Trojan mnogo smara, kako da ga uklonim

Trojan mnogo smara, kako da ga uklonim

offline
  • SSpin 
  • Saradnik foruma
  • Pridružio: 09 Dec 2004
  • Poruke: 6488
  • Gde živiš: Nis -> ***Durlan City***

Sve je počelo kada sam hteo da očistim jedan sajt od "virusa". Bio je inficiran jednim kodom koji u sebi sadrži neki sajt. Kako sam bio znatiželjan otišao sam da pogledam i trt.

Krenulo je sa onim klasičnim scamom kao da imam problem u PCu. Microsoft Sec Essential AV i te gluposti...

Jedva nekako očistih iz safe moda sa Avirom i MBAM-om.

Ali, opet se javlja već danima...

Evo nekih logova iz Avire
Virus or unwanted program 'TR/Crypt.XPACK.Gen2 [trojan]'
detected in file 'C:\Documents and Settings\SSpin\Local Settings\Temporary Internet Files\Content.IE5\IZBB057H\inst[1].exe.
Action performed: Allow access

Virus or unwanted program 'TR/Fraud.Gen [trojan]'
detected in file 'C:\Documents and Settings\SSpin\Local Settings\Temporary Internet Files\Content.IE5\IZBB057H\21[1].exe.
Action performed: Deny access

The file 'C:\Documents and Settings\SSpin\Local Settings\Application Data\302610570.exe'
contained a virus or unwanted program 'TR/Crypt.ZPACK.Gen2' [trojan]
Action(s) taken:
The registration entry <HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\302610570> was removed successfully.
An error has occurred and the file was not deleted. ErrorID: 26003.
The file could not be deleted!
Attempting to perform action using the ARK library.
The file was moved to the quarantine directory under the name '568ded62.qua'.


Itd. Hoću da ga se rešim trajno. Znam da imate mnogo posla, ne bih otvarao temu da mi baš nije zazviždalo...

Imam 1 Mbit konekciju, od zaštite Aviru, SpyBot, i MBAM. Uglavnom koristim FF.

DDS.txt
--

DDS (Ver_10-12-05.01) - NTFSx86
Run by SSpin at 20:03:42.79 on Fri 12/10/2010
Internet Explorer: 7.0.5730.11 BrowserJavaVersion: 1.6.0_14
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1279.644 [GMT 1:00]

AV: AntiVir Desktop *On-access scanning disabled* (Outdated) {AD166499-45F9-482A-A743-FDD3350758C7}
AV: AntiVir Desktop *On-access scanning disabled* (Outdated) {11638345-E4FC-4BEE-BB73-EC754659C5F6}
FW: Avira FireWall *disabled* {11638345-E4FC-4BEE-BB73-EC754659C5F6}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
C:\WINDOWS\Explorer.EXE
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\CDBurnerXP\NMSAccessU.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Panda USB Vaccine\USBVaccine.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\RocketDock\RocketDock.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\WINDOWS\System32\mshta.exe
C:\WINDOWS\System32\mshta.exe
C:\Documents and Settings\SSpin\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = https://webebank.ebb-bg.com/webbank/frames.jsp
uURLSearchHooks: H - No File
mWinlogon: Userinit=c:\windows\system32\userinit.exe
uWinlogon: Shell=c:\documents and settings\sspin\application data\hotfix.exe
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: DebugBar BHO: {69fc0024-10eb-480a-bbf2-3bf4e78e17b1} - c:\program files\core services\debugbar\DebugInfoBar.dll
BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SEPsearchhelperie.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: Windows Live Toolbar Helper: {e15a8dc0-8516-42a1-81ea-dc94ec1acf10} - c:\program files\windows live\toolbar\wltcore.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File
TB: {038cb5c7-48ea-4af9-94e0-a1646542e62b} - No File
TB: &Windows Live Toolbar: {21fa44ef-376d-4d53-9b0f-8a89d3229068} - c:\program files\windows live\toolbar\wltcore.dll
TB: DebugBar: {3e1201f4-1707-409f-bb45-a5f192381da0} - c:\program files\core services\debugbar\DebugToolBar.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [RocketDock] "c:\program files\rocketdock\RocketDock.exe"
uRun: [{F900AF04-D757-5AFE-D57B-8C4BE292DEC4}] "c:\documents and settings\sspin\application data\ypym\xuubh.exe"
mRun: [Google Desktop Search] "c:\program files\google\google desktop search\GoogleDesktop.exe" /startup
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
dRunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32
uPolicies-explorer: DisallowRun = 1 (0x1)
uPolicies-disallowrun: 1 = avnotify.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office11\REFIEBAR.DLL
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
TCP: {5C53B829-BB74-4B24-8B5D-8D597B397852} = 208.67.222.222,208.67.220.220
TCP: {6DF862F7-CE13-4B35-881A-32275696F818} = 92.60.224.20 92.60.224.30
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
AppInit_DLLs: c:\progra~1\google\google~4\GOEC62~1.DLL
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\wpdshserviceobj.dll
Hosts: 127.0.0.1 www.spywareinfo.com
Hosts: 188.2.219.185 web.thh

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\sspin\applic~1\mozilla\firefox\profiles\aky8ynt5.default\
FF - prefs.js: browser.startup.homepage - hxxp://search.conduit.com/?ctid=CT2077543&SearchSource=13
FF - component: c:\documents and settings\sspin\application data\mozilla\firefox\profiles\aky8ynt5.default\extensions\{6ac85730-7d0f-4de0-b3fa-21142dd85326}\platform\winnt\components\ColorZilla.dll
FF - component: c:\documents and settings\sspin\application data\mozilla\firefox\profiles\aky8ynt5.default\extensions\{de1b245c-de57-11da-ba2d-0050c2490048}\library\winnt-32\MinimizeToTrayPlus.dll
FF - plugin: c:\documents and settings\sspin\application data\facebook\npfbplugin_1_0_3.dll
FF - plugin: c:\documents and settings\sspin\local settings\application data\flock\update\1.2.213.0\npFlockOneClick8.dll
FF - plugin: c:\documents and settings\sspin\local settings\application data\google\update\1.2.183.39\npGoogleOneClick8.dll
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\google updater\2.4.1591.6512\npCIDetect13.dll
FF - plugin: c:\program files\google\update\1.2.183.13\npGoogleOneClick8.dll
FF - plugin: c:\program files\google\update\1.2.183.17\npGoogleOneClick8.dll
FF - plugin: c:\program files\google\update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\google\update\1.2.183.29\npGoogleOneClick8.dll
FF - plugin: c:\program files\google\update\1.2.183.39\npGoogleOneClick8.dll
FF - plugin: c:\program files\google\update\1.2.183.7\npGoogleOneClick8.dll
FF - plugin: c:\program files\microsoft\office live\npOLW.dll
FF - plugin: c:\program files\opera\program\plugins\np_gp.dll
FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll
FF - Extension: Firebug: firebug@software.joehewitt.com - c:\docume~1\sspin\applic~1\mozilla\firefox\profiles\aky8ynt5.default\extensions\firebug@software.joehewitt.com
FF - Extension: Download Statusbar: {D4DD63FA-01E4-46a7-B6B1-EDAB7D6AD389} - c:\docume~1\sspin\applic~1\mozilla\firefox\profiles\aky8ynt5.default\extensions\{D4DD63FA-01E4-46a7-B6B1-EDAB7D6AD389}
FF - Extension: StumbleUpon: {AE93811A-5C9A-4d34-8462-F7B864FC4696} - c:\docume~1\sspin\applic~1\mozilla\firefox\profiles\aky8ynt5.default\extensions\{AE93811A-5C9A-4d34-8462-F7B864FC4696}
FF - Extension: ColorZilla: {6AC85730-7D0F-4de0-B3FA-21142DD85326} - c:\docume~1\sspin\applic~1\mozilla\firefox\profiles\aky8ynt5.default\extensions\{6AC85730-7D0F-4de0-B3FA-21142DD85326}
FF - Extension: YouTube to MP3: youtube2mp3@mondayx.de - c:\docume~1\sspin\applic~1\mozilla\firefox\profiles\aky8ynt5.default\extensions\youtube2mp3@mondayx.de
FF - Extension: SearchStatus: {d57c9ff1-6389-48fc-b770-f78bd89b6e8a} - c:\docume~1\sspin\applic~1\mozilla\firefox\profiles\aky8ynt5.default\extensions\{d57c9ff1-6389-48fc-b770-f78bd89b6e8a}
FF - Extension: MinimizeToTrayPlus: {de1b245c-de57-11da-ba2d-0050c2490048} - c:\docume~1\sspin\applic~1\mozilla\firefox\profiles\aky8ynt5.default\extensions\{de1b245c-de57-11da-ba2d-0050c2490048}
FF - Extension: Greasemonkey: {e4a8a97b-f2ed-450b-b12d-ee082ba24781} - c:\docume~1\sspin\applic~1\mozilla\firefox\profiles\aky8ynt5.default\extensions\{e4a8a97b-f2ed-450b-b12d-ee082ba24781}
FF - Extension: Gmail Checker: {6BFD307A-C040-11DA-9749-FB1C850B47DF} - c:\docume~1\sspin\applic~1\mozilla\firefox\profiles\aky8ynt5.default\extensions\{6BFD307A-C040-11DA-9749-FB1C850B47DF}

---- FIREFOX POLICIES ----
FF - user.js: network.cookie.cookieBehavior - 0
FF - user.js: privacy.clearOnShutdown.cookies - false
FF - user.js: security.warn_viewing_mixed - false
FF - user.js: security.warn_viewing_mixed.show_once - false
FF - user.js: security.warn_submit_insecure - false
FF - user.js: security.warn_submit_insecure.show_once - false

============= SERVICES / DRIVERS ===============

R1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2010-4-5 11608]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2010-4-5 135336]
R2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2010-4-5 267944]
R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2010-4-5 61960]
R2 fssfltr;FssFltr;c:\windows\system32\drivers\fssfltr_tdi.sys [2010-4-15 54752]
S0 FGXSCSI;FGXSCSI;c:\windows\system32\drivers\fgxscsi.sys --> c:\windows\system32\drivers\fgxscsi.sys [?]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2009-12-19 135664]
S3 fsssvc;Windows Live Family Safety Service;c:\program files\windows live\family safety\fsssvc.exe [2009-8-5 704864]
S3 GoogleDesktopManager-051210-111108;Google Desktop Manager 5.9.1005.12335;c:\program files\google\google desktop search\GoogleDesktop.exe [2009-9-26 30192]
S3 iadusb;MT882;c:\windows\system32\drivers\glauiad.sys [2009-3-4 30336]
S3 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files\mcafee security scan\2.0.181\McCHSvc.exe [2010-1-15 227232]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2007-11-6 34064]
S3 SetupNTGLM7X;SetupNTGLM7X;\??\f:\ntglm7x.sys --> f:\NTGLM7X.sys [?]
S3 SIVDRIVER;SIV Kernel Driver;c:\windows\system32\drivers\SIVX32.sys [2009-9-22 48736]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]

=============== Created Last 30 ================

2010-12-10 17:49:44 -------- d-----w- c:\docume~1\sspin\applic~1\Etopid
2010-12-07 20:16:29 -------- d-----w- c:\program files\Cain
2010-12-07 16:52:06 -------- d-----w- c:\docume~1\sspin\applic~1\Ifykn
2010-11-24 19:42:38 -------- d-----w- c:\program files\Core Services
2010-11-24 10:28:45 306688 ----a-w- c:\windows\IsUninst.exe
2010-11-24 10:28:17 -------- d-----w- c:\documents and settings\sspin\WINDOWS

==================== Find3M ====================

2009-03-11 17:21:05 478720 ----a-w- c:\program files\usbnorisk.exe
2003-01-03 19:36:52 77824 ----a-w- c:\program files\Startup.exe

============= FINISH: 20:05:33.84 ===============

https://www.mycity.rs/must-login.png

https://www.mycity.rs/must-login.png


Zaista vam hvala unapred, i znajte da cenim i poštujem duboko vaš rad! Ziveli

offline
  • diarno  Male
  • Anti Malware Fighter
    Rank 2
  • Pridružio: 15 Jun 2007
  • Poruke: 5572

Pozdrav...

Arrow Preuzmi program OTM na Desktop.

Dvoklikom pokreni OTM.exe

U (levi) prozor programa (ispod Paste Instructions for Items to be Moved) iskopiraj sve što se nalazi unutar Kod polja:
:reg
[HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"=-

:files
c:\documents and settings\sspin\application data\hotfix.exe

Klikni MoveIt!

Po završetku procesa, u desnom prozoru programa (ispod Results), će se nalaziti tekst koji je potrebno iskopirati u poruku na forumu.


Ukoliko se pojavi upit:

Confirm ::The system requires a reboot to finish removing files.
Do you want to reboot now?


kliknuti Yes kako bi se kompjuter restartovao i proces bio dovršen.

Nakon ponovnog pokretanja sistema, logfile će se automatski otvoriti u Notepadu.
Potrebno je iskopirati sadržaj tog loga u poruku na forumu.


Arrow Pogledaj sta imas u ovim folderima i da li su ti poznati :


Citat:c:\docume~1\sspin\applic~1\Etopid
c:\docume~1\sspin\applic~1\Ifykn

offline
  • SSpin 
  • Saradnik foruma
  • Pridružio: 09 Dec 2004
  • Poruke: 6488
  • Gde živiš: Nis -> ***Durlan City***

Results

========== REGISTRY ==========
Registry value HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\\Shell deleted successfully.
========== FILES ==========
File/Folder c:\documents and settings\sspin\application data\hotfix.exe not found.

OTM by OldTimer - Version 3.1.17.2 log created on 12112010_120305

-notpad-


========== REGISTRY ==========
Registry value HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\\Shell deleted successfully.
========== FILES ==========
File/Folder c:\documents and settings\sspin\application data\hotfix.exe not found.

OTM by OldTimer - Version 3.1.17.2 log created on 12112010_120305

Ništa ne držim u onim folderima, izgleda da je to virus napravio.
Jedan je prazan a jedan ima neki qivae.uli fajl. Da ih shift deletnem Very Happy

offline
  • diarno  Male
  • Anti Malware Fighter
    Rank 2
  • Pridružio: 15 Jun 2007
  • Poruke: 5572

Ja zaboravih na tebe Razz

Ponovo isti postupak samo druga skripta :

:reg
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"{F900AF04-D757-5AFE-D57B-8C4BE292DEC4}"=-

:files
c:\documents and settings\sspin\application data\ypym\xuubh.exe
c:\docume~1\sspin\applic~1\Etopid
c:\docume~1\sspin\applic~1\Ifykn

:Commands
[resethosts]
[Reboot]

offline
  • SSpin 
  • Saradnik foruma
  • Pridružio: 09 Dec 2004
  • Poruke: 6488
  • Gde živiš: Nis -> ***Durlan City***

Napisano: 11 Dec 2010 23:48

Dobro je, uspešno je obrisan Smile

Trebalo bi da je ok, javljam sutra ako nešto primetim.

Dopuna: 12 Dec 2010 15:59

Sve je cakup-pakum. Hvala!!! Ziveli Zagrljaj

Ko je trenutno na forumu
 

Ukupno su 963 korisnika na forumu :: 48 registrovanih, 10 sakrivenih i 905 gosta   ::   [ Administrator ] [ Supermoderator ] [ Moderator ] :: Detaljnije

Najviše korisnika na forumu ikad bilo je 3466 - dana 01 Jun 2021 17:07

Korisnici koji su trenutno na forumu:
Korisnici trenutno na forumu: 357magnum, _Sale, A.R.Chafee.Jr., babaroga, bobomicek, bojank, bojcistv, BORUTUS, Brana01, Bubimir, cemix, DeerHunter, DENIRO, Dimitrije Paunovic, Doca, dragoljub11987, Duh sa sekirom, dule10savic, Futog 74, Georgius, Još malo pa deda, kobaja77, Lieutenant, maiden6657, Metanoja, mgolub, MiG-29M2, milenko crazy north, Milometer, muaddib, Nemanja.M, nick79, Papadubi, Regrut Boskica, Ripanjac, RJ, ruma, S2M, sap, Seeker, slonic_tonic, suton, uruk, VJ, wolf431, Zimbabwe, Žrnov, Čivi