Win32/PSW.OnLineGames.NMY trojan

offline
  • Joined: 20 Mar 2009
  • Posts: 300
  • Location: Republic Of Srpska Banjaluka

Posted: 18 May 2009 20:25

Hello,
I told myself I would never lend my devices to anyone again, but what can I do, I gave in.
It's about an external hard disk that had been lent out; when I connected it to my computer, NOD activated. It said it couldn't delete it (the trojan), but it seems to have removed it anyway. Are there any remnants? MBAM doesn't report anything either!

picture


log
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 20:22, on 5/18/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\System32\TUProgSt.exe
C:\Program Files\ClocX\ClocX.exe
C:\Program Files\Eset\nod32kui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\RocketDock\RocketDock.exe
C:\Program Files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\SpeedFan\speedfan.exe
C:\Documents and Settings\PST\Desktop\mixer.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\ALCATech\BPM-Studio Profi\BPM.exe
C:\Program Files\Opera\opera.exe
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Documents and Settings\PST\Desktop\New Folder\FG5.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ba/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O4 - HKLM\..\Run: [ClocX] C:\Program Files\ClocX\ClocX.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [RocketDock] "C:\Program Files\RocketDock\RocketDock.exe"
O4 - Startup: Cyber-shot Viewer Media Check Tool.lnk = C:\Program Files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O17 - HKLM\System\CCS\Services\Tcpip\..\{81D323A9-3773-4DF3-972D-1E5BD598DEAB}: NameServer = 62.68.96.2
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SmartLinkService (SLService) - Smart Link - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: TuneUp Drive Defrag Service (TuneUp.Defrag) - TuneUp Software - C:\WINDOWS\System32\TuneUpDefragService.exe
O23 - Service: TuneUp Program Statistics Service (TuneUp.ProgramStatisticsSvc) - TuneUp Software - C:\WINDOWS\System32\TUProgSt.exe

--
End of file - 3885 bytes

Addendum: 18 May 2009 20:27

The only thing left, I think, is the disk's icon. It's no longer the original blue one that says WD, but the plain hard disk one, which really annoys me.
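The HijackThis log above is what a helper reads by hand. As an added example that is not part of this thread, here is a small Python triage script that parses the Running processes, O4 and O23 lines and points out binaries that run from somewhere other than Windows or Program Files (as the two Desktop executables in this log do); the sample lines are copied from the log, and the list of trusted prefixes is an assumption made for the example.

```python
import re

# Constructed sample: lines copied from the HijackThis log posted in this thread.
SAMPLE_LOG = r"""Running processes:
C:\Program Files\Eset\nod32krn.exe
C:\Documents and Settings\PST\Desktop\mixer.exe
C:\Documents and Settings\PST\Desktop\New Folder\FG5.exe

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
"""

# Assumed: where services/autostarts live on a clean XP box; anything elsewhere gets a question.
TRUSTED_PREFIXES = ("c:\\windows\\", "c:\\program files\\")
O4_RE = re.compile(r"^O4 - .+?: \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
O23_RE = re.compile(r"^O23 - Service: (?P<name>.+?) - .+? - (?P<path>.+)$")

def binary_from_command(cmd):
    """Executable behind an O4 command line: handles quotes, rundll32 and %systemroot%."""
    cmd = cmd.strip().replace("%systemroot%", "C:\\WINDOWS").replace("%windir%", "C:\\WINDOWS")
    if cmd.startswith('"'):                       # quoted path, arguments follow the quote
        return cmd[1:cmd.index('"', 1)]
    m = re.match(r"(?i)(.*?\.(?:exe|dll|sys|scr|com))(?:,|\s|$)", cmd)
    path = m.group(1) if m else cmd.split()[0]    # no extension: take the first token
    if path.lower().endswith("rundll32.exe"):     # the loaded DLL is the real payload
        return binary_from_command(cmd[len(path):])
    return path

def triage(log_text):
    """(section, name, path, needs_review) for every process, O4 and O23 entry."""
    findings, in_procs = [], False
    for line in log_text.splitlines():
        if line.startswith("Running processes:"):
            in_procs = True
        elif in_procs:
            in_procs = bool(line.strip())         # a blank line ends the process list
            if in_procs:
                findings.append(("process", line.rsplit("\\", 1)[-1], line))
        else:
            m = O4_RE.match(line) or O23_RE.match(line)
            if m and "cmd" in m.groupdict():
                findings.append(("autostart", m.group("name"), binary_from_command(m.group("cmd"))))
            elif m:
                findings.append(("service", m.group("name"), m.group("path")))
    return [(s, n, p, not p.lower().startswith(TRUSTED_PREFIXES)) for s, n, p in findings]

def needs_review(log_text):
    return [path for _, _, path, flag in triage(log_text) if flag]
```

A flagged path only means "ask what this is"; on this log both hits are files the user placed on the Desktop himself.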

offline
  • helen1  Male
  • Anti Malware Fighter
    Rank 2
  • Master teacher
  • Joined: 27 Aug 2005
  • Posts: 8617
  • Location: Novi Beograd

Hi,

Download sUBs' ComboFix from one of the following addresses to the Desktop:


Bleeping Computer . . . . . Geeks to Go!
Right-click one of the links and choose Save Target As... (Save As..., Save Linked Content As... or similar);
When the dialog for choosing the save location opens, select Desktop and click Save.




When the download is finished:
close running programs;
disable your security software (instructions);
double-click to run ComboFix.

While running, ComboFix will:
check whether a newer version of the program exists:
click Yes if offered to download it.
display the DISCLAIMER OF WARRANTY ON SOFTWARE:
click Yes so the process continues.
if the Recovery Console is not installed, offer to install it:
accept by clicking Yes and follow the procedure.
ask a number of questions / show a number of notices:
accept by clicking Yes or OK.
restart Windows if needed (possibly several times);
at the end, open Notepad with the scan report.


Copy the report ComboFix produced into the forum thread:
right-click in the Notepad window and choose Select All;
right-click the selected text and choose Copy;
right-click in the message box and choose Paste.


Note: The report will be saved as ComboFix.txt on the system partition (typical location: C:\ComboFix.txt);
If after posting you notice the report is incomplete, use the Attach file option to attach C:\ComboFix.txt to the message.

offline
  • Joined: 20 Mar 2009
  • Posts: 300
  • Location: Republic Of Srpska Banjaluka

Just to note that the external hard disk was not connected during the scan!! And that I'm off to the night shift right now, until six in the morning.
Here's the CF log:
ComboFix 09-05-17.08 - PST 05/18/2009 20:52.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1535.1089 [GMT 2:00]
Running from: c:\documents and settings\PST\Desktop\ComboFix.exe
AV: ESET NOD32 antivirus system 2.70 *On-access scanning disabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\Fonts\#aaifnt.ttf

.
((((((((((((((((((((((((( Files Created from 2009-04-18 to 2009-05-18 )))))))))))))))))))))))))))))))
.

2009-05-15 13:41 . 2009-05-15 13:41 -------- d-----w c:\program files\RocketDock
2009-05-01 19:29 . 2009-05-01 21:21 -------- d-----w c:\documents and settings\PST\Application Data\Steinberg
2009-05-01 19:27 . 2000-05-12 12:48 8768 ----a-w c:\windows\system32\drivers\asapi.sys
2009-05-01 19:26 . 2000-09-07 12:06 1441792 ----a-w c:\windows\system32\nspw7.dll
2009-05-01 19:26 . 2000-09-07 12:05 1306624 ----a-w c:\windows\system32\nsppx.dll
2009-05-01 19:26 . 2000-09-07 12:06 1318912 ----a-w c:\windows\system32\nspp6.dll
2009-05-01 19:26 . 2000-09-07 12:06 1404928 ----a-w c:\windows\system32\nspm6.dll
2009-05-01 19:26 . 2000-09-07 12:06 1335296 ----a-w c:\windows\system32\nspm5.dll
2009-05-01 19:26 . 2000-09-07 12:06 1429504 ----a-w c:\windows\system32\nspa6.dll
2009-05-01 19:26 . 2000-09-07 12:04 114688 ----a-w c:\windows\system32\nsp.dll
2009-05-01 19:26 . 2009-05-01 19:27 -------- d-----w c:\program files\Steinberg

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-05-18 14:19 . 2009-01-30 16:57 -------- d-----w c:\program files\SpeedFan
2009-04-07 17:33 . 2008-09-22 20:33 -------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-04-06 13:32 . 2008-09-22 20:33 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-06 13:32 . 2008-09-22 20:33 15504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-03-28 20:08 . 2009-03-28 20:08 -------- d-----w c:\program files\Auslogics
2009-03-25 05:38 . 2009-03-25 05:38 603904 ----a-w c:\windows\system32\TUProgSt.exe
2009-03-25 05:37 . 2009-03-25 05:37 362240 ----a-w c:\windows\system32\TuneUpDefragService.exe
2009-03-25 05:37 . 2009-03-25 05:37 -------- d-----w c:\program files\TuneUp Utilities 2009
2009-03-20 17:16 . 2005-06-07 10:10 12524 --sha-w c:\windows\system32\KGyGaAvL.sys
2009-03-11 18:20 . 2009-03-11 18:20 299392 ----a-w c:\windows\system32\imon.dll
2009-03-11 18:19 . 2009-03-11 18:20 512096 ----a-w c:\windows\system32\drivers\amon.sys
2009-03-11 18:19 . 2009-03-11 18:20 15424 ----a-w c:\windows\system32\drivers\nod32drv.sys
2009-03-11 18:08 . 2008-12-15 21:01 87 ----a-w c:\windows\system32\EpfwUser.dat
2009-02-28 01:50 . 2008-04-27 12:50 56416 ----a-w c:\documents and settings\PST\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-02-26 19:40 . 2007-06-27 19:03 40 ----a-w c:\windows\popcinfo.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-03 15360]
"RocketDock"="c:\program files\RocketDock\RocketDock.exe" [2007-09-02 495616]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ClocX"="c:\program files\ClocX\ClocX.exe" [2005-01-26 270336]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-10-22 7700480]
"nod32kui"="c:\program files\Eset\nod32kui.exe" [2009-03-11 950664]

c:\documents and settings\PST\Start Menu\Programs\Startup\
Cyber-shot Viewer Media Check Tool.lnk - c:\program files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe [2007-1-18 155648]

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32
"wave"= serwvdrv.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Native Instruments\\Traktor DJ Studio 2\\TraktorDJStudio2.exe"=
"c:\\Program Files\\Nero\\Nero 7\\Nero Home\\NeroHome.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Opera\\opera.exe"=
"c:\\Documents and Settings\\PST\\Desktop\\Skype.exe"=

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [1/21/2009 10:09 PM 64160]
R0 viasraid;viasraid;c:\windows\system32\drivers\viasraid.sys [5/31/2005 2:21 PM 77056]
R1 nod32drv;nod32drv;c:\windows\system32\drivers\nod32drv.sys [3/11/2009 8:20 PM 15424]
R2 Asapi;Asapi;c:\windows\system32\drivers\asapi.sys [5/1/2009 9:27 PM 8768]
R2 MarxDev1;MarxDev1;c:\windows\system32\drivers\MARXDEV1.SYS [6/1/2005 6:52 PM 8864]
R2 MarxDev2;MarxDev2;c:\windows\system32\drivers\MARXDEV2.SYS [6/1/2005 6:52 PM 8864]
R2 MarxDev3;MarxDev3;c:\windows\system32\drivers\MARXDEV3.SYS [6/1/2005 6:52 PM 8864]
R2 TuneUp.ProgramStatisticsSvc;TuneUp Program Statistics Service;c:\windows\system32\TUProgSt.exe [3/25/2009 7:38 AM 603904]
S2 Tdlpt;Tdlpt;c:\windows\system32\drivers\TDLPT.SYS [6/1/2005 6:52 PM 8012]
S3 usb2vcom;USB Data Cable;c:\windows\system32\drivers\usb2vcom.sys [5/16/2006 6:44 PM 29152]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp
.
Contents of the 'Scheduled Tasks' folder

2009-05-18 c:\windows\Tasks\1-Click Maintenance.job
- c:\program files\TuneUp Utilities 2009\OneClickStarter.exe [2008-11-20 15:28]
.
- - - - ORPHANS REMOVED - - - -

Notify-dimsntfy - (no file)


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.ba/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Connection Wizard,ShellNext = iexplore
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
LSP: c:\windows\system32\imon.dll
TCP: {81D323A9-3773-4DF3-972D-1E5BD598DEAB} = 62.68.96.2
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-05-18 21:01
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{BEB3C0C7-B648-4257-96D9-B5D024816E27}\Version*Version]
"Version"=hex:08,ba,fd,b4,13,86,b8,1d,30,a4,bc,0b,43,49,74,77,5c,91,08,35,d9,
ae,9c,55,6a,f3,5b,93,fd,14,49,29,5e,73,be,2f,17,29,64,ab,8a,f8,b5,2f,00,6e,\

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Installer\UserData\LocalSystem\Components\•€|ÿÿÿÿ"•€|ù•Ôw*]
"5E7CEC10DF0760D4F8DAFB12FDC06CCD"=""
"AB141C35E9F4BF344B9FC010BB17F68A"=""

[HKEY_LOCAL_MACHINE\software\Minnetonka Audio Software\SurCode Dolby Digital Premiere\Version*Version]
"Version"=hex:08,ba,fd,b4,13,86,b8,1d,30,a4,bc,0b,43,49,74,77,5c,91,08,35,d9,
ae,9c,55,6a,f3,5b,93,fd,14,49,29,5e,73,be,2f,17,29,64,ab,8a,f8,b5,2f,00,6e,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'lsass.exe'(688-)
c:\windows\system32\imon.dll

- - - - - - - > 'explorer.exe'(3456)
c:\program files\RocketDock\RocketDock.dll
c:\windows\system32\msi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\ESET\nod32krn.exe
c:\windows\system32\nvsvc32.exe
c:\windows\system32\wdfmgr.exe
.
**************************************************************************
.
Completion time: 2009-05-18 21:05 - machine was rebooted
ComboFix-quarantined-files.txt 2009-05-18 19:05

Pre-Run: 7,222,034,432 bytes free
Post-Run: 7,119,761,408 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect


offline
  • helen1  Male
  • Anti Malware Fighter
    Rank 2
  • Master teacher
  • Joined: 27 Aug 2005
  • Posts: 8617
  • Location: Novi Beograd

I don't see anything suspicious.


ComboFix needs to be uninstalled:
click Start (or ), then RUN.

On Vista, use the Start Search field if Run is not available.

In the text entry line, type (or paste) the following:

combofix /u

Note that there is a space between "ComboFix" and "/u".



then click OK (or press Enter).


Wait for the uninstall process to finish.

offline
  • Joined: 20 Mar 2009
  • Posts: 300
  • Location: Republic Of Srpska Banjaluka

OK helen1,
What confused me was that NOD reported it couldn't delete the infection, but it seems it did the job anyway.
Regards and thanks
