Problem Slaper.c

offline
  • viper
  • New MyCity citizen
  • Joined: 23 Dec 2006
  • Posts: 27

I have a problem with the trojan TrojanProxy.Slaper.C. NOD detects it almost every time I turn the computer on, no matter what I have done so far. The last thing I did was to turn off System Restore and scan from Safe Mode; there I managed to delete the following: c:\widows\system 32\helpersysem.exe, at least I think I did, since a later scan showed nothing, but this morning NOD again showed that it is still present. Last night I had 19 infected files and today 25.
Attaching my HijackThis log:
Logfile of HijackThis v1.99.1
Scan saved at 3:36:09 PM, on 12/23/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\D-Tools\daemon.exe
C:\WINDOWS\vsnpstd.exe
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Unlocker\UnlockerAssistant.exe
C:\Documents and Settings\q\1.exe
C:\WINDOWS\SYSTEM32\SRPSKEY.EXE
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.908.5008\GoogleToolbarNotifier.exe
C:\Documents and Settings\q\1.exe
C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Documents and Settings\q\Desktop\New Folder\HijackThis.exe

O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: IeCatch5 Class - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - C:\PROGRA~1\FlashGet\jccatch.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: gFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - C:\PROGRA~1\FlashGet\getflash.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\fgiebar.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [snpstd] C:\WINDOWS\vsnpstd.exe
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Program Files\Unlocker\UnlockerAssistant.exe"
O4 - HKLM\..\Run: [msvcc25] svcchost.exe
O4 - HKLM\..\Run: [sysemls] C:\Documents and Settings\q\1.exe
O4 - HKLM\..\Run: [srpskey] C:\WINDOWS\SYSTEM32\SRPSKEY.EXE
O4 - HKLM\..\RunServices: [msvcc25] svcchost.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\1.2.908.5008\GoogleToolbarNotifier.exe"
O4 - HKCU\..\Run: [sysemls] C:\Documents and Settings\q\1.exe
O4 - Startup: Shadow Ops_ Red Mercury Registration.lnk = C:\Documents and Settings\q\Local Settings\Temp\{0B7E09AE-A2D2-41E8-A28C-E1D20FA53B0A}\{021CB753-D388-4C3B-8E40-554E226F54F2}\ATR1.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: DSLMON.lnk = C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: Add to AMV Convert Tool... - C:\Program Files\MP3 Player Utilities 4.00\AMVConverter\grab.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: MediaManager tool grab multimedia file - C:\Program Files\MP3 Player Utilities 4.00\MediaManager\grab.html
O8 - Extra context menu item: Preuzmi sa FlashGet-om - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: Preuzmi sve sa FlashGet-om - C:\Program Files\FlashGet\jc_all.htm
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{D0C9B7B5-7C9E-4068-B94B-33C4FF8D6A86}: NameServer = 194.247.192.1 194.247.192.33
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe

Thanks in advance.

offline
  • Joined: 04 Sep 2003
  • Posts: 24135
  • Location: Wien

Hi viper. The log shows a couple of files that are suspicious.
I'd ask you to send us a list of the folders and files located in the folder C:\Documents and Settings\

Before that, enable the display of hidden and system files following these instructions:
http://www.mycity.rs/Uputstva-sa-ex-SuperSajta/Kako-videti-skrivene-fajlove.html
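The helper's remark that the log "shows a couple of suspicious files" can be reproduced mechanically from the O4 (autorun) lines. The script below is an added example for this thread, not code from the forum or from HijackThis itself. It parses Run-key and Startup entries in the HijackThis format and applies three heuristics that are this example's own assumptions: a bare file name with no path (Windows resolves it through the search path, which is why the user later cannot find svcchost.exe where he expects it), an executable living under a user profile or Temp directory, and a name one character away from a core Windows process name (svcchost.exe versus svchost.exe). The sample input is an excerpt of the log posted above; the list of system process names is illustrative, not exhaustive, and every hit still needs analyst judgement (SOUNDMAN.EXE, a legitimate audio helper, is flagged only because it is registered without a path).

```python
"""Triage of O4 (autorun) entries from a HijackThis log.

Added example, not code from the thread or from HijackThis. The three
heuristics are this example's own assumptions about what makes an autorun
entry worth a second look; they are a starting point, not a verdict.
"""
import re
from collections import namedtuple

# Core Windows processes that malware commonly imitates by name.
# Assumption: short illustrative list, not an exhaustive one.
SYSTEM_PROCESS_NAMES = {
    "svchost.exe", "lsass.exe", "csrss.exe", "smss.exe",
    "winlogon.exe", "services.exe", "explorer.exe", "spoolsv.exe",
}

# "O4 - HKLM\..\Run: [name] command"  and  "O4 - HKLM\..\RunServices: ..."
RUN_KEY_RE = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\(Run\w*): \[([^\]]*)\] (.*)$")
# "O4 - Startup: shortcut.lnk = target"  and  "O4 - Global Startup: ..."
STARTUP_RE = re.compile(r"^O4 - ((?:Global )?Startup): (.*?) = (.*)$")

Finding = namedtuple("Finding", "line exe reasons")

# Excerpt of the log posted in this thread (constructed test input).
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [msvcc25] svcchost.exe
O4 - HKLM\..\Run: [sysemls] C:\Documents and Settings\q\1.exe
O4 - HKLM\..\RunServices: [msvcc25] svcchost.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Startup: Shadow Ops_ Red Mercury Registration.lnk = C:\Documents and Settings\q\Local Settings\Temp\{0B7E09AE-A2D2-41E8-A28C-E1D20FA53B0A}\{021CB753-D388-4C3B-8E40-554E226F54F2}\ATR1.EXE
O4 - Global Startup: DSLMON.lnk = C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe
"""


def edit_distance(a, b):
    """Levenshtein distance; used to spot one-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def extract_exe(command):
    """Return the program part of a Run-key command line, quoted or not.

    Unquoted paths may contain spaces, so the unquoted case is cut at the
    first executable-looking extension followed by whitespace or end of line.
    """
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    m = re.match(r"(.*?\.(?:exe|com|bat|pif|scr|dll))(?:\s|$)", command, re.I)
    return m.group(1) if m else command.split()[0]


def reasons_for(exe):
    """Apply the three heuristics to one executable path or bare name."""
    reasons = []
    path = exe.replace("/", "\\")
    base = path.rsplit("\\", 1)[-1].lower()
    if "\\" not in path:
        # Bare name: resolved through the search path, so it can sit anywhere.
        reasons.append("no-path")
    low = path.lower()
    if low.startswith("c:\\documents and settings\\") or "\\temp\\" in low:
        reasons.append("profile-path")
    if base not in SYSTEM_PROCESS_NAMES:
        for known in sorted(SYSTEM_PROCESS_NAMES):
            if edit_distance(base, known) == 1:
                reasons.append("lookalike:" + known)
    return reasons


def analyze(log_text):
    """Return a Finding for every O4 line that trips at least one heuristic."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        m = RUN_KEY_RE.match(line)
        if m:
            exe = extract_exe(m.group(4))
        else:
            m = STARTUP_RE.match(line)
            if not m:
                continue
            exe = m.group(3).strip()
        reasons = reasons_for(exe)
        if reasons:
            findings.append(Finding(line, exe, reasons))
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(", ".join(f.reasons).ljust(30), f.line)
```

Run as a script it lists five entries: SOUNDMAN.EXE (bare name only), both svcchost.exe registrations (bare name and one edit away from svchost.exe), 1.exe under the user's profile, and the ATR1.EXE shortcut pointing into Temp; nod32kui.exe, ctfmon.exe and dslmon.exe pass. The "no-path" heuristic is deliberately noisy: it is exactly the property that makes the later "where is svcchost.exe?" search necessary, since nothing in the registry value says which directory the file lives in.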

offline
  • viper
  • New MyCity citizen
  • Joined: 23 Dec 2006
  • Posts: 27

How do I send that list?

offline
  • Joined: 04 Sep 2003
  • Posts: 24135
  • Location: Wien

Well, I don't think you have more than 6-7 folders there; can you type their names here?

offline
  • viper
  • New MyCity citizen
  • Joined: 23 Dec 2006
  • Posts: 27

Here you go:
All Users, Default Users, LocalService, NetworkService, q, All User.log, Default User.log

offline
  • Joined: 04 Sep 2003
  • Posts: 24135
  • Location: Wien

Is your user (the account you are logged in under) called q?

offline
  • viper
  • New MyCity citizen
  • Joined: 23 Dec 2006
  • Posts: 27

Yes. I don't know if it matters, but I recently changed it from srdjan to q, and before that the name was also q.

offline
  • Joined: 04 Sep 2003
  • Posts: 24135
  • Location: Wien

The following link is our malware upload page:
http://www.mycity.rs/ambulanta-upload.php

I'd ask you to pack the following files into one ZIP and upload them to that link:

C:\Documents and Settings\q\1.exe
c:\documents and settings\q\start menu\programs\startup\svcchost.exe
c:\documents and settings\All Users\start menu\programs\startup\svcchost.exe
C:\Documents and Settings\q\Local Settings\Temp\{0B7E09AE-A2D2-41E8-A28C-E1D20FA53B0A}\{021CB753-D388-4C3B-8E40-554E226F54F2}\ATR1.EXE

If there are any more EXE or DLL files in the folder c:\documents and settings\q, be sure to send those too.

Check the TEMP folder I mentioned above and see whether it contains any more EXE, BAT, PIF or DLL files.

Once I receive these files from you (once you have uploaded them), I will know exactly what we are dealing with, and then I can see exactly which steps to take.

offline
  • viper
  • New MyCity citizen
  • Joined: 23 Dec 2006
  • Posts: 27

I found only the first file; the other three I did not, even though I followed exactly the paths I was given. Is that normal, did I miss something? In c:\documents and settings\q there are no more exe or dll files.

offline
  • Joined: 04 Sep 2003
  • Posts: 24135
  • Location: Wien

Go to Start > Search > For Files and Folders
See the picture

Where it says file name, enter svcchost.exe (note the double "c").
Set the options as in the picture, except the Case Sensitive option, which should be turned off.
See whether the file is found now, and in exactly which folder.
