A friend suspects he has a virus

  • Programmer
  • Joined: 23 May 2012
  • Posts: 4575

Here's the situation: in Google Chrome he went to Settings >> Downloads (he has no Internet connection, by the way) and got to the folder where all the downloads are kept. He told me that the file had a folder icon and that this confused him. When he launched it with a double-click, AVG (Free Edition 2011) detected a trojan, as he puts it (it supposedly said something like 'trojan horse'). With a detailed scan we established that there is one infected item; however, even after a deep scan with Avast (which I installed for him because the other one was outdated), no malware was found. I still brought the report so that you can tell me what the situation is.

And yes, it's some system file, and it also said Win32 / Heur in red letters.

DDS

DDS (Ver_2012-11-20.01) - NTFS_x86
Internet Explorer: 8.0.6001.18702
Run by Milijana at 15:27:23 on 2013-06-08
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.894.370 [GMT 2:00]
.
AV: AVG Anti-Virus Free Edition 2011 *Enabled/Outdated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.
============== Running Processes ================
.
\??\C:\PROGRA~1\AVG\AVG10\avgchsvx.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\UnsignedThemesSvc.exe
C:\Program Files\AVG\AVG10\avgtray.exe
C:\Program Files\DeviceVM\Browser Configuration Utility\BCU.exe
C:\PROGRA~1\WI371A~1\Datamngr\DATAMN~1.EXE
C:\Program Files\SweetIM\Messenger\SweetIM.exe
C:\PROGRA~1\UXPACK~1\VISTAD~1\DrvIcon.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\Milijana\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
C:\Program Files\uTorrent\uTorrent.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\MCShield\mcshieldrtm.exe
C:\DOCUME~1\Milijana\LOCALS~1\Temp\SDM143\Free Ride Games.exe
C:\Program Files\AVG\AVG10\avgwdsvc.exe
C:\Program Files\DeviceVM\Browser Configuration Utility\BCUService.exe
C:\Program Files\AVG\AVG10\Identity Protection\agent\bin\avgidsmonitor.exe
C:\PROGRA~1\UXPACK~1\WinMetro\MetroBar.exe
C:\PROGRA~1\UXPACK~1\WinMetro\MetroStart.exe
C:\WINDOWS\system32\vmnat.exe
C:\Program Files\Bandoo\Bandoo.exe
C:\Program Files\AVG\AVG10\avgnsx.exe
C:\Program Files\VMware\VMware Player\vmware-authd.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\system32\vmnetdhcp.exe
C:\Program Files\Common Files\VMware\USB\vmware-usbarbitrator.exe
C:\Program Files\AVG\AVG10\Identity Protection\Agent\Bin\AVGIDSAgent.exe
C:\WINDOWS\System32\alg.exe
\??\C:\PROGRA~1\AVG\AVG10\avgrsx.exe
\??\C:\Program Files\AVG\AVG10\avgcsrvx.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\svchost.exe -k imgsvc
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.windowsxlive.net
uSearch Page = hxxp://www.toggle.com/en/index.php?rvs=google
mStart Page = hxxp://home.sweetim.com/?st=1&barid={843103C3-0C86-11E1-B134-1C6F65532D3D}
mSearch Page = hxxp://www.toggle.com/en/index.php?rvs=google
uInternet Connection Wizard,ShellNext = iexplore
uURLSearchHooks: SearchHook Class: {BC86E1AB-EDA5-4059-938F-CE307B0C6F0A} - c:\program files\devicevm\browser configuration utility\AddressBarSearch.dll
uURLSearchHooks: Zynga Toolbar: {7b13ec3e-999a-4b70-b9cb-2617b8323822} -
uURLSearchHooks: uTorrentBar Toolbar: {bf7380fa-e3b4-4db2-af3e-9d8783a45bfc} - c:\program files\utorrentbar\prxtbuTo2.dll
uURLSearchHooks: SweetIM ToolbarURLSearchHook Class: {EEE6C35D-6118-11DC-9C72-001320C79847} - c:\program files\sweetim\toolbars\internet explorer\mgHelper.dll
mWinlogon: SFCDisable = dword:-99
BHO: Babylon toolbar helper: {2EECD738-5844-4a99-B4B6-146BF802613B} - c:\program files\babylontoolbar\babylontoolbar\1.4.31.2\bh\BabylonToolbar.dll
BHO: AVG Safe Search: {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - c:\program files\avg\avg10\avgssie.dll
BHO: Zynga Toolbar: {7b13ec3e-999a-4b70-b9cb-2617b8323822} -
BHO: Searchqu Toolbar: {99079a25-328f-4bd4-be04-00955acaa0a7} - c:\program files\windows ilivid toolbar\datamngr\toolbar\searchqudtx.dll
BHO: Loader Class: {9D717F81-9148-4f12-8568-69135F087DB0} - c:\program files\windows ilivid toolbar\datamngr\BrowserConnection.dll
BHO: uTorrentBar Toolbar: {bf7380fa-e3b4-4db2-af3e-9d8783a45bfc} - c:\program files\utorrentbar\prxtbuTo2.dll
BHO: BandooIEPlugin Class: {EB5CEE80-030A-4ED8-8E20-454E9C68380F} - c:\program files\bandoo\plugins\ie\ieplugin.dll
BHO: SweetIM Toolbar Helper: {EEE6C35C-6118-11DC-9C72-001320C79847} - c:\program files\sweetim\toolbars\internet explorer\mgToolbarIE.dll
TB: Zynga Toolbar: {7B13EC3E-999A-4B70-B9CB-2617B8323822} -
TB: uTorrentBar Toolbar: {BF7380FA-E3B4-4DB2-AF3E-9D8783A45BFC} - c:\program files\utorrentbar\prxtbuTo2.dll
TB: SweetIM Toolbar for Internet Explorer: {EEE6C35B-6118-11DC-9C72-001320C79847} - c:\program files\sweetim\toolbars\internet explorer\mgToolbarIE.dll
TB: Zynga Toolbar: {7b13ec3e-999a-4b70-b9cb-2617b8323822} -
TB: Babylon Toolbar: {98889811-442D-49dd-99D7-DC866BE87DBC} - c:\program files\babylontoolbar\babylontoolbar\1.4.31.2\BabylonToolbarTlbr.dll
TB: uTorrentBar Toolbar: {bf7380fa-e3b4-4db2-af3e-9d8783a45bfc} - c:\program files\utorrentbar\prxtbuTo2.dll
TB: SweetIM Toolbar for Internet Explorer: {EEE6C35B-6118-11DC-9C72-001320C79847} - c:\program files\sweetim\toolbars\internet explorer\mgToolbarIE.dll
TB: Searchqu Toolbar: {99079a25-328f-4bd4-be04-00955acaa0a7} - c:\program files\windows ilivid toolbar\datamngr\toolbar\searchqudtx.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Google Update] "c:\documents and settings\milijana\local settings\application data\google\update\GoogleUpdate.exe" /c
uRun: [uTorrent] "c:\program files\utorrent\uTorrent.exe" /MINIMIZED
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [MCShield Monitor] c:\program files\mcshield\mcshieldrtm.exe
uRun: [Exent_SDM] c:\docume~1\milijana\locals~1\temp\sdm143\Free Ride Games.exe "l 'Startup' u 'http://www.freeridegames.com/do/SDM?action=config&type=NO_TB&contentId=%d' p '143' c '615450'"
mRun: [AVG_TRAY] c:\program files\avg\avg10\avgtray.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [BCU] "c:\program files\devicevm\browser configuration utility\BCU.exe"
mRun: [DATAMNGR] c:\progra~1\wi371a~1\datamngr\DATAMN~1.EXE
mRun: [SweetIM] c:\program files\sweetim\messenger\SweetIM.exe
mRun: [DrvIcon] c:\progra~1\uxpack~1\vistad~1\DrvIcon.exe
mRun: [UX Launcher] c:\program files\ux pack\uxlaunch.exe
dRunOnce: [_nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N
dRunOnce: [IE8] rundll32 advpack.dll,LaunchINFSection IE8.INF,FirstUserStart
dRunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32
uPolicies-Explorer: NoDriveTypeAutoRun = dword:145
uPolicies-Explorer: ForceClassicControlPanel = dword:1
mPolicies-Explorer: NoDriveTypeAutoRun = dword:145
mPolicies-Explorer: ForceClassicControlPanel = dword:1
IE: E&xport to Microsoft Excel - c:\progra~1\micros~1\office11\EXCEL.EXE/3000
IE: Search the Web - c:\program files\sweetim\toolbars\internet explorer\resources\menuext.html
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503}
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
LSP: %windir%\system32\vsocklib.dll
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/E/5/6/E5611B10-0D6D-4117-8430-A67417AA88CD/LegitCheckControl.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1292113007604
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg10\avgpp.dll
AppInit_DLLs= c:\progra~1\wi371a~1\datamngr\datamngr.dll c:\progra~1\wi371a~1\datamngr\iebho.dll c:\progra~1\bandoo\bndhook.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\wpdshserviceobj.dll
.
============= SERVICES / DRIVERS ===============
.
R0 AVGIDSEH;AVGIDSEH;c:\windows\system32\drivers\AVGIDSEH.sys [2010-9-13 22992]
R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [2010-9-7 32592]
R0 vmci;VMware VMCI Bus Driver;c:\windows\system32\drivers\vmci.sys [2012-7-6 71152]
R0 vsock;vSockets Driver;c:\windows\system32\drivers\vsock.sys [2013-6-1 61296]
R1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [2010-9-7 248656]
R1 Avgmfx86;AVG Mini-Filter Resident Anti-Virus Shield;c:\windows\system32\drivers\avgmfx86.sys [2010-9-7 34896]
R1 Avgtdix;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys [2010-11-9 297168]
R1 VBoxDrv;VirtualBox Service;c:\windows\system32\drivers\VBoxDrv.sys [2013-5-24 188176]
R1 VBoxUSBMon;VirtualBox USB Monitor Driver;c:\windows\system32\drivers\VBoxUSBMon.sys [2013-5-24 94480]
R2 AVGIDSAgent;AVGIDSAgent;c:\program files\avg\avg10\identity protection\agent\bin\AVGIDSAgent.exe [2012-1-31 7391072]
R2 avgwd;AVG WatchDog;c:\program files\avg\avg10\avgwdsvc.exe [2011-2-8 269520]
R2 BCUService;Browser Configuration Utility Service;c:\program files\devicevm\browser configuration utility\BCUService.exe [2009-10-15 223464]
R2 UnsignedThemes;Unsigned Themes;c:\windows\UnsignedThemesSvc.exe [2009-7-13 21096]
R2 uxpatch;uxpatch;c:\windows\system32\drivers\uxpatch.sys [2009-7-13 25448]
R2 VMUSBArbService;VMware USB Arbitration Service;c:\program files\common files\vmware\usb\vmware-usbarbitrator.exe [2012-8-1 719512]
R3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\AVGIDSDriver.sys [2010-8-19 134480]
R3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\drivers\AVGIDSFilter.sys [2010-8-19 24144]
R3 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\AVGIDSShim.sys [2010-8-19 27216]
R3 VBoxNetAdp;VirtualBox Host-Only Ethernet Adapter;c:\windows\system32\drivers\VBoxNetAdp.sys [2013-4-12 104720]
R3 VBoxNetFlt;VirtualBox Bridged Networking Service;c:\windows\system32\drivers\VBoxNetFlt.sys [2013-4-12 115984]
S2 MetroServ;WinMetro Service;c:\program files\ux pack\winmetro\MetroSvc.exe [2013-5-11 314176]
S3 nosGetPlusHelper;getPlus(R) Helper 3004;c:\windows\system32\svchost.exe -k nosGetPlusHelper [2008-4-14 14336]
.
=============== Created Last 30 ================
.
2013-06-01 14:44:45 -------- d-----w- c:\documents and settings\milijana\VirtualBox VMs
2013-06-01 14:01:25 -------- d-----w- c:\documents and settings\milijana\local settings\application data\VMware
2013-06-01 14:00:59 63128 ----a-w- c:\windows\system32\vsocklib.dll
2013-06-01 14:00:59 61296 ----a-w- c:\windows\system32\drivers\vsock.sys
2013-06-01 14:00:55 25624 ----a-w- c:\windows\system32\drivers\VMkbd.sys
2013-06-01 14:00:19 357016 ----a-w- c:\windows\system32\vmnetdhcp.exe
2013-06-01 14:00:17 435864 ----a-w- c:\windows\system32\vmnat.exe
2013-06-01 14:00:17 25752 ----a-w- c:\windows\system32\drivers\vmnetuserif.sys
2013-06-01 14:00:12 779928 ----a-w- c:\windows\system32\vnetlib.dll
2013-06-01 14:00:10 41496 ----a-w- c:\windows\system32\drivers\hcmon.sys
2013-06-01 13:59:35 -------- d-----w- c:\program files\VMware
2013-06-01 13:59:35 -------- d-----w- c:\program files\common files\VMware
2013-05-31 13:57:51 -------- d-----w- c:\program files\Counter-Strike
2013-05-31 13:45:22 -------- d-----w- c:\program files\The Game Creators
2013-05-24 20:35:06 -------- d-----w- c:\documents and settings\milijana\.VirtualBox
2013-05-24 13:34:21 -------- d-----w- c:\documents and settings\milijana\application data\inkscape
2013-05-24 13:32:39 -------- d-----w- c:\program files\Inkscape
2013-05-24 13:30:58 188176 ----a-w- c:\windows\system32\drivers\VBoxDrv.sys
2013-05-24 13:30:46 94480 ----a-w- c:\windows\system32\drivers\VBoxUSBMon.sys
2013-05-24 13:30:43 -------- d-----w- c:\program files\Oracle
2013-05-24 13:22:09 -------- d-----w- C:\Counter-Strike 2D
2013-05-20 13:09:49 -------- d-----w- c:\documents and settings\all users\application data\MCShield
2013-05-20 13:09:48 -------- d-----w- c:\program files\MCShield
2013-05-11 14:59:52 -------- d-----w- c:\windows\system32\appmgmt
2013-05-11 14:52:00 118845 ----a-w- c:\windows\Flurry.scr
2013-05-11 14:43:47 -------- d-----w- c:\documents and settings\milijana\application data\IObit
2013-05-11 14:40:33 -------- d-----w- c:\windows\UXBackup
2013-05-11 14:40:07 69632 ----a-w- c:\windows\system32\moveex.exe
2013-05-11 14:40:07 -------- d-----w- c:\program files\UX Pack
.
==================== Find3M ====================
.
2013-04-12 10:33:02 104720 ----a-w- c:\windows\system32\drivers\VBoxNetAdp.sys
2013-04-12 10:32:06 115984 ----a-w- c:\windows\system32\drivers\VBoxNetFlt.sys
2013-04-12 10:32:04 174864 ----a-w- c:\windows\system32\VBoxNetFltNobj.dll
.
============= FINISH: 15:27:43,25 ===============

GMER

GMER 2.1.19163 - http://www.gmer.net
Rootkit scan 2013-06-08 15:37:00
Windows 5.1.2600 Service Pack 3 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T0L0-5 WDC_WD5000AAKS-00V0A0 rev.05.01D05 465,76GB
Running: ei2ox2d2.exe; Driver: C:\DOCUME~1\Milijana\LOCALS~1\Temp\pxtdapow.sys


---- System - GMER 2.1 ----

SSDT \SystemRoot\system32\DRIVERS\AVGIDSShim.Sys ZwOpenProcess [0xF77B0738]
SSDT \SystemRoot\system32\DRIVERS\AVGIDSShim.Sys ZwTerminateProcess [0xF77B07DC]
SSDT \SystemRoot\system32\DRIVERS\AVGIDSShim.Sys ZwTerminateThread [0xF77B0878]
SSDT \SystemRoot\system32\DRIVERS\AVGIDSShim.Sys ZwWriteVirtualMemory [0xF77B0914]

---- Kernel code sections - GMER 2.1 ----

.text C:\WINDOWS\system32\DRIVERS\nv4_mini.sys section is writeable [0xF66CC3A0, 0x59FFE5, 0xE8000020]
? C:\DOCUME~1\Milijana\LOCALS~1\Temp\mbr.sys The filename, directory name, or volume label syntax is incorrect. !

---- User code sections - GMER 2.1 ----

.text C:\PROGRA~1\UXPACK~1\WinMetro\MetroBar.exe[3180] kernel32.dll!CreateThread + 1A 7C8106F1 4 Bytes CALL 5983DB6D C:\PROGRA~1\UXPACK~1\WinMetro\madExcept_.bpl
.text C:\PROGRA~1\UXPACK~1\WinMetro\MetroStart.exe[3284] kernel32.dll!CreateThread + 1A 7C8106F1 4 Bytes CALL 5983DB6D C:\PROGRA~1\UXPACK~1\WinMetro\madExcept_.bpl

---- Devices - GMER 2.1 ----

AttachedDevice \FileSystem\Ntfs \Ntfs AVGIDSFilter.Sys
AttachedDevice \Driver\Tcpip \Device\Ip avgtdix.sys
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 VMkbd.sys
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 VMkbd.sys

Device \Driver\usbohci \Device\USBPDO-0 hcmon.sys
Device \Driver\usbehci \Device\USBPDO-1 hcmon.sys
Device \Driver\usbhub \Device\USBPDO-3 hcmon.sys

AttachedDevice \Driver\Tcpip \Device\Tcp avgtdix.sys

Device \Driver\usbhub \Device\00000075 hcmon.sys
Device \Driver\usbhub \Device\00000077 hcmon.sys

AttachedDevice \Driver\Tcpip \Device\Udp avgtdix.sys
AttachedDevice \Driver\Tcpip \Device\RawIp avgtdix.sys

Device \Driver\usbohci \Device\USBFDO-0 hcmon.sys
Device \Driver\usbehci \Device\USBFDO-1 hcmon.sys

AttachedDevice \FileSystem\Fastfat \Fat fltMgr.sys
AttachedDevice \FileSystem\Fastfat \Fat AVGIDSFilter.Sys

  • Joined: 09 Aug 2011
  • Posts: 15879
  • Location: Belgrade

Hello,

Can you take a screenshot of the name of that detection, so we can see exactly what was detected and the name of the file?

You say you installed Avast? Did you uninstall AVG before that? Which version of AVG is on the system now?




Download "Xplode"'s AdwCleaner and save it to the Desktop.
Run it, then click the [Delete] button and wait for the program to finish.
The program will close all active programs and display a window with that warning. Click Ok to confirm.
On the next two windows that open (Informations and Restart required), click Ok.

The computer will restart and then open Notepad (C:\AdwCleaner[S1].txt) with the report.
Save that Notepad file to the Desktop and attach it to your post using the "Attach file" option.

Note: The report will also be saved at C:\AdwCleaner[S1].txt

  • Programmer
  • Joined: 23 May 2012
  • Posts: 4575

Posted: 08 Jun 2013 23:52

TwinHeadedEagle :: You say you installed Avast? Did you uninstall AVG before that? Which version of AVG is on the system now?

Of course, I uninstalled his AVG first, and only then installed Avast. The AVG was 2011.

TwinHeadedEagle :: Can you take a screenshot of the name of that detection, so we can see exactly what was detected and the name of the file?

Hardly; we uninstalled AVG, and Avast doesn't show anything. In any case, the beginning of the directory was C:/Documents and settings, though I don't know how the file ended up there.

I'll take AdwCleaner over tomorrow and bring back the report.

Addendum: 08 Jun 2013 23:54

I tried to use the Restoration program to recover that file, which he deleted right afterwards believing it was infected, but that requires an Internet connection.

Addendum: 08 Jun 2013 23:57

And yes, I forgot to mention this as well: I looked through the whole AVG History and found one more report of an infected file during 2012, and it was HL.EXE (C:/games/CS1.6V44/HL.EXE).

Damn, I just can't remember the name of that system file. Something i3g..

  • Joined: 09 Aug 2011
  • Posts: 15879
  • Location: Belgrade

Ok, send the AdwCleaner report when you can, and we'll continue tomorrow...

  • Programmer
  • Joined: 23 May 2012
  • Posts: 4575

[attachment: report]

  • Joined: 09 Aug 2011
  • Posts: 15879
  • Location: Belgrade

Download zoek.exe from this or this link and save it to the Desktop.


close the browser and other running programs;
disable your protection software (if needed) Instructions;
double-click zoek.exe to run it;
wait for the tool to start ...


Copy the following text into the white box of the window:

C:\DOCUME~1\Milijana\LOCALS~1\Temp\SDM143\Free Ride Games.exe;virustotal;

Click the button and wait for the scan to finish.


zoek will restart Windows if necessary and, when it finishes, open Notepad with the scan report.

Note: The report will be saved as zoek-results.log on the system partition (typical location: C:\zoek-results.log)


Copy the contents of that log into your post.
