Trojan horse Generic 12.XSP

macka vracarka · 12.01.2009. u 13:04

..elem ovo sam negde uhvatila..
AvG mi je detektovao virus i pise ovako:C:\Windows\system32\drivers\fips 32 cup.sys

Sta sam uradila..iskljucila sam avg na trenutak i skinula Combofix koji je skenirao i evo sad vam kopiram log:
ComboFix 09-01-11.02 - Maja 2009-01-12 12:32:43.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.222.26 [GMT 1:00]
Running from: c:\documents and settings\Maja\Contacts\Desktop\ComboFix.exe
AV: AVG 7.5.552 *On-access scanning disabled* (Updated)
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Maja\Application Data\FunWebProducts
c:\documents and settings\Maja\Application Data\FunWebProducts\Data\Maja\avatar.dat
c:\documents and settings\Maja\Application Data\FunWebProducts\Data\Maja\zbucks.dat
c:\documents and settings\Maja\Favorites\Online Security Test.url
c:\documents and settings\Maja\Maja.exe
c:\documents and settings\Maja\My Documents\My Music\My Music.url
c:\documents and settings\Maja\My Documents\My Videos\My Video.url
c:\program files\AntiSpywareShield
c:\program files\AntiSpywareShield\AntiSpywareShield.lic
c:\program files\AntiSpywareShield\AntiSpywareShield1.ad
c:\program files\FunWebProducts
c:\program files\MyWebSearch
c:\program files\MyWebSearch\bar\History\search2
c:\program files\MyWebSearch\bar\Settings\s_pid.dat
c:\windows\system32\834668
c:\windows\system32\834668\834668.dll
c:\windows\system32\shell31.dll
c:\windows\system32\wpv681230262576.cpx
c:\windows\system32\wpv821230262509.cpx
c:\windows\wiaserviv.log

.
((((((((((((((((((((((((( Files Created from 2008-12-12 to 2009-01-12 )))))))))))))))))))))))))))))))
.

2009-01-12 07:34 . 2009-01-12 07:34 22,016 --a------ c:\windows\system32\drivers\nicsk32.sys
2009-01-11 23:44 . 2009-01-11 23:44 22,016 --a------ c:\windows\system32\drivers\port135sik.sys
2008-12-25 21:22 . 2008-12-25 21:49 <DIR> d-------- c:\documents and settings\Maja\Application Data\Apple Computer
2008-12-25 20:48 . 2009-01-12 11:15 <DIR> d-------- c:\program files\eMule
2008-12-25 18:15 . 2008-12-25 18:15 <DIR> d-------- c:\program files\Bonjour
2008-12-25 18:13 . 2008-12-25 18:15 <DIR> d-------- c:\program files\QuickTime
2008-12-25 18:13 . 2008-12-25 21:20 <DIR> d-------- c:\documents and settings\All Users\Application Data\Apple Computer
2008-12-25 18:11 . 2008-12-25 18:11 <DIR> d-------- c:\documents and settings\All Users\Application Data\Apple

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-12 07:00 --------- d-----w c:\documents and settings\Maja\Application Data\AVG7
2008-12-15 12:18 --------- d-----w c:\program files\Mozilla Thunderbird
2008-12-06 11:24 --------- d-----w c:\documents and settings\Maja\Application Data\NeroVision
2008-11-22 21:42 --------- d-----w c:\documents and settings\Maja\Application Data\Skype
2008-10-23 13:01 283,648 ----a-w c:\windows\system32\gdi32.dll
2008-10-22 09:04 12,297,167 ------w C:\avg7qt.dat
2008-10-16 13:13 202,776 ----a-w c:\windows\system32\wuweb.dll
2008-10-16 13:13 1,809,944 ----a-w c:\windows\system32\wuaueng.dll
2008-10-16 13:12 561,688 ----a-w c:\windows\system32\wuapi.dll
2008-10-16 13:12 323,608 ----a-w c:\windows\system32\wucltui.dll
2008-10-16 13:09 92,696 ----a-w c:\windows\system32\cdm.dll
2008-10-16 13:09 51,224 ----a-w c:\windows\system32\wuauclt.exe
2008-10-16 13:09 43,544 ----a-w c:\windows\system32\wups2.dll
2008-10-16 13:08 34,328 ----a-w c:\windows\system32\wups.dll
2008-10-16 10:20 667,648 ----a-w c:\windows\system32\wininet.dll
2008-02-05 21:28 37,728 ----a-w c:\documents and settings\Maja\Application Data\GDIPFONTCACHEV1.DAT
2008-12-19 17:21 67,688 ----a-w c:\program files\mozilla firefox\components\jar50.dll
2008-12-19 17:21 54,368 ----a-w c:\program files\mozilla firefox\components\jsd3250.dll
2008-12-19 17:21 34,944 ----a-w c:\program files\mozilla firefox\components\myspell.dll
2008-12-19 17:21 46,712 ----a-w c:\program files\mozilla firefox\components\spellchk.dll
2008-12-19 17:21 172,136 ----a-w c:\program files\mozilla firefox\components\xpinstal.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-12-11 344064]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2005-12-17 761945]
"Toshiba Hotkey Utility"="c:\program files\Toshiba\Windows Utilities\Hotkey.exe" [2006-01-28 1589248]
"PadTouch"="c:\program files\TOSHIBA\Touch and Launch\PadExe.exe" [2005-12-21 1077330]
"DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2005-10-06 122940]
"NeroCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"Samsung LBP SM"="c:\windows\Samsung\LaserSMMgr\ssmmgr.exe" [2003-04-04 266240]
"SNPSTD2"="c:\windows\vsnpstd2.exe" [2004-06-10 286720]
"AVG7_CC"="c:\progra~1\Grisoft\AVG7\avgcc.exe" [2008-10-17 590848]
"CAP3ON"="c:\windows\system32\spool\drivers\w32x86\3\CAP3ONN.EXE" [2007-01-19 28288]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-11-04 413696]
"TPSMain"="TPSMain.exe" [2006-02-08 c:\windows\system32\TPSMain.exe]
"CFSServ.exe"="CFSServ.exe" [BU]
"NDSTray.exe"="NDSTray.exe" [BU]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="c:\progra~1\Grisoft\AVG7\avgw.exe" [2007-10-24 219136]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2006-10-29 113664]
Canon LASER SHOT LBP-1120 Status Window.LNK - c:\windows\system32\spool\drivers\w32x86\3\CAP3LAK.EXE [2007-01-09 38976]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-02-13 83360]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\WINDOWS\\system32\\Ati2evxx.exe"=

R3 HSFHWATI;HSFHWATI;c:\windows\system32\drivers\HSFHWATI.sys [2006-02-13 225792]
S3 iadusb;MT882;c:\windows\system32\drivers\glauiad.sys [2008-03-04 30336]
S3 usnjsvc;Messenger Sharing Folders USN Journal Reader service;c:\program files\MSN Messenger\usnsvc.exe [2007-01-19 97136]
S4 acpi32;acpi32;\??\c:\windows\system32\drivers\acpi32.sys --> c:\windows\system32\drivers\acpi32.sys [?]
S4 fips32cup;fips32cup;\??\c:\windows\system32\drivers\fips32cup.sys --> c:\windows\system32\drivers\fips32cup.sys [?]
S4 nicsk32;nicsk32;c:\windows\system32\drivers\nicsk32.sys [2009-01-12 22016]
S4 port135sik;port135sik;c:\windows\system32\drivers\port135sik.sys [2009-01-11 22016]
S4 ws2_32sik;ws2_32sik;\??\c:\windows\system32\drivers\ws2_32sik.sys --> c:\windows\system32\drivers\ws2_32sik.sys [?]
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-Maja - c:\documents and settings\Maja\Maja.exe
HKCU-Run-toscdspd - TOSCDSPD.EXE

.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uSearchMigratedDefaultURL = hxxp://internetsearchservice.com/search?q={searchTerms}
uDefault_Search_URL = hxxp://internetsearchservice.com
mSearch Bar = hxxp://internetsearchservice.com/ie6.html
mSearchMigratedDefaultURL = hxxp://internetsearchservice.com/search?q={searchTerms}
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://g.msn.co.uk/0SEENWW/SAOS01?FORM=TOOLBR
mSearchURL = hxxp://internetsearchservice.com
IE: &Search - http://edits.mywebsearch.com/toolbaredits/menusearch.jhtml?p=ZJfox000
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
Trusted Zone: online.bancaintesabeograd.com

c:\windows\Downloaded Program Files\FSINT.dll - O16 -: {5D69485C-EAB1-42AE-93C1-B5A53F238C5A}
hxxps://online.bancaintesabeograd.com/RetailDLL/FSINT.dll

c:\windows\Downloaded Program Files\SGCMSCCD.DLL - O16 -: {76326493-E84F-4D4B-939C-1E07B50037F2}
hxxps://online.bancaintesabeograd.com/RetailDLL/SGCMSCCD.DLL

c:\windows\Downloaded Program Files\CONFLICT.1\FSINT.dll - O16 -: {A7C346A3-B076-46B3-97F0-D00F6B479451}
hxxps://online.bancaintesabeograd.com/RetailDLL/FSINT.dll
FF - ProfilePath - c:\documents and settings\Maja\Application Data\Mozilla\Firefox\Profiles\og7dnlgl.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Search
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - component: c:\program files\Mozilla Firefox\components\xpinstal.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-12 12:35:48
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(548)
c:\windows\system32\Ati2evxx.dll

Pre-Run: 28,348,440,576 bytes free
Post-Run: 28,476,039,168 bytes free

I sta sad..Ima li mi spasa i viditite li ovde nesto sumnjivo...

macka vracarka · 12.01.2009. u 13:05

I od kad sam to uradila ponovo sam ukljucila AVG i sada nemam vise stalno satic,tj ne pokazuje kao da stalno nesto searchuje,,,

snejks · 12.01.2009. u 13:45

Izgleda kao da si zakačila Vundo-trojanca ,možda si ga i uklonila sa combofix-om , ali pošto se on relativno dosta teško uklanja moj savet ti je da skineš malwerebytes napraviš sa njim scan i ukloniš ako je nešto zaostalo.
Zatim skineš HijackThis i napraviš samo scan sa njim i staviš ovde logfile koji ti da na analizu s tim da pre skeniranje preimenuješ hijackthis.exe u recimo blabla.exe .

A da dodam ne zaboravi i log od Malwerebytes da postaviš.

sasa6 · 12.01.2009. u 22:34

Zato ja koristim Bit Defender, imao sam prilike da se suocim sa njim, BD ga guta.
Jedan dan sam bio na netu, a istekla mi licenca, pa se umuvalo, kada sam opet aktivirao AV, odma ga je detektovao.

Preporuka umesto AVG, BD moze da ga rastrgne i virus i AVG. z:mrgreen:

Southwind · 12.01.2009. u 23:15

sasa6:
Zato ja koristim Bit Defender, imao sam prilike da se suocim sa njim, BD ga guta.
Jedan dan sam bio na netu, a istekla mi licenca, pa se umuvalo, kada sam opet aktivirao AV, odma ga je detektovao.

Preporuka umesto AVG, BD moze da ga rastrgne i virus i AVG.

Potpisujem.
BD brise 99% napasti.

macka vracarka · 13.01.2009. u 13:50

snejks:
Izgleda kao da si zakačila Vundo-trojanca ,možda si ga i uklonila sa combofix-om , ali pošto se on relativno dosta teško uklanja moj savet ti je da skineš malwerebytes napraviš sa njim scan i ukloniš ako je nešto zaostalo.
Zatim skineš HijackThis i napraviš samo scan sa njim i staviš ovde logfile koji ti da na analizu s tim da pre skeniranje preimenuješ hijackthis.exe u recimo blabla.exe .

A da dodam ne zaboravi i log od Malwerebytes da postaviš.

Hvala ti puno..evo ga prvo ovaj log...

Malwarebytes' Anti-Malware 1.32
Verzija baze podataka: 1648
Windows 5.1.2600 Service Pack 2

13.1.2009 13:31:55
mbam-log-2009-01-13 (13-31-55).txt

Tip skeniranja: Brzo Skeniranje
Skeniranih objekata: 51566
Proteklo vreme: 7 minute(s), 50 second(s)

Inficirani procesi u memoriji: 0
Inficirani moduli u memoriji: 0
Inficirani kljuèevi u registru: 22
Inficirane vrednosti u registru: 12
Inficirani podaci u registru: 7
Inficirane fascikle: 0
Inficirane datoteke: 3

Inficirani procesi u memoriji:
(Maliciozne stavke nisu detektovane)

Inficirani moduli u memoriji:
(Maliciozne stavke nisu detektovane)

Inficirani kljuèevi u registru:
HKEY_CLASSES_ROOT\Interface\{2e9937fc-cf2f-4f56-af54-5a6a3dd375cc} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{741de825-a6f0-4497-9aa6-8023cf9b0fff} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{cf54be1c-9359-4395-8533-1657cf209cfe} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{d518921a-4a03-425e-9873-b9a71756821e} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{56256a51-b582-467e-b8d4-7786eda79ae0} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{59c7fc09-1c83-4648-b3e6-003d2bbc7481} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{68af847f-6e91-45dd-9b68-d6a12c30e5d7} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{9170b96c-28d4-4626-8358-27e6caeef907} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{d1a71fa0-ff48-48dd-9b6d-7a13a3e42127} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{ddb1968e-ead6-40fd-8dae-ff14757f60c7} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{f138d901-86f0-4383-99b6-9cdd406036da} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\nicsk32 (Rootkit.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\nicsk32 (Rootkit.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\nicsk32 (Rootkit.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\port135sik (Rootkit.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\port135sik (Rootkit.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\port135sik (Rootkit.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\RunDll32Policy\f3ScrCtr.dll (Adware.MyWay) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Multimedia\WMPlayer\Schemes\f3pss (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Fun Web Products (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\MyWebSearch (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Fun Web Products (Adware.MyWebSearch) -> Quarantined and deleted successfully.

Inficirane vrednosti u registru:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Extensions\CmdMapping\{9034a523-d068-4be8-a284-9df278be776e} (Trojan.Zlob) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main\searchmigrateddefaulturl (Trojan.Zlob) -> Delete on reboot.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main\default_search_url (Trojan.Zlob) -> Delete on reboot.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\searchurl (Trojan.Zlob) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\search bar (Trojan.Zlob) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\searchmigrateddefaulturl (Trojan.Zlob) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\SearchUrl\w\ (Trojan.Zlob) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\searchurl (Trojan.Zlob) -> Delete on reboot.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\New Windows\Allow\*.securewebinfo.com (Trojan.Zlob) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\New Windows\Allow\*.safetyincludes.com (Trojan.Zlob) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\New Windows\Allow\*.securemanaging.com (Trojan.Zlob) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\MenuExt\&Search\ (Adware.Hotbar) -> Quarantined and deleted successfully.

Inficirani podaci u registru:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\SearchUrl\w\ (Hijack.Search) -> Bad: (http://internetsearchservice.com/search?q=%s) Good: (http://www.google.com/) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SearchURL (Hijack.Search) -> Bad: (http://internetsearchservice.com) Good: (http://www.google.com/) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\SearchURL (Hijack.Search) -> Bad: (http://internetsearchservice.com) Good: (http://www.google.com/) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main\SearchMigratedDefaultURL (Hijack.Search) -> Bad: (http://internetsearchservice.com/search?q={searchTerms}) Good: (http://www.google.com/) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main\Default_Search_URL (Hijack.Search) -> Bad: (http://internetsearchservice.com) Good: (http://www.google.com/) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\Search Bar (Hijack.Search) -> Bad: (http://internetsearchservice.com/ie6.html) Good: (http://www.google.com/) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\SearchMigratedDefaultURL (Hijack.Search) -> Bad: (http://internetsearchservice.com/search?q={searchTerms}) Good: (http://www.google.com/) -> Quarantined and deleted successfully.

Inficirane fascikle:
(Maliciozne stavke nisu detektovane)

Inficirane datoteke:
C:\WINDOWS\system32\drivers\nicsk32.sys (Rootkit.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\port135sik.sys (Rootkit.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\temp\BN1.tmp (Trojan.Dropper) -> Quarantined and deleted successfully.

macka vracarka · 13.01.2009. u 14:04

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 13:56:10, on 13.1.2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\acs.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\CAP3RSK.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Toshiba\Windows Utilities\Hotkey.exe
C:\WINDOWS\system32\TPSMain.exe
C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\Synaptics\SynTP\Toshiba.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSServ.exe
C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe
C:\WINDOWS\Samsung\LaserSMMgr\ssmmgr.exe
C:\WINDOWS\vsnpstd2.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\CAP3LAK.EXE
C:\PROGRA~1\Grisoft\AVG7\avgw.exe
C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\CAP3SWK.EXE
C:\WINDOWS\system32\TPSBattM.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

--
End of file - 1781 bytes
..i drugi sa hijacka...
Sta mi je sada ciniti?

Baba??? · 13.01.2009. u 14:47

macka vracarka:
..i drugi sa hijacka...
Sta mi je sada ciniti?

Prvo, nisi promenila naziv HJT-a u nešto drugo, kao i direktorijum u kom Če da ti stoji!!
Izbegni da se iz bilo čega u putanji može videti da je u pitanju HijackThis ili Trend Micro!!
Znači, uradi rename hijackthis.exe u blabla.exe, prebaci ga na particiju D: i odatle poteraj.

Drugo, fali ti drugi deo log fajla!!
Znači, kad poteraš HJT i on ti izbaci log u Notepadu, desni klik na tekst i prvo izaberi
Select All pa tek ondaK Copy!!
I onda postiraj ovDi!!

snejks · 13.01.2009. u 15:02

Restartuj Računar , pri podizanju sistema stiskaj funkcijski taster F8 , uđi u Safe Mod , napravi još jedan scan sa Malwarebytes-om i obavezno posle njega restartuj računar , rootkitovi se ne uklanjaju tek tako lako , zatim kao što Baba??? kaže log od HijackThis postavi opet ovde taj log radi u Normal modu računara. Naravno opet te molim da sačuvaš Log od malwerebytesa i da ga postuješ ovde.

macka vracarka · 13.01.2009. u 17:57

Baba???:
Prvo, nisi promenila naziv HJT-a u nešto drugo, kao i direktorijum u kom Če da ti stoji!!
Izbegni da se iz bilo čega u putanji može videti da je u pitanju HijackThis ili Trend Micro!!
Znači, uradi rename hijackthis.exe u blabla.exe, prebaci ga na particiju D: i odatle poteraj.

Drugo, fali ti drugi deo log fajla!!
Znači, kad poteraš HJT i on ti izbaci log u Notepadu, desni klik na tekst i prvo izaberi
Select All pa tek ondaK Copy!!
I onda postiraj ovDi!!

Sve ovo boldovao za mene su spanska sela..ne znam gde to da promenim ...nii da prebacim na particiju D ni ..ni... :zstidljivko:

Uradicu ovo iz safe moda z:)

macka vracarka · 13.01.2009. u 18:31

Evo ga log iz Safe Moda...
alwarebytes' Anti-Malware 1.32
Verzija baze podataka: 1648
Windows 5.1.2600 Service Pack 2

13.1.2009 18:21:03
mbam-log-2009-01-13 (18-21-03).txt

Tip skeniranja: Brzo Skeniranje
Skeniranih objekata: 50295
Proteklo vreme: 16 minute(s), 31 second(s)

Inficirani procesi u memoriji: 0
Inficirani moduli u memoriji: 0
Inficirani kljuèevi u registru: 0
Inficirane vrednosti u registru: 0
Inficirani podaci u registru: 0
Inficirane fascikle: 0
Inficirane datoteke: 0

Inficirani procesi u memoriji:
(Maliciozne stavke nisu detektovane)

Inficirani moduli u memoriji:
(Maliciozne stavke nisu detektovane)

Inficirani kljuèevi u registru:
(Maliciozne stavke nisu detektovane)

Inficirane vrednosti u registru:
(Maliciozne stavke nisu detektovane)

Inficirani podaci u registru:
(Maliciozne stavke nisu detektovane)

Inficirane fascikle:
(Maliciozne stavke nisu detektovane)

Inficirane datoteke:
(Maliciozne stavke nisu detektovane)

snejks · 13.01.2009. u 21:32

Malwarebytes , je kao što i sama vidiš čudo od programa .
Tamo gde ti je izvršna datoteka za Hijjack this ideš na njega desnim tasterom miša i odabiraš "Rename" i kada se zaplavi ti ukucaš blabla.exe. zatim udariš enter. Dupli klik na blabla.exe i Samo Skeniraj komp postuj ovde CEO log koji ti izađe u notepadu , please. pozdrav

macka vracarka · 14.01.2009. u 12:41

Sve uradila...
evo ga log...
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:39:38, on 14.1.2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\acs.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\CAP3RSK.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Toshiba\Windows Utilities\Hotkey.exe
C:\WINDOWS\system32\TPSMain.exe
C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\TOSHIBA\ConfigFree\CFSServ.exe
C:\Program Files\Synaptics\SynTP\Toshiba.exe
C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe
C:\WINDOWS\Samsung\LaserSMMgr\ssmmgr.exe
C:\WINDOWS\vsnpstd2.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\CAP3LAK.EXE
C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\CAP3SWK.EXE
C:\WINDOWS\system32\TPSBattM.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.co.uk/0SEENWW/SAOS01?FORM=TOOLBR
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Toshiba Hotkey Utility] "C:\Program Files\Toshiba\Windows Utilities\Hotkey.exe" /lang en
O4 - HKLM\..\Run: [TPSMain] TPSMain.exe
O4 - HKLM\..\Run: [PadTouch] C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [CFSServ.exe] CFSServ.exe -NoClient
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [NDSTray.exe] NDSTray.exe
O4 - HKLM\..\Run: [Samsung LBP SM] "C:\WINDOWS\Samsung\LaserSMMgr\ssmmgr.exe" /autorun
O4 - HKLM\..\Run: [SNPSTD2] C:\WINDOWS\vsnpstd2.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [CAP3ON] C:\WINDOWS\system32\spool\drivers\w32x86\3\CAP3ONN.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Canon LASER SHOT LBP-1120 Status Window.LNK = C:\WINDOWS\system32\spool\drivers\w32x86\3\CAP3LAK.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {5D69485C-EAB1-42AE-93C1-B5A53F238C5A} (FileInterface Class) - https://online.bancaintesabeograd.com/RetailDLL/FSINT.dll
O16 - DPF: {76326493-E84F-4D4B-939C-1E07B50037F2} (ProxyModule Class) - https://online.bancaintesabeograd.com/RetailDLL/SGCMSCCD.DLL
O16 - DPF: {A7C346A3-B076-46B3-97F0-D00F6B479451} (FileInterface Class) - https://online.bancaintesabeograd.com/RetailDLL/FSINT.dll
O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\system32\acs.exe
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

--
End of file - 6854 bytes

Sisidora-97 · 14.01.2009. u 15:21

Heur trojan win 32 Sta je to?Ja stvarno ne znam kako da obrisem ako je virus!Ima kako crven iznak uvvicnik.Molim vas da mi pomognete jel sam glupa za te stvari

snejks · 14.01.2009. u 15:38

Sisidora-97:
Heur trojan win 32 Sta je to?Ja stvarno ne znam kako da obrisem ako je virus!Ima kako crven iznak uvvicnik.Molim vas da mi pomognete jel sam glupa za te stvari

Otvori novi topic skini hijack this program i uradi log kao što je uradila gospođica iznad i postavi ga u taj topic.

snejks · 14.01.2009. u 15:48

macka vracarka , opet ćeš pokrenuti hijack this i u onome otvorenom prozoru čekirati kockice ispred sledećih redova:
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

i dole klikni na Fix
i to bi bilo to , ostatak loga je čist , jedino me interesuje šta imaš od Tošibe zakačen na komp

Nadam se da nemaš više nekih problema sa kompom ili nekih neželjenih efekata

Sisidora-97 · 14.01.2009. u 21:44

snejks:
Otvori novi topic skini hijack this program i uradi log kao što je uradila gospođica iznad i postavi ga u taj topic.

Objasni!Molim te objasni mi ja sam glupa za komnpjutere.Imam 5 virusa tako pise trokanskih programa imam 0.STVARNI NE KAPIRAM! z:(

macka vracarka · 14.01.2009. u 23:06

snejks:
macka vracarka , opet ćeš pokrenuti hijack this i u onome otvorenom prozoru čekirati kockice ispred sledećih redova:
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

i dole klikni na Fix
i to bi bilo to , ostatak loga je čist , jedino me interesuje šta imaš od Tošibe zakačen na komp
Nadam se da nemaš više nekih problema sa kompom ili nekih neželjenih efekata

Uradila i to.. z:)

Hvala do neba...Sad fercera bez problema... z:lol:

Baba??? · 15.01.2009. u 00:41

Sisidora-97:
Heur trojan win 32 Sta je to?Ja stvarno ne znam kako da obrisem ako je virus!Ima kako crven iznak uvvicnik.Molim vas da mi pomognete jel sam glupa za te stvari

http://www.scanforfree.com/07/remove-win32.heur.html

GostM · 15.01.2009. u 02:39

macka vracarka:
Uradila i to..
Hvala do neba...Sad fercera bez problema...

Pošto si koristila ComboFix, trebaš ga sada deinstalirati iz kompjutera:

Start > Run > (kucaš) combofix /u (napomena: postoji razmak između 'x' i '/'), sačekaš da odradi posao i to je to.

cizmice · 15.01.2009. u 02:48

DekiM:
Pošto si koristila ComboFix, trebaš ga sada deinstalirati iz kompjutera:

Start > Run > (kucaš) combofix /u (napomena: postoji razmak između 'x' i '/'), sačekaš da odradi posao i to je to.

Nema potrebe.
Combo Fix se moze jednostavno baciti u korpu i to je to.

Inace odlican program koji napravi recovery konzolu.

GostM · 15.01.2009. u 03:18

cizmice:
Nema potrebe.
Combo Fix se moze jednostavno baciti u korpu i to je to...

Ima potrebe, a to naravno nisam ja izmislio!
Ona komanda će:

Obrisati sledeće:
- ComboFix i njegove file-ove i foldere
- VundoFix backup folder, ako postoji
- C:\Deckard folder, ako postoji
- C:\OtMoveIt folder, ako postoji
Resetovati podešavanja sata na kompjuteru
Sakriti ekstenzije file-ova, ako je potrebno
Sakriti sistemske/skrivene file-ove, ako je potrebno
Resetovati System Restore

http://www.myantispyware.com/2008/03/26/how-to-uninstall-combofix/

snejks · 15.01.2009. u 08:37

DekiM:
Pošto si koristila ComboFix, trebaš ga sada deinstalirati iz kompjutera:

Start > Run > (kucaš) combofix /u (napomena: postoji razmak između 'x' i '/'), sačekaš da odradi posao i to je to.

Mačka Vračarka , uradi ovo što ti DekiM kaže , ja sam zaboravio na to i na isključivanje sistem restorea i zatim njegovo ponovno uključivanje.
DekiM hvala na asistenciji

snejks · 15.01.2009. u 08:47

Sisidora-97:
Heur trojan win 32 Sta je to?Ja stvarno ne znam kako da obrisem ako je virus!Ima kako crven iznak uvvicnik.Molim vas da mi pomognete jel sam glupa za te stvari

snejks:
Otvori novi topic skini hijack this program i uradi log kao što je uradila gospođica iznad i postavi ga u taj topic.

Sisidora-97:
Objasni!Molim te objasni mi ja sam glupa za komnpjutere.Imam 5 virusa tako pise trokanskih programa imam 0.STVARNI NE KAPIRAM!

Misliiim , zar ima tu šta da se razume? pročitaš topic i vidiš šta su ostali radili sa kompjuterima i uradiš istu stvar. ako ti je to tako komplikovano misliim , pa nemam ja vremena da vas učim osnovnim radnjama na računaru. saberite se malo ,
Lepo sam napisao da otvoriš posebni temu (novi topic) da joj daš smisleniji naziv (ne UPOMOOOOOOOOOOOĆ i sl.), napišeš u temi koji ti je problem , koji ti antivirus postoji na računaru , šta detektuje računar i kako ti se pojavljuju te poruke , i skineš programe koje sam predlagao i ostalima i obaviš istu proceduru za početak jedan scan sa programom Hijjack this i postavljanje loga ovde će biti dovoljan za početak.

jevta.bg · 15.01.2009. u 12:23

Ma lepo skeniras komp sa antivirusom, i on sve obrise i resen problem.
Ne vidim cemu ovolika skeniranja , logovi i ostalo.

Trojan horse Generic 12.XSP

Veoma poznat

Veoma poznat

Elita

Aktivan član

Domaćin

Veoma poznat

Veoma poznat

Aktivan član

Elita

Veoma poznat

Veoma poznat

Elita

Veoma poznat

Obećava

Elita

Elita

Obećava

Veoma poznat

Aktivan član

Ističe se

Buduća legenda

Ističe se

Elita

Elita

Aktivan član