Rustock trojan

offline
  • Joined: 16 Mar 2010
  • Posts: 481
  • Location: ...under the starry arm...

I have a problem with a virus called Rustock trojan. When I scan the computer with the Nod32 antivirus it cannot clean it and outputs the following message: "Operating memory - Win32/Rustock trojan - unable to clean".

Thanks in advance if anyone can help me get rid of it... [smile]



offline
  • Joined: 02 Feb 2008
  • Posts: 14018
  • Location: Nish

Hello.

Follow the Instructions for opening a topic (post the required logs):

-> [Link visible only to logged-in users]



offline
  • Joined: 16 Mar 2010
  • Posts: 481
  • Location: ...under the starry arm...

Posted: 26 Jun 2010 16:20

Sorry for the oversight [embarrassed]

Here is the DDS part:



DDS (Ver_10-03-17.01) - NTFSx86
Run by Maja Jokic at 15:59:26,67 on sub 26.06.2010
Internet Explorer: 6.0.2900.5512 BrowserJavaVersion: 1.6.0_17
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.422 [GMT 2:00]

AV: ESET NOD32 Antivirus 4.0 *On-access scanning enabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\DivX\DivX Update\DivXUpdate.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\IObit\Advanced SystemCare 3\AWC.exe
C:\Program Files\DAEMON Tools Lite\DTLite.exe
C:\Program Files\uTorrent\uTorrent.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\OpenOffice.org 1.9.79\program\soffice.exe
C:\Program Files\OpenOffice.org 1.9.79\program\soffice.BIN
C:\Program Files\Raxco\PerfectDisk10\PDAgent.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\Documents and Settings\Maja Jokic\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Maja Jokic\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Maja Jokic\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Maja Jokic\My Documents\Downloads\dds.scr

============== Pseudo HJT Report ===============

uStart Page = [Link visible only to logged-in users]
uSearch Page = [Link visible only to logged-in users]
uSearch Bar = [Link visible only to logged-in users]
uInternet Connection Wizard,ShellNext = [Link visible only to logged-in users]
mSearchAssistant = [Link visible only to logged-in users]
uURLSearchHooks: Winamp Search Class: {57bca5fa-5dbb-45a2-b558-1755c3f6253b} - c:\program files\winamp toolbar\winamptb.dll
mURLSearchHooks: Winamp Search Class: {57bca5fa-5dbb-45a2-b558-1755c3f6253b} - c:\program files\winamp toolbar\winamptb.dll
mWinlogon: Taskman=c:\documents and settings\maja jokic\application data\yftza.exe
uWinlogon: Shell=c:\documents and settings\maja jokic\application data\yftza.exe,explorer.exe,c:\documents and settings\maja jokic\application data\mrpky.exe
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: Winamp Toolbar Loader: {25cee8ec-5730-41bc-8b58-22ddc8ab8c20} - c:\program files\winamp toolbar\winamptb.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\ie\rpbrowserrecordplugin.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.2.4204.1700\swg.dll
BHO: QUICKfind BHO Object: {c08df07a-3e49-4e25-9ab0-d3882835f153} - c:\progra~1\textware\quickf~1\plugins\IEHelp.dll
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_B7C5AC242193BB3E.dll
BHO: Ask Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Winamp Toolbar: {ebf2ba02-9094-4c5a-858b-bb198f3d8de2} - c:\program files\winamp toolbar\winamptb.dll
TB: Ask Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: {21FA44EF-376D-4D53-9B0F-8A89D3229068} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Advanced SystemCare 3] "c:\program files\iobit\advanced systemcare 3\AWC.exe" /startup
uRun: [Google Update] "c:\documents and settings\maja jokic\local settings\application data\google\update\GoogleUpdate.exe" /c
uRun: [DAEMON Tools Lite] "c:\program files\daemon tools lite\DTLite.exe" -autorun
uRun: [uTorrent] "c:\program files\utorrent\uTorrent.exe"
uRun: [STYLEXP] c:\program files\tgtsoft\stylexp\StyleXP.exe -Hide
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRunOnce: [SpybotDeletingB5137] command.com /c del "c:\windows\system32\drivers\str.sys"
uRunOnce: [SpybotDeletingD785] cmd.exe /c del "c:\windows\system32\drivers\str.sys"
mRun: [SkyTel] SkyTel.EXE
mRun: [RemoteControl] "c:\program files\cyberlink\powerdvd\PDVDServ.exe"
mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe
mRun: [StartCCC] "c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe" MSRun
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [WinampAgent] "c:\program files\winamp\winampa.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [DivXUpdate] "c:\program files\divx\divx update\DivXUpdate.exe" /CHECKNOW
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [egui] "c:\program files\eset\eset nod32 antivirus\egui.exe" /hide /waitservice
mRunOnce: [SpybotDeletingA33] command.com /c del "c:\windows\system32\drivers\str.sys"
mRunOnce: [SpybotDeletingC9530] cmd.exe /c del "c:\windows\system32\drivers\str.sys"
StartupFolder: c:\docume~1\majajo~1\startm~1\programs\startup\openof~1.lnk - c:\program files\openoffice.org 1.9.79\program\quickstart.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
IE: &Winamp Search - c:\documents and settings\all users\application data\winamp toolbar\ietoolbar\resources\en-us\local\search.html
IE: {d9288080-1baa-4bc4-9cf8-a92d743db949} - c:\documents and settings\maja jokic\start menu\programs\imvu\Run IMVU.lnk
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - [Link visible only to logged-in users]
DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - [Link visible only to logged-in users]
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - [Link visible only to logged-in users]
Notify: AtiExtEvent - Ati2evxx.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\majajo~1\applic~1\mozilla\firefox\profiles\hucfmymg.default\
FF - prefs.js: browser.search.defaulturl - [Link visible only to logged-in users]
FF - prefs.js: browser.search.selectedEngine - Winamp Search
FF - prefs.js: keyword.URL - [Link visible only to logged-in users]
FF - component: c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\firefox\ext\components\nprpffbrowserrecordext.dll
FF - component: c:\documents and settings\maja jokic\application data\mozilla\firefox\profiles\hucfmymg.default\extensions\{0b38152b-1b20-484d-a11f-5e04a9b0661f}\components\WinampTBPlayer.dll
FF - plugin: c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\mozillaplugins\nprphtml5videoshim.dll
FF - plugin: c:\documents and settings\maja jokic\local settings\application data\google\update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\divx\divx plus web player\npdivx32.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R1 ehdrv;ehdrv;c:\windows\system32\drivers\ehdrv.sys [2009-5-14 107256]
R1 epfwtdir;epfwtdir;c:\windows\system32\drivers\epfwtdir.sys [2009-5-14 94360]
R2 ekrn;ESET Service;c:\program files\eset\eset nod32 antivirus\ekrn.exe [2009-5-14 731840]
R3 seehcri;Sony Ericsson seehcri Device Driver;c:\windows\system32\drivers\seehcri.sys [2010-2-10 27632]
S2 bsoyaepdou;Crystal Report Application Server;c:\windows\system32\lupoow.exe --> c:\windows\system32\lupoow.exe [?]
S2 clrgi;\??\C;c:\docume~1\majajo~1\locals~1\temp\mteqdszrb.sys []
S2 svyubrwrkzfylu;\??\c:\docume~;\??\c:\docume~1\majajo~1\locals~1\temp\zxltcijpg.sys --> c:\docume~1\majajo~1\locals~1\temp\zxltcijpg.sys [?]
S3 ggflt;SEMC USB Flash Driver Filter;c:\windows\system32\drivers\ggflt.sys [2010-2-10 13224]

=============== Created Last 30 ================

2010-06-26 12:05:43 0 d-----w- c:\program files\Spybot - Search & Destroy
2010-06-26 12:05:43 0 d-----w- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2010-06-26 11:26:46 0 d-----w- c:\program files\Enigma Software Group
2010-06-26 11:24:14 0 d-----w- c:\windows\4FC9DA9DF608454E8191D7EFFDCC5726.TMP
2010-06-25 16:20:50 0 d-----w- c:\program files\ESET
2010-06-25 15:10:49 102562 ----a-w- c:\windows\system32\msvcrt2.dll
2010-06-25 15:10:40 132096 --sh--r- c:\docume~1\majajo~1\applic~1\yftza.exe
2010-06-25 09:58:30 0 d-----w- c:\program files\Hotel Dash - Suite Success
2010-06-23 16:43:57 45 ----a-w- C:\TEST.XML
2010-06-23 11:36:36 0 d-----w- c:\docume~1\majajo~1\applic~1\My Games
2010-06-23 11:19:45 0 d-----w- c:\program files\Posh Boutique
2010-06-23 11:14:05 0 d-----w- c:\docume~1\alluse~1\applic~1\BigFishGamesCache
2010-06-20 13:04:57 0 d-----w- c:\docume~1\alluse~1\applic~1\Go Go Gourmet
2010-06-20 12:55:30 0 d-----w- c:\docume~1\alluse~1\applic~1\Fugazo
2010-06-19 18:53:19 5632 ----a-w- c:\windows\system32\ptpusb.dll
2010-06-19 18:53:17 159232 ----a-w- c:\windows\system32\ptpusd.dll
2010-06-19 18:53:17 15104 -c--a-w- c:\windows\system32\dllcache\usbscan.sys
2010-06-19 18:53:17 15104 ----a-w- c:\windows\system32\drivers\usbscan.sys
2010-06-17 17:42:22 0 d-----w- c:\program files\common files\Real
2010-06-17 17:36:52 10 ----a-w- c:\windows\system32\810429tv4-test.jun
2010-06-17 17:36:50 0 d-----w- c:\program files\Online TV Player 4
2010-06-09 23:36:52 0 d-----w- c:\program files\DavidRM Software
2010-06-09 23:36:52 0 d-----w- c:\docume~1\majajo~1\applic~1\The Journal 5
2010-06-09 23:36:52 0 d-----w- c:\docume~1\alluse~1\applic~1\The Journal
2010-06-09 23:32:45 24 ----a-w- c:\windows\system32\raknahs.mar

==================== Find3M ====================

2010-06-17 17:42:23 499712 ----a-w- c:\windows\system32\msvcp71.dll
2010-06-17 17:42:23 348160 ----a-w- c:\windows\system32\msvcr71.dll
2010-05-18 12:54:03 483 ----a-w- c:\program files\Shortcut to Life Quest.lnk
2010-03-31 01:58:04 133616 ------w- c:\windows\system32\pxafs.dll
2010-03-31 01:58:04 125424 ------w- c:\windows\system32\pxinsi64.exe
2010-03-31 01:58:04 123888 ------w- c:\windows\system32\pxcpyi64.exe
2010-03-29 13:30:59 2328832 ----a-w- c:\windows\system32\TUKernel.exe
2010-03-29 12:23:20 307968 ----a-w- c:\windows\system32\TuneUpDefragService.exe

============= FINISH: 15:59:38,84 ===============







[Link visible only to logged-in users]

[Link visible only to logged-in users]

While scanning with the GMER program the computer restarted by itself, probably under the influence of the virus... I'll try again

Update: 26 Jun 2010 16:43

The Gmer program now freezes





It stops like this and won't continue

offline
  • Joined: 02 Feb 2008
  • Posts: 14018
  • Location: Nish

Read the link with the Instructions I gave once more.
One part of those instructions says the following:

Quote: In case the above program (meaning GMER) does not run stably (or at all) on your computer, you can use RootRepeal as an alternative.

offline
  • Joined: 16 Mar 2010
  • Posts: 481
  • Location: ...under the starry arm...

Another oversight [embarrassed]

Thank you for your patience, here is the report:

[Link visible only to logged-in users]

ROOTREPEAL (c) AD, 2007-2009
==================================================
Scan Start Time: 2010/06/26 16:58
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP3
==================================================

Drivers
-------------------
Name: 000007F5
Image Path: 000007F5
Address: 0xAB124000 Size: 73472 File Visible: No Signed: -
Status: -

Name: 000009EE
Image Path: 000009EE
Address: 0xAAC73000 Size: 73472 File Visible: No Signed: -
Status: -

Name: 00000A27
Image Path: 00000A27
Address: 0xAAC39000 Size: 73472 File Visible: No Signed: -
Status: -

Name: PCI_PNP1386
Image Path: \Driver\PCI_PNP1386
Address: 0x00000000 Size: 0 File Visible: No Signed: -
Status: -

Name: pxtdypow.sys
Image Path: C:\DOCUME~1\MAJAJO~1\LOCALS~1\Temp\pxtdypow.sys
Address: 0xAA43C000 Size: 93056 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xAB276000 Size: 49152 File Visible: No Signed: -
Status: -

Name: spnt.sys
Image Path: spnt.sys
Address: 0xF7373000 Size: 995328 File Visible: No Signed: -
Status: -

Name: sptd
Image Path: \Driver\sptd
Address: 0x00000000 Size: 0 File Visible: No Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: C:\WINDOWS\Prefetch\ROOTREPEAL.EXE-238DD849.pf
Status: Could not get file information (Error 0xc0000008-)

Path: C:\WINDOWS\Temp\NOD5AD1.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\NOD5AD3.tmp
Status: Invisible to the Windows API!

Path: C:\System Volume Information\_restore{B29903ED-0CEB-457B-8B86-61DCA7D3E4B2}\RP247\A0056432.exe:{E3C76A6B-DD50-F646-5A32-71579B127FF7}
Status: Visible to the Windows API, but not on disk.

Path: C:\System Volume Information\_restore{B29903ED-0CEB-457B-8B86-61DCA7D3E4B2}\RP249\A0056512.exe:{E3C76A6B-DD50-F646-5A32-71579B127FF7}
Status: Visible to the Windows API, but not on disk.

Path: C:\System Volume Information\_restore{B29903ED-0CEB-457B-8B86-61DCA7D3E4B2}\RP254\A0060918.exe:{E3C76A6B-DD50-F646-5A32-71579B127FF7}
Status: Visible to the Windows API, but not on disk.

Path: C:\System Volume Information\_restore{B29903ED-0CEB-457B-8B86-61DCA7D3E4B2}\RP254\A0060922.exe:{E3C76A6B-DD50-F646-5A32-71579B127FF7}
Status: Visible to the Windows API, but not on disk.

Path: C:\WINDOWS\system32\drivers\str.sys
Status: Invisible to the Windows API!

SSDT
-------------------
ServiceTable Hooked [0x84b13640]!

#: 019 Function Name: NtAssignProcessToJobObject
Status: Hooked by "<unknown>" at address 0x84df6580

#: 041 Function Name: NtCreateKey
Status: Hooked by "spnt.sys" at address 0xf73740e0

#: 057 Function Name: NtDebugActiveProcess
Status: Hooked by "<unknown>" at address 0x84df7100

#: 068 Function Name: NtDuplicateObject
Status: Hooked by "<unknown>" at address 0x84df6b30

#: 071 Function Name: NtEnumerateKey
Status: Hooked by "spnt.sys" at address 0xf738cda4

#: 073 Function Name: NtEnumerateValueKey
Status: Hooked by "spnt.sys" at address 0xf738d132

#: 119 Function Name: NtOpenKey
Status: Hooked by "spnt.sys" at address 0xf73740c0

#: 122 Function Name: NtOpenProcess
Status: Hooked by "<unknown>" at address 0x84df5cc0

#: 128 Function Name: NtOpenThread
Status: Hooked by "<unknown>" at address 0x84df5fc0

#: 137 Function Name: NtProtectVirtualMemory
Status: Hooked by "<unknown>" at address 0x84df69c0

#: 160 Function Name: NtQueryKey
Status: Hooked by "spnt.sys" at address 0xf738d20a

#: 177 Function Name: NtQueryValueKey
Status: Hooked by "spnt.sys" at address 0xf738d08a

#: 213 Function Name: NtSetContextThread
Status: Hooked by "<unknown>" at address 0x84df6860

#: 229 Function Name: NtSetInformationThread
Status: Hooked by "<unknown>" at address 0x84df66e0

#: 237 Function Name: NtSetSecurityObject
Status: Hooked by "<unknown>" at address 0x84df3700

#: 247 Function Name: NtSetValueKey
Status: Hooked by "spnt.sys" at address 0xf738d29c

#: 253 Function Name: NtSuspendProcess
Status: Hooked by "<unknown>" at address 0x84df6420

#: 254 Function Name: NtSuspendThread
Status: Hooked by "<unknown>" at address 0x84df62c0

#: 257 Function Name: NtTerminateProcess
Status: Hooked by "<unknown>" at address 0x84df5e50

#: 258 Function Name: NtTerminateThread
Status: Hooked by "<unknown>" at address 0x84df6150

#: 277 Function Name: NtWriteVirtualMemory
Status: Hooked by "<unknown>" at address 0x84df6f50

Stealth Objects
-------------------
Object: Hidden Thread [ETHREAD: 0x85f85020, TID: 1800]
Process: svchost.exe (PID: 972) Address: 0x00a51f3c Size: -

Object: Hidden Thread [ETHREAD: 0x85e60bd8, TID: 1176]
Process: svchost.exe (PID: 972) Address: 0x00dd1f3c Size: -

Object: Hidden Thread [ETHREAD: 0x84afcaa0, TID: 1464]
Process: svchost.exe (PID: 972) Address: 0x00e91f3c Size: -

Object: Hidden Code [Driver: Ntfs, IRP_MJ_CREATE]
Process: System Address: 0x863861f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_CLOSE]
Process: System Address: 0x863861f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_READ]
Process: System Address: 0x863861f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_WRITE]
Process: System Address: 0x863861f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_INFORMATION]
Process: System Address: 0x863861f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_INFORMATION]
Process: System Address: 0x863861f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_EA]
Process: System Address: 0x863861f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_EA]
Process: System Address: 0x863861f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x863861f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_VOLUME_INFORMATION]
Process: System Address: 0x863861f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_VOLUME_INFORMATION]
Process: System Address: 0x863861f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_DIRECTORY_CONTROL]
Process: System Address: 0x863861f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_FILE_SYSTEM_CONTROL]
Process: System Address: 0x863861f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x863861f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SHUTDOWN]
Process: System Address: 0x863861f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_LOCK_CONTROL]
Process: System Address: 0x863861f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_CLEANUP]
Process: System Address: 0x863861f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_SECURITY]
Process: System Address: 0x863861f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_SECURITY]
Process: System Address: 0x863861f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_QUOTA]
Process: System Address: 0x863861f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_QUOTA]
Process: System Address: 0x863861f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_PNP]
Process: System Address: 0x863861f8 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_CREATE]
Process: System Address: 0x85fd4500 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_CLOSE]
Process: System Address: 0x85fd4500 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_READ]
Process: System Address: 0x85fd4500 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_WRITE]
Process: System Address: 0x85fd4500 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x85fd4500 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x85fd4500 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x85fd4500 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_SHUTDOWN]
Process: System Address: 0x85fd4500 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_POWER]
Process: System Address: 0x85fd4500 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x85fd4500 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_PNP]
Process: System Address: 0x85fd4500 Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_CREATE]
Process: System Address: 0x8638a1f8 Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_CLOSE]
Process: System Address: 0x8638a1f8 Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_READ]
Process: System Address: 0x8638a1f8 Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_WRITE]
Process: System Address: 0x8638a1f8 Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x8638a1f8 Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x8638a1f8 Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x8638a1f8 Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_SHUTDOWN]
Process: System Address: 0x8638a1f8 Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_POWER]
Process: System Address: 0x8638a1f8 Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x8638a1f8 Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_PNP]
Process: System Address: 0x8638a1f8 Size: 121

Object: Hidden Code [Driver: usbohci, IRP_MJ_CREATE]
Process: System Address: 0x86012468 Size: 121

Object: Hidden Code [Driver: usbohci, IRP_MJ_CLOSE]
Process: System Address: 0x86012468 Size: 121

Object: Hidden Code [Driver: usbohci, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x86012468 Size: 121

Object: Hidden Code [Driver: usbohci, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x86012468 Size: 121

Object: Hidden Code [Driver: usbohci, IRP_MJ_POWER]
Process: System Address: 0x86012468 Size: 121

Object: Hidden Code [Driver: usbohci, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x86012468 Size: 121

Object: Hidden Code [Driver: usbohci, IRP_MJ_PNP]
Process: System Address: 0x86012468 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_CREATE]
Process: System Address: 0x8638b1f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_READ]
Process: System Address: 0x8638b1f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_WRITE]
Process: System Address: 0x8638b1f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x8638b1f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x8638b1f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x8638b1f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_SHUTDOWN]
Process: System Address: 0x8638b1f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_CLEANUP]
Process: System Address: 0x8638b1f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_POWER]
Process: System Address: 0x8638b1f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x8638b1f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_PNP]
Process: System Address: 0x8638b1f8 Size: 121

Object: Hidden Code [Driver: ag4a2gqqЅఉ瑎捦܉@考, IRP_MJ_CREATE]
Process: System Address: 0x85ed0500 Size: 121

Object: Hidden Code [Driver: ag4a2gqqЅఉ瑎捦܉@考, IRP_MJ_CLOSE]
Process: System Address: 0x85ed0500 Size: 121

Object: Hidden Code [Driver: ag4a2gqqЅఉ瑎捦܉@考, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x85ed0500 Size: 121

Object: Hidden Code [Driver: ag4a2gqqЅఉ瑎捦܉@考, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x85ed0500 Size: 121

Object: Hidden Code [Driver: ag4a2gqqЅఉ瑎捦܉@考, IRP_MJ_POWER]
Process: System Address: 0x85ed0500 Size: 121

Object: Hidden Code [Driver: ag4a2gqqЅఉ瑎捦܉@考, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x85ed0500 Size: 121

Object: Hidden Code [Driver: ag4a2gqqЅఉ瑎捦܉@考, IRP_MJ_PNP]
Process: System Address: 0x85ed0500 Size: 121

Object: Hidden Code [Driver: nvgts, IRP_MJ_CREATE]
Process: System Address: 0x863881f8 Size: 121

Object: Hidden Code [Driver: nvgts, IRP_MJ_CLOSE]
Process: System Address: 0x863881f8 Size: 121

Object: Hidden Code [Driver: nvgts, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x863881f8 Size: 121

Object: Hidden Code [Driver: nvgts, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x863881f8 Size: 121

Object: Hidden Code [Driver: nvgts, IRP_MJ_POWER]
Process: System Address: 0x863881f8 Size: 121

Object: Hidden Code [Driver: nvgts, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x863881f8 Size: 121

Object: Hidden Code [Driver: nvgts, IRP_MJ_PNP]
Process: System Address: 0x863881f8 Size: 121

Object: Hidden Code [Driver: NetBT, IRP_MJ_CREATE]
Process: System Address: 0x84ec11f8 Size: 121

Object: Hidden Code [Driver: NetBT, IRP_MJ_CLOSE]
Process: System Address: 0x84ec11f8 Size: 121

Object: Hidden Code [Driver: NetBT, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x84ec11f8 Size: 121

Object: Hidden Code [Driver: NetBT, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x84ec11f8 Size: 121

Object: Hidden Code [Driver: NetBT, IRP_MJ_CLEANUP]
Process: System Address: 0x84ec11f8 Size: 121

Object: Hidden Code [Driver: NetBT, IRP_MJ_PNP]
Process: System Address: 0x84ec11f8 Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_CREATE]
Process: System Address: 0x86052500 Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_CLOSE]
Process: System Address: 0x86052500 Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x86052500 Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x86052500 Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_POWER]
Process: System Address: 0x86052500 Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x86052500 Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_PNP]
Process: System Address: 0x86052500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CREATE]
Process: System Address: 0x84d631f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CREATE_NAMED_PIPE]
Process: System Address: 0x84d631f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CLOSE]
Process: System Address: 0x84d631f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_READ]
Process: System Address: 0x84d631f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_WRITE]
Process: System Address: 0x84d631f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_INFORMATION]
Process: System Address: 0x84d631f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_INFORMATION]
Process: System Address: 0x84d631f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_EA]
Process: System Address: 0x84d631f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_EA]
Process: System Address: 0x84d631f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x84d631f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_VOLUME_INFORMATION]
Process: System Address: 0x84d631f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_VOLUME_INFORMATION]
Process: System Address: 0x84d631f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_DIRECTORY_CONTROL]
Process: System Address: 0x84d631f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_FILE_SYSTEM_CONTROL]
Process: System Address: 0x84d631f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x84d631f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x84d631f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SHUTDOWN]
Process: System Address: 0x84d631f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_LOCK_CONTROL]
Process: System Address: 0x84d631f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CLEANUP]
Process: System Address: 0x84d631f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CREATE_MAILSLOT]
Process: System Address: 0x84d631f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_SECURITY]
Process: System Address: 0x84d631f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_SECURITY]
Process: System Address: 0x84d631f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_POWER]
Process: System Address: 0x84d631f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x84d631f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_DEVICE_CHANGE]
Process: System Address: 0x84d631f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_QUOTA]
Process: System Address: 0x84d631f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_QUOTA]
Process: System Address: 0x84d631f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_PNP]
Process: System Address: 0x84d631f8 Size: 121

Object: Hidden Code [Driver: CdfsЅఆ浗灩IPNATMofReso, IRP_MJ_CREATE]
Process: System Address: 0x85f22500 Size: 121

Object: Hidden Code [Driver: CdfsЅఆ浗灩IPNATMofReso, IRP_MJ_CLOSE]
Process: System Address: 0x85f22500 Size: 121

Object: Hidden Code [Driver: CdfsЅఆ浗灩IPNATMofReso, IRP_MJ_READ]
Process: System Address: 0x85f22500 Size: 121

Object: Hidden Code [Driver: CdfsЅఆ浗灩IPNATMofReso, IRP_MJ_QUERY_INFORMATION]
Process: System Address: 0x85f22500 Size: 121

Object: Hidden Code [Driver: CdfsЅఆ浗灩IPNATMofReso, IRP_MJ_SET_INFORMATION]
Process: System Address: 0x85f22500 Size: 121

Object: Hidden Code [Driver: CdfsЅఆ浗灩IPNATMofReso, IRP_MJ_QUERY_VOLUME_INFORMATION]
Process: System Address: 0x85f22500 Size: 121

Object: Hidden Code [Driver: CdfsЅఆ浗灩IPNATMofReso, IRP_MJ_DIRECTORY_CONTROL]
Process: System Address: 0x85f22500 Size: 121

Object: Hidden Code [Driver: CdfsЅఆ浗灩IPNATMofReso, IRP_MJ_FILE_SYSTEM_CONTROL]
Process: System Address: 0x85f22500 Size: 121

Object: Hidden Code [Driver: CdfsЅఆ浗灩IPNATMofReso, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x85f22500 Size: 121

Object: Hidden Code [Driver: CdfsЅఆ浗灩IPNATMofReso, IRP_MJ_SHUTDOWN]
Process: System Address: 0x85f22500 Size: 121

Object: Hidden Code [Driver: CdfsЅఆ浗灩IPNATMofReso, IRP_MJ_LOCK_CONTROL]
Process: System Address: 0x85f22500 Size: 121

Object: Hidden Code [Driver: CdfsЅఆ浗灩IPNATMofReso, IRP_MJ_CLEANUP]
Process: System Address: 0x85f22500 Size: 121

Object: Hidden Code [Driver: CdfsЅఆ浗灩IPNATMofReso, IRP_MJ_PNP]
Process: System Address: 0x85f22500 Size: 121

Hidden Services
-------------------
Service Name: clrgi
Image Path: C:\DOCUME~1\MAJAJO~1\LOCALS~1\Temp\mteqdszrb.sys

Service Name: tgcmsmvjblcdi
Image Path: C:\DOCUME~1\MAJAJO~1\LOCALS~1\Temp\iwqemjfs.sys

Service Name: yxkzc
Image Path: C:\DOCUME~1\MAJAJO~1\LOCALS~1\Temp\uwcxa.sys

==EOF==

offline
  • Joined: 02 Feb 2008
  • Posts: 14018
  • Location: Nish

Download The Avenger to the Desktop.
Unpack the archive into a folder

Double-click avenger.exe to run it

Copy the text inside the Code box into the program's (white) window:


Drivers to delete:
str
bsoyaepdou
clrgi
svyubrwrkzfylu
tgcmsmvjblcdi
yxkzc

Files to delete:
c:\documents and settings\maja jokic\application data\yftza.exe
c:\documents and settings\maja jokic\application data\mrpky.exe
c:\windows\system32\drivers\str.sys
c:\windows\system32\lupoow.exe
c:\docume~1\majajo~1\locals~1\temp\mteqdszrb.sys
c:\docume~1\majajo~1\locals~1\temp\zxltcijpg.sys
c:\windows\system32\msvcrt2.dll
C:\DOCUME~1\MAJAJO~1\LOCALS~1\Temp\iwqemjfs.sys
C:\DOCUME~1\MAJAJO~1\LOCALS~1\Temp\uwcxa.sys

Registry values to delete:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon | Taskman


Click Execute, then Yes in the next two windows that open

The computer will restart (in certain cases: twice) and the cleaning/scanning process will begin

When the process is finished, the logfile C:\avenger.txt will open in Notepad

Copy the contents of the resulting log into the topic on the forum.
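The removal list in the reply above is read straight off the two logs: the DDS Winlogon values and S2 service lines, and RootRepeal's "Hidden Services" and "Invisible to the Windows API" entries. The Python below is an added example, not part of this thread and not code from the DDS, RootRepeal or Avenger tools; it automates that reading over condensed excerpts of the logs posted above and prints the result in the same three-section layout the Avenger script uses. Assumed rather than taken from the page: the two flagging rules (a service whose image lives in a user-writable directory or is reported missing/unverifiable by DDS; anything other than explorer.exe in Winlogon Shell), the decision not to auto-delete invisible files that are not drivers, and each tool's field layout only as far as the excerpts show it. It yields the reply's driver and file entries that come from those sections (run on the full logs it would also pick up yxkzc and uwcxa.sys) but not msvcrt2.dll, which the reply took from the "Created Last 30" list and which no rule here covers.

```python
"""Pull the rootkit indicators out of a DDS log and a RootRepeal log and print them as an
Avenger-style removal script. Added example, not part of this thread or of the three tools."""
import re

# Condensed excerpts of the two logs posted above (record-separating blank lines dropped).
DDS_EXCERPT = r"""
mWinlogon: Taskman=c:\documents and settings\maja jokic\application data\yftza.exe
uWinlogon: Shell=c:\documents and settings\maja jokic\application data\yftza.exe,explorer.exe,c:\documents and settings\maja jokic\application data\mrpky.exe
R1 ehdrv;ehdrv;c:\windows\system32\drivers\ehdrv.sys [2009-5-14 107256]
S2 bsoyaepdou;Crystal Report Application Server;c:\windows\system32\lupoow.exe --> c:\windows\system32\lupoow.exe [?]
S2 clrgi;\??\C;c:\docume~1\majajo~1\locals~1\temp\mteqdszrb.sys []
S2 svyubrwrkzfylu;\??\c:\docume~;\??\c:\docume~1\majajo~1\locals~1\temp\zxltcijpg.sys --> c:\docume~1\majajo~1\locals~1\temp\zxltcijpg.sys [?]
"""
ROOTREPEAL_EXCERPT = r"""
Hidden/Locked Files
-------------------
Path: C:\WINDOWS\Temp\NOD5AD1.tmp
Status: Invisible to the Windows API!
Path: C:\WINDOWS\system32\drivers\str.sys
Status: Invisible to the Windows API!

SSDT
-------------------
#: 019 Function Name: NtAssignProcessToJobObject
Status: Hooked by "<unknown>" at address 0x84df6580
#: 041 Function Name: NtCreateKey
Status: Hooked by "spnt.sys" at address 0xf73740e0

Hidden Services
-------------------
Service Name: clrgi
Image Path: C:\DOCUME~1\MAJAJO~1\LOCALS~1\Temp\mteqdszrb.sys
Service Name: tgcmsmvjblcdi
Image Path: C:\DOCUME~1\MAJAJO~1\LOCALS~1\Temp\iwqemjfs.sys
"""
USER_WRITABLE = ("\\temp\\", "\\application data\\")   # assumption: no service image or shell belongs here

def new_findings():
    return {"drivers": [], "files": [], "regvalues": [], "review": [], "unknown_hooks": 0}

def _add(seq, item):                                   # dedupe; Windows names compare case-insensitively
    if item.lower() not in (x.lower() for x in seq):
        seq.append(item)

def parse_dds(text, f):
    """Flag Winlogon Shell/Taskman hijacks and services whose image is missing or user-writable."""
    for line in text.splitlines():
        m = re.match(r"^([um])Winlogon: (Shell|Taskman)=(.*)$", line)
        if m:
            scope, name, value = m.groups()
            for entry in value.split(","):             # Shell may carry a comma-separated list
                if entry.strip().lower() != "explorer.exe":
                    _add(f["files"], entry.strip())
            hive = "HKLM" if scope == "m" else "HKCU"
            regval = hive + r"\Software\Microsoft\Windows NT\CurrentVersion\Winlogon | " + name
            if name == "Taskman":                      # not set on a clean XP install: delete it
                _add(f["regvalues"], regval)
            else:                                      # Shell must be reset, never deleted
                f["review"].append("reset " + regval + " to explorer.exe")
            continue
        m = re.match(r"^[RS]\d ([^;]+);[^;]*;(.*?)\s*\[([^\]]*)\]\s*$", line)
        if m:                                          # "<start> <svc>;<display>;<image> [<date size>|?|]"
            svc, image, meta = m.groups()
            image = image.split(" --> ")[-1]           # DDS prints "x --> x [?]" when the file is gone
            if meta in ("?", "") or any(d in image.lower() for d in USER_WRITABLE):
                _add(f["drivers"], svc)
                _add(f["files"], image)
    return f

def parse_rootrepeal(text, f):
    """Flag hidden services and invisible .sys files; count SSDT entries hooked by "<unknown>" code."""
    section, cur = None, None
    for line in text.splitlines():
        if ":" not in line:                            # a bare word is a section header, the rest noise
            if line and not line.startswith("-"):
                section = line.strip()
            continue
        key, _, val = (s.strip() for s in line.partition(":"))
        if section == "Hidden/Locked Files":
            if key == "Path":
                cur = val
            elif key == "Status" and val.startswith("Invisible"):
                if cur.lower().endswith(".sys"):       # driver file hidden from the API: name = file stem
                    _add(f["drivers"], cur.rsplit("\\", 1)[-1][:-4])
                    _add(f["files"], cur)
                else:                                  # AV scratch files hide too: never auto-delete these
                    f["review"].append("invisible file, confirm before deleting: " + cur)
        elif section == "SSDT" and key == "Status" and '"<unknown>"' in val:
            f["unknown_hooks"] += 1                    # hook owned by no loaded module: rootkit's own code
        elif section == "Hidden Services":
            if key == "Service Name":
                cur = val
            elif key == "Image Path":
                _add(f["drivers"], cur)
                _add(f["files"], val)
    return f

def to_avenger(f):
    """Render the findings in the three-section layout the reply above feeds to Avenger."""
    blocks = [("Drivers to delete:", f["drivers"]), ("Files to delete:", f["files"]),
              ("Registry values to delete:", f["regvalues"])]
    return "\n\n".join(t + "\n" + "\n".join(items) for t, items in blocks if items) + "\n"

if __name__ == "__main__":
    f = parse_rootrepeal(ROOTREPEAL_EXCERPT, parse_dds(DDS_EXCERPT, new_findings()))
    print(to_avenger(f))
    print("SSDT entries hooked by <unknown>:", f["unknown_hooks"])
    for note in f["review"]:
        print("REVIEW:", note)
```

Treat the output as a draft to be read, not executed blindly: the REVIEW lines are exactly the cases a script should not decide on its own (an antivirus's own hidden scratch files in C:\WINDOWS\Temp, and a Shell value that has to be set back to explorer.exe rather than deleted). Paths from the two tools are deduplicated case-insensitively because DDS prints them lowercase and RootRepeal in 8.3 upper case while they name the same file.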

offline
  • Joined: 16 Mar 2010
  • Posts: 481
  • Location: ...under the starry arm...

Thank you very much for the help, but my computer had gone completely crazy and was restarting, shutting down and glitching on its own, so I couldn't follow your instructions... so I decided to take it in for a system reinstall... and now it works [smile]

Thank you very much for your effort, help and patience... [hug]
