Zarazen kompjuter

• 0Niko još nije pohvalio poruku.
  Registruj se da bi pohvalio/la poruku!

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 52034 PM, on 11/10/2008
Platform Windows XP SP2 (WinNT 5.01.2600)
MSIE Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode Normal

Running processes
C\WINDOWS\System32\smss.exe
C\WINDOWS\system32\winlogon.exe
C\WINDOWS\system32\services.exe
C\WINDOWS\system32\lsass.exe
C\WINDOWS\system32\Ati2evxx.exe
C\WINDOWS\system32\svchost.exe
C\WINDOWS\System32\svchost.exe
C\WINDOWS\system32\Ati2evxx.exe
C\WINDOWS\system32\spoolsv.exe
C\WINDOWS\Explorer.EXE
C\WINDOWS\RTHDCPL.EXE
C\Program Files\Winamp\winampa.exe
C\Program Files\Eset\nod32kui.exe
C\Program Files\Messenger\msmsgs.exe
C\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
C\WINDOWS\system32\ctfmon.exe
C\Program Files\Ares\Ares.exe
C\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C\Program Files\Eset\nod32krn.exe
C\Program Files\CyberLink\Shared files\RichVideo.exe
C\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C\Program Files\Mozilla Firefox\firefox.exe
C\Documents and Settings\korisnik\Desktop\septembar\TR.3exe.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = aboutblank
O2 - BHO AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C\Program Files\Google\GoogleToolbarNotifier\4.1.805.4472\swg.dll
O4 - HKLM\..\Run [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run [StartCCC] "C\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe"
O4 - HKLM\..\Run [WinampAgent] C\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run [NeroFilterCheck] C\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run [nod32kui] "C\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKCU\..\Run [MSMSGS] "C\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run [ctfmon.exe] C\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run [ares] "C\Program Files\Ares\Ares.exe" -h
O4 - Global Startup Adobe Reader Speed Launch.lnk = C\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item E&xport to Microsoft Excel - res//C\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C\Program Files\Messenger\msmsgs.exe
O23 - Service Ares Chatroom server (AresChatServer) - Ares Development Group - C\Program Files\Ares\chatServer.exe
O23 - Service Ati HotKey Poller - ATI Technologies Inc. - C\WINDOWS\system32\Ati2evxx.exe
O23 - Service GEST Service for program management. (GEST Service) - Unknown owner - C\Program Files\GIGABYTE\GEST\GSvr.exe
O23 - Service Google Updater Service (gusvc) - Google - C\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service NOD32 Kernel Service (NOD32krn) - Eset - C\Program Files\Eset\nod32krn.exe
O23 - Service Visibroker Activation Daemon (oad) - Unknown owner - C\PROGRA~1\Borland\vbroker\bin\oad.exe
O23 - Service VisiBroker Smart Agent (osagent) - Unknown owner - C\PROGRA~1\Borland\vbroker\bin\osagent.exe
O23 - Service Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C\Program Files\CyberLink\Shared files\RichVideo.exe

--
End of file - 3853 bytes

Dopuna: 10 Nov 2008 17:28

Skeniranje je pokazalo da su pronadjena 4 slucaja, od kojih su 2 neutralisana. Sta sad?

• 0Niko još nije pohvalio poruku.
  Registruj se da bi pohvalio/la poruku!

Pozdrav...


Postavljeni log je čist.

Čime je vršeno skeniranje i šta je to što nije uklonjeno (zanimaju me nazivi file-ova koji su detektovani)?

• 0Niko još nije pohvalio poruku.
  Registruj se da bi pohvalio/la poruku!

NOD 32 - Scanner Logs, Infected 4, clean 2

• 0Niko još nije pohvalio poruku.
  Registruj se da bi pohvalio/la poruku!

Nadah se da će biti malo preciznije, al' dobro...

Hajde da vidimo šta se tu događa.


* Otvori Nod32 Control Center (Klik na njegovu tray ikonicu ( ) u donjem desnom uglu ekrana).
* Izaberi AMON iz Threat Protection grupe opcija.
* Na desnom panelu deštikliraj opciju File system monitor (AMON) enabled.
* Gašenje ove opcije pokazaće se kroz promenu boje Control Center-a iz zelene u crvenu.

Napomena: Ne zaboravi da uključiš ovu opciju po završetku čišćenja.


-------------------------------------------------------------------------------------


Skini ComboFix sa jedne od sledecih adresa na Desktop:
http://download.bleepingcomputer.com/sUBs/ComboFix.exe
http://www.forospyware.com/sUBs/ComboFix.exe
http://subs.geekstogo.com/ComboFix.exe

Startuj ga i ne diraj prozor programa dok skenira.
Sledi uputstva na ekranu. Kada zavrsi pojavice se log (C:\ComboFix.txt) koji ces nam ovde iskopirati.

• 0Niko još nije pohvalio poruku.
  Registruj se da bi pohvalio/la poruku!

Nemam druge informacije, mozda sam izbrisala

• 0Niko još nije pohvalio poruku.
  Registruj se da bi pohvalio/la poruku!

Sasvim ok... Samo isprati gore dato uputstvo.

• 0Niko još nije pohvalio poruku.
  Registruj se da bi pohvalio/la poruku!

ComboFix 08-11-09.04 - korisnik 2008-11-10 18:42:56.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.574 [GMT 1:00]
Running from: c:\documents and settings\korisnik\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\docume~1\korisnik\LOCALS~1\Temp\install_flash_player.exe
c:\windows\system32\Cfx32.lic
c:\windows\system32\cfx32.ocx

.
((((((((((((((((((((((((( Files Created from 2008-10-10 to 2008-11-10 )))))))))))))))))))))))))))))))
.

2008-11-05 16:14 . 2008-11-05 16:14 <DIR> d-------- c:\program files\MSXML 6.0
2008-11-05 13:47 . 2008-11-05 13:47 <DIR> d-------- c:\documents and settings\korisnik\Application Data\Malwarebytes
2008-11-05 13:47 . 2008-11-05 13:47 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2008-11-05 13:36 . 2008-06-13 14:10 272,128 --------- c:\windows\system32\drivers\bthport.sys
2008-11-05 13:36 . 2008-06-13 14:10 272,128 -----c--- c:\windows\system32\dllcache\bthport.sys
2008-11-05 13:35 . 2008-08-14 11:00 2,180,352 -----c--- c:\windows\system32\dllcache\ntoskrnl.exe
2008-11-05 13:35 . 2008-08-14 10:58 2,136,064 -----c--- c:\windows\system32\dllcache\ntkrnlmp.exe
2008-11-05 13:35 . 2008-08-14 10:22 2,057,728 -----c--- c:\windows\system32\dllcache\ntkrnlpa.exe
2008-11-05 13:35 . 2008-08-14 10:22 2,015,744 -----c--- c:\windows\system32\dllcache\ntkrpamp.exe
2008-11-05 00:16 . 2008-11-05 16:14 <DIR> d--h----- c:\windows\$hf_mig$
2008-10-12 15:06 . 2008-10-12 15:10 <DIR> d-------- c:\program files\AIMP2
2008-10-12 12:47 . 2008-10-12 15:10 <DIR> d-------- c:\program files\YouTube Downloader
2008-10-12 10:23 . 2008-10-12 12:41 <DIR> d-------- c:\program files\weblin
2008-10-12 10:21 . 2008-10-12 12:41 <DIR> d-------- c:\documents and settings\korisnik\Application Data\zweitgeist

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-11-10 16:44 --------- d--h--w c:\program files\InstallShield Installation Information
2008-11-09 21:04 --------- d-----w c:\documents and settings\All Users\Application Data\Google Updater
2008-10-17 19:25 --------- d-----w c:\program files\Winamp
2008-10-06 18:34 --------- d-----w c:\program files\Google
2008-10-03 19:14 --------- d-----w c:\documents and settings\korisnik\Application Data\AdobeUM
2008-09-24 12:19 --------- d-----w c:\program files\Microsoft SQL Server
2008-09-24 12:18 --------- d-----w c:\program files\Microsoft.NET
2008-09-24 12:16 --------- d-----w c:\program files\Microsoft Visual Studio 8
2008-09-24 12:16 --------- d-----w c:\documents and settings\All Users\Application Data\Microsoft Help
2008-09-24 11:36 --------- d-----w c:\program files\Borland
2008-09-23 16:28 --------- d-----w c:\program files\ESET
2008-09-23 13:05 --------- d-----w c:\program files\Common Files\Borland Shared
2008-09-23 12:52 --------- d-----w c:\program files\Rockstar Games
2008-09-21 19:41 --------- d-----w c:\program files\City Interactive
2008-09-21 19:35 98,304 ----a-w c:\windows\system32\CmdLineExt.dll
2008-09-16 19:33 --------- d-----w c:\documents and settings\korisnik\Application Data\Media Player Classic
2008-09-16 18:49 --------- d-----w c:\documents and settings\korisnik\Application Data\CyberLink
2008-09-16 18:40 --------- d-----w c:\documents and settings\All Users\Application Data\CyberLink
2008-09-15 11:57 1,846,016 ----a-w c:\windows\system32\win32k.sys
2008-09-12 14:50 16,608 ----a-w c:\windows\gdrv.sys
2008-09-12 14:49 512,096 ----a-w c:\windows\system32\drivers\amon.sys
2008-09-12 14:49 298,104 ----a-w c:\windows\system32\imon.dll
2008-09-12 14:49 15,424 ----a-w c:\windows\system32\drivers\nod32drv.sys
2008-09-12 14:48 --------- d-----w c:\program files\Microsoft ActiveSync
2008-09-12 14:48 --------- d-----w c:\program files\Common Files\L&H
2008-09-12 14:47 --------- d-----w c:\program files\Microsoft Works
2008-09-12 14:45 --------- d-----w c:\program files\totalcmd
2008-09-12 14:45 --------- d-----w c:\program files\Common Files\Ahead
2008-09-12 14:45 --------- d-----w c:\program files\Ahead
2008-09-12 14:44 --------- d-----w c:\program files\ACD
2008-09-12 14:43 --------- d-----w c:\program files\Common Files\Adobe
2008-09-12 14:42 --------- d-----w c:\program files\Webteh
2008-09-12 14:42 --------- d-----w c:\program files\Opera
2008-09-12 14:42 --------- d-----w c:\program files\FLV Player
2008-09-12 14:41 --------- d-----w c:\program files\CyberLink
2008-09-12 14:40 --------- d-----w c:\program files\K-Lite Codec Pack
2008-09-12 14:39 --------- d-----w c:\documents and settings\korisnik\Application Data\ATI
2008-09-12 14:39 --------- d-----w c:\documents and settings\All Users\Application Data\ATI
2008-09-12 14:23 --------- d-----w c:\program files\My Company Name
2008-09-12 14:23 --------- d-----w c:\program files\ATI Technologies
2008-09-12 14:21 --------- d-----w c:\program files\Common Files\ATI Technologies
2008-09-12 14:18 --------- d-----w c:\program files\Common Files\InstallShield
2008-09-12 14:15 --------- d-----w c:\program files\Realtek
2008-09-12 14:15 --------- d-----w c:\documents and settings\korisnik\Application Data\InstallShield
2008-09-12 14:13 315,392 ----a-w c:\windows\HideWin.exe
2008-09-12 14:11 --------- d-----w c:\program files\Intel
2008-09-12 14:11 --------- d-----w c:\program files\GIGABYTE
2008-09-12 14:04 --------- d-----w c:\program files\microsoft frontpage
2008-08-20 05:38 659,456 ----a-w c:\windows\system32\wininet.dll
2008-08-14 09:58 2,136,064 ----a-w c:\windows\system32\ntoskrnl.exe
2008-08-14 09:22 2,015,744 ----a-w c:\windows\system32\ntkrnlpa.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-08-04 1667584]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-03 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2006-11-10 90112]
"WinampAgent"="c:\program files\Winamp\winampa.exe" [2006-02-23 35328]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"nod32kui"="c:\program files\Eset\nod32kui.exe" [2008-09-12 949376]
"RTHDCPL"="RTHDCPL.EXE" [2008-02-13 c:\windows\RTHDCPL.exe]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=

S3 GEST Service;GEST Service for program management.;c:\program files\GIGABYTE\GEST\GSvr.exe [2007-12-14 47624]
S3 oad;Visibroker Activation Daemon;c:\progra~1\Borland\vbroker\bin\oad.exe [1998-03-12 1781248]
S3 osagent;VisiBroker Smart Agent;c:\progra~1\Borland\vbroker\bin\osagent.exe [1998-03-12 193536]

*Newly Created Service* - PROCEXP90
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-ares - c:\program files\Ares\Ares.exe


.
------- Supplementary Scan -------
.
FireFox -: Profile - c:\documents and settings\korisnik\Application Data\Mozilla\Firefox\Profiles\3yngy0s6.default\
FireFox -: prefs.js - STARTUP.HOMEPAGE - about blank
FF -: plugin - c:\program files\Adobe\Acrobat 7.0\Reader\browser\nppdf32.dll
FF -: plugin - c:\program files\Google\Google Updater\2.4.1368.5602\npCIDetect13.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-11-10 18:43:27
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-11-10 18:43:59
ComboFix-quarantined-files.txt 2008-11-10 17:43:46

Pre-Run: 65,031,966,720 bytes free
Post-Run: 65,098,850,304 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

140

Dopuna: 10 Nov 2008 18:49

Ukljucila sam AMON sada

• 0Niko još nije pohvalio poruku.
  Registruj se da bi pohvalio/la poruku!

Ovo izgleda čisto.

Odradi ponovo skeniranje NOD-om - ukoliko bilo šta detektuje a da to ne može da ukloni, napiši ovde šta je u pitanju (nazivi file-ova su potrebni).

• 0Niko još nije pohvalio poruku.
  Registruj se da bi pohvalio/la poruku!

File C:\System Volume Information\_restore{919908B6-37D6-4AB5-B0A5-50EFC557E647}\RP42\A0023951.exe is infected with a variant of Win32/Adware.XPAntivirus.AD application. The file can be deleted. It is strongly recommended that you back up any crucial data before you proceed

Dopuna: 10 Nov 2008 19:17

Sta da pritisnem ima tamo neke opcije?

• 0Niko još nije pohvalio poruku.
  Registruj se da bi pohvalio/la poruku!

Ako postoji opcija Delete, izaberi je.


Anyway... U pitanju su file-ovi u System Restore-u i oni će biti obrisani sledećim postupkom:
Klikni START a zatim RUN
U liniju za unos teksta ukucaj Combofix /u i klikni OK





Sačekaj da se proces deinstalacije završi
Gornja procedura će:
Obrisati sledeće:
ComboFix i njegove file-ove i foldere
VundoFix Backups folder, ako postoji
C:\Deckard folder, ako postoji
C:\OtMoveIt folder, ako postoji
Resetovati podešavanja sata na kompjuteru
Sakriti ekstenzije file-ova, ako je potrebno
Sakriti sistemske/skrivene file-ove/foldere, ako je potrebno
Resetovati System Restore



Nakon ovoga više ne bi trebalo biti tih detekcija.