trojan recycler

trojan recycler

offline
  • elcom 
  • Novi MyCity građanin
  • Pridružio: 06 Jan 2009
  • Poruke: 3

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:58:52 AM, on 1/6/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0013)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\brsvc01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\brss01a.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Canon\DIAS\CnxDIAS.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\Program Files\Eset\nod32krn.exe
C:\Program Files\RealVNC\VNC4\WinVNC4.exe
C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe
C:\Program Files\Eset\nod32kui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Administrator\Desktop\New Folder\TR3.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = nod32.com/dredirect.php?did=0&eval=2
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe"
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{DC5B7993-C3B5-4F6C-BEC1-D6A5F401CF22}: NameServer = 87.250.102.170,87.250.98.250
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
O23 - Service: Canon Driver Information Assist Service - CANON INC. - C:\Program Files\Canon\DIAS\CnxDIAS.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: VNC Server Version 4 (WinVNC4) - RealVNC Ltd. - C:\Program Files\RealVNC\VNC4\WinVNC4.exe

--
End of file - 4320 bytes
Malwarebytes' Anti-Malware 1.32
Database version: 1623
Windows 5.1.2600 Service Pack 2

1/6/2009 9:11:08 AM
mbam-log-2009-01-06 (09-11-0Cool.txt

Scan type: Quick Scan
Objects scanned: 53209
Time elapsed: 7 minute(s), 41 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 1
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\RECYCLER\S-1-5-21-1482476501-1644491937-682003330-1013 (Trojan.Agent) -> Quarantined and deleted successfully.

Files Infected:
C:\RECYCLER\S-1-5-21-1482476501-1644491937-682003330-1013\windowsupdate.com (Trojan.Agent) -> Quarantined and deleted successfully.

Pozz

Malwarebytes pronadje 4 trojanca ali poslije brisanja i restarta u narednom skeniranju ponovo ih detektuje!

offline
  • helen1  Male
  • Anti Malware Fighter
    Rank 2
  • Master učitelj
  • Pridružio: 27 Avg 2005
  • Poruke: 8488
  • Gde živiš: Novi Beograd

Ne radi vise nista na svoju ruku.

* Otvori Nod32 Control Center (Klik na njegovu tray ikonicu ( ) u donjem desnom uglu ekrana).
* Izaberi AMON iz Threat Protection grupe opcija.
* Na desnom panelu deštikliraj opciju File system monitor (AMON) enabled.
* Gašenje ove opcije pokazaće se kroz promenu boje Control Center-a iz zelene u crvenu.

Napomena: Ne zaboravi da uključiš ovu opciju po završetku čišćenja.

---------------------------------

Skini ComboFix sa jedne od sledecih adresa na Desktop:
http://download.bleepingcomputer.com/sUBs/ComboFix.exe
http://www.forospyware.com/sUBs/ComboFix.exe
http://subs.geekstogo.com/ComboFix.exe

Startuj ga i ne diraj prozor programa dok skenira.
Sledi uputstva na ekranu. Kada zavrsi pojavice se log (C:\ComboFix.txt) koji ces nam ovde iskopirati.

offline
  • elcom 
  • Novi MyCity građanin
  • Pridružio: 06 Jan 2009
  • Poruke: 3

ComboFix 09-01-05.05 - Administrator 2009-01-06 9:39:16.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.479.170 [GMT 1:00]
Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
AV: ESET NOD32 antivirus system 2.70 *On-access scanning disabled* (Updated)
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\recycler\S-1-5-21-1482476501-1644491937-682003330-1013
c:\recycler\S-1-5-21-1482476501-1644491937-682003330-1013\Desktop.ini
c:\recycler\S-1-5-21-1482476501-1644491937-682003330-1013\windowsupdate.com
F:\autorun.inf

.
((((((((((((((((((((((((( Files Created from 2008-12-06 to 2009-01-06 )))))))))))))))))))))))))))))))
.

2009-01-02 08:05 . 2009-01-02 08:05 512,096 --a------ c:\windows\system32\drivers\amon.sys
2009-01-02 08:05 . 2009-01-02 08:05 299,392 --a------ c:\windows\system32\imon.dll
2009-01-02 08:05 . 2009-01-02 08:05 15,424 --a------ c:\windows\system32\drivers\nod32drv.sys
2009-01-02 08:03 . 2009-01-06 09:27 <DIR> d-------- c:\program files\Eset
2008-12-27 14:37 . 2008-12-27 14:37 <DIR> d--h----- c:\windows\system32\CanonMF Uninstaller Information
2008-12-27 14:37 . 2008-12-27 14:37 <DIR> d--h----- C:\CanonMF
2008-12-27 14:36 . 2008-12-27 14:37 <DIR> d-------- c:\program files\Canon
2008-12-27 14:35 . 2005-06-10 13:39 53,248 --a------ c:\windows\system32\CNAS0MMK.DLL
2008-12-19 14:42 . 2008-12-19 14:42 <DIR> d-------- c:\documents and settings\All Users\Application Data\Avg8
2008-12-19 09:04 . 2008-12-19 09:04 <DIR> d-------- c:\documents and settings\korisnik\Application Data\Malwarebytes
2008-12-19 08:16 . 2009-01-06 08:55 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2008-12-19 08:16 . 2008-12-19 08:16 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2008-12-19 08:16 . 2008-12-19 08:16 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Malwarebytes
2008-12-19 08:16 . 2009-01-04 18:38 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2008-12-19 08:16 . 2009-01-04 18:38 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2008-12-10 10:31 . 2008-12-19 09:29 <DIR> d--h----- C:\$AVG8.VAULT$
2008-12-10 10:07 . 2008-12-10 10:07 <DIR> d-------- c:\program files\AVG
2008-12-10 08:56 . 2008-12-10 08:56 <DIR> d-------- c:\documents and settings\All Users\Application Data\ESET

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-04 13:56 --------- d-----w c:\documents and settings\korisnik\Application Data\uTorrent
2008-11-28 16:24 --------- d-----w c:\documents and settings\korisnik\Application Data\Media Player Classic
2008-11-17 12:58 --------- d-----w c:\documents and settings\korisnik\Application Data\Mikrotik
2008-11-17 12:28 --------- d-----w c:\documents and settings\korisnik\Application Data\QuickMessenger
2008-11-17 12:25 --------- d-----w c:\program files\RealVNC
2008-11-17 12:24 73,216 ----a-w c:\windows\ST6UNST.EXE
2008-11-17 12:24 249,856 ------w c:\windows\Setup1.exe
2008-11-17 12:24 --------- d-----w c:\program files\QuickMessenger
2008-11-17 12:21 --------- d-----w c:\program files\Common Files\Adobe
2008-11-17 12:11 --------- d-----w c:\documents and settings\korisnik\Application Data\Ahead
2008-11-17 12:09 --------- d-----r c:\documents and settings\korisnik\Application Data\Brother
2008-11-17 12:08 --------- d-----w c:\program files\Nero
2008-11-17 12:08 --------- d-----w c:\program files\Common Files\Ahead
2008-11-17 12:03 --------- d-----w c:\program files\K-Lite Codec Pack
2008-11-17 12:00 --------- d-----w c:\documents and settings\korisnik\Application Data\OpenOffice.org
2008-11-17 11:58 --------- d-----w c:\program files\OpenOffice.org 3
2008-11-17 11:58 --------- d-----w c:\program files\JRE
2008-11-17 11:57 --------- d-----w c:\program files\Java
2008-11-17 11:57 --------- d-----w c:\program files\Common Files\Java
2008-11-17 11:44 --------- d-----w c:\program files\S3
2008-11-17 11:29 --------- d-----w c:\program files\ZaraSoft
2008-11-17 11:27 --------- d-----w c:\documents and settings\korisnik\Application Data\Creative
2008-11-17 11:26 --------- d--h--w c:\program files\InstallShield Installation Information
2008-11-17 11:26 --------- d-----w c:\program files\Creative
2008-11-17 11:20 --------- d-----w c:\program files\Common Files\InstallShield
2008-11-17 10:56 --------- d-----w c:\program files\microsoft frontpage
2008-11-17 10:50 --------- d-----w c:\program files\Windows Media Connect 2
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\lib\NMBgMonitor.exe" [2005-12-16 94208]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTSysVol"="c:\program files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe" [2005-02-15 57344]
"UpdReg"="c:\windows\UpdReg.EXE" [2000-05-11 90112]
"nod32kui"="c:\program files\Eset\nod32kui.exe" [2009-01-02 950664]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-04 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Canon\\DIAS\\CnxDIAS.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"59000:TCP"= 59000:TCP:vnc

R1 nod32drv;nod32drv;c:\windows\system32\drivers\nod32drv.sys [2009-01-02 15424]
.
.
------- Supplementary Scan -------
.
uInternet Connection Wizard,ShellNext = hxxp://www.nod32.com/dredirect.php?did=0&eval=2
LSP: c:\windows\system32\imon.dll
TCP: {DC5B7993-C3B5-4F6C-BEC1-D6A5F401CF22} = 87.250.102.170,87.250.98.250
FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\opa25m9l.default\
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, gmer.net
Rootkit scan 2009-01-06 09:40:34
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'lsass.exe'(572)
c:\windows\system32\imon.dll
.
Completion time: 2009-01-06 9:41:40
ComboFix-quarantined-files.txt 2009-01-06 08:41:36

Pre-Run: 25,097,134,080 bytes free
Post-Run: 25,794,646,016 bytes free

118

offline
  • helen1  Male
  • Anti Malware Fighter
    Rank 2
  • Master učitelj
  • Pridružio: 27 Avg 2005
  • Poruke: 8488
  • Gde živiš: Novi Beograd

Log je cist.


Uradi jos ovo:

Klikni START a zatim RUN
U liniju za unos teksta ukucaj Combofix /u i klikni OK





Sačekaj da se proces deinstalacije završi

Gornja procedura će:
Obrisati sledeće:
ComboFix i njegove file-ove i foldere
VundoFix Backups folder, ako postoji
C:\Deckard folder, ako postoji
C:\OtMoveIt folder, ako postoji

Resetovati podešavanja sata na kompjuteru
Sakriti ekstenzije file-ova, ako je potrebno
Sakriti sistemske/skrivene file-ove/foldere, ako je potrebno
Resetovati System Restore

offline
  • elcom 
  • Novi MyCity građanin
  • Pridružio: 06 Jan 2009
  • Poruke: 3

hvala pozdrav

Ko je trenutno na forumu
 

Ukupno su 661 korisnika na forumu :: 38 registrovanih, 7 sakrivenih i 616 gosta   ::   [ Administrator ] [ Supermoderator ] [ Moderator ] :: Detaljnije

Najviše korisnika na forumu ikad bilo je 3466 - dana 01 Jun 2021 17:07

Korisnici koji su trenutno na forumu:
Korisnici trenutno na forumu: A.R.Chafee.Jr., Areal84, BSD, Ctrl x, danilopu, DARKMEN22, flash12, FOX, Georgius, goran.vvv, h8propaganda, havoc995, Konda, kovinacc, manda87, mercedesamg, Mercury, Milan A. Nikolic, Milos ZA, Misirac, moldway, naki011, nemkea71, nikoladim, pein, royst33, S2M, Sale.S, Simon simonović, sokars, Srki94, theNedjeljko, Toni, Vlada1389, vlvl, W123, willie, xJeremijAx