Posted: 26 Mar 2007 22:45
- Joined: 25 Mar 2007
- Posts: 32
GMER 1.0.12.12086 - gmer.net
Rootkit scan 2007-03-26 22:41:52
Windows 5.1.2600 Service Pack 1
---- Kernel code sections - GMER 1.0.12 ----
.text ntoskrnl.exe!KeInitializeInterrupt + B67 804DA23C 1 Byte [ 06 ]
? frxcpncg.sys The system cannot find the file specified.
.text ntdll.dll!NtClose 77F758AA 5 Bytes JMP 720342BA
.text ntdll.dll!NtCreateProcess 77F759F4 5 Bytes JMP 72034445
.text ntdll.dll!NtCreateProcessEx 77F75A03 5 Bytes JMP 72034329
.text ntdll.dll!NtCreateSection 77F75A21 5 Bytes JMP 720342D8
.text ntdll.dll!NtEnumerateKey 77F75B5C 4 Bytes JMP 3AF81693
.text ntdll.dll!NtEnumerateKey + 5 77F75B61 1 Byte [ C3 ]
.text ntdll.dll!NtEnumerateValueKey 77F75B7A 4 Bytes [ 68, ED, 34, BB ]
.text ntdll.dll!NtEnumerateValueKey + 5 77F75B7F 1 Byte [ C3 ]
.text ntdll.dll!NtQuerySystemInformation 77F76152 4 Bytes [ 68, 50, 36, BB ]
.text ntdll.dll!NtQuerySystemInformation + 5 77F76157 1 Byte [ C3 ]
---- User code sections - GMER 1.0.12 ----
.text C:\Documents and Settings\Spider\Local Settings\Temp\Temporary Directory 1 for gmer.zip\gmer.exe[736] ntdll.dll!NtEnumerateKey 77F75B5C 4 Bytes JMP 3AF81693
.text C:\Documents and Settings\Spider\Local Settings\Temp\Temporary Directory 1 for gmer.zip\gmer.exe[736] ntdll.dll!NtEnumerateKey + 5 77F75B61 1 Byte [ C3 ]
.text C:\Documents and Settings\Spider\Local Settings\Temp\Temporary Directory 1 for gmer.zip\gmer.exe[736] ntdll.dll!NtEnumerateValueKey 77F75B7A 4 Bytes [ 68, ED, 34, BB ]
.text C:\Documents and Settings\Spider\Local Settings\Temp\Temporary Directory 1 for gmer.zip\gmer.exe[736] ntdll.dll!NtEnumerateValueKey + 5 77F75B7F 1 Byte [ C3 ]
.text C:\Documents and Settings\Spider\Local Settings\Temp\Temporary Directory 1 for gmer.zip\gmer.exe[736] ntdll.dll!NtQuerySystemInformation 77F76152 4 Bytes [ 68, 50, 36, BB ]
.text C:\Documents and Settings\Spider\Local Settings\Temp\Temporary Directory 1 for gmer.zip\gmer.exe[736] ntdll.dll!NtQuerySystemInformation + 5 77F76157 1 Byte [ C3 ]
.text C:\WINDOWS\explorer.exe[1460] ntdll.dll!NtEnumerateKey 77F75B5C 6 Bytes JMP 3AF8C993
.text C:\WINDOWS\explorer.exe[1460] ntdll.dll!NtEnumerateValueKey 77F75B7A 6 Bytes PUSH 016E34ED; RET
.text C:\WINDOWS\explorer.exe[1460] ntdll.dll!NtQuerySystemInformation 77F76152 6 Bytes PUSH 016E3650; RET
.text C:\WINDOWS\system32\rundll32.exe[2012] ntdll.dll!NtEnumerateKey 77F75B5C 4 Bytes JMP 3AF7EA93
.text C:\WINDOWS\system32\rundll32.exe[2012] ntdll.dll!NtEnumerateKey + 5 77F75B61 1 Byte [ C3 ]
.text C:\WINDOWS\system32\rundll32.exe[2012] ntdll.dll!NtEnumerateValueKey 77F75B7A 4 Bytes [ 68, ED, 34, 8F ]
.text C:\WINDOWS\system32\rundll32.exe[2012] ntdll.dll!NtEnumerateValueKey + 5 77F75B7F 1 Byte [ C3 ]
.text C:\WINDOWS\system32\rundll32.exe[2012] ntdll.dll!NtQuerySystemInformation 77F76152 4 Bytes [ 68, 50, 36, 8F ]
.text C:\WINDOWS\system32\rundll32.exe[2012] ntdll.dll!NtQuerySystemInformation + 5 77F76157 1 Byte [ C3 ]
.text C:\Program Files\ESET\nod32kui.exe[2044] ntdll.dll!NtEnumerateKey 77F75B5C 4 Bytes JMP 3AF81B93
.text C:\Program Files\ESET\nod32kui.exe[2044] ntdll.dll!NtEnumerateKey + 5 77F75B61 1 Byte [ C3 ]
.text C:\Program Files\ESET\nod32kui.exe[2044] ntdll.dll!NtEnumerateValueKey 77F75B7A 4 Bytes [ 68, ED, 34, C0 ]
.text C:\Program Files\ESET\nod32kui.exe[2044] ntdll.dll!NtEnumerateValueKey + 5 77F75B7F 1 Byte [ C3 ]
.text C:\Program Files\ESET\nod32kui.exe[2044] ntdll.dll!NtQuerySystemInformation 77F76152 4 Bytes [ 68, 50, 36, C0 ]
.text C:\Program Files\ESET\nod32kui.exe[2044] ntdll.dll!NtQuerySystemInformation + 5 77F76157 1 Byte [ C3 ]
---- Devices - GMER 1.0.12 ----
Device \FileSystem\Cdfs \Cdfs IRP_MJ_CREATE F68223DF
Device \FileSystem\Cdfs \Cdfs IRP_MJ_CLOSE F68223DF
Device \FileSystem\Cdfs \Cdfs IRP_MJ_READ F68223DF
Device \FileSystem\Cdfs \Cdfs IRP_MJ_QUERY_INFORMATION F68223DF
Device \FileSystem\Cdfs \Cdfs IRP_MJ_SET_INFORMATION F68223DF
Device \FileSystem\Cdfs \Cdfs IRP_MJ_QUERY_VOLUME_INFORMATION F68223DF
Device \FileSystem\Cdfs \Cdfs IRP_MJ_DIRECTORY_CONTROL F68223DF
Device \FileSystem\Cdfs \Cdfs IRP_MJ_FILE_SYSTEM_CONTROL F68223DF
Device \FileSystem\Cdfs \Cdfs IRP_MJ_DEVICE_CONTROL F68223DF
Device \FileSystem\Cdfs \Cdfs IRP_MJ_SHUTDOWN F68257CB
Device \FileSystem\Cdfs \Cdfs IRP_MJ_LOCK_CONTROL F68223DF
Device \FileSystem\Cdfs \Cdfs IRP_MJ_CLEANUP F68223DF
Device \FileSystem\Cdfs \Cdfs IRP_MJ_PNP F68223DF
Device \FileSystem\Cdfs \Cdfs FastIoCheckIfPossible F6825733
---- Processes - GMER 1.0.12 ----
Process C:\WINDOWS\systpro32.exe (*** hidden *** ) 1964
---- Registry - GMER 1.0.12 ----
Reg \Registry\MACHINE\SOFTWARE\4T78D2V25K
Reg \Registry\MACHINE\SOFTWARE\4T78D2V25K@4T78D2V25K 0x41 0xE8 0x7B 0xAF ...
Reg \Registry\MACHINE\SOFTWARE\4T78D2V25K@4T78D2V25K 0x41 0xE8 0x7B 0xAF ...
---- EOF - GMER 1.0.12 ----
I can't find systpro32.exe because it's hidden; here it is in the attached log.
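The "User code sections" above show the same three ntdll exports patched in every process, but GMER renders the patch in two shapes: explorer.exe gets an explicit six-byte `PUSH 016E34ED; RET`, while the other processes show `[ 68, ED, 34, xx ]` plus a `C3` at `+ 5`. As an added example (not part of the original post and not GMER's own code), the following Python script parses those entries, decodes each hook, and compares the trampoline targets across processes. The byte it reconstructs as `00` and the assumption that GMER lists only bytes that differ from the file image are both marked in the comments; the sample input is the log text quoted above, embedded inline.

```python
"""Decode the per-process inline hooks GMER listed under 'User code sections'.

Added example for this thread; it is not GMER's code and not from the
original post. It handles only the three entry shapes present in the log
quoted above (JMP target, PUSH target; RET, and a raw byte list with a
separate '+ 5' entry); that coverage, and the byte-4 reconstruction
explained below, are assumptions of this script.
"""
import re
from collections import defaultdict

# Constructed sample: the user-mode entries copied from the GMER log in the post.
SAMPLE_LOG = r"""
.text C:\Documents and Settings\Spider\Local Settings\Temp\Temporary Directory 1 for gmer.zip\gmer.exe[736] ntdll.dll!NtEnumerateValueKey 77F75B7A 4 Bytes [ 68, ED, 34, BB ]
.text C:\Documents and Settings\Spider\Local Settings\Temp\Temporary Directory 1 for gmer.zip\gmer.exe[736] ntdll.dll!NtEnumerateValueKey + 5 77F75B7F 1 Byte [ C3 ]
.text C:\Documents and Settings\Spider\Local Settings\Temp\Temporary Directory 1 for gmer.zip\gmer.exe[736] ntdll.dll!NtQuerySystemInformation 77F76152 4 Bytes [ 68, 50, 36, BB ]
.text C:\Documents and Settings\Spider\Local Settings\Temp\Temporary Directory 1 for gmer.zip\gmer.exe[736] ntdll.dll!NtQuerySystemInformation + 5 77F76157 1 Byte [ C3 ]
.text C:\WINDOWS\explorer.exe[1460] ntdll.dll!NtEnumerateKey 77F75B5C 6 Bytes JMP 3AF8C993
.text C:\WINDOWS\explorer.exe[1460] ntdll.dll!NtEnumerateValueKey 77F75B7A 6 Bytes PUSH 016E34ED; RET
.text C:\WINDOWS\explorer.exe[1460] ntdll.dll!NtQuerySystemInformation 77F76152 6 Bytes PUSH 016E3650; RET
.text C:\WINDOWS\system32\rundll32.exe[2012] ntdll.dll!NtEnumerateKey 77F75B5C 4 Bytes JMP 3AF7EA93
.text C:\WINDOWS\system32\rundll32.exe[2012] ntdll.dll!NtEnumerateKey + 5 77F75B61 1 Byte [ C3 ]
.text C:\WINDOWS\system32\rundll32.exe[2012] ntdll.dll!NtEnumerateValueKey 77F75B7A 4 Bytes [ 68, ED, 34, 8F ]
.text C:\WINDOWS\system32\rundll32.exe[2012] ntdll.dll!NtEnumerateValueKey + 5 77F75B7F 1 Byte [ C3 ]
.text C:\WINDOWS\system32\rundll32.exe[2012] ntdll.dll!NtQuerySystemInformation 77F76152 4 Bytes [ 68, 50, 36, 8F ]
.text C:\WINDOWS\system32\rundll32.exe[2012] ntdll.dll!NtQuerySystemInformation + 5 77F76157 1 Byte [ C3 ]
.text C:\Program Files\ESET\nod32kui.exe[2044] ntdll.dll!NtEnumerateValueKey 77F75B7A 4 Bytes [ 68, ED, 34, C0 ]
.text C:\Program Files\ESET\nod32kui.exe[2044] ntdll.dll!NtEnumerateValueKey + 5 77F75B7F 1 Byte [ C3 ]
.text C:\Program Files\ESET\nod32kui.exe[2044] ntdll.dll!NtQuerySystemInformation 77F76152 4 Bytes [ 68, 50, 36, C0 ]
.text C:\Program Files\ESET\nod32kui.exe[2044] ntdll.dll!NtQuerySystemInformation + 5 77F76157 1 Byte [ C3 ]
"""

ENTRY = re.compile(
    r"^\.text (?P<proc>.+?)\[(?P<pid>\d+)\] (?P<func>\S+!\w+)"
    r"(?: \+ (?P<off>[0-9A-Fa-f]+))? (?P<addr>[0-9A-Fa-f]{8}) "
    r"(?P<n>\d+) Bytes? (?P<rest>.+)$"
)
BYTES = re.compile(r"^\[ ([0-9A-Fa-f]{2}(?:, [0-9A-Fa-f]{2})*) \]$")


def parse_entries(text):
    """Group GMER lines by (process, pid, function); key each patch by its offset."""
    patches = defaultdict(dict)
    for line in text.splitlines():
        m = ENTRY.match(line.strip())
        if not m:
            continue
        key = (m["proc"], int(m["pid"]), m["func"])
        off = int(m["off"], 16) if m["off"] else 0
        patches[key][off] = m["rest"].strip()
    return patches


def decode_hook(patch):
    """Return (kind, target) for one function's patch set, or (None, None)."""
    head = patch.get(0, "")
    m = re.match(r"^JMP ([0-9A-Fa-f]{8})$", head)
    if m:
        return "JMP", int(m[1], 16)            # keep GMER's resolved target as-is
    m = re.match(r"^PUSH ([0-9A-Fa-f]{8}); RET$", head)
    if m:
        return "PUSH/RET", int(m[1], 16)
    m = BYTES.match(head)
    if m:
        raw = bytes(int(b, 16) for b in m[1].split(", "))
        if raw[0] == 0x68 and patch.get(5) == "[ C3 ]":
            # Only 3 of the 4 immediate bytes are listed. Assumption: GMER lists
            # just the bytes that differ from the on-disk image, and the XP stub
            # starts with 'B8 imm32' whose high byte is 00, so the unlisted byte
            # 4 of the hook is 00. The explorer.exe entry, whose high byte is 01,
            # is listed as a full 6-byte patch, which is consistent with this.
            imm = raw[1:5].ljust(4, b"\x00")
            return "PUSH/RET", int.from_bytes(imm, "little")
        return "BYTES", None
    return None, None


def decode_hooks(text):
    """Map (proc, pid) -> {func: (kind, target)} for every hooked function."""
    out = defaultdict(dict)
    for (proc, pid, func), patch in parse_entries(text).items():
        kind, target = decode_hook(patch)
        if kind:
            out[(proc, pid)][func] = (kind, target)
    return dict(out)


def trampoline_spacing(hooks, a="ntdll.dll!NtEnumerateValueKey",
                       b="ntdll.dll!NtQuerySystemInformation"):
    """Distance between two PUSH/RET targets per process. A constant value across
    processes points at one injected module relocated to a different base in each."""
    spacing = {}
    for key, funcs in hooks.items():
        if funcs.get(a, (None,))[0] == "PUSH/RET" and funcs.get(b, (None,))[0] == "PUSH/RET":
            spacing[key] = funcs[b][1] - funcs[a][1]
    return spacing


if __name__ == "__main__":
    hooks = decode_hooks(SAMPLE_LOG)
    for (proc, pid), funcs in hooks.items():
        print(f"{proc} [{pid}]")
        for func, (kind, target) in funcs.items():
            tgt = f"{target:08X}" if target is not None else "?"
            print(f"  {func:42} {kind:9} -> {tgt}")
    print("target spacing per pid:", {k[1]: hex(v) for k, v in trampoline_spacing(hooks).items()})
```

Run on the sample, every process decodes to a `PUSH target; RET` pair whose two targets are 0x163 apart and whose low 16 bits (34ED and 3650) match, with only the high bytes (8F, BB, C0, 016E) differing per process: the signature of one DLL loaded at a different base in each victim. The `JMP` entries on NtEnumerateKey are reported with GMER's own target and not reinterpreted.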
Posted: 26 Mar 2007 23:06
- bobby
- Administrator
- Joined: 04 Sep 2003
- Posts: 24135
- Location: Wien
Give me a few more minutes to work out a tactic and figure out exactly what this is.
It looks like you have multiple infections on the computer.
Update: 26 Mar 2007 23:06
Look at the following image:
http://gmer.net/faq.php
Tell me which option is enabled for you when you right-click the name of that hidden file.
Some functions won't be available, but at least one must be. Write here which one is available to you.
Posted: 26 Mar 2007 23:40
- bobby
- Administrator
- Joined: 04 Sep 2003
- Posts: 24135
- Location: Wien
Download the Avenger program from the following link:
http://swandog46.geekstogo.com/avenger.zip
On the first screen select Input script manually, then click the magnifying glass icon.
In the window that appears, enter the following text:
Files to Delete:
C:\WINDOWS\systpro32.exe
Click the Done button.
It will return you to the first screen, where you now need to click the traffic light icon.
If the program doesn't ask you to restart on its own, restart the computer yourself.
After the restart the folder should be deleted, and a backup made in the folder c:\avenger.
When that's done, post a new GMER log as well as a HijackThis log.
Posted: 27 Mar 2007 00:15
- Joined: 25 Mar 2007
- Posts: 32
Logfile of HijackThis v1.99.1
Scan saved at 0:11:52 AM, on 3/27/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\RunDLL32.exe
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\notepad.exe
C:\Documents and Settings\Spider\Desktop\lola.exe
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 61.240.111.196:8080
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\gvcotfvb
*******************
Script file located at: \??\C:\tpcywosc.txt
Script file opened successfully.
Script file read successfully
Backups directory opened successfully at C:\Avenger
*******************
Beginning to process script file:
File C:\WINDOWS\systpro32.exe deleted successfully.
Completed script processing.
*******************
Finished! Terminate.
I ran GMER but something got stuck, so I'll do it again and send it in ten minutes once it rescans, but it's already clear that it's a different story: the system boots differently and NOD no longer reports anything. We'll see, I'm here.
Posted: 27 Mar 2007 00:23
- bobby
- Administrator
- Joined: 04 Sep 2003
- Posts: 24135
- Location: Wien
I finally managed to find some more information.
Scan with HijackThis and tick the box in front of the following line:
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 61.240.111.196:8080
click Fix Checked
That proxy server is somewhere in China, and that line needs to be fixed unless you deliberately set your internet connection to go through that server.
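The check bobby applies by eye, a user-level WinINet proxy pointed at a host nobody on the machine configured, is easy to automate when triaging HijackThis logs. As an added example (not part of the original post and not HijackThis code), the Python below parses `R1 ... ProxyServer` lines, splits both value shapes WinINet accepts (`host:port` and `scheme=host:port;...`), and flags anything that is not a loopback, private or link-local address unless it is on an allowlist. The sample input is the R1 line from the log above plus two constructed benign lines for contrast.

```python
"""Flag HijackThis R1 ProxyServer lines that point outside the local network.

Added example for this thread, not part of the original post and not
HijackThis code. Sample lines are constructed: the first is the R1 line
from the log above, the other two are benign variants added for contrast.
"""
import ipaddress
import re

SAMPLE_HJT = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 61.240.111.196:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:8118;https=127.0.0.1:8118
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy.corp.example:3128
"""

R1_PROXY = re.compile(r"^R1 - (?P<key>HK\w+\\.+?),ProxyServer = (?P<value>.+)$")


def parse_proxy_value(value):
    """Split a ProxyServer value into (scheme, host, port) tuples.

    WinINet accepts either a single 'host:port' or a ';'-separated list of
    'scheme=host:port' entries; both shapes are handled here.
    """
    entries = []
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        scheme, _, hostport = part.rpartition("=")
        host, _, port = hostport.rpartition(":")
        if not host:  # no explicit port
            host, port = hostport, ""
        entries.append((scheme or "*", host, int(port) if port.isdigit() else None))
    return entries


def classify_host(host):
    """'local' for loopback/private/link-local IPs, 'public' for other IPs,
    'name' for hostnames (which need a lookup before they can be judged)."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return "name"
    if ip.is_loopback or ip.is_private or ip.is_link_local:
        return "local"
    return "public"


def find_suspicious_proxies(text, allowlist=()):
    """Return [(key, scheme, host, port, verdict)] for proxies worth asking the user about."""
    findings = []
    for line in text.splitlines():
        m = R1_PROXY.match(line.strip())
        if not m:
            continue
        for scheme, host, port in parse_proxy_value(m["value"]):
            if host in allowlist:
                continue
            verdict = classify_host(host)
            if verdict != "local":
                findings.append((m["key"], scheme, host, port, verdict))
    return findings


if __name__ == "__main__":
    for key, scheme, host, port, verdict in find_suspicious_proxies(SAMPLE_HJT):
        print(f"{verdict:6} {scheme:5} {host}:{port}  ({key})")
```

A hostname is reported as `name` rather than silently accepted, because a corporate proxy and an attacker's domain look identical until resolved; put known-good proxies in `allowlist` instead. On the live machine the same value can be read with `reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyServer`, which is the value the R1 fix in HijackThis removes.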
Posted: 27 Mar 2007 00:35
- Joined: 25 Mar 2007
- Posts: 32
Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\gvcotfvb
*******************
Script file located at: \??\C:\tpcywosc.txt
Script file opened successfully.
Script file read successfully
Backups directory opened successfully at C:\Avenger
*******************
Beginning to process script file:
File C:\WINDOWS\systpro32.exe deleted successfully.
Completed script processing.
*******************
Finished! Terminate.
GMER 1.0.12.12086 - gmer.net
Rootkit scan 2007-03-27 00:29:55
Windows 5.1.2600 Service Pack 1
---- Kernel code sections - GMER 1.0.12 ----
.text ntoskrnl.exe!KeInitializeInterrupt + B67 804DA23C 1 Byte [ 06 ]
? potvekma.sys The system cannot find the file specified.
.text ntdll.dll!NtClose 77F758AA 5 Bytes JMP 720342BA
.text ntdll.dll!NtCreateProcess 77F759F4 5 Bytes JMP 72034445
.text ntdll.dll!NtCreateProcessEx 77F75A03 5 Bytes JMP 72034329
.text ntdll.dll!NtCreateSection 77F75A21 5 Bytes JMP 720342D8
---- EOF - GMER 1.0.12 ----
This is all it produced after deleting that file; maybe I need to download the installation again.
Update: 27 Mar 2007 0:35
Logfile of HijackThis v1.99.1
Scan saved at 0:34:51 AM, on 3/27/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\RunDLL32.exe
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Spider\Desktop\mara.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
Here it is after checking Fix.
Posted: 27 Mar 2007 00:50
- bobby
- Administrator
- Joined: 04 Sep 2003
- Posts: 24135
- Location: Wien
To my eye this looks OK.
I'll leave the topic unlocked for a couple of days, so if the infection comes back, get back to us.
You'll see that on C:\ you have a folder named Avenger.
I'd ask you to pack that folder into a ZIP and send it to us through the following form:
http://www.mycity.rs/ambulanta-upload.php
This isn't mandatory, but if you send us the contents of that folder, we'll forward it to anti-virus laboratories for analysis. That way we help improve anti-virus programs.
Delete that folder after a couple of days if your computer works as it should.
Finally, I'd advise you to install Service Pack 2 for Windows, since your system is very vulnerable without SP2.
The least you can do is install a firewall to protect yourself at least somewhat from bots and worms.
Also, if you don't install Service Pack 2 for Windows, you can download the FireFox browser and use it instead of Internet Explorer, because Internet Explorer has a great many flaws that make the whole system vulnerable.
The same goes for Outlook Express; you can replace it with Mozilla Thunderbird.
Based on that proxy server, I suspect the infection happened because you were tricked into clicking an address from some spam mail (email advertising), as I found out that that server is heavily used for sending such mails.
Browse the forum; there's a lot of advice on these things there.
Posted: 27 Mar 2007 01:06
- Joined: 25 Mar 2007
- Posts: 32
Now everything is fine, absolutely OK. Hats off for such knowledge; in a word, magical. Thank you, you're wonderful people, thanks to everyone. I'll be more careful now, and I'll install SP2 too. Regards.
Update: 27 Mar 2007 1:06
As per the instructions, I'm letting you know that I sent avenger.zip to the indicated link, in the way described. See you.
Posted: 27 Mar 2007 01:14
- bobby
- Administrator
- Joined: 04 Sep 2003
- Posts: 24135
- Location: Wien
Thank you very much for the upload; we really did find new malware.
Here are the results of scanning with a couple of dozen antivirus engines:
AhnLab-V3 2007.3.27.0 03.26.2007 no virus found
AntiVir 7.3.1.44 03.26.2007 TR/Crypt.XPACK.Gen
Authentium 4.93.8 03.26.2007 no virus found
Avast 4.7.936.0 03.25.2007 no virus found
AVG 7.5.0.447 03.26.2007 no virus found
BitDefender 7.2 03.27.2007 BehavesLike:Win32.ExplorerHijack
CAT-QuickHeal 9.00 03.26.2007 no virus found
ClamAV devel-20070312 03.27.2007 no virus found
DrWeb 4.33 03.26.2007 no virus found
eSafe 7.0.14.0 03.26.2007 suspicious Trojan/Worm
eTrust-Vet 30.6.3512 03.26.2007 no virus found
Ewido 4.0 03.25.2007 no virus found
FileAdvisor 1 03.27.2007 no virus found
Fortinet 2.85.0.0 03.26.2007 Clckr.KY!tr
F-Prot 4.3.1.45 03.26.2007 no virus found
F-Secure 6.70.13030.0 03.26.2007 no virus found
Ikarus T3.1.1.3 03.26.2007 BehavesLikeWin32.ExplorerHijack
Kaspersky 4.0.2.24 03.27.2007 no virus found
McAfee 4992 03.26.2007 no virus found
Microsoft 1.2306 03.27.2007 no virus found
NOD32v2 2145 03.26.2007 no virus found
Norman 5.80.02 03.23.2007 no virus found
Panda 9.0.0.4 03.27.2007 Trj/Lineage.CVQ
Prevx1 V2 03.27.2007 worm.sdBot
Sophos 4.15.0 03.23.2007 Troj/Clckr-KY
Sunbelt 2.2.907.0 03.24.2007 no virus found
Symantec 10 03.27.2007 no virus found
TheHacker 6.1.6.080 03.23.2007 no virus found
UNA 1.83 03.16.2007 no virus found
VBA32 3.11.2 03.26.2007 no virus found
VirusBuster 4.3.7:9 03.26.2007 no virus found
Webwasher-Gateway 6.0.1 03.26.2007 Trojan.Crypt.XPACK.Gen
Sending it for analysis right away.