Backdoor.IRCBot

[rocknrolla]

Ne pomaze malwarebytes, ova gamad se sve vise i vise razmnozavaju...poslije svakog skeniranja broj im se udvostruci ! OS je XP sp3 !

evo logovi ako ko moze pomoci:


Memory Processes Infected:
c:\WINDOWS\aadrive32.exe (Backdoor.IRCBot) -> 940 -> Unloaded process successfully.

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\Run\Microsoft Driver Setup (Backdoor.IRCBot) -> Value: Microsoft Driver Setup -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\Policies\Explorer\Run\Microsoft Driver Setup (Backdoor.IRCBot) -> Value: Microsoft Driver Setup -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell (Worm.AutoRun) -> Value: Shell -> Delete on reboot.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\Curre ntVersion\Run\Tnaww (Worm.AutoRun.Gen) -> Value: Tnaww -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\Curre ntVersion\Run\12CFG214-K641-12SF-N85P (Trojan.SpyEyes) -> Value: 12CFG214-K641-12SF-N85P -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Taskman (Trojan.Agent) -> Value: Taskman -> Delete on reboot.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Taskman (Adware.Agent) -> Bad: (c:\RECYCLER\R-1-5-21-1482476501-1644491937-682003330-1013\acleaner.exe) Good: () -> Delete on reboot.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell (Hijack.Shell) -> Bad: (explorer.exe,C:\RECYCLER\S-1-5-21-0243556031-888888379-781863308-1413\syitm.exe) Good: (Explorer.exe) -> Quarantined and deleted successfully.

Folders Infected:
c:\RECYCLER\s-1-5-21-0243936033-3052116371-381863308-1811 (Trojan.Agent) -> Quarantined and deleted successfully.
c:\RECYCLER\s-1-5-21-0243556031-888888379-781863308-1413 (Worm.AutoRun) -> Quarantined and deleted successfully.
c:\RECYCLER\r-1-5-21-1482476501-1644491937-682003330-1013 (Worm.AutoRun.Gen) -> Delete on reboot.

Files Infected:
c:\RECYCLER\r-1-5-21-1482476501-1644491937-682003330-1013\acleaner.exe (Adware.Agent) -> Delete on reboot.
c:\documents and settings\administrator\application data\dbnonr.exe (Adware.Agent) -> Quarantined and deleted successfully.
c:\documents and settings\networkservice\local settings\temporary internet files\Content.IE5\61KVYZE1\d[1].exe (Adware.Agent) -> Quarantined and deleted successfully.
c:\documents and settings\networkservice\local settings\temporary internet files\Content.IE5\Q12NCPUP\d[1].exe (Adware.Agent) -> Quarantined and deleted successfully.
c:\documents and settings\networkservice\local settings\temporary internet files\Content.IE5\U9KFQRKD\d[1].exe (Adware.Agent) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\06.exe (Adware.Agent) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\22.exe (Adware.Agent) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\25.exe (Adware.Agent) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\42.exe (Adware.Agent) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\56.exe (Adware.Agent) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\62.exe (Adware.Agent) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\70.exe (Adware.Agent) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\73.exe (Adware.Agent) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\78.exe (Adware.Agent) -> Quarantined and deleted successfully.
c:\WINDOWS\aadrive32.exe (Backdoor.IRCBot) -> Delete on reboot.
c:\RECYCLER\s-1-5-21-0243556031-888888379-781863308-1413\syitm.exe (Worm.AutoRun.Gen) -> Quarantined and deleted successfully.
c:\RECYCLER\s-1-5-21-0243936033-3052116371-381863308-1811\vsbntlo.exe (Trojan.SpyEyes) -> Quarantined and deleted successfully.
c:\RECYCLER\s-1-5-21-0243936033-3052116371-381863308-1811\Desktop.ini (Trojan.Agent) -> Quarantined and deleted successfully.
c:\RECYCLER\s-1-5-21-0243556031-888888379-781863308-1413\Desktop.ini (Worm.AutoRun) -> Quarantined and deleted successfully.
c:\RECYCLER\r-1-5-21-1482476501-1644491937-682003330-1013\Desktop.ini (Worm.AutoRun.Gen) -> Quarantined and deleted successfully.

[NIx Car]

Pozdrav!
Preuzmi sUBSov DDS sa sledece adrese
http://www.techsupportforum.com/sectools/sUBs/dds
pokreni ga. Zatim idi na www.pastebin.com i na njega nalepi DDS.txt log. Zati mi taj link okaci ovde na forum.

[Aleksandar1]

Kad sve to ocistis sta ce da ti ostane od sistema?
Moja preporuka format all particije i instalacija novog windows-a.

[Sass Drake]

^ Oataće sistem u normalnom stanju. Format C: nije potreban uopšte.

[rocknrolla]

Problem je sto se ne moze izbrisati, *ebena neka gamad....

[Sass Drake]

Mislim da su ti i USB diskovi zaraženi pa se suzdrži od ubacivanja istih u komp.

[NIx Car]

izvini pogresan link
http://download.bleepingcomputer.com/sUBs/dds.scr
ovo preuzmi i okaci mi na pastebin.
I nemoj da prikljucujes USB uredjaje dok te ne ocistimo

[rocknrolla]

odmah cu...

[rocknrolla]

http://pastebin.com/sabB9K4a

[NIx Car]

Vidim da nemas instaliran anti virusni softver no..

Preuzmi sUBs-ov ComboFix sa sledeće adrese na Desktop:


Bleeping Computer
tokom pokretanja na svaki odgovor odgovori sa yes ili I agree
Posle zavrsetka Combofix ce ti izbaciti izvestaj koji mi o5 kopiraj na www.pastebin.com i taj pastebinov link mi nalepi ovde.

[rocknrolla]

Pokusao sa ComboFix-om i nakon skeniranja se restartovao i izbacio mi plavi ekran smrti !!!
I opet nista

[rocknrolla]

Uspio iz drugog puta ali ne pomaze... i dalje je pun *ranja, evo log:
http://pastebin.com/9QZ2NzGM

[rocknrolla]

Sad je cist...Poslije ComboFix-a, Malwarebytes je uspjesno odradio posao, hvala velika

[NIx Car]

Ako vec mislis da ti je racunar cist onda uradi sledece:Potrebno je izbrisati combofix. Idi na Start-run i kucaj sledece:
Combofix /Uninstall (razmak izmedju combofix i /uninstall postoji!)
Sacekaj da se proces deinstalacije zavrsi.

[rocknrolla]

Uradjeno... Thanks

[acafacaa]

Citat:

rocknrolla kaže:

Sad je cist...Poslije ComboFix-a, Malwarebytes je uspjesno odradio posao, hvala velika

Ja bih ipak na tvom mestu izvrsio dodatne provere sledecim programima:
HitmanPro:
http://hitman-pro.en.softonic.com/download

SUPERantispyware free:
http://www.superantispyware.com/down...NTISPYWAREFREE

Da budes 99% siguran da si "cist"

[rocknrolla]

Citat:

acafacaa kaže:

Ja bih ipak na tvom mestu izvrsio dodatne provere sledecim programima:
HitmanPro:
http://hitman-pro.en.softonic.com/download

SUPERantispyware free:
http://www.superantispyware.com/down...NTISPYWAREFREE

Da budes 99% siguran da si "cist"

SuperAntiSpayware sam koristio poslije malwraebytesa i on je nasao ponesto, A ovog hitman-a cu sad
Hvala na predlogu...

[magna86]

Nema potrebe za dodatnim skenerima.
Posto je NIx Car dao deisntalaciju znaci da aktivne infekcije nema,a nema je.
Ovi programi jedino sto mogu naci jeste neki junk file ili da detektuju neki FP

Naravno,dodatni skeneri ne mogu da skode,cak naprotiv...

[rocknrolla]

Opet su se vratili a nista nisam radio, nisam prikopcavao USB, nisam krstario net-om...

pogledajte log:

http://pastebin.com/geN3jqs6

[magna86]

>> Napravi novu sistem restore tacku:
http://bertk.mvps.org/html/createrp.html

>> MCShied mora biti aktivan.

>> Preuzmi OTM sa ovog linka na Desktop
http://oldtimer.geekstogo.com/OTM.exe

U levi prozor programa ispod Paste Instructions for Items to be Moved kopiraj ovo.

Kod:

:processes
killallprocesses 

:reg
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Dbnonr"=-
"Spooler SubSystem App"=-

:files
c:\documents and settings\administrator\application data\Dbnonr.exe
c:\documents and settings\administrator\application data\spoolsv.exe

:Commands
[purity]
[emptytemp]
[CREATERESTOREPOINT]
[EMPTYFLASH]
[Reboot]

klikni Move It!