Posted: 25 Nov 2008 18:55
- Joined: 01 Apr 2008
- Posts: 123
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 15:42:57, on 25/11/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
c:\program files\common files\logitech\lvmvfm\LVPrcSrv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Common Files\Logitech\LComMgr\Communications_Helper.exe
C:\Program Files\Logitech\QuickCam10\QuickCam10.exe
C:\WINDOWS\AdobeR.exe
C:\Program Files\Common Files\ACD Systems\EN\DevDetect.exe
C:\Program Files\VVSN\VVSN.exe
C:\WINDOWS\Knight.exe
C:\WINDOWS\TEMP\WUUR1.exe
C:\WINDOWS\Windows Explorer.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\New Folder.exe
C:\Documents and Settings\MiliMare\Start Menu\Programs\Startup\New Folder.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
C:\Program Files\Common Files\Logitech\LComMgr\LVComSX.exe
C:\Documents and Settings\MiliMare\Application Data\explorer.exe
C:\Documents and Settings\MiliMare\Application Data\explorer.exe
C:\Documents and Settings\MiliMare\Local Settings\Application Data\lsass.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\Documents and Settings\MiliMare\Local Settings\Application Data\lsass.exe
C:\Documents and Settings\MiliMare\Local Settings\Application Data\winlogon.exe
C:\Documents and Settings\MiliMare\Local Settings\Application Data\services.exe
C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe
C:\Documents and Settings\MiliMare\Local Settings\Application Data\lsass.exe
D:\Documents and Settings\detektiv.exe
C:\WINDOWS\system32\logonui.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = red.clientapps.yahoo.com/customize/ptec/defaults/sb/*http://www.yahoo.com/search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = red.clientapps.yahoo.com/customize/ptec/defaults/sp/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = red.clientapps.yahoo.com/customize/ptec/defaults/su/*http://www.yahoo.com
F2 - REG:system.ini: Shell=Explorer.exe "C:\WINDOWS\KesenjanganSosial.exe"
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\ycomp5_6_2_0.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll (file missing)
O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL (file missing)
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\ycomp5_6_2_0.dll
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL (file missing)
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [StartCCC] C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [LogitechCommunicationsManager] "C:\Program Files\Common Files\Logitech\LComMgr\Communications_Helper.exe"
O4 - HKLM\..\Run: [LogitechQuickCamRibbon] "C:\Program Files\Logitech\QuickCam10\QuickCam10.exe" /hide
O4 - HKLM\..\Run: [RavAV] C:\WINDOWS\AdobeR.exe
O4 - HKLM\..\Run: [Device Detector] DevDetect.exe -autorun
O4 - HKLM\..\Run: [DaemonTools_WhenUSave_Installer] C:\Program Files\DaemonTools_WhenUSave_Installer\DaemonTools_WhenUSave_Installer.exe
O4 - HKLM\..\Run: [VVSN] C:\Program Files\VVSN\VVSN.exe
O4 - HKLM\..\Run: [Disk Knight] C:\WINDOWS\Knight.exe
O4 - HKLM\..\Run: [Bron-Spizaetus] "C:\WINDOWS\ShellNew\RakyatKelaparan.exe"
O4 - HKLM\..\Run: [RavTimeXP] C:\WINDOWS\TEMP\WUUR1.exe
O4 - HKLM\..\Run: [Explorer] C:\WINDOWS\Windows Explorer.exe
O4 - HKLM\..\Run: [Easy-PrintToolBox] C:\Program Files\Canon\Easy-PrintToolBox\BJPSMAIN.EXE /logon
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [NBJ] "C:\PROGRA~1\Ahead\NEROBA~1\NBJ.exe"
O4 - HKCU\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKCU\..\Run: [Tok-Cirrhatus-2883] "C:\Documents and Settings\MiliMare\Local Settings\Application Data\br6789on.exe"
O4 - HKCU\..\Run: [amva] C:\WINDOWS\system32\amvo.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe (User 'Default user')
O4 - S-1-5-20 Startup: Empty.pif = ? (User 'NETWORK SERVICE')
O4 - S-1-5-18 Startup: Empty.pif = ? (User 'SYSTEM')
O4 - S-1-5-18 Startup: New Folder.exe (User 'SYSTEM')
O4 - S-1-5-18 Startup: PowerReg Scheduler V3.exe (User 'SYSTEM')
O4 - S-1-5-18 Startup: Startup.exe (User 'SYSTEM')
O4 - S-1-5-18 Startup: windows.pif = ? (User 'SYSTEM')
O4 - .DEFAULT Startup: Empty.pif = ? (User 'Default user')
O4 - .DEFAULT Startup: New Folder.exe (User 'Default user')
O4 - .DEFAULT Startup: PowerReg Scheduler V3.exe (User 'Default user')
O4 - .DEFAULT Startup: Startup.exe (User 'Default user')
O4 - .DEFAULT Startup: windows.pif = ? (User 'Default user')
O4 - Startup: Empty.pif = ?
O4 - Startup: New Folder.exe
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Startup: Startup.exe
O4 - Startup: windows.pif = ?
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O4 - Global Startup: Empty.pif = ?
O4 - Global Startup: New Folder.exe
O4 - Global Startup: Startup.exe
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - c:\program files\common files\logitech\lvmvfm\LVPrcSrv.exe
O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Program Files\Common Files\Logitech\SrvLnch\SrvLnch.exe
--
End of file - 8611 bytes
Here is the scan report. Namely, when the system boots, the Brontok virus automatically opens three My Documents folders, restarts the computer out of the blue, and sometimes opens a page in IE that says "brontok" on a green background. When I started scanning with the HijackThis program it restarted the computer right away, so I don't know whether the scan is complete. The computer has no internet connection and no protection at all, because today I couldn't install the free AVG; it kept reporting an error.
I'm asking for help with the next steps. Thanks
Posted: 25 Nov 2008 19:39
- Joined: 01 Apr 2008
- Posts: 123
Just to answer right away: I'll only be able to post the log tomorrow, because it's my younger brother's computer; it is 1 km away from me and has no internet.
Posted: 25 Nov 2008 19:57
- Joined: 01 Apr 2008
- Posts: 123
I'll have to be persistent, and I hope those of you helping will be patient. The only thing I'm not sure about is whether I'll bring his computer over to my place tomorrow morning, although the two I have in the flat are enough for me; but don't worry, we'll make sure not to waste time waiting tomorrow. Regards
Posted: 26 Nov 2008 16:41
- Joined: 01 Apr 2008
- Posts: 123
Unfortunately, I ran the program several times, but the computer restarts and it never manages to create the log (C:\ComboFix.txt).
Posted: 26 Nov 2008 16:44
- bobby
- Administrator
- Joined: 04 Sep 2003
- Posts: 24135
- Location: Wien
That's bad...
Is that computer at your place now, or do you have to go to your brother's again for the next step?
I'm asking so I know what to plan and how.
Posted: 26 Nov 2008 16:51
- Joined: 01 Apr 2008
- Posts: 123
No, but if you think it's much better that it is, we'll bring it over.
On the other hand, if you know it's going to be "hairy", maybe it's better to wipe the system, since there is almost no significant data or software on it.
Posted: 26 Nov 2008 18:08
- bobby
- Administrator
- Joined: 04 Sep 2003
- Posts: 24135
- Location: Wien
I'm always against reinstalling the system, but right now I can't influence your decisions.
Tell me, at what point did ComboFix restart? At one point it is supposed to restart, and to continue its work after the restart.
Can't you find its logs at all?
Look in the c:\qoobox and c:\combofix folders to see whether there is anything there. Are there any text (txt) files?
If there is nothing of that kind, then run HijackThis again and tick the boxes in front of the following lines:
F2 - REG:system.ini: Shell=Explorer.exe "C:\WINDOWS\KesenjanganSosial.exe"
O4 - HKLM\..\Run: [RavAV] C:\WINDOWS\AdobeR.exe
O4 - HKLM\..\Run: [DaemonTools_WhenUSave_Installer] C:\Program Files\DaemonTools_WhenUSave_Installer\DaemonTools_WhenUSave_Installer.exe
O4 - HKLM\..\Run: [VVSN] C:\Program Files\VVSN\VVSN.exe
O4 - HKLM\..\Run: [Disk Knight] C:\WINDOWS\Knight.exe
O4 - HKLM\..\Run: [Bron-Spizaetus] "C:\WINDOWS\ShellNew\RakyatKelaparan.exe"
O4 - HKLM\..\Run: [RavTimeXP] C:\WINDOWS\TEMP\WUUR1.exe
O4 - HKLM\..\Run: [Explorer] C:\WINDOWS\Windows Explorer.exe
O4 - HKCU\..\Run: [Tok-Cirrhatus-2883] "C:\Documents and Settings\MiliMare\Local Settings\Application Data\br6789on.exe"
O4 - HKCU\..\Run: [amva] C:\WINDOWS\system32\amvo.exe
O4 - S-1-5-20 Startup: Empty.pif = ? (User 'NETWORK SERVICE')
O4 - S-1-5-18 Startup: Empty.pif = ? (User 'SYSTEM')
O4 - S-1-5-18 Startup: New Folder.exe (User 'SYSTEM')
O4 - S-1-5-18 Startup: PowerReg Scheduler V3.exe (User 'SYSTEM')
O4 - S-1-5-18 Startup: Startup.exe (User 'SYSTEM')
O4 - S-1-5-18 Startup: windows.pif = ? (User 'SYSTEM')
O4 - .DEFAULT Startup: Empty.pif = ? (User 'Default user')
O4 - .DEFAULT Startup: New Folder.exe (User 'Default user')
O4 - .DEFAULT Startup: PowerReg Scheduler V3.exe (User 'Default user')
O4 - .DEFAULT Startup: Startup.exe (User 'Default user')
O4 - .DEFAULT Startup: windows.pif = ? (User 'Default user')
O4 - Startup: Empty.pif = ?
O4 - Startup: New Folder.exe
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Startup: Startup.exe
O4 - Startup: windows.pif = ?
O4 - Global Startup: Empty.pif = ?
O4 - Global Startup: New Folder.exe
O4 - Global Startup: Startup.exe
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
Click Fix checked.
Right after that, restart the computer into Safe Mode following these instructions:
http://www.mycity.rs/Uputstva-sa-ex-SuperSajta/Kako-uci-u-SAFE-MODE.html
Once in Safe Mode, delete the following files:
C:\WINDOWS\svchost.exe
C:\WINDOWS\AdobeR.exe
C:\Program Files\VVSN\VVSN.exe
C:\WINDOWS\Knight.exe
C:\WINDOWS\TEMP\WUUR1.exe
C:\WINDOWS\Windows Explorer.exe
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\New Folder.exe
C:\Documents and Settings\MiliMare\Start Menu\Programs\Startup\New Folder.exe
C:\Documents and Settings\MiliMare\Application Data\explorer.exe
C:\Documents and Settings\MiliMare\Local Settings\Application Data\lsass.exe
C:\Documents and Settings\MiliMare\Local Settings\Application Data\winlogon.exe
C:\Documents and Settings\MiliMare\Local Settings\Application Data\services.exe
C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe
C:\WINDOWS\ShellNew\RakyatKelaparan.exe
C:\WINDOWS\KesenjanganSosial.exe
C:\Documents and Settings\MiliMare\Local Settings\Application Data\br6789on.exe
C:\WINDOWS\system32\amvo.exe
After that, restart the computer again and try to run ComboFix.
It wouldn't be a bad idea to print out these instructions, since there are a lot of items.
Addendum: 26 Nov 2008 18:08
Oh, and if some of those files are not visible, try turning on the display of hidden files following these instructions:
http://www.mycity.rs/Uputstva-sa-ex-SuperSajta/Kako-videti-skrivene-fajlove.html
That applies to showing hidden files in Windows Explorer. If you are using some other file manager, look for an option along the lines of Show hidden files and turn it on.