Možda tražite i:
Trojanac win32/agent ponovo
moj prvi trojanac...POMOZITEEEEEEEEE
Trojanac mozda....
IE trojanac

MyCity » Ambulanta -> Arhiva Ambulante » trojanac

trojanac

Napisano na dan: 25.3.2007

Strana:
1
2
3

trojanac

Sledeća strana

Pagination

Odgovori

Strana:
1
2
3

zoranjag Poslao: 25 Mar 2007 10:12 Idi na vrh
offline zoranjag Građanin Pridružio: 25 Mar 2007 Poruke: 32	0Niko još nije pohvalio poruku. Registruj se da bi pohvalio/la poruku! kako da obrisem trojanca it_0301.exe, av koji koristim je nod 32 2.5 hvala na pomoci, inace to je win32/dialer.agent.d

Profil

marko antonije Poslao: 25 Mar 2007 10:59 Idi na vrh
offline marko antonije Ugledni građanin Pridružio: 09 Jan 2006 Poruke: 317	0Niko još nije pohvalio poruku. Registruj se da bi pohvalio/la poruku! Zoranjag, procitaj ovo uputstvo http://www.mycity.rs/Ambulanta/Procitati-pre-otvaranja-teme.html i kao sto u njemu pise postavi ovde log programa HijackThis, budi strpljiv/a i dobices zadovoljavajuci odgovor o tvom problemu.

Profil

zoranjag Poslao: 25 Mar 2007 13:41 Idi na vrh
offline zoranjag Građanin Pridružio: 25 Mar 2007 Poruke: 32	0Niko još nije pohvalio poruku. Registruj se da bi pohvalio/la poruku! Logfile of HijackThis v1.99.1 Scan saved at 13:38:18 PM, on 3/25/2007 Platform: Windows XP SP1 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\System32\RunDLL32.exe C:\Program Files\Eset\nod32kui.exe C:\Program Files\Eset\nod32krn.exe C:\WINDOWS\System32\nvsvc32.exe C:\Program Files\Internet Explorer\iexplore.exe D:\ZVUCI\HijackThis.exe R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 61.240.111.196:8080 F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\Userinit.exe O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx O2 - BHO: edit_html Class - {14D1A72D-8705-11D8-B120-0040F46CB696} - C:\Documents and Settings\Spider\324231330.dll (file missing) O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup O4 - HKLM\..\Run: [nwiz] nwiz.exe /install O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000 O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

Profil

marko antonije Poslao: 26 Mar 2007 00:45 Idi na vrh
offline marko antonije Ugledni građanin Pridružio: 09 Jan 2006 Poruke: 317	0Niko još nije pohvalio poruku. Registruj se da bi pohvalio/la poruku! Zoranjag, pazljivo sledi sledece instrukcije: prvo, pokusaj da nadjes i obrises sledeci fajl: C:\Documents and Settings\Spider\324231330.dll, mala napomena, da bi mogao da obrises ovaj fajl moras uci u Safe Mode, evo uputstva za ulazak u Safe Mode http://www.mycity.rs/Uputstva-sa-ex-SuperSajta/Kako-uci-u-SAFE-MODE.html drugo, preimenuj program HijackThis.exe u bilo koje drugo ime, na primer u duga.exe, trece, skeniraj opet, ali ovoga puta preimenovanim programom HijackThis i cekiraj sledecu putanju: F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\Userinit.exe, pretisni dugme Fix checked, cetvrto, skini Ewido micro (8Mb) : http://downloads.ewido.net/ewido_micro.exe Kako se radi sa Ewido micro: - na prvom ekranu odaberi sve particije (štikliraj polja ispred njih) - klikni na dugme Start Scan - nakon završenog skeniranja klikni na Save Report i snimi log fajl na sigurno mesto - klikni na Remove Infections - iskopiraj nam ovde sadržaj log fajla koji je malopre snimljen peto, nakon skeniranja sa Ewidom i postavljanja njegovog log fajla, postavi nam i svez log preimenovanog programa HijackThis.

Profil

zoranjag Poslao: 26 Mar 2007 20:12 Idi na vrh
offline zoranjag Građanin Pridružio: 25 Mar 2007 Poruke: 32	0Niko još nije pohvalio poruku. Registruj se da bi pohvalio/la poruku! evo uspeo sam, postupio sam po instrukciji sto se tice HijackThis.exe promeni sam ime i skenirao pa cekirao ono sto ste naznacili pa opet logo i to je u redu medjutim geskom nisam napravio logo ewido a bio je pronasao dva dropera i jedan generik u registrima obrisao sam i sada neme logo.Logfile of HijackThis v1.99.1 Scan saved at 11:23:43 AM, on 3/26/2007 Platform: Windows XP SP1 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\system32\spoolsv.exe C:\Program Files\Eset\nod32krn.exe C:\WINDOWS\System32\nvsvc32.exe C:\WINDOWS\System32\RunDLL32.exe C:\Program Files\Eset\nod32kui.exe C:\Documents and Settings\Spider\Desktop\duga.exe C:\WINDOWS\system32\NOTEPAD.EXE R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 61.240.111.196:8080 F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\Userinit.exe O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup O4 - HKLM\..\Run: [nwiz] nwiz.exe /install O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -startup O4 - HKCU\..\Run: [PcSync] C:\Program Files\Nokia\Nokia PC Suite 6\PCSync2.exe /NoDialog O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000 O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe Dopuna: 26 Mar 2007 12:15 Time Module Object Name Threat Action User Information 3/26/2007 12:04:59 PM AMON file C:\DOCUME~1\Spider\LOCALS~1\Temp\winsyst32.exe Win32/Rustock.NAX trojan quarantined - deleted SLUZBA-E5ECM8G7\Spider Event occurred on a new file created by the application: C:\Program Files\Internet Explorer\iexplore.exe. The file was moved to quarantine. You may close this window. 3/26/2007 12:04:55 PM AMON file C:\DOCUME~1\Spider\LOCALS~1\Temp\winsyst32.exe Win32/TrojanClicker.Agent.HZ trojan quarantined - deleted SLUZBA-E5ECM8G7\Spider Event occurred on a new file created by the application: C:\Program Files\Internet Explorer\iexplore.exe. The file was moved to quarantine. You may close this window. 3/26/2007 12:04:51 PM AMON file C:\DOCUME~1\Spider\LOCALS~1\Temp\it_0301.exe a variant of Win32/Dialer.Agent.D application quarantined - deleted SLUZBA-E5ECM8G7\Spider Event occurred on a new file created by the application: C:\Program Files\Internet Explorer\iexplore.exe. The file was moved to quarantine. You may close this window. 3/26/2007 10:43:04 AM AMON file C:\DOCUME~1\Spider\LOCALS~1\Temp\it_0301.exe a variant of Win32/Dialer.Agent.D application quarantined - deleted SLUZBA-E5ECM8G7\Spider Event occurred on a new file created by the application: C:\Program Files\Internet Explorer\iexplore.exe. The file was moved to quarantine. You may close this window. 3/26/2007 10:43:01 AM AMON file C:\DOCUME~1\Spider\LOCALS~1\Temp\winsyst32.exe Win32/TrojanClicker.Agent.HZ trojan quarantined - deleted SLUZBA-E5ECM8G7\Spider Event occurred on a new file created by the application: C:\Program Files\Internet Explorer\iexplore.exe. The file was moved to quarantine. You may close this window. 3/26/2007 10:42:58 AM AMON file C:\DOCUME~1\Spider\LOCALS~1\Temp\it_0301.exe a variant of Win32/Dialer.Agent.D application quarantined - deleted SLUZBA-E5ECM8G7\Spider Event occurred on a new file created by the application: C:\Program Files\Internet Explorer\iexplore.exe. The file was moved to quarantine. You may close this window. 3/26/2007 10:42:56 AM AMON file C:\DOCUME~1\Spider\LOCALS~1\Temp\winsyst32.exe Win32/Rustock.NAX trojan quarantined - deleted SLUZBA-E5ECM8G7\Spider Event occurred on a new file created by the application: C:\Program Files\Internet Explorer\iexplore.exe. The file was moved to quarantine. You may close this window. 3/26/2007 10:23:18 AM AMON file C:\DOCUME~1\Spider\LOCALS~1\Temp\winsyst32.exe Win32/Rustock.NAX trojan quarantined - deleted SLUZBA-E5ECM8G7\Spider Event occurred on a new file created by the application: C:\Program Files\Internet Explorer\iexplore.exe. The file was moved to quarantine. You may close this window. 3/26/2007 10:23:14 AM AMON file C:\DOCUME~1\Spider\LOCALS~1\Temp\winsyst32.exe Win32/TrojanClicker.Agent.HZ trojan quarantined - deleted SLUZBA-E5ECM8G7\Spider Event occurred on a new file created by the application: C:\Program Files\Internet Explorer\iexplore.exe. The file was moved to quarantine. You may close this window. 3/26/2007 10:23:10 AM AMON file C:\DOCUME~1\Spider\LOCALS~1\Temp\it_0301.exe a variant of Win32/Dialer.Agent.D application quarantined - deleted SLUZBA-E5ECM8G7\Spider Event occurred on a new file created by the application: C:\Program Files\Internet Explorer\iexplore.exe. The file was moved to quarantine. You may close this window. 3/26/2007 9:08:53 AM AMON file C:\DOCUME~1\Spider\LOCALS~1\Temp\winsyst32.exe Win32/TrojanClicker.Agent.HZ trojan quarantined - deleted SLUZBA-E5ECM8G7\Spider Event occurred on a new file created by the application: C:\Program Files\Internet Explorer\iexplore.exe. The file was moved to quarantine. You may close this window. 3/26/2007 9:08:49 AM AMON file C:\DOCUME~1\Spider\LOCALS~1\Temp\it_0301.exe a variant of Win32/Dialer.Agent.D application quarantined - deleted SLUZBA-E5ECM8G7\Spider Event occurred on a new file created by the application: C:\Program Files\Internet Explorer\iexplore.exe. The file was moved to quarantine. You may close this window. 3/26/2007 9:08:24 AM AMON file C:\DOCUME~1\Spider\LOCALS~1\Temp\it_0301.exe a variant of Win32/Dialer.Agent.D application quarantined - deleted SLUZBA-E5ECM8G7\Spider Event occurred on a new file created by the application: C:\Program Files\Internet Explorer\iexplore.exe. The file was moved to quarantine. You may close this window. 3/26/2007 9:08:16 AM AMON file C:\DOCUME~1\Spider\LOCALS~1\Temp\winsyst32.exe Win32/Rustock.NAX trojan quarantined - deleted SLUZBA-E5ECM8G7\Spider Event occurred on a new file created by the application: C:\Program Files\Internet Explorer\iexplore.exe. The file was moved to quarantine. You may close this window. 3/26/2007 8:43:07 AM AMON file C:\DOCUME~1\Spider\LOCALS~1\Temp\winsyst32.exe Win32/Rustock.NAX trojan quarantined - deleted SLUZBA-E5ECM8G7\Spider Event occurred on a new file created by the application: C:\Program Files\Internet Explorer\iexplore.exe. The file was moved to quarantine. You may close this window. 3/26/2007 8:43:04 AM AMON file C:\DOCUME~1\Spider\LOCALS~1\Temp\winsyst32.exe Win32/TrojanClicker.Agent.HZ trojan quarantined - deleted SLUZBA-E5ECM8G7\Spider Event occurred on a new file created by the application: C:\Program Files\Internet Explorer\iexplore.exe. The file was moved to quarantine. You may close this window. 3/26/2007 8:41:42 AM AMON file C:\DOCUME~1\Spider\LOCALS~1\Temp\it_0301.exe a variant of Win32/Dialer.Agent.D application quarantined - deleted SLUZBA-E5ECM8G7\Spider Event occurred on a new file created by the application: C:\Program Files\Internet Explorer\iexplore.exe. The file was moved to quarantine. You may close this window. 3/26/2007 7:35:49 AM AMON file C:\DOCUME~1\Spider\LOCALS~1\Temp\winsyst32.exe Win32/TrojanClicker.Agent.HZ trojan quarantined - deleted SLUZBA-E5ECM8G7\Spider Event occurred on a new file created by the application: C:\Program Files\Internet Explorer\iexplore.exe. The file was moved to quarantine. You may close this window. 3/26/2007 7:35:42 AM AMON file C:\DOCUME~1\Spider\LOCALS~1\Temp\it_0301.exe a variant of Win32/Dialer.Agent.D application quarantined - deleted SLUZBA-E5ECM8G7\Spider Event occurred on a new file created by the application: C:\Program Files\Internet Explorer\iexplore.exe. The file was moved to quarantine. You may close this window. 3/26/2007 7:35:30 AM AMON file C:\DOCUME~1\Spider\LOCALS~1\Temp\winsyst32.exe Win32/Rustock.NAX trojan quarantined - deleted SLUZBA-E5ECM8G7\Spider Event occurred on a new file created by the application: C:\Program Files\Internet Explorer\iexplore.exe. The file was moved to quarantine. You may close this window. Ovo je sadrzina loga koje pravi nod 32 2.5 i uvek kad startujem racunar izadje crven prozor nod 32 Threat detected i to samo kad je adsl ukljucen kad nije ukljucen adsl nod nista ne prijavljuje, veliko Vam hvala nadam se da cemo uspeti da ga povratimo. Dopuna: 26 Mar 2007 20:12 postovani evo poslednje stanje logo jer sam u medjuvremenu pobrisao stvari koje sam cuvao na hard disku koje mogu kasnije da ponovo instaliramLogfile of HijackThis v1.99.1 Scan saved at 20:05:27 PM, on 3/26/2007 Platform: Windows XP SP1 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\Explorer.EXE C:\Program Files\Eset\nod32krn.exe C:\WINDOWS\System32\nvsvc32.exe C:\WINDOWS\System32\RunDLL32.exe C:\Program Files\Eset\nod32kui.exe C:\Program Files\Internet Explorer\iexplore.exe C:\Documents and Settings\Spider\Desktop\duga.exe R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 61.240.111.196:8080 O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup O4 - HKLM\..\Run: [nwiz] nwiz.exe /install O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000 O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe Dakle i dalje postoje trojanci pod istim nazivom

Profil

bobby Poslao: 26 Mar 2007 20:17 Idi na vrh
offline bobby Administrator Pridružio: 04 Sep 2003 Poruke: 24135 Gde živiš: Wien	0Niko još nije pohvalio poruku. Registruj se da bi pohvalio/la poruku! Pozdrav zoranjag, posto marko antonije nije trenutno na forumu, uputicu te na sledeci korak. Uradi sledeće: Preuzmi fajl gmer.zip sa ovog linka i sačuvaj na Desktop-u. Raspakuj ga u neki folder. Dupli klik na gmer.exe za početak: Izaberi Rootkit Tab na vrhu. Klikni na Scan. Kada je skeniranje završeno, klik na Copy dugme ispod - ovo će sačuvati to u Clipboard. U polju za pisanje poruke na forumu klikni desno dugme misa i odaberi opciju Paste.

Profil

zoranjag Poslao: 26 Mar 2007 21:29 Idi na vrh
offline zoranjag Građanin Pridružio: 25 Mar 2007 Poruke: 32	0Niko još nije pohvalio poruku. Registruj se da bi pohvalio/la poruku! GMER 1.0.12.12086 - gmer.net Rootkit scan 2007-03-26 21:28:27 Windows 5.1.2600 Service Pack 1 ---- System - GMER 1.0.12 ---- SYSENTER \??\C:\WINDOWS\System32:lzx32.sys Code \??\C:\WINDOWS\System32:lzx32.sys ---- Kernel code sections - GMER 1.0.12 ---- .text ntoskrnl.exe!KeInitializeInterrupt + B67 .text ntoskrnl.exe!Kei386EoiHelper + 1448 ? C:\WINDOWS\System32:lzx32.sys .text tcpip.sys!IPTransmit + 93E .text tcpip.sys!IPTransmit + A35E .text tcpip.sys!IPSetIPSecStatus + 53A .text wanarp.sys .text ntdll.dll!NtClose .text ntdll.dll!NtCreateProcess .text ntdll.dll!NtCreateProcessEx .text ntdll.dll!NtCreateSection .text ntdll.dll!NtEnumerateKey .text ntdll.dll!NtEnumerateKey + 5 .text ntdll.dll!NtEnumerateValueKey .text ntdll.dll!NtEnumerateValueKey + 5 .text ntdll.dll!NtQuerySystemInformation .text ntdll.dll!NtQuerySystemInformation + 5 ---- User code sections - GMER 1.0.12 ---- .text C:\Documents and Settings\Spider\Local Settings\Temp\Temporary .text C:\Documents and Settings\Spider\Local Settings\Temp\Temporary .text C:\Documents and Settings\Spider\Local Settings\Temp\Temporary .text C:\Documents and Settings\Spider\Local Settings\Temp\Temporary .text C:\Documents and Settings\Spider\Local Settings\Temp\Temporary .text C:\Documents and Settings\Spider\Local Settings\Temp\Temporary .text C:\WINDOWS\system32\rundll32.exe[468] ntdll.dll!NtEnumerateKey .text C:\WINDOWS\system32\rundll32.exe[468] ntdll.dll!NtEnumerateKey + 5 .text C:\WINDOWS\system32\rundll32.exe[468] ntdll.dll!NtEnumerateValueKey .text C:\WINDOWS\system32\rundll32.exe[468] ntdll.dll!NtEnumerateValueKey + 5 .text C:\WINDOWS\system32\rundll32.exe[468] ntdll.dll!NtQuerySystemInformation .text C:\WINDOWS\system32\rundll32.exe[468] ntdll.dll!NtQuerySystemInformation .text C:\Program Files\ESET\nod32kui.exe[476] ntdll.dll!NtEnumerateKey .text C:\Program Files\ESET\nod32kui.exe[476] ntdll.dll!NtEnumerateKey + 5 .text C:\Program Files\ESET\nod32kui.exe[476] ntdll.dll!NtEnumerateValueKey .text C:\Program Files\ESET\nod32kui.exe[476] ntdll.dll!NtEnumerateValueKey + 5 .text C:\Program Files\ESET\nod32kui.exe[476] ntdll.dll!NtQuerySystemInformation .text C:\Program Files\ESET\nod32kui.exe[476] ntdll.dll!NtQuerySystemInformation .text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1208] .text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1208] .text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1208] .text C:\WINDOWS\explorer.exe[1704] ntdll.dll!NtEnumerateKey .text C:\WINDOWS\explorer.exe[1704] ntdll.dll!NtEnumerateKey + 5 .text C:\WINDOWS\explorer.exe[1704] ntdll.dll!NtEnumerateValueKey .text C:\WINDOWS\explorer.exe[1704] ntdll.dll!NtEnumerateValueKey + 5 .text C:\WINDOWS\explorer.exe[1704] ntdll.dll!NtQuerySystemInformation .text C:\WINDOWS\explorer.exe[1704] ntdll.dll!NtQuerySystemInformation + 5 ---- Processes - GMER 1.0.12 ---- Process C:\WINDOWS\systpro32.exe (* hidden * ) ---- Services - GMER 1.0.12 ---- Service C:\WINDOWS\System32:lzx32.sys (* hidden * ) ---- Registry - GMER 1.0.12 ---- Reg \Registry\MACHINE\SOFTWARE\4T78D2V25K Reg \Registry\MACHINE\SOFTWARE\4T78D2V25K@4T78D2V25K Reg \Registry\MACHINE\SOFTWARE\4T78D2V25K@4T78D2V25K Reg \Registry\MACHINE\SYSTEM\ControlSet002\Services\pe386 Reg \Registry\MACHINE\SYSTEM\ControlSet002\Services\pe386@Type Reg \Registry\MACHINE\SYSTEM\ControlSet002\Services\pe386@Start Reg \Registry\MACHINE\SYSTEM\ControlSet002\Services\pe386@ErrorControl Reg \Registry\MACHINE\SYSTEM\ControlSet002\Services\pe386@ImagePath Reg \Registry\MACHINE\SYSTEM\ControlSet002\Services\pe386@DisplayName Reg \Registry\MACHINE\SYSTEM\ControlSet002\Services\pe386@Group Reg \Registry\MACHINE\SYSTEM\ControlSet002\Services\pe386@ExtParam Reg \Registry\MACHINE\SYSTEM\ControlSet002\Services\pe386@Checked Reg \Registry\MACHINE\SYSTEM\ControlSet002\Services\pe386@Type Reg \Registry\MACHINE\SYSTEM\ControlSet002\Services\pe386@Start Reg \Registry\MACHINE\SYSTEM\ControlSet002\Services\pe386@ErrorControl Reg \Registry\MACHINE\SYSTEM\ControlSet002\Services\pe386@ImagePath Reg \Registry\MACHINE\SYSTEM\ControlSet002\Services\pe386@DisplayName Reg \Registry\MACHINE\SYSTEM\ControlSet002\Services\pe386@Group Reg \Registry\MACHINE\SYSTEM\ControlSet002\Services\pe386@ExtParam Reg \Registry\MACHINE\SYSTEM\ControlSet002\Services\pe386@Checked Reg \Registry\MACHINE\SYSTEM\ControlSet002\Services\pe386\Security Reg \Registry\MACHINE\SYSTEM\ControlSet002\Services\pe386@Type Reg \Registry\MACHINE\SYSTEM\ControlSet002\Services\pe386@Start Reg \Registry\MACHINE\SYSTEM\ControlSet002\Services\pe386@ErrorControl Reg \Registry\MACHINE\SYSTEM\ControlSet002\Services\pe386@ImagePath Reg \Registry\MACHINE\SYSTEM\ControlSet002\Services\pe386@DisplayName Reg \Registry\MACHINE\SYSTEM\ControlSet002\Services\pe386@Group Reg \Registry\MACHINE\SYSTEM\ControlSet002\Services\pe386@ExtParam Reg \Registry\MACHINE\SYSTEM\ControlSet002\Services\pe386@Checked Reg \Registry\MACHINE\SYSTEM\ControlSet002\Services\pe386\Enum Reg \Registry\MACHINE\SYSTEM\ControlSet002\Services\pe386@Type Reg \Registry\MACHINE\SYSTEM\ControlSet002\Services\pe386@Start Reg \Registry\MACHINE\SYSTEM\ControlSet002\Services\pe386@ErrorControl Reg \Registry\MACHINE\SYSTEM\ControlSet002\Services\pe386@ImagePath Reg \Registry\MACHINE\SYSTEM\ControlSet002\Services\pe386@DisplayName Reg \Registry\MACHINE\SYSTEM\ControlSet002\Services\pe386@Group Reg \Registry\MACHINE\SYSTEM\ControlSet002\Services\pe386@ExtParam Reg \Registry\MACHINE\SYSTEM\ControlSet002\Services\pe386@Checked Reg \Registry\MACHINE\SYSTEM\ControlSet003\Services\pe386 Reg \Registry\MACHINE\SYSTEM\ControlSet003\Services\pe386@Type Reg \Registry\MACHINE\SYSTEM\ControlSet003\Services\pe386@Start Reg \Registry\MACHINE\SYSTEM\ControlSet003\Services\pe386@ErrorControl Reg \Registry\MACHINE\SYSTEM\ControlSet003\Services\pe386@ImagePath Reg \Registry\MACHINE\SYSTEM\ControlSet003\Services\pe386@DisplayName Reg \Registry\MACHINE\SYSTEM\ControlSet003\Services\pe386@Group Reg \Registry\MACHINE\SYSTEM\ControlSet003\Services\pe386@ExtParam Reg \Registry\MACHINE\SYSTEM\ControlSet003\Services\pe386@Checked Reg \Registry\MACHINE\SYSTEM\ControlSet003\Services\pe386@Type Reg \Registry\MACHINE\SYSTEM\ControlSet003\Services\pe386@Start Reg \Registry\MACHINE\SYSTEM\ControlSet003\Services\pe386@ErrorControl Reg \Registry\MACHINE\SYSTEM\ControlSet003\Services\pe386@ImagePath Reg \Registry\MACHINE\SYSTEM\ControlSet003\Services\pe386@DisplayName Reg \Registry\MACHINE\SYSTEM\ControlSet003\Services\pe386@Group Reg \Registry\MACHINE\SYSTEM\ControlSet003\Services\pe386@ExtParam Reg \Registry\MACHINE\SYSTEM\ControlSet003\Services\pe386@Checked Reg \Registry\MACHINE\SYSTEM\ControlSet003\Services\pe386\Security Reg \Registry\MACHINE\SYSTEM\ControlSet003\Services\pe386@Type Reg \Registry\MACHINE\SYSTEM\ControlSet003\Services\pe386@Start Reg \Registry\MACHINE\SYSTEM\ControlSet003\Services\pe386@ErrorControl Reg \Registry\MACHINE\SYSTEM\ControlSet003\Services\pe386@ImagePath Reg \Registry\MACHINE\SYSTEM\ControlSet003\Services\pe386@DisplayName Reg \Registry\MACHINE\SYSTEM\ControlSet003\Services\pe386@Group Reg \Registry\MACHINE\SYSTEM\ControlSet003\Services\pe386@ExtParam Reg \Registry\MACHINE\SYSTEM\ControlSet003\Services\pe386@Checked Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\pe386 Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\pe386@Type Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\pe386@Start Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\pe386@ErrorControl Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\pe386@ImagePath Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\pe386@DisplayName Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\pe386@Group Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\pe386@ExtParam Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\pe386@Checked Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\pe386@Type Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\pe386@Start Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\pe386@ErrorControl Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\pe386@ImagePath Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\pe386@DisplayName Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\pe386@Group Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\pe386@ExtParam Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\pe386@Checked Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\pe386\Security Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\pe386@Type Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\pe386@Start Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\pe386@ErrorControl Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\pe386@ImagePath Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\pe386@DisplayName Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\pe386@Group Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\pe386@ExtParam Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\pe386@Checked Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\pe386\Enum Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\pe386@Type Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\pe386@Start Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\pe386@ErrorControl Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\pe386@ImagePath Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\pe386@DisplayName Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\pe386@Group Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\pe386@ExtParam Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\pe386@Checked ---- Files - GMER 1.0.12 ---- ADS C:\WINDOWS\system32:lzx32.sys ---- EOF - GMER 1.0.12 ---- postovani bobby evo to je gotovo cekam instrukciju pozdrav F7EC2B9F pIofCallDriver 804DA23C 1 Byte [ 06 ] 804DBD7F 3 Bytes [ D1, 46, 6A ] The system cannot find the file specified. F7E4F6A2 6 Bytes CALL F7EC4924 \??\C:\WINDOWS\System32:lzx32.sys F7E590C2 6 Bytes CALL F7EC4924 \??\C:\WINDOWS\System32:lzx32.sys F7E6386C 6 Bytes CALL F7EC4924 \??\C:\WINDOWS\System32:lzx32.sys F9C460C1 7 Bytes CALL F7EC492E \??\C:\WINDOWS\System32:lzx32.sys 77F758AA 5 Bytes JMP 720342BA 77F759F4 5 Bytes JMP 72034445 77F75A03 5 Bytes JMP 72034329 77F75A21 5 Bytes JMP 720342D8 77F75B5C 4 Bytes JMP 3AF81693 77F75B61 1 Byte [ C3 ] 77F75B7A 4 Bytes [ 68, ED, 34, BB ] 77F75B7F 1 Byte [ C3 ] 77F76152 4 Bytes [ 68, 50, 36, BB ] 77F76157 1 Byte [ C3 ] Directory 3 for gmer.zip\gmer.exe[384] ntdll.dll!NtEnumerateKey 77F75B5C 4 Bytes JMP 3AF81693 Directory 3 for gmer.zip\gmer.exe[384] ntdll.dll!NtEnumerateKey + 5 77F75B61 1 Byte [ C3 ] Directory 3 for gmer.zip\gmer.exe[384] ntdll.dll!NtEnumerateValueKey 77F75B7A 4 Bytes [ 68, ED, 34, BB ] Directory 3 for gmer.zip\gmer.exe[384] ntdll.dll!NtEnumerateValueKey + 5 77F75B7F 1 Byte [ C3 ] Directory 3 for gmer.zip\gmer.exe[384] ntdll.dll!NtQuerySystemInformation 77F76152 4 Bytes [ 68, 50, 36, BB ] Directory 3 for gmer.zip\gmer.exe[384] ntdll.dll!NtQuerySystemInformation + 5 77F76157 1 Byte [ C3 ] 77F75B5C 4 Bytes JMP 3AF7EA93 77F75B61 1 Byte [ C3 ] 77F75B7A 4 Bytes [ 68, ED, 34, 8F ] 77F75B7F 1 Byte [ C3 ] 77F76152 4 Bytes [ 68, 50, 36, 8F ] + 5 77F76157 1 Byte [ C3 ] 77F75B5C 4 Bytes JMP 3AF81B93 77F75B61 1 Byte [ C3 ] 77F75B7A 4 Bytes [ 68, ED, 34, C0 ] 77F75B7F 1 Byte [ C3 ] 77F76152 4 Bytes [ 68, 50, 36, C0 ] + 5 77F76157 1 Byte [ C3 ] ntdll.dll!NtEnumerateKey 77F75B5C 6 Bytes JMP 3AF88893 ntdll.dll!NtEnumerateValueKey 77F75B7A 6 Bytes PUSH 012D34ED; RET ntdll.dll!NtQuerySystemInformation 77F76152 6 Bytes PUSH 012D3650; RET 77F75B5C 4 Bytes JMP 3AF85893 77F75B61 1 Byte [ C3 ] 77F75B7A 4 Bytes [ 68, ED, 34, FD ] 77F75B7F 1 Byte [ C3 ] 77F76152 4 Bytes [ 68, 50, 36, FD ] 77F76157 1 Byte [ C3 ] 432 [SYSTEM] pe386 <-- ROOTKIT !!! 0x41 0xE8 0x7B 0xAF ... 0x41 0xE8 0x7B 0xAF ... 1 1 0 \??\C:\WINDOWS\System32:lzx32.sys Win23 lzx files loade Base 0xF1 0x63 0x94 0xA0 ... 1 1 1 0 \??\C:\WINDOWS\System32:lzx32.sys Win23 lzx files loade Base 0xF1 0x63 0x94 0xA0 ... 1 1 1 0 \??\C:\WINDOWS\System32:lzx32.sys Win23 lzx files loade Base 0xF1 0x63 0x94 0xA0 ... 1 1 1 0 \??\C:\WINDOWS\System32:lzx32.sys Win23 lzx files loade Base 0xF1 0x63 0x94 0xA0 ... 1 1 1 0 \??\C:\WINDOWS\System32:lzx32.sys Win23 lzx files loade Base 0xF1 0x63 0x94 0xA0 ... 1 1 1 0 \??\C:\WINDOWS\System32:lzx32.sys Win23 lzx files loade Base 0xF1 0x63 0x94 0xA0 ... 1 1 1 0 \??\C:\WINDOWS\System32:lzx32.sys Win23 lzx files loade Base 0xF1 0x63 0x94 0xA0 ... 1 1 1 0 \??\C:\WINDOWS\System32:lzx32.sys Win23 lzx files loade Base 0xF1 0x63 0x94 0xA0 ... 1 1 1 0 \??\C:\WINDOWS\System32:lzx32.sys Win23 lzx files loade Base 0xF1 0x63 0x94 0xA0 ... 1 1 1 0 \??\C:\WINDOWS\System32:lzx32.sys Win23 lzx files loade Base 0xF1 0x63 0x94 0xA0 ... 1 1 1 0 \??\C:\WINDOWS\System32:lzx32.sys Win23 lzx files loade Base 0xF1 0x63 0x94 0xA0 ... 1 <-- ROOTKIT !!!

Profil

bobby Poslao: 26 Mar 2007 21:41 Idi na vrh
offline bobby Administrator Pridružio: 04 Sep 2003 Poruke: 24135 Gde živiš: Wien	0Niko još nije pohvalio poruku. Registruj se da bi pohvalio/la poruku! Skini i startuj sledeci program: http://www.uploads.ejvindh.net/Rustbfix.exe Moze da se desi da ti cak dva puta zatrazi restart racunara. Kada on odradi svoje, napravi ponovo logove GMER-o i HijackThis-om i postavi ih ovde.

Profil

zoranjag Poslao: 26 Mar 2007 22:08 Idi na vrh
offline zoranjag Građanin Pridružio: 25 Mar 2007 Poruke: 32	0Niko još nije pohvalio poruku. Registruj se da bi pohvalio/la poruku! evo saljem zadnjeLogfile of The Avenger version 1, by Swandog46 Running from registry key: \Registry\Machine\System\CurrentControlSet\Services\xqpowtju ***************** Script file located at: \??\C:\yicbglcq.txt Script file opened successfully. Script file read successfully Backups directory opened successfully at C:\Avenger *************** Beginning to process script file: Driver PE386 unloaded successfully. Program C:\Rustbfix\2run.bat successfully set up to run once on reboot. Completed script processing. *************** Finished! Terminate. ********************* Rustock.b-fix -- By ejvindh ********************* Mon 03/26/2007 21:54:39.74 *************** Pre-run Status of system *************** Rootkit driver PE386 is found. Starting the unload-procedure.... Rustock.b-ADS attached to the System32-folder: :lzx32.sys 72376 Total size: 72376 bytes. Attempting to remove ADS... system32: deleted 72376 bytes in 1 streams. Looking for Rustock.b-files in the System32-folder: No Rustock.b-files found in system32 *************** Post-run Status of system *************** Rustock.b-driver on the system: NONE! Rustock.b-ADS attached to the System32-folder: No System32-ADS found. Looking for Rustock.b-files in the System32-folder: No Rustock.b-files found in system32 *************************** End of Logfile ****************************** Logfile of HijackThis v1.99.1 Scan saved at 22:05:06 PM, on 3/26/2007 Platform: Windows XP SP1 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\NOTEPAD.EXE C:\WINDOWS\System32\RunDLL32.exe C:\Program Files\Eset\nod32kui.exe C:\Program Files\Eset\nod32krn.exe C:\WINDOWS\System32\nvsvc32.exe C:\WINDOWS\system32\notepad.exe C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\Documents and Settings\Spider\Desktop\mira.exe R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 61.240.111.196:8080 O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup O4 - HKLM\..\Run: [nwiz] nwiz.exe /install O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000 O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

Profil

bobby Poslao: 26 Mar 2007 22:24 Idi na vrh
offline bobby Administrator Pridružio: 04 Sep 2003 Poruke: 24135 Gde živiš: Wien	0Niko još nije pohvalio poruku. Registruj se da bi pohvalio/la poruku! Nadji sada na disku sledeci fajl: C:\WINDOWS\systpro32.exe Ukoliko imas dobre volje, spakuj ga u ZIP i posalji nam ga preko sledece forme: http://www.mycity.rs/ambulanta-upload.php Nakon toga ga obrisi sa diska. Uradi jedan restart racunara, pa napravi jos jedan log uz pomoc HijackThis da bi smo videli da li je sve sredjeno.

Profil

MyCity » Ambulanta -> Arhiva Ambulante » trojanac

Ko je trenutno na forumu

Ukupno su 1161 korisnika na forumu :: 30 registrovanih, 5 sakrivenih i 1126 gosta :: [ Administrator ] [ Supermoderator ] [ Moderator ] :: Detaljnije

Najviše korisnika na forumu ikad bilo je 3466 - dana 01 Jun 2021 17:07

Korisnici koji su trenutno na forumu:: Korisnici trenutno na forumu: ajo baba, aleksmajstor, aramis s, bojcistv, colji, darcaud, darkangel, Denaya, dzoni19, E_Kurir, Kandrbandrdzilo, Lieutenant, mačković, mercedesamg, milenko crazy north, milos97, MilosKop, nenad81, pein, rovac, S-lash, savaskytec, USSVoyager, Viktor Petrenko, VJ, Vlada1389, W123, YugoSlav, zdrebac, 2001

Svaki korisnik ovog sajta je odgovoran za sadržaj svoje poruke koju objavi na sajtu. Sajt se odriče svake odgovornosti za sadržaj tih poruka.
Postavljanjem vaše poruke ili vašeg autorskog dela na ovaj sajt, saglasni ste da ovaj sajt postaje distributer vašeg dela, i odričete se mogućnosti njegovog povlačenja ili brisanja, bez saglasnosti uprave sajta.
Distribucija sadržaja sa ovog sajta je dozvoljena samo u nekomercijalne svrhe, uz obaveznu napomenu da je sadržaj preuzet sa ovog sajta, i uz obavezno navođenje adrese MyCity sajta. Za sve ostale vidove distribucije obavezni ste da prethodno zatražite odobrenje od vlasnika MyCity sajta.
MyCity pokrenuo, administrira i razvija Predrag Damnjanović, a o uređenju sajta se brine MyCity Tim.
Ukoliko želite da nas kontaktirate kliknite ovde.
Naši sajtovi:
Vesti, Vojni forum, Zaštita od virusa, TekstPesme.rs

This content is licensed under a Creative Commons License.
Based on phpBB 2, translated by Simke, designed by