[bobby] Computer restarts by itself

  • Joined: 10 Oct 2008
  • Posts: 38
  • Location: Rijeka

Good day!
I need some advice about my friend's computer.
As soon as we try to open any program, or install one (HijackThis or similar), the computer immediately restarts by itself. Whether Windows boots normally or in Safe Mode.
Otherwise, the computer is not connected to the internet (at all) and data is put on it exclusively via USB.
Does anyone have any idea what this is about (a virus?) and how it got onto the computer, for future reference?
Can a virus get onto a computer from a CD (if a reinstall is needed, can the data currently on the computer be safely saved to a CD?).
Many thanks and kind regards!

Update: 24 Jan 2009 17:56

Here is the ComboFix log as well. That was the only thing we managed to install.

ComboFix 09-01-21.04 - TINA 2009-01-24 17:40:32.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1250.1.1033.18.191.37 [GMT 1:00]
Running from: E:\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\NetworkService\Local Settings\Application Data\inetinfo.exe
c:\documents and settings\NetworkService\Local Settings\Application Data\lsass.exe
c:\documents and settings\NetworkService\Local Settings\Application Data\services.exe
c:\documents and settings\NetworkService\Local Settings\Application Data\winlogon.exe
c:\documents and settings\TINA\Local Settings\Application Data\inetinfo.exe
c:\documents and settings\TINA\Local Settings\Application Data\lsass.exe
c:\documents and settings\TINA\Local Settings\Application Data\services.exe
c:\documents and settings\TINA\Local Settings\Application Data\winlogon.exe
c:\documents and settings\TINA\ravmonlog
c:\recycler\S-1-5-21-1482476501-1644491937-682003330-1013
c:\recycler\S-1-5-21-1482476501-1644491937-682003330-1013\Desktop.ini
c:\recycler\S-1-5-21-1482476501-1644491937-682003330-1013\exe32.exe
c:\windows\knight.exe
c:\windows\recover.reg
E:\autorun.inf

.
((((((((((((((((((((((((( Files Created from 2008-12-24 to 2009-01-24 )))))))))))))))))))))))))))))))
.

2009-01-23 15:49 . 2009-01-23 15:49 <DIR> d-------- c:\windows\system32\LogFiles
2009-01-23 15:18 . 2003-06-25 16:05 266,360 --a------ c:\windows\system32\TweakUI.exe
2009-01-23 15:18 . 2002-06-21 15:09 160,217 --a------ c:\windows\system32\PowerToysLicense.rtf
2009-01-23 14:30 . 2009-01-23 14:30 <DIR> d-------- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-01-23 14:08 . 2009-01-23 14:08 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2009-01-23 14:08 . 2009-01-23 14:08 <DIR> d-------- c:\documents and settings\TINA\Application Data\Malwarebytes
2009-01-23 14:08 . 2009-01-23 14:08 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-01-23 14:08 . 2009-01-14 16:11 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2009-01-23 14:08 . 2009-01-14 16:11 15,504 --a------ c:\windows\system32\drivers\mbam.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-17 07:09 42,713 ---h--w c:\windows\eksplorasi.exe
2009-01-17 07:09 42,713 ----a-w c:\windows\system32\TINA's Setting.scr
2009-01-17 07:09 42,713 ----a-w c:\windows\system32\System's Setting.scr
2009-01-17 07:09 42,713 ----a-w C:\Brengkolang.com
2009-01-09 18:18 --------- d-----w c:\program files\Microsoft Picture It! 10
2008-10-04 18:08 50,248 ----a-w c:\documents and settings\TINA\Application Data\GDIPFONTCACHEV1.DAT
.

------- Sigcheck -------

2004-08-04 08:56 666624 aa91579c55b499080a90b6b3fe28a32a c:\windows\system32\wininet.dll
2004-08-04 08:56 666624 aa91579c55b499080a90b6b3fe28a32a c:\windows\system32\dllcache\wininet.dll
2004-08-04 08:56 656384 c0823fc5469663ba63e7db88f9919d70 c:\windows\XPize\Backup\wininet.dll

2004-08-04 08:56 949760 9d0ea3c6eac49b36e329527ec25b748c c:\windows\explorer.exe
2004-08-04 08:56 949760 9d0ea3c6eac49b36e329527ec25b748c c:\windows\system32\dllcache\explorer.exe
2004-08-04 08:56 1032192 a0732187050030ae399b241436565e64 c:\windows\XPize\Backup\explorer.exe

2004-08-04 08:56 30208 de8fa9cf18f95341079c7e6a215c226a c:\windows\system32\ctfmon.exe
2004-08-04 08:56 30208 de8fa9cf18f95341079c7e6a215c226a c:\windows\system32\dllcache\ctfmon.exe
2004-08-04 08:56 15360 24232996a38c0b0cf151c2140ae29fc8 c:\windows\XPize\Backup\ctfmon.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2004-08-04 30208]
"TaskSwitchXP"="c:\program files\TaskSwitchXP\TaskSwitchXP.exe" [2005-08-24 61952]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-08-04 1667584]
"Tok-Cirrhatus"="c:\documents and settings\TINA\Local Settings\Application Data\smss.exe" [2009-01-17 42713]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2005-10-23 98394]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2005-10-23 688218]
"STDSB"="c:\windows\system32\drivers\STDSB.exe" [2005-10-23 28672]
"Icon"="c:\windows\system32\drivers\Icon.exe" [2005-10-23 221184]
"WinampAgent"="c:\program files\Winamp\Winampa.exe" [2002-04-26 12288]
"NeroCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-07-22 116040]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-05-27 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-07-30 289064]
"Bron-Spizaetus"="c:\windows\ShellNew\sempalong.exe" [2009-01-17 42713]
"SoundMan"="SOUNDMAN.EXE" [2005-10-23 c:\windows\SOUNDMAN.EXE]
"VTTimer"="VTTimer.exe" [2005-10-23 c:\windows\system32\VTTimer.exe]
"VTTrayp"="VTtrayp.exe" [2005-10-23 c:\windows\system32\VTTrayp.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-04 30208]
"Tok-Cirrhatus"="c:\documents and settings\NetworkService\Local Settings\Application Data\smss.exe" [2009-01-17 42713]

c:\documents and settings\NetworkService\Start Menu\Programs\Startup\
Empty.pif [2009-01-17 42713]

c:\documents and settings\TINA\Start Menu\Programs\Startup\
Empty.pif [2009-01-17 42713]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-02-13 83360]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"= 1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoFolderOptions"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Shell"="Explorer.exe \"c:\windows\eksplorasi.exe\""
"UIHost"=hex(2):58,50,69,7a,65,5f,4c,6f,67,6f,6e,2e,65,78,65,00

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.I420"= i263_32.drv
"vidc.3ivx"= 3ivxVfWCodec.dll
"vidc.3iv2"= 3ivxVfWCodec.dll
"msacm.divxa32"= divxa32.acm
"VIDC.HFYU"= huffyuv.dll
"VIDC.i263"= i263_32.drv
"msacm.imc"= imc32.acm
"VIDC.VP31"= vp31vfw.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 nwprovau

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"18429:TCP"= 18429:TCP:NortonAV
"17195:TCP"= 17195:TCP:NortonAV
"12450:TCP"= 12450:TCP:NortonAV
"13427:TCP"= 13427:TCP:NortonAV
"16628:TCP"= 16628:TCP:NortonAV
"17526:TCP"= 17526:TCP:NortonAV
"12383:TCP"= 12383:TCP:NortonAV
"13085:TCP"= 13085:TCP:NortonAV
"17338:TCP"= 17338:TCP:NortonAV
"18218:TCP"= 18218:TCP:NortonAV
"16765:TCP"= 16765:TCP:NortonAV
"17297:TCP"= 17297:TCP:NortonAV
"15299:TCP"= 15299:TCP:NortonAV
"14104:TCP"= 14104:TCP:NortonAV
"14352:TCP"= 14352:TCP:NortonAV
"15458:TCP"= 15458:TCP:NortonAV
"15131:TCP"= 15131:TCP:NortonAV
"13528:TCP"= 13528:TCP:NortonAV
"12059:TCP"= 12059:TCP:NortonAV
"12641:TCP"= 12641:TCP:NortonAV
"17607:TCP"= 17607:TCP:NortonAV
"12166:TCP"= 12166:TCP:NortonAV
"15428:TCP"= 15428:TCP:NortonAV
"18121:TCP"= 18121:TCP:NortonAV
"16926:TCP"= 16926:TCP:NortonAV
"12146:TCP"= 12146:TCP:NortonAV
"13985:TCP"= 13985:TCP:NortonAV
"15741:TCP"= 15741:TCP:NortonAV
"13931:TCP"= 13931:TCP:NortonAV
"14787:TCP"= 14787:TCP:NortonAV
"14468:TCP"= 14468:TCP:NortonAV
"15177:TCP"= 15177:TCP:NortonAV

R4 MTC0007_STDSB;Scroll Bar Driver;c:\windows\system32\drivers\STDSB.sys [2008-03-22 11279]
S4 STDSB;STDSB;c:\windows\system32\drivers\STDSB.sys [2008-03-22 11279]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{13773185-fdbb-11dc-94fa-0011f592c8ec}]
\Shell\auto\command - F:\Knight.exe open
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Knight.exe open
\Shell\explore\command - F:\Knight.exe open
\Shell\find\command - F:\Knight.exe open
\Shell\install\command - F:\Knight.exe open
\Shell\open\command - F:\Knight.exe open

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1902702a-f823-11dc-94f5-0011f592c8ec}]
\Shell\auto\command - E:\Knight.exe open
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Knight.exe open
\Shell\explore\command - E:\Knight.exe open
\Shell\find\command - E:\Knight.exe open
\Shell\install\command - E:\Knight.exe open
\Shell\open\command - E:\Knight.exe open

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c7f446a5-a6bd-11dd-954c-0011f592c8ec}]
\Shell\auto\command - E:\Knight.exe open
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Knight.exe open
\Shell\explore\command - E:\Knight.exe open
\Shell\find\command - E:\Knight.exe open
\Shell\install\command - E:\Knight.exe open
\Shell\open\command - E:\Knight.exe open
.
Contents of the 'Scheduled Tasks' folder

2009-01-24 c:\windows\Tasks\At1.job
- c:\documents and settings\TINA\Templates\Brengkolang.com [2009-01-17 08:09]
.
.
------- Supplementary Scan -------
.
uInternet Connection Wizard,ShellNext = hxxp://www.cyberlink.com.tw/registration/registration1.asp?SoftWare=POWERDVD&Version_Num=2.55&Cd_Key=DV3734599EF37520&Company=t&FName=TINA&Lang=Enu
uInternet Settings,ProxyOverride = *.local
IE: I&zvoz u Microsoft Excel - c:\progra~1\MICROS~3\Office10\EXCEL.EXE/3000
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, gmer.net
Rootkit scan 2009-01-24 17:45:20
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(716)
c:\windows\system32\cscui.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\system32\slmdmsr.exe
c:\program files\iPod\bin\iPodService.exe
c:\qoobox\Quarantine\C\Documents and Settings\TINA\Local Settings\Application Data\winlogon.exe.vir.lnk
c:\qoobox\Quarantine\C\Documents and Settings\TINA\Local Settings\Application Data\services.exe.virbf-11d0-94f2-00a0c91efb8b}
c:\qoobox\Quarantine\C\Documents and Settings\TINA\Local Settings\Application Data\lsass.exe.virFiles\Content.IE5\desktop.ini
.
**************************************************************************
.
Completion time: 2009-01-24 17:48:53 - machine was rebooted
ComboFix-quarantined-files.txt 2009-01-24 16:48:47

Pre-Run: 32.603.955.200 bytes free
Post-Run: 32,609,165,312 bytes free


  • Joined: 04 Sep 2003
  • Posts: 24135
  • Location: Wien

Uh, uh, uh.

It will take me 5-10 minutes to prepare a ComboFix script for you.
This computer was infected precisely through USB sticks.

  • Joined: 04 Sep 2003
  • Posts: 24135
  • Location: Wien

Download and run the following program:
http://amf.mycity.rs/personal/dr_Bora/Win32.Rjump_Port_Exception_Cleaner.exe

=================================

Open Notepad and copy the following text into it:

File::
c:\windows\system32\TINA's Setting.scr
c:\windows\system32\System's Setting.scr
C:\Brengkolang.com
c:\documents and settings\TINA\Local Settings\Application Data\smss.exe
c:\windows\ShellNew\sempalong.exe
c:\documents and settings\NetworkService\Start Menu\Programs\Startup\Empty.pif
c:\documents and settings\TINA\Start Menu\Programs\Startup\Empty.pif
c:\windows\eksplorasi.exe
c:\windows\Tasks\At1.job
c:\documents and settings\TINA\Templates\Brengkolang.com

Registry::
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Tok-Cirrhatus"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Bron-Spizaetus"=-
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Tok-Cirrhatus"=-
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"= 0
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoFolderOptions"= 0
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Shell"="Explorer.exe"

Save the file from Notepad to the Desktop as "CFScript".

Drag the saved script/text onto the ComboFix icon as shown in the picture.
In your next message, post the log that will be created at the end of the cleaning/scanning.

================================

- Download USBNoRisk to the Desktop and run it by double-clicking the program's icon.
- Wait a few seconds while the program performs its initial scan.
- Insert all USB storage devices one at a time into the USB slot and keep each one in the slot for 10 seconds.
- If you have several devices to check, write down on a piece of paper the order in which they were inserted, because we will need that information later.
- When you have finished with all the devices, right-click in the middle of the program window and choose the Save log option. That will automatically open the log in Notepad. Copy that log from Notepad to the forum for us.

Explanation: USB storage devices are all those devices that get their own drive letter when connected to the computer. These include USB flash drives, external hard disks, memory cards, MP3 and MP4 players, some mobile phones, some GPS (navigation) devices, etc.
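As an added example (not from this thread, and not ComboFix's own logic), a small Python triage that applies the reasoning behind the CFScript above to the "Reg Loading Points" section of the posted log: it flags Run entries that live in user-writable folders or borrow the name of a core system binary, the lockdown policies, and the chained winlogon Shell value, then emits the matching CFScript Registry:: block. The log excerpt is constructed from the post above; the heuristics are assumptions chosen for this log.

```python
import re

# Constructed excerpt of the "Reg Loading Points" section of the ComboFix log posted above.
SAMPLE_LOG = r'''
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2004-08-04 30208]
"Tok-Cirrhatus"="c:\documents and settings\TINA\Local Settings\Application Data\smss.exe" [2009-01-17 42713]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Bron-Spizaetus"="c:\windows\ShellNew\sempalong.exe" [2009-01-17 42713]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"= 1 (0x1)
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Shell"="Explorer.exe \"c:\windows\eksplorasi.exe\""
'''
SYSTEM_NAMES = {"smss.exe", "lsass.exe", "services.exe", "winlogon.exe", "csrss.exe"}  # belong in system32 only
USER_WRITABLE = ("local settings\\application data", "\\shellnew\\", "\\templates\\")  # odd homes for an autostart
LOCKDOWN_POLICIES = {"disableregistrytools", "nofolderoptions"}  # the user-hostile policies seen in this log
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"\s*=\s*(?P<data>.*)$')

def triage(log_text):
    """Return (registry key, value name, reason) for each suspicious loading point."""
    findings, key = [], None
    for line in log_text.splitlines():
        if line.startswith("["):          # a new registry key header
            key = line.strip("[]")
            continue
        m = VALUE_RE.match(line.strip())
        if not key or not m:
            continue
        name, data = m["name"], m["data"].strip()
        path = data.split('"')[1].lower() if data.startswith('"') else data.lower()
        if key.lower().endswith("\\run"):
            if any(d in path for d in USER_WRITABLE):
                findings.append((key, name, "autostart points into a user-writable folder"))
            elif path.rsplit("\\", 1)[-1] in SYSTEM_NAMES and "\\windows\\system32\\" not in path:
                findings.append((key, name, "core system binary name outside system32"))
        elif name.lower() in LOCKDOWN_POLICIES and data.startswith("1"):
            findings.append((key, name, "lockdown policy set (blocks regedit / folder options)"))
        elif name.lower() == "shell" and data.strip('"').lower() != "explorer.exe":
            findings.append((key, name, "winlogon Shell chains an extra binary after Explorer"))
    return findings

def to_cfscript_registry(findings):
    # Registry:: block in the CFScript form used above: '=-' deletes a Run value,
    # Shell is reset to Explorer.exe and lockdown policies are cleared to 0.
    out = ["Registry::"]
    for key, name, _ in findings:
        fix = "-" if key.lower().endswith("\\run") else '"Explorer.exe"' if name.lower() == "shell" else "0"
        out += [f"[{key}]", f'"{name}"={fix}']
    return "\n".join(out)
```

Running `to_cfscript_registry(triage(SAMPLE_LOG))` reproduces the Registry:: part of the script above; the legitimate CTFMON entry is left alone.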

  • Joined: 10 Oct 2008
  • Posts: 38
  • Location: Rijeka

Uh... We can't even run the first program. A window pops up saying that changing anything in the registry is disabled.
With the CFScript we did what it says, but no log appeared. Is that OK?
How do we set "editing, repairing" of the registry to "Enable"?

THANK YOU VERY MUCH!

Update: 24 Jan 2009 19:24

Actually, it no longer runs ComboFix at all either. That's why there's no log... And that's why there are no changes.
What now?

  • Joined: 04 Sep 2003
  • Posts: 24135
  • Location: Wien

Download ComboFix from here:
http://amf.mycity.rs/programs/mirrored/C-F.exe

Then do what I described in the previous message.
