windows xp 2012 virus


  • MyCity Military Forum Chaplain ~ Religious Service of the MyCity Forum
  • Joined: 12 Jan 2006
  • Posts: 513
  • Location: Where I live...

For the past couple of hours I've had a problem where a "2012 Windows XP Security" window keeps popping up non-stop with a supposed warning that my computer is infected.

The window appears every time I try to open any program or web browser, and I barely managed to open Firefox somehow to write this message. The browser won't let me open the Microsoft page; instead it sends me to some fake pages. Thanks

  • Joined: 26 Aug 2010
  • Posts: 10622
  • Location: Hypnos Control Room, Tokyo Metropolitan Government Building

Hello...

Follow the instructions at http://www.mycity.rs/Ambulanta/Kako-otvoriti-temu-u-Ambulanti.html
and post the required reports.

  • MyCity Military Forum Chaplain ~ Religious Service of the MyCity Forum
  • Joined: 12 Jan 2006
  • Posts: 513
  • Location: Where I live...

Thanks. I have a problem opening DDS and GMER, because it seems the virus blocks them and says that GMER and DDS are viruses!

  • Joined: 26 Aug 2010
  • Posts: 10622
  • Location: Hypnos Control Room, Tokyo Metropolitan Government Building

Rename DDS and GMER to iexplore.exe and firefox.exe and try again.

  • MyCity Military Forum Chaplain ~ Religious Service of the MyCity Forum
  • Joined: 12 Jan 2006
  • Posts: 513
  • Location: Where I live...

Posted: 11 Dec 2011 18:15

Thanks. DDS managed to open, GMER didn't.
DDS log:
.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.18702
Run by Balas at 12:14:08 on 2011-12-11
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2038.1173 [GMT -5:00]
.
AV: Norton Internet Security *Disabled/Outdated* {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton Internet Security *Disabled*
FW: AVG Firewall *Disabled*
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\SUPERAntiSpyware\SASCORE.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Motive\McciCMService.exe
C:\Program Files\Common Files\Motive\McciServiceHost.exe
C:\Program Files\Norton Internet Security\Engine\18.6.0.29\ccSvcHst.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\VIA\VIAudioi\HDADeck\HDeck.exe
C:\Program Files\AceGain\LiveUpdate\LiveUpdate.exe
C:\Program Files\ATT-SST\McciTrayApp.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\AceGain\LiveUpdate\aceagent.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Norton Internet Security\Engine\18.6.0.29\ccSvcHst.exe
C:\Program Files\McAfee Security Scan\2.0.181\SSScheduler.exe
C:\Program Files\OpenOffice.org 3\program\soffice.exe
C:\Program Files\OpenOffice.org 3\program\soffice.bin
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Java\Java Update\jucheck.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Common Files\Apple\Apple Application Support\distnoted.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\SyncServer.exe
C:\Documents and Settings\Balas\Local Settings\Application Data\lel.exe
C:\WINDOWS\System32\ping.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = *.local
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Symantec NCO BHO: {602adb0e-4aff-4217-8aa1-95dac4dfa408} - c:\program files\norton internet security\engine\18.6.0.29\coIEPlg.dll
BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\program files\norton internet security\engine\18.6.0.29\ips\IPSBHO.DLL
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Skype Browser Helper: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.7.7018.1622\swg.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: Yontoo Layers: {fd72061e-9fde-484d-a58a-0bab4151cad8} - c:\program files\yontoo layers runtime\YontooIEClient.dll
TB: Norton Toolbar: {7febefe3-6b19-4349-98d2-ffb09d4b49ca} - c:\program files\norton internet security\engine\18.6.0.29\coIEPlg.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [Weather] c:\program files\aws\weatherbug\Weather.exe 1
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [HDAudDeck] c:\program files\via\viaudioi\hdadeck\HDeck.exe 1
mRun: [AceGain LiveUpdate] c:\program files\acegain\liveupdate\LiveUpdate.exe
mRun: [ATT-SST_McciTrayApp] "c:\program files\att-sst\McciTrayApp.exe"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\AppleSyncNotifier.exe
mRun: [APSDaemon] "c:\program files\common files\apple\apple application support\APSDaemon.exe"
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRunOnce: [AvgUninstallURL] cmd.exe /c start http://www.avg.com/ww.special-uninstallation-feedb.....fe86171d4f
StartupFolder: c:\docume~1\balas\startm~1\programs\startup\openof~1.lnk - c:\program files\openoffice.org 3\program\quickstart.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\mcafee~1.lnk - c:\program files\mcafee security scan\2.0.181\SSScheduler.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
LSP: mswsock.dll
Trusted Zone: $talisma_url$
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1307377826593
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: DhcpNameServer = 192.168.7.254
TCP: Interfaces\{304DBD8A-F691-4A36-A849-BD80280C2C55} : DhcpNameServer = 192.168.7.254
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\balas\application data\mozilla\firefox\profiles\2hqklzjs.default\
FF - prefs.js: browser.search.selectedEngine - Bing
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - prefs.js: keyword.URL - hxxp://www.bing.com/search?pc=Z137&form=ZGAADF&install_date=20111015&q=
FF - prefs.js: network.proxy.type - 0
FF - plugin: c:\program files\adobe\reader 10.0\reader\air\nppdf32.dll
FF - plugin: c:\program files\common files\motive\npMotive.dll
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\update\1.3.21.79\npGoogleUpdate3.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\microsoft silverlight\4.0.60831.0\npctrlui.dll
.
---- FIREFOX POLICIES ----
FF - user.js: extentions.y2layers.installId - 83a1ff2d-1b1a-4075-a9df-3fb6ef81566e
FF - user.js: extentions.y2layers.defaultEnableAppsList - Buzzdock,BuzzdockTease,DropDownDeals,DropDownDeals,
.
============= SERVICES / DRIVERS ===============
.
R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\nis\1206000.01d\symds.sys [2011-10-15 340088]
R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\nis\1206000.01d\symefa.sys [2011-10-15 744568]
R1 BHDrvx86;BHDrvx86;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nis_18.5.0.125\definitions\bashdefs\20111114.002\BHDrvx86.sys [2011-11-14 819320]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2011-7-22 12880]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2011-7-12 67664]
R1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\nis\1206000.01d\ironx86.sys [2011-10-15 136312]
R2 !SASCORE;SAS Core Service;c:\program files\superantispyware\SASCore.exe [2011-8-11 116608]
R2 McciServiceHost;McciServiceHost;c:\program files\common files\motive\McciServiceHost.exe [2011-7-3 315392]
R2 NIS;Norton Internet Security;c:\program files\norton internet security\engine\18.6.0.29\ccsvchst.exe [2011-10-15 130008]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2011-11-9 106104]
R3 VIAHdAudAddService;VIA High Definition Audio Driver Service;c:\windows\system32\drivers\viahduaa.sys [2011-6-6 1390976]
S0 TfFsMon;TfFsMon;c:\windows\system32\drivers\tffsmon.sys --> c:\windows\system32\drivers\TfFsMon.sys [?]
S0 TfSysMon;TfSysMon;c:\windows\system32\drivers\tfsysmon.sys --> c:\windows\system32\drivers\TfSysMon.sys [?]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2011-7-5 136176]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2011-7-5 136176]
S3 IDSxpx86;IDSxpx86;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nis_18.5.0.125\definitions\ipsdefs\20111112.030\IDSXpx86.sys [2011-11-14 356280]
S3 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files\mcafee security scan\2.0.181\McCHSvc.exe [2010-1-15 227232]
S3 NAVENG;NAVENG;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nis_18.5.0.125\definitions\virusdefs\20111114.022\NAVENG.SYS [2011-11-14 86136]
S3 NAVEX15;NAVEX15;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nis_18.5.0.125\definitions\virusdefs\20111114.022\NAVEX15.SYS [2011-11-14 1576312]
S3 TfNetMon;TfNetMon;\??\c:\windows\system32\drivers\tfnetmon.sys --> c:\windows\system32\drivers\TfNetMon.sys [?]
S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [2004-8-4 14336]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
.
=============== File Associations ===============
.
.exe=VQ
.
=============== Created Last 30 ================
.
2011-12-11 16:28:24 291840 ----a-w- c:\documents and settings\balas\local settings\application data\lel.exe
2011-11-24 19:02:12 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin7.dll
2011-11-24 19:02:12 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin6.dll
2011-11-24 19:02:12 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin5.dll
2011-11-24 19:02:12 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin4.dll
2011-11-24 19:02:12 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin3.dll
2011-11-24 19:02:12 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin2.dll
2011-11-24 19:02:12 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin.dll
2011-11-24 18:58:59 -------- d-----w- c:\program files\iPod
.
==================== Find3M ====================
.
2011-11-15 02:20:21 139152 ----a-w- c:\windows\system32\drivers\PnkBstrK.sys
2011-11-15 02:20:14 111928 ----a-w- c:\windows\system32\PnkBstrB.exe
2011-11-15 01:56:57 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-10-27 22:49:39 66872 ----a-w- c:\windows\system32\PnkBstrA.exe
2011-10-24 19:29:02 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
2011-10-24 19:29:02 69632 ----a-w- c:\windows\system32\QuickTime.qts
2011-10-16 01:21:23 60872 ----a-w- c:\windows\system32\S32EVNT1.DLL
2011-10-16 01:21:23 126584 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2011-10-10 14:22:41 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-09-30 19:37:26 17280 ----a-w- c:\windows\system32\roboot.exe
2011-09-28 07:06:50 599040 ----a-w- c:\windows\system32\crypt32.dll
2011-09-26 15:41:20 611328 ----a-w- c:\windows\system32\uiautomationcore.dll
2011-09-26 15:41:20 220160 ----a-w- c:\windows\system32\oleacc.dll
2011-09-26 15:41:14 20480 ----a-w- c:\windows\system32\oleaccrc.dll
.
============= FINISH: 12:14:33.57 ===============

Update: 11 Dec 2011 18:21

I can't open RootRepeal either; a window pops up right away saying "XP Internet Security has blocked a program from accessing internet", etc...

Update: 11 Dec 2011 18:29

This is roughly what the warnings I'm getting look like:
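The DDS report posted above is what the helper works from, so here is an added example of how a first pass over such a report can be automated. This is my own Python script, not a tool from the thread or from the DDS author. It splits the report into its `=== ... ===` sections and flags four things visible in this log: security products listed as disabled, executables running from a user's Application Data folder, an `.exe` file association that no longer points at the default `exefile` handler (a hijacked handler sees every program launch, which is consistent with the rename-to-iexplore.exe advice earlier in the thread), and recently created executables in user data folders. The sample input is a constructed excerpt of the posted log; the section markers and line formats follow DDS's own output, and the expectation that the `.exe` handler reads `exefile` is the Windows XP default, not something the report itself states.

```python
import re
from typing import Dict, List, Tuple

# Constructed excerpt of the DDS report posted above (indicator-bearing lines only);
# the section markers and line layouts are DDS's own.
SAMPLE_DDS_LOG = r"""DDS (Ver_2011-08-26.01) - NTFSx86
AV: Norton Internet Security *Disabled/Outdated* {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton Internet Security *Disabled*
FW: AVG Firewall *Disabled*
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Balas\Local Settings\Application Data\lel.exe
.
=============== File Associations ===============
.
.exe=VQ
.
=============== Created Last 30 ================
.
2011-12-11 16:28:24 291840 ----a-w- c:\documents and settings\balas\local settings\application data\lel.exe
2011-11-24 19:02:12 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin7.dll
2011-11-24 18:58:59 -------- d-----w- c:\program files\iPod
.
============= FINISH: 12:14:33.57 ===============
"""

SECTION_RE = re.compile(r"^=+\s*(.+?)\s*=+$")
# A user profile's (Local Settings\)Application Data folder on Windows XP.
USER_DATA_RE = re.compile(
    r"documents and settings\\[^\\]+\\(?:local settings\\)?application data\\",
    re.IGNORECASE,
)
EXPECTED_EXE_HANDLER = "exefile"  # Windows XP default handler for the .exe association

Finding = Tuple[str, str]


def split_sections(text: str) -> Dict[str, List[str]]:
    """Group report lines by their '=== name ===' section; lines before the first
    marker go into 'header'. DDS's '.' spacer lines are dropped."""
    sections: Dict[str, List[str]] = {"header": []}
    current = "header"
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line == ".":
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1).lower()
            sections.setdefault(current, [])
            continue
        sections[current].append(line)
    return sections


def triage(text: str) -> List[Finding]:
    """Return (category, detail) pairs for the indicators worth a second look."""
    s = split_sections(text)
    findings: List[Finding] = []

    # 1. Security products the report header lists as disabled.
    for line in s["header"]:
        if line.startswith(("AV:", "FW:")) and "*Disabled" in line:
            findings.append(("security-disabled", line))

    # 2. Executables running out of a user's Application Data folder.
    for line in s.get("running processes", []):
        if line.lower().endswith(".exe") and USER_DATA_RE.search(line):
            findings.append(("process-in-user-data", line))

    # 3. The .exe handler: anything but 'exefile' means program launches are intercepted.
    for line in s.get("file associations", []):
        ext, _, handler = line.partition("=")
        if ext.lower() == ".exe" and handler.lower() != EXPECTED_EXE_HANDLER:
            findings.append(("exe-association", line))

    # 4. Recently created executables in user data folders
    #    (line format: date time size attributes path).
    for line in s.get("created last 30", []):
        parts = line.split(None, 4)
        if len(parts) == 5:
            path = parts[4]
            if path.lower().endswith(".exe") and USER_DATA_RE.search(path):
                findings.append(("created-exe-in-user-data", path))
    return findings


if __name__ == "__main__":
    for category, detail in triage(SAMPLE_DDS_LOG):
        print(f"{category:26} {detail}")
```

Run against the excerpt it reports three disabled products, `lel.exe` both as a running process and as a file created the same day, and the `.exe=VQ` association; the same four checks apply unchanged to a full DDS report.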



  • Joined: 26 Aug 2010
  • Posts: 10622
  • Location: Hypnos Control Room, Tokyo Metropolitan Government Building

While the case is being resolved, I would ask you to stick to the following:
  • Read my instructions (or the instructions of colleagues standing in for me) carefully and work strictly by them;
  • Do not seek help elsewhere at the same time;
  • Do not use other malware-removal programs apart from those you receive instructions for;
  • During the intervention do not use USB storage devices until I ask for it;
  • If I do not reply within 48h, bump the thread with a new post;
  • If you do not respond within 5 days, we will close the case.

For more information about the rules of the MyCity forum Ambulanta: LINK



Download sUBs' ComboFix from the following address to your Desktop:

Bleeping Computer
  • Right-click the link and choose Save Target As... (Save Link As..., Save Linked Content As... or similar);
  • When the dialog for choosing where to save the file opens, select Desktop and click Save.

Rename it to iexplore.exe.

When the download has finished:
  • disable your security software (instructions);
  • close running programs;
  • double-click to run ComboFix;
  • in the window that opens click "I Agree".

While running, ComboFix will:
  • check whether a newer version of the program exists: click Yes if it offers to download it;
  • if the Recovery Console is not installed, offer to install it: be sure to accept by clicking Yes and follow the procedure;
  • present a certain number of prompts/notifications: accept by clicking Yes or OK;
  • if necessary, restart Windows (several times);
  • at the end of its run, open Notepad with the scan report.

Copy the report ComboFix produced into the thread on the forum:
  • right-click in the Notepad window and choose Select All;
  • right-click the highlighted text and choose Copy;
  • right-click in the message box and choose Paste.

Note: The report will be saved under the name ComboFix.txt on the system partition (typical location: C:\ComboFix.txt);
If after posting you notice the report is not complete, use the Attach file option to attach the file C:\ComboFix.txt to your message.

  • MyCity Military Forum Chaplain ~ Religious Service of the MyCity Forum
  • Joined: 12 Jan 2006
  • Posts: 513
  • Location: Where I live...

Posted: 11 Dec 2011 22:25

Thanks.
I managed to run GMER and do only the first scan before the program shut down.
It won't let me post an attachment, so I'll copy the report here:
GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2011-12-11 16:19:57
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T0L0-5 ST3160815AS rev.4.AAB
Running: firefox.exe.exe; Driver: C:\DOCUME~1\Balas\LOCALS~1\Temp\kwaorpob.sys


---- System - GMER 1.0.15 ----

SSDT 8997D468 ZwAlertResumeThread
SSDT 8997AB20 ZwAlertThread
SSDT 899DC988 ZwAllocateVirtualMemory
SSDT 89A4E0D0 ZwAssignProcessToJobObject
SSDT 897DFC10 ZwConnectPort
SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwCreateKey [0xA8037710]
SSDT 89510280 ZwCreateMutant
SSDT 897C3BB8 ZwCreateSymbolicLinkObject
SSDT 89A616B0 ZwCreateThread
SSDT 899A40B0 ZwDebugActiveProcess
SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwDeleteKey [0xA8037990]
SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwDeleteValueKey [0xA8037EF0]
SSDT 89A20220 ZwDuplicateObject
SSDT 89A0A1C0 ZwFreeVirtualMemory
SSDT 8997F6F0 ZwImpersonateAnonymousToken
SSDT 8997F0C8 ZwImpersonateThread
SSDT 89695090 ZwLoadDriver
SSDT 89A5C390 ZwMapViewOfSection
SSDT 8998F0D0 ZwOpenEvent
SSDT 899A0D00 ZwOpenProcess
SSDT 8994E7B0 ZwOpenProcessToken
SSDT 899B0780 ZwOpenSection
SSDT 89A565E0 ZwOpenThread
SSDT 894FD1A8 ZwProtectVirtualMemory
SSDT 8996BBE0 ZwResumeThread
SSDT 89953E68 ZwSetContextThread
SSDT 89DE95F0 ZwSetInformationProcess
SSDT 89A4E098 ZwSetSystemInformation
SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwSetValueKey [0xA8038140]
SSDT 8998B950 ZwSuspendProcess
SSDT 8996B198 ZwSuspendThread
SSDT \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS (SASKUTIL.SYS/SUPERAdBlocker.com and SUPERAntiSpyware.com) ZwTerminateProcess [0xA7F9B640]
SSDT 89960268 ZwTerminateThread
SSDT 89950CB0 ZwUnmapViewOfSection
SSDT 899FC8B8 ZwWriteVirtualMemory

---- Kernel code sections - GMER 1.0.15 ----

? SYMDS.SYS The system cannot find the file specified. !
? SYMEFA.SYS The system cannot find the file specified. !
.text mrxsmb.sys A7BB2000 32 Bytes JMP A7BB2C0D \SystemRoot\system32\DRIVERS\mrxsmb.sys (Windows NT SMB Minirdr/Microsoft Corporation)
.text mrxsmb.sys A7BB2021 18 Bytes [6A, 04, 5B, 39, 1D, 44, 01, ...]
.text mrxsmb.sys A7BB2034 99 Bytes [00, 90, 90, 90, 90, 90, 8B, ...]
.text mrxsmb.sys A7BB2099 24 Bytes [90, 64, 3A, 5C, 6E, 74, 5C, ...]
.text mrxsmb.sys A7BB20B2 86 Bytes [5C, 73, 6D, 62, 2E, 6D, 72, ...]
.text ...
? C:\WINDOWS\system32\DRIVERS\mrxsmb.sys suspicious PE modification

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\Mozilla Firefox\firefox.exe[292] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 02DE000A
.text C:\Program Files\Mozilla Firefox\firefox.exe[292] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 02DF000A
.text C:\Program Files\Mozilla Firefox\firefox.exe[292] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 02DD000C
.text C:\WINDOWS\System32\svchost.exe[1080] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 0182000A
.text C:\WINDOWS\System32\svchost.exe[1080] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 0183000A
.text C:\WINDOWS\System32\svchost.exe[1080] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 0181000C
.text C:\Program Files\Mozilla Firefox\plugin-container.exe[3956] USER32.dll!SetWindowLongA 7E42C29D 5 Bytes JMP 106AC350 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text C:\Program Files\Mozilla Firefox\plugin-container.exe[3956] USER32.dll!SetWindowLongW 7E42C2BB 5 Bytes JMP 106AC2E2 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text C:\Program Files\Mozilla Firefox\plugin-container.exe[3956] USER32.dll!GetWindowInfo 7E42C49C 5 Bytes JMP 1045E363 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text C:\Program Files\Mozilla Firefox\plugin-container.exe[3956] USER32.dll!TrackPopupMenu 7E46531E 5 Bytes JMP 1045E91C C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\Tcpip \Device\Ip SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Tcp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Udp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\RawIp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)

---- Modules - GMER 1.0.15 ----

Module (noname) (*** hidden *** ) A7EB0000-A7EC6000 (90112 bytes)

---- Files - GMER 1.0.15 ----

File C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\75UMBU51\InternetGatewayDevice[1].xml 4460 bytes
File C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\8HWBYFG8\WFADevice[1].xml 1000 bytes
File C:\WINDOWS\$NtUninstallKB19512$\348042483 0 bytes
File C:\WINDOWS\$NtUninstallKB19512$\3676673821 0 bytes
File C:\WINDOWS\$NtUninstallKB19512$\3676673821\@ 2048 bytes
File C:\WINDOWS\$NtUninstallKB19512$\3676673821\bckfg.tmp 851 bytes
File C:\WINDOWS\$NtUninstallKB19512$\3676673821\cfg.ini 199 bytes
File C:\WINDOWS\$NtUninstallKB19512$\3676673821\Desktop.ini 4608 bytes
File C:\WINDOWS\$NtUninstallKB19512$\3676673821\keywords 257 bytes
File C:\WINDOWS\$NtUninstallKB19512$\3676673821\kwrd.dll 223744 bytes
File C:\WINDOWS\$NtUninstallKB19512$\3676673821\L 0 bytes
File C:\WINDOWS\$NtUninstallKB19512$\3676673821\L\enntorkd 456320 bytes
File C:\WINDOWS\$NtUninstallKB19512$\3676673821\lsflt7.ver 5176 bytes
File C:\WINDOWS\$NtUninstallKB19512$\3676673821\U 0 bytes
File C:\WINDOWS\$NtUninstallKB19512$\3676673821\U\00000001.@ 2048 bytes
File C:\WINDOWS\$NtUninstallKB19512$\3676673821\U\00000002.@ 224768 bytes
File C:\WINDOWS\$NtUninstallKB19512$\3676673821\U\00000004.@ 1024 bytes
File C:\WINDOWS\$NtUninstallKB19512$\3676673821\U\80000000.@ 1024 bytes
File C:\WINDOWS\$NtUninstallKB19512$\3676673821\U\80000004.@ 12800 bytes
File C:\WINDOWS\$NtUninstallKB19512$\3676673821\U\80000032.@ 98304 bytes

---- EOF - GMER 1.0.15 ----

Update: 11 Dec 2011 22:39

When I try to download ComboFix, it won't let me save it. After about 30 attempts I managed to save it to the desktop and rename it, but it won't let me open it.
I only managed to run GMER after scanning with SUPERAntiSpyware and restarting. For the first few minutes after the restart everything works normally, then it starts to hang again. So I'll try ComboFix again that way, and a second and third GMER scan.

  • Joined: 26 Aug 2010
  • Posts: 10622
  • Location: Hypnos Control Room, Tokyo Metropolitan Government Building

Attach the SUPERAntiSpyware report to your message; I don't recall telling you to use it.
Open SUPERAntiSpyware -> View scan logs and attach the log of the last scan (don't copy it into the message, use the attach file option instead).

Run only ComboFix; we don't need GMER at the moment.

  • MyCity Military Forum Chaplain ~ Religious Service of the MyCity Forum
  • Joined: 12 Jan 2006
  • Posts: 513
  • Location: Where I live...

Posted: 11 Dec 2011 23:13

I know you didn't tell me to use it, but that was the only way to run ComboFix. The virus simply won't let me open anything. It only works for the first few seconds after a restart, and after SUPERAntiSpyware. My apologies.

ComboFix tries to do something, although it isn't visible unless I click on it. Then a black window with green letters appears (a lot of "extract" lines), then for a second a blue window opens saying "please stand by. combofix is preparing to run". But after that nothing happens.

Update: 11 Dec 2011 23:28

Found this: rootkit.zeroaccess, it said to restart

  • Joined: 26 Aug 2010
  • Posts: 10622
  • Location: Hypnos Control Room, Tokyo Metropolitan Government Building

Restart.
