Trojan Horse Injector ise32.exe

1

Trojan Horse Injector ise32.exe

offline
  • Pridružio: 04 Avg 2008
  • Poruke: 37

Dobro vece,
Pre izvesnog vremena ste mi pomogli, ali sada se javio problem koji je detektovao AVG 8.0. Evo loga:

Logfile of HijackThis v1.99.1
Scan saved at 8:05:36 PM, on 9/8/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\COMODO\Firewall\cmdagent.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\CyberLink\Shared files\RichVideo.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Fast.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\COMODO\SafeSurf\cssurf.exe
C:\Program Files\COMODO\Firewall\cfp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Media\Desktop\Ekskurzija\Slike.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = comodo.com/search/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: (no name) - {803E93C8-A79D-42E7-BE52-20DE96B6744A} - (no file)
O3 - Toolbar: (no name) - {381FFDE8-2394-4f90-B10D-FC6124A40F8C} - (no file)
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [DiskeeperSystray] "C:\Program Files\Diskeeper Corporation\Diskeeper\DkIcon.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe"
O4 - HKLM\..\Run: [googletalk] C:\Program Files\Google\Google Talk\googletalk.exe /autostart
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [COMODO SafeSurf] "C:\Program Files\COMODO\SafeSurf\cssurf.exe" -s
O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\COMODO\Firewall\cfp.exe" -h
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [AlcoholAutomount] "C:\Program Files\Alcohol Soft\Alcohol 120\axcmd.exe" /automount
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: BitComet - {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: avgrsstx.dll C:\WINDOWS\system32\guard32.dll C:\WINDOWS\system32\cssdll32.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: COMODO Firewall Pro Helper Service (cmdAgent) - Unknown owner - C:\Program Files\COMODO\Firewall\cmdagent.exe
O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared files\RichVideo.exe

Virus je usao tako sto sam pozajmila fles od prijateljice da prebacim neke slike. Taj fles je i dalje kod mene, ukoliko je potrebno da se ubaci. Raspolazem konekcijom: 1024/128.
Hvala unapred!

offline
  • dr_Bora  Male
  • Anti Malware Fighter
    Rank 2
  • Pridružio: 24 Jul 2007
  • Poruke: 12280
  • Gde živiš: Höganäs, SE

Poz...


Kada je došlo do detekcije? Pri pokušaju otvaranja flash drive-a?

Šta je AVG uradio sa tim što je detektovao?

offline
  • Pridružio: 04 Avg 2008
  • Poruke: 37

Do detekcije je doslo sinoc oko 22:00 h odmah po ubacivanju flash-a. AVG ga je prebacio u kovceg.

offline
  • dr_Bora  Male
  • Anti Malware Fighter
    Rank 2
  • Pridružio: 24 Jul 2007
  • Poruke: 12280
  • Gde živiš: Höganäs, SE

Onda je sve pod kontrolom (AV je prosto odradio svoj posao - problem bi bio da nije uspeo da ukloni to što je detektovao).


Što se tiče tog flash drive-a...



Skini sledeci program - http://amf.mycity.rs/personal/bobby/USB_blocker/usb_blocker.exe
- startuj ga i odaberi opciju Auto block
- ubaci USB stick u komp i sacekaj koji sekund (recimo 5-10 sekundi)
- program je sada uradio analizu sticka (vidi se u donjem delu programa, u logu)
- gore levo klikni duplo na slovo koje oznacava particiju, tj. tvoj USB stick
- dole kraj sata ce se pojaviti poruka da smes da izvadis USB stick iz kompa


Kada to zavrsis, log u donjem delu programa ce sadrzati određene podatke.
Klikni desnim dugmetom misa na log/izvestaj i odaberi Save log.
Automatski ce se otvoriti Notepad i u njemu izvestaj.
Iskopiraj mi taj izvestaj ovde na forum.

offline
  • Pridružio: 04 Avg 2008
  • Poruke: 37

Evo loga:

USB_blocker by bobby

Started at 9/8/2008 8:49:30 PM

Scanning for connected USB Mass storage...
========================================
========================================
Scanning for other storage...
========================================
D: c8c5725f-89f5-11db-b964-806d6172696f
C: c8c57261-89f5-11db-b964-806d6172696f
========================================

Scanning fixed storage for autorun.inf files...
========================================
========================================



New device connected at 9/8/2008 8:50:16 PM

Scanning for connected USB Mass storage...
========================================
G: 063d53cc-5c7b-11dc-986a-001485dee0db
========================================

Scanning USB mass storage for autorun.inf and desktop.ini files...
========================================

autorun.inf found on G:
File G:\autorun.inf renamed successfully

desktop.ini found on G:
Sanitizing Shell Menu...
Sanitized 063d53cc-5c7b-11dc-986a-001485dee0db
========================================

offline
  • dr_Bora  Male
  • Anti Malware Fighter
    Rank 2
  • Pridružio: 24 Jul 2007
  • Poruke: 12280
  • Gde živiš: Höganäs, SE

Ponovo pokreni USB_Blocker.


1. na kartici Monitor ukljuci opciju Auto block
2. prebaci se na karticu Scan removable drives
3. ubaci USB uredjaj
4. u gornjem levom delu programa klikni samo jednom na slovo koje oznacava tvoj USB uredjaj
5. klikni na Scan
6. kada se skeniranje zavrsi, gore levo klikni duplo na slovo koje oznacava tvoj USB uredjaj
7. dole kraj sata ce se pojaviti poruka da smes da izvadis USB stick iz kompa.


Kada to zavrsis, log u donjem delu programa ce sadrzati određene podatke.
Klikni desnim dugmetom misa na log/izvestaj i odaberi Save log.
Automatski ce se otvoriti Notepad i u njemu izvestaj.
Iskopiraj mi taj izvestaj ovde na forum.

offline
  • Pridružio: 04 Avg 2008
  • Poruke: 37

Evo i sledeceg loga:

USB_blocker by bobby

Started at 9/8/2008 9:12:32 PM

Scanning for connected USB Mass storage...
========================================
========================================
Scanning for other storage...
========================================
D: c8c5725f-89f5-11db-b964-806d6172696f
C: c8c57261-89f5-11db-b964-806d6172696f
========================================

Scanning fixed storage for autorun.inf files...
========================================
========================================



New device connected at 9/8/2008 9:13:25 PM

Scanning for connected USB Mass storage...
========================================
G: 063d53cc-5c7b-11dc-986a-001485dee0db
========================================

Scanning USB mass storage for autorun.inf and desktop.ini files...
========================================

desktop.ini found on G:
Sanitizing Shell Menu...
No key for GUID: 063d53cc-5c7b-11dc-986a-001485dee0db
========================================

Manual scan of drive G: at 9/8/2008 9:13:37 PM
Scan for autorun.inf: True
Scan for desktop.ini: True
Make list of all files: False
Action: Report only

Content of G:\autorun.inf.blocked
====================
[autorun]
open=RECYCLER\S-1-5-21-1482476501-1644491937-682003330-1013\ise32.exe
icon=%SystemRoot%\system32\SHELL32.dll,4
action=Open folder to view files
shell\open=Open
shell\open\command=RECYCLER\S-1-5-21-1482476501-1644491937-682003330-1013\ise32.exe
shell\open\default=1
====================
========================================
Scan finished at 9/8/2008 9:13:38 PM


Ne znam da li treba da napomenem, ali prilikom ubacivanja flash-a, izasla mi je poruka da pokrenem check disc utility. To nisam uradila, vec samo ono sto mi je receno.

offline
  • dr_Bora  Male
  • Anti Malware Fighter
    Rank 2
  • Pridružio: 24 Jul 2007
  • Poruke: 12280
  • Gde živiš: Höganäs, SE

Aktiviraj prikaz skrivenih file-ova:

http://www.mycity.rs/Uputstva-sa-ex-SuperSajta/Kako-videti-skrivene-fajlove.html


Ponovo priključi taj flash drive, otvori ga (pomoću Win. Explorera) i obriši sledeće sa njega:

autorun.inf.blocked <--- taj file

RECYCLER <--- taj folder


Javi da li si to uspela da odradiš.

offline
  • Pridružio: 04 Avg 2008
  • Poruke: 37

Brisanje uspelo. Prilikom pristupanja flash-u, pojavio se novi AVG alert Trojan Horse BackDoor Start.exe, koji je prebacen u kovceg.

offline
  • dr_Bora  Male
  • Anti Malware Fighter
    Rank 2
  • Pridružio: 24 Jul 2007
  • Poruke: 12280
  • Gde živiš: Höganäs, SE

Sada bi trebalo da možeš normalno koristiti flash drive.

Ukoliko bude nekih problema (ako AVG bude stalno iznova detektovao nešto), javi se u temi pa ćemo videti o čemu se radi.

Ko je trenutno na forumu
 

Ukupno su 663 korisnika na forumu :: 25 registrovanih, 5 sakrivenih i 633 gosta   ::   [ Administrator ] [ Supermoderator ] [ Moderator ] :: Detaljnije

Najviše korisnika na forumu ikad bilo je 3466 - dana 01 Jun 2021 17:07

Korisnici koji su trenutno na forumu:
Korisnici trenutno na forumu: Aleksandar Tomić, BlaCkMilK, Bobrock1, branko7, burevesnik, CrazySerb_MLD, Dorcolac, Drug pukovnik, FileFinder, Georgius, ikan, indja, jaeger, kaptain, ladro, loon123, maCvele, mgolub, Nemanja.M, novator, pacika, Plava bluza, stagezin, Van, W123