Trojanci

• 0Niko još nije pohvalio poruku.
  Registruj se da bi pohvalio/la poruku!

Pozdrav!

Potrebna mi je pomoc jer mi je racunar pun trojanaca (Troyan Horse Generic, Back door, ...), AVG ne uspeva da ih ukloni, a sve radi krajnje usporeno, Mozilla puca, ...

Unapred hvala.



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 00:02:30, on 08-Nov-08
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\DAEMON Tools Lite\daemon.exe
C:\Program Files\ATI Multimedia\main\ATIDtct.EXE
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
c:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\AVG\AVG8\avgui.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Divna\Desktop\Downloads\TR3.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = google.mini20.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 8080:80
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {259F616C-A300-44F5-B04A-ED001A26C85C} - (no file)
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O4 - HKLM\..\Run: [NVMixerTray] "C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe"
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [AdobeCS4ServiceManager] "C:\Program Files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" -launchedbylogin
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\daemon.exe"
O4 - HKCU\..\Run: [ATI Launchpad] "C:\Program Files\ATI Multimedia\main\launchpd.exe"
O4 - HKCU\..\Run: [ATI DeviceDetect] C:\Program Files\ATI Multimedia\main\ATIDtct.EXE
O4 - HKCU\..\Run: [WeatherClock] C:\Program Files\Weather Clock\WeatherClock.exe
O8 - Extra context menu item: Iz&vezi u Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: ATI TV - {44226DFF-747E-4edc-B30C-78752E50CD0C} - C:\Program Files\ATI Multimedia\tv\EXPLBAR.DLL
O9 - Extra button: Istraživanje - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Protexis Licensing V2 (PSI_SVC_2) - Protexis Inc. - c:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe

--
End of file - 4540 bytes

• 0Niko još nije pohvalio poruku.
  Registruj se da bi pohvalio/la poruku!

Pozdrav...



* Klikni desnim tasterom miša na AVG ikonicu ( ) u donjem, desnom uglu ekrana.
* Kada se pokrene AVG Control Center, dvoklikni na AVG Resident Shield komponentu.
* U prozoru koji se otvori, deštikliraj opciju Turn on AVG Resident Shield i klikni OK.

Napomena: Ne zaboravi da uključiš ovu opciju po završetku čišćenja.


-------------------------------------------------------------------------------------


Skini ComboFix sa jedne od sledecih adresa na Desktop:
http://download.bleepingcomputer.com/sUBs/ComboFix.exe
http://www.forospyware.com/sUBs/ComboFix.exe
http://subs.geekstogo.com/ComboFix.exe

Startuj ga i ne diraj prozor programa dok skenira.
Sledi uputstva na ekranu. Kada zavrsi pojavice se log (C:\ComboFix.txt) koji ces nam ovde iskopirati.

• 0Niko još nije pohvalio poruku.
  Registruj se da bi pohvalio/la poruku!

Evo loga:

ComboFix 08-11-07.01 - Divna 2008-11-09 1:02:31.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.124 [GMT 1:00]
Running from: c:\documents and settings\Divna\Desktop\Downloads\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat

----- BITS: Possible infected sites -----

hxxp://www.mp3codecinstall.net
.
((((((((((((((((((((((((( Files Created from 2008-10-08 to 2008-11-08 )))))))))))))))))))))))))))))))
.

2008-11-07 20:58 . 2008-11-07 21:05 <DIR> d-------- c:\program files\Opera
2008-10-26 22:25 . 2008-10-26 22:25 <DIR> d-------- c:\program files\Adobe Media Player
2008-10-26 22:20 . 2008-10-26 22:20 <DIR> d-------- c:\program files\Common Files\Adobe AIR
2008-10-26 22:12 . 2008-10-26 22:12 <DIR> d-------- c:\program files\Common Files\Macrovision Shared
2008-10-25 22:20 . 2008-10-25 22:20 <DIR> d-------- c:\documents and settings\Divna\Application Data\Autodesk
2008-10-25 21:30 . 2008-10-25 21:30 <DIR> d-------- c:\program files\Autodesk
2008-10-25 20:05 . 2007-10-12 14:14 3,734,536 --a------ c:\windows\system32\d3dx9_36.dll
2008-10-21 21:21 . 2008-10-21 21:31 167 --a------ c:\windows\ConverterCore.INI
2008-10-21 21:02 . 2008-10-21 21:32 <DIR> d-------- c:\documents and settings\Divna\Application Data\SolidDocuments
2008-10-21 21:01 . 2008-10-21 21:01 <DIR> d-------- c:\documents and settings\All Users\Application Data\SolidDocuments
2008-10-20 22:28 . 2008-10-20 22:28 353 --a------ c:\windows\pdf2word.INI
2008-10-19 22:00 . 2008-10-19 22:00 <DIR> d-------- c:\documents and settings\Divna\Application Data\Weather Clock

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-11-08 21:47 2,516 --sha-w c:\documents and settings\All Users\Application Data\KGyGaAvL.sys
2008-11-08 21:07 --------- d-----w c:\program files\Cambridge Practice
2008-11-08 00:31 --------- d-----w c:\documents and settings\Divna\Application Data\Skype
2008-11-07 23:30 --------- d-----w c:\documents and settings\Divna\Application Data\skypePM
2008-10-26 21:27 --------- d-----w c:\program files\Common Files\Adobe
2008-10-26 20:05 --------- d-----w c:\program files\Canon
2008-10-25 21:28 --------- d-----w c:\program files\Babylon
2008-10-25 09:26 --------- d-----w c:\documents and settings\Divna\Application Data\ATI MMC
2008-10-20 21:38 --------- d-----w c:\documents and settings\Divna\Application Data\BitTorrent
2008-10-16 13:13 202,776 ----a-w c:\windows\system32\wuweb.dll
2008-10-16 13:13 1,809,944 ----a-w c:\windows\system32\wuaueng.dll
2008-10-16 13:12 561,688 ----a-w c:\windows\system32\wuapi.dll
2008-10-16 13:12 323,608 ----a-w c:\windows\system32\wucltui.dll
2008-10-16 13:09 92,696 ----a-w c:\windows\system32\cdm.dll
2008-10-16 13:09 51,224 ----a-w c:\windows\system32\wuauclt.exe
2008-10-16 13:09 43,544 ----a-w c:\windows\system32\wups2.dll
2008-10-16 13:08 34,328 ----a-w c:\windows\system32\wups.dll
2008-10-12 18:04 --------- d-----w c:\program files\BitTorrent
2008-10-06 22:38 --------- d-----w c:\documents and settings\Divna\Application Data\ZoomBrowser EX
2008-10-06 22:30 --------- d-----w c:\program files\Common Files\Canon
2008-09-27 23:10 --------- d-----w c:\documents and settings\All Users\Application Data\ATI MMC
2008-09-27 22:02 --------- d-----w c:\program files\PlayFLV
2008-09-27 16:00 --------- d-----w c:\documents and settings\All Users\Application Data\Kaspersky Lab Setup Files
2008-09-27 12:33 --------- d-----w c:\program files\eMule
2008-09-15 11:57 1,846,016 ----a-w c:\windows\system32\win32k.sys
2008-09-10 16:17 --------- d-----w c:\documents and settings\Divna\Application Data\AVGTOOLBAR
2008-08-26 07:24 826,368 ----a-w c:\windows\system32\wininet.dll
2008-08-14 10:00 2,180,352 ----a-w c:\windows\system32\ntoskrnl.exe
2008-08-14 09:22 2,057,728 ----a-w c:\windows\system32\ntkrnlpa.exe
2008-08-11 13:47 49,152 ----a-w c:\windows\IgorDRV.dll
2008-03-24 21:56 88 --sh--r c:\documents and settings\All Users\Application Data\2FFE680343.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-03 15360]
"DAEMON Tools Lite"="c:\program files\DAEMON Tools Lite\daemon.exe" [2007-12-19 486856]
"ATI Launchpad"="c:\program files\ATI Multimedia\main\launchpd.exe" [2005-03-18 102400]
"ATI DeviceDetect"="c:\program files\ATI Multimedia\main\ATIDtct.EXE" [2005-03-18 53248]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NVMixerTray"="c:\program files\NVIDIA Corporation\NvMixer\NVMixerTray.exe" [2004-06-03 131072]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2008-09-30 1234712]
"AdobeCS4ServiceManager"="c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" [2008-08-14 611712]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.UYVY"= c:\windows\system32\msyuv.dll
"VIDC.RSY2"= ATIVYUY.DLL
"msacm.divxa32"= msaud32_divx.acm
"VIDC.RS12"= ATIYUV12.DLL

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Synchronizer.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Synchronizer.lnk
backup=c:\windows\pss\Adobe Reader Synchronizer.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Divna^Start Menu^Programs^Startup^PowerReg Scheduler V3.exe]
path=c:\documents and settings\Divna\Start Menu\Programs\Startup\PowerReg Scheduler V3.exe
backup=c:\windows\pss\PowerReg Scheduler V3.exeStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATICCC]
--a------ 2005-08-12 14:43 45056 c:\program files\ATI Technologies\ATI.ACE\CLI.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--------- 2004-10-13 17:24 1694208 c:\program files\Messenger\msmsgs.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\BitTorrent\\bittorrent.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\VideoLAN\\VLC\\vlc.exe"=
"c:\\Program Files\\Promixis\\Girder\\girder.exe"=
"c:\\Program Files\\Promixis\\Girder\\grunt.exe"=
"c:\\Program Files\\eMule\\emule.exe"=
"c:\\Program Files\\Common Files\\Adobe\\CS4ServiceManager\\CS4ServiceManager.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"1234:TCP"= 1234:TCP:vlc
"5353:TCP"= 5353:TCP:Adobe CSI CS4

R0 SI3112r;Silicon Image SiI 3112 SATARaid Controller;c:\windows\system32\DRIVERS\SI3112r.sys [2008-02-22 97408]
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\Drivers\avgldx86.sys [2008-08-30 97928]
R2 adfs;adfs;c:\windows\system32\drivers\adfs.sys [2008-08-14 74720]
R2 avg8wd;AVG8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2008-08-30 231704]
R2 PSI_SVC_2;Protexis Licensing V2;c:\program files\Common Files\Protexis\License Service\PsiService_2.exe [2007-07-24 185632]
R3 TTDec;ATI WDM Teletext Decoder;c:\windows\system32\DRIVERS\ATINTTXX.sys [2004-08-04 13824]

*Newly Created Service* - CATCHME
*Newly Created Service* - PROCEXP90
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-WeatherClock - c:\program files\Weather Clock\WeatherClock.exe
MSConfigStartUp-Babylon Client - c:\program files\Babylon\Babylon.exe
MSConfigStartUp-RSD_HDDThermo - d:\programi\HDD Thermometer\HDD Thermometer.exe


.
------- Supplementary Scan -------
.
FireFox -: Profile - c:\documents and settings\Divna\Application Data\Mozilla\Firefox\Profiles\0jth8ttk.default\
FireFox -: prefs.js - SEARCH.DEFAULTURL - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT1460988&SearchSource=3&q=
FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://www.google.rs/
FF -: plugin - c:\program files\DNA\plugins\npbtdna.dll
FF -: plugin - c:\program files\Mozilla Firefox\plugins\npbittorrent.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, gmer.net
Rootkit scan 2008-11-09 01:03:35
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-11-09 1:05:08
ComboFix-quarantined-files.txt 2008-11-09 00:04:23

Pre-Run: 17,235,648,512 bytes free
Post-Run: 17,363,783,680 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn

153 --- E O F --- 2008-10-24 12:51:31

• 0Niko još nije pohvalio poruku.
  Registruj se da bi pohvalio/la poruku!

Šta ti tačno AVG detektuje?



Preuzmi gmer.zip sa ovog linka i sačuvaj na Desktopu.
Raspakuj ga u neki folder.

Dupli klik na gmer.exe za početak: Izaberi Rootkit/Malware Tab na vrhu.
Klikni na Scan.
Kada je skeniranje završeno, klik na Copy dugme ispod - ovo će sačuvati rezultate skeniranja u Clipboard.
Iskoristi opciju Paste u Notepad-u da bi to prebacio u tekst. Snimi taj tekst iz Notepada kao file1.txt.
Ponovi ovo isto sa Autostart Tab-om. Snimi taj tekst iz Notepada kao file2.txt.

Iskoristi opciju Prikači fajl ispod polja za pisanje poruke na forumu, i prikači nam ovde ta dva fajla koja smo malopre snimili.

• 0Niko još nije pohvalio poruku.
  Registruj se da bi pohvalio/la poruku!

Uloguj se preko Facebooka da bi skinuo fajl:

AVG detektuje sledece: Trojan horse generic10.thy, Trojan horse generic11.FZD, Trojan horse Sheur.CFQB, Trojan horse startpage.CZA, Win32/Puce.C, Trojan horse BackDoor.Genaric10.KJH, Trojan horse PSW.Generic5.AFKE

mycity.rs/must-login.png

mycity.rs/must-login.png

• 0Niko još nije pohvalio poruku.
  Registruj se da bi pohvalio/la poruku!

Zanimaju me nazivi detektovanih file-ova (znači, kompletne putanje do njih).

• 0Niko još nije pohvalio poruku.
  Registruj se da bi pohvalio/la poruku!

C:\System volume information\_restore ... \A0045035.exe
C:\System volume information\_restore ... \A0075991.exe
D:\System .... \A0076144.exe
C:\System .... \A0131803.exe
C:\System .... \A0131804.exe
D:\System .... \A0132957.exe
D:\System .... \A0132958.exe
D:\System .... \A0132959.exe
C:\Documents and settings\Divna\Local settings\Temp\utt1.tmp.exe
C:\Program files\DNA\btdna.exe

• 0Niko još nije pohvalio poruku.
  Registruj se da bi pohvalio/la poruku!

C:\Documents and settings\Divna\Local settings\Temp\utt1.tmp.exe - ovaj file možeš obrisati.


C:\Program files\DNA\btdna.exe - ovo je legitiman program.


Sve ostalo se nalazi u System Restore-u i to će biti obrisano prilikom deinstalacije ComboFix-a:
Klikni START a zatim RUN
U liniju za unos teksta ukucaj Combofix /u i klikni OK





Sačekaj da se proces deinstalacije završi
Gornja procedura će:
Obrisati sledeće:
ComboFix i njegove file-ove i foldere
VundoFix Backups folder, ako postoji
C:\Deckard folder, ako postoji
C:\OtMoveIt folder, ako postoji
Resetovati podešavanja sata na kompjuteru
Sakriti ekstenzije file-ova, ako je potrebno
Sakriti sistemske/skrivene file-ove/foldere, ako je potrebno
Resetovati System Restore


Na tvom kompjuteru ne bi više trebalo biti malware-a.

Ukoliko ti antivirus nešto bude prijavljivao a ne bude u mogućnosti to da obriše, javi se u temi pa ćemo videti o čemu se radi.

• 0Niko još nije pohvalio poruku.
  Registruj se da bi pohvalio/la poruku!

Hvala puno, sad ostaje samo da sve isproveravam.

Thanks!