XE [?]
.
Contents of the 'Scheduled Tasks' folder

2009-02-22 c:\windows\Tasks\Check Updates for Windows Live Toolbar.job
- c:\program files\Windows Live Toolbar\MSNTBUP.EXE [2006-09-27 16:39]

2009-02-21 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2037756552-2343093921-4187683305-500.job
- c:\documents and settings\Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-12-02 10:54]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://search.conduit.com?SearchSource=10&ctid=CT1392740
mSearch Bar = hxxp://go.compaq.com/1Q00CDT/0409/bl8.asp
IE: &NeoTrace It! - c:\progra~1\VISUAL~1\NTXcontext.htm
IE: &Windows Live Search - c:\program files\Windows Live Toolbar\msntb.dll/search.htm
IE: Add to Windows &Live Favorites - favorites.live.com/quickadd.aspx
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
LSP: c:\windows\system32\imon.dll
TCP: {04E231F6-8A30-4146-92AB-957F56D698AD} = 81.93.89.195,81.93.89.194
DPF: Microsoft XML Parser for Java - file:///C:/WINDOWS/Java/classes/xmldso.cab
FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\sk9b4yt2.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.ba/
FF - plugin: c:\documents and settings\Administrator\Local Settings\Application Data\Google\Update\1.2.141.5\npGoogleOneClick7.dll
FF - plugin: c:\program files\Google\Google Updater\2.4.1425.4532\npCIDetect13.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, gmer.net
Rootkit scan 2009-02-22 12:50:36
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'lsass.exe'(740)
c:\windows\system32\imon.dll
.
Completion time: 2009-02-22 12:52:45
ComboFix-quarantined-files.txt 2009-02-22 11:52:38
ComboFix2.txt 2009-02-22 11:23:36
ComboFix3.txt 2009-02-22 11:17:22
ComboFix4.txt 2009-02-18 10:16:22

Pre-Run: 1,413,554,176 bytes free
Post-Run: 1,395,552,256 bytes free

153 --- E O F --- 2009-02-18 02:00:41

offline
  • Joined: 04 Sep 2003
  • Posts: 24135
  • Location: Wien

You skipped one part of my previous message.

Upload the following file for me so I can check it:
c:\windows\Sysnv32.dll

Do the upload through the following form:
http://www.mycity.rs/ambulanta-upload.php
