Trojan Horse Downloader.agent.apko
Buna,
De doua zile sunt fericita posesoare a Trojan horse Downloader.Agent.APKO.
[removed]-ul mi-a gasit virusul asta in 2 fisiere x si srxkslwf.dll in C:\WINDOWS\system32 (am atasat jpg), dar nu mi-le sterge tot timpul(cate o data le gasesc sterse,alteori nu).
Vazand ca nu pot scapa de el am instalat TrojanHunter. Daca il rulez din normal mode nu-mi gasesea nimic asa ca am trecut in safe mode si mi-a gasit in C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5 in 4 fisiere niste jpg-uri infectate pe care le-am sters.
Dupa ce am restartat calc mi-a aparut iar trojan-ul.
Ma puteti ajuta?
Multumesc Anticipat,
Florentina
Comentarii
-
Eu nu vad BitDefender instalat pe PC-ul tau.
Descarca: ComboFix si salveaza-l pe Desktop.
Creeaza un fisier nou de tip .txt cu Notepad si scrie in el ce e mai jos in citat:File::
C:\WINDOWS\system32\x
C:\WINDOWS\system32\srxkslwf.dll
Denumeste fisierul CFScript.txt apoi trage-l peste ComboFix.exe asa cum e aratat in poza de mai jos.
Apoi asigura-te ca ai inchis toate programele care ruleaza (Yahoo Messenger, MozilaFirefox, etc) si ruleaza ComboFix. Te va intreba daca sa inceapa sa curete sistemul. Confirma cu Yes de fiecare data. Nu-l opri in timp ce scaneaza si dezinfecteaza sistemul. E posibil ca in timpul rularii lui desktop-ul sa dispara, dar nu te ingrijora.
La sfarsit va afisa rezultatele scanarii. Salveaza acel fisier si posteaza continutul AICI.0 -
Am facut ce mi-ai zis si iata rezultatul
Mersi
ComboFix 08-11-26.03 - admin 2008-11-26 10:12:04.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1481 [GMT 2:00]
Running from: c:\documents and settings\admin\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\admin\Desktop\CFScript.txt
* Created a new restore point
FILE ::
c:\windows\system32\srxkslwf.dll
c:\windows\system32\x
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\windows\IE4 Error Log.txt
c:\windows\system32\x
.
((((((((((((((((((((((((( Files Created from 2008-10-26 to 2008-11-26 )))))))))))))))))))))))))))))))
.
2008-11-24 17:36 . 2008-11-24 17:39 664 --a------ c:\windows\system32\d3d9caps.dat
2008-11-24 17:01 . 2008-11-24 17:01 <DIR> d-------- c:\documents and settings\Administrator
2008-11-24 16:36 . 2008-11-24 16:36 <DIR> d-------- c:\documents and settings\admin\Application Data\TrojanHunter
2008-11-24 16:13 . 2008-11-24 16:14 <DIR> d-------- c:\program files\TrojanHunter 5.0
2008-11-07 14:55 . 2008-11-11 15:19 <DIR> d-------- c:\documents and settings\admin\.eas
2008-11-07 14:36 . 2008-11-07 14:48 28,974 --a------ c:\windows\vpd.properties
2008-11-07 14:34 . 2008-11-07 14:43 <DIR> d-------- C:\Hyperion
2008-11-07 12:41 . 2008-11-07 14:18 <DIR> d-------- c:\windows\Hotfix
2008-11-07 12:19 . 2008-11-07 12:19 <DIR> d-------- c:\program files\SQLXML 4.0
2008-11-07 12:19 . 2008-11-07 12:19 <DIR> d-------- c:\program files\Microsoft Analysis Services
2008-11-07 12:15 . 2008-11-07 12:16 <DIR> d-------- c:\program files\Microsoft Visual Studio 8
2008-11-07 12:15 . 2008-11-07 12:15 <DIR> d-------- c:\program files\Common Files\Merge Modules
2008-11-07 12:15 . 2008-11-07 14:26 <DIR> d-------- c:\documents and settings\All Users\Application Data\Microsoft Help
2008-11-07 12:11 . 2008-11-07 14:25 <DIR> d-------- c:\program files\Microsoft SQL Server
2008-10-29 09:41 . 2008-10-29 09:42 <DIR> d-------- c:\program files\The KMPlayer
2008-10-27 16:30 . 2008-11-24 16:10 <DIR> d-------- c:\windows\BDOSCAN8
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-11-26 07:08 --------- d-----w c:\documents and settings\LocalService\Application Data\VMware
2008-11-26 07:08 --------- d-----w c:\documents and settings\All Users\Application Data\VMware
2008-11-25 14:17 --------- d-----w c:\documents and settings\admin\Application Data\VMware
2008-11-21 14:31 --------- d-----w c:\program files\NET6
2008-10-20 13:00 --------- d-----w c:\documents and settings\All Users\Application Data\Hewlett-Packard
2008-10-16 20:26 21,419 ----a-w c:\windows\system32\drivers\AegisP.sys
2008-10-16 20:26 --------- d--h--w c:\program files\InstallShield Installation Information
2008-10-16 20:26 --------- d-----w c:\program files\SMC
2008-10-16 09:09 --------- d-----w c:\program files\Winamp
2008-10-16 09:09 --------- d-----w c:\documents and settings\admin\Application Data\Winamp
2008-10-15 09:44 --------- d-----w c:\documents and settings\admin\Application Data\ICAClient
2008-10-15 09:43 --------- d-----w c:\program files\Citrix
2008-10-14 14:13 --------- d-----w c:\program files\DAEMON Tools
2008-10-14 13:44 --------- d-----w c:\program files\Yahoo!
2008-10-14 13:40 97,928 ----a-w c:\windows\system32\drivers\avgldx86.sys
2008-10-14 13:40 76,040 ----a-w c:\windows\system32\drivers\avgtdix.sys
2008-10-14 13:40 10,520 ----a-w c:\windows\system32\avgrsstx.dll
2008-10-14 13:40 --------- d-----w c:\program files\AVG
2008-10-14 13:40 --------- d-----w c:\documents and settings\All Users\Application Data\avg8
2008-10-14 13:38 --------- d-----w c:\documents and settings\All Users\Application Data\Yahoo!
2008-10-14 13:37 --------- d-----w c:\documents and settings\admin\Application Data\Yahoo!
2008-10-14 08:46 --------- d-----w c:\program files\Webshots
2008-10-14 08:43 --------- d-----w c:\documents and settings\LocalService\Application Data\agi
2008-10-14 08:43 --------- d-----w c:\documents and settings\admin\Application Data\Webshots
2008-10-14 08:43 --------- d-----w c:\documents and settings\admin\Application Data\agi
2008-10-14 08:41 339,968 ----a-w c:\windows\system32\pythoncom25.dll
2008-10-14 08:41 2,117,632 ----a-w c:\windows\system32\python25.dll
2008-10-14 08:41 114,688 ----a-w c:\windows\system32\pywintypes25.dll
2008-10-14 08:41 --------- d-----w c:\program files\AGI
2008-10-14 08:41 --------- d-----w c:\documents and settings\All Users\Application Data\agi
2008-10-14 08:20 --------- d-----w c:\program files\Common Files\Adobe AIR
2008-10-14 08:19 --------- d-----w c:\program files\Common Files\Adobe
2008-10-14 07:33 --------- d-----w c:\program files\Microsoft.NET
2008-10-14 07:33 --------- d-----w c:\program files\Microsoft Works
2008-10-14 07:33 --------- d-----w c:\program files\Microsoft ActiveSync
2008-10-14 07:33 --------- d-----w c:\program files\Common Files\L&H
2008-10-14 07:23 682,232 ----a-w c:\windows\system32\drivers\sptd.sys
2008-10-14 05:03 --------- d-----w c:\program files\Hewlett-Packard
2008-10-14 05:02 --------- d-----w c:\program files\HPQ
2008-10-14 04:56 --------- d-----w c:\program files\VMware
2008-10-14 04:56 --------- d-----w c:\program files\Common Files\VMware
2008-10-13 13:23 --------- d-----w c:\program files\Intel
2008-10-13 13:15 0 ---ha-w c:\windows\system32\drivers\MsftWdf_Kernel_01005_Coinstaller_Critical.Wdf
2008-10-13 13:15 0 ---ha-w c:\windows\system32\drivers\Msft_Kernel_HpqKbFiltr_01005.Wdf
2008-10-13 13:15 --------- d-----w c:\program files\Synaptics
2008-10-13 13:15 --------- d-----w c:\program files\Common Files\InstallShield
2008-10-13 13:15 --------- d-----w c:\documents and settings\admin\Application Data\InstallShield
2008-10-13 13:13 1,612 --sha-r c:\windows\system32\drivers\103C_HP_NTBK_HP Compaq 6720s_YN_0U_QCNU8364Y1Q_EU_46_I30D8_SHP_VKBC Version 83.0E_B68MDU Ver. F.0B_T080620_WXP2_L409_M2040_J250_7Intel_8Core2 Duo T5870_91.99_#081013_N_()_XMOBILE_CN10_Z_2F.0B_G.MRK
2008-10-13 13:11 --------- d-----w c:\program files\WIDCOMM
2008-10-13 13:08 --------- d-----w c:\documents and settings\admin\Application Data\hpqLog
2008-10-13 13:02 --------- d-----w c:\program files\Analog Devices
2008-10-13 12:52 --------- d-----w c:\program files\microsoft frontpage
2008-09-16 16:26 1,332,197 ----a-w c:\windows\system32\pythondll.zip
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DAEMON Tools"="c:\program files\DAEMON Tools\daemon.exe" [2007-04-04 165784]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2006-02-28 15360]
"Yahoo! Pager"="c:\progra~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" [2006-11-30 4662776]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2007-01-05 872448]
"QlbCtrl"="c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2007-11-06 177456]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2007-06-07 827392]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-09-24 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-09-24 166424]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-09-24 137752]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2008-10-14 1234712]
"WinampAgent"="c:\program files\Winamp\winampa.exe" [2008-08-04 36352]
"THGuard"="c:\program files\TrojanHunter 5.0\THGuard.exe" [2008-10-24 1056928]
c:\documents and settings\admin\Start Menu\Programs\Startup\
Webshots.lnk - c:\program files\Webshots\Launcher.exe [2008-10-14 157000]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2007-02-06 561213]
SMC USB Wireless Client Utility.lnk - c:\program files\SMC\SMC USB Wireless Client Utility\UMCCfg.exe [2008-10-16 2619904]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=avgrsstx.dll
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"1069:TCP"= 1069:TCP:WWW
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\Drivers\avgldx86.sys [2008-10-14 97928]
R2 AGWinService;AG Windows Service;"c:\program files\AGI\common\win32\PythonService.exe" [2008-10-14 10240]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [2008-10-14 875288]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2008-10-14 231704]
R2 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\Drivers\avgtdix.sys [2008-10-14 76040]
R2 MsDtsServer;SQL Server Integration Services;"c:\program files\Microsoft SQL Server\90\DTS\Binn\MsDtsSrvr.exe" [2006-04-14 203552]
R2 NICSer_WUB370L;NICSer_WUB370L;c:\program files\SMC\SMC USB Wireless Client Utility\NICServ.exe [2008-10-16 530432]
R3 Net6IM;Net6;c:\windows\system32\DRIVERS\net6im51.sys [2008-10-15 44664]
S2 cinzkiid;cinzkiid;c:\windows\system32\svchost.exe -k netsvcs [2006-02-28 14336]
S3 rt2870;802.11n USB Wireless LAN Card Driver;c:\windows\system32\DRIVERS\rt2870.sys [2008-10-16 503680]
S4 msvsmon80;Visual Studio 2005 Remote Debugger;"c:\program files\Microsoft Visual Studio 8\Common7\IDE\Remote Debugger\x86\msvsmon.exe" /service msvsmon80 [2005-09-23 2799808]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
cinzkiid
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{0e2eba47-b479-11dd-b622-005056c00008}]
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Recycled\KESHA.EXE
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{3b283d52-99a8-11dd-b5e1-001f3c9bc723}]
\Shell\AutoRun\command - G:\Launch.exe /run
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a5483406-99c5-11dd-b5e5-005056c00008}]
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Recycled\KESHA.EXE
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b380dba5-9b48-11dd-b5ed-005056c00008}]
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Recycled\KESHA.EXE
*Newly Created Service* - PROCEXP90
.
- - - - ORPHANS REMOVED - - - -
URLSearchHooks-{0BC6E3FA-78EF-4886-842C-5A1258C4455A} - (no file)
**************************************************************************
catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-11-26 10:13:00
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\msftesql]
"ImagePath"="\"c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\msftesql.exe\" -s:MSSQL.1 -f:MSSQLSERVER"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(1488)
c:\windows\system32\avgrsstx.dll
- - - - - - - > 'lsass.exe'(1592)
c:\windows\system32\avgrsstx.dll
.
Completion time: 2008-11-26 10:13:34
ComboFix-quarantined-files.txt 2008-11-26 08:13:20
Pre-Run: 74,676,977,664 bytes free
Post-Run: 74,780,708,864 bytes free
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
186/applications/core/interface/file/attachment.php?id=4099" data-fileid="4099" rel="">ComboFix.txt
0 -
Pune urmatorul folder intr-o arhiva cu parola infected si ataseaz-o aici sau urc-o pe un server (de exemplu: http://www.rapidshare.com ) si pune aici link-ul de download sa trimit la analiza.
C:\Qoobox0 -
buna,
am atasat ce mi-ai cerut numai ca nu i-am pus parola
mersi0 -
am reatasat cu parola
0 -
Inca ceva, daca mi-as reinstala XP-ul si as formata numai C-ul fara D credeti ca as scapa de virus?
Nu in intentionez sa fac asta dar sunt curioasa0 -
Stai ca nu inteleg...tot mai ai probleme ?!
Fisierele infectate au fost sterse !
Descarca Malwarebytes Anti-Malware si salveaza-l pe Desktop.
Instaleaza-l si la sfarsit asigura-te ca ai bifat urmatoarele: Update Malwarebytes' Anti-Malware si Launch Malwarebytes' Anti-Malware. Apoi apasa Finish.
Dupa lansarea programului, selecteaza Perform full scan si apoi apasa pe Scan.
La terminarea scanarii apasa OK si apoi Show Results. Asigura-te ca e totul bifat si apoi apasa Remove Selected.
La final se va deschide un fisier in Notepad cu rezultatele scanarii. Posteaza continutul lui aici.0 -
Buna,
N-am facut ce mi-ai zis mai jos inca(abia marti ajung la calc meu) dar probleme nu s-au terminat deloc iar antivirusul meu imi zicea in contiuare ca cele 2 fisiere sunt infectate, cu toate ca eu nu le vad deloc.
O sa iti urmez sfatul si o sa-ti zic rezultatul
MersiStai ca nu inteleg...tot mai ai probleme ?!
Fisierele infectate au fost sterse !
Descarca Malwarebytes Anti-Malware si salveaza-l pe Desktop.
Instaleaza-l si la sfarsit asigura-te ca ai bifat urmatoarele: Update Malwarebytes' Anti-Malware si Launch Malwarebytes' Anti-Malware. Apoi apasa Finish.
Dupa lansarea programului, selecteaza Perform full scan si apoi apasa pe Scan.
La terminarea scanarii apasa OK si apoi Show Results. Asigura-te ca e totul bifat si apoi apasa Remove Selected.
La final se va deschide un fisier in Notepad cu rezultatele scanarii. Posteaza continutul lui aici.0 -
buna,
am atasat rezultatul scanarii, la sfarsit mi-a zis ca n-a gasit nimic.
mersi0 -
Arhiva pusa de tine aici a fost trimisa la analiza.
BitDefender o sa semneze virusii(ma rog, un VR o sa-i semneze).0 -
buna,
am atasat rezultatul scanarii, la sfarsit mi-a zis ca n-a gasit nimic.
mersi
Buna!
Si eu am avut probleme cu downloader.agent.apko.Din ce-am cautat pe google am gasit pe WikiAnswer urmatoarea postare:
http://wiki.answers.com/Q/How_do_you_remov...ader.agent.APKO
Am facut ce-i indicat acolo si am scapat.
Succes!0
Liderul tuturor timpurilor
Categorii de discuții
- Toate Categoriile
- 2 Știri și bloguri
- 10 Subiecte generale
- 2 Securitate pentru companii
- 4 Sugestii și idei pentru produse
- 12 Alte produse și servicii
- 19 Central & Abonamente
- 15 VPN
- 14 Mobile Security
- 2 Mac
- 39 Windows
- 1.3K Protectie utilizatori individuali
- 949 Arhiva
- 199 Discu355ii generale
- 199 Discu355ii malware
- 6 Discu355ii spam 351i phishing
- 58 Produse
- 49 Sta355ii de lucru
- 1 Unix
- Servere windows
- 3 Protec355ie enterprise
- 5 Mobile
- 487 350tiri
