[ zsn @ 30.01.2008. 11:03 ] @
Recently, after logging on to WinXP, a Windows Firewall window pops up saying that Windows Explorer or one of its functions has been blocked, and asks whether to keep blocking it or allow it Internet access... Why is that, and is it the work of some trojan or similar?
Thanks in advance
[ Binary Mind @ 30.01.2008. 13:27 ] @
Strange. Unblock it and post a HijackThis! log. Search this forum for "HiJackThis!".
[ zsn @ 11.02.2008. 22:24 ] @
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 23:22:42, on 11.2.2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\PnkBstrB.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wnss.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\PROGRA~1\PHILIP~1\VProperty.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Program Files\Winamp\Winamp.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [ToUcamVProperty] C:\PROGRA~1\PHILIP~1\VProperty.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: PnkBstrB - Unknown owner - C:\WINDOWS\system32\PnkBstrB.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: Windows Network Security Service (wnss) - Unknown owner - C:\WINDOWS\system32\wnss.exe

--
End of file - 4326 bytes

Sorry I'm late,...
[ Danijel Krmar @ 11.02.2008. 23:24 ] @
C:\WINDOWS\system32\wnss.exe and
O23 - Service: Windows Network Security Service (wnss) - Unknown owner - C:\WINDOWS\system32\wnss.exe, looks like the trojan Backdoor.Win32.Agent.dvq. Check again with ComboFix and post the log.
And you can delete:
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
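The entries singled out in the reply above can be picked out mechanically. The script below is an added example, not the thread's or either tool's own code: it parses the HijackThis O23/O2 line formats and the ComboFix "Files Created" line format as they appear in the posted logs, and flags an unknown-vendor service running from system32, a BHO registration whose file is missing, and a newly created executable carrying hidden+system attributes (the sample lines are copied from this thread's logs).

```python
"""Triage helpers for the HijackThis and ComboFix log formats quoted in this thread.
Added example, not the thread's or either tool's code: flags an unknown-vendor
service in system32, a BHO with no file, and a new hidden+system executable."""
import re

# "O23 - Service: <display name> - <vendor> - <path>"
O23_RE = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+)$")
# "O2 - BHO: <name> - {CLSID} - <dll path or (no file)>"
O2_RE = re.compile(r"^O2 - BHO: (?P<name>.+?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.+)$")
# ComboFix "Files Created": "<date> <time> . <date> <time> <size or <DIR>> <9 attr chars> <path>"
CF_RE = re.compile(
    r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2} \. \d{4}-\d{2}-\d{2} \d{2}:\d{2}\s+"
    r"(?P<size>[\d,]+|<DIR>)\s+(?P<attrs>[-a-z]{9})\s+(?P<path>.+)$"
)

def triage_hijackthis(lines):
    """Return (line, reason) pairs for HijackThis entries worth a closer look."""
    findings = []
    for line in (raw.strip() for raw in lines):
        m = O23_RE.match(line)
        if m and m["owner"] == "Unknown owner" and "\\system32\\" in m["path"].lower():
            findings.append((line, "service with no vendor running from system32"))
            continue
        m = O2_RE.match(line)
        if m and m["path"] == "(no file)":
            findings.append((line, "BHO registration whose file is gone"))
    return findings

def triage_combofix(lines):
    """Return (path, reason) pairs for newly created executables that hide themselves."""
    findings = []
    for line in (raw.strip() for raw in lines):
        m = CF_RE.match(line)
        if m and m["size"] != "<DIR>" and m["path"].lower().endswith(".exe"):
            if "h" in m["attrs"] and "s" in m["attrs"]:  # hidden + system bits both set
                findings.append((m["path"], "new executable marked hidden+system"))
    return findings

# Sample lines copied from the logs posted in this thread.
SAMPLE_HJT = [
    r"O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)",
    r"O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe",
    r"O23 - Service: Windows Network Security Service (wnss) - Unknown owner - C:\WINDOWS\system32\wnss.exe",
]
SAMPLE_CF = [
    r"2008-02-11 21:10 . 2008-02-11 21:10 <DIR> d-------- C:\Program Files\Trend Micro",
    r"2008-01-20 15:39 . 2008-01-20 15:39 183,416 -r-hs---- C:\WINDOWS\system32\wnss.exe",
]
```

Entries it flags are candidates for a closer look, not verdicts: vendor-less services such as the PunkBuster ones in the same log are legitimate, so each hit still needs the file checked.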
[ zsn @ 12.02.2008. 10:32 ] @
ComboFix 08-02-12.1 - tino 2008-02-12 11:28:04.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1250.1.1033.18.571 [GMT 1:00]
Running from: C:\Documents and Settings\tino\Desktop\bafer1\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((( Files Created from 2008-01-12 to 2008-02-12 )))))))))))))))))))))))))))))))
.

2008-02-11 21:10 . 2008-02-11 21:10 <DIR> d-------- C:\Program Files\Trend Micro
2008-02-07 15:50 . 2008-02-07 15:50 <DIR> d-------- C:\Program Files\THQ
2008-02-07 15:49 . 2008-02-07 15:49 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Trymedia
2008-02-01 17:30 . 2008-02-01 17:30 <DIR> d-------- C:\Program Files\Real
2008-02-01 17:30 . 2008-02-01 17:30 <DIR> d-------- C:\Program Files\Common Files\xing shared
2008-02-01 17:30 . 2008-02-01 17:30 <DIR> d-------- C:\Program Files\Common Files\Real
2008-01-20 15:39 . 2008-01-20 15:39 183,416 -r-hs---- C:\WINDOWS\system32\wnss.exe
2008-01-19 14:33 . 2008-01-19 14:33 <DIR> d--h----- C:\WINDOWS\PIF
2008-01-13 17:22 . 2008-01-13 17:22 <DIR> d-------- C:\Documents and Settings\tino\Application Data\IrfanView

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-06 16:18 22,328 ----a-w C:\WINDOWS\system32\drivers\PnkBstrK.sys
2008-02-06 16:17 107,832 ----a-w C:\WINDOWS\system32\PnkBstrB.exe
2008-01-31 18:14 52,736 ----a-w C:\WINDOWS\ipuninst.exe
2008-01-20 22:16 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-01-20 18:06 --------- d-----w C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-01-20 18:05 12,632 ----a-w C:\WINDOWS\system32\lsdelete.exe
2008-01-17 18:56 --------- d-----w C:\Program Files\microsoft frontpage
2008-01-09 11:31 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-01-05 21:49 --------- d-----w C:\Documents and Settings\tino\Application Data\Dev-Cpp
2007-12-14 23:46 66,872 ----a-w C:\WINDOWS\system32\PnkBstrA.exe
2007-12-14 20:04 22,328 ----a-w C:\Documents and Settings\tino\Application Data\PnkBstrK.sys
2007-12-14 19:40 --------- d-----w C:\Program Files\Activision
2007-12-04 13:04 837,496 ----a-w C:\WINDOWS\system32\aswBoot.exe
2007-12-04 12:54 95,608 ----a-w C:\WINDOWS\system32\AVASTSS.scr
2007-11-12 17:47 262,884 ----a-w C:\WINDOWS\IPUI_DivXG400.exe
2007-11-12 14:19 558,142 ----a-w C:\WINDOWS\java\Packages\PBFBT33Z.ZIP
2007-11-12 14:19 155,995 ----a-w C:\WINDOWS\java\Packages\GPNPJ5B9.ZIP
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE" [2004-06-18 09:31 67584 C:\WINDOWS\SOUNDMAN.EXE]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-12-04 14:00 79224]
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2004-11-02 20:24 32768]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11 132496]
"ToUcamVProperty"="C:\PROGRA~1\PHILIP~1\VProperty.exe" [2003-04-02 14:56 131072]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2004-08-04 00:56 15360]
"Nokia.PCSync"="C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe" [2007-06-19 10:17 1241088]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2007-10-10 19:51 39792 C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools-1033]
--a------ 2004-08-22 17:05 81920 C:\Program Files\D-Tools\daemon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IncrediMail]
C:\Program Files\IncrediMail\bin\IncMail.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--------- 2004-10-13 17:24 1694208 C:\Program Files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2001-07-09 11:50 155648 C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCSuiteTrayApplication]
--a------ 2007-06-18 15:10 271360 C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\STManager]
--------- 2003-05-28 11:37 118784 C:\Program Files\SpeedTouch\Dr SpeedTouch\drst.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a------ 2008-02-01 17:30 185896 C:\Program Files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Console Norms]

R2 wnss;Windows Network Security Service;C:\WINDOWS\system32\wnss.exe [2008-01-20 15:39]
R3 usnjsvc;Messenger Sharing Folders USN Journal Reader service;"C:\Program Files\MSN Messenger\usnsvc.exe" [2007-01-19 12:54]
S3 camvid20;Philips ToUcam Camera; Video;C:\WINDOWS\system32\DRIVERS\camdrv21.sys []

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1a957912-bee6-11dc-afcc-0008541ab64e}]
\Shell\AutoOpen\command - .\MSOCache\90000804-6000-11D3-8CFE-0150048383C9\KB915865.exe
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL .\MSOCache\90000804-6000-11D3-8CFE-0150048383C9\KB915865.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{7a12d3d6-c91c-11dc-b00b-0008541ab64e}]
\Shell\AutoOpen\command - .\MSOCache\90000804-6000-11D3-8CFE-0150048383C9\KB915865.exe
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL .\MSOCache\90000804-6000-11D3-8CFE-0150048383C9\KB915865.exe

.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-12 11:29:17
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
ToUcamVProperty = C:\PROGRA~1\PHILIP~1\VProperty.exe??~?1?\?V?P?r?o?p?e?r?t?y?.?e?x?e???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-02-12 11:29:44
.
2007-12-02 01:06:22 --- E O F ---

ComboFix log...
[ Binary Mind @ 12.02.2008. 11:31 ] @
Download SDFix:

http://downloads.andymanchesta.com/RemovalTools/SDFix.exe

Once you've downloaded SDFix, run it with a double click and it will install itself to its default location, C:\SDFix... After that restart the computer, boot into Safe Mode and find C:\SDFix. Once in C:\SDFix, run RunThis.bat by double-clicking it and type Y to start scanning and cleaning the trojans. When that part of the cleaning finishes it will say "press any key to reboot", after which you press any key to restart the computer. When the computer restarts, before Windows loads, SDFix will continue cleaning until it finishes and notifies you, after which you press any key to enter Windows. Once in Windows, the SDFix report will appear, saved as Report.txt. Post the report here when you've finished all of this, and of course a new HiJackThis! log.
[ Binary Mind @ 13.02.2008. 01:07 ] @
How is it going with SDFix?