MyCity » Ambulanta -> Arhiva Ambulante » trojan recycler

trojan recycler

Napisano na dan: 6.1.2009

trojan recycler
Sledeća strana Pagination

Idi na vrh

Poslao: 06 Jan 2009 09:18
Idi na vrh
offline
  • elcom 
  • Novi MyCity građanin
  • Pridružio: 06 Jan 2009
  • Poruke: 3

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:58:52 AM, on 1/6/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0013)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\brsvc01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\brss01a.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Canon\DIAS\CnxDIAS.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\Program Files\Eset\nod32krn.exe
C:\Program Files\RealVNC\VNC4\WinVNC4.exe
C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe
C:\Program Files\Eset\nod32kui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Administrator\Desktop\New Folder\TR3.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = nod32.com/dredirect.php?did=0&eval=2
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe"
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{DC5B7993-C3B5-4F6C-BEC1-D6A5F401CF22}: NameServer = 87.250.102.170,87.250.98.250
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
O23 - Service: Canon Driver Information Assist Service - CANON INC. - C:\Program Files\Canon\DIAS\CnxDIAS.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: VNC Server Version 4 (WinVNC4) - RealVNC Ltd. - C:\Program Files\RealVNC\VNC4\WinVNC4.exe

--
End of file - 4320 bytes
Malwarebytes' Anti-Malware 1.32
Database version: 1623
Windows 5.1.2600 Service Pack 2

1/6/2009 9:11:08 AM
mbam-log-2009-01-06 (09-11-0Cool.txt

Scan type: Quick Scan
Objects scanned: 53209
Time elapsed: 7 minute(s), 41 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 1
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\RECYCLER\S-1-5-21-1482476501-1644491937-682003330-1013 (Trojan.Agent) -> Quarantined and deleted successfully.

Files Infected:
C:\RECYCLER\S-1-5-21-1482476501-1644491937-682003330-1013\windowsupdate.com (Trojan.Agent) -> Quarantined and deleted successfully.

Pozz

Malwarebytes pronadje 4 trojanca ali poslije brisanja i restarta u narednom skeniranju ponovo ih detektuje!

Poslao: 06 Jan 2009 09:21
Idi na vrh
offline
  • helen1  Male
  • Anti Malware Fighter
    Rank 2
  • Master učitelj
  • Pridružio: 27 Avg 2005
  • Poruke: 8617
  • Gde živiš: Novi Beograd

Ne radi vise nista na svoju ruku.

* Otvori Nod32 Control Center (Klik na njegovu tray ikonicu ( ) u donjem desnom uglu ekrana).
* Izaberi AMON iz Threat Protection grupe opcija.
* Na desnom panelu deštikliraj opciju File system monitor (AMON) enabled.
* Gašenje ove opcije pokazaće se kroz promenu boje Control Center-a iz zelene u crvenu.

Napomena: Ne zaboravi da uključiš ovu opciju po završetku čišćenja.

---------------------------------

Skini ComboFix sa jedne od sledecih adresa na Desktop:
http://download.bleepingcomputer.com/sUBs/ComboFix.exe
http://www.forospyware.com/sUBs/ComboFix.exe
http://subs.geekstogo.com/ComboFix.exe

Startuj ga i ne diraj prozor programa dok skenira.
Sledi uputstva na ekranu. Kada zavrsi pojavice se log (C:\ComboFix.txt) koji ces nam ovde iskopirati.

Poslao: 06 Jan 2009 09:49
Idi na vrh
offline
  • elcom 
  • Novi MyCity građanin
  • Pridružio: 06 Jan 2009
  • Poruke: 3

ComboFix 09-01-05.05 - Administrator 2009-01-06 9:39:16.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.479.170 [GMT 1:00]
Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
AV: ESET NOD32 antivirus system 2.70 *On-access scanning disabled* (Updated)
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\recycler\S-1-5-21-1482476501-1644491937-682003330-1013
c:\recycler\S-1-5-21-1482476501-1644491937-682003330-1013\Desktop.ini
c:\recycler\S-1-5-21-1482476501-1644491937-682003330-1013\windowsupdate.com
F:\autorun.inf

.
((((((((((((((((((((((((( Files Created from 2008-12-06 to 2009-01-06 )))))))))))))))))))))))))))))))
.

2009-01-02 08:05 . 2009-01-02 08:05 512,096 --a------ c:\windows\system32\drivers\amon.sys
2009-01-02 08:05 . 2009-01-02 08:05 299,392 --a------ c:\windows\system32\imon.dll
2009-01-02 08:05 . 2009-01-02 08:05 15,424 --a------ c:\windows\system32\drivers\nod32drv.sys
2009-01-02 08:03 . 2009-01-06 09:27 <DIR> d-------- c:\program files\Eset
2008-12-27 14:37 . 2008-12-27 14:37 <DIR> d--h----- c:\windows\system32\CanonMF Uninstaller Information
2008-12-27 14:37 . 2008-12-27 14:37 <DIR> d--h----- C:\CanonMF
2008-12-27 14:36 . 2008-12-27 14:37 <DIR> d-------- c:\program files\Canon
2008-12-27 14:35 . 2005-06-10 13:39 53,248 --a------ c:\windows\system32\CNAS0MMK.DLL
2008-12-19 14:42 . 2008-12-19 14:42 <DIR> d-------- c:\documents and settings\All Users\Application Data\Avg8
2008-12-19 09:04 . 2008-12-19 09:04 <DIR> d-------- c:\documents and settings\korisnik\Application Data\Malwarebytes
2008-12-19 08:16 . 2009-01-06 08:55 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2008-12-19 08:16 . 2008-12-19 08:16 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2008-12-19 08:16 . 2008-12-19 08:16 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Malwarebytes
2008-12-19 08:16 . 2009-01-04 18:38 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2008-12-19 08:16 . 2009-01-04 18:38 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2008-12-10 10:31 . 2008-12-19 09:29 <DIR> d--h----- C:\$AVG8.VAULT$
2008-12-10 10:07 . 2008-12-10 10:07 <DIR> d-------- c:\program files\AVG
2008-12-10 08:56 . 2008-12-10 08:56 <DIR> d-------- c:\documents and settings\All Users\Application Data\ESET

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-04 13:56 --------- d-----w c:\documents and settings\korisnik\Application Data\uTorrent
2008-11-28 16:24 --------- d-----w c:\documents and settings\korisnik\Application Data\Media Player Classic
2008-11-17 12:58 --------- d-----w c:\documents and settings\korisnik\Application Data\Mikrotik
2008-11-17 12:28 --------- d-----w c:\documents and settings\korisnik\Application Data\QuickMessenger
2008-11-17 12:25 --------- d-----w c:\program files\RealVNC
2008-11-17 12:24 73,216 ----a-w c:\windows\ST6UNST.EXE
2008-11-17 12:24 249,856 ------w c:\windows\Setup1.exe
2008-11-17 12:24 --------- d-----w c:\program files\QuickMessenger
2008-11-17 12:21 --------- d-----w c:\program files\Common Files\Adobe
2008-11-17 12:11 --------- d-----w c:\documents and settings\korisnik\Application Data\Ahead
2008-11-17 12:09 --------- d-----r c:\documents and settings\korisnik\Application Data\Brother
2008-11-17 12:08 --------- d-----w c:\program files\Nero
2008-11-17 12:08 --------- d-----w c:\program files\Common Files\Ahead
2008-11-17 12:03 --------- d-----w c:\program files\K-Lite Codec Pack
2008-11-17 12:00 --------- d-----w c:\documents and settings\korisnik\Application Data\OpenOffice.org
2008-11-17 11:58 --------- d-----w c:\program files\OpenOffice.org 3
2008-11-17 11:58 --------- d-----w c:\program files\JRE
2008-11-17 11:57 --------- d-----w c:\program files\Java
2008-11-17 11:57 --------- d-----w c:\program files\Common Files\Java
2008-11-17 11:44 --------- d-----w c:\program files\S3
2008-11-17 11:29 --------- d-----w c:\program files\ZaraSoft
2008-11-17 11:27 --------- d-----w c:\documents and settings\korisnik\Application Data\Creative
2008-11-17 11:26 --------- d--h--w c:\program files\InstallShield Installation Information
2008-11-17 11:26 --------- d-----w c:\program files\Creative
2008-11-17 11:20 --------- d-----w c:\program files\Common Files\InstallShield
2008-11-17 10:56 --------- d-----w c:\program files\microsoft frontpage
2008-11-17 10:50 --------- d-----w c:\program files\Windows Media Connect 2
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\lib\NMBgMonitor.exe" [2005-12-16 94208]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTSysVol"="c:\program files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe" [2005-02-15 57344]
"UpdReg"="c:\windows\UpdReg.EXE" [2000-05-11 90112]
"nod32kui"="c:\program files\Eset\nod32kui.exe" [2009-01-02 950664]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-04 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Canon\\DIAS\\CnxDIAS.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"59000:TCP"= 59000:TCP:vnc

R1 nod32drv;nod32drv;c:\windows\system32\drivers\nod32drv.sys [2009-01-02 15424]
.
.
------- Supplementary Scan -------
.
uInternet Connection Wizard,ShellNext = hxxp://www.nod32.com/dredirect.php?did=0&eval=2
LSP: c:\windows\system32\imon.dll
TCP: {DC5B7993-C3B5-4F6C-BEC1-D6A5F401CF22} = 87.250.102.170,87.250.98.250
FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\opa25m9l.default\
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, gmer.net
Rootkit scan 2009-01-06 09:40:34
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'lsass.exe'(572)
c:\windows\system32\imon.dll
.
Completion time: 2009-01-06 9:41:40
ComboFix-quarantined-files.txt 2009-01-06 08:41:36

Pre-Run: 25,097,134,080 bytes free
Post-Run: 25,794,646,016 bytes free

118

Poslao: 06 Jan 2009 10:07
Idi na vrh
offline
  • helen1  Male
  • Anti Malware Fighter
    Rank 2
  • Master učitelj
  • Pridružio: 27 Avg 2005
  • Poruke: 8617
  • Gde živiš: Novi Beograd

Log je cist.


Uradi jos ovo:

Klikni START a zatim RUN
U liniju za unos teksta ukucaj Combofix /u i klikni OK





Sačekaj da se proces deinstalacije završi
Gornja procedura će:
Obrisati sledeće:
ComboFix i njegove file-ove i foldere
VundoFix Backups folder, ako postoji
C:\Deckard folder, ako postoji
C:\OtMoveIt folder, ako postoji
Resetovati podešavanja sata na kompjuteru
Sakriti ekstenzije file-ova, ako je potrebno
Sakriti sistemske/skrivene file-ove/foldere, ako je potrebno
Resetovati System Restore

Poslao: 06 Jan 2009 10:09
Idi na vrh
offline
  • elcom 
  • Novi MyCity građanin
  • Pridružio: 06 Jan 2009
  • Poruke: 3

hvala pozdrav

MyCity » Ambulanta -> Arhiva Ambulante » trojan recycler

Ko je trenutno na forumu
 

Ukupno su 1132 korisnika na forumu :: 40 registrovanih, 7 sakrivenih i 1085 gosta   ::   [ Administrator ] [ Supermoderator ] [ Moderator ] :: Detaljnije

Najviše korisnika na forumu ikad bilo je 3466 - dana 01 Jun 2021 17:07

Korisnici koji su trenutno na forumu:
Korisnici trenutno na forumu: babaroga, Boris Bosiljčić, cavatina, djboj, draganl, dulleo, flash12, FOX, goxin, Karla, krkalon, Kubovac, ladro, laurusri, Lieutenant, Milos ZA, milutin134, Oscar, ozzy, pein, Pohovani_00, raptorsi, rasok, Ripanjac, RJ, Romibrat, royst33, ruma, S1Mk3, saputnik plavetnila, sasa87, Shinobi, Simon simonović, Srle993, Trpe Grozni, tubular, vaso1, Webb, YU-UKI, šumar bk2