Trojan downloader agent - kako da ga uklonim?

Aj sad lepo, iz pocetka...

- Isključiti System Restore (System Properties > System restore > štiklirati Turn off System Restore on all drives )
- Isprazniti Recycle Bin
- Obrisati sadržaj foldera C:\Windows\Temp
- Isprazniti Temporary Internet Files

Onda sva ostala prica...

Mozda da pokusas sa spybot s&d scan iz safe mod-a.

---

ma sve sam to vec radio nego evo ga combofix log



ComboFix 08-10-09.06 - home 2008-10-10 10:12:29.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.640 [GMT 2:00]
Running from: C:\Documents and Settings\home\Desktop\ComboFix.exe
* Created a new restore point

[COLOR=RED][B]WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !![/B][/COLOR]
.

((((((((((((((((((((((((( Files Created from 2008-09-10 to 2008-10-10 )))))))))))))))))))))))))))))))
.

2008-10-09 21:24 . 2008-10-09 21:25 <DIR> d-------- C:\Program Files\Trend Micro
2008-10-09 08:42 . 2008-10-09 14:46 250 --a------ C:\WINDOWS\gmer.ini
2008-10-08 20:23 . 2008-10-08 20:23 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Malwarebytes
2008-10-08 18:28 . 2008-10-08 18:28 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-10-08 18:28 . 2008-09-10 00:04 38,528 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-10-08 18:28 . 2008-09-10 00:03 17,200 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-10-08 12:29 . 2008-10-09 11:54 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-10-04 21:18 . 2008-10-04 21:26 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\PrevxCSI
2008-10-03 10:06 . 2008-10-03 10:06 <DIR> d-------- C:\WINDOWS\Logs
2008-10-03 08:59 . 2008-10-03 08:59 <DIR> d-------- C:\Program Files\KONAMI
2008-10-02 18:07 . 2008-10-02 18:07 <DIR> d-------- C:\Documents and Settings\home\Application Data\Malwarebytes
2008-10-02 18:07 . 2008-10-02 18:07 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-09-27 14:25 . 2008-10-10 09:49 24,414 ---hs---- C:\WINDOWS\system32\disk.ico
2008-09-23 22:09 . 2008-10-01 15:01 <DIR> d-------- C:\Program Files\DC++
2008-09-18 18:32 . 2008-09-18 18:32 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Trymedia

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-10-09 16:01 68,768 ----a-w C:\WINDOWS\system32\mmsystem.dll
2008-10-04 19:27 --------- d-----w C:\Program Files\GameHouse Games Collection
2008-10-04 16:53 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-09-27 12:37 --------- d-----w C:\Documents and Settings\home\Application Data\Winamp
2008-09-23 20:55 --------- d-----w C:\Program Files\LimeWire
2008-09-20 21:38 --------- d-----w C:\Documents and Settings\home\Application Data\Wildfire
2008-09-01 21:30 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-08-18 20:30 --------- d-----w C:\Documents and Settings\home\Application Data\Mount&Blade
2008-08-17 14:21 --------- d-----w C:\Program Files\Pro Evolution Soccer 2008
2008-08-16 18:55 --------- d-----w C:\Program Files\Samsung
2008-08-16 18:30 --------- d-----w C:\Program Files\Analog Devices
2008-07-31 08:41 68,616 ----a-w C:\WINDOWS\system32\XAPOFX1_1.dll
2008-07-31 08:41 238,088 ----a-w C:\WINDOWS\system32\xactengine3_2.dll
2008-07-31 08:40 509,448 ----a-w C:\WINDOWS\system32\XAudio2_2.dll
2008-07-18 20:10 94,920 ----a-w C:\WINDOWS\system32\cdm.dll
2008-07-18 20:10 53,448 ----a-w C:\WINDOWS\system32\wuauclt.exe
2008-07-18 20:10 45,768 ----a-w C:\WINDOWS\system32\wups2.dll
2008-07-18 20:10 36,552 ----a-w C:\WINDOWS\system32\wups.dll
2008-07-18 20:09 563,912 ----a-w C:\WINDOWS\system32\wuapi.dll
2008-07-18 20:09 325,832 ----a-w C:\WINDOWS\system32\wucltui.dll
2008-07-18 20:09 205,000 ----a-w C:\WINDOWS\system32\wuweb.dll
2008-07-18 20:09 1,811,656 ----a-w C:\WINDOWS\system32\wuaueng.dll
2008-07-12 06:18 467,984 ----a-w C:\WINDOWS\system32\d3dx10_39.dll
2008-07-12 06:18 3,851,784 ----a-w C:\WINDOWS\system32\D3DX9_39.dll
2008-07-12 06:18 1,493,528 ----a-w C:\WINDOWS\system32\D3DCompiler_39.dll
2007-06-26 15:18 32 ----a-r C:\Documents and Settings\All Users\hash.dat
2005-09-27 12:28 163,840 --sh--w C:\WINDOWS\system32\notepod.exe
2005-10-10 07:49 163,840 --sh--w C:\WINDOWS\system32\rsvp.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"OM_Monitor"="C:\Program Files\OLYMPUS\OLYMPUS Master\Monitor.exe" [2005-11-29 57344]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-18 68856]
"DAEMON Tools"="C:\Program Files\DAEMON Tools\daemon.exe" [2007-04-04 165784]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2008-04-14 1695232]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="C:\Program Files\Analog Devices\Core\smax4pnp.exe" [2005-05-20 925696]
"ATICCC"="C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" [2005-08-06 61440]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 155648]
"nod32kui"="C:\Program Files\Eset\nod32kui.exe" [2004-09-05 847872]
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2003-11-30 32768]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-08-07 282624]
"Device Detector"="C:\Program Files\Common Files\ACD Systems\EN\DevDetect.exe" [2003-09-17 212992]
"OM_Monitor"="C:\Program Files\OLYMPUS\OLYMPUS Master\FirstStart.exe" [2005-11-29 40960]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"WinampAgent"="C:\Program Files\Winamp\winampa.exe" [2008-07-09 36352]
"flockbox"="C:\Program Files\My Lockbox\flockbox.exe" [2007-12-14 1071472]
"High Definition Audio Property Page Shortcut"="HDAShCut.exe" [2004-10-27 C:\WINDOWS\system32\HdAShCut.exe]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
ATI CATALYST System Tray.lnk - C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe [2005-08-06 61440]
Media Key.lnk - C:\Program Files\Media Key\MagicKey.exe [2006-08-07 159744]
Microsoft Office OneNote 2003 Quick Launch.lnk - C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE [2007-04-19 64864]
Remote Control.lnk - C:\Program Files\KWorld Multimedia\PVR-TV 7131 Utilities\P3XRCtl.exe [2006-08-07 57344]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.MJPG"= pvmjpg21.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\DC++\\DCPlusPlus.exe"=
"C:\\Program Files\\EA GAMES\\Battlefield 2\\BF2.exe"=
"C:\\Program Files\\EA GAMES\\Battlefield 2\\Bf2_w32ded.exe"=
"C:\\Program Files\\valve\\hl.exe"=
"C:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"C:\\Program Files\\Pro Evolution Soccer 2008\\PES2008.exe"=
"C:\\Program Files\\valve\\hltv.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=

R0 MPRIFL;MPRIFL;C:\WINDOWS\system32\DRIVERS\MPRIFL.SYS [2007-12-13 17264]
R1 kbfilter;Keyboard Filter Driver;C:\WINDOWS\system32\drivers\kbfilter.sys [2002-07-11 12856]
R1 UsbFltr;WayTechUSBFilterDriver;C:\WINDOWS\system32\drivers\UsbFltr.sys [2003-12-29 8576]
R3 Cap713x;Philips Cap713x Video Capture;C:\WINDOWS\system32\DRIVERS\Cap713x.sys [2005-05-04 686080]
S3 ss_bus;SAMSUNG Mobile USB Device 1.0 driver (WDM);C:\WINDOWS\system32\DRIVERS\ss_bus.sys [2005-08-30 58320]
S3 ss_mdfl;SAMSUNG Mobile USB Modem 1.0 Filter;C:\WINDOWS\system32\DRIVERS\ss_mdfl.sys [2005-08-30 8304]
S3 ss_mdm;SAMSUNG Mobile USB Modem 1.0 Drivers;C:\WINDOWS\system32\DRIVERS\ss_mdm.sys [2005-08-30 94000]
S3 SUSCOM;Susteen Serial port driver;C:\WINDOWS\system32\DRIVERS\SUSCOM.SYS [2002-10-22 40448]
S3 usnjsvc;Messenger Sharing Folders USN Journal Reader service;C:\Program Files\Windows Live\Messenger\usnsvc.exe [2007-10-18 98328]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{abeb5c28-f79a-11dc-91b8-000e5c3a2bcd}]
\Shell\Auto\command - G:\UFO.exe
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL UFO.exe
.
.
------- Supplementary Scan -------
.
FireFox -: Profile - C:\Documents and Settings\home\Application Data\Mozilla\Firefox\Profiles\sv7f5quf.default\
FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://www.yahoo.com/
FF -: plugin - C:\Program Files\Adobe\Acrobat 7.0\Reader\browser\nppdf32.dll
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-10-10 10:24:31
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\lsass.exe
-> C:\WINDOWS\system32\imon.dll
.
Completion time: 2008-10-10 10:27:40
ComboFix-quarantined-files.txt 2008-10-10 08:27:24

Pre-Run: 79.733.923.840 bytes free
Post-Run: 79,720,222,720 bytes free

139 --- E O F --- 2008-09-10 10:04:51

Ok prekopiraj ovo u notepad i snimi ga kao CFScript na desktop



prevuci ga levim klikom u Combofix
kad zavrsi proces klikni na start\ run , ukucaj Combofix /u pa ok. Sacekaj da se deinstalira combofix (on ce automatski i da resetuje system restore)

jos jedno pitanje ,a ovaj rsvp.exe sto prijavljuje s njim?

To je neki proces za audio i video streaming, nije toliko bitan ali ne mora da se uklanja nije parazit. Da li imas sad nekih problema, e da zaboravih, ne bi bilo lose da deinstaliras tu Javu i da instaliras novu verziju. skini Program JavaRa odavde http://sourceforge.net/project...JavaRa.zip&use_mirror=osdn
klikni na Remove older versions, kad izbaci log onda klikni na Search for updates, pa odaberi donju opciju i klikni na Search. To ce te odvesti na sajt sa koga ces skinuti najnoviju Javu.
Skini Wise registry cleaner i Wise disc cleaner, oba programcica su free i sredi malo registry i disk, bolje ce da ti radi komp.

problen resen,combofix je ocigledno odradio posao,posto vise nema tih fajlova pri startu i otvaranju notepada i nod kaze da je sve cisto ,hvala ti puno ,i ostalima sto su se potrudili da pomognu, JAVU sam cini mi se skoro apdejtovo ali nisam siguran, uradicu to u svakom slucaju, verovatno cu promeniti i AV.

hvala jos jednom

Rekoh ja, Combofix je zakon..
Mada je Kristi odradio lavovski deo posla...

---

Jeste, zakon je, on je automatski pocistio one druge fajlove, ali je ostao samo notepod.exe, koji se nije video u HJT logu, tako da sam znao da ce CF ili da ga pocisti odmah, ili ce da ga razotkrije da bi mogli da ga uklonimo

Ja sam ga izgleda isto zakacio jel imas kakvo resenje?


Uocio sam samo haozs0.dll i kao sto vidim nan netu to je neki rootkit ili tako nekako, ajde ako si resio pomagaj.....?

otvori novu temu i okaci HjT log ;)

Skini HiJackThis program:


Stavi ga u zaseban Folder na Desktop
Promeni naziv Foldera u ES2 i Programa u ES2.exe

* Pokreni HijackThis
* Izaberi opciju "Do a system scan and save the logfile"
* Na kraju skeniranja program ce izbaciti tekstualni log.
* taj log kopiraj ovde ( opcije copy / paste)

---

A zašto je bitno da system restore bude isključen?

Suočavam se sa jednim problemom (virusom). Naime na svakoj particiji ili bilo kom nosaču memorije (USB flash ili MP3 player) mi se nakon što ih ubacim (za USB i MP3) dobijem skrivene foldere RECYCLER i System Volume Information. Nakon što ih skeniram Avast mi nadje virus. Obrišem i foldere i viruse sa svih particija i svih mem uređaja i opet mi se stvore!

Ne znam da li je ovaj sledeći problem uzrokovan ovim gore ali dešava mi se i sledeće. Dakle radim normalno i odjednom mi se isključi svchost.exe proces i pojavi prozor od visual studija 2008 koji nudi debug i close opcije. Sve dok ne kliknem na close internet i muzika mi rade. Ako kliknem na close, linija ova dole gde je start dugme izgubi na kratko skin XP i dobije onaj obični i kao da se restartuje proces explorer.exe. Nakon toga ne mogu na internet (dial up je u pitanju) niti mogu da pustim muziku jer mi prijavljuje da nema drajvere. Šta da radim?

Imam još jedan problem. U firmi u kojoj sam na nekoj kao praksi ima 15-tak računara i stalno mi se javljaju isti virusi koje pronalazi avast a nalazi ih negde u documents and settings/system information/xcxswrz.jpg OVAKO NEŠTO SLIČNO. I često po neki računar ne može da se isključi već stane zamrzne se, a ne može ni da se uključi jer ima neki virus koga mogu da obrišem tek kroz safe mode i sa avastom. Ali avast ih stalno briše i oni se nakon nekog vremena opet pojavljuju isti ti virusi.

Lepo su ti objasnili i kristi i magna, znaci sistem restore moras da iskljucis jer odatle program vraca sve sto mu fali...znaci postupi po naredjenju i odradi kao sto su ti momci rekli.... a nakon toga ako mozes da azuriras antivirus (sto kod mene nije bio slucaj , procitaj zasebno temu '...nesto jeste a ne znam sta je') uradi full scan i sve ce biti gotovo (pored obrisanih izvrsnih fajlova obrisace i biblioteke *.dll naravno one koje virus koristi, pa ces restartovati racunar verovatno da bi on ponovo skenirao pre podizanja samog Windowsa (ja sam koristio NAV 2009) i u najboljem slucaju ce ti napisati sta je u registru promenjeno e to ces morati rucno da menjas (tipa kod mene je promenio folder settings na hiden i nisam mogao da ga kroz windows vratim) ). I jos nesto obavezno stavi poslednje zakrpe za windows!!!!

Eh da ovo sam zaboravio da napomenem: skini Tweak Ui Powertoy (microsoftov alat) gde ces da skines Autorun opcije (jer tako se najvise zarazis) sa svih uredjaja cak i sa HD-ova.