[ nenad0000 @ 05.08.2010. 12:45 ] @
I have a problem with malware named Win32:Agent-AKOO [Drp], which is located in C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\6N1XSMYV\20100730[1].exe\GoogleUpdateBeta.exe

and C:\Windows\Temp\pfxA0E7.tmp.exe\GoogleUpdateBeta.exe, and it is named "Kukavičije jaje" (Cuckoo's egg)....

PLEASE HELP, BECAUSE WHEN I DELETE IT, IT REAPPEARS THE NEXT TIME WINDOWS 7 STARTS.

NOTE: Apart from the internet, all programs work normally. The internet sometimes slows down, so I have to reload. This name is not among the worms and viruses mentioned on the forum.

Thanks!
[ Aleksandar Maletic @ 05.08.2010. 14:21 ] @
Clean out the temp directories:
C:\WINDOWS\Temp
C:\Documents and Settings\Vas-Account\Local Settings\Temp
C:\Documents and Settings\Vas-Account\Local Settings\Temporary Internet Files

Delete everything in the Recycle Bin...download Malwarebytes' Anti-Malware http://download.cnet.com/Malwa...8022_4-10804572.html?tag=mncol , update it and run a Full scan...when it finishes, upload the log (text file) with the results here for us...
Which AV do you use?
[ nenad0000 @ 05.08.2010. 16:53 ] @
I use the AVAST 4.8 antivirus.

Here is the log:

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4393

Windows 6.1.7600
Internet Explorer 8.0.7600.16385

05-Aug-10 17:51:11
mbam-log-2010-08-05 (17-51-11).txt

Scan type: Full scan (C:\|D:\|)
Objects scanned: 238395
Time elapsed: 47 minute(s), 1 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 9

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\GoogleUpdateBeta (Backdoor.IRCBot) -> No action taken.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs\C:\Windows\System32\memman.vxd (Rogue.sysCleaner) -> No action taken.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\ProgramData\{784E3329-1B2A-421E-9427-596088B766F6}\OFFLINE\71747601\2302A1E7\memman.vxd (Rogue.sysCleaner) -> No action taken.
C:\Windows\System32\memman.vxd (Rogue.sysCleaner) -> No action taken.
D:\System Volume Information\_restore{0828F4C7-33E6-4A35-A9EB-0EF9E8DB1505}\RP15\A0005881.exe (Malware.Packer.Gen) -> No action taken.
D:\PROGRAMI\Sony_Sound_Forge_8.0\Damn_MainConcept_MPEG_1&2_Plugin_v1.0_Keygen.exe (Trojan.Agent.CK) -> No action taken.
D:\PROGRAMI\Sony_Sound_Forge_8.0\damn_MP3Plugin_kg.exe (Trojan.Agent.CK) -> No action taken.
D:\PROGRAMI\Sony_Sound_Forge_8.0\Multi-KeyGenerator.exe (Trojan.Downloader) -> No action taken.
D:\PROGRAMI\Sony_Sound_Forge_8.0\SF8_Retail.exe (Trojan.Downloader) -> No action taken.
D:\PROGRAMI\Sony_Sound_Forge_8.0\SF8_Trial.exe (Trojan.Downloader) -> No action taken.
C:\Users\Nenad\Local Settings\Application Data\Google\Update\GoogleUpdateBeta.exe (Trojan.Agent) -> No action taken.
[ Aleksandar Maletic @ 05.08.2010. 18:14 ] @
Here's what to do...uninstall that Avast and download Avast!5 Free from here http://download.cnet.com/Avast...2239_4-10019223.html?tag=mncol , install it, update it and run a Full scan...after that, run another Full scan with Malwarebytes' and post the log for me again so I can see what the situation is...since a good share of malware attacks via USB, install MCShield http://amf.mycity.rs/programs/mc/mcshield/ , it will automatically delete malware whenever a flash drive is plugged in from now on...
[ nenad0000 @ 05.08.2010. 23:04 ] @
Avast found 8 viruses, 7 on C and 1 on D, and after that I ran a scan with Malwarebytes' and the log reads:

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4393

Windows 6.1.7600
Internet Explorer 8.0.7600.16385

06-Aug-10 00:02:01
mbam-log-2010-08-06 (00-02-01).txt

Scan type: Full scan (C:\|D:\|)
Objects scanned: 238775
Time elapsed: 42 minute(s), 30 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 10

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\GoogleUpdateBeta (Backdoor.IRCBot) -> No action taken.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs\C:\Windows\System32\memman.vxd (Rogue.sysCleaner) -> No action taken.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\ProgramData\{784E3329-1B2A-421E-9427-596088B766F6}\OFFLINE\71747601\2302A1E7\memman.vxd (Rogue.sysCleaner) -> No action taken.
C:\Windows\System32\memman.vxd (Rogue.sysCleaner) -> No action taken.
D:\System Volume Information\_restore{0828F4C7-33E6-4A35-A9EB-0EF9E8DB1505}\RP15\A0005881.exe (Malware.Packer.Gen) -> No action taken.
D:\PROGRAMI\Sony_Sound_Forge_8.0\Damn_MainConcept_MPEG_1&2_Plugin_v1.0_Keygen.exe (Trojan.Agent.CK) -> No action taken.
D:\PROGRAMI\Sony_Sound_Forge_8.0\damn_MP3Plugin_kg.exe (Trojan.Agent.CK) -> No action taken.
D:\PROGRAMI\Sony_Sound_Forge_8.0\Multi-KeyGenerator.exe (Trojan.Downloader) -> No action taken.
D:\PROGRAMI\Sony_Sound_Forge_8.0\SF8_Retail.exe (Trojan.Downloader) -> No action taken.
D:\PROGRAMI\Sony_Sound_Forge_8.0\SF8_Trial.exe (Trojan.Downloader) -> No action taken.
C:\Users\Nenad\Local Settings\Application Data\Google\Update\GoogleUpdateBeta.exe (Trojan.Agent) -> No action taken.
C:\Windows\System32\config\systemprofile\Local Settings\Application Data\Google\Update\GoogleUpdateBeta.exe (Trojan.Agent) -> No action taken.
[ Aleksandar Maletic @ 05.08.2010. 23:20 ] @
Did you click Remove selected when the scan finished???
Did you restart the computer when Malwarebytes finished???
It's impossible that the situation is the same again...
Run a Full scan with Malwarebytes again, remove the detected malware, copy the log for me, and then restart the computer...
[ goran9888 @ 05.08.2010. 23:20 ] @
After you finish the scan with MBAM, click as shown in the picture.



[ Goran Mijailovic @ 06.08.2010. 00:30 ] @
Quote:
C:\Windows\System32\memman.vxd (Rogue.sysCleaner) -> No action taken.


obviously he didn't...
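
The check made in this post, as an added example that is not part of the thread: Python code that parses Malwarebytes' Anti-Malware 1.46 text logs like the two posted above, lists the items left at "No action taken", and shows which paths appear in both scans. The function names are hypothetical and the sample input is a constructed excerpt of the thread's two logs.

```python
import re

SECTION = re.compile(r"^([A-Za-z ]+ Infected):$")
ITEM = re.compile(r"^(?P<path>.+) \((?P<detection>[^()]+)\) -> (?P<action>.+?)\.?$")

def parse_mbam_log(text):
    """Return one dict per detected item, tagged with its log section."""
    items, section = [], None
    for raw in text.splitlines():
        line = raw.strip()
        header = SECTION.match(line)
        if header:
            section = header.group(1)
            continue
        found = ITEM.match(line)
        if found and section:
            items.append({"section": section, **found.groupdict()})
    return items

def unremediated(items):
    """Items the scanner only reported; nothing was quarantined or deleted."""
    return [i for i in items if i["action"] == "No action taken"]

def persisting(first, second):
    """Paths flagged in both scans, i.e. still present after the first pass."""
    seen = {i["path"] for i in first}
    return sorted(i["path"] for i in second if i["path"] in seen)

# Constructed sample: a few lines excerpted from the two logs in the thread.
SCAN_1 = r"""
Registry Keys Infected: 1
Files Infected: 2

Registry Keys Infected:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\GoogleUpdateBeta (Backdoor.IRCBot) -> No action taken.

Files Infected:
C:\Windows\System32\memman.vxd (Rogue.sysCleaner) -> No action taken.
C:\Users\Nenad\Local Settings\Application Data\Google\Update\GoogleUpdateBeta.exe (Trojan.Agent) -> No action taken.
"""
SCAN_2 = SCAN_1 + r"""C:\Windows\System32\config\systemprofile\Local Settings\Application Data\Google\Update\GoogleUpdateBeta.exe (Trojan.Agent) -> No action taken.
"""

if __name__ == "__main__":
    first, second = parse_mbam_log(SCAN_1), parse_mbam_log(SCAN_2)
    print(len(unremediated(second)), "items were reported but not removed")
    for path in persisting(first, second):
        print("still present:", path)
```

A path that shows up in both scans with the same "No action taken" status means the earlier scan only reported it; the summary counters (such as `Files Infected: 2`) are skipped because they are neither section headers nor item lines.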
[ Aleksandar Maletic @ 06.08.2010. 00:51 ] @
I realized that, but since I had already written the message... :)
@nenad0000, do as I told you...
[ nenad0000 @ 06.08.2010. 07:16 ] @
I will, I've let it run and then I'll delete everything selected!
I didn't send you, Goran Mijailovic, what Avast 5 did.

Here it is:

http://img718.imageshack.us/i/scanresults.jpg/

As soon as MBAM finishes, I'll report back with the log!
[ nenad0000 @ 06.08.2010. 09:08 ] @
Malwarebytes has finished scanning and this latest log now reads:

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4393

Windows 6.1.7600
Internet Explorer 8.0.7600.16385

06-Aug-10 09:57:19
mbam-log-2010-08-06 (09-57-19).txt

Scan type: Full scan (C:\|D:\|)
Objects scanned: 238292
Time elapsed: 40 minute(s), 19 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

I deleted everything selected, restarted, and now there are no more infected files. Should I scan with Avast 5 again?
Thanks!

[ goran9888 @ 06.08.2010. 10:09 ] @
Turn System Restore off and then on again.
After that, run a full scan with Avast...
[ Aleksandar Maletic @ 06.08.2010. 12:09 ] @
Nothing more is needed, provided Malwarebytes' cleaned everything...just do one more check with Avast and everything will be ok... ;)
[ nenad0000 @ 06.08.2010. 12:37 ] @
Avast found 5 files again!

Picture:

http://img196.imageshack.us/f/scanresults06082010.jpg/

What should I do?

[ Aleksandar Maletic @ 06.08.2010. 13:00 ] @
Feel free to delete everything, those trojans are in Temporary Internet Files, you can't damage anything...
[ nenad0000 @ 06.08.2010. 13:05 ] @
OK, I'll delete them!

Thanks A LOT, Aleksandar Maletic and goran9888, for the help!



[ dava @ 06.08.2010. 13:08 ] @
The question remains where they came from now. Did you surf the net in the meantime? If you did, OK; if you didn't, it's possible you have some downloader in the system that is fetching them.
[ Aleksandar Maletic @ 06.08.2010. 13:18 ] @
Install MCShield http://amf.mycity.rs/programs/mc/mcshield/ , from now on it will delete malware every time a USB flash drive is plugged in...
Keep checking the state, in a day or two run a scan with Avast and Malwarebytes (a Quick Scan is enough) and let us know if anything happens to turn up...
Maybe @dava is right...
[ nenad0000 @ 06.08.2010. 13:25 ] @
I ran a Full Scan with Avast 5 again and there is nothing. I even restarted the computer and everything is ok.
I downloaded and installed MCShield and tried it with a USB flash drive, and it finds and deletes all the malware it comes across!

Thanks for the note, @dava; there's no doubt, they disappeared when I deleted them. I didn't mention that, sorry!
I scanned, there's nothing, everything is OK.

Thanks a lot once again...