How to recognize a trojan?

mexxx
I have a trojan on my computer. I scanned with Trend Micro HijackThis v2.0.2,
but I don't know what I'm allowed to delete. If anyone knows what should be deleted, please write it down.
Here is the LOG FILE:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:12:49, on 23.9.2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Safe mode

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Symantec AntiVirus\VPC32.exe
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Ad-Aware.exe
C:\WINDOWS\system32\mmc.exe
C:\WINDOWS\system32\DfrgNtfs.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://softwarereferral.com/jump.php?wmid=6010&mid=MjI6Ojg5&lid=2
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: MSVPS System - {31CBB13B-244D-4C44-AED5-DCAD70F66281} - C:\WINDOWS\nsduo.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &3rtg - {85E0B173-04FA-11D1-B7DA-00A0C90348D6} - C:\Program Files\3rtg\3rtg.dll
O3 - Toolbar: Webshots Toolbar - {C17590D2-ECB4-4b15-8820-F58798DCC118} - C:\Program Files\Webshots\WSToolbar4IE.dll
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.EXE -onlytray
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\RunServices: [msvccc66] svcchosst.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Program Files\BitTorrent_DNA\dna.exe"
O4 - HKCU\..\Run: [PcSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [melg34] C:\WINDOWS\system32\mdmd.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [staeck12] C:\WINDOWS\system32\mfcee.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [melg3445] C:\WINDOWS\System32\4.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: &Webshots Photo Search - res://C:\Program Files\Webshots\WSToolbar4IE.dll/MENUSEARCH.HTM
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/win...ls/en/x86/client/wuweb_site.cab?1188413140072
O21 - SSODL: msmhost - {488CF753-18FD-48DE-B72D-91955BBD5498} - C:\WINDOWS\msmhost.dll
O21 - SSODL: msmdev - {22CD2041-DBA3-4D0D-837C-EF498BD9F639} - C:\WINDOWS\msmdev.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: NOTEPAD - Unknown owner - C:\WINDOWS\system\NOTEPAD.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 5034 bytes



THANKS!
 
Run HijackThis, scan, and check the following lines:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://softwarereferral.com/jump.php?wmid=6010&mid=MjI6Ojg5&lid=2
O2 - BHO: MSVPS System - {31CBB13B-244D-4C44-AED5-DCAD70F66281} - C:\WINDOWS\nsduo.dll
O4 - HKLM\..\RunServices: [msvccc66] svcchosst.exe
O4 - HKUS\S-1-5-18\..\Run: [melg34] C:\WINDOWS\system32\mdmd.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [staeck12] C:\WINDOWS\system32\mfcee.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [melg3445] C:\WINDOWS\System32\4.exe (User 'SYSTEM')
O21 - SSODL: msmhost - {488CF753-18FD-48DE-B72D-91955BBD5498} - C:\WINDOWS\msmhost.dll
O21 - SSODL: msmdev - {22CD2041-DBA3-4D0D-837C-EF498BD9F639} - C:\WINDOWS\msmdev.dll
O23 - Service: NOTEPAD - Unknown owner - C:\WINDOWS\system\NOTEPAD.exe

and then click Fix Checked.

-----------------------------------------------------

Restart the computer in Safe Mode (keep pressing F8 while the computer boots and choose Safe Mode from the menu).

----------------------------------------------------

Find and delete the following files:

C:\WINDOWS\nsduo.dll
svcchosst.exe (search for this one and then remove it)
C:\WINDOWS\system32\mdmd.exe
C:\WINDOWS\system32\mfcee.exe
C:\WINDOWS\System32\4.exe
C:\WINDOWS\msmhost.dll
C:\WINDOWS\msmdev.dll
C:\WINDOWS\system\NOTEPAD.exe

-----------------------------------------------------

Restart the PC in normal mode. Rename the HijackThis program (call it, say, ''123''). Also rename the folder the program is in, then make a new log file and post it here.


Edit: when you're done with the above, find and upload the file:

C:\Program Files\3rtg\3rtg.dll

Go to RapidShare, click the Choose... button, select the file and then click the Upload! button.
When the upload finishes, click the link I don't want a collector's account right now. Just give me the download-link. at the bottom of the page and copy the download link you get into a post.
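The entries singled out above share traits that can be checked mechanically (a bare filename with no path, a look-alike of a system process name, a binary sitting directly in the Windows root, a service with no vendor, a hijacked start page), which is what the original poster asks about later in the thread. The following Python is added here as an illustration and is not part of the thread; it runs those heuristics over a constructed sample in HijackThis v2 format, and the trusted-host list, the system-name list and the 0.8 similarity threshold are assumptions.

```python
import ntpath
import re
from difflib import SequenceMatcher
from urllib.parse import urlparse
# Constructed sample in HijackThis v2 log format: the suspicious entries mirror those the
# reply above marks for fixing; the NvCpl and Symantec lines are benign, for contrast.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://softwarereferral.com/jump.php?wmid=6010&mid=MjI6Ojg5&lid=2
O2 - BHO: MSVPS System - {31CBB13B-244D-4C44-AED5-DCAD70F66281} - C:\WINDOWS\nsduo.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\RunServices: [msvccc66] svcchosst.exe
O4 - HKUS\S-1-5-18\..\Run: [melg3445] C:\WINDOWS\System32\4.exe (User 'SYSTEM')
O23 - Service: NOTEPAD - Unknown owner - C:\WINDOWS\system\NOTEPAD.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
"""
SYSTEM_NAMES = {"svchost", "lsass", "csrss", "smss", "winlogon", "services", "explorer", "rundll32"}
TRUSTED_HOME = ("microsoft.com", "msn.com")  # assumed list of acceptable start-page domains
PATH_RE = re.compile(r'([a-z]:\\[^"\n]*?\.(?:exe|dll|ocx))\b', re.I)


def flag(line):
    """Reasons a HijackThis line looks suspicious; an empty list means nothing was noted."""
    reasons = []
    if line.startswith("R0") and "Start Page" in line:
        host = urlparse(line.split("=", 1)[1].strip()).hostname or ""
        if not any(host == h or host.endswith("." + h) for h in TRUSTED_HOME):
            reasons.append("start page redirected to " + host)
        return reasons
    if line.startswith("O23") and "Unknown owner" in line:
        reasons.append("service with no vendor name")
    # The file the entry points at: a full drive path, else the bare name after the [key].
    m = PATH_RE.search(line) or re.search(r'\] "?([\w.]+)', line)
    if not m:
        return reasons
    target = m.group(1)
    name = ntpath.basename(target).lower()
    stem, ext = name.rsplit(".", 1) if "." in name else (name, "")
    if "\\" not in target and stem not in SYSTEM_NAMES:
        reasons.append("bare filename with no path")
    if stem not in SYSTEM_NAMES and any(SequenceMatcher(None, stem, s).ratio() >= 0.8 for s in SYSTEM_NAMES):
        reasons.append("look-alike of a system process name")
    if ntpath.dirname(target).lower() in (r"c:\windows", r"c:\windows\system") and ext in ("exe", "dll"):
        reasons.append("binary directly in the Windows root or \\system, not System32")
    if stem.isdigit() or len(stem) <= 2:
        reasons.append("numeric or very short filename")
    return reasons


def scan(log_text):
    """Return [(line, reasons)] for every entry that tripped at least one heuristic."""
    return [(l, r) for l in log_text.splitlines() if (r := flag(l))]
```

These checks only prioritise what to look at; a hit still has to be confirmed against a known-good list or the file itself, as the reply did by asking for 3rtg.dll.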
 
I did everything as you told me, dr_Boro, but
O4 - HKUS\S-1-5-18\..\Run: [melg34] C:\WINDOWS\system32\mdmd.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [staeck12] C:\WINDOWS\system32\mfcee.exe (User 'SYSTEM')
O23 - Service: NOTEPAD - Unknown owner - C:\WINDOWS\system\NOTEPAD.exe were not on the list when HijackThis scanned.
Also, when I was deleting the items in Safe Mode:
C:\WINDOWS\nsduo.dll
svcchosst.exe (search for this one and then remove it)
C:\WINDOWS\system32\mdmd.exe
C:\WINDOWS\system32\mfcee.exe
C:\WINDOWS\msmhost.dll
C:\WINDOWS\msmdev.dll
did not exist.
I should mention that before I read your advice and instructions I updated the definitions of my Symantec AV, and it detected the trojan and put it in quarantine. Maybe the absence of these items is a consequence of that.

As for HijackThis, I renamed it to 456, scanned, and here is the log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 21:52:38, on 24.9.2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\TI ADSL\bin\win2k\tidslmon.exe
C:\Program Files\456\456\456.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &3rtg - {85E0B173-04FA-11D1-B7DA-00A0C90348D6} - C:\Program Files\3rtg\3rtg.dll
O3 - Toolbar: Webshots Toolbar - {C17590D2-ECB4-4b15-8820-F58798DCC118} - C:\Program Files\Webshots\WSToolbar4IE.dll
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: &Webshots Photo Search - res://C:\Program Files\Webshots\WSToolbar4IE.dll/MENUSEARCH.HTM
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/win...ls/en/x86/client/wuweb_site.cab?1188413140072
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 4221 bytes

I uploaded that file, but it's not clear to me what it's needed for. I'd like to know what comes next, and can you briefly explain to me how to recognize from the LOG FILE which entries are trojans?


THANKS!!!!


File 3rtg.dll (200 KB) uploaded!
http://rs118l3.rapidshare.com/cgi-bin/upload.cgi?rsuploadid=136014977068425169#
 
This log is clean.

The link for that file isn't right - after you upload it you need to click I don't want a... and then copy the link that appears below it.
I asked for the file because I'm not sure what its function is. If you know what it is and what it's for, you don't have to upload it.

As for recognizing malware from logs, that's a ''slightly'' longer story...
 
There, I've found it now too... In any case, it's legitimate.

Everything is OK here now. You need to turn off System Restore, restart the computer, and then turn SR back on.

Control Panel - System - System Restore: check Turn Off SR on all drives.
After the restart, just uncheck that option.

Also delete the temporary files (you can use Disk Cleanup).

That would be it.

Cheers...


Edit: btw, why SP1? It would be useful to have SP2... Just so you know... :wink:
 
If I install SP2 I should gain in security, right?
And what will happen to the already installed programs and games, will they still work?
I only have the SP2 disc; I signed up when Microsoft had just released it and they sent it to me for free!?
 
Recommendation..

Definitely install SP2. There shouldn't be any problems with programs and games..
Especially when you have an original SP2.
You gain a lot in security and a much healthier state of your computer; besides that, a lot of patches for XP have come out since SP2 was released, so if you can download and install those too, your computer will be much happier, and so will you..

Cheers...
 
