Kaspersky vanished

offline
  • Joined: 09 Dec 2009
  • Posts: 2

I downloaded the file ExtremePDF2Word from rapidshare, I don't know exactly which version now, and during installation Kaspersky recommended that I not install it; however, it didn't delete it, it just didn't allow the install. These things had happened to me before, so I paused it until I installed the program, and then went to resume. KIS did not report any error, and then I launched that program, and as soon as the program started the problems began. KIS started throwing out all sorts of warnings that it had detected problems, and the program simply crashed with a Windows message about it. KIS started doing some "scan" (afterwards, when the computer restarts) which locked up the system, so I had to turn it off with the button. After turning it back on, after typing the Windows logon password I get a blue screen, without desktop, start menu... nothing, with messages that the problem is in the curslib.dll file. Sometimes I can launch Mozilla (by clicking a link in the crash report) and there I googled that that file is located in such-and-such a place and goes together with the flags.ini, uses32.dat and wincert.dll files from the system, all of which I found but cannot delete. In safe mode I can delete them, but on a normal start they are there again, with the same problems.

The most interesting thing of all to me is that both in safe mode and in a normal Windows start the folder where Kaspersky is installed is now empty! Actually the folder structure is intact (at least it seems so to me) but there isn't a single file, i.e. the root folder is 0 B.

All navigation and browsing of files and folders I do from Firefox instead of Explorer (by going to Save as... and then browsing through the folder structure and launching files that way). And so I get to the part where I need to run that DDS, I run it and... nothing happens, nor do any files open. When I work with GMER the way it is described I can only create the Gmer3 file, and for Gmer2 it just reports something like: No changes to the system, and an empty log file.

offline
  • diarno  Male
  • Anti Malware Fighter
    Rank 2
  • Joined: 15 Jun 2007
  • Posts: 5572

Who knows what was bundled in that program.

Do the following:

Download the installer for Malwarebytes Anti-Malware from the following link:
http://www.besttechie.net/tools/mbam-setup.exe

Double-click to start the installation - at the very end of the process, check that the following options are ticked:
Update Malwarebytes' Anti-Malware;
Launch Malwarebytes Anti-Malware;

and then click Finish.

After the update completes the program will start.

Select the option Perform Quick Scan and click Scan.

When the process finishes click OK, then Show Results: in the list of detected malware, tick all items and click Remove Selected.

When the process finishes, the logfile will open in Notepad; paste it into the forum thread.
If the program asks for a restart to complete the cleaning process, be sure to allow it.

Note: if a restart happens at the end of the cleaning process, the logfile will be available on the Logs tab (select it and click Open).

Download Dr.Web CureIt (~13 MB).
Restart the computer in Safe Mode (instructions for Safe Mode)

Double-click launch.exe, after which the intro window will appear - click Start

A notification about the start of the initial scan will appear - click OK

Wait a few minutes for Dr.Web CureIt to perform the Express Scan; if malware is found, click the Yes to All button in the window that appears to allow the program to disinfect

Click Options > Change settings F9; in the window that opens, untick the option Heuristic Analysis and then click OK

In the main window select the option Complete scan and then click, and Dr.Web CureIt will start scanning

If malware is found, click the Yes to All button in the window that appears to allow the program to disinfect

When the scan is finished, click the Select all button (if available), then click Cure and,
in the menu that opens, click Move incurable:

When the process finishes, click File > Save report list and save the log on the Desktop

Paste the contents of the Dr.Web CureIt log into the forum thread.

But the mysterious disappearance of Explorer, cmd (needed for DDS to work) and Kaspersky is still unclear to me.

offline
  • Joined: 09 Dec 2009
  • Posts: 2

Posted: 09 Dec 2009 18:57

OK, I'll do this tomorrow because this happened to me on the computer at work, which btw has a licensed Windows and is on a domain network, but I'm not logged on to the domain. I'm saying this because something similar happened to a friend, and the server forbade booting the system on the domain account until he deleted the program in safe mode.

As for Explorer and cmd, I'm not quite sure they're gone either. Their exe files are still located (as far as I remember) in the system, only when I launch them Windows reports that the above-mentioned file curslib.dll is causing them a problem and the process disappears from Task Manager. With DDS it's similar: a cmd window pops up with something written in it, then an error report after which cmd closes. The same happens when I try to open a rar (to unpack GMER) or any other program.

I forgot to mention that two new folders, A and B, which are empty, have appeared in the root folder of C:, and it seems to me they weren't there before.

Update: 10 Dec 2009 13:24

So here's the thing: I did the first item as you described and I'm pasting the log file because I can't add it as an attachment.

Malwarebytes' Anti-Malware 1.42
Database version: 3337
Windows 6.0.6001 Service Pack 1 (Safe Mode)
Internet Explorer 8.0.6001.18702

10.12.2009 9:11:13
mbam-log-2009-12-10 (09-11-13).txt

Scan type: Quick Scan
Objects scanned: 102378
Time elapsed: 3 minute(s), 23 second(s)

Memory Processes Infected: 1
Memory Modules Infected: 0
Registry Keys Infected: 9
Registry Values Infected: 24
Registry Data Items Infected: 3
Folders Infected: 0
Files Infected: 21

Memory Processes Infected:
C:\Windows\System32\DB32.tmp (Trojan.Downloader) -> Unloaded process successfully.

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\btwsrv (Trojan.Koblu) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\unpr (Rootkit.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avp.exe (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.Exe (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\fastnetsrv (Backdoor.Refpron) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\reader_s.exe (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\AGprotect (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cmd.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\tcpsr (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\userini (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\userini (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\userini (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\userini (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\zrtxjs (Spyware.OnlineGames) -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\zrtxjs (Spyware.OnlineGames) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\AppCertDlls\appsecdll (Spyware.Passwords) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\reader_s (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\buildw (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\firstinstallflag (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\guid (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\i (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\uid (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\ulrn (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\update (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\updatenew (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\exec (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\mbt (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\udfa (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\mfa (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\load (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\run (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\load (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\run (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Spyware.Passwords) -> Data: c:\windows\system32\curslib.dll -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Spyware.Passwords) -> Data: system32\curslib.dll -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL\CheckedValue (Hijack.System.Hidden) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Windows\System32\DB32.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Windows\System32\userini.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\$Recycle.Bin\S-1-5-21-1009166996-2260411101-956433986-1005\$RJJ5L1V.dll (Spyware.Passwords) -> Quarantined and deleted successfully.
C:\Windows\System32\4677,958.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Windows\System32\5FAE.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Windows\System32\A5C1.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Windows\System32\BtwSrv.dll (Trojan.Koblu) -> Quarantined and deleted successfully.
C:\Windows\System32\curslib.dll (Spyware.Passwords) -> Quarantined and deleted successfully.
C:\Windows\System32\lsm32.sys (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\Windows\System32\wincert.dll (Spyware.Passwords) -> Quarantined and deleted successfully.
C:\Windows\System32\drivers\unpr.sys (Rootkit.Agent) -> Quarantined and deleted successfully.
C:\Windows\Temp\msncuxqg.dll (Spyware.OnlineGames) -> Quarantined and deleted successfully.
C:\Windows\Temp\VRT11CC.tmp (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\Windows\Temp\VRT649B.tmp (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\Windows\System32\wmdtc.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Windows\System32\FInstall.sys (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\Windows\System32\reader_s.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Windows\System32\opeia.exe (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\Windows\System32\FastNetSrv.exe (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\Windows\System32\flags.ini (Malware.Trace) -> Quarantined and deleted successfully.
C:\Windows\System32\uses32.dat (Malware.Trace) -> Quarantined and deleted successfully.

However, with Dr.Web, after the second scan (heuristics unticked) which took 4 hours, when I went to the select all option, the Cure option (labelled differently in Serbian) was disabled, and when I went to save the report the screen went blue and the computer shut down, so I don't have that report. I tried to do a system restore but I don't have a single restore point.

offline
  • diarno  Male
  • Anti Malware Fighter
    Rank 2
  • Joined: 15 Jun 2007
  • Posts: 5572

Unfortunately there's no saving it.

It has to be formatted. You caught a virus that infects executable files (in your case also a rootkit and some other kinds of malware)... The virus both infected the files and blocked the execution, i.e. launching, of Kaspersky and some essential system tools (registry editor, command prompt etc.)

You have to do the following:

1. Format the system partition
2. Immediately install the antivirus (the same one you had, since it detects it, i.e. has its signature in its database) and run a full system scan;

Important thing... After the system boots, don't go into the other partitions... don't run any programs from the other partitions at all... until you scan the whole computer with the AV program...
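Added example, not part of this thread and not something either poster ran: a read-only PowerShell audit of the three registry locations the Malwarebytes log above shows were abused. The IFEO "Debugger" entries for avp.exe, cmd.exe and regedit.exe explain why Kaspersky and the command prompt appeared to vanish, AppInit_DLLs explains why curslib.dll was injected into every program, and SHOWALL\CheckedValue explains why the dropped files were hidden. It assumes an elevated PowerShell session on a Windows host; the key paths are the ones in the log.

```powershell
# Constructed example: enumerate the persistence/sabotage locations seen in the
# MBAM log. Read-only; it reports, it does not change anything.
$findings = @()

# 1. Image File Execution Options: a "Debugger" value under IFEO\<exe> makes
#    Windows launch that path instead of the program, which is how avp.exe,
#    cmd.exe and regedit.exe were silenced in this thread.
$ifeo = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
Get-ChildItem $ifeo -ErrorAction SilentlyContinue | ForEach-Object {
    $dbg = (Get-ItemProperty $_.PSPath -ErrorAction SilentlyContinue).Debugger
    if ($dbg) {
        $findings += [pscustomobject]@{
            Location = "IFEO\$($_.PSChildName)"; Value = $dbg
            Note     = 'Debugger redirect (hijack unless it is a debugger you installed)'
        }
    }
}

# 2. AppInit_DLLs: every DLL listed here is loaded into each process that links
#    user32.dll, which is what curslib.dll did. A non-empty value is suspicious.
$winNT = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows'
$p = Get-ItemProperty $winNT -ErrorAction SilentlyContinue
if ($p -and $p.AppInit_DLLs) {
    $findings += [pscustomobject]@{
        Location = 'AppInit_DLLs'; Value = $p.AppInit_DLLs
        Note     = "LoadAppInit_DLLs=$($p.LoadAppInit_DLLs)"
    }
}

# 3. Explorer "show hidden files" policy: the log shows CheckedValue flipped
#    from 1 to 0 so the dropped files stayed invisible (Hijack.System.Hidden).
$showall = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL'
$cv = (Get-ItemProperty $showall -ErrorAction SilentlyContinue).CheckedValue
if ($null -ne $cv -and $cv -ne 1) {
    $findings += [pscustomobject]@{ Location = 'SHOWALL\CheckedValue'; Value = $cv; Note = 'expected 1' }
}

if ($findings) { $findings | Format-Table -AutoSize }
else { 'No IFEO / AppInit_DLLs / SHOWALL anomalies found.' }
```

A hit on any of these is a reason to treat the host exactly as the reply above does: rebuild rather than clean, since the same malware also patched executables and installed a rootkit driver.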
