Problem sa Trojancem

1

Problem sa Trojancem

offline
  • Pridružio: 14 Avg 2006
  • Poruke: 108

Da li neko ima ideju kako da uklonim trojance? Vec par dana mi KAV 6.0.2. 614 izbacuje "Trojan-Proxy.Win32.Horst.pu". Obrise ga, ali se pri dizanju sistema opet pojavljuje. Naravno, javlja se i tokom rada na racunaru. Od zastite koristim KAV, SpyBot, AVG Anty Spyware 7.5, a malopre sam ubacila i Ewido micro.

Hvala unapred!

offline
  • Pridružio: 04 Sep 2003
  • Poruke: 24135
  • Gde živiš: Wien

Procitaj sledeu temu:
http://www.mycity.rs/Ambulanta/Procitati-pre-otvaranja-teme.html

pa nam onda postavi log programa HijackThis.

offline
  • Pridružio: 14 Avg 2006
  • Poruke: 108

Logfile of HijackThis v1.99.1
Scan saved at 13:10:31, on 3/10/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Documents and Settings\Misa\Desktop\New Folder\HijackThis.exe

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SpywareBlock Class - {0A87E45F-537A-40B4-B812-E2544C21A09F} - D:\Programi\SpyCatcher 2006\SCActiveBlock.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: eSnips - {ED1184DA-E57E-4480-99D0-A16809037F54} - C:\Program Files\eSnips\SnipBar.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -startup
O4 - HKLM\..\Run: [eSnips] "C:\Program Files\eSnips\ClientGW.exe"
O4 - HKLM\..\Run: [.nvsvc] C:\WINDOWS\system\smss.exe /w
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_7 -reboot 1
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Snip to my eSnips account - C:\Program Files\eSnips\res\SnipIt.htm
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\scieplugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{5552D92D-932E-44F0-9725-163F2D0F2AAD}: NameServer = 194.247.192.33,194.247.192.1
O20 - Winlogon Notify: klogon - C:\WINDOWS\system32\klogon.dll
O20 - Winlogon Notify: winhld32 - C:\WINDOWS\
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Kaspersky Anti-Virus 6.0 (AVP) - Unknown owner - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe" -r (file missing)
O23 - Service: InCD Helper (InCDsrv) - AHEAD Software - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

offline
  • Pridružio: 04 Sep 2003
  • Poruke: 24135
  • Gde živiš: Wien

Nadji i spakuj mi u jedan ZIP sledeci fajl:
C:\WINDOWS\system\smss.exe

pa mi posalji preko sledeceg linka:
http://www.mycity.rs/ambulanta-upload.php

offline
  • Pridružio: 14 Avg 2006
  • Poruke: 108

Moram priznati da sam lenja sa citanjem tako da nisam odradila sve kako je navedeno. Internet konekcija je ADSL 768/192. Virus je Trojan-Proxy.Win32 i nalazi ga u local\temp (deleted: Trojan program Trojan-Proxy.Win32.Horst.sv File: C:\DOCUME~1\Misa\LOCALS~1\Temp\4exinjs.a2.exe//UPX).

Dopuna: 10 Mar 2007 13:26

Poslala sam fajl.

offline
  • Pridružio: 04 Sep 2003
  • Poruke: 24135
  • Gde živiš: Wien

Ajde onda spakuj i taj fajl u ZIP pa ga uploaduje.
Puna putanja do fajla je:
C:\Documents and Settings\Misa\Local Settings\Temp\4exinjs.a2.exe

Mozda ces morati da ugasis KAV da bi mi spakovala taj fajl.
Ukoliko ne mozes da nadjes folder Local Settings, onda je potrebno da ukljucis View Hidden Files. Uputstvo za ukljucivanje te opcije imas ovde:
http://www.mycity.rs/Uputstva-sa-ex-SuperSajta/Kako-videti-skrivene-fajlove.html

offline
  • Pridružio: 14 Avg 2006
  • Poruke: 108

Nije problem, saljem ti nekoliko takvih fajlova u zipu.

offline
  • Pridružio: 04 Sep 2003
  • Poruke: 24135
  • Gde živiš: Wien

Pregledaj da li imas i ovaj fajl:
C:\WINDOWS\SYSTEM32\winhld32.dll

Onaj smss.exe sam pregledao, u pitanju je trojanac kog KAV ne prepoznaje.

offline
  • Pridružio: 14 Avg 2006
  • Poruke: 108

Nemamam winhld32.dll (ovaj put sam detaljno pregledala :-) ).

offline
  • Pridružio: 04 Sep 2003
  • Poruke: 24135
  • Gde živiš: Wien

Preuzmi program ATF Cleaner ali ga nemoj jos pokretati, trebace nam za kasnije.

Skeniraj HJT-om i stikliraj polje ispred sledecih linija:
O4 - HKLM\..\Run: [.nvsvc] C:\WINDOWS\system\smss.exe /w
O20 - Winlogon Notify: winhld32 - C:\WINDOWS\

Klikni Fix Checked

Restartuj komp u Safe Mode po sledecem uputstvu:
http://www.mycity.rs/Uputstva-sa-ex-SuperSajta/Kako-uci-u-SAFE-MODE.html

Kada budes u Safe Mode, prvo obrisi sporni C:\WINDOWS\system\smss.exe, a nakon toga pokreni ATF Cleaner. ATF Cleaner se koristi na sledeci nacin:
Stiklaraj Select All i nakon toga klikni na Empty Selected.
Kada se pojavi poruka Done Cleaning mozete ovaj program zatvoriti.

Nakon toga restartuj komp u normalan mod rada i napravi novi log programa HijackThis koji ces postaviti ovde.

12 Mar 2007 01:36 bobby Zaključavanje topica Razlog: Javiti se na PP ukoliko je potrebno aktiviranje teme  
Ko je trenutno na forumu
 

Ukupno su 734 korisnika na forumu :: 55 registrovanih, 2 sakrivenih i 677 gosta   ::   [ Administrator ] [ Supermoderator ] [ Moderator ] :: Detaljnije

Najviše korisnika na forumu ikad bilo je 3466 - dana 01 Jun 2021 17:07

Korisnici koji su trenutno na forumu:
Korisnici trenutno na forumu: _commandos_, A.R.Chafee.Jr., Andrija357, Apok, Arhiv, ArmyBoss, Atomski čoban, cenejac111, crnitrn, danilopu, darkangel, Dekster, Doca, doktor1964, Dorcolac, Drug pukovnik, Ilija Grubor, Ivan Campo, Kaplar2, kovinacc, Kruger, kunktator, kvcali, kybonacci, liman, Marko Marković, MB120mm, mercedesamg, Miskohd, Mixelotti, mrkanidja, mushroom, nedeljkovici, nenad81, Oluj2.1, Panter, Pohovani_00, Profica, Recce, rovac, Sale.S, saputnik plavetnila, sekretar, Skywhaler, Smd, Snorks, spektorsky, ss10, Toni, Trpe Grozni, USSVoyager, VJ, wizzardone, xJeremijAx, Yellow Pinky