Some annoying infection

offline
  • Marko Šolajić
  • Joined: 03 Apr 2004
  • Posts: 987
  • Location: Novi Sad

So, the problems show up with the network: after a while the computer simply stops communicating with the internet, won't print to the network printer, etc. Occasionally the mouse and keyboard lock up, and My Documents sometimes opens on its own.
I tried scanning with Malwarebytes, BitDefender Online and ESET Online; they supposedly find infections and delete them, but after a reboot it comes back.
There is no antivirus installed on the machine (it has never needed one until now), and I think the infection came in via some USB drive.


DDS (Ver_09-10-26.01) - NTFSx86
Run by RTV Duga at 9:55:11,51 on sre 11.11.2009
Internet Explorer: 6.0.2900.2180
Microsoft Windows XP Professional 5.1.2600.2.1250.381.1033.18.1023.649 [GMT 1:00]


============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\LogMeIn\x86\LogMeInSystray.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\FileZilla Server\FileZilla Server.exe
C:\Program Files\LogMeIn\x86\RaMaint.exe
C:\Program Files\LogMeIn\x86\LMIGuardian.exe
C:\Program Files\LogMeIn\x86\LogMeIn.exe
C:\Program Files\LogMeIn\x86\LMIGuardian.exe
C:\WINDOWS\system32\LxrSII1s.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\WINDOWS\system32\fxssvc.exe
C:\Program Files\DynDNS Updater\DynDNS.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Mv2Player\Mv2Player.exe
C:\totalcmd\WINCMD32.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
svchost.exe
C:\Documents and Settings\RTV Duga\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = about:blank
mWinlogon: Userinit=c:\windows\system32\userinit.exe,c:\documents and settings\rtv duga\junaa.exe \s
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [msnmsgr] "c:\program files\msn messenger\MsnMsgr.Exe" /background
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [SoundMan] SOUNDMAN.EXE
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [LogMeIn GUI] "c:\program files\logmein\x86\LogMeInSystray.exe"
mRun: [FileZilla Server Interface] "c:\program files\filezilla server\FileZilla Server Interface.exe"
mRun: [WMI RPC Server] c:\windows\system32\wmisrpc.exe
mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office10\EXCEL.EXE/3000
IE: {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: DirectAnimation Java Classes - file://c:\windows\java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} - hxxp://download.bitdefender.com/resources/scanner/sources/en/scan8/oscan8.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
Notify: LMIinit - LMIinit.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\rtvdug~1\applic~1\mozilla\firefox\profiles\ddvi9pb9.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - component: c:\documents and settings\rtv duga\application data\mozilla\firefox\profiles\ddvi9pb9.default\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}\components\bdqscan.dll
FF - plugin: c:\documents and settings\rtv duga\application data\mozilla\firefox\profiles\ddvi9pb9.default\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}\plugins\npqscan.dll
FF - plugin: c:\documents and settings\rtv duga\application data\mozilla\firefox\profiles\ddvi9pb9.default\extensions\logmeinclient@logmein.com\plugins\npRACtrl.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npRACtrl.dll

============= SERVICES / DRIVERS ===============

R0 hafgrgkp;hafgrgkp;c:\windows\system32\drivers\hafgrgkp.sys [2009-11-10 40128]
R2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\logmein\x86\rainfo.sys [2008-7-24 12856]
R2 LMIRfsDriver;LogMeIn Remote File System Driver;c:\windows\system32\drivers\LMIRfsDriver.sys [2007-6-3 47640]
R2 LxrSII1d;Secure II Driver;c:\windows\system32\drivers\LxrSII1d.sys [2006-9-9 70016]
S3 libusb0;LibUsb-Win32 - Kernel Driver 03/09/2005, 0.1.10.1;c:\windows\system32\drivers\libusb0.sys [2009-4-22 33792]
S4 LMIRfsClientNP;LMIRfsClientNP; [x]
S4 msvsmon80;Visual Studio 2005 Remote Debugger;c:\program files\microsoft visual studio 8\common7\ide\remote debugger\x86\msvsmon.exe [2005-9-23 2799808]

=============== Created Last 30 ================

2009-11-11 08:42:57 15360 ---ha-w- c:\documents and settings\rtv duga\junaa.exe
2009-11-11 08:39:46 15360 ---ha-w- c:\documents and settings\rtv duga\uuon.exe
2009-11-11 08:11:30 24576 ----a-w- c:\windows\system32\userinit.exe
2009-11-10 14:00:37 0 d-----w- C:\!!
2009-11-10 13:46:35 0 d-----w- c:\program files\SHOUTcast
2009-11-10 13:36:07 0 d-----w- c:\docume~1\rtvdug~1\applic~1\Malwarebytes
2009-11-10 13:36:03 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-11-10 13:36:02 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-11-10 13:36:02 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-11-10 13:36:02 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-11-10 13:33:07 68608 ---h--w- c:\windows\system32\secupdat.dat
2009-11-10 13:33:00 697 ----a-w- c:\documents and settings\rtv duga\netsf_m.inf
2009-11-10 13:33:00 56576 ----a-w- c:\windows\system32\drivers\ndisvvan.sys
2009-11-10 13:33:00 1754 ----a-w- c:\documents and settings\rtv duga\netsf.inf
2009-11-10 13:10:35 98816 ----a-w- c:\windows\sed.exe
2009-11-10 13:10:35 77312 ----a-w- c:\windows\MBR.exe
2009-11-10 13:10:35 267264 ----a-w- c:\windows\PEV.exe
2009-11-10 13:10:35 161792 ----a-w- c:\windows\SWREG.exe
2009-11-10 08:28:07 40128 ----a-w- c:\windows\system32\drivers\hafgrgkp.sys
2009-11-10 08:17:59 0 d-----w- c:\program files\ESET
2009-11-10 07:11:51 0 d-----w- c:\docume~1\rtvdug~1\applic~1\QuickScan
2009-11-08 19:24:42 151040 ----a-w- c:\windows\system32\wmisrpc.exe

==================== Find3M ====================

2009-10-02 13:28:36 83288 ----a-w- c:\windows\system32\LMIRfsClientNP.dll
2009-10-02 13:28:32 28984 ----a-w- c:\windows\system32\LMIport.dll
2009-10-02 13:28:31 87352 ----a-w- c:\windows\system32\LMIinit.dll
2009-09-08 13:24:21 11552 -c--a-w- c:\windows\system32\LMImirr2.dll
2009-09-08 13:24:20 25248 -c--a-w- c:\windows\system32\LMImirr.dll

============= FINISH: 9:55:23,65 ===============
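As an added triage example (not from the thread, and not part of DDS or any of the tools mentioned): the script below parses a DDS log excerpt constructed from the entries in the log above and flags autostart entries, including the Winlogon Userinit chain, that point at files created within DDS's 30-day window. The section headers and line formats it assumes are those of the log above; the flagged items are the ones the cleanup script later in the thread removes.

```python
import re

# Constructed DDS excerpt; the entries are copied from the log posted in this thread.
DDS_EXCERPT = r"""
============== Pseudo HJT Report ===============
mWinlogon: Userinit=c:\windows\system32\userinit.exe,c:\documents and settings\rtv duga\junaa.exe \s
mRun: [LogMeIn GUI] "c:\program files\logmein\x86\LogMeInSystray.exe"
mRun: [WMI RPC Server] c:\windows\system32\wmisrpc.exe
============= SERVICES / DRIVERS ===============
R0 hafgrgkp;hafgrgkp;c:\windows\system32\drivers\hafgrgkp.sys [2009-11-10 40128]
R2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\logmein\x86\rainfo.sys [2008-7-24 12856]
=============== Created Last 30 ================
2009-11-11 08:42:57 15360 ---ha-w- c:\documents and settings\rtv duga\junaa.exe
2009-11-10 13:36:02 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-11-10 08:28:07 40128 ----a-w- c:\windows\system32\drivers\hafgrgkp.sys
2009-11-08 19:24:42 151040 ----a-w- c:\windows\system32\wmisrpc.exe
"""

# A drive-letter path ending in an executable/driver/library extension; stops at DDS separators.
PATH_RE = re.compile(r'[a-z]:\\[^,;\[\]"]*?\.(?:exe|sys|dll)', re.IGNORECASE)

def section(log, title):
    """Lines of the DDS section whose '====' header contains `title`."""
    lines, grab = [], False
    for line in log.splitlines():
        if line.startswith("="):
            grab = title in line
        elif grab and line.strip():
            lines.append(line)
    return lines

def recently_created(log):
    """Lower-cased paths of .exe/.sys/.dll files listed under 'Created Last 30'."""
    return {m.group(0).lower() for m in map(PATH_RE.search, section(log, "Created Last 30")) if m}

def suspicious_autostarts(log):
    """Autostart lines (Run keys, Userinit, drivers) pointing at a file created in the
    30-day window: persistence for a brand-new binary, the pattern seen in this thread."""
    new_files = recently_created(log)
    return [line for line in section(log, "Pseudo HJT") + section(log, "SERVICES")
            if any(p.lower() in new_files for p in PATH_RE.findall(line))]

def userinit_extras(log):
    """Executables chained onto the Winlogon Userinit value besides userinit.exe itself."""
    for line in section(log, "Pseudo HJT"):
        if "Userinit=" in line:
            parts = [p.strip().lower() for p in line.split("=", 1)[1].split(",")]
            return [p for p in parts if p and not p.endswith(r"\userinit.exe")]
    return []
```

Note that mbam.sys is also new but is not flagged, because nothing in the autostart sections references it; a new file alone is not the signal, a new file wired into persistence is.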

offline
  • diarno  Male
  • Anti Malware Fighter
    Rank 2
  • Joined: 15 Jun 2007
  • Posts: 5572

A slightly more complex infection, so it took me a bit of time


Download The Avenger to the Desktop.
Unpack the archive into a folder

Double-click avenger.exe to run it

Copy the text inside the Code box into the program's (white) window:


Files to delete:
c:\documents and settings\rtv duga\junaa.exe
c:\documents and settings\rtv duga\uuon.exe
c:\windows\system32\drivers\hafgrgkp.sys
c:\windows\system32\wmisrpc.exe
c:\windows\system32\drivers\ndisvvan.sys
c:\windows\system32\secupdat.dat
c:\documents and settings\rtv duga\netsf_m.inf
c:\documents and settings\rtv duga\netsf.inf

Drivers to delete:
hafgrgkp
Passthru

Registry values to delete:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | WMI RPC Server 


Click Execute, then Yes in the next two windows that open

The computer will restart (in some cases: twice) and the cleaning/scanning process will begin

When the process is complete, the logfile C:\avenger.txt will open in Notepad

Paste the contents of the resulting log into the thread on the forum.


Then import this regfile (double-click, then Yes)

If, after following these instructions, the internet connection disappears...

Try a repair with this program

http://www.snapfiles.com/get/winsockxpfix.html

It doesn't necessarily mean it will happen, but it's possible

offline
  • Marko Šolajić
  • Joined: 03 Apr 2004
  • Posts: 987
  • Location: Novi Sad

Here's the log

Logfile of The Avenger Version 2.0, (c) by Swandog46
http://swandog46.geekstogo.com

Platform:  Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!

File "c:\documents and settings\rtv duga\junaa.exe" deleted successfully.
File "c:\documents and settings\rtv duga\uuon.exe" deleted successfully.
File "c:\windows\system32\drivers\hafgrgkp.sys" deleted successfully.
File "c:\windows\system32\wmisrpc.exe" deleted successfully.
File "c:\windows\system32\drivers\ndisvvan.sys" deleted successfully.
File "c:\windows\system32\secupdat.dat" deleted successfully.
File "c:\documents and settings\rtv duga\netsf_m.inf" deleted successfully.
File "c:\documents and settings\rtv duga\netsf.inf" deleted successfully.
Driver "hafgrgkp" deleted successfully.
Driver "Passthru" deleted successfully.
Registry value "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|WMI RPC Server" deleted successfully.

Completed script processing.

*******************

Finished!  Terminate.


By the way, the internet works; I'm writing from that computer.

offline
  • diarno  Male
  • Anti Malware Fighter
    Rank 2
  • Joined: 15 Jun 2007
  • Posts: 5572

Give me a fresh DDS log

One question: what exactly is the reason this computer has no real-time protection at all?

offline
  • Marko Šolajić
  • Joined: 03 Apr 2004
  • Posts: 987
  • Location: Novi Sad

Only this is strange to me: in Device Manager some additional items show up around the network card, and I can neither update their drivers nor remove them... Here's the picture.

offline
  • diarno  Male
  • Anti Malware Fighter
    Rank 2
  • Joined: 15 Jun 2007
  • Posts: 5572

That's no longer in my area... try to find suitable drivers somewhere online and install them manually..

But:

Quote: Give me a fresh DDS log

One question: what exactly is the reason this computer has no real-time protection at all?

offline
  • Marko Šolajić
  • Joined: 03 Apr 2004
  • Posts: 987
  • Location: Novi Sad

Posted: 11 Nov 2009 18:31

I didn't see the message; we must have been writing at the same time...



Addendum: 11 Nov 2009 18:33

In the meantime I installed NOD. It had no protection because until recently the internet on it was used only from one specific application that pulls XML from a single server, and that's all. Granted, it's not much of an excuse, but that's how it is.

offline
  • diarno  Male
  • Anti Malware Fighter
    Rank 2
  • Joined: 15 Jun 2007
  • Posts: 5572

OK, this is clean now... How does it seem to you?

offline
  • Marko Šolajić
  • Joined: 03 Apr 2004
  • Posts: 987
  • Location: Novi Sad

NOD found a couple of leftover files and deleted them; as far as I can tell everything works OK. If I notice anything acting up I'll let you know.
