Neka vrsta virusa valjda jeste, ali gadnog

will be deleted when the computer is restarted: Trojan program Trojan.Win32.Agent.amp File: F:\autorun.inf
deleted: Trojan program Backdoor.Win32.PcClient.aai File: F:\RECYCLER\RECYCLER\autorun.exe

Ovo kaze izvjestaj kaspersyja kojim sam sve do sad bio zadovoljan, ipak pronasao se nerjesiv problem i za njega

ov dva fajla kaspersy mi uzaludno pronalazi jer se oni neprekidno obnavljaju. Ne znam sta su ali sam skapirao da se nalaze samo na MP3 i jednom MSticku. Kad sam slucajno pogledao iz Nera Burninga G: uvidio sam da imam ovaj neki autorun.inf fajl koji kao da pulsira jer se obnavlja svakih 5 sekundi sam od sebe i tako u nedogled, to je i razlog zbog kojeg ga kaspersky stalno iznova nalazi
e sad, ima li rijeshenja ovom problemu jer mi prouzrokuje ometano funkcionisanje sticka (prespor download, jos sporiji upload, cesto nece da se ni da se otvore, ako odradim desni klik i open zauzvrat dobijem jedna puls ekrana i kao da nisam dao nikakvu komandu)

pozdrav

Za pocetak skini HiJackThis!, proskeniraj komp sa njim, i okaci HiJackThis! log ovde.

Logfile of HijackThis v1.99.1
Scan saved at 18.10.12, on 22/10/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programmi\File comuni\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
c:\Programmi\WIDCOMM\Software Bluetooth\bin\btwdins.exe
C:\Programmi\Diskeeper Corporation\Diskeeper\DkService.exe
C:\Programmi\File comuni\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Programmi\Java\jre1.5.0_02\bin\jusched.exe
C:\Programmi\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
C:\Programmi\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Programmi\Hp\HP Software Update\HPWuSchd2.exe
C:\hp\drivers\hplsbwatcher\lsburnwatcher.exe
C:\Programmi\File comuni\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\KOfcpfwSvcs.exe
C:\Programmi\01 Programi\unlocker\UnlockerAssistant.exe
C:\Programmi\QuickTime\QTTask.exe
C:\Programmi\iTunes\iTunesHelper.exe
C:\Programmi\Winamp\winampa.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programmi\Microsoft Encarta\Microsoft Encarta Enciclopedia DVD - 2006\EDICT.EXE
C:\Programmi\Skype\Phone\Skype.exe
C:\Programmi\Skype\Plugin Manager\skypePM.exe
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\Programmi\HPQ\SHARED\HPQWMI.exe
C:\Programmi\iPod\bin\iPodService.exe
C:\Programmi\Siemens ISDN Utilities\calltray.exe
C:\Programmi\01 Programi\exploreri\opera\Opera.exe
C:\Programmi\Winamp\winamp.exe
C:\Programmi\MSN Messenger\msnmsgr.exe
C:\Programmi\Netscape\Navigator 9\navigator.exe
C:\Documents and Settings\gogash085\Desktop\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.ninemsn.com.au/0SEENAU/SAOS01?FORM=TOOLBR
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.hp.com/svs/...&bd=pavilion&pf=laptop
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 192.168.1.1:3128
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
O1 - Hosts: 127.255.255.255 www.getright.com
O1 - Hosts: 127.255.255.255 pro.getright.com
O1 - Hosts: 127.255.255.255 www.headlightinc.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: CvgraphObj Object - {12355F3E-90C3-41AA-8705-15969AF7F210} - C:\WINDOWS\vgraph.dll (file missing)
O2 - BHO: Winamp Toolbar BHO - {25CEE8EC-5730-41bc-8B58-22DDC8AB8C20} - C:\Programmi\Winamp Toolbar\winamptb.dll
O2 - BHO: Need2Find Bar BHO - {4D1C4E81-A32A-416b-BCDB-33B3EF3617D3} - C:\Programmi\Need2Find\bar\1.bin\ND2FNBAR.DLL (file missing)
O2 - BHO: WSR_IEplug - {4E9CAE1A-545D-48EA-8EEF-4D1DB6695AD3} - C:\Programmi\Sytexis Software\Web Stream Recorder\wsr_ieplug.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Programmi\File comuni\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Encarta Web Companion Oggetto helper - {955BE0B8-BC85-4CAF-856E-8E0D8B610560} - C:\Programmi\File comuni\Microsoft Shared\Encarta Web Companion\ENCWCBAR.DLL
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Programmi\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Encarta Web Companion - {147D6308-0614-4112-89B1-31402F9B82C4} - C:\Programmi\File comuni\Microsoft Shared\Encarta Web Companion\ENCWCBAR.DLL
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Programmi\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Winamp Toolbar - {EBF2BA02-9094-4c5a-858B-BB198F3D8DE2} - C:\Programmi\Winamp Toolbar\winamptb.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Programmi\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Programmi\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Programmi\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Programmi\Hp\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [Cpqset] C:\Programmi\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [LSBWatcher] c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe
O4 - HKLM\..\Run: [eabconfg.cpl] C:\Programmi\HPQ\Quick Launch Buttons\EabServr.exe /Start
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\FILECO~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Programmi\File comuni\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [TkBellExe] "C:\Programmi\File comuni\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [AVP] "C:\Programmi\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe"
O4 - HKLM\..\Run: [IMJPMIG8.2] msime82.exe
O4 - HKLM\..\Run: [KOfcpfwSvcs.exe] C:\WINDOWS\system32\KOfcpfwSvcs.exe
O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Programmi\01 Programi\unlocker\UnlockerAssistant.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programmi\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Programmi\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [WinampAgent] C:\Programmi\Winamp\winampa.exe
O4 - HKLM\..\Run: [DiskeeperSystray] "C:\Programmi\Diskeeper Corporation\Diskeeper\DkIcon.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Active Desktop Calendar] C:\Programmi\XemiComputers\Active Desktop Calendar\ADC.exe
O4 - HKCU\..\Run: [E06IXLRD_40345750] "C:\Programmi\Microsoft Encarta\Microsoft Encarta Enciclopedia DVD - 2006\EDICT.EXE" -m
O4 - HKCU\..\Run: [MsServer] msfun80.exe
O4 - HKCU\..\Run: [Skype] "C:\Programmi\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [VoipStunt] "C:\Programmi\VoipStunt.com\VoipStunt\VoipStunt.exe" -nosplash -minimized
O4 - Startup: Adobe Gamma.lnk = C:\Programmi\File comuni\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Avvio veloce di Adobe Acrobat.lnk = ?
O4 - Global Startup: BTTray.lnk = ?
O4 - Global Startup: CAPI Monitor.lnk = C:\Programmi\Siemens ISDN Utilities\calltray.exe
O8 - Extra context menu item: &Search - http://kn.bar.need2find.com/KN/menusearch.html?p=KN
O8 - Extra context menu item: &Winamp Toolbar Search - C:\Documents and Settings\All Users\Dati applicazioni\Winamp Toolbar\ieToolbar\resources\en-US\local\search.html
O8 - Extra context menu item: Converti destinazione link in Adobe PDF - res://C:\Programmi\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Converti destinazione link in file PDF esistente - res://C:\Programmi\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Converti i link selezionati in Adobe PDF - res://C:\Programmi\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Converti i link selezionati in file PDF esistente - res://C:\Programmi\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Converti in Adobe PDF - res://C:\Programmi\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Converti nel file PDF esistente - res://C:\Programmi\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Converti selezione in Adobe PDF - res://C:\Programmi\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Converti selezione in file PDF esistente - res://C:\Programmi\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Invia a &Bluetooth - c:\Programmi\WIDCOMM\Software Bluetooth\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Programmi\Kaspersky Lab\Kaspersky Internet Security 6.0\scieplugin.dll
O9 - Extra button: (no name) - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - C:\Programmi\File comuni\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe (file missing)
O9 - Extra button: Internet Cleaner - {45819E58-6E84-4A5D-BD65-A706981E5BE8} - C:\Programmi\Internet Cleaner\ICleaner.exe (HKCU)
O9 - Extra 'Tools' menuitem: Internet Cleaner - {45819E58-6E84-4A5D-BD65-A706981E5BE8} - C:\Programmi\Internet Cleaner\ICleaner.exe (HKCU)
O11 - Options group: [INTERNATIONAL] International*
O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=IT_IT&c=Q305&bd=pavilion&pf=laptop
O17 - HKLM\System\CCS\Services\Tcpip\..\{594CFC4B-D724-4093-A4BA-0B4DBEEC3D45}: NameServer = 192.168.1.1
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\FILECO~1\Skype\SKYPE4~1.DLL
O18 - Protocol: widimg - {EE7C2AFF-5742-44FF-BD0E-E521B0D3C3BA} - C:\WINDOWS\system32\btxppanel.dll
O18 - Filter: text/html - (no CLSID) - (no file)
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~2\GOEC62~1.DLL,,,C:\PROGRA~1\KASPER~1\KASPER~1.0\adialhk.dll
O20 - Winlogon Notify: klogon - C:\WINDOWS\system32\klogon.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Programmi\File comuni\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Programmi\File comuni\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Kaspersky Internet Security 6.0 (AVP) - Unknown owner - C:\Programmi\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe" -r (file missing)
O23 - Service: Bluetooth Service (btwdins) - WIDCOMM, Inc. - c:\Programmi\WIDCOMM\Software Bluetooth\bin\btwdins.exe
O23 - Service: Diskeeper - Diskeeper Corporation - C:\Programmi\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Programmi\File comuni\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Programmi\HPQ\SHARED\HPQWMI.exe
O23 - Service: InstallShield Licensing Service - Macrovision - C:\Programmi\File comuni\InstallShield Shared\Service\InstallShield Licensing Service.exe
O23 - Service: Servizio iPod (iPod Service) - Apple Inc. - C:\Programmi\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Unknown owner - C:\Programmi\File comuni\LightScribe\LSSrvc.exe

Stikliraj sledece i izbrisi pomocu Fix dugmeta:



Takodje ako imas USB flash memoriju zarazena je crvom W32/VB-CYG... Malo vise informacija o tom crvu ovde:

http://www.sophos.com/security/analyses/w32vbcyg.html

Klikni na Advanced da vidis sta treba da pobrises na flash-u...

Takodje ovo rucno obrisi:

odradio sam sve kako si mi savjetovao

medjutim u tasmng sam opet pronasao aktiviran KOfcpfwSvcs.exe ne znam sta je ali kapiram da je to los zank,
trenutno skidam sophos antivirus pa cu komp da procesljam i sa njim a onda ti javljam da li sam uspio ili ne

za sad se flash memorije i dalje na safety remove komandu ne odazivaju i moram da ih skidam nasilno (mada odradjujem hibernate pa onda skidanje)

svejedno ne znam da li da prijavim i ovo a mislim da je cudno pa ako povezes ok ako ne nema veze provali koliko je svchost.exe-ova aktivno

To je normalno za svchost.exe. I kod mene je aktivan jednak broj istih procesa kao na svakom drugom racunaru na kome je instaliran Windows XP.

Da bi totalno obrisao KOfcpfwSvcs.exe moras ga prvo ubiti u task manager-u, pa ga onda rucno otkloniti iz system 32 foldera. Zar ne? :)... a zaboravio sam da ti ukazem na to da i liniju C:\WINDOWS\system32\KOfcpfwSvcs.exe ubijes u HiJackThis! :) Moj previd.

Takodje ces trebati da editujes AUTORUN.INF u notepad-u i obrises sledece linije koje je upisao ovaj crv:


I ovaj crv poznatiji pod imenom WORM_VB.BUD takodje napada USB flash diskove :)






_{[Ovu poruku je menjao Binary Mind dana 23.10.2007. u 01:07 GMT+1]}

Ovdje se vracamo na poceta teme pa cak i na naslov (''gadan virus'') gdje ja objasnjavam kako se taj zarazeni autorun saoobnavlja svakih dvije tri sekunde! I u medjuvremenu dok ga ja otvorim u notepad-u i dok obrise pa sacuvam on se regenerisao jedno dva tri puta :))) shto ti doje kao da nisam uradio nishta, sto i jeste najveci problem, jer koliko god ja brisao, formatirao, skenirao ... taj fajl se neprekidno obnavlja i usporava rad memorija
imamo li jos koji savjet
p.s. - pokusao sam i sa sophosom ali nije ga obrisao, (a KofcpfwSvcs.exe se ne brise i dalje iako sam pokusao na oba nacina)
ako imas jos neki prijedlog ok, ako ne... shto da se radi. problem mi je veci shto shirim virus pozajmljujuci fleshkicu

Hajmo sad polako :) Udahni duboko. Pokreni HiJackThis! i proskeniraj i stikliraj vec poznatu vrednost ako je jos uvek tu:



...pa fix checked.

Posle toga odes u Task Manager. Ubij proces KOfcpfwSvcs.exe tako sto ces da ga izaberes i pritisnes End Task. Posle toga lepo odes u C:\Windows\system32 nadjes fajl KOfcpfwSvcs.exe i obrises ga rucno. Mora da moze jer sam to vec radio :)

Posle ovoga odes na start/search/all files and folders i upisi fajl: AUTORUN.INF

Kada ga nadjes i otvoris u notepadu isbrises sledece vrednosti:



Posle ovoga iskljuci System Restore (Desni klik na My Computer>properties>System Restore>Turn off System Restore on all drives) i restartuj racunar posle cega mozes ponovo ukljuciti system restore ako ti je potreban.


...

Skoro sam siguran da ces ako budes sledio ovaj redosled resiti problem. Hajde sad probaj.

Evo ti i opisa ovog crva na TrendMicro sajtu. Pogledaj Solution kako rucno da ga odstranis

http://www.trendmicro.com/vinf...VName=WORM_VB.BUD&VSect=Sn

Ima li napretka u ciscenju? :)

ja se izvinjavam na cekanju
Sve je rijesheno. Proshli put nisam slijedio redoslijed jer sam mislio da nije od vazhnosti! Uspio sam da ga otklonim
Obije zarazhene memorije funkcionishu kao nekad!
Josh jednom se zahvaljujem na savijetu i strpljenju

I meni je drago da si uspeo. A sad trk do ljudi koje si inficirao i nastavi sa ciscenjem