[bobby] Brontok virus and trojans


offline
  • Joined: 01 Apr 2008
  • Posts: 123

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 15:42:57, on 25/11/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
c:\program files\common files\logitech\lvmvfm\LVPrcSrv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Common Files\Logitech\LComMgr\Communications_Helper.exe
C:\Program Files\Logitech\QuickCam10\QuickCam10.exe
C:\WINDOWS\AdobeR.exe
C:\Program Files\Common Files\ACD Systems\EN\DevDetect.exe
C:\Program Files\VVSN\VVSN.exe
C:\WINDOWS\Knight.exe
C:\WINDOWS\TEMP\WUUR1.exe
C:\WINDOWS\Windows Explorer.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\New Folder.exe
C:\Documents and Settings\MiliMare\Start Menu\Programs\Startup\New Folder.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
C:\Program Files\Common Files\Logitech\LComMgr\LVComSX.exe
C:\Documents and Settings\MiliMare\Application Data\explorer.exe
C:\Documents and Settings\MiliMare\Application Data\explorer.exe
C:\Documents and Settings\MiliMare\Local Settings\Application Data\lsass.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\Documents and Settings\MiliMare\Local Settings\Application Data\lsass.exe
C:\Documents and Settings\MiliMare\Local Settings\Application Data\winlogon.exe
C:\Documents and Settings\MiliMare\Local Settings\Application Data\services.exe
C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe
C:\Documents and Settings\MiliMare\Local Settings\Application Data\lsass.exe
D:\Documents and Settings\detektiv.exe
C:\WINDOWS\system32\logonui.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = red.clientapps.yahoo.com/customize/ptec/defaults/sb/*http://www.yahoo.com/search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = red.clientapps.yahoo.com/customize/ptec/defaults/sp/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = red.clientapps.yahoo.com/customize/ptec/defaults/su/*http://www.yahoo.com
F2 - REG:system.ini: Shell=Explorer.exe "C:\WINDOWS\KesenjanganSosial.exe"
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\ycomp5_6_2_0.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll (file missing)
O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL (file missing)
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\ycomp5_6_2_0.dll
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL (file missing)
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [StartCCC] C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [LogitechCommunicationsManager] "C:\Program Files\Common Files\Logitech\LComMgr\Communications_Helper.exe"
O4 - HKLM\..\Run: [LogitechQuickCamRibbon] "C:\Program Files\Logitech\QuickCam10\QuickCam10.exe" /hide
O4 - HKLM\..\Run: [RavAV] C:\WINDOWS\AdobeR.exe
O4 - HKLM\..\Run: [Device Detector] DevDetect.exe -autorun
O4 - HKLM\..\Run: [DaemonTools_WhenUSave_Installer] C:\Program Files\DaemonTools_WhenUSave_Installer\DaemonTools_WhenUSave_Installer.exe
O4 - HKLM\..\Run: [VVSN] C:\Program Files\VVSN\VVSN.exe
O4 - HKLM\..\Run: [Disk Knight] C:\WINDOWS\Knight.exe
O4 - HKLM\..\Run: [Bron-Spizaetus] "C:\WINDOWS\ShellNew\RakyatKelaparan.exe"
O4 - HKLM\..\Run: [RavTimeXP] C:\WINDOWS\TEMP\WUUR1.exe
O4 - HKLM\..\Run: [Explorer] C:\WINDOWS\Windows Explorer.exe
O4 - HKLM\..\Run: [Easy-PrintToolBox] C:\Program Files\Canon\Easy-PrintToolBox\BJPSMAIN.EXE /logon
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [NBJ] "C:\PROGRA~1\Ahead\NEROBA~1\NBJ.exe"
O4 - HKCU\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKCU\..\Run: [Tok-Cirrhatus-2883] "C:\Documents and Settings\MiliMare\Local Settings\Application Data\br6789on.exe"
O4 - HKCU\..\Run: [amva] C:\WINDOWS\system32\amvo.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe (User 'Default user')
O4 - S-1-5-20 Startup: Empty.pif = ? (User 'NETWORK SERVICE')
O4 - S-1-5-18 Startup: Empty.pif = ? (User 'SYSTEM')
O4 - S-1-5-18 Startup: New Folder.exe (User 'SYSTEM')
O4 - S-1-5-18 Startup: PowerReg Scheduler V3.exe (User 'SYSTEM')
O4 - S-1-5-18 Startup: Startup.exe (User 'SYSTEM')
O4 - S-1-5-18 Startup: windows.pif = ? (User 'SYSTEM')
O4 - .DEFAULT Startup: Empty.pif = ? (User 'Default user')
O4 - .DEFAULT Startup: New Folder.exe (User 'Default user')
O4 - .DEFAULT Startup: PowerReg Scheduler V3.exe (User 'Default user')
O4 - .DEFAULT Startup: Startup.exe (User 'Default user')
O4 - .DEFAULT Startup: windows.pif = ? (User 'Default user')
O4 - Startup: Empty.pif = ?
O4 - Startup: New Folder.exe
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Startup: Startup.exe
O4 - Startup: windows.pif = ?
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O4 - Global Startup: Empty.pif = ?
O4 - Global Startup: New Folder.exe
O4 - Global Startup: Startup.exe
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - c:\program files\common files\logitech\lvmvfm\LVPrcSrv.exe
O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Program Files\Common Files\Logitech\SrvLnch\SrvLnch.exe

--
End of file - 8611 bytes
Here is the scan report. The Brontok virus, when the system boots, automatically opens three My Documents folders, restarts the computer all of a sudden, and sometimes opens a page in IE that says brontok with a green background. When I started scanning with HijackThis it restarted the computer right away, so I don't know whether the scan is complete. The computer has no internet connection and no protection at all, because today I couldn't install the free AVG, it kept reporting an error.
I'm asking for help with the next steps. Thanks

offline
  • Joined: 04 Sep 2003
  • Posts: 24135
  • Location: Wien

Download ComboFix from one of the following addresses to the Desktop:
http://download.bleepingcomputer.com/sUBs/ComboFix.exe
http://www.forospyware.com/sUBs/ComboFix.exe
http://subs.geekstogo.com/ComboFix.exe

Run it and don't touch the program window while it scans.
Follow the on-screen instructions. When it finishes, a log will appear (C:\ComboFix.txt), which you will copy here for us.

offline
  • Joined: 01 Apr 2008
  • Posts: 123

Just to reply right away: I'll only be able to post the log tomorrow, because it's my younger brother's computer, it's 1 km away from me and it has no internet.

offline
  • Joined: 04 Sep 2003
  • Posts: 24135
  • Location: Wien

As far as I'm concerned that's not a problem, but it won't be easy, because I believe we won't be able to clean the computer in one attempt. You may have to go over to it several times :(

offline
  • Joined: 01 Apr 2008
  • Posts: 123

I'll have to be persistent, and I hope you who are helping will be patient. The only thing I'm not sure about is whether to bring his computer to my place tomorrow morning, though the two I have in the flat are enough for me; but don't worry, we'll make sure we don't waste time waiting tomorrow. Regards

offline
  • Joined: 04 Sep 2003
  • Posts: 24135
  • Location: Wien

As far as we're concerned, we're here :)
I'm at the computer every evening from about 17:30 until about 22:00

offline
  • Joined: 01 Apr 2008
  • Posts: 123

Unfortunately, I ran the program several times, but the computer restarts and it doesn't manage to create the log (C:\ComboFix.txt).

offline
  • Joined: 04 Sep 2003
  • Posts: 24135
  • Location: Wien

That's bad...

Is that computer at your place now, or do you have to go to your brother's again for the next step?
I'm asking so that I know what to plan and how.

offline
  • Joined: 01 Apr 2008
  • Posts: 123

It isn't, but if you think it's much better that it is, we'll bring it over.
On the other hand, if you know it's going to be "hairy", maybe it's better to wipe the system, because there's almost no significant data or programs on it.

offline
  • Joined: 04 Sep 2003
  • Posts: 24135
  • Location: Wien

I'm always against reinstalling the system, but now, I can't influence your decisions.

Tell me, when did ComboFix restart? At one point it is supposed to restart and continue its work after the restart.

Can you really not find its logs anywhere?
Look in the c:\qoobox and c:\combofix folders to see whether there is anything there. Are there any text (txt) files?

If there's none of that, then run HijackThis again and tick the boxes in front of the following lines:

F2 - REG:system.ini: Shell=Explorer.exe "C:\WINDOWS\KesenjanganSosial.exe"
O4 - HKLM\..\Run: [RavAV] C:\WINDOWS\AdobeR.exe
O4 - HKLM\..\Run: [DaemonTools_WhenUSave_Installer] C:\Program Files\DaemonTools_WhenUSave_Installer\DaemonTools_WhenUSave_Installer.exe
O4 - HKLM\..\Run: [VVSN] C:\Program Files\VVSN\VVSN.exe
O4 - HKLM\..\Run: [Disk Knight] C:\WINDOWS\Knight.exe
O4 - HKLM\..\Run: [Bron-Spizaetus] "C:\WINDOWS\ShellNew\RakyatKelaparan.exe"
O4 - HKLM\..\Run: [RavTimeXP] C:\WINDOWS\TEMP\WUUR1.exe
O4 - HKLM\..\Run: [Explorer] C:\WINDOWS\Windows Explorer.exe
O4 - HKCU\..\Run: [Tok-Cirrhatus-2883] "C:\Documents and Settings\MiliMare\Local Settings\Application Data\br6789on.exe"
O4 - HKCU\..\Run: [amva] C:\WINDOWS\system32\amvo.exe
O4 - S-1-5-20 Startup: Empty.pif = ? (User 'NETWORK SERVICE')
O4 - S-1-5-18 Startup: Empty.pif = ? (User 'SYSTEM')
O4 - S-1-5-18 Startup: New Folder.exe (User 'SYSTEM')
O4 - S-1-5-18 Startup: PowerReg Scheduler V3.exe (User 'SYSTEM')
O4 - S-1-5-18 Startup: Startup.exe (User 'SYSTEM')
O4 - S-1-5-18 Startup: windows.pif = ? (User 'SYSTEM')
O4 - .DEFAULT Startup: Empty.pif = ? (User 'Default user')
O4 - .DEFAULT Startup: New Folder.exe (User 'Default user')
O4 - .DEFAULT Startup: PowerReg Scheduler V3.exe (User 'Default user')
O4 - .DEFAULT Startup: Startup.exe (User 'Default user')
O4 - .DEFAULT Startup: windows.pif = ? (User 'Default user')
O4 - Startup: Empty.pif = ?
O4 - Startup: New Folder.exe
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Startup: Startup.exe
O4 - Startup: windows.pif = ?
O4 - Global Startup: Empty.pif = ?
O4 - Global Startup: New Folder.exe
O4 - Global Startup: Startup.exe
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1

Click Fix checked

After that, immediately restart the computer into Safe Mode according to the following instructions:
http://www.mycity.rs/Uputstva-sa-ex-SuperSajta/Kako-uci-u-SAFE-MODE.html

When you are in Safe Mode, delete the following files:

C:\WINDOWS\svchost.exe
C:\WINDOWS\AdobeR.exe
C:\Program Files\VVSN\VVSN.exe
C:\WINDOWS\Knight.exe
C:\WINDOWS\TEMP\WUUR1.exe
C:\WINDOWS\Windows Explorer.exe
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\New Folder.exe
C:\Documents and Settings\MiliMare\Start Menu\Programs\Startup\New Folder.exe
C:\Documents and Settings\MiliMare\Application Data\explorer.exe
C:\Documents and Settings\MiliMare\Local Settings\Application Data\lsass.exe
C:\Documents and Settings\MiliMare\Local Settings\Application Data\winlogon.exe
C:\Documents and Settings\MiliMare\Local Settings\Application Data\services.exe
C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe
C:\WINDOWS\ShellNew\RakyatKelaparan.exe
C:\WINDOWS\KesenjanganSosial.exe
C:\Documents and Settings\MiliMare\Local Settings\Application Data\br6789on.exe
C:\WINDOWS\system32\amvo.exe

After that, restart the computer again and try to run ComboFix.
It wouldn't be a bad idea to print these instructions, since there are a lot of items.

Update: 26 Nov 2008 18:08

Oh, and if some of those files are not visible, try turning on the display of hidden files according to the following instructions:
http://www.mycity.rs/Uputstva-sa-ex-SuperSajta/Kako-videti-skrivene-fajlove.html

This applies to showing hidden files in Windows Explorer. If you are using some other program, look for an option like Show hidden files and turn it on.
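As an added example for this thread (not code from the original posts, from HijackThis or from ComboFix), the script below applies the same reasoning the helper applied by hand to the log in the first post, and then produces the two halves of the cleanup in the order the helper gave them: registry fixes first (what "Fix checked" does for the O4/F2/O7 lines), then the list of files to delete in Safe Mode. The heuristics, the allow-lists, the function names and the sample lines (copied from the log above and labelled as constructed input) are this example's own assumptions; the `reg` and `del` commands it emits are standard cmd.exe tools on Windows XP and are meant to be reviewed before they are run.

```python
"""Triage a HijackThis-style log and derive a cleanup plan.

Added example for this thread; not part of the original posts, of HijackThis
or of ComboFix. Heuristics, allow-lists and names below are assumptions.
"""
import ntpath
import re

SYSTEM32 = r"c:\windows\system32"
WINDOWS_ROOT = r"c:\windows"
# Binaries that only legitimately run from system32 on Windows XP.
CORE_BINARIES = {"smss.exe", "csrss.exe", "winlogon.exe", "services.exe",
                 "lsass.exe", "svchost.exe", "logonui.exe"}
# Partial allow-list (assumption) of executables that do live directly in C:\WINDOWS.
WINDOWS_ROOT_KNOWN = {"explorer.exe", "regedit.exe", "notepad.exe",
                      "rthdcpl.exe", "alcmtr.exe"}
WRITABLE_MARKERS = ("\\documents and settings\\", "\\temp\\", "\\shellnew\\")
KNOWN_BRONTOK_VALUES = ("bron-spizaetus", "tok-cirrhatus")  # Run value names Brontok uses

RUN_KEY = {"HKLM": r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run",
           "HKCU": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"}
WINLOGON_KEY = r"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon"
POLICY_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System"

O4_RUN = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\Run: \[(.+?)\] (.+)$")
F2_SHELL = re.compile(r"^F2 - REG:system\.ini: Shell=(.+)$")
O7_REGEDIT = re.compile(r"^O7 - .*DisableRegedit=1$")

# Constructed sample: a subset of the log lines posted in the thread.
SAMPLE_LOG = r"""
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\svchost.exe
C:\WINDOWS\AdobeR.exe
C:\WINDOWS\Windows Explorer.exe
C:\Documents and Settings\MiliMare\Local Settings\Application Data\lsass.exe
C:\Program Files\DAEMON Tools\daemon.exe
F2 - REG:system.ini: Shell=Explorer.exe "C:\WINDOWS\KesenjanganSosial.exe"
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Bron-Spizaetus] "C:\WINDOWS\ShellNew\RakyatKelaparan.exe"
O4 - HKLM\..\Run: [RavTimeXP] C:\WINDOWS\TEMP\WUUR1.exe
O4 - HKCU\..\Run: [Tok-Cirrhatus-2883] "C:\Documents and Settings\MiliMare\Local Settings\Application Data\br6789on.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [amva] C:\WINDOWS\system32\amvo.exe
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
"""


def exe_path(command):
    """Executable part of a Run command: the quoted token, else up to the first .exe."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    m = re.match(r"(.+?\.(?:exe|pif|com|scr|bat))(?:\s|$)", command, re.I)
    return m.group(1) if m else command.split()[0]


def path_reasons(path):
    """Why a path looks suspicious; an empty list means no heuristic fired."""
    low = path.lower()
    base, folder = ntpath.basename(low), ntpath.dirname(low)
    reasons = []
    if base in CORE_BINARIES and folder != SYSTEM32:
        reasons.append(f"{base} outside {SYSTEM32}")
    if base == "explorer.exe" and folder != WINDOWS_ROOT:
        reasons.append("explorer.exe outside C:\\WINDOWS")
    if folder == WINDOWS_ROOT and base not in WINDOWS_ROOT_KNOWN:
        reasons.append("unrecognised executable directly in C:\\WINDOWS")
    if any(marker in low for marker in WRITABLE_MARKERS):
        reasons.append("runs from a user-writable or temp location")
    if " " in base:  # "Windows Explorer.exe", "New Folder.exe": names that mimic folders/components
        reasons.append("file name mimics a folder or system component")
    return reasons


def triage(log_text):
    """Return findings: the offending line, the reasons, a file path and/or a registry fix."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        if re.match(r"^[a-zA-Z]:\\", line):  # 'Running processes' section
            reasons = path_reasons(line)
            if reasons:
                findings.append({"line": line, "reasons": reasons, "path": line, "fix": None})
            continue
        m = O4_RUN.match(line)
        if m:
            hive, name, command = m.groups()
            path = exe_path(command)
            reasons = path_reasons(path)
            if name.lower().startswith(KNOWN_BRONTOK_VALUES):
                reasons.append("Run value name used by Brontok")
            if reasons:
                fix = f'reg delete "{RUN_KEY[hive]}" /v "{name}" /f'
                findings.append({"line": line, "reasons": reasons, "path": path, "fix": fix})
            continue
        m = F2_SHELL.match(line)
        if m and m.group(1).strip().lower() != "explorer.exe":
            extra = re.findall(r'"([^"]+)"', m.group(1))  # the hijacker appended after Explorer.exe
            fix = f'reg add "{WINLOGON_KEY}" /v Shell /t REG_SZ /d Explorer.exe /f'
            findings.append({"line": line, "reasons": ["Winlogon Shell hijacked"],
                             "path": extra[0] if extra else None, "fix": fix})
            continue
        if O7_REGEDIT.match(line):
            fix = f'reg add "{POLICY_KEY}" /v DisableRegedit /t REG_DWORD /d 0 /f'
            findings.append({"line": line, "reasons": ["registry editor disabled by policy"],
                             "path": None, "fix": fix})
    return findings


def cleanup_plan(findings):
    """Registry commands first (so nothing relaunches), then files to delete in Safe Mode."""
    reg_cmds = [f["fix"] for f in findings if f["fix"]]
    files = sorted({f["path"] for f in findings if f["path"]}, key=str.lower)
    return reg_cmds + [f'del /f /a "{p}"' for p in files]  # /a: match hidden/system files too


if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    for f in found:
        print(f["line"], "->", "; ".join(f["reasons"]))
    print("\n".join(cleanup_plan(found)))
```

Feed it the whole saved hijackthis.log instead of `SAMPLE_LOG` to get the full plan. Note what the path heuristics do and do not catch: the core-binary and writable-location rules flag the lsass.exe/winlogon.exe/services.exe copies under Application Data and the Shell= hijack, but `C:\WINDOWS\system32\amvo.exe` passes every path check and is only caught by someone who, like the helper, knows the [amva] value name, which is why the generated commands are a starting point for review, not something to run blind.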
