Trojan Horse Downloader.agent.apko

euflorentinas
edited November 2008 in Malware discussions

Hello,

For two days now I have been the happy owner of Trojan horse Downloader.Agent.APKO.

[removed] found this virus in 2 files, x and srxkslwf.dll in C:\WINDOWS\system32 (I attached a jpg), but it doesn't always delete them (sometimes I find them deleted, other times not).

Seeing that I couldn't get rid of it, I installed TrojanHunter. If I run it in normal mode it didn't find anything, so I switched to safe mode and it found, in C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5, 4 infected jpg files, which I deleted.

After I restarted the computer the trojan appeared again.

Can you help me?

Thanks in advance,

Florentina

Comments

  • rootkit ✭✭✭
    edited November 2008

    I don't see BitDefender installed on your PC.

    Download: ComboFix and save it to your Desktop.

    Create a new .txt file with Notepad and write in it what is quoted below:

    File::
    C:\WINDOWS\system32\x
    C:\WINDOWS\system32\srxkslwf.dll

    Name the file CFScript.txt, then drag it onto ComboFix.exe as shown in the picture below.

    (image: CFScript.gif)

    Then make sure you have closed all running programs (Yahoo Messenger, Mozilla Firefox, etc.) and run ComboFix. It will ask whether it should start cleaning the system. Confirm with Yes each time. Do not stop it while it scans and disinfects the system. The desktop may disappear while it runs, but don't worry.

    At the end it will display the scan results. Save that file and post its contents HERE.

  • I did what you told me and here is the result

    Thanks


    ComboFix 08-11-26.03 - admin 2008-11-26 10:12:04.1 - NTFSx86
    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1481 [GMT 2:00]
    Running from: c:\documents and settings\admin\Desktop\ComboFix.exe
    Command switches used :: c:\documents and settings\admin\Desktop\CFScript.txt
    * Created a new restore point

    FILE ::
    c:\windows\system32\srxkslwf.dll
    c:\windows\system32\x
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    c:\windows\IE4 Error Log.txt
    c:\windows\system32\x
    .

    ((((((((((((((((((((((((( Files Created from 2008-10-26 to 2008-11-26 )))))))))))))))))))))))))))))))
    .
    2008-11-24 17:36 . 2008-11-24 17:39 664 --a------ c:\windows\system32\d3d9caps.dat
    2008-11-24 17:01 . 2008-11-24 17:01 <DIR> d-------- c:\documents and settings\Administrator
    2008-11-24 16:36 . 2008-11-24 16:36 <DIR> d-------- c:\documents and settings\admin\Application Data\TrojanHunter
    2008-11-24 16:13 . 2008-11-24 16:14 <DIR> d-------- c:\program files\TrojanHunter 5.0
    2008-11-07 14:55 . 2008-11-11 15:19 <DIR> d-------- c:\documents and settings\admin\.eas
    2008-11-07 14:36 . 2008-11-07 14:48 28,974 --a------ c:\windows\vpd.properties
    2008-11-07 14:34 . 2008-11-07 14:43 <DIR> d-------- C:\Hyperion
    2008-11-07 12:41 . 2008-11-07 14:18 <DIR> d-------- c:\windows\Hotfix
    2008-11-07 12:19 . 2008-11-07 12:19 <DIR> d-------- c:\program files\SQLXML 4.0
    2008-11-07 12:19 . 2008-11-07 12:19 <DIR> d-------- c:\program files\Microsoft Analysis Services
    2008-11-07 12:15 . 2008-11-07 12:16 <DIR> d-------- c:\program files\Microsoft Visual Studio 8
    2008-11-07 12:15 . 2008-11-07 12:15 <DIR> d-------- c:\program files\Common Files\Merge Modules
    2008-11-07 12:15 . 2008-11-07 14:26 <DIR> d-------- c:\documents and settings\All Users\Application Data\Microsoft Help
    2008-11-07 12:11 . 2008-11-07 14:25 <DIR> d-------- c:\program files\Microsoft SQL Server
    2008-10-29 09:41 . 2008-10-29 09:42 <DIR> d-------- c:\program files\The KMPlayer
    2008-10-27 16:30 . 2008-11-24 16:10 <DIR> d-------- c:\windows\BDOSCAN8
    .

    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-11-26 07:08 --------- d-----w c:\documents and settings\LocalService\Application Data\VMware
    2008-11-26 07:08 --------- d-----w c:\documents and settings\All Users\Application Data\VMware
    2008-11-25 14:17 --------- d-----w c:\documents and settings\admin\Application Data\VMware
    2008-11-21 14:31 --------- d-----w c:\program files\NET6
    2008-10-20 13:00 --------- d-----w c:\documents and settings\All Users\Application Data\Hewlett-Packard
    2008-10-16 20:26 21,419 ----a-w c:\windows\system32\drivers\AegisP.sys
    2008-10-16 20:26 --------- d--h--w c:\program files\InstallShield Installation Information
    2008-10-16 20:26 --------- d-----w c:\program files\SMC
    2008-10-16 09:09 --------- d-----w c:\program files\Winamp
    2008-10-16 09:09 --------- d-----w c:\documents and settings\admin\Application Data\Winamp
    2008-10-15 09:44 --------- d-----w c:\documents and settings\admin\Application Data\ICAClient
    2008-10-15 09:43 --------- d-----w c:\program files\Citrix
    2008-10-14 14:13 --------- d-----w c:\program files\DAEMON Tools
    2008-10-14 13:44 --------- d-----w c:\program files\Yahoo!
    2008-10-14 13:40 97,928 ----a-w c:\windows\system32\drivers\avgldx86.sys
    2008-10-14 13:40 76,040 ----a-w c:\windows\system32\drivers\avgtdix.sys
    2008-10-14 13:40 10,520 ----a-w c:\windows\system32\avgrsstx.dll
    2008-10-14 13:40 --------- d-----w c:\program files\AVG
    2008-10-14 13:40 --------- d-----w c:\documents and settings\All Users\Application Data\avg8
    2008-10-14 13:38 --------- d-----w c:\documents and settings\All Users\Application Data\Yahoo!
    2008-10-14 13:37 --------- d-----w c:\documents and settings\admin\Application Data\Yahoo!
    2008-10-14 08:46 --------- d-----w c:\program files\Webshots
    2008-10-14 08:43 --------- d-----w c:\documents and settings\LocalService\Application Data\agi
    2008-10-14 08:43 --------- d-----w c:\documents and settings\admin\Application Data\Webshots
    2008-10-14 08:43 --------- d-----w c:\documents and settings\admin\Application Data\agi
    2008-10-14 08:41 339,968 ----a-w c:\windows\system32\pythoncom25.dll
    2008-10-14 08:41 2,117,632 ----a-w c:\windows\system32\python25.dll
    2008-10-14 08:41 114,688 ----a-w c:\windows\system32\pywintypes25.dll
    2008-10-14 08:41 --------- d-----w c:\program files\AGI
    2008-10-14 08:41 --------- d-----w c:\documents and settings\All Users\Application Data\agi
    2008-10-14 08:20 --------- d-----w c:\program files\Common Files\Adobe AIR
    2008-10-14 08:19 --------- d-----w c:\program files\Common Files\Adobe
    2008-10-14 07:33 --------- d-----w c:\program files\Microsoft.NET
    2008-10-14 07:33 --------- d-----w c:\program files\Microsoft Works
    2008-10-14 07:33 --------- d-----w c:\program files\Microsoft ActiveSync
    2008-10-14 07:33 --------- d-----w c:\program files\Common Files\L&H
    2008-10-14 07:23 682,232 ----a-w c:\windows\system32\drivers\sptd.sys
    2008-10-14 05:03 --------- d-----w c:\program files\Hewlett-Packard
    2008-10-14 05:02 --------- d-----w c:\program files\HPQ
    2008-10-14 04:56 --------- d-----w c:\program files\VMware
    2008-10-14 04:56 --------- d-----w c:\program files\Common Files\VMware
    2008-10-13 13:23 --------- d-----w c:\program files\Intel
    2008-10-13 13:15 0 ---ha-w c:\windows\system32\drivers\MsftWdf_Kernel_01005_Coinstaller_Critical.Wdf
    2008-10-13 13:15 0 ---ha-w c:\windows\system32\drivers\Msft_Kernel_HpqKbFiltr_01005.Wdf
    2008-10-13 13:15 --------- d-----w c:\program files\Synaptics
    2008-10-13 13:15 --------- d-----w c:\program files\Common Files\InstallShield
    2008-10-13 13:15 --------- d-----w c:\documents and settings\admin\Application Data\InstallShield
    2008-10-13 13:13 1,612 --sha-r c:\windows\system32\drivers\103C_HP_NTBK_HP Compaq 6720s_YN_0U_QCNU8364Y1Q_EU_46_I30D8_SHP_VKBC Version 83.0E_B68MDU Ver. F.0B_T080620_WXP2_L409_M2040_J250_7Intel_8Core2 Duo T5870_91.99_#081013_N_()_XMOBILE_CN10_Z_2F.0B_G.MRK
    2008-10-13 13:11 --------- d-----w c:\program files\WIDCOMM
    2008-10-13 13:08 --------- d-----w c:\documents and settings\admin\Application Data\hpqLog
    2008-10-13 13:02 --------- d-----w c:\program files\Analog Devices
    2008-10-13 12:52 --------- d-----w c:\program files\microsoft frontpage
    2008-09-16 16:26 1,332,197 ----a-w c:\windows\system32\pythondll.zip
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "DAEMON Tools"="c:\program files\DAEMON Tools\daemon.exe" [2007-04-04 165784]
    "ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2006-02-28 15360]
    "Yahoo! Pager"="c:\progra~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" [2006-11-30 4662776]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2007-01-05 872448]
    "QlbCtrl"="c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2007-11-06 177456]
    "SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2007-06-07 827392]
    "IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-09-24 141848]
    "HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-09-24 166424]
    "Persistence"="c:\windows\system32\igfxpers.exe" [2007-09-24 137752]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
    "AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2008-10-14 1234712]
    "WinampAgent"="c:\program files\Winamp\winampa.exe" [2008-08-04 36352]
    "THGuard"="c:\program files\TrojanHunter 5.0\THGuard.exe" [2008-10-24 1056928]

    c:\documents and settings\admin\Start Menu\Programs\Startup\
    Webshots.lnk - c:\program files\Webshots\Launcher.exe [2008-10-14 157000]

    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2007-02-06 561213]
    SMC USB Wireless Client Utility.lnk - c:\program files\SMC\SMC USB Wireless Client Utility\UMCCfg.exe [2008-10-16 2619904]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
    "AppInit_DLLs"=avgrsstx.dll

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
    @="Driver"

    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusOverride"=dword:00000001
    "FirewallOverride"=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
    "c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
    "c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
    "c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "1069:TCP"= 1069:TCP:WWW

    R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\Drivers\avgldx86.sys [2008-10-14 97928]
    R2 AGWinService;AG Windows Service;"c:\program files\AGI\common\win32\PythonService.exe" [2008-10-14 10240]
    R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [2008-10-14 875288]
    R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2008-10-14 231704]
    R2 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\Drivers\avgtdix.sys [2008-10-14 76040]
    R2 MsDtsServer;SQL Server Integration Services;"c:\program files\Microsoft SQL Server\90\DTS\Binn\MsDtsSrvr.exe" [2006-04-14 203552]
    R2 NICSer_WUB370L;NICSer_WUB370L;c:\program files\SMC\SMC USB Wireless Client Utility\NICServ.exe [2008-10-16 530432]
    R3 Net6IM;Net6;c:\windows\system32\DRIVERS\net6im51.sys [2008-10-15 44664]
    S2 cinzkiid;cinzkiid;c:\windows\system32\svchost.exe -k netsvcs [2006-02-28 14336]
    S3 rt2870;802.11n USB Wireless LAN Card Driver;c:\windows\system32\DRIVERS\rt2870.sys [2008-10-16 503680]
    S4 msvsmon80;Visual Studio 2005 Remote Debugger;"c:\program files\Microsoft Visual Studio 8\Common7\IDE\Remote Debugger\x86\msvsmon.exe" /service msvsmon80 [2005-09-23 2799808]

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
    cinzkiid

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{0e2eba47-b479-11dd-b622-005056c00008}]
    \Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Recycled\KESHA.EXE

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{3b283d52-99a8-11dd-b5e1-001f3c9bc723}]
    \Shell\AutoRun\command - G:\Launch.exe /run

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a5483406-99c5-11dd-b5e5-005056c00008}]
    \Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Recycled\KESHA.EXE

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b380dba5-9b48-11dd-b5ed-005056c00008}]
    \Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Recycled\KESHA.EXE

    *Newly Created Service* - PROCEXP90
    .
    - - - - ORPHANS REMOVED - - - -

    URLSearchHooks-{0BC6E3FA-78EF-4886-842C-5A1258C4455A} - (no file)

    **************************************************************************

    catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-11-26 10:13:00
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...
    scanning hidden autostart entries ...
    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************

    [HKEY_LOCAL_MACHINE\system\ControlSet001\Services\msftesql]
    "ImagePath"="\"c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\msftesql.exe\" -s:MSSQL.1 -f:MSSQLSERVER"
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'winlogon.exe'(1488)
    c:\windows\system32\avgrsstx.dll

    - - - - - - - > 'lsass.exe'(1592)
    c:\windows\system32\avgrsstx.dll
    .
    Completion time: 2008-11-26 10:13:34
    ComboFix-quarantined-files.txt 2008-11-26 08:13:20

    Pre-Run: 74,676,977,664 bytes free
    Post-Run: 74,780,708,864 bytes free

    WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
    [boot loader]
    timeout=2
    default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
    [operating systems]
    c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
    multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect


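
A triage pass over the log above, added here as an editorial example (it is not part of the thread, nor anything ComboFix ships). The report's own note says legitimate default entries are not shown, so a service that still appears hosted by `svchost.exe -k netsvcs` under a name like `cinzkiid`, and registered in the NetSvcs group, is the first thing a practitioner would examine (its ServiceDll value lives under `HKLM\SYSTEM\CurrentControlSet\Services\<name>\Parameters`), together with the AutoRun commands on mount points that launch `Recycled\KESHA.EXE` through RunDLL32, the two Security Center override flags and the disabled Windows Firewall. Note also that "Other Deletions" lists `c:\windows\system32\x` but not `srxkslwf.dll`, so the log alone does not show that the DLL named in the CFScript was removed. The script below pulls those indicators out of a handful of lines copied from the log (a constructed sample, embedded inline); the category names and the heuristics are my own assumptions, not ComboFix rules.

```python
r"""Triage helper for a ComboFix log (editorial example for this thread).

Heuristics, all assumptions rather than ComboFix rules:
  * ComboFix hides legitimate default entries, so any svchost-hosted
    service it still lists is non-default and worth inspecting (check the
    ServiceDll value under HKLM\SYSTEM\CurrentControlSet\Services\<name>\Parameters);
  * AutoRun commands on mount points, above all ones that launch something
    from a Recycled folder via RunDLL32/ShellExec_RunDLL, are a classic
    removable-media propagation pattern;
  * Security Center override flags set to 1 and EnableFirewall=0 are
    settings malware commonly flips.
"""
import re

# Constructed sample: a few lines copied from the log posted above.
SAMPLE_LOG = r"""
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2008-10-14 1234712]
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2008-10-14 231704]
S2 cinzkiid;cinzkiid;c:\windows\system32\svchost.exe -k netsvcs [2006-02-28 14336]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
cinzkiid
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{0e2eba47-b479-11dd-b622-005056c00008}]
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Recycled\KESHA.EXE
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{3b283d52-99a8-11dd-b5e1-001f3c9bc723}]
\Shell\AutoRun\command - G:\Launch.exe /run
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a5483406-99c5-11dd-b5e5-005056c00008}]
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Recycled\KESHA.EXE
"""

# "R2 name;display;image [date size]" service lines
SERVICE_RE = re.compile(r"^[RS]\d\s+([^;]+);[^;]*;(.*?)\s+\[")
AUTORUN_RE = re.compile(r"^\\Shell\\AutoRun\\command\s+-\s+(.*)$")
OVERRIDE_RE = re.compile(r'^"(AntiVirusOverride|FirewallOverride)"=dword:0*1$')
FIREWALL_OFF_RE = re.compile(r'^"EnableFirewall"=\s*0\b')
NETSVCS_HEADER = "Svchost - NetSvcs"
MEMBER_RE = re.compile(r"^[A-Za-z0-9_][\w.-]*$")


def analyze(log_text):
    """Return a list of (category, detail) findings for one ComboFix log."""
    findings = []
    in_netsvcs = False
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        # Bare names right after the NetSvcs header are members of that svchost group.
        if in_netsvcs and MEMBER_RE.match(line):
            findings.append(("netsvcs_member", line))
            continue
        in_netsvcs = line.endswith(NETSVCS_HEADER)
        m = SERVICE_RE.match(line)
        if m:
            name, image = m.groups()
            if "svchost.exe" in image.lower():
                findings.append(("svchost_service", f"{name} -> {image}"))
            continue
        m = AUTORUN_RE.match(line)
        if m:
            cmd = m.group(1)
            cat = "autorun_recycled" if re.search(r"recycled\\", cmd, re.I) else "autorun"
            findings.append((cat, cmd))
            continue
        m = OVERRIDE_RE.match(line)
        if m:
            findings.append(("security_center_override", m.group(1)))
            continue
        if FIREWALL_OFF_RE.match(line):
            findings.append(("firewall_disabled", line))
    return findings


def by_category(findings):
    """Group findings into {category: [detail, ...]} for a quick summary."""
    grouped = {}
    for cat, detail in findings:
        grouped.setdefault(cat, []).append(detail)
    return grouped


if __name__ == "__main__":
    for cat, details in by_category(analyze(SAMPLE_LOG)).items():
        print(cat)
        for d in details:
            print("   ", d)
```

On a real case you would feed the whole ComboFix.txt to analyze(); the point of the grouping is that a randomly named svchost service, a NetSvcs group membership and Recycled-folder AutoRun entries showing up together is what turns "the file was deleted" into "the persistence is still there".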

  • Put the following folder into an archive with the password infected and attach it here, or upload it to a server (for example: http://www.rapidshare.com ) and post the download link here so I can send it for analysis.

    C:\Qoobox


  • euflorentinas
    edited February 2009

    hello,

    I attached what you asked for, only I didn't put a password on it

    thanks

  • euflorentinas
    edited February 2009

    I re-attached it with a password :D

  • One more thing: if I reinstalled XP and formatted only C, without D, do you think I would get rid of the virus?

    I don't intend to do that, but I'm curious

  • Wait, I don't understand... do you still have problems?!

    The infected files were deleted!

    Download Malwarebytes Anti-Malware and save it to your Desktop.

    Install it and at the end make sure the following are checked: Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware. Then click Finish.

    After the program launches, select Perform full scan and then click Scan.

    When the scan finishes, click OK and then Show Results. Make sure everything is checked and then click Remove Selected.

    At the end a Notepad file with the scan results will open. Post its contents here.

  • Hello,

    I haven't done what you said below yet (I only get to my computer on Tuesday), but the problems are not over at all, and my antivirus kept telling me that the 2 files are infected, even though I can't see them at all.

    I will follow your advice and tell you the result

    Thanks


    (quoting rootkit's previous reply, reproduced in full above)

  • rootkit ✭✭✭
    edited December 2008

    The archive you posted here was sent for analysis.

    BitDefender will add signatures for the viruses (well, a VR will).

  • hello,

    I attached the scan result; at the end it told me it didn't find anything.

    thanks

  • Hello!

    I also had problems with downloader.agent.apko. From what I searched on Google, I found the following post on WikiAnswers:

    http://wiki.answers.com/Q/How_do_you_remov...ader.agent.APKO

    I did what is indicated there and got rid of it.

    Good luck!