prokleti trojanci

[vrsac22]

I opet ista stvar, vratili su se posle ciscenja sa ComboFixom i skemiranjem sa Malwarebytes' Anti-Malware, koji je uradio posao kako treba. Sta sam pogresila? Podigla sam i firewall.
evo loga:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:38:31 PM, on 3/11/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\PrtScr\PrtScr.exe
C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\WINDOWS\ALCFDRTM.EXE
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroDist.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.0.926.3450\swg.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_219B3E1547538286.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [PrtScr by FireStarter] C:\Program Files\PrtScr\PrtScr.exe /Tray
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail.com/mail/w3/resources/MSNPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/mic...ls/en/x86/client/wuweb_site.cab?1193944036421
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/mic...ls/en/x86/client/muweb_site.cab?1193943987093
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 8137 bytes

Ista sad da radim zna li iko ili reinstal.
A kako dodjavola spreciti da se ponovi?

 

[vrsac22]

A da skinula sam ponovo ComboFix i on nece da se pokrene, kao prosli put. Molim da mi ga, ako moze ko, posalje na mail: [email protected] i lekice za ovo ako vredi da opet pokusam.

 

[__zevs__]

?
Gde je u ovom logu trojanac?
Sta se desava? Mozda samo da iskljucis Messenger service
http://www.microsoft.com/windowsxp/using/security/learnmore/stopspam.mspx

 

[vrsac22]

Iskljucen je odavno

 

[vrsac22]

Inace ovaj je bio
File C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\_UACrbnyihfh_.sys.zip is infected with trojan Win32/Olmarik.FT. The file can be deleted. It is strongly recommended that you back up any crucial data before you proceed.
Aizgleda daje i sad.
Procitaj moj predhodni post

 

[__zevs__]

Za pocetak promeni antivirus, taj nod je busan ko sito
Probaj da skeniras avirom, besplatna je, mozda uspe nesto da uradi
http://www.free-av.com/en/download/index.html

 

[-Marko-]

Jos jedan glas da nod ode.Najbolje bi bilo da odradis cistu instalaciju sistema.Uzmi neki antivirus koji moze da se pokrene sa diska,iskljuci system restore,precesljaj hard sa spybot-om ili malware antibytes,podigni novi sistem,instaliraj antivirus(avira,jos jedan glas),instaliraj firewall(comodo,moja preporuka),i opet neki anti malware i to je to..

Poz

 

[Preoccupation]

Sada je vreme za reinstall sistema. Pa lepo instaliraj Operu/Firefox i NOD32/Kaspersky i vodi računa koje sajtove posećuješ. Onda neće biti problema.

P.S. Pitanje je da li su i koji .exe fajlovi oštećeni. Zato je reinstall odlična stvar.

 

[drapin]

Odlican thread o vrlo slicnom ili gotovo identicnom porblemu (infekcija Olmarik-om...koji je ince backdoor a ne trojanac BTW) :

http://www.bleepingcomputer.com/forums/index.php?showtopic=199953&st=0&p=1131805&#entry1131805

Narocito obrati paznju na postove #2 (diagnostika i ciscenje), #10 (naknadna kontrola) i #12 (saveti da se infekcija ne ponovi).

U sustini, i pored toga da je ovaj backdoor moguce ocistiti, kao sto i oni tamo kazu, format particije i reinstalacija sistema je vise nego preporucljiva - sistem koji je bio zarazen ovim nikada vise nije stabilan i siguran.

 

[spock1]

File C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\_U ACrbnyihfh_.sys.zip is infected with trojan Win32/Olmarik.FT.

Ovaj fajl se nalazi u Quarantine Combofixa. Da li si ti uopste uninstalirala Combofix, posto si koristila taj program.

http://www.benchmark.rs/forum/showthread.php?t=192624

c:\windows\2.exe
[B]c:\windows\system32\drivers\UACrbnyihfh.sys[/B]
c:\windows\system32\UACedhmxltb.dll
c:\windows\system32\UACesrubqho.dat
c:\windows\system32\uacinit.dll
c:\windows\system32\UACkibsiuwj.dll
c:\windows\system32\UACoympchxx.log
c:\windows\system32\UACpxevsbse.dll
c:\windows\system32\UACqowrrjol.log
c:\windows\system32\UACtpcuexqg.log
c:\windows\system32\UACuswvmwtd.dll
c:\windows\system32\UACweaxwpxv.db
c:\windows\system32\UACxhinaeml.dll
c:\windows\ynh.dx

Kao sto mozes videti ovo je tvoj log a to je fajl koji je obrisan, izmedju ostalih.

Klikni start\ run i kucaj 123.exe /u i lupi enter.

 

[vrsac22]

Sad sam sve uradila kako treba, Prosli put nisam deinstalirala CFix, Da li je zato nastao problem?

 

[vrsac22]

OK

Kada si mi dao uputstvo za deinstalaciju ComboFix-a, nisam mogla da ga skinem iz prostog razloga sto sam previdela jedan razmak u komandnoj liniji. He... ga, prvi put to radim. I bila sam u zescoj panici. Sad je sve Ok. Kako to da je ova gamad usla na komp i pored NOD-a i svih ostalih zastita koje imam. Da li sad mogu da racunam na to da sam ih definitivno uklonila?

 

[spock1]

Trebalo bi da je sve u redu, posto u HJT logu nema nista sporno, mada nije to neka garancija. U svakom slucaju prati pa ako primetis nesto javi.

 

[vrsac22]

sad sam na poslu. Provericu kad stignem kuci. I hvala mnogo.

 

[vrsac22]

Sad je sve u redu.