trojanac
trojanac

offline
  • Joined: 25 Mar 2007
  • Posts: 32

GMER 1.0.12.12086 - gmer.net
Rootkit scan 2007-03-26 22:41:52
Windows 5.1.2600 Service Pack 1


---- Kernel code sections - GMER 1.0.12 ----

.text ntoskrnl.exe!KeInitializeInterrupt + B67 804DA23C 1 Byte [ 06 ]
? frxcpncg.sys The system cannot find the file specified.
.text ntdll.dll!NtClose 77F758AA 5 Bytes JMP 720342BA
.text ntdll.dll!NtCreateProcess 77F759F4 5 Bytes JMP 72034445
.text ntdll.dll!NtCreateProcessEx 77F75A03 5 Bytes JMP 72034329
.text ntdll.dll!NtCreateSection 77F75A21 5 Bytes JMP 720342D8
.text ntdll.dll!NtEnumerateKey 77F75B5C 4 Bytes JMP 3AF81693
.text ntdll.dll!NtEnumerateKey + 5 77F75B61 1 Byte [ C3 ]
.text ntdll.dll!NtEnumerateValueKey 77F75B7A 4 Bytes [ 68, ED, 34, BB ]
.text ntdll.dll!NtEnumerateValueKey + 5 77F75B7F 1 Byte [ C3 ]
.text ntdll.dll!NtQuerySystemInformation 77F76152 4 Bytes [ 68, 50, 36, BB ]
.text ntdll.dll!NtQuerySystemInformation + 5 77F76157 1 Byte [ C3 ]

---- User code sections - GMER 1.0.12 ----

.text C:\Documents and Settings\Spider\Local Settings\Temp\Temporary Directory 1 for gmer.zip\gmer.exe[736] ntdll.dll!NtEnumerateKey 77F75B5C 4 Bytes JMP 3AF81693
.text C:\Documents and Settings\Spider\Local Settings\Temp\Temporary Directory 1 for gmer.zip\gmer.exe[736] ntdll.dll!NtEnumerateKey + 5 77F75B61 1 Byte [ C3 ]
.text C:\Documents and Settings\Spider\Local Settings\Temp\Temporary Directory 1 for gmer.zip\gmer.exe[736] ntdll.dll!NtEnumerateValueKey 77F75B7A 4 Bytes [ 68, ED, 34, BB ]
.text C:\Documents and Settings\Spider\Local Settings\Temp\Temporary Directory 1 for gmer.zip\gmer.exe[736] ntdll.dll!NtEnumerateValueKey + 5 77F75B7F 1 Byte [ C3 ]
.text C:\Documents and Settings\Spider\Local Settings\Temp\Temporary Directory 1 for gmer.zip\gmer.exe[736] ntdll.dll!NtQuerySystemInformation 77F76152 4 Bytes [ 68, 50, 36, BB ]
.text C:\Documents and Settings\Spider\Local Settings\Temp\Temporary Directory 1 for gmer.zip\gmer.exe[736] ntdll.dll!NtQuerySystemInformation + 5 77F76157 1 Byte [ C3 ]
.text C:\WINDOWS\explorer.exe[1460] ntdll.dll!NtEnumerateKey 77F75B5C 6 Bytes JMP 3AF8C993
.text C:\WINDOWS\explorer.exe[1460] ntdll.dll!NtEnumerateValueKey 77F75B7A 6 Bytes PUSH 016E34ED; RET
.text C:\WINDOWS\explorer.exe[1460] ntdll.dll!NtQuerySystemInformation 77F76152 6 Bytes PUSH 016E3650; RET
.text C:\WINDOWS\system32\rundll32.exe[2012] ntdll.dll!NtEnumerateKey 77F75B5C 4 Bytes JMP 3AF7EA93
.text C:\WINDOWS\system32\rundll32.exe[2012] ntdll.dll!NtEnumerateKey + 5 77F75B61 1 Byte [ C3 ]
.text C:\WINDOWS\system32\rundll32.exe[2012] ntdll.dll!NtEnumerateValueKey 77F75B7A 4 Bytes [ 68, ED, 34, 8F ]
.text C:\WINDOWS\system32\rundll32.exe[2012] ntdll.dll!NtEnumerateValueKey + 5 77F75B7F 1 Byte [ C3 ]
.text C:\WINDOWS\system32\rundll32.exe[2012] ntdll.dll!NtQuerySystemInformation 77F76152 4 Bytes [ 68, 50, 36, 8F ]
.text C:\WINDOWS\system32\rundll32.exe[2012] ntdll.dll!NtQuerySystemInformation + 5 77F76157 1 Byte [ C3 ]
.text C:\Program Files\ESET\nod32kui.exe[2044] ntdll.dll!NtEnumerateKey 77F75B5C 4 Bytes JMP 3AF81B93
.text C:\Program Files\ESET\nod32kui.exe[2044] ntdll.dll!NtEnumerateKey + 5 77F75B61 1 Byte [ C3 ]
.text C:\Program Files\ESET\nod32kui.exe[2044] ntdll.dll!NtEnumerateValueKey 77F75B7A 4 Bytes [ 68, ED, 34, C0 ]
.text C:\Program Files\ESET\nod32kui.exe[2044] ntdll.dll!NtEnumerateValueKey + 5 77F75B7F 1 Byte [ C3 ]
.text C:\Program Files\ESET\nod32kui.exe[2044] ntdll.dll!NtQuerySystemInformation 77F76152 4 Bytes [ 68, 50, 36, C0 ]
.text C:\Program Files\ESET\nod32kui.exe[2044] ntdll.dll!NtQuerySystemInformation + 5 77F76157 1 Byte [ C3 ]

---- Devices - GMER 1.0.12 ----

Device \FileSystem\Cdfs \Cdfs IRP_MJ_CREATE F68223DF
Device \FileSystem\Cdfs \Cdfs IRP_MJ_CLOSE F68223DF
Device \FileSystem\Cdfs \Cdfs IRP_MJ_READ F68223DF
Device \FileSystem\Cdfs \Cdfs IRP_MJ_QUERY_INFORMATION F68223DF
Device \FileSystem\Cdfs \Cdfs IRP_MJ_SET_INFORMATION F68223DF
Device \FileSystem\Cdfs \Cdfs IRP_MJ_QUERY_VOLUME_INFORMATION F68223DF
Device \FileSystem\Cdfs \Cdfs IRP_MJ_DIRECTORY_CONTROL F68223DF
Device \FileSystem\Cdfs \Cdfs IRP_MJ_FILE_SYSTEM_CONTROL F68223DF
Device \FileSystem\Cdfs \Cdfs IRP_MJ_DEVICE_CONTROL F68223DF
Device \FileSystem\Cdfs \Cdfs IRP_MJ_SHUTDOWN F68257CB
Device \FileSystem\Cdfs \Cdfs IRP_MJ_LOCK_CONTROL F68223DF
Device \FileSystem\Cdfs \Cdfs IRP_MJ_CLEANUP F68223DF
Device \FileSystem\Cdfs \Cdfs IRP_MJ_PNP F68223DF
Device \FileSystem\Cdfs \Cdfs FastIoCheckIfPossible F6825733

---- Processes - GMER 1.0.12 ----

Process C:\WINDOWS\systpro32.exe (*** hidden *** ) 1964

---- Registry - GMER 1.0.12 ----

Reg \Registry\MACHINE\SOFTWARE\4T78D2V25K
Reg \Registry\MACHINE\SOFTWARE\4T78D2V25K@4T78D2V25K 0x41 0xE8 0x7B 0xAF ...
Reg \Registry\MACHINE\SOFTWARE\4T78D2V25K@4T78D2V25K 0x41 0xE8 0x7B 0xAF ...

---- EOF - GMER 1.0.12 ----
I can't find systpro32.exe because it's hidden; here it is in the attached log.
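The hook lines in the log above carry enough information to recover where each patched ntdll export now jumps. As an added example (not part of the thread, and not GMER's own code), the Python below parses lines in this GMER 1.0.12 format, decodes both the instructions GMER printed (JMP x, PUSH x; RET) and the raw patched bytes, and groups the PUSH/RET targets per process. It assumes that the byte at offset 4 of each hooked Nt* stub, which GMER did not list, is 0x00 (a clean XP stub starts with mov eax, <syscall number>, and the number fits in one byte), and that a DLL base is 64 KiB aligned; the sample log is constructed from the lines above.

```python
import re
from collections import defaultdict

# Constructed sample in the shape of the GMER 1.0.12 log posted above (same
# addresses and paths as the thread, trimmed to a few representative lines).
SAMPLE_LOG = r"""
---- Kernel code sections - GMER 1.0.12 ----

.text ntoskrnl.exe!KeInitializeInterrupt + B67 804DA23C 1 Byte [ 06 ]
.text ntdll.dll!NtClose 77F758AA 5 Bytes JMP 720342BA

---- User code sections - GMER 1.0.12 ----

.text C:\WINDOWS\explorer.exe[1460] ntdll.dll!NtEnumerateKey 77F75B5C 6 Bytes JMP 3AF8C993
.text C:\WINDOWS\explorer.exe[1460] ntdll.dll!NtEnumerateValueKey 77F75B7A 6 Bytes PUSH 016E34ED; RET
.text C:\WINDOWS\explorer.exe[1460] ntdll.dll!NtQuerySystemInformation 77F76152 6 Bytes PUSH 016E3650; RET
.text C:\WINDOWS\system32\rundll32.exe[2012] ntdll.dll!NtEnumerateKey 77F75B5C 4 Bytes JMP 3AF7EA93
.text C:\WINDOWS\system32\rundll32.exe[2012] ntdll.dll!NtEnumerateKey + 5 77F75B61 1 Byte [ C3 ]
.text C:\WINDOWS\system32\rundll32.exe[2012] ntdll.dll!NtEnumerateValueKey 77F75B7A 4 Bytes [ 68, ED, 34, 8F ]
.text C:\WINDOWS\system32\rundll32.exe[2012] ntdll.dll!NtEnumerateValueKey + 5 77F75B7F 1 Byte [ C3 ]
.text C:\WINDOWS\system32\rundll32.exe[2012] ntdll.dll!NtQuerySystemInformation 77F76152 4 Bytes [ 68, 50, 36, 8F ]
.text C:\WINDOWS\system32\rundll32.exe[2012] ntdll.dll!NtQuerySystemInformation + 5 77F76157 1 Byte [ C3 ]

---- Processes - GMER 1.0.12 ----

Process C:\WINDOWS\systpro32.exe (*** hidden *** ) 1964
"""

# ".text [<process>[pid]] <module>!<symbol>[ + off] <addr> <n> Byte(s) <patch>"
HOOK_RE = re.compile(
    r"^\.text\s+(?:(?P<proc>.+?\[(?P<pid>\d+)\])\s+)?"
    r"(?P<mod>[^\s!]+)!(?P<func>\w+)"
    r"(?:\s*\+\s*(?P<off>[0-9A-F]+))?\s+"
    r"(?P<addr>[0-9A-F]{8})\s+(?P<n>\d+)\s+Bytes?\s+(?P<rest>.+)$",
    re.I,
)
PROC_RE = re.compile(r"^Process\s+(?P<path>.+?)\s+\(\*\*\* hidden \*\*\* \)\s+(?P<pid>\d+)$")


def decode_hook(rest):
    """Turn GMER's patch description into (kind, target). GMER sometimes prints
    the decoded instruction (JMP x / PUSH x; RET) and sometimes only the raw
    bytes that differ from a clean copy; both forms are handled."""
    m = re.match(r"JMP\s+([0-9A-F]{8})", rest, re.I)
    if m:
        return "jmp", int(m.group(1), 16)
    m = re.match(r"PUSH\s+([0-9A-F]{8});\s*RET", rest, re.I)
    if m:
        return "push_ret", int(m.group(1), 16)
    m = re.match(r"\[\s*([0-9A-F ,]+)\]", rest, re.I)
    if m:
        raw = bytes(int(b, 16) for b in m.group(1).replace(" ", "").split(",") if b)
        if raw[0] == 0x68 and len(raw) >= 4:
            # 68 = push imm32. If GMER listed only 3 immediate bytes, the 4th
            # (offset 4) was unchanged; on a clean XP Nt* stub that byte is
            # 0x00 (high byte of the syscall number).  Assumption, see lead-in.
            imm = raw[1:5].ljust(4, b"\x00")
            return "push_ret", int.from_bytes(imm, "little")
        if raw == b"\xc3":
            return "ret", None          # the RET that completes a PUSH/RET hook
        return "bytes", raw             # anything else: keep the raw patch
    return "unknown", None


def parse_gmer(text):
    """Parse '.text' hook lines and 'Process ... hidden' lines of a GMER log."""
    hooks, hidden = [], []
    for line in text.splitlines():
        line = line.strip()
        m = HOOK_RE.match(line)
        if m:
            kind, target = decode_hook(m["rest"])
            hooks.append({
                "process": m["proc"].rsplit("[", 1)[0] if m["proc"] else "<scanner>",
                "pid": int(m["pid"]) if m["pid"] else None,
                "symbol": f"{m['mod']}!{m['func']}",
                "offset": int(m["off"], 16) if m["off"] else 0,
                "addr": int(m["addr"], 16),
                "kind": kind,
                "target": target,
            })
            continue
        m = PROC_RE.match(line)
        if m:
            hidden.append((m["path"], int(m["pid"])))
    return hooks, hidden


def injected_module_bases(hooks):
    """Group PUSH/RET hook targets per process. Targets whose low 16 bits agree
    across processes while the high bits differ point into one injected module
    relocated to a different base in each process (64 KiB base alignment assumed)."""
    per_proc = defaultdict(dict)
    for h in hooks:
        if h["kind"] == "push_ret" and h["offset"] == 0:
            per_proc[h["process"]][h["symbol"]] = h["target"]
    result = {}
    for proc, targets in per_proc.items():
        bases = {t & 0xFFFF0000 for t in targets.values()}
        result[proc] = {
            "base": bases.pop() if len(bases) == 1 else None,
            "offsets": {sym: t & 0xFFFF for sym, t in targets.items()},
        }
    return result


if __name__ == "__main__":
    hooks, hidden = parse_gmer(SAMPLE_LOG)
    for h in hooks:
        tgt = f"{h['target']:08X}" if isinstance(h["target"], int) else h["target"]
        print(f"{h['process']:<36} {h['symbol']}+{h['offset']:X} {h['kind']:<8} {tgt}")
    for proc, info in injected_module_bases(hooks).items():
        base = f"{info['base']:08X}" if info["base"] is not None else "?"
        print(f"{proc}: PUSH/RET hooks land in module at {base}, offsets {info['offsets']}")
    for path, pid in hidden:
        print(f"hidden process: {path} (pid {pid})")
```

Run as-is, it reports that NtEnumerateValueKey and NtQuerySystemInformation are redirected to offsets 0x34ED and 0x3650 of a module whose base differs per process (0x016E0000 in explorer.exe, 0x008F0000 in rundll32.exe), i.e. the same DLL injected into every listed process, which is consistent with the registry and process hiding GMER flagged (the hidden systpro32.exe and the 4T78D2V25K key).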

offline
  • Joined: 04 Sep 2003
  • Posts: 24135
  • Location: Wien

Give me a few more minutes to come up with a tactic and work out exactly what this is about.
It looks like you have several infections on the computer.

Update: 26 Mar 2007 23:06

Look at the following picture:
http://gmer.net/faq.php
Tell me which option is enabled for you when you right-click on the name of that hidden file.
Some functions will not be available, but at least one has to be. Write here which one is available to you.

offline
  • Joined: 25 Mar 2007
  • Posts: 32

only the right mouse button works, and there only the options copy and properties

offline
  • Joined: 04 Sep 2003
  • Posts: 24135
  • Location: Wien

Download the Avenger program from the following link:
http://swandog46.geekstogo.com/avenger.zip

On the first screen select Input script manually, then click the magnifying-glass icon.
In the window that appears, enter the following text:
Files to Delete:
C:\WINDOWS\systpro32.exe

Click the Done button.
It will take you back to the first screen, where you now need to click the traffic-light icon.
If the program doesn't ask for a restart itself, restart the computer yourself.
After the restart the folder should be deleted, and a backup made in the folder c:\avenger.

When that's done, post a new GMER log, as well as a HijackThis log.

offline
  • Joined: 25 Mar 2007
  • Posts: 32

Logfile of HijackThis v1.99.1
Scan saved at 0:11:52 AM, on 3/27/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\RunDLL32.exe
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\notepad.exe
C:\Documents and Settings\Spider\Desktop\lola.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 61.240.111.196:8080
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe


Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\gvcotfvb

*******************

Script file located at: \??\C:\tpcywosc.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

File C:\WINDOWS\systpro32.exe deleted successfully.

Completed script processing.

*******************

Finished! Terminate.


I ran gmer but something got stuck, so I'll send it again in ten minutes once it finishes the scan again, but it's already clear that it's a different story: the system boots differently and nod doesn't report anything anymore, but we'll see, I'm here.

offline
  • Joined: 04 Sep 2003
  • Posts: 24135
  • Location: Wien

I finally managed to find some more information.

Scan with HijackThis and tick the box in front of the following line:
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 61.240.111.196:8080
then click Fix Checked.

That proxy server is somewhere in China, and that line needs to be fixed, unless you deliberately set your internet connection to go through that server.
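The R1 line the moderator points at is a WinINet ProxyServer value that sends all of the user's browser traffic through a machine he never configured. As an added example (not from the thread, and not HijackThis code), the Python below pulls R1 ProxyServer entries out of a HijackThis 1.99.1 log and classifies each proxy host: a routable public IP literal on a home PC is the case to fix, a private or loopback address is the normal corporate/local-filter case, and a hostname cannot be judged offline. The sample log is constructed (the HKCU line is the one from the thread; the HKLM line with 10.1.2.3 is made up for contrast).

```python
import ipaddress
import re

# Constructed sample in the shape of the HijackThis 1.99.1 log in the thread.
# The HKCU line is the one posted; the HKLM line is invented for contrast.
SAMPLE_HJT = r"""
Logfile of HijackThis v1.99.1
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 61.240.111.196:8080
R1 - HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=10.1.2.3:3128;https=10.1.2.3:3128
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
"""

# "R1 - <hive>\<key>,ProxyServer = <setting>"
R1_RE = re.compile(r"^R1 - (?P<key>HK\w+\\[^,]+),ProxyServer = (?P<setting>.+)$")


def proxy_endpoints(setting):
    """Split a WinINet ProxyServer string into (scheme, host, port) tuples.
    Accepts both the bare 'host:port' form and 'http=host:port;https=host:port'."""
    out = []
    for part in setting.split(";"):
        part = part.strip()
        if not part:
            continue
        scheme, _, hostport = part.rpartition("=")
        host, _, port = hostport.rpartition(":")
        out.append((scheme or "*", host, int(port) if port.isdigit() else None))
    return out


def classify_proxy(host):
    """'private' for RFC 1918 / loopback / link-local literals, 'public' for any
    other IP literal, 'name' for a hostname (needs DNS, which this example avoids)."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return "name"
    private = ip.is_private or ip.is_loopback or ip.is_link_local
    return "private" if private else "public"


def proxy_findings(hjt_text):
    """Return one finding per proxy endpoint found in R1 ProxyServer lines."""
    findings = []
    for line in hjt_text.splitlines():
        m = R1_RE.match(line.strip())
        if not m:
            continue
        for scheme, host, port in proxy_endpoints(m["setting"]):
            findings.append({
                "hive": m["key"].split("\\")[0],
                "scheme": scheme,
                "host": host,
                "port": port,
                "verdict": classify_proxy(host),
            })
    return findings


if __name__ == "__main__":
    for f in proxy_findings(SAMPLE_HJT):
        flag = "FIX" if f["verdict"] == "public" else "ok "
        print(f"{flag} {f['hive']} {f['scheme']} -> {f['host']}:{f['port']} ({f['verdict']})")
```

The check deliberately stops at "public IP literal": whether that address is in China, or is a known spam relay, needs external data, and on a home machine the presence of any unexplained external proxy is already reason enough to fix the line, as the moderator advises.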

offline
  • Joined: 25 Mar 2007
  • Posts: 32

Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\gvcotfvb

*******************

Script file located at: \??\C:\tpcywosc.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

File C:\WINDOWS\systpro32.exe deleted successfully.

Completed script processing.

*******************

Finished! Terminate.

GMER 1.0.12.12086 - gmer.net
Rootkit scan 2007-03-27 00:29:55
Windows 5.1.2600 Service Pack 1


---- Kernel code sections - GMER 1.0.12 ----

.text ntoskrnl.exe!KeInitializeInterrupt + B67 804DA23C 1 Byte [ 06 ]
? potvekma.sys The system cannot find the file specified.
.text ntdll.dll!NtClose 77F758AA 5 Bytes JMP 720342BA
.text ntdll.dll!NtCreateProcess 77F759F4 5 Bytes JMP 72034445
.text ntdll.dll!NtCreateProcessEx 77F75A03 5 Bytes JMP 72034329
.text ntdll.dll!NtCreateSection 77F75A21 5 Bytes JMP 720342D8

---- EOF - GMER 1.0.12 ----




it only produced this after deleting that file, maybe I should download the installation again

Update: 27 Mar 2007 0:35

Logfile of HijackThis v1.99.1
Scan saved at 0:34:51 AM, on 3/27/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\RunDLL32.exe
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Spider\Desktop\mara.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe




here it is after ticking fix

offline
  • Joined: 04 Sep 2003
  • Posts: 24135
  • Location: Wien

At a glance this looks OK to me.
I'll leave the thread unlocked for a few days, so if the infection comes back, get back to us.

You'll see that you have a folder named Avenger on C:\.
I'd ask you to pack that folder into a ZIP and send it to us through the following form:
http://www.mycity.rs/ambulanta-upload.php

This isn't mandatory, but if you send us the contents of that folder, we'll forward it to anti-virus laboratories for analysis. That helps improve anti-virus programs.
Delete that folder after a few days if the computer works as it should.

Finally, I'd advise you to install Service Pack 2 for Windows, since your system is very vulnerable without SP2.
The least you can do is install a firewall, to protect yourself at least somewhat from bots and worms.
Also, if you don't install Service Pack 2 for Windows, you can download the Firefox browser and use it instead of Internet Explorer, because Internet Explorer has a great many flaws that make the whole system vulnerable.
The same goes for Outlook Express; you can replace it with Mozilla Thunderbird.

Based on that proxy server, I suspect the infection on your machine happened because you were tricked into clicking a link from some spam mail (e-mail advertising), since I found out that that server has been used a lot for sending such mails.

Look around the forum, there's a lot of advice about these things.

offline
  • Joined: 25 Mar 2007
  • Posts: 32

now everything is fine, absolutely OK, hats off for this much knowledge, in a word, magical, thanks, you're wonderful people, thanks everyone, I'll be more careful now and I'll install SP2 too, regards.

Update: 27 Mar 2007 1:06

as instructed, I'm letting you know that I sent avenger.zip to the specified link, in the way described; be well.

offline
  • Joined: 04 Sep 2003
  • Posts: 24135
  • Location: Wien

Thanks a lot for the upload, we really did find new malware.
Here are the scan results from a couple of dozen antivirus engines:
Antivirus   Version   Last update   Result
AhnLab-V3   2007.3.27.0   03.26.2007   no virus found
AntiVir   7.3.1.44   03.26.2007   TR/Crypt.XPACK.Gen
Authentium   4.93.8   03.26.2007   no virus found
Avast   4.7.936.0   03.25.2007   no virus found
AVG   7.5.0.447   03.26.2007   no virus found
BitDefender   7.2   03.27.2007   BehavesLike:Win32.ExplorerHijack
CAT-QuickHeal   9.00   03.26.2007   no virus found
ClamAV   devel-20070312   03.27.2007   no virus found
DrWeb   4.33   03.26.2007   no virus found
eSafe   7.0.14.0   03.26.2007   suspicious Trojan/Worm
eTrust-Vet   30.6.3512   03.26.2007   no virus found
Ewido   4.0   03.25.2007   no virus found
FileAdvisor   1   03.27.2007   no virus found
Fortinet   2.85.0.0   03.26.2007   Clckr.KY!tr
F-Prot   4.3.1.45   03.26.2007   no virus found
F-Secure   6.70.13030.0   03.26.2007   no virus found
Ikarus   T3.1.1.3   03.26.2007   BehavesLikeWin32.ExplorerHijack
Kaspersky   4.0.2.24   03.27.2007   no virus found
McAfee   4992   03.26.2007   no virus found
Microsoft   1.2306   03.27.2007   no virus found
NOD32v2   2145   03.26.2007   no virus found
Norman   5.80.02   03.23.2007   no virus found
Panda   9.0.0.4   03.27.2007   Trj/Lineage.CVQ
Prevx1   V2   03.27.2007   worm.sdBot
Sophos   4.15.0   03.23.2007   Troj/Clckr-KY
Sunbelt   2.2.907.0   03.24.2007   no virus found
Symantec   10   03.27.2007   no virus found
TheHacker   6.1.6.080   03.23.2007   no virus found
UNA   1.83   03.16.2007   no virus found
VBA32   3.11.2   03.26.2007   no virus found
VirusBuster   4.3.7:9   03.26.2007   no virus found
Webwasher-Gateway   6.0.1   03.26.2007   Trojan.Crypt.XPACK.Gen


I'm sending it for analysis right away.
