[entusiast]

hommikul siis söber helistab ja küsib et mida sa saada mulle siin, juba teab mitmendat korda, mina ei saanud nagu aru, et kuidas ma midagi saata saan kui ma ise koolis olen(arvuti on 24/7 sees ja msn ka). kui koju jöudsin siis plnud ühtegi msn'i akent lahti kuid logi failidest nägin et programm oli üritanud saata köikidele onlines olevatele inimestele faili nimega pic01.zip

nod 32 ei leia igatahes midagi selle kohta
panen ka spybotiga uurima asja


Msnis kirjutab siis sellsie loo

Hakkas faili saatma
Fantastic ahuahuahu




kellel kokku puude on sellega, ehk ütleb kuhu minema peab ja mida tegema.

[typical]

Kui ma aint mäletaks kust ma selle leidsin aga ma arvan,et tasub proovimist . igastahes oldi seal teemas hädas sama asjaga
http://www.forospyware.com/Msncleaner/MsnCleaner.zip

[laurx]

SAS aka SuperAntiSPyware peaks / võiks ka hakkama saada. viimasel ajal on olnud selline asi nagu "vundo" väga aktiivses arendamises.

[entusiast]

nod on ikka see trial variant.

see msnt cleaner leidis küll midagi
plugin1.dat.vir faili

[Lord Ami]

[entusiast]

praegusel hetkel ei jama. lasin köikide nende asjadega üle, ning sas'iga ei leidnud midagi peale ie'i cookie. kuid spybot leidis tunduvalt rohkem asju.
praegu tundub rahu majas olevat.

kusjuures viimane asi mida ma eile öhtul kasutasin ja peale mida see jamps pihta hakkas oli tune up 2007

[laurx]

abiks igasugu vigurid enne kasutamist korralikuls läbi skännida.

[entusiast]

nüüd on ta hakanud taas mingit veidrat asaja nöudma, nin selline fail nagu hvosmegnmp.exe üritab kusagile end konnektida kuid önneks püüab comodo selle kinni.
hvosmegnmp.exe

[Lord Ami]

[entusiast]

lasin juba üle trend secure housecall'iga ning tema siisl leidis mingisuguse trooja nimega TROJ_AKKR.A


virustotal siis suutis tuvastatada et see fail pics01.zip on:

AVG 7.5.0.503 2007.11.11 Generic9.SRB
BitDefender 7.2 2007.11.11 Backdoor.Pushbot.A
Ikarus T3.1.1.12 2007.11.11 Backdoor.Pushbot.A

kuid see asi tekib pideval uuesti ja uuesti sinna windows kataloogi, samas on sinna windows kataloogi tekkinud ka selline fail nagu lasse.exe(mille kohta AVG ütleb a threat was found during scanninga) seda aga ei saa kuidagi sinna virus totalisse uppida.

[laurx]

sul on temp kaustades midagi , kust see asi iga buudiga taastatakse. hakka sellest peale, et tee temp INternet files, kasutaja application data tembid jms tembid puhtaks.
scan tuleb teha sace modes ja nii, et system restore ei tööta.

[entusiast]

no pagan kergelt hakkab see asi juba närvidele käima, kuna siis kui tegin safe modes nii spybotiga kui ka avg'ga kontrolli, ei leidnud nad midagi. seejärel peale restarti taas sama jama. kustutasin ka köik failid temp kaustadest ära. nüüd aga on ta hakanud mingit sexy faili levitama

[Lord Ami]

http://support.f-secure.com/enu/home/ols.shtml
http://www.kaspersky.com/virusscanner

Skänni nendega, kui aega on.

[laurx]

saa palun aru, et avg ei leiagi midagi. kui muud üle ei jää, võta oma masinast ketas välja ja pista ta kuskile masinasse, milles on kindlasti legaalsel teel ja ilma pätsimata saadud korralik tõrje. viirused " äratab üles" nt defragment.

[chesm6mmi]

mina sain sellest täitsa edukalt lahti mingi tooliga, googlisse kirjutades tuli, et ala miskine new messenger virus vms ja siis sealt alt tli igasugu staffi...

[entusiast]

mis möttes pätsitud variant? mul on prooviversioonid peal, ning avg on tasuta. ning nod ei leidnud seda üles samas kui kaspersky ja avg vähemalt leiavad need failid üles mis tekivad igakord peale restarti. ning kui trükkida msn virus removal tool, siis midagi sarnast ta leiab kuid midagi sellist nagu mul siin on, kahjuks pole. panin ka möelmad online scannerid skanneerima vaatab mis nemad räägivad.

[laurx]

nod32 piirangutevabaks kasutamiseks seadistamise fix id on enamasti ise troojad olnud.
peale avg on tasuta korralikumad asjad veel ka avast! ja avira home edition. mõlemaidkasutan ise, mõlemal on puudused aga grisofti saasta löövad pooleks. scannimise ajaks keera maha system restore

http://housecall.trendmicro.com

[entusiast]

leidsin googeldades sellise lehe http://www.hftonline.com/forum/showthread.php?t=18473
tegin nii nagu seal öpetatud leidin ka endal msmsgs.exe kusutasin ning ka sdffix leidis mingid asjad.



peale siin kerget puhastamist ja näppimist nätab mu hijackthis raport niimoodi:

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\userinit.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\imapi.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - F:\BitComet\tools\BitCometBHO_1.1.9.24.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: DealioBHO Class - {6A87B991-A31F-4130-AE72-6D0C294BF082} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (no name) - {A939F2EE-50D8-4A46-92E0-74C46164881C} - (no file)
O3 - Toolbar: Dealio - {E67C74F4-A00A-4F2C-9FEC-FD9DC004A67F} - (no file)
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O8 - Extra context menu item: &D&ownload &with BitComet - res://F:\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - res://F:\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://F:\BitComet\BitComet.exe/AddAllLink.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: BitComet Search - {461CC20B-FB6E-4f16-8FE8-C29359DB100E} - F:\BitComet\tools\BitCometBHO_1.1.9.24.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Dealio - {E908B145-C847-4e85-B315-07E2E70DECF8} - C:\WINDOWS\system32\shdocvw.dll
O16 - DPF: {0B79F48A-E8D6-11DB-9283-E25056D89593} (F-Secure Online Scanner 3.1) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {E8EB147D-ABEF-4228-A603-AAA845D1B2C1} (esteidTool Class) - http://www.sk.ee/id-kontroll/20070223.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe

ja SDFix raport oli selline


Running From: C:\SDFix

Safe Mode:
Checking Services:


Restoring Windows Registry Values
Restoring Windows Default Hosts File

Rebooting...


Normal Mode:
Checking Files:

Trojan Files Found:

C:\883009~1 - Deleted
C:\WINDOWS\system32\1_exception.nls - Deleted
C:\WINDOWS\system32\drivers\etc\BackupHosts.bak - Deleted
C:\WINDOWS\system32\SysPr.prx - Deleted



Removing Temp Files...

ADS Check:

C:\WINDOWS
No streams found.

C:\WINDOWS\system32
No streams found.

C:\WINDOWS\system32\svchost.exe
No streams found.

C:\WINDOWS\system32\ntoskrnl.exe
No streams found.



Final Check:

catchme 0.3.1262.1 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-13 16:24:52
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4]
"p0"="C:\Program Files\DAEMON Tools\"
"h0"=dword:00000000
"khjeh"=hex:b8,06,32,cc,b0,d0,5b,9f,49,45,2c,d0,93,7f,be,71,0d,ac,07,b3,cc,..

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001]
"a0"=hex:20,01,00,00,3d,57,36,ca,5a,3c,af,1e,05,05,04,d8,eb,6d,29,5f,43,..
"khjeh"=hex:2f,1b,72,a6,49,24,48,65,96,3d,ac,6d,14,f1,0f,a0,0f,b5,38,31,61,..

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40]
"khjeh"=hex:f4,ce,16,4c,23,83,ff,76,ee,19,bc,b7,4d,aa,1c,f1,b2,84,8e,10,d8,..
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg]
"s1"=dword:2df9c43f
"s2"=dword:110480d0
"h0"=dword:00000002

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC]
"h0"=dword:00000001
"hdf12"=hex:62,93,a3,7c,c2,80,ee,f6,9f,48,d2,d6,8c,11,52,45,85,41,84,2a,46,..

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4]
"h0"=dword:00000000
"khjeh"=hex:4a,47,75,3f,4f,df,ab,cc,1a,31,da,ff,f8,63,01,6a,95,ef,5e,b0,68,..
"p0"="C:\Program Files\DAEMON Tools\"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001]
"khjeh"=hex:2f,1b,72,a6,49,24,48,65,96,3d,ac,6d,14,f1,0f,a0,0f,b5,38,31,61,..
"a0"=hex:20,01,00,00,72,49,08,a3,cb,79,02,75,c6,d4,b8,8c,72,2d,dc,9f,c4,..

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40]
"khjeh"=hex:53,86,51,f6,0e,81,0a,90,8f,21,50,5b,a4,2e,d3,9d,49,c2,f2,42,06,..
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC]
"h0"=dword:00000001
"hdf12"=hex:62,93,a3,7c,c2,80,ee,f6,9f,48,d2,d6,8c,11,52,45,85,41,84,2a,46,..
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4]
"h0"=dword:00000000
"khjeh"=hex:4a,47,75,3f,4f,df,ab,cc,1a,31,da,ff,f8,63,01,6a,95,ef,5e,b0,68,..
"p0"="C:\Program Files\DAEMON Tools\"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001]
"khjeh"=hex:2f,1b,72,a6,49,24,48,65,96,3d,ac,6d,14,f1,0f,a0,0f,b5,38,31,61,..
"a0"=hex:20,01,00,00,72,49,08,a3,cb,79,02,75,c6,d4,b8,8c,72,2d,dc,9f,c4,..

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40]
"khjeh"=hex:53,86,51,f6,0e,81,0a,90,8f,21,50,5b,a4,2e,d3,9d,49,c2,f2,42,06,..

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


Remaining Services:
------------------



Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"D:\\Soulseek\\slsk.exe"="D:\\Soulseek\\slsk.exe:*:Enabled:SoulSeek"
"C:\\Program Files\\MSN Messenger\\MSN.exe"="C:\\Program Files\\MSN Messenger\\MSN.exe:*:Enabled:Messenger"
"C:\\Program Files\\Trillian\\trillian.exe"="C:\\Program Files\\Trillian\\trillian.exe:*:Enabled:Trillian"
"C:\\Program Files\\Mozilla Firefox\\firefox.exe"="C:\\Program Files\\Mozilla Firefox\\firefox.exe:*:Enabled:Mozilla Browser"
"C:\\Program Files\\Real Alternative\\Media Player Classic\\mplayerc.exe"="C:\\Program Files\\Real Alternative\\Media Player Classic\\mplayerc.exe:*:Enabled:Media Player Classic"
"D:\\iTunes\\iTunes.exe"="D:\\iTunes\\iTunes.exe:*:Enabled:iTunes"
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"="C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"="C:\\Program Files\\Windows Live\\Messenger\\livecall.exe:*:Enabled:Windows Live Messenger (Phone)"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"="C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"="C:\\Program Files\\Windows Live\\Messenger\\livecall.exe:*:Enabled:Windows Live Messenger (Phone)"

Remaining Files:
---------------

File Backups: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes:

Sun 24 Jun 2007 211 ..SH. --- "C:\boot.bak"
Wed 13 Oct 2004 1,694,208 ..SH. --- "C:\Program Files\Messenger\msmsgs.exe"
Tue 24 Jul 2007 885,587 ..SH. --- "C:\WINDOWS\system32\ijkkj.bak1"
Wed 27 Jun 2007 4,348 ..SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Thu 18 Oct 2007 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\573b8bee2d25ffedabde94732ae6dbae\BIT4F.tmp"
Tue 30 Oct 2007 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\61c11e2fdf34fecc8cff9abbf8ac5613\BIT6.tmp"
Tue 30 Oct 2007 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\ab59ac72525ea90a47679441587835c9\BIT7.tmp"
Mon 29 Oct 2007 1,301 ...HR --- "C:\Documents and Settings\Kristjan\Application Data\SecuROM\UserData\securom_v7_01.bak"

Finished!

[laurx]

ja mis meie sellega nüüd peale peame hakkama ? tulemust andis ?