MyCity » Ambulanta -> Arhiva Ambulante » trojanci

trojanci

Napisano na dan: 4.6.2009
1

trojanci
Sledeća strana Pagination

Idi na vrh

Poslao: 04 Jun 2009 10:45
Idi na vrh
offline
  • Pridružio: 29 Mar 2006
  • Poruke: 2215
  • Gde živiš: in the heart of the city

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:41:46 AM, on 6/4/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Ninja\ninja.exe
C:\Program Files\Java\jre1.6.0_05\bin\jucheck.exe
C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Administrator\Desktop\New Folder\TR3.exe.exe

O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [cdoosoft] C:\WINDOWS\system32\olhrwef.exe
O4 - Global Startup: ninja.lnk = C:\Program Files\Ninja\ninja.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V.....8875848359
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe

--
End of file - 3895 bytes

Kompjuter na poslu i setih se danas da nemam AV pa resila da instaliram Avast i kad sam skenirala shvatim da sam puna gamadi (bar on tako kaze). Imam ADSL tako da mogu da skinem sta god da je potrebno od vecih programa. Hvala. smešak

Poslao: 04 Jun 2009 10:49
Idi na vrh
offline
  • helen1  Male
  • Anti Malware Fighter
    Rank 2
  • Master učitelj
  • Pridružio: 27 Avg 2005
  • Poruke: 8617
  • Gde živiš: Novi Beograd

Zdravo,

dobro si se setila da AV postoji Mr. Green

Preuzmi sUBs-ov ComboFix sa jedne od sledećih adresa na Desktop:


Bleeping Computer . . . . . Geeks to Go!
Klikni desnim tasterom na neki od linkova i odaberi opciju Save Target As... (Save Link As..., Save Linked Content As... ili sličnu);
Kada se otvori dijalog za izbor lokacije na kojoj treba sačuvati file, odaberi Desktop i klikni Save.



Kada preuzimanje programa bude završeno:
zatvori pokrenute programe;
deaktiviraj zaštitni softver (uputstvo);
dvoklikom pokreni program ComboFix.
U toku rada, ComboFix će:proveriti postoji li novija verzija programa:
klikni Yes ako bude ponuđeno preuzimanje iste. prikazati DISCLAIMER OF WARRANTY ON SOFTWARE:
klikni Yes kako bi proces bio nastavljen.ako Recovery Console nije instalirana, ponuditi instalaciju:
prihvati klikom na Yes i isprati postupak.postaviti/dati određeni broj upita/obaveštenja:
prihvati klikom na Yes ili OK.po potrebi, restartovati Windows (više puta);
na kraju rada, otvoriti Notepad sa izveštajem o skeniranju.

Iskopiraj izveštaj koji je ComboFix napravio u temu na forumu:
klikni desnim tasterom miša u prozor Notepad-a i izaberi Select All;
klikni desnim tasterom miša na obeleženi tekst i izaberi Copy;
klikni desnim tasterom miša u polje za pisanje poruke i izaberi Paste.

Napomena:Izveštaj će biti sačuvan pod nazivom ComboFix.txt na sistemskoj particiji (tipična lokacija: C:\ComboFix.txt);
Ukoliko nakon slanja poruke primetiš da izveštaj nije kompletan, iskoristi opciju Prikači fajl za prilaganje file-a C:\ComboFix.txt uz poruku.

Poslao: 04 Jun 2009 11:39
Idi na vrh
offline
  • Pridružio: 29 Mar 2006
  • Poruke: 2215
  • Gde živiš: in the heart of the city

Stidim se. Embarassed

Evo ComboFix-a:

ComboFix 09-06-03.04 - Administrator 06/04/2009 11:23.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.503.233 [GMT 2:00]
Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
AV: avast! antivirus 4.8.1335 [VPS 090603-0] *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\2a.exe
C:\Autorun.inf
C:\gclwpivc.cmd
C:\lc.exe
C:\n68mqcra.exe
C:\q9.cmd
c:\recycler\S-1-5-21-1482476501-1644491937-682003330-1013
c:\recycler\S-1-5-21-1482476501-1644491937-682003330-1013\Desktop.ini
C:\ukvr.bat
C:\w.com
c:\windows\AhnRpta.exe
c:\windows\system32\ckvo1.dll
c:\windows\system32\nmdfgds0.dll
c:\windows\system32\nmdfgds1.dll
c:\windows\system32\olhrwef.exe
c:\windows\system32\vbsdfe1.dll
C:\xh319r9b.bat
C:\yhh.bat
C:\ysep1.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_AVPsys


((((((((((((((((((((((((( Files Created from 2009-05-04 to 2009-06-04 )))))))))))))))))))))))))))))))
.

2009-06-04 07:54 . 2009-02-05 20:06 23152 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2009-06-04 07:54 . 2009-02-05 20:06 51376 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2009-06-04 07:54 . 2009-02-05 20:05 26944 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2009-06-04 07:54 . 2009-02-05 20:04 97480 ----a-w- c:\windows\system32\AvastSS.scr
2009-06-04 07:54 . 2009-02-05 20:07 114768 ----a-w- c:\windows\system32\drivers\aswSP.sys
2009-06-04 07:54 . 2009-02-05 20:07 20560 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2009-06-04 07:54 . 2009-02-05 20:08 93296 ----a-w- c:\windows\system32\drivers\aswmon.sys
2009-06-04 07:54 . 2009-02-05 20:08 94032 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2009-06-04 07:53 . 2009-02-05 20:11 1256296 ----a-w- c:\windows\system32\aswBoot.exe
2009-06-04 07:53 . 2003-03-18 19:20 1060864 ----a-w- c:\windows\system32\MFC71.dll
2009-06-04 07:53 . 2003-03-18 18:14 499712 ----a-w- c:\windows\system32\MSVCP71.dll
2009-06-04 07:53 . 2003-02-21 02:42 348160 ----a-w- c:\windows\system32\MSVCR71.dll
2009-06-04 07:53 . 2009-06-04 07:53 -------- d-----w- c:\program files\Alwil Software
2009-06-04 07:52 . 2009-06-04 07:52 -------- d-----w- c:\program files\Ninja
2009-05-25 10:08 . 2009-06-03 12:28 10 ----a-w- c:\windows\popcinfo.dat
2009-05-25 10:07 . 2009-05-25 10:07 -------- d-----w- c:\program files\GameHouse
2009-05-11 11:31 . 2009-05-12 07:53 25 ----a-w- c:\windows\popcinfot.dat
2009-05-11 11:30 . 2009-05-11 11:30 -------- d-----w- c:\documents and settings\All Users\Application Data\PopCap Games
2009-05-11 11:12 . 2009-05-12 07:53 -------- d-----w- c:\program files\PopCap Games

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-28 07:27 . 2008-08-17 10:47 -------- d-----w- c:\program files\Winamp
2009-04-28 07:26 . 2008-08-17 10:47 -------- d-----w- c:\documents and settings\Administrator\Application Data\Winamp
2009-04-15 10:46 . 2009-04-15 10:46 -------- d-----w- c:\program files\Common Files\Blizzard Entertainment
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2001-08-23 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2005-06-08 94208]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2005-06-08 77824]
"Persistence"="c:\windows\system32\igfxpers.exe" [2005-06-08 114688]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 144784]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-02-05 81000]
"SkyTel"="SkyTel.EXE" - c:\windows\SkyTel.exe [2007-08-03 1826816]
"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.exe [2007-09-03 16841216]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
ninja.lnk - c:\program files\Ninja\ninja.exe [2009-6-4 695296]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=
"c:\\Documents and Settings\\Administrator\\Desktop\\WSC-V5.1PREZENTACIJA\\diskw\\usr\\local\\Apache2\\bin\\Apache.exe"=
"c:\\Documents and Settings\\Administrator\\Desktop\\WSC-V5.1PREZENTACIJA\\diskw\\usr\\local\\mysql\\bin\\mysqld-opt.exe"=
"c:\\Program Files\\Ninja\\ninja.exe"=

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [6/4/2009 9:54 AM 114768]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [6/4/2009 9:54 AM 20560]
.
- - - - ORPHANS REMOVED - - - -

SafeBoot-procexp90.Sys


.
------- Supplementary Scan -------
.
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\4n5x5733.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-06-04 11:26
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Alwil Software\Avast4\aswUpdSv.exe
c:\program files\Alwil Software\Avast4\ashServ.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\windows\system32\wdfmgr.exe
c:\program files\Alwil Software\Avast4\ashMaiSv.exe
c:\program files\Alwil Software\Avast4\ashWebSv.exe
.
**************************************************************************
.
Completion time: 2009-06-04 11:30 - machine was rebooted
ComboFix-quarantined-files.txt 2009-06-04 09:30

Pre-Run: 70,408,757,248 bytes free
Post-Run: 70,578,544,640 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

132

Poslao: 04 Jun 2009 13:50
Idi na vrh
offline
  • helen1  Male
  • Anti Malware Fighter
    Rank 2
  • Master učitelj
  • Pridružio: 27 Avg 2005
  • Poruke: 8617
  • Gde živiš: Novi Beograd

Ako imas tu neke fleske da ih pogledamo:

- Preuzmi USBNoRisk na Desktop i pokreni ga duplim klikom na ikonicu programa.
- Sacekaj koji sekund dok program izvrsi inicijalno skeniranje.
- Ubacuj sve USB memorijske uredjaje redom u USB slot i svaki zadrzi u slotu po 10 sekundi.
- Ukoliko imas vise uredjaja za proveru, onda na parcetu papira zapisi kojim redom su ubacivani jer ce nam kasnije trebati taj podatak
- Kada zavrsis sa svim uredjajima, klikni desno dugme misa na sred prozora programa i odaberi opciju Save log. To ce automatski otvoriti log u Notepadu. Iskopiraj nam taj log iz Notepada na forum.

Objasnjenje: U USB memorijske uredjaje spadaju svi oni uredjaji koji po prikljucivanju na kompjuter dobijaju svoju oznaku particije. Tu spadaju USB flash drajvovi, eksterni hard-diskovi, memorijske kartice, MP3 i MP4 plejeri, neki mobilni telefoni, neki GPS (navigacioni) uredjaji itd.

Poslao: 04 Jun 2009 13:59
Idi na vrh
offline
  • Pridružio: 29 Mar 2006
  • Poruke: 2215
  • Gde živiš: in the heart of the city

Evo ga:

USBNoRisk 2.4 (1 June 2009) by bobby

Started at 6/4/2009 1:57:43 PM

Searching for connected USB Mass storage...
----------------------------------------
========================================

Searching for other storage...
----------------------------------------
C: {fcfe42ed-6b64-11dd-9bcd-806d6172696f}
========================================


Scanning fixed storage...
----------------------------------------

No blocked files found on C:
No Autorun.inf files found on C:
No mountpoint found for C:
No mountpoint found for fcfe42ed-6b64-11dd-9bcd-806d6172696f
No Desktop.ini files found on C:
----------------------------------------

autorun.inf found in Qoobox
----------------------------------------
Content of C:\QooBox\Quarantine\C\autorun.inf.vir
----------------------------------------
[AutoRun]
open=gclwpivc.cmd
shell\open\Command=gclwpivc.cmd
----------------------------------------
========================================
Initial scan finished!
========================================


New device connected at 6/4/2009 1:57:48 PM

Scanning for connected USB mass storage...
----------------------------------------
E: {05007218-6e8c-11dd-ad23-001d608c55f1}
Added E:
========================================

Scanning USB mass storage for files...
----------------------------------------
No blocked files found on E:
----------------------------------------
No Autorun.inf files found on E:
No mountpoint found for 05007218-6e8c-11dd-ad23-001d608c55f1
----------------------------------------

No Desktop.ini files found on E:
----------------------------------------

No mimics found on drive E:
========================================


Jedino sto imam nekog nindzu za proveru USB-a i nikako ne mogu da ga iskljucim a on preimenuje neke fajlove kada ubacim USB pa je moguce da ovaj log nece valjati zbog toga. Sad

Poslao: 04 Jun 2009 14:02
Idi na vrh
offline
  • helen1  Male
  • Anti Malware Fighter
    Rank 2
  • Master učitelj
  • Pridružio: 27 Avg 2005
  • Poruke: 8617
  • Gde živiš: Novi Beograd

OK. To bi bilo to.

Potrebno je deinstalirati ComboFix:
klikni start (ili ), a zatim RUN.

Na Visti koristiti Start Search polje ukoliko Run nije dostupan.

U liniju za unos teksta ukucaj (iskopiraj) sledeće:

combofix /u

Primeti da postoji razmak između "ComboFix" i "/u".



a zatim klikni OK (ili pritisni Enter).

Sačekaj da se proces deinstalacije završi.


Ako ima nekih prblema, kazi.

Poslao: 04 Jun 2009 14:07
Idi na vrh
offline
  • Pridružio: 29 Mar 2006
  • Poruke: 2215
  • Gde živiš: in the heart of the city

Napisano: 04 Jun 2009 14:06

Sve je proslo ok. Smile

Dopuna: 04 Jun 2009 14:07

A da, uspela da maknem nindzu malo pre i log USBNoRisk-a se nije promenio. smešak

Poslao: 04 Jun 2009 14:09
Idi na vrh
offline
  • helen1  Male
  • Anti Malware Fighter
    Rank 2
  • Master učitelj
  • Pridružio: 27 Avg 2005
  • Poruke: 8617
  • Gde živiš: Novi Beograd

Mislis na ovo: ninja.exe ?

Poslao: 04 Jun 2009 14:10
Idi na vrh
offline
  • Pridružio: 29 Mar 2006
  • Poruke: 2215
  • Gde živiš: in the heart of the city

Da. Smile

Poslao: 04 Jun 2009 14:12
Idi na vrh
offline
  • helen1  Male
  • Anti Malware Fighter
    Rank 2
  • Master učitelj
  • Pridružio: 27 Avg 2005
  • Poruke: 8617
  • Gde živiš: Novi Beograd

Zar to nije program za menjanje teksta na ruski, ili tako nesto?

MyCity » Ambulanta -> Arhiva Ambulante » trojanci

Ko je trenutno na forumu
 

Ukupno su 988 korisnika na forumu :: 49 registrovanih, 7 sakrivenih i 932 gosta   ::   [ Administrator ] [ Supermoderator ] [ Moderator ] :: Detaljnije

Najviše korisnika na forumu ikad bilo je 3466 - dana 01 Jun 2021 17:07

Korisnici koji su trenutno na forumu:
Korisnici trenutno na forumu: anta, Bokiboks, ccoogg123, darios, Darko001, Djokkinen, doktor123, Dr.Strangelove, drimer, esx66, Fog of War, Fulcrum, Georgius, goxin, h8propaganda, HogarStrashni, ILGromovnik, Ilija Cvorovic, Još malo pa deda, kalens021, Karla, Koridor, kubura91, ladro, Levi, Mercury, MiroslavD, Misirac, mrav pesadinac, naki011, ozzy, pein, rasok, royst33, S1Mk3, saputnik plavetnila, Sir Budimir, slonic_tonic, sombrero, Srle993, Stefan M, suton, t84dar, theNedjeljko, tubular, voja64, Webb, zeo, žeks62