About the trojan:
Please read everything written here carefully and don't blame me if something goes wrong. It looks like this Trojan is a real pain in the a**...
Also visit this link:
http://www.scanspyware.net/info/Krepper-G.htm
where there is some program that supposedly removes the trojan.
There are several variants of Krepper: X, U, T, G, O, A and L.
By the way, one of the descriptions is: "A hacker tool that is secretly installed on your PC and that allows the attacker to get almost complete control over your computer."
Here is what I gathered about this trojan:
IN MY OPINION THIS IS THE SAFEST WAY TO REMOVE IT:
*****************************
Manual Removal:
1. Kill these running processes with Task Manager:
systemroot+\system\matrixhere.exe
systemroot+\system\sysstartup.exe
systemroot+\system32\matrixhere.exe
systemroot+\system32\sysstartup.exe
trojan.win32.krepper.a.exe
trojan.win32.krepper.a_(120).exe
2. Go to the key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run.
If you find the value HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run\jopa, delete it and reboot the machine immediately.
If you find the value HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run\romahere, delete it and reboot the machine immediately.
If you find the value HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\jopa, delete it and reboot the machine immediately.
If you find the value HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\romahere, delete it and reboot the machine immediately.
3. Unregister these DLLs with Regsvr32, then reboot:
trojan.win32.krepper.o.dll
trojan.win32.krepper.p.dll
trojan.win32.krepper.p_(10).dll
4. Remove these registry items (if present) with RegEdit:
HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run\jopa
HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run\romahere
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\jopa
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\romahere
5. Remove these files (if present) with Windows Explorer:
systemroot+\system\matrixhere.exe
systemroot+\system\sysstartup.exe
systemroot+\system32\matrixhere.exe
systemroot+\system32\sysstartup.exe
trojan.win32.krepper.a.exe
trojan.win32.krepper.a_(120).exe
trojan.win32.krepper.o.dll
trojan.win32.krepper.p.dll
trojan.win32.krepper.p_(10).dll
****************************
There is more information in other places:
**************
This Trojan program is a Windows PE EXE file approximately 24KB in size, packed using PEC. The unpacked file is approximately 78KB in size.
During the installation process, the Trojan creates a folder called 'inetdim' in the Windows root directory, and copies itself to this folder as 'services.exe'.
The Trojan then registers itself in the system registry:
[HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
"xp_system" = "%WinDir%\inetdim\services.exe"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"xp_system" = "%WinDir%\inetdim\services.exe"
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows
"run" = "%WinDir%\inetdim\services.exe"
This ensures that a copy of the Trojan will be launched each time the victim machine is rebooted.
The Trojan also creates the following values in the system registry:
[HKCU\Software\Microsoft\Internet Explorer\Main]
Enable Browser Extensions = "yes"
[HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\(5321E378-FFAD-4999-8C62-03CA8155F0B3)]
[HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains]
The Trojan is capable of downloading and launching files from the Internet on the victim machine. It also downloads a program from the AdvWare class to the victim machine; this program then directs the Internet browser on the victim machine to a portal where other types of AdvWare and other versions of the Trojan will be downloaded to the infected system.
******
And there is also this information from yet another place:
*********************
winlogon.exe - Here is the scoop on Krepper-G Trojan. The big question: what is winlogon.exe and is it spyware, a trojan and if so, how do I get rid of Krepper-G Trojan?
winlogon.exe (Krepper-G Trojan) - Details
If a process named winlogon.exe is running on your computer, you have been infected with a strain of the Krepper-G trojan.
winlogon.exe is considered to be a security risk, not only because antivirus programs flag Krepper-G Trojan as a trojan, but also because other sites consider it a Trojan as well.
Krepper-G Trojan is likely a Trojan and as such, presents a serious vulnerability which should be fixed immediately! Delaying the removal of winlogon.exe may cause serious harm to your system and will likely cause a number of problems, loss of data, loss of control or leaking private information.
You should visit our free spyware removal page to make sure your system does not have other programs like winlogon.exe.
WINLOGON.EXE - Disclaimer
Every attempt has been made to provide you with the correct information for winlogon.exe or KREPPER-G TROJAN. If we missed the mark, we would greatly appreciate your help by dropping us a comment and we'll promptly correct it.
**************
********** ONE MORE SUGGESTION FOR REMOVAL
Manual Detection & Removal
of Krepper-G
It is recommended to take a backup of Registry before following manual instructions. The best solution for taking backup is creating a System Restore Point before following the instructions below. Please note that ScanSpyware uses certain other rules for detection and removal of spyware from your PC, which results in 100% accuracy in removal process. Only use the below given information for spyware removal if you are sure about what you are doing.
1. Delete the following directories:
INETDATA
Services
2. Delete the following files:
SERVICES.EXE
Winlogon.exe
3. Delete the following registry keys:
{5321E378-FFAD-4999-8C62-03CA8155F0B3}
{5321E378-FFAD-4999-8C62-03CA8155F0B3}
{5321E378-FFAD-4999-8C62-03CA8155F0B3}
4. Delete the following registry values:
XP_System
XP_System
***********
Let me know what you did...
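The removal steps collected above are a list of indicators: Run values (jopa, romahere, xp_system), dropped files (matrixhere.exe, sysstartup.exe, %WinDir%\inetdim\services.exe) and a Browser Helper Object CLSID. The script below is an added example, not from the post or from any of the quoted sites, that audits a machine for exactly those indicators before anything is deleted; it is read-only and reports what it finds. The function name Find-KrepperIndicators and the variable names are my own; the value names, paths and CLSID are taken from the post. Running processes are matched by full image path rather than by name, because services.exe and winlogon.exe are also names of legitimate Windows components, so a name match alone proves nothing.

```powershell
# Added example: read-only audit for the Krepper persistence indicators listed
# in the post. Nothing is killed or deleted; findings are returned as objects.
# Assumption: indicator names come from the post; the function and variable
# names below are this example's own.

$runKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
)
$runValueNames = @('jopa', 'romahere', 'xp_system')     # Run value names from the post

$systemRoot = $env:SystemRoot
$filePaths = @(                                          # dropped files from the post
    "$systemRoot\system\matrixhere.exe",
    "$systemRoot\system\sysstartup.exe",
    "$systemRoot\system32\matrixhere.exe",
    "$systemRoot\system32\sysstartup.exe",
    "$systemRoot\inetdim\services.exe"
)
$bhoKey = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5321E378-FFAD-4999-8C62-03CA8155F0B3}'
$winNtRunKey = 'HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Windows'

function Find-KrepperIndicators {
    $hits = @()

    # 1. Run values in HKLM and HKCU (steps 2 and 4 of the manual removal)
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($name in $runValueNames) {
            $prop = $props.PSObject.Properties[$name]
            if ($prop) {
                $hits += [pscustomobject]@{ Type = 'RunValue'; Location = "$key\$name"; Detail = $prop.Value }
            }
        }
    }

    # 2. Legacy "run" value under Windows NT\CurrentVersion\Windows pointing at the dropped copy
    if (Test-Path $winNtRunKey) {
        $legacyRun = (Get-ItemProperty -Path $winNtRunKey).run
        if ($legacyRun -and $legacyRun -match 'inetdim\\services\.exe') {
            $hits += [pscustomobject]@{ Type = 'RunValue'; Location = "$winNtRunKey\run"; Detail = $legacyRun }
        }
    }

    # 3. Browser Helper Object CLSID registered by the trojan
    if (Test-Path $bhoKey) {
        $hits += [pscustomobject]@{ Type = 'BHO'; Location = $bhoKey; Detail = 'CLSID from the post is registered' }
    }

    # 4. Dropped files on disk
    foreach ($path in $filePaths) {
        if (Test-Path -LiteralPath $path) {
            $size = (Get-Item -LiteralPath $path).Length
            $hits += [pscustomobject]@{ Type = 'File'; Location = $path; Detail = "$size bytes" }
        }
    }

    # 5. Running processes, matched by full image path (not by name: services.exe
    #    and winlogon.exe are also legitimate Windows processes)
    foreach ($proc in Get-Process -ErrorAction SilentlyContinue) {
        try { $imagePath = $proc.Path } catch { continue }   # protected processes deny access
        if ($imagePath -and ($filePaths -contains $imagePath)) {
            $hits += [pscustomobject]@{ Type = 'Process'; Location = $imagePath; Detail = "PID $($proc.Id)" }
        }
    }

    return $hits
}

$findings = @(Find-KrepperIndicators)
if ($findings.Count -eq 0) {
    Write-Output 'None of the Krepper indicators from the post were found.'
} else {
    $findings | Format-Table -AutoSize
}
```

Run it from an elevated PowerShell prompt so the HKLM keys and system32 are readable; the output is the list of indicators present, which is what you want in hand before following the kill/delete steps above, and again afterwards to confirm they are gone after the reboot.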