win32/agent


offline
  • Joined: 28 Feb 2009
  • Posts: 46

NOD32 reported this to me a little while ago:
208.100.1.14:7777/x a variant of win32/agent
Otherwise, the computer is connected to an ADSL router.

offline
  • Joined: 04 Sep 2003
  • Posts: 24135
  • Location: Wien

The site you just visited tried, using an exploit, to push something onto your computer from that address.
NOD detected it and blocked it successfully.

Does my description match what happened?

offline
  • Joined: 28 Feb 2009
  • Posts: 46

And after that it won't open a single site. The internet connection is there, but no web browser will open anything. Is it possible that this is the reason? NOD only offers me the "terminated" option for that attack.

offline
  • Joined: 04 Sep 2003
  • Posts: 24135
  • Location: Wien

It's fine that only the Terminated option exists.

Is this one of the computers whose logs you posted in Ambulanta over the past few days?

I need to know whether this happens only when you visit a particular site, or whether it happens even when you don't have any browser running.

offline
  • Joined: 28 Feb 2009
  • Posts: 46

This happens when no browser is running. Yes, this is on the computer we cleaned first in Ambulanta (http://www.mycity.rs/Ambulanta/Pomoc-trojanci.html). It was happening before that computer was cleaned, and here it is again now, after the cleaning.

offline
  • Joined: 04 Sep 2003
  • Posts: 24135
  • Location: Wien

Hmmm...

Let's take another look at that computer.
Download HijackThis and ComboFix again, then post the logs for me (HJT log first, then ComboFix).

offline
  • Joined: 28 Feb 2009
  • Posts: 46

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 16:05:07, on 02.03.2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlagent.EXE
C:\progra~1\samsung\smarthru\PORTCTRL.EXE
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\Winamp\winampa.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\NCLAUNCH.EXe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Winamp\winamp.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\t1.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = red.clientapps.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O4 - HKLM\..\Run: [GW Port Controller] c:\progra~1\samsung\smarthru\PORTCTRL.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [TrojanScanner] C:\Program Files\Trojan Remover\Trjscan.exe /boot
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [NCLaunch] C:\WINDOWS\NCLAUNCH.EXe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe (User 'Default user')
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - us.dl1.yimg.com/download.yahoo.com/dl/installs/yinst20040510.cab
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

--
End of file - 3694 bytes

offline
  • Joined: 04 Sep 2003
  • Posts: 24135
  • Location: Wien

Post the ComboFix log too.

offline
  • Joined: 28 Feb 2009
  • Posts: 46

ComboFix 09-03-01.01 - bojana 2009-03-02 16:11:18.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1250.1.1033.18.256.22 [GMT 1:00]
Running from: c:\documents and settings\bojana\Desktop\ComboFix.exe
AV: Eset NOD32 antivirus system 2.51 *On-access scanning disabled* (Updated)
AV: F-Secure Anti-Virus Client Security 5.55 *On-access scanning enabled* (Updated)
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\drivers\sysdrv32.sys

.
((((((((((((((((((((((((( Files Created from 2009-02-02 to 2009-03-02 )))))))))))))))))))))))))))))))
.

2009-03-02 07:22 . 2009-03-02 07:22 109,996 --a------ C:\rest.exe
2009-03-02 07:03 . 2009-03-02 07:03 532,992 --a------ c:\windows\system32\ni.exe
2009-03-02 06:58 . 2009-03-02 06:58 532,992 --a------ c:\windows\system\wmibus.exe.vir
2009-02-28 15:12 . 2009-02-28 15:12 <DIR> d-------- c:\program files\Trend Micro
2009-02-28 14:19 . 2009-02-28 14:19 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2009-02-28 14:19 . 2009-02-28 14:19 <DIR> d-------- c:\documents and settings\bojana\Application Data\Malwarebytes
2009-02-28 14:19 . 2009-02-28 14:19 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-02-28 14:19 . 2009-02-11 10:19 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2009-02-28 14:19 . 2009-02-11 10:19 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2009-02-28 14:17 . 2009-02-28 14:17 <DIR> d-------- c:\windows\system32\NtmsData
2009-02-27 19:08 . 2009-03-02 06:22 <DIR> d-------- C:\USBNoRisk
2009-02-27 09:58 . 2009-03-02 13:38 <DIR> d-a------ c:\documents and settings\All Users\Application Data\TEMP
2009-02-27 09:58 . 2006-05-25 14:52 162,304 --a------ c:\windows\system32\ztvunrar36.dll
2009-02-27 09:58 . 2003-02-02 19:06 153,088 --a------ c:\windows\system32\UNRAR3.dll
2009-02-27 09:58 . 2005-08-26 00:50 77,312 --a------ c:\windows\system32\ztvunace26.dll
2009-02-27 09:58 . 2002-03-06 00:00 75,264 --a------ c:\windows\system32\unacev2.dll
2009-02-27 09:58 . 2006-06-19 12:01 69,632 --a------ c:\windows\system32\ztvcabinet.dll
2009-02-27 09:57 . 2009-02-27 10:11 <DIR> d-------- c:\program files\Trojan Remover
2009-02-27 09:57 . 2009-02-27 09:57 <DIR> d-------- c:\documents and settings\bojana\Application Data\Simply Super Software
2009-02-27 09:57 . 2009-02-27 09:57 <DIR> d-------- c:\documents and settings\All Users\Application Data\Simply Super Software
2009-02-27 09:39 . 2001-08-17 12:13 27,165 --a------ c:\windows\system32\drivers\fetnd5.sys
2009-02-27 09:39 . 2001-08-17 12:13 27,165 --a--c--- c:\windows\system32\dllcache\fetnd5.sys
2009-02-26 12:23 . 2009-02-26 12:23 <DIR> d-------- c:\windows\system32\LogFiles

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-02-27 05:09 --------- d-----w c:\program files\ESET
2006-10-11 08:04 61,036 ----a-w c:\program files\mozilla firefox\components\jar50.dll
2006-10-11 08:04 48,742 ----a-w c:\program files\mozilla firefox\components\jsd3250.dll
2006-10-11 08:05 29,313 ----a-w c:\program files\mozilla firefox\components\myspell.dll
2006-10-11 08:05 41,082 ----a-w c:\program files\mozilla firefox\components\spellchk.dll
2006-10-11 08:04 166,510 ----a-w c:\program files\mozilla firefox\components\xpinstal.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-10-13 1694208]
"NCLaunch"="c:\windows\NCLAUNCH.EXe" [2006-09-02 40960]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"GW Port Controller"="c:\progra~1\samsung\smarthru\PORTCTRL.EXE" [2004-02-09 163840]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"nod32kui"="c:\program files\Eset\nod32kui.exe" [2006-05-31 921600]
"WinampAgent"="c:\program files\Winamp\winampa.exe" [2008-08-04 36352]
"TrojanScanner"="c:\program files\Trojan Remover\Trjscan.exe" [2009-02-15 1214856]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Service Manager.lnk - c:\program files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe [2002-12-17 74308]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
--a------ 2005-12-15 10:18 49152 c:\program files\HP\HP Software Update\hpwuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\RZZO\\Apoteka 2.1\\Obrada Recepata.exe"=
"c:\\WINDOWS\\System32\\ni.exe"=

S2 WMIBUS;WMI Bus Database; [x]
S3 NtApm;NT Apm/Legacy Interface Driver;c:\windows\system32\drivers\NtApm.sys [2006-03-18 9344]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
uInternet Connection Wizard,ShellNext = iexplore
uSearchURL,(Default) = hxxp://red.clientapps.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
LSP: c:\windows\system32\imon.dll
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\bojana\Application Data\Mozilla\Firefox\Profiles\9wde14uz.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - about:blank
FF - component: c:\program files\Mozilla Firefox\components\xpinstal.dll
FF - component: c:\program files\Mozilla Firefox\extensions\talkback@mozilla.org\components\qfaservices.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, gmer.net
Rootkit scan 2009-03-02 16:13:07
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'lsass.exe'(696)
c:\windows\system32\imon.dll
.
Completion time: 2009-03-02 16:16:08
ComboFix-quarantined-files.txt 2009-03-02 15:15:54
ComboFix2.txt 2009-02-28 15:36:58

Pre-Run: 2,861,891,584 bytes free
Post-Run: 2,850,295,808 bytes free


Addendum: 02 Mar 2009 17:04

Here is today's message from NOD as well:
Time Module Object Name Threat Action User Information
02.03.2009 12:21:28 IMON file http://208.100.1.14:7777/x a variant of Win32/Agent.NSH trojan NT AUTHORITY\SYSTEM
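Added example (not from the original thread, and not ESET or ComboFix code): a small Python triage script that pulls out of a ComboFix log the indicators a helper reads first in a case like this one (same-day executables such as rest.exe and ni.exe, the WMIBUS service whose image file is missing, the Security Center notifications switched off, the Windows Firewall disabled, and ni.exe added to the firewall exception list), and that splits the NOD32 IMON event line into fields, including the host:port of the download and the fact that it ran under NT AUTHORITY\SYSTEM rather than the logged-in user, which is what you would expect from a service or driver rather than a browser. The log excerpt is constructed from the lines posted above, and the allowlist of known firewall exceptions is an assumption.

```python
import re
from datetime import date, timedelta
from urllib.parse import urlsplit

# Constructed sample: the IMON event line posted in the thread.
IMON_LINE = (r"02.03.2009 12:21:28 IMON file http://208.100.1.14:7777/x "
             r"a variant of Win32/Agent.NSH trojan NT AUTHORITY\SYSTEM")

# Constructed sample: excerpts of the ComboFix log posted in the thread.
COMBOFIX_LOG = r"""
(((( Other Deletions ))))
.
c:\windows\system32\drivers\sysdrv32.sys
.
(((( Files Created from 2009-02-02 to 2009-03-02 ))))
.
2009-03-02 07:22 . 2009-03-02 07:22 109,996 --a------ C:\rest.exe
2009-03-02 07:03 . 2009-03-02 07:03 532,992 --a------ c:\windows\system32\ni.exe
2009-03-02 06:58 . 2009-03-02 06:58 532,992 --a------ c:\windows\system\wmibus.exe.vir
2009-02-28 15:12 . 2009-02-28 15:12 <DIR> d-------- c:\program files\Trend Micro
2009-02-28 14:19 . 2009-02-11 10:19 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\RZZO\\Apoteka 2.1\\Obrada Recepata.exe"=
"c:\\WINDOWS\\System32\\ni.exe"=

S2 WMIBUS;WMI Bus Database; [x]
S3 NtApm;NT Apm/Legacy Interface Driver;c:\windows\system32\drivers\NtApm.sys [2006-03-18 9344]
"""
SCAN_DATE = date(2009, 3, 2)  # taken from the ComboFix header in the thread

# Assumption: binaries that legitimately sit in an XP firewall exception list
# (sessmgr.exe, the Remote Desktop Help Session Manager, ships with Windows XP).
KNOWN_FIREWALL_APPS = {"sessmgr.exe"}
EXEC_EXT = {"exe", "sys", "dll", "vir"}  # .vir = renamed copy left by a cleaner

IMON_RE = re.compile(
    r"^(?P<date>\S+) (?P<time>\S+) (?P<module>\w+) (?P<kind>\w+) "
    r"(?P<object>\S+) (?P<threat>.+?) (?P<user>[A-Z ]+\\\S+)$")


def parse_imon_event(line):
    """Split one IMON log line into fields and pull host/port out of the URL."""
    m = IMON_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    url = urlsplit(ev["object"])
    ev["host"], ev["port"] = url.hostname, url.port
    # A browser started by the logged-in user is logged under that account;
    # a download attributed to NT AUTHORITY\SYSTEM points at a service/driver.
    ev["system_context"] = ev["user"].upper().startswith("NT AUTHORITY\\")
    return ev


def triage_combofix(text, scan_date=SCAN_DATE, recent_days=1):
    """Pull out of a ComboFix log the indicators a helper checks first."""
    r = {"deleted": [], "recent_executables": [], "notify_disabled": [],
         "firewall_enabled": None, "firewall_authorized": [],
         "suspicious_authorized": [], "missing_services": []}
    section = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == ".":
            continue
        if line.startswith("((((") or line.startswith("["):
            section = line  # a banner or a registry key opens a new section
            continue
        m = re.match(r'"(\w+DisableNotify)"=dword:0*1$', line)
        if m:  # Security Center alert for AV/updates/firewall switched off
            r["notify_disabled"].append(m.group(1))
            continue
        m = re.match(r'"EnableFirewall"=\s*(\d)', line)
        if m:
            r["firewall_enabled"] = m.group(1) == "1"
            continue
        m = re.match(r"^S\d (\w+);.*\[x\]$", line)
        if m:  # service still registered but its image file is gone
            r["missing_services"].append(m.group(1))
            continue
        if "Other Deletions" in section:
            r["deleted"].append(line)
        elif "Files Created" in section:
            # created-date created-time . modified-date modified-time size attrs path
            parts = line.split(None, 7)
            if len(parts) == 8 and parts[5] != "<DIR>":
                created, path = date.fromisoformat(parts[0]), parts[7]
                if (path.rsplit(".", 1)[-1].lower() in EXEC_EXT
                        and scan_date - created <= timedelta(days=recent_days)):
                    r["recent_executables"].append(path)
        elif section.endswith("AuthorizedApplications\\List]") and line.startswith('"'):
            # REGEDIT4 export doubles the backslashes; undo that before matching
            path = line.rstrip("=").strip('"').replace("\\\\", "\\")
            r["firewall_authorized"].append(path)
            name = path.rsplit("\\", 1)[-1].lower()
            if "\\system32\\" in path.lower() and name not in KNOWN_FIREWALL_APPS:
                r["suspicious_authorized"].append(path)
    return r


if __name__ == "__main__":
    ev = parse_imon_event(IMON_LINE)
    print(f"IMON: {ev['threat']} from {ev['host']}:{ev['port']} "
          f"as {ev['user']} (system context: {ev['system_context']})")
    for key, val in triage_combofix(COMBOFIX_LOG).items():
        print(f"{key}: {val}")
```

The point of `system_context` is the same one the helper is getting at by asking whether the alert fires with no browser open: an IMON hit logged under NT AUTHORITY\SYSTEM while the user has nothing running is a service or driver making the request, which is why the next step is a firewall to catch the outbound connection.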

offline
  • Joined: 04 Sep 2003
  • Posts: 24135
  • Location: Wien

Go ahead and install a firewall program, so we can see whether this is a bot.

Open Notepad and copy the following text into it:

File::
C:\rest.exe
c:\windows\system32\ni.exe
c:\windows\system\wmibus.exe.vir

Driver::
WMIBUS


Save the file from Notepad to the Desktop as "CFScript".

Drag the saved script/text file onto the ComboFix icon, as in the picture.
In your next message, post the log that is produced at the end of the cleaning/scan.

================================

Are you using some animated desktop background? Some flash file you downloaded recently?
