zlob trojan aka gold codec

  • Joined: 26 Oct 2006
  • Posts: 52

A friend of mine picked this up and is now struggling to get rid of it; could you help?

NOD32 says it is called TrojanDownloader.Zlob.AKI
Thanks in advance


PS. I entered the trojan's name in the search box but found nothing, so if this topic already exists, I apologize.

  • Joined: 04 Sep 2003
  • Posts: 24135
  • Location: Wien

Read the following topic:
http://www.mycity.rs/Ambulanta/Procitati-pre-otvaranja-teme.html
and post your HijackThis log here.
After that, someone from the AMF team will step in to take your case.

  • Joined: 26 Oct 2006
  • Posts: 52

  • Cigarette Smoking Man
  • Joined: 14 Feb 2005
  • Posts: 9113
  • Location: Beograd

@B3AST

I will be handling your case (your friend's case). I am going through the log you posted right now and will get back to you shortly with the first instructions on what to do...

  • Joined: 26 Oct 2006
  • Posts: 52

Okay, thanks......


Awaiting further instructions :)

  • Joined: 04 Sep 2003
  • Posts: 24135
  • Location: Wien

Since my colleague is not around, I am taking the liberty of pointing you to the first step.

Look for the following files on your disk:
F:\Program Files\BIHnet\BIHnet.exe
F:\Program Files\Gold Codec\isaddon.dll
F:\Program Files\Gold Codec\iesplugin.dll
F:\WINDOWS\system32\dcvwaah.dll
F:\PROGRA~1\MACROG~1\SWEETI~1\toolbar.dll
F:\Program Files\Macrogaming\SweetIMBarForIE\toolbar.dll
E:\Setup.exe
F:\DOCUME~1\PENZIO~1\APPLIC~1\ONLINE~1\Flaw Flag.exe

Pack them into a ZIP archive and upload them to
http://www.mycity.rs/ambulanta-upload.php

Note that the list above contains shortened names (the ones with ~ in them). I think it will not be hard for you to work out the long (usual) names of those folders.

If you are unable to upload the file to the address I gave you, say so here so that we can find another way to upload it.

Why are we asking you to send us the files?
We suspect that there is at least one file on your computer that is a new infection, not yet detected by antivirus programs.
One of our tasks is to collect such samples and send them to antivirus laboratories for analysis.

We apologize once more for such a late reply, but we needed quite some time to search all our sources of information for details about the file in question.

Thank you for your patience.

From here on, the case will be handled by the AMF member who has already replied in this topic.

  • Cigarette Smoking Man
  • Joined: 14 Feb 2005
  • Posts: 9113
  • Location: Beograd

@B3AST

Since there were some problems with the upload, I would ask you to try again to send them to http://www.mycity.rs/ambulanta-upload.php ...

Then do the following:
- Be sure to zip the files BIHnet.exe and Flaw Flag.exe and save them somewhere on the disk as a backup, just in case
- After you have saved those two EXE files, delete from the disk all the files you uploaded
- Install an anti-spyware program (for example Ewido) and download the latest definitions
- Open HijackThis and check the following lines:

F:\Program Files\BIHnet\BIHnet.exe

O2 - BHO: SWEETIE - {1A0AADCD-3A72-4b5f-900F-E3BB5A838E2A} - F:\PROGRA~1\MACROG~1\SWEETI~1\toolbar.dll

O2 - BHO: (no name) - {ae18da4e-be15-4925-81bb-890c04af0200} - F:\Program Files\Gold Codec\isaddon.dll (file missing)

O3 - Toolbar: SweetIM For Internet Explorer - {BC4FFE41-DE9F-46fa-B455-AAD49B9F9938} - F:\Program Files\Macrogaming\SweetIMBarForIE\toolbar.dll

O3 - Toolbar: Protection Bar - {96ebbe6a-2864-4345-b32b-26ee9be524b5} - F:\Program Files\Gold Codec\iesplugin.dll (file missing)

O4 - HKLM\..\Run: [zzzHPSETUP] E:\Setup.exe

O4 - HKCU\..\Run: [waythat] F:\DOCUME~1\PENZIO~1\APPLIC~1\ONLINE~1\Flaw Flag.exe

O21 - SSODL: gimmicks - {40dcff6e-af8d-4183-8ebe-a82270ac449e} - F:\WINDOWS\system32\dcvwaah.dll (file missing)

- Click Fix Checked
- Restart the computer in Safe Mode (press F8 while booting, then choose Safe Mode)
- Run the anti-spyware program and do a full system scan
- After that, restart the computer in normal mode
- Scan the computer with an online scanner

Online scanners:

- BitDefender - http://www.bitdefender.com/scan8/ie.html
- Kaspersky - http://www.kaspersky.com/virusscanner

After that, make a new HijackThis log (rename HijackThis.exe to, say, h3t.exe or some other name) and post it so we can see whether the computer is clean.
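A small triage helper for HijackThis-style log lines, added here as an example; it is not from this thread, the AMF team or HijackThis itself. It flags the same kinds of entries the AMF member picked out above: orphaned "(file missing)" references, unnamed BHOs/toolbars, Run entries that load from a user profile directory or a drive root, and SSODL entries. The sample lines are copied from the entries quoted in this thread; the heuristics, regexes and function names (`run_target`, `triage`) are my own assumptions.

```python
import re

# Constructed sample: HijackThis-style lines copied from the entries quoted in this thread, plus one known-good NOD32 entry as a control.
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - F:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {ae18da4e-be15-4925-81bb-890c04af0200} - F:\Program Files\Gold Codec\isaddon.dll (file missing)
O3 - Toolbar: Protection Bar - {96ebbe6a-2864-4345-b32b-26ee9be524b5} - F:\Program Files\Gold Codec\iesplugin.dll (file missing)
O4 - HKLM\..\Run: [zzzHPSETUP] E:\Setup.exe
O4 - HKLM\..\Run: [nod32kui] "F:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [Cool Sect Deaf Site] F:\Documents and Settings\All Users\Application Data\Flap Mpeg Cool Sect\LoadLicense.exe
O4 - HKCU\..\Run: [waythat] F:\DOCUME~1\PENZIO~1\APPLIC~1\ONLINE~1\Flaw Flag.exe
O21 - SSODL: gimmicks - {40dcff6e-af8d-4183-8ebe-a82270ac449e} - F:\WINDOWS\system32\dcvwaah.dll (file missing)
"""

ENTRY_RE = re.compile(r"^(O\d+) - (.*)$")
# Profile/data directories (long and 8.3 short forms) that a Run entry normally has no business loading from (my heuristic).
USER_WRITABLE_RE = re.compile(r"Documents and Settings|DOCUME~1|Application Data|APPLIC~1|Local Settings|LOCALS~1|\\Temp\\", re.IGNORECASE)
DRIVE_ROOT_RE = re.compile(r"[A-Z]:\\[^\\]+", re.IGNORECASE)

def run_target(body):
    """Return the executable path from an O4 body like 'HKLM\\..\\Run: [name] "path" /args', else None."""
    m = re.match(r"HK\w+\\\.\.\\Run: \[[^\]]*\] (.*)$", body)
    if not m:
        return None  # Global Startup entries and the like are not handled here
    rest = m.group(1).strip()
    if rest.startswith('"'):
        return rest[1:rest.index('"', 1)]  # quoted path, arguments follow the closing quote
    return rest.split(" /")[0]  # unquoted path: drop a trailing "/switch" if present

def triage(log_text):
    """Return (section, reason, line) for every entry that deserves a closer look."""
    findings = []
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue
        section, body = m.groups()
        if body.endswith("(file missing)"):
            findings.append((section, "orphaned: registry still points at a deleted file", line))
        elif section in ("O2", "O3") and "(no name)" in body:
            findings.append((section, "unnamed BHO/toolbar", line))
        elif section == "O4":
            target = run_target(body)
            if target and USER_WRITABLE_RE.search(target):
                findings.append((section, "autorun from a user-writable profile directory", line))
            elif target and DRIVE_ROOT_RE.fullmatch(target):
                findings.append((section, "autorun from a drive root", line))
        elif section == "O21":
            findings.append((section, "SSODL entry: loaded by Explorer at logon, verify it", line))
    return findings
```

Run `triage(SAMPLE_LOG)` to list the six flagged entries; the Adobe BHO and the NOD32 Run entry pass through without a finding.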

  • Joined: 06 Dec 2006
  • Posts: 21

I have just sent the new log.
The popup appeared only once, during the online scan with Kaspersky AV, but it showed nothing. It just opened empty and never appeared again.
Thank you very much for the help so far; I hope everything will be OK with this log.

  • Joined: 04 Sep 2003
  • Posts: 24135
  • Location: Wien

The log that Penzioner uploaded:

Logfile of HijackThis v1.99.1
Scan saved at 17:41:44, on 6.12.2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
F:\WINDOWS\System32\smss.exe
F:\WINDOWS\system32\winlogon.exe
F:\WINDOWS\system32\services.exe
F:\WINDOWS\system32\lsass.exe
F:\WINDOWS\system32\svchost.exe
F:\WINDOWS\System32\svchost.exe
F:\WINDOWS\system32\ZoneLabs\vsmon.exe
F:\WINDOWS\Explorer.EXE
F:\WINDOWS\system32\spoolsv.exe
F:\Program Files\Eset\nod32krn.exe
F:\Program Files\RVS\WCOM\SYSTEM\RVSINST.EXE
F:\WINDOWS\system32\svchost.exe
F:\WINDOWS\system32\WFXSVC.EXE
F:\Program Files\Symantec\WinFax\WFXMOD32.EXE
F:\PROGRA~1\eSnips\ClientGW.exe
F:\WINDOWS\system32\wfxsnt40.exe
F:\Program Files\Motherboard Monitor 5\MBM5.EXE
F:\Program Files\Common Files\Real\Update_OB\realsched.exe
F:\Program Files\DAP\DAP.EXE
F:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
F:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
F:\Program Files\ICQLite\ICQLite.exe
F:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
F:\WINDOWS\system32\Rscmpt.exe
F:\WINDOWS\system32\taskswitch.exe
F:\WINDOWS\Mixer.exe
F:\Program Files\Macrogaming\SweetIM\SweetIM.exe
F:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
F:\WINDOWS\system32\ctfmon.exe
F:\WINDOWS\system32\Runcheck.exe
F:\Program Files\Messenger\msmsgs.exe
F:\Program Files\Google\Google Talk\googletalk.exe
F:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
F:\Program Files\Skype\Phone\Skype.exe
F:\Program Files\Internet Explorer\iexplore.exe
f:\progra~1\intern~1\iexplore.exe
F:\Program Files\Mozilla Firefox\firefox.exe
F:\Program Files\Internet Explorer\IEXPLORE.EXE
F:\WINDOWS\System32\svchost.exe
F:\Program Files\MSN Messenger\msnmsgr.exe
F:\WINDOWS\system32\svchost.exe
F:\WINDOWS\system32\ntvdm.exe
F:\Documents and Settings\Penzioner\Desktop\New Folder\h3t.exe.exe

R3 - URLSearchHook: (no name) - {855F3B16-6D32-4fe6-8A56-BBB695989046} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - F:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - F:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - F:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - F:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - f:\program files\google\googletoolbar3.dll
O2 - BHO: MSN Search Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - F:\Program Files\MSN Toolbar Suite\TB\02.05.0001.1119\en-us\msntb.dll
O3 - Toolbar: eSnips - {ED1184DA-E57E-4480-99D0-A16809037F54} - F:\PROGRA~1\eSnips\SnipBar.dll
O3 - Toolbar: MSN Search Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - F:\Program Files\MSN Toolbar Suite\TB\02.05.0001.1119\en-us\msntb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - f:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [eSnips] "F:\PROGRA~1\eSnips\ClientGW.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] F:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [WinFaxAppPortStarter] wfxsnt40.exe
O4 - HKLM\..\Run: [nod32kui] "F:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE F:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [MBM 5] "F:\Program Files\Motherboard Monitor 5\MBM5.EXE"
O4 - HKLM\..\Run: [TkBellExe] "F:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [DownloadAccelerator] "F:\Program Files\DAP\DAP.EXE" /STARTUP
O4 - HKLM\..\Run: [SunJavaUpdateSched] "F:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] F:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [ICQ Lite] "F:\Program Files\ICQLite\ICQLite.exe" -minimize
O4 - HKLM\..\Run: [Zone Labs Client] "F:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [Rscmpt] F:\WINDOWS\system32\Rscmpt.exe
O4 - HKLM\..\Run: [CoolSwitch] F:\WINDOWS\system32\taskswitch.exe
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [Cool Sect Deaf Site] F:\Documents and Settings\All Users\Application Data\Flap Mpeg Cool Sect\LoadLicense.exe
O4 - HKLM\..\Run: [SweetIM] F:\Program Files\Macrogaming\SweetIM\SweetIM.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "F:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [CTFMON.EXE] F:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "F:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [googletalk] "F:\Program Files\Google\Google Talk\googletalk.exe" /autostart
O4 - HKCU\..\Run: [swg] F:\Program Files\Google\GoogleToolbarNotifier\1.0.720.3640\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [SweetIM] F:\Program Files\Macrogaming\SweetIM\SweetIM.exe
O4 - HKCU\..\Run: [Skype] "F:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [waythat] F:\DOCUME~1\PENZIO~1\APPLIC~1\ONLINE~1\Flaw Flag.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = F:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = F:\Program Files\Microsoft Office\Office\OSA9.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Clean Traces - F:\Program Files\DAP\Privacy Package\dapcleanerie.htm
O8 - Extra context menu item: &Download with &DAP - F:\Program Files\DAP\dapextie.htm
O8 - Extra context menu item: &ICQ Toolbar Search - res://F:\Program Files\ICQToolbar\toolbaru.dll/SEARCH.HTML
O8 - Extra context menu item: &MSN Search - res://F:\Program Files\MSN Toolbar Suite\TB\02.05.0000.1082\en-us\msntb.dll/search.htm
O8 - Extra context menu item: Download &all with DAP - F:\Program Files\DAP\dapextie2.htm
O8 - Extra context menu item: Open in new background tab - res://F:\Program Files\MSN Toolbar Suite\TAB\02.05.0000.1110\en-us\msntabres.dll/229?24f26e7b6c67479681c237c5b6c2a2e
O8 - Extra context menu item: Open in new foreground tab - res://F:\Program Files\MSN Toolbar Suite\TAB\02.05.0000.1110\en-us\msntabres.dll/230?24f26e7b6c67479681c237c5b6c2a2e
O8 - Extra context menu item: Snip to my eSnips account - F:\Program Files\eSnips\res\SnipIt.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - F:\Program Files\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - F:\Program Files\ICQLite\ICQLite.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Con.....4287612571
O17 - HKLM\System\CCS\Services\Tcpip\..\{8735214C-5837-4C76-A635-2C05E499A9B6}: NameServer = 195.222.32.10 195.222.32.20
O17 - HKLM\System\CS1\Services\Tcpip\..\{8735214C-5837-4C76-A635-2C05E499A9B6}: NameServer = 195.222.32.10 195.222.32.20
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - F:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - F:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - F:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - F:\Program Files\Eset\nod32krn.exe
O23 - Service: RvscomSv - RVS Datentechnik GmbH, Munich - F:\Program Files\RVS\WCOM\SYSTEM\RVSCOMSV.EXE
O23 - Service: RVS Installer (RVSINST) - RVS Datentechnik GmbH, Munich - F:\Program Files\RVS\WCOM\SYSTEM\RVSINST.EXE
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - F:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: WinFax PRO (wfxsvc) - Symantec Corporation - F:\WINDOWS\system32\WFXSVC.EXE

Update: 06 Dec 2006 22:31

A few questions:
1. Are you using a GeForce 2 MX card with the program for recognising 64 MB of memory on the card?
2. Did you install eSnips and SweetIM yourself, or did they "jump in" on their own?
3. What is Flap Mpeg Cool Sect? We cannot find any information about it.
It loads from here: F:\Documents and Settings\All Users\Application Data\Flap Mpeg Cool Sect\LoadLicense.exe
4. What is Flaw Flag.exe? Did you install it yourself, or did it "jump in"?

  • Joined: 06 Dec 2006
  • Posts: 21

1. The card is a GeForce 2 MX/MX 400 and it installed its program by itself when I tried to connect to the TV over S-video. It works OK now.

2. I installed both eSnips and SweetIM myself. eSnips is a free gallery where I put my photos for friends. SweetIM is some add-on for MSN; I don't know what function it has, I think it is for some animations during chat, like nudge and similar. A friend who sent me an animation told me to install it and that I would then be able to use it.
3. Flap Mpeg, I have no idea what it is; I dug around a bit and, looking at the date, it turns out that it too has something to do with MSN. Here: F:\Documents and Settings\All Users\Application Data\online junk rvggsyfg something??? It fits with the MSN chat.
4. I have no idea what that is either; Flaw Flag was placed a minute earlier than Flap Mpeg, again MSN, and it is also in F:\windows\prefetch in .pf form

Update: 07 Dec 2006 9:49

NOTE: SWEET WAS installed in the same few minutes as these last two

Thanks
