Srodne teme
Navigacija
Lista poslednjih: 16, 32, 64, 128 poruka.

Trojan-Dropper.Win32.Small.rd ili sta drugo?

[es] :: Security :: Trojan-Dropper.Win32.Small.rd ili sta drugo?

[ Pregleda: 4707 | Odgovora: 7 ] > FB > Twit

Postavi temu Odgovori

Autor
Pretraga teme: Traži
Markiranje Štampanje RSS

yolja624

Član broj: 9380
Poruke: 1856



+643 Profil

icon Trojan-Dropper.Win32.Small.rd ili sta drugo?28.06.2005. u 12:14 - pre 229 meseci
Zdravo!

Na nekom od sajtova sa "edukativnim softverom" pokupio sam ovaj trojanac.
Kerio firewall mi stalno prijavljuje da se program sa imenom "tmpf00.exe" pokusava da nakaci na NET. Naravno, ne dozvolim to, ali me iritira sto nikako ne mogu da ga uklonim. Avast ga ne prepoznaje, adware i spybot takodje nista ne signaliziraju.
Ima li ko iskustva sa ovim trojancem, i kako da ga uklonim?

Hvala unaprijed!
Yolja
 
Odgovor na temu

`and

Član broj: 32490
Poruke: 776
*.vdial.verat.net.

Sajt: www.bitbyterz.org


Profil

icon Re: Trojan-Dropper.Win32.Small.rd ili sta drugo?28.06.2005. u 15:26 - pre 229 meseci
Pa obrisi ga rucno ! ( Udji u command line, a pre toga ga potrazi po hardu ... )
A mozes da vidis sta kaze Google : http://www.google.com/search?b...remover&btnG=Google+Search

[Ovu poruku je menjao `and dana 28.06.2005. u 16:28 GMT+1]
 
Odgovor na temu

yolja624

Član broj: 9380
Poruke: 1856



+643 Profil

icon Re: Trojan-Dropper.Win32.Small.rd ili sta drugo?29.06.2005. u 01:44 - pre 229 meseci
@`and
Hvala na preporuci, ali google sam vec "pitao". Nacini za ciscenje na koje sam naisao na stranicama koje je google izlistao, ne uklanjaju ovaj trojanac.
Rucno brisanje radi, i to nije problem, problem je sto se nakon restarta ponovo pojavljuje taj prokleti tmpf00.exe sto znaci da trojanac jos negdje ima kopiju.

@all
Ima li jos kakvih prijedloga? (format ne predlazite, jer za to znam i sam ;) )


Respect4all
Yolja
 
Odgovor na temu

Jbyn4e

Član broj: 422
Poruke: 6049
*.vdial.verat.net.



+257 Profil

icon Re: Trojan-Dropper.Win32.Small.rd ili sta drugo?29.06.2005. u 09:06 - pre 229 meseci
Da li si pre toga iskljucio system restore? Ako nisi, mozda ti ga windows sam vraca...

I jos:
Pokreni msconfig (Start>run>msconfig) i napisi sta imas u startup listi. Ili jos bolje ako imas hijack this! program, postuj njegov log skeniranja.



[Ovu poruku je menjao Jbyn4e dana 29.06.2005. u 10:06 GMT+1]
Kad sve ostalo zakaže, pročitaj uputstvo...
 
Odgovor na temu

yolja624

Član broj: 9380
Poruke: 1856



+643 Profil

icon Re: Trojan-Dropper.Win32.Small.rd ili sta drugo?29.06.2005. u 13:18 - pre 229 meseci
Citat:
Jbyn4e: Da li si pre toga iskljucio system restore? Ako nisi, mozda ti ga windows sam vraca...

System restore je iskljucen. To uradim uvijek poslije instalacije! ;)


Citat:

I jos:
Pokreni msconfig (Start>run>msconfig) i napisi sta imas u startup listi. Ili jos bolje ako imas hijack this! program, postuj njegov log skeniranja.


Evo sta je logovao Hijack this!

Citat:

Logfile of HijackThis v1.99.1
Scan saved at 14:13:37, on 29.6.2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4-1\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4-1\ashServ.exe
C:\Program Files\Kerio\Personal Firewall 4\kpf4ss.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\PROGRA~1\ALWILS~1\Avast4-1\ashDisp.exe
C:\Program Files\DU Meter\DUMeter.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fpdisp5a.exe
C:\Program Files\Visage\Visual Printer\vspradvsrv.exe
C:\Program Files\MSN Apps\Updater\01.03.0000.1005\en-us\msnappau.exe
C:\Program Files\Allied Telesyn\AT-WCU200G Wireless USB Adapter Client Manager\WCU200G.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\Program Files\roboform\RoboTaskBarIcon.exe
C:\Program Files\Kerio\Personal Firewall 4\kpf4gui.exe
C:\WINDOWS\System32\devldr32.exe
C:\Program Files\Kerio\Personal Firewall 4\kpf4gui.exe
C:\Program Files\Alwil Software\Avast4-1\ashWebSv.exe
C:\Program Files\Alwil Software\Avast4-1\ashMaiSv.exe
C:\Program Files\Outlook Express\msimn.exe
c:\mirc\mirc.exe
C:\Program Files\GetRight\GETRIGHT.EXE
C:\Program Files\GetRight\GETRIGHT.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Maxthon\Maxthon.exe
C:\Documents and Settings\*****\Desktop\putty.exe
C:\Documents and Settings\*****\Desktop\hijackthis\HijackThis.exe

R3 - URLSearchHook: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - blank (file missing)
O2 - BHO: SuperAdBlockerBHO Class - {00000000-6C30-11D8-9363-000AE6309654} - C:\Program Files\SuperAdBlocker.com\Super Ad Blocker\SABBHO.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: bho2gr Class - {31FF080D-12A3-439A-A2EF-4BA95A3148E8} - C:\Program Files\GetRight\xx2gr.dll
O2 - BHO: (no name) - {5437D1E0-FA38-41EF-816B-D9F299E767CA} - C:\WINDOWS\System32\yxs6898.dll
O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
O2 - BHO: (no name) - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\roboform\roboform.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
O2 - BHO: FlashFXP Helper for Internet Explorer - {E5A1691B-D188-4419-AD02-90002030B8EE} - C:\PROGRA~1\FlashFXP\IEFlash.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - blank (file missing)
O3 - Toolbar: Net Snippets - {67970B26-F57D-4455-8262-81C3AE3B8B5E} - C:\PROGRA~1\NETSNI~1\NetSnip.dll
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\roboform\roboform.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
O3 - Toolbar: Super Ad Blocker Toolbar - {B4B3001E-0F56-4E51-8250-BDE11547EC55} - C:\Program Files\SuperAdBlocker.com\Super Ad Blocker\sabtb.dll
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4-1\ashDisp.exe
O4 - HKLM\..\Run: [DU Meter] C:\Program Files\DU Meter\DUMeter.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [Realtime Audio Engine] mmrtkrnl.exe
O4 - HKLM\..\Run: [FinePrint Dispatcher v5] "C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fpdisp5a.exe" /source=HKLM
O4 - HKLM\..\Run: [vspradvsrv.exe] C:\Program Files\Visage\Visual Printer\vspradvsrv.exe
O4 - HKLM\..\Run: [msnappau] "C:\Program Files\MSN Apps\Updater\01.03.0000.1005\en-us\msnappau.exe"
O4 - HKCU\..\Run: [Allied Telesyn] C:\Program Files\Allied Telesyn\AT-WCU200G Wireless USB Adapter Client Manager\WCU200G.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - HKCU\..\Run: [RoboForm] "C:\Program Files\roboform\RoboTaskBarIcon.exe"
O4 - HKCU\..\Run: [SuperAdBlocker] C:\Program Files\SuperAdBlocker.com\Super Ad Blocker\SAdBlock.exe
O4 - Startup: PowerReg Scheduler.exe
O8 - Extra context menu item: &ICQ Toolbar Search - res://C:\Program Files\ICQToolbar\tool-baru.dll/SEARCH.HTML
O8 - Extra context menu item: Add to Net Snippets - C:\PROGRA~1\NETSNI~1\Res\Clipper.htm
O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\MICROS~1\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm
O8 - Extra context menu item: Podesi Meni - file://C:\Program Files\roboform\RoboFormComCustomizeIEMenu.html
O8 - Extra context menu item: Puni Formular - file://C:\Program Files\roboform\RoboFormComFillForms.html
O8 - Extra context menu item: Sacuvaj Formular - file://C:\Program Files\roboform\RoboFormComSavePass.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.1_02\bin\npjpi141_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.1_02\bin\npjpi141_02.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll
O9 - Extra button: ICQ Pro - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra button: Snippets - {7130DF06-BBC1-4e16-83D4-1F875E65B695} - C:\PROGRA~1\NETSNI~1\NetSnip.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{0391DE49-C532-438A-8BE7-5263D028FDD6}: NameServer = 127.0.0.1
O17 - HKLM\System\CCS\Services\Tcpip\..\{2CBFDB4F-EBED-4BA5-8C80-A181FFE8737E}: NameServer = 127.0.0.1
O17 - HKLM\System\CS1\Services\Tcpip\..\{0391DE49-C532-438A-8BE7-5263D028FDD6}: NameServer = 127.0.0.1
O17 - HKLM\System\CS2\Services\Tcpip\..\{0391DE49-C532-438A-8BE7-5263D028FDD6}: NameServer = 127.0.0.1
O20 - Winlogon Notify: iexplore - C:\WINDOWS\SYSTEM32\Yd4fY.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4-1\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4-1\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4-1\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4-1\ashWebSv.exe" /service (file missing)
O23 - Service: Kerio Personal Firewall 4 (KPF4) - Kerio Technologies - C:\Program Files\Kerio\Personal Firewall 4\kpf4ss.exe
O23 - Service: RadClock - Unknown owner - C:\WINDOWS\system32\RadClock.exe
O23 - Service: Super Ad Blocker Service (SABSVC) - SuperAdBlocker.com - C:\Program Files\SuperAdBlocker.com\Super Ad Blocker\SABSVC.EXE



Pozdrav
Yolja
 
Odgovor na temu

Jbyn4e

Član broj: 422
Poruke: 6049
*.vdial.verat.net.



+257 Profil

icon Re: Trojan-Dropper.Win32.Small.rd ili sta drugo?29.06.2005. u 14:25 - pre 229 meseci
postuj taj log na:
http://www.hijackthis.de/
ili
http://hjt.iamnotageek.com/
i vidi sta ti sve kaze tamo (da ne bih ponavljao).
Meni ne izgleda tu nista toliko sumnjivo.

P.S. Pre pustanja hijack this-a pogasi sto je vise moguce programa, znaci da ti ne radi ni explorer, ni ovo ono...

Lazem, mozda ovo nije nista naslo, ali sam nasao uzrok tvog problema. Slucajno sam zapazio:
Citat:

O20 - Winlogon Notify: iexplore - C:\WINDOWS\SYSTEM32\Yd4fY.dll

i malom proverom preko google-ta na "Winlogon Notify: iexplore" dobio sam:
http://www.sophos.com/virusinfo/analyses/trojdloaderew.html
pa procitaj sta sve treba da uklonis iz registry-ja i kako.

Javi sta si uradio/la (nisam obratio paznju na pol).

[Ovu poruku je menjao Jbyn4e dana 29.06.2005. u 15:33 GMT+1]
Kad sve ostalo zakaže, pročitaj uputstvo...
 
Odgovor na temu

Lord_Sauron
Vladimir Urdesic
Herceg-Novi (trenutno PG)

Član broj: 4154
Poruke: 401
*.crnagora.net.



Profil

icon Re: Trojan-Dropper.Win32.Small.rd ili sta drugo?29.06.2005. u 14:56 - pre 229 meseci
Ja sam prije 3 dana imao identičan problem, mada nisam zapamtio ime virusa (IE je prijavio grešku). Pošast mi je stalno izbacivala neke reklamne pr0n i p2p sajtove u Firefoxu, pa sam morao da odreagujem. Adaware i spybot mi nisu pomogli, kao ni Hijack this!, pa sam morao ručno.

Uočio sam gada u user procesima, zvao se nešto kao tm209.exe (nisam siguran za slova li 209.exe mi je zapalo za oko). Prvo sam ga ubio kao proces, zatim ga potražio u registy-ju. Kao što sam i pretpostavio bio je u Run folderu, ali i na drugim mjestima, i svi su vodili ka tom istom fajlu "C:\WINDOWS\SYSTEM32\tm209.exe". Izbrisao sam sve registry key-eve, kao i izvršni fajl iz foldera system32 i rebootovao.

Više nisam imao problema sa njim ;)

[Ovu poruku je menjao Lord_Sauron dana 29.06.2005. u 16:00 GMT+1]
Montenegro - Coastline Apartments
 
Odgovor na temu

yolja624

Član broj: 9380
Poruke: 1856



+643 Profil

icon Re: Trojan-Dropper.Win32.Small.rd ili sta drugo?29.06.2005. u 17:24 - pre 229 meseci
Citat:
Jbyn4e: postuj taj log na:
Lazem, mozda ovo nije nista naslo, ali sam nasao uzrok tvog problema. Slucajno sam zapazio:
i malom proverom preko google-ta na "Winlogon Notify: iexplore" dobio sam:
http://www.sophos.com/virusinfo/analyses/trojdloaderew.html
pa procitaj sta sve treba da uklonis iz registry-ja i kako.

Javi sta si uradio/la (nisam obratio paznju na pol).
[Ovu poruku je menjao Jbyn4e dana 29.06.2005. u 15:33 GMT+1]


Hvala na savjetu! U registry sam nasao taj .dll i uklonio sam ga. Pricekacu da vidim efekte, pa cu vam javiti... ;)
BTW... Yolja = Zolja - Musko Bre! (zeznuo sam se prilikom registracije... bio sam pod "gasom" )

Hvala svima na savjetima!

Yolja
 
Odgovor na temu

[es] :: Security :: Trojan-Dropper.Win32.Small.rd ili sta drugo?

[ Pregleda: 4707 | Odgovora: 7 ] > FB > Twit

Postavi temu Odgovori

Srodne teme
Navigacija
Lista poslednjih: 16, 32, 64, 128 poruka.