Navigacija
Lista poslednjih: 16, 32, 64, 128 poruka.

Virus, prilazem i HijackThis

[es] :: Zaštita :: Virus, prilazem i HijackThis

[ Pregleda: 1657 | Odgovora: 6 ] > FB > Twit

Postavi temu Odgovori

Autor

Pretraga teme: Traži
Markiranje Štampanje RSS

Fitiljce

Član broj: 147121
Poruke: 87
*.my-trion.net.



+1 Profil

icon Virus, prilazem i HijackThis23.09.2009. u 02:53 - pre 176 meseci
Ovo je neki virus koji mi s vremena na vrijeme sam otvori novi tab i neku porno stranicu.
Probala sam HijackThis analizirati preko interneta ali meni tu nista ne pokazuje da nije dobro. Ili se ja ipak nikako ne razumijem u to. :D
Skenirala sam sa Nod32 koji je pronasao neki virus ali izgleda da to nije taj.
Nadam se da ce mi neko pomoci.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:21:04, on 23.9.2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0013)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\Program Files\Eset\nod32krn.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Eset\nod32kui.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIABE.EXE
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Skype\Plugin Manager\SkypePM.exe
C:\Program Files\Eset\nod32.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :
R3 - Default URLSearchHook is missing
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: Search Helper - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SearchHelper.dll
O2 - BHO: Windows Live pomagac za prijavljivanje - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.2.4204.1700\swg.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_B7C5AC242193BB3E.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: Windows Live Toolbar Helper - {E15A8DC0-8516-42A1-81EA-DC94EC1ACF10} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O3 - Toolbar: &Windows Live Toolbar - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [EPSON Stylus D88 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIABE.EXE /P23 "EPSON Stylus D88 Series" /O5 "LPT1:" /M "Stylus D88"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O4 - HKCU\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
O4 - HKCU\..\Run: [Adobe Reader Speed Launcher] C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Objavi ovo u blogu - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Objavi ovo u blogu u okviru usluge Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 7314 bytes
 
Odgovor na temu

Dashkes

Član broj: 90973
Poruke: 845



+27 Profil

icon Re: Virus, prilazem i HijackThis23.09.2009. u 07:49 - pre 176 meseci
Ako moze log RootRepeal-a
1. Skinite sa http://rootrepeal.googlepages.com/RootRepeal.rar
2. Odradite sve kao na slici prateci postupke po broju
 
Odgovor na temu

Fitiljce

Član broj: 147121
Poruke: 87
*.my-trion.net.



+1 Profil

icon Re: Virus, prilazem i HijackThis23.09.2009. u 12:47 - pre 176 meseci
Hvala Dashkes. :) Uradicu i to.

Nego Nod mi je sada pronasao i ovo C:\System Volume Information\_restore{DCA7DF3A-F010-45F1-A76D-5679BA0F35D0}\RP517\A0209913.exe - Win32/Peerfrag.DW worm
Za ovih sat vremena koliko sam na netu jos mi nije otvarao te stranice, pa cemo vidjeti kako ce biti u narednom periodu.

Evo ga i RootRepeal

ROOTREPEAL (c) AD, 2007-2009
==================================================
Scan Start Time: 2009/09/23 13:55
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP2
==================================================

Drivers
-------------------
Name: mchInjDrv.sys
Image Path: C:\WINDOWS\system32\Drivers\mchInjDrv.sys
Address: 0xF8C53000 Size: 2560 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xF3686000 Size: 49152 File Visible: No Signed: -
Status: -

Name: srescan.sys
Image Path: srescan.sys
Address: 0xF8340000 Size: 81920 File Visible: No Signed: -
Status: -

SSDT
-------------------
#: 041 Function Name: NtCreateKey
Status: Hooked by "PCTCore.sys" at address 0xf843d514

#: 047 Function Name: NtCreateProcess
Status: Hooked by "PCTCore.sys" at address 0xf842c282

#: 048 Function Name: NtCreateProcessEx
Status: Hooked by "PCTCore.sys" at address 0xf842c474

#: 063 Function Name: NtDeleteKey
Status: Hooked by "PCTCore.sys" at address 0xf843dd00

#: 065 Function Name: NtDeleteValueKey
Status: Hooked by "PCTCore.sys" at address 0xf843dfb8

#: 119 Function Name: NtOpenKey
Status: Hooked by "PCTCore.sys" at address 0xf843c3fa

#: 192 Function Name: NtRenameKey
Status: Hooked by "PCTCore.sys" at address 0xf843e422

#: 247 Function Name: NtSetValueKey
Status: Hooked by "PCTCore.sys" at address 0xf843d7d8

#: 257 Function Name: NtTerminateProcess
Status: Hooked by "PCTCore.sys" at address 0xf842bf32

==EOF==

[Ovu poruku je menjao Fitiljce dana 23.09.2009. u 14:14 GMT+1]
 
Odgovor na temu

magna86
Anti Malware Fighter

Član broj: 189287
Poruke: 557

Sajt: www.mycity.rs/Ambulanta


+16 Profil

icon Re: Virus, prilazem i HijackThis23.09.2009. u 22:49 - pre 176 meseci
Skini Gmer saovog linka na Desktop

http://www2.gmer.net/download.php

pokreni Gmer,sacekaj da se zavrsi uvodno skeniranje (ako se pojavi nekakva poruka idi na No)
idi na Scan i sacekaj da skeniranje bude zavrseno...klikni Save ...sacuvaj to kao GmerLog1

Klikni desnim tasterom na prozor programa Gmer i odaberi Options >> Only non MS files i klikni Scan
..napravice se novi log...taj log sacuvaj kao GmerLog2

Klikni taster >>> i izaberi Autostart karticu.
po zavrsetku skeniranja izaberi Copy,otvori novi notepad,izaberi Paste i taj log sacuvaj kao GmerLog3.


prikaci sva ta tri loga uz poruku kao attachment
 
Odgovor na temu

Dashkes

Član broj: 90973
Poruke: 845



+27 Profil

icon Re: Virus, prilazem i HijackThis23.09.2009. u 23:18 - pre 176 meseci
Ako mozete fajl
C:\WINDOWS\system32\Drivers\mchInjDrv.sys
da zapakujete u ".rar"/".zip" sa password-om "virus", upload-ujete na Rapidshare i posaljete mi link preko PP.
Rekao bih da je rootkit. U RootRepeal-u (Tools > Wipe, Copy and Delete > C:\WINDOWS\system32\Drivers\mchInjDrv.sys) ga iskopirajte na Desktop.
Ako ste sigurni da je rootkit, izbrisite ga uz pomoc opcije Delete.
 
Odgovor na temu

Fitiljce

Član broj: 147121
Poruke: 87
*.my-trion.net.



+1 Profil

icon Re: Virus, prilazem i HijackThis24.09.2009. u 12:41 - pre 176 meseci
Prije nego sto uradim nesto od ovoga molim vas da pogledate i ovo. Svaki put kada skeniram sa Malware pojavi mi se ovaj Trojan.Agent za koji pise da je uspjesno obrisan ali sa svakim novim skeniranjem on je ponovo tu.

http://img8.imageshack.us/i/malware1.jpg/
 
Odgovor na temu

Dashkes

Član broj: 90973
Poruke: 845



+27 Profil

icon Re: Virus, prilazem i HijackThis24.09.2009. u 20:11 - pre 176 meseci
Ako mozete da mi posaljete C:\WINDOWS\system32\Drivers\mchInjDrv.sys pa cemo videti sta dalje da se radi. :)
 
Odgovor na temu

[es] :: Zaštita :: Virus, prilazem i HijackThis

[ Pregleda: 1657 | Odgovora: 6 ] > FB > Twit

Postavi temu Odgovori

Navigacija
Lista poslednjih: 16, 32, 64, 128 poruka.