Win32/Protector.G vírus

Zpráva

#31 Příspěvek od **motji** » 18 úno 2010 00:40

Nevadí, upravíme ho

"%userprofile%\desktop\mbr" -t

Otestujte na www.virustotal.com
C:\WINDOWS\System32\DNSAPI.dll
C:\WINDOWS\System32\gdiplus.dll

Na log se ještě pořádně podívám zítra

Mikey2692 · #32 Příspěvek od **Mikey2692** » 18 úno 2010 00:44

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll nvata.sys
kernel: MBR read successfully
user & kernel MBR OK

Mikey2692 · #33 Příspěvek od **Mikey2692** » 18 úno 2010 00:45

File has already been analysed:
MD5: 5d3fde8fb2801a2041d1b965372c4928
First received: 2009.03.30 16:04:49 UTC
Date: 2010.02.11 06:48:51 UTC [>6D]
Results: 0/41
Permalink: analisis/4ccdc67160606acdc67b50d93f760e7c689fd3f33375dd259f35c76451acb7a8-1265870931

Mikey2692 · #34 Příspěvek od **Mikey2692** » 18 úno 2010 00:46

File has already been analysed:
MD5: d0aaae16ba162dd89d646887f1539855
First received: 2009.02.15 19:44:54 UTC
Date: 2010.02.14 03:46:33 UTC [>3D]
Results: 0/41
Permalink: analisis/d84e7eb505adee8ea660f48c89705977f5eb33b7299d0bd981624e3ece320223-1266119193

Mikey2692 · #35 Příspěvek od **Mikey2692** » 18 úno 2010 00:47

ok takže zatial dakujem ja už idem spať ak sa to teda dá tak ešte povedať

zajtra môžeme pokračovať

#36 Příspěvek od **motji** » 18 úno 2010 00:55

Dobrou noc

.

testoval jste ty Vaše soubory? Když se Vás na virustotalu zeptají, dejte je otestovat znovu

#37 Příspěvek od **motji** » 18 úno 2010 12:56

Použíl jste ten SPTD http://www.duplexsecure.com/en/downloads, jak jsem psala?

ještě otestujte na www.virustotal.com
c:\windows\system32\SyncMan.exe

Stáhněte
http://rootrepeal.googlepages.com/RootRepeal.zip
-Stáhněte,rozbalte a spusťte
-vyberte záložku drivers, pak Files, klikněte na Scan,
-proběhne sken, po něm klikněte na Save Report , tím se uloží log, který zkopírujete sem

Mikey2692 · #38 Příspěvek od **Mikey2692** » 18 úno 2010 18:01

ano šak stiahol som to dal na plochu spustil dal uninstal reštartoval komp stiahol som gmer a potom pokračoval podla postupu..

Mikey2692 · #39 Příspěvek od **Mikey2692** » 18 úno 2010 18:04

Antivirus Version Last Update Result
a-squared 4.5.0.50 2010.02.18 Trojan.Crypt!IK
AhnLab-V3 5.0.0.2 2010.02.17 -
AntiVir 8.2.1.170 2010.02.18 TR/Crypt.ZPACK.Gen
Antiy-AVL 2.0.3.7 2010.02.18 -
Authentium 5.2.0.5 2010.02.18 -
Avast 4.8.1351.0 2010.02.18 -
AVG 9.0.0.730 2010.02.18 -
BitDefender 7.2 2010.02.18 -
CAT-QuickHeal 10.00 2010.02.18 -
ClamAV 0.96.0.0-git 2010.02.18 -
Comodo 3981 2010.02.18 Heur.Suspicious
DrWeb 5.0.1.12222 2010.02.18 Trojan.Packed.19699
eSafe 7.0.17.0 2010.02.18 Win32.TRCrypt.ZPACK
eTrust-Vet 35.2.7310 2010.02.18 -
F-Prot 4.5.1.85 2010.02.17 -
F-Secure 9.0.15370.0 2010.02.18 -
Fortinet 4.0.14.0 2010.02.18 -
GData 19 2010.02.18 -
Ikarus T3.1.1.80.0 2010.02.18 Trojan.Crypt
Jiangmin 13.0.900 2010.02.18 -
K7AntiVirus 7.10.977 2010.02.18 -
Kaspersky 7.0.0.125 2010.02.17 -
McAfee 5896 2010.02.18 -
McAfee+Artemis 5896 2010.02.18 Artemis!B88F2F6E933E
McAfee-GW-Edition 6.8.5 2010.02.18 Heuristic.LooksLike.Win32.Suspicious.A!80
Microsoft 1.5406 2010.02.18 -
NOD32 4877 2010.02.18 -
Norman 6.04.08 2010.02.18 -
nProtect 2009.1.8.0 2010.02.18 -
Panda 10.0.2.2 2010.02.18 Suspicious file
PCTools 7.0.3.5 2010.02.17 -
Rising 22.34.01.03 2010.02.11 -
Sophos 4.50.0 2010.02.18 Sus/UnkPack-C
Sunbelt 5684 2010.02.18 -
Symantec 20091.2.0.41 2010.02.18 Suspicious.Insight
TheHacker 6.5.1.4.198 2010.02.18 -
TrendMicro 9.120.0.1004 2010.02.18 TROJ_SHGRAY.SM
VBA32 3.12.12.2 2010.02.18 -
ViRobot 2010.2.18.2192 2010.02.18 -
VirusBuster 5.0.27.0 2010.02.18 -
Additional information
File size: 42531 bytes
MD5...: b88f2f6e933e4a0a69b0a6fe443269dc
SHA1..: cc5f885d70e7fea8739b2a45f8ba749a1f6b8294
SHA256: 16de9202675b3b2b6145dfa18d4a4325b587210e9854090921486cf47baf8e62
ssdeep: 768:JGjt8xk7G2A2tZ7K88un8srCFlw4Zu+PmxkMl7AcJhZqrApLNcHkSLVrB:k9
nnAlw4E+Pmx/lfJhZQApLNiLVF
PEiD..: -
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x3af
timedatestamp.....: 0x4b7a600e (Tue Feb 16 09:06:22 2010)
machinetype.......: 0x14c (I386)

( 5 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x300 0x20c 0x300 4.30 2872248aff5d6fd4b9361c9c568fff64
.rdata 0x600 0xfc 0x100 3.88 12119a9433d6ec14ac97d1596536967a
.data 0x700 0x42 0x100 1.39 a2d85fd52227707916ee70bcf1c060d6
.rsrc 0x800 0xd60 0xe00 5.39 ab990fe738109107fd6c6fecb1f1911c
.text 0x1600 0x9100 0x9100 7.81 779bd0098bb765b22e73925dfdc48446

( 2 imports )
> kernel32.dll: ExitProcess, GetLastError, GetModuleHandleA, GetProcAddress
> user32.dll: EnumChildWindows, MessageBoxA

( 0 exports )
RDS...: NSRL Reference Data Set
-
pdfid.: -
trid..: Win32 Executable Generic (42.3%)
Win32 Dynamic Link Library (generic) (37.6%)
Generic Win/DOS Executable (9.9%)
DOS Executable Generic (9.9%)
Autodesk FLIC Image File (extensions: flc, fli, cel) (0.0%)
sigcheck:
publisher....: n/a
copyright....: n/a
product......: n/a
description..: n/a
original name: n/a
internal name: n/a
file version.: n/a
comments.....: n/a
signers......: -
signing date.: -
verified.....: Unsigned

Mikey2692 · #40 Příspěvek od **Mikey2692** » 18 úno 2010 18:12

no chcel som to dať skenovať dal som drivers scan potom files a tam to zamrzlo a windows mi vyhodil modrú obrazovku a chybu a ked som ho reštartoval a pustil tak mi napísal nejakú chybu súboru schvost.exe či tak nejako...

Mikey2692 · #41 Příspěvek od **Mikey2692** » 18 úno 2010 18:31

podarilo sa mi analyzovať ten prvý čo mi stále antivirus buzeruje
File cdrom.sys received on 2010.02.18 17:26:43 (UTC)
Current status: finished
Result: 20/41 (48.78%)
Compact Compact
Print results Print results
Antivirus Version Last Update Result
a-squared 4.5.0.50 2010.02.18 Rootkit.Kobcka!IK
AhnLab-V3 5.0.0.2 2010.02.18 -
AntiVir 8.2.1.170 2010.02.18 TR/Rootkit.Gen
Antiy-AVL 2.0.3.7 2010.02.18 -
Authentium 5.2.0.5 2010.02.18 -
Avast 4.8.1351.0 2010.02.18 -
AVG 9.0.0.730 2010.02.18 Hider.MY
BitDefender 7.2 2010.02.18 Rootkit.Kobcka.Patched.Gen
CAT-QuickHeal 10.00 2010.02.18 W32.Protector.C
ClamAV 0.96.0.0-git 2010.02.18 -
Comodo 3982 2010.02.18 Virus.Win32.Protector.A
DrWeb 5.0.1.12222 2010.02.18 BackDoor.Bulknet.448
eSafe 7.0.17.0 2010.02.18 Win32.TRRootkit
eTrust-Vet 35.2.7310 2010.02.18 -
F-Prot 4.5.1.85 2010.02.17 -
F-Secure 9.0.15370.0 2010.02.18 Rootkit.Kobcka.Patched.Gen
Fortinet 4.0.14.0 2010.02.18 -
GData 19 2010.02.18 Rootkit.Kobcka.Patched.Gen
Ikarus T3.1.1.80.0 2010.02.18 Rootkit.Kobcka
Jiangmin 13.0.900 2010.02.18 -
K7AntiVirus 7.10.977 2010.02.18 -
Kaspersky 7.0.0.125 2010.02.17 -
McAfee 5896 2010.02.18 Generic.dx!npc
McAfee+Artemis 5896 2010.02.18 Generic.dx!npc
McAfee-GW-Edition 6.8.5 2010.02.18 Trojan.Rootkit.Gen
Microsoft 1.5406 2010.02.18 -
NOD32 4878 2010.02.18 Win32/Protector.G
Norman 6.04.08 2010.02.18 -
nProtect 2009.1.8.0 2010.02.18 -
Panda 10.0.2.2 2010.02.18 Suspicious file
PCTools 7.0.3.5 2010.02.17 -
Prevx 3.0 2010.02.18 -
Rising 22.34.01.03 2010.02.11 -
Sophos 4.50.0 2010.02.18 Mal/Generic-A
Sunbelt 5684 2010.02.18 -
Symantec 20091.2.0.41 2010.02.18 Hacktool.Rootkit
TheHacker 6.5.1.4.198 2010.02.18 -
TrendMicro 9.120.0.1004 2010.02.18 TROJ_CUTWAIL.SMR
VBA32 3.12.12.2 2010.02.18 -
ViRobot 2010.2.18.2192 2010.02.18 Win32.Protector.C
VirusBuster 5.0.27.0 2010.02.18 -
Additional information
File size: 97696 bytes
MD5 : d4f9c7768444017bdf3b08fe0621b74a
SHA1 : 0fb13a37af2ef72d272b213bfeace805ff6a7426
SHA256: 1251b9012e76ad8f325235fdd8491c3f898d7c3af1ae4217af30814c2559e321
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0xDD2
timedatestamp.....: 0x4B726341 (Wed Feb 10 08:41:53 2010)
machinetype.......: 0x14C (Intel I386)

( 5 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x2A0 0xBEE 0xC00 5.81 104cbc8e2275b1296eebb26fc754794e
.rdata 0xEA0 0x8 0x20 0.40 1de9e9a5a4e5c9d99b41c037741647dd
.data 0xEC0 0x23 0x40 1.90 bc652683832e460ad0df550163732614
INIT 0xF00 0x56 0x60 2.94 305c9f83184b1e38ad2b5e26164c7d0c
.reloc 0xF60 0x16E22 0x16E40 6.76 80f4ab402845d0627ff7c0a12987dc96

( 1 imports )

> ntoskrnl.exe: PsGetCurrentProcessId

( 0 exports )
TrID : File type identification
Generic Win/DOS Executable (49.9%)
DOS Executable Generic (49.8%)
Autodesk FLIC Image File (extensions: flc, fli, cel) (0.1%)
ssdeep: 1536:wRfEwOBJafYhEl4T+nnhiZnlx3oR8HJxj4Lr1s9Z:rwSUYdUnhIlaR8HPAG
sigcheck: publisher....: n/a
copyright....: n/a
product......: n/a
description..: n/a
original name: n/a
internal name: n/a
file version.: n/a
comments.....: n/a
signers......: -
signing date.: -
verified.....: Unsigned
PEiD : -
RDS : NSRL Reference Data Set
-

Mikey2692 · #42 Příspěvek od **Mikey2692** » 18 úno 2010 18:34

File cdrom.sys received on 2010.02.18 17:32:30 (UTC)
Current status: Loading ... queued waiting scanning finished NOT FOUND STOPPED
Result: 20/41 (48.79%)
Loading server information...
Your file is queued in position: ___.
Estimated start time is between ___ and ___ .
Do not close the window until scan is complete.
The scanner that was processing your file is stopped at this moment, we are going to wait a few seconds to try to recover your result.
If you are waiting for more than five minutes you have to resend your file.
Your file is being scanned by VirusTotal in this moment,
results will be shown as they're generated.
Compact Compact
Print results Print results
Your file has expired or does not exists.
Service is stopped in this moments, your file is waiting to be scanned (position: ) for an undefined time.

You can wait for web response (automatic reload) or type your email in the form below and click "request" so the system sends you a notification when the scan is finished.
Email:

Antivirus Version Last Update Result
a-squared 4.5.0.50 2010.02.18 Rootkit.Kobcka!IK
AhnLab-V3 5.0.0.2 2010.02.18 -
AntiVir 8.2.1.170 2010.02.18 TR/Rootkit.Gen
Antiy-AVL 2.0.3.7 2010.02.18 -
Authentium 5.2.0.5 2010.02.18 -
Avast 4.8.1351.0 2010.02.18 -
AVG 9.0.0.730 2010.02.18 Hider.MY
BitDefender 7.2 2010.02.18 Rootkit.Kobcka.Patched.Gen
CAT-QuickHeal 10.00 2010.02.18 W32.Protector.C
ClamAV 0.96.0.0-git 2010.02.18 -
Comodo 3982 2010.02.18 Virus.Win32.Protector.A
DrWeb 5.0.1.12222 2010.02.18 BackDoor.Bulknet.448
eSafe 7.0.17.0 2010.02.18 Win32.TRRootkit
eTrust-Vet 35.2.7310 2010.02.18 -
F-Prot 4.5.1.85 2010.02.17 -
F-Secure 9.0.15370.0 2010.02.18 Rootkit.Kobcka.Patched.Gen
Fortinet 4.0.14.0 2010.02.18 -
GData 19 2010.02.18 Rootkit.Kobcka.Patched.Gen
Ikarus T3.1.1.80.0 2010.02.18 Rootkit.Kobcka
Jiangmin 13.0.900 2010.02.18 -
K7AntiVirus 7.10.977 2010.02.18 -
Kaspersky 7.0.0.125 2010.02.17 -
McAfee 5896 2010.02.18 Generic.dx!npc
McAfee+Artemis 5896 2010.02.18 Generic.dx!npc
McAfee-GW-Edition 6.8.5 2010.02.18 Trojan.Rootkit.Gen
Microsoft 1.5406 2010.02.18 -
NOD32 4878 2010.02.18 Win32/Protector.G
Norman 6.04.08 2010.02.18 -
nProtect 2009.1.8.0 2010.02.18 -
Panda 10.0.2.2 2010.02.18 Suspicious file
PCTools 7.0.3.5 2010.02.17 -
Prevx 3.0 2010.02.18 -
Rising 22.34.01.03 2010.02.11 -
Sophos 4.50.0 2010.02.18 Mal/Generic-A
Sunbelt 5684 2010.02.18 -
Symantec 20091.2.0.41 2010.02.18 Hacktool.Rootkit
TheHacker 6.5.1.4.198 2010.02.18 -
TrendMicro 9.120.0.1004 2010.02.18 TROJ_CUTWAIL.SMR
VBA32 3.12.12.2 2010.02.18 -
ViRobot 2010.2.18.2192 2010.02.18 Win32.Protector.C
VirusBuster 5.0.27.0 2010.02.18 -
Additional information
File size: 97696 bytes
MD5...: d4f9c7768444017bdf3b08fe0621b74a
SHA1..: 0fb13a37af2ef72d272b213bfeace805ff6a7426
SHA256: 1251b9012e76ad8f325235fdd8491c3f898d7c3af1ae4217af30814c2559e321
ssdeep: 1536:wRfEwOBJafYhEl4T+nnhiZnlx3oR8HJxj4Lr1s9Z:rwSUYdUnhIlaR8HPAG
PEiD..: -
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0xdd2
timedatestamp.....: 0x4b726341 (Wed Feb 10 07:41:53 2010)
machinetype.......: 0x14c (I386)

( 5 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x2a0 0xbee 0xc00 5.81 104cbc8e2275b1296eebb26fc754794e
.rdata 0xea0 0x8 0x20 0.40 1de9e9a5a4e5c9d99b41c037741647dd
.data 0xec0 0x23 0x40 1.90 bc652683832e460ad0df550163732614
INIT 0xf00 0x56 0x60 2.94 305c9f83184b1e38ad2b5e26164c7d0c
.reloc 0xf60 0x16e22 0x16e40 6.76 80f4ab402845d0627ff7c0a12987dc96

( 1 imports )
> ntoskrnl.exe: PsGetCurrentProcessId

( 0 exports )
RDS...: NSRL Reference Data Set
-
pdfid.: -
trid..: Generic Win/DOS Executable (49.9%)
DOS Executable Generic (49.8%)
Autodesk FLIC Image File (extensions: flc, fli, cel) (0.1%)
sigcheck:
publisher....: n/a
copyright....: n/a
product......: n/a
description..: n/a
original name: n/a
internal name: n/a
file version.: n/a
comments.....: n/a
signers......: -
signing date.: -
verified.....: Unsigned

#43 Příspěvek od **motji** » 18 úno 2010 19:31

Prosím Vás ten první výsledek z virustotalu dnes patří k jakému souboru? K tomuto?
c:\windows\system32\SyncMan.exe

A psala jsem at znovu otestujete tyto dvaaby to byli Vaše otestované, a ne stálý odkaz

C:\WINDOWS\System32\DNSAPI.dll
C:\WINDOWS\System32\gdiplus.dll

Log ze záložky drivers by nebyl? Nebo jste ho neuložil a rovnou dal files? Ted Rotrepeal nespouštějte, udělejte, co jsem psala výš, at se hneme z místa.

Mikey2692 · #44 Příspěvek od **Mikey2692** » 18 úno 2010 20:13

ano ten prvý odkaz z dnešku patrí k tomu

#45 Příspěvek od **motji** » 18 úno 2010 20:15

Tak prosim otestujte ještě ty dva a jdem na věc

VIRY.CZ

Win32/Protector.G vírus

Re: Win32/Protector.G vírus

Re: Win32/Protector.G vírus

Re: Win32/Protector.G vírus

Re: Win32/Protector.G vírus

Re: Win32/Protector.G vírus

Re: Win32/Protector.G vírus

Re: Win32/Protector.G vírus

Re: Win32/Protector.G vírus

Re: Win32/Protector.G vírus

Re: Win32/Protector.G vírus

Re: Win32/Protector.G vírus

Re: Win32/Protector.G vírus

Re: Win32/Protector.G vírus

Re: Win32/Protector.G vírus

Re: Win32/Protector.G vírus