HijackThis log :)

19 replies to this topic

#1
knutz0r
    New Member
  • Group: Members
  • Posts: 17
  • Joined: 14.07.2008
Logfile of Trend Micro HiJackThis v2.0.2
Scan saved at 22:24:39, on 09.04.2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\FileZilla Server\FileZilla Server.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\VMSnap5.EXE
C:\WINDOWS\Domino.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
C:\Program Files\Winamp\winamp.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\bora\Desktop\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.ro/
O2 - BHO: btorbit.com - {000123B4-9B42-4900-B3F7-F4B073EFC214} - C:\Program Files\Orbitdownloader\orbitcth.dll
O2 - BHO: Asistenta legaturi Adobe PDF Reader - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Grab Pro - {C55BBCD6-41AD-48AD-9953-3609C48EACC7} - C:\Program Files\Orbitdownloader\GrabPro.dll
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [NVRTCLK] C:\WINDOWS\system32\NVRTCLK\NVRTClk.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [VMSnap5] C:\WINDOWS\VMSnap5.EXE
O4 - HKLM\..\Run: [Domino] C:\WINDOWS\Domino.EXE
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Orbit.lnk = C:\Program Files\Orbitdownloader\orbitdm.exe
O8 - Extra context menu item: &Download by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/201
O8 - Extra context menu item: &Grab video by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/204
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200
O8 - Extra context menu item: Do&wnload selected by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/203
O8 - Extra context menu item: Down&load all by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/202
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{13123971-2FB4-46E7-8ADE-3AFACBDCDA8F}: NameServer = 192.168.0.2
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Filezilla Server FTP server (FileZilla Server) - FileZilla Project - C:\Program Files\FileZilla Server\FileZilla Server.exe
O23 - Service: Google Cryptographic Service - Google - C:\WINDOWS\Fonts\GoogleToolbarcheck.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\Aspam.spam.exe
O23 - Service: nProtect GameGuard Service (npggsvc) - Unknown owner - C:\WINDOWS\system32\GameMon.des.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: TuneUp Drive Defrag Service (TuneUp.Defrag) - TuneUp Software GmbH - C:\WINDOWS\System32\TuneUpDefragService.exe

--
End of file - 5265 bytes

------------------------------------------------------------------------------------------------------------------------

Awaiting a reply :)

#2
rootkit
    Awake. Security DNA
  • Group: Senior Members
  • Posts: 34,883
  • Joined: 07.02.2007
Put the following files in an archive with the password infected and send me a PM with it, or upload it to a server (for example: http://www.rapidshare.com ) and send me a PM with the download link so I can submit it for analysis.

Quote

C:\WINDOWS\Fonts\GoogleToolbarcheck.exe

DO NOT ATTACH THE ARCHIVE AND DO NOT POST THE DOWNLOAD LINK ON THE FORUM!

After you have done that, and only after you do that...

Download Dr. Web CureIt: ftp://ftp.drweb.com/pub/drweb/cureit/launch.exe

Do a full scan with it.
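
The reply above picks one entry out of the log (a service binary living under C:\WINDOWS\Fonts) for analysis. The script below is an added example, not code from the thread or from HijackThis, that applies the same kind of triage rules to HijackThis O4/O23 lines: binaries in directories that never host legitimate services, a service whose file is missing or whose owner is unknown, and core Windows binary names (svchost.exe etc.) outside system32 or at the drive root. The sample log is constructed from a few lines in the same format, and the hits are prompts for manual review, not malware verdicts.

```python
import re

# Constructed sample in the HijackThis v2 log format (not the poster's full log):
# the Fonts-directory service the thread singled out, a service with a missing
# binary, and a Run entry pointing at an svchost.exe at the drive root.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [svchost] C:\svchost.exe
O23 - Service: Google Cryptographic Service - Google - C:\WINDOWS\Fonts\GoogleToolbarcheck.exe
O23 - Service: nProtect GameGuard Service (npggsvc) - Unknown owner - C:\WINDOWS\system32\GameMon.des.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
"""

# Directories where a legitimate service or autorun binary has no business living.
ODD_DIRS = ("\\windows\\fonts\\", "\\windows\\tasks\\", "\\windows\\temp\\", "\\recycler\\")
# Core Windows binary names that malware likes to borrow; the real ones live in system32.
SYSTEM_NAMES = ("svchost.exe", "lsass.exe", "winlogon.exe", "csrss.exe", "services.exe")
# A drive-letter path ending in an executable-type extension.
PATH_RE = re.compile(r"[a-z]:\\[^\s,]*\.(?:exe|dll|cpl|scr|ocx|sys)", re.IGNORECASE)


def triage(log_text):
    """Return (line, reason) pairs for O4/O23 entries that deserve a manual look."""
    hits = []
    for line in log_text.splitlines():
        if not line.startswith(("O4 ", "O23 ")):
            continue
        reasons = []
        low = line.lower()
        if "(file missing)" in low:
            reasons.append("service binary missing: orphaned or already removed entry")
        if "unknown owner" in low:
            reasons.append("no publisher recorded for service")
        for m in PATH_RE.finditer(line):
            path = m.group(0).lower()
            if any(d in path for d in ODD_DIRS):
                reasons.append("binary in unusual directory: " + m.group(0))
            name = path.rsplit("\\", 1)[-1]
            if name in SYSTEM_NAMES and "\\system32\\" not in path:
                reasons.append("system binary name outside system32: " + m.group(0))
            if re.fullmatch(r"[a-z]:\\[^\\]+", path):  # sits directly at the drive root
                reasons.append("binary at drive root: " + m.group(0))
        hits.extend((line, r) for r in reasons)
    return hits


if __name__ == "__main__":
    for line, reason in triage(SAMPLE_LOG):
        print(reason, "<-", line)
```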

#3
knutz0r
    New Member
  • Group: Members
  • Posts: 17
  • Joined: 14.07.2008

crysty2k5, on Apr 9 2009, 21:36, said:

Put the following files in an archive with the password infected and send me a PM with it, or upload it to a server (for example: http://www.rapidshare.com ) and send me a PM with the download link so I can submit it for analysis.

DO NOT ATTACH THE ARCHIVE AND DO NOT POST THE DOWNLOAD LINK ON THE FORUM!

After you have done that, and only after you do that...

Download Dr. Web CureIt: ftp://ftp.drweb.com/pub/drweb/cureit/launch.exe

Do a full scan with it.

Unfortunately I no longer have the file :| ... I scanned with a BitDefender utility for Conficker and it found 3 files, that one among them ... and I deleted them ... that was before you gave me your answer ... what can I do now?

#4
rootkit
    Awake. Security DNA
  • Group: Senior Members
  • Posts: 34,883
  • Joined: 07.02.2007
Scan with Dr. Web as I told you above.

#5
knutz0r
    New Member
  • Group: Members
  • Posts: 17
  • Joined: 14.07.2008

crysty2k5, on Apr 10 2009, 09:12, said:

Scan with Dr. Web as I told you above.

I scanned and it found nothing :lol:

#6
xxvirusxx
    Retired
  • Group: Senior Members
  • Posts: 13,441
  • Joined: 11.11.2005
Well, what problems are you having?

Edited by xxvirusxx, 10 April 2009 - 09:42.


#7
rootkit
    Awake. Security DNA
  • Group: Senior Members
  • Posts: 34,883
  • Joined: 07.02.2007
From what he says, he had traces of Conficker.

Download Malwarebytes Anti-Malware and save it to the Desktop.
Install it and at the end make sure the following are ticked: Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware. Then press Finish.
After the program launches, select Perform full scan and then press Scan.
When the scan finishes, press OK and then Show Results. Make sure everything is ticked and then press Remove Selected.
At the end a Notepad file with the scan results will open. Post its contents here.

Edited by crysty2k5, 12 April 2009 - 10:22.


#8
knutz0r
    New Member
  • Group: Members
  • Posts: 17
  • Joined: 14.07.2008

xxvirusxx, on Apr 10 2009, 09:38, said:

Well, what problems are you having?

I can't connect to http://www.virustotal.com/ or to http://www.kaspersky.com …  :lol:

#9
rootkit
    Awake. Security DNA
  • Group: Senior Members
  • Posts: 34,883
  • Joined: 07.02.2007
Take a look here: http://forum.softped...t...t&p=6288866

I think the traces of Conficker are not gone.

#10
knutz0r
    New Member
  • Group: Members
  • Posts: 17
  • Joined: 14.07.2008
First log, after the scan:

Malwarebytes' Anti-Malware 1.36
Database version: 1970
Windows 5.1.2600 Service Pack 2

12.04.2009 11:56:43
mbam-log-2009-04-12 (11-56-37).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 166222
Time elapsed: 49 minute(s), 4 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 3
Folders Infected: 1
Files Infected: 13

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.

Folders Infected:
C:\WINDOWS\tmpie (Backdoor.Bot) -> No action taken.

Files Infected:
C:\WINDOWS\tmpie\msado25.tlb (Backdoor.Bot) -> No action taken.
C:\WINDOWS\tmpie\MSVBVM60.DLL (Backdoor.Bot) -> No action taken.
C:\WINDOWS\tmpie\MSWINSCK.OCX (Backdoor.Bot) -> No action taken.
C:\WINDOWS\tmpie\RICHTX32.OCX (Backdoor.Bot) -> No action taken.
C:\WINDOWS\tmpie\SubclassingSink.tlb (Backdoor.Bot) -> No action taken.
C:\WINDOWS\tmpie\urlmon.dll (Backdoor.Bot) -> No action taken.
C:\WINDOWS\tmpie\wbemdisp.tlb (Backdoor.Bot) -> No action taken.
C:\WINDOWS\tmpie\wininet.dll (Backdoor.Bot) -> No action taken.
C:\WINDOWS\tmpie\ws2_32.dll (Backdoor.Bot) -> No action taken.
C:\loadhdd.bat (Trojan.Agent) -> No action taken.
C:\svchost.bat (Trojan.Agent) -> No action taken.
C:\WINDOWS\Tasks\taskeng.exe (Spyware.OnlineGames) -> No action taken.
C:\svchost.exe (Trojan.Agent) -> No action taken.


Second log, after disinfection:

Malwarebytes' Anti-Malware 1.36
Database version: 1970
Windows 5.1.2600 Service Pack 2

12.04.2009 11:56:52
mbam-log-2009-04-12 (11-56-52).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 166222
Time elapsed: 49 minute(s), 4 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 3
Folders Infected: 1
Files Infected: 13

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
C:\WINDOWS\tmpie (Backdoor.Bot) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\tmpie\msado25.tlb (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\WINDOWS\tmpie\MSVBVM60.DLL (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\WINDOWS\tmpie\MSWINSCK.OCX (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\WINDOWS\tmpie\RICHTX32.OCX (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\WINDOWS\tmpie\SubclassingSink.tlb (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\WINDOWS\tmpie\urlmon.dll (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\WINDOWS\tmpie\wbemdisp.tlb (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\WINDOWS\tmpie\wininet.dll (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\WINDOWS\tmpie\ws2_32.dll (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\loadhdd.bat (Trojan.Agent) -> Quarantined and deleted successfully.
C:\svchost.bat (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Tasks\taskeng.exe (Spyware.OnlineGames) -> Quarantined and deleted successfully.
C:\svchost.exe (Trojan.Agent) -> Quarantined and deleted successfully.

Awaiting a reply :)

#11
rootkit
    Awake. Security DNA
  • Group: Senior Members
  • Posts: 34,883
  • Joined: 07.02.2007
Good, good...

You cleaned up everything that was there.

Can you access those sites now?!

Edited by crysty2k5, 13 April 2009 - 14:51.


#12
knutz0r
    New Member
  • Group: Members
  • Posts: 17
  • Joined: 14.07.2008

crysty2k5, on Apr 12 2009, 11:04, said:

Good, good...

You cleaned up everything that was there.

Can you access those sites now?!

No, I still can't ... maybe because I haven't restarted the PC ... I can't restart yet ... after I restart I'll tell you whether I can get in or not :) ... anyway, thanks a lot!

#13
knutz0r
    New Member
  • Group: Members
  • Posts: 17
  • Joined: 14.07.2008
I restarted ... still can't :)

#14
pykko
    I love, therefore I am
  • Group: Senior Members
  • Posts: 7,228
  • Joined: 10.02.2006

knutz0r, on Apr 13 2009, 09:22, said:

I restarted ... still can't :)

What type of connection do you have?

If you don't have wireless, try the attached program. Install it, then run it and press the two buttons: "Reset TCP\IP" and "Reset Winsock".

Attached Files



#15
knutz0r
    New Member
  • Group: Members
  • Posts: 17
  • Joined: 14.07.2008

pykko, on Apr 13 2009, 12:20, said:

What type of connection do you have?

If you don't have wireless, try the attached program. Install it, then run it and press the two buttons: "Reset TCP\IP" and "Reset Winsock".

I ran that too ... it broke my internet connection ... the net doesn't work at all anymore ... I still can't access the pages :(

#16
rootkit
    Awake. Security DNA
  • Group: Senior Members
  • Posts: 34,883
  • Joined: 07.02.2007
Well, if you have to configure the network settings, ask the ISP for the IP, DNS, etc.

If not, leave them on auto.

#17
knutz0r
    New Member
  • Group: Members
  • Posts: 17
  • Joined: 14.07.2008

crysty2k5, on Apr 15 2009, 20:32, said:

Well, if you have to configure the network settings, ask the ISP for the IP, DNS, etc.

If not, leave them on auto.

That's just it, I had them set, and after I ran that they were switched to auto ... I set them again and it still doesn't work :)

#18
rootkit
    Awake. Security DNA
  • Group: Senior Members
  • Posts: 34,883
  • Joined: 07.02.2007
Download SUPERAntiSpyware and save it to the Desktop.
Install it, then open the main window and press Check for Updates...
After the update, press Scan Computer... Make sure Perform Complete Scan is ticked and press Next.

Then post the scan results here.

