Rootkit problem


  • Joined: 26 Feb 2011
  • Posts: 164

My computer is a Nomak Power 310i... An ordinary desktop, I suppose.....

  • magna86  Male
  • Anti Malware Fighter
    Rank 2
  • Joined: 21 Jun 2008
  • Posts: 6103

> Read these instructions carefully and follow them! If anything is unclear, stop and ask.

..................................................

Run MBRCheck.exe again.

Wait until you see the following line: Enter 'Y' and hit ENTER for more options, or 'N' to exit:
Press 'Y', then press Enter.
When you get the prompt 'Enter your choice:', choose option 2 (Restore the MBR of a physical disk with a standard boot code) and press Enter.
The program will now ask you: 'Enter the physical disk number to fix (0-99, -1 to cancel)'
Press 0 and then press Enter.
The program will display the available MBR codes (Available MBR codes), listing operating systems as shown below.

Quote:
Available MBR codes:
[ 0] Default (Windows XP)
[ 1] Windows XP
[ 2] Windows Server 2003
[ 3] Windows Vista
[ 4] Windows 2008
[ 5] Windows 7
[-1] Cancel
Please select the MBR code to write to this drive:

Press 5 to select your version of Windows from the list and press Enter.

When you are asked for confirmation "Do you want to fix the MBR code?", type Yes and press Enter.
Left-click on the title bar (where the program name and its path are shown).
From the menu choose Edit -> Select All.
Press Enter to copy the highlighted text.
Open a new Notepad, paste it there (Paste) and save it to the Desktop as MBRCheck.txt.
When it finishes, you should see the message Done! Press ENTER to exit.... Press Enter on the keyboard.
Restart the computer to complete the cleanup and copy MBRCheck.txt.

Warning: If your computer does not restart by itself, do it manually.

............................................


Report back in the thread when you have done this.

  • Joined: 26 Feb 2011
  • Posts: 164

Done. I restarted the computer. Just as I started to write that Avast is reporting nothing, it threw up the same window again that I posted earlier. Here is the log:

MBRCheck, version 1.2.3
(c) 2010, AD

Command-line:
Windows Version: Windows 7 Ultimate Edition
Windows Information: (build 7600), 32-bit
Base Board Manufacturer: Gigabyte Technology Co., Ltd.
BIOS Manufacturer: Award Software International, Inc.
System Manufacturer: Gigabyte Technology Co., Ltd.
System Product Name: P35-DS3L
Logical Drives Mask: 0x0000003c

\\.\C: --> \\.\PhysicalDrive0 at offset 0x00000000`00007e00 (NTFS)
\\.\D: --> \\.\PhysicalDrive0 at offset 0x0000000b`f3413e00 (NTFS)

Size Device Name MBR Status
--------------------------------------------
232 GB \\.\PhysicalDrive0 MBR Code Faked!
SHA1: 3312F05D7939BF197D0957FED89EFCD7294CFD9D


Found non-standard or infected MBR.
Enter 'Y' and hit ENTER for more options, or 'N' to exit: y

Options:
[1] Dump the MBR of a physical disk to file.
[2] Restore the MBR of a physical disk with a standard boot code.
[3] Exit.

Enter your choice: 2

Enter the physical disk number to fix (0-99, -1 to cancel): 0
Available MBR codes:
[ 0] Default (Windows 7)
[ 1] Windows XP
[ 2] Windows Server 2003
[ 3] Windows Vista
[ 4] Windows 2008
[ 5] Windows 7
[-1] Cancel

Please select the MBR code to write to this drive: 5
Do you want to fix the MBR code? Type 'YES' and hit ENTER to continue: yes
Successfully wrote new MBR code!
Please reboot your computer to complete the fix.


Done!
Press ENTER to exit...

  • magna86  Male
  • Anti Malware Fighter
    Rank 2
  • Joined: 21 Jun 2008
  • Posts: 6103

Well done. This looks good.

Delete the ComboFix program (right-click >> Delete on the icon).
Download a fresh ComboFix.
Temporarily disable your antivirus and run ComboFix.
Paste here the log you get at the end of the process.

..............................................

Delete TDSSKiller, download a fresh copy from the link given above and run it according to the instructions.
Attach its log to your post.

................................................

Delete the aswMBR program, download a fresh copy from the link given above and run it according to the instructions given above.

Check that under AV engine the QuickScan option is ticked, as in the picture:

Click Scan and, when the scan finishes, save the log by clicking Save log and attach that report to your post.

...............................

In your next post, paste a fresh ComboFix.txt log and attach the reports from TDSSKiller and aswMBR.

  • Joined: 26 Feb 2011
  • Posts: 164

Done. From what I noticed, ComboFix didn't find much, TDSS found nothing, as last time, but aswMBR found a lot of things. What does aswMBR actually do? How come they weren't disinfected until now? Here are the logs:


ComboFix 11-06-25.05 - Dimitrije 26.06.2011 13:01:42.3.2 - x86
Microsoft Windows 7 Ultimate 6.1.7600.0.1252.1.1033.18.2046.1226 [GMT 2:00]
Running from: c:\users\Dimitrije\Desktop\ComboFix.exe
AV: avast! Antivirus *Disabled/Updated* {2B2D1395-420B-D5C9-657E-930FE358FC3C}
FW: COMODO Firewall *Disabled* {4D6F75E0-14AF-2E9E-AACD-24CDCF08AA2A}
SP: avast! Antivirus *Disabled/Updated* {904CF271-6431-DA47-5FCE-A87D98DFB681}
SP: COMODO Defense+ *Disabled/Updated* {CE351521-78FA-2048-BB22-B68A4A5CA7EC}
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
* Created a new restore point
.
.
((((((((((((((((((((((((( Files Created from 2011-05-26 to 2011-06-26 )))))))))))))))))))))))))))))))
.
.
2011-06-26 11:09 . 2011-06-26 11:09 -------- d-----w- c:\users\Default\AppData\Local\temp
2011-06-23 11:10 . 2011-06-23 11:10 -------- d-----w- c:\users\Dimitrije\AppData\Roaming\Microsoft Games
2011-06-18 19:17 . 2011-06-23 14:56 -------- d-----w- c:\users\Dimitrije\AppData\Local\CrashDumps
2011-06-18 09:10 . 2011-06-18 18:44 -------- d-----w- c:\program files\IObit
2011-06-17 12:34 . 2011-06-17 12:45 -------- d-----w- c:\users\Dimitrije\AppData\Local\NPE
2011-06-16 12:58 . 2011-04-22 23:25 2382848 ----a-w- c:\windows\system32\mshtml.tlb
2011-06-16 12:58 . 2011-04-25 15:29 141104 ----a-w- c:\program files\Internet Explorer\sqmapi.dll
2011-06-16 12:58 . 2011-04-22 23:35 1797632 ----a-w- c:\windows\system32\jscript9.dll
2011-06-15 12:05 . 2011-04-29 02:57 311296 ----a-w- c:\windows\system32\drivers\srv.sys
2011-06-15 12:05 . 2011-04-29 02:57 309760 ----a-w- c:\windows\system32\drivers\srv2.sys
2011-06-15 12:05 . 2011-04-29 02:57 114176 ----a-w- c:\windows\system32\drivers\srvnet.sys
2011-06-15 12:05 . 2011-04-25 04:56 1286016 ----a-w- c:\windows\system32\drivers\tcpip.sys
2011-06-15 12:05 . 2011-04-25 02:35 338944 ----a-w- c:\windows\system32\drivers\afd.sys
2011-06-15 12:05 . 2010-12-18 05:31 571904 ----a-w- c:\windows\system32\oleaut32.dll
2011-06-15 12:05 . 2011-04-27 02:33 78336 ----a-w- c:\windows\system32\drivers\dfsc.sys
2011-06-15 12:05 . 2011-05-03 04:50 740864 ----a-w- c:\windows\system32\inetcomm.dll
2011-06-15 12:00 . 2011-05-04 02:43 222720 ----a-w- c:\windows\system32\drivers\mrxsmb10.sys
2011-06-15 12:00 . 2011-05-04 02:43 96256 ----a-w- c:\windows\system32\drivers\mrxsmb20.sys
2011-06-15 12:00 . 2011-05-04 02:43 123392 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-06-12 17:03 . 2009-07-23 03:08 50200 ----a-w- c:\windows\system32\perf-SQLAgent$SQLEXPRESS-sqlagtctr10.1.2531.0.dll
2011-06-12 17:03 . 2009-07-23 03:08 79896 ----a-w- c:\windows\system32\perf-MSSQL$SQLEXPRESS-sqlctr10.1.2531.0.dll
2011-06-12 17:02 . 2011-06-12 17:02 -------- d-----w- c:\windows\system32\RsFx
2011-06-12 16:56 . 2011-06-12 17:02 -------- d-----w- c:\program files\Microsoft SQL Server
2011-06-12 16:53 . 2011-06-12 16:53 -------- d-----w- c:\programdata\PreEmptive Solutions
2011-06-12 16:49 . 2011-06-12 16:49 -------- d-----w- c:\program files\Microsoft ASP.NET
2011-06-12 16:49 . 2011-06-12 16:49 -------- d-----w- c:\program files\IIS
2011-06-12 16:47 . 2011-06-16 18:09 2478272 ----a-w- c:\programdata\Microsoft\VisualStudio\10.0\1033\ResourceCache.dll
2011-06-12 16:37 . 2011-06-12 17:00 -------- d-----w- c:\windows\system32\1033
2011-06-12 16:36 . 2011-06-12 16:36 -------- d-----w- c:\windows\symbols
2011-06-12 16:36 . 2011-06-12 16:55 -------- d-----w- c:\program files\Microsoft SDKs
2011-06-12 16:36 . 2011-06-12 16:41 -------- d-----w- c:\program files\Microsoft F#
2011-06-12 16:36 . 2011-06-12 16:39 -------- d-----w- c:\program files\HTML Help Workshop
2011-06-12 16:36 . 2011-06-15 19:56 -------- d-----w- c:\program files\Common Files\Merge Modules
2011-06-12 16:36 . 2011-06-12 16:36 -------- d-----w- c:\program files\Microsoft Help Viewer
2011-06-12 16:33 . 2011-06-12 16:33 -------- d-----w- c:\program files\Microsoft Visual Studio 9.0
2011-06-12 13:10 . 2011-06-12 13:10 -------- d-----w- c:\users\Dimitrije\AppData\Roaming\OpenOffice.org
2011-06-09 14:25 . 2011-06-09 14:25 -------- d-----w- C:\Program Files (x86)
2011-06-09 14:23 . 2011-06-09 14:23 -------- d-----w- c:\program files\VirtualDJ
2011-06-08 12:33 . 2011-06-08 12:33 -------- d-----w- c:\users\Dimitrije\AppData\Roaming\com.adobe.dmp.contentviewer
2011-06-05 11:41 . 2011-06-05 11:41 -------- d-----w- c:\users\Dimitrije\AppData\Roaming\Nokia Ovi Suite
2011-06-05 11:38 . 2011-06-05 11:38 -------- d-----w- c:\programdata\Nokia
2011-06-05 11:36 . 2011-06-05 11:36 -------- d-----w- c:\users\Dimitrije\AppData\Local\Nokia
2011-06-05 11:33 . 2008-08-26 08:26 18816 ----a-w- c:\windows\system32\drivers\pccsmcfd.sys
2011-06-05 11:33 . 2011-06-05 11:33 -------- d-----w- c:\program files\PC Connectivity Solution
2011-06-05 11:32 . 2011-06-05 11:33 -------- d-----w- c:\program files\Nokia
2011-06-01 13:56 . 2011-06-01 13:56 -------- d-----w- c:\program files\Common Files\PX Storage Engine
2011-06-01 13:56 . 2011-06-18 09:31 -------- d-----w- c:\users\Dimitrije\AppData\Roaming\Winamp
2011-05-31 20:36 . 2011-06-17 12:29 17480 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
2011-05-30 13:40 . 2011-05-30 13:40 -------- d-----w- c:\program files\Microsoft CAPICOM 2.1.0.2
2011-05-29 08:09 . 2011-06-18 09:43 -------- d-----w- c:\programdata\IObit
2011-05-29 07:23 . 2011-05-29 07:23 -------- d-----w- c:\users\Dimitrije\AppData\Roaming\FLEXnet
2011-05-29 07:23 . 2011-05-29 07:23 -------- d-----w- c:\users\Dimitrije\AppData\Roaming\Zeon
2011-05-29 07:23 . 2011-05-29 07:23 -------- d-----w- c:\users\Dimitrije\AppData\Roaming\ScanSoft
2011-05-29 07:18 . 2011-05-29 07:18 -------- d-----w- c:\users\Dimitrije\AppData\Roaming\Nuance
2011-05-29 07:18 . 2011-05-29 07:18 -------- d-----w- c:\programdata\ScanSoft
2011-05-29 07:17 . 2011-05-29 07:17 -------- d-----w- c:\programdata\FLEXnet
2011-05-29 07:17 . 2011-05-29 07:17 -------- d-----w- c:\program files\Nuance
2011-05-29 07:15 . 2011-05-29 07:15 -------- d-----w- c:\program files\Common Files\InstallShield
2011-05-28 09:24 . 2010-05-21 10:11 475648 ----a-w- c:\windows\system32\MyDefragScreenSaver_v4.3.1.scr
2011-05-28 09:24 . 2010-05-21 10:11 1061888 ----a-w- c:\windows\system32\MyDefragScreenSaver_v4.3.1.exe
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-06-15 20:21 . 2011-05-17 20:55 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-05-29 07:11 . 2011-03-07 19:28 39984 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-05-29 07:11 . 2011-03-07 19:28 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-05-18 19:33 . 2011-05-18 19:33 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-05-11 07:39 . 2011-05-11 07:39 77004 ----a-w- c:\windows\system32\drivers\AFS.SYS
2011-05-10 12:10 . 2011-03-07 18:33 40112 ----a-w- c:\windows\avastSS.scr
2011-05-10 12:10 . 2011-03-07 18:33 199304 ----a-w- c:\windows\system32\aswBoot.exe
2011-05-10 12:03 . 2011-03-07 18:33 441176 ----a-w- c:\windows\system32\drivers\aswSnx.sys
2011-05-10 12:03 . 2011-03-07 18:34 307928 ----a-w- c:\windows\system32\drivers\aswSP.sys
2011-05-10 12:02 . 2011-03-07 18:33 49240 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2011-05-10 11:59 . 2011-03-07 18:34 25432 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2011-05-10 11:59 . 2011-03-07 18:33 53592 ----a-w- c:\windows\system32\drivers\aswMonFlt.sys
2011-05-10 11:59 . 2011-03-07 18:34 19544 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2011-05-10 08:13 . 2011-01-06 16:36 82400 ----a-w- c:\windows\system32\drivers\inspect.sys
2011-05-08 10:31 . 2011-05-08 10:31 31744 ----a-w- c:\windows\system32\maplec.dll
2011-05-08 10:31 . 2011-05-08 10:31 212992 ----a-w- c:\windows\system32\WMIMPLEX.dll
2011-05-08 10:31 . 2011-05-08 10:31 20480 ----a-w- c:\windows\system32\maplecompat.dll
2011-05-05 07:54 . 2010-12-29 00:42 284744 ----a-w- c:\windows\system32\guard32.dll
2011-05-05 07:54 . 2011-01-06 16:36 37592 ----a-w- c:\windows\system32\drivers\cmdhlp.sys
2011-05-05 07:54 . 2011-01-06 16:36 238960 ----a-w- c:\windows\system32\drivers\cmdGuard.sys
2011-05-05 07:54 . 2011-01-06 16:36 19088 ----a-w- c:\windows\system32\drivers\cmderd.sys
2011-04-22 10:15 . 2011-04-22 10:15 87888 ----a-w- c:\windows\system32\vcomp100d.dll
2011-04-22 10:15 . 2011-04-22 10:15 80720 ----a-w- c:\windows\system32\mfcm100u.dll
2011-04-22 10:15 . 2011-04-22 10:15 80208 ----a-w- c:\windows\system32\mfcm100.dll
2011-04-22 10:15 . 2011-04-22 10:15 768848 ----a-w- c:\windows\system32\msvcr100.dll
2011-04-22 10:15 . 2011-04-22 10:15 743248 ----a-w- c:\windows\system32\msvcp100d.dll
2011-04-22 10:15 . 2011-04-22 10:15 6994256 ----a-w- c:\windows\system32\mfc100ud.dll
2011-04-22 10:15 . 2011-04-22 10:15 6926672 ----a-w- c:\windows\system32\mfc100d.dll
2011-04-22 10:15 . 2011-04-22 10:15 64336 ----a-w- c:\windows\system32\mfc100fra.dll
2011-04-22 10:15 . 2011-04-22 10:15 64336 ----a-w- c:\windows\system32\mfc100deu.dll
2011-04-22 10:15 . 2011-04-22 10:15 63824 ----a-w- c:\windows\system32\mfc100esn.dll
2011-04-22 10:15 . 2011-04-22 10:15 62288 ----a-w- c:\windows\system32\mfc100ita.dll
2011-04-22 10:15 . 2011-04-22 10:15 60752 ----a-w- c:\windows\system32\mfc100rus.dll
2011-04-22 10:15 . 2011-04-22 10:15 55120 ----a-w- c:\windows\system32\mfc100enu.dll
2011-04-22 10:15 . 2011-04-22 10:15 51024 ----a-w- c:\windows\system32\vcomp100.dll
2011-04-22 10:15 . 2011-04-22 10:15 43856 ----a-w- c:\windows\system32\mfc100jpn.dll
2011-04-22 10:15 . 2011-04-22 10:15 4368720 ----a-w- c:\windows\system32\mfc100u.dll
2011-04-22 10:15 . 2011-04-22 10:15 4342600 ----a-w- c:\windows\system32\mfc100.dll
2011-04-22 10:15 . 2011-04-22 10:15 43344 ----a-w- c:\windows\system32\mfc100kor.dll
2011-04-22 10:15 . 2011-04-22 10:15 421200 ----a-w- c:\windows\system32\msvcp100.dll
2011-04-22 10:15 . 2011-04-22 10:15 36176 ----a-w- c:\windows\system32\mfc100cht.dll
2011-04-22 10:15 . 2011-04-22 10:15 36176 ----a-w- c:\windows\system32\mfc100chs.dll
2011-04-22 10:15 . 2011-04-22 10:15 1497936 ----a-w- c:\windows\system32\msvcr100d.dll
2011-04-22 10:15 . 2011-04-22 10:15 137544 ----a-w- c:\windows\system32\atl100.dll
2011-04-22 10:15 . 2011-04-22 10:15 104784 ----a-w- c:\windows\system32\mfcm100ud.dll
2011-04-22 10:15 . 2011-04-22 10:15 103248 ----a-w- c:\windows\system32\mfcm100d.dll
2011-04-18 16:01 . 2003-03-18 19:14 499712 ----a-w- c:\windows\system32\msvcp71.dll
2011-04-18 16:01 . 2003-02-21 03:42 348160 ----a-w- c:\windows\system32\msvcr71.dll
2011-04-09 06:13 . 2011-05-11 07:29 3957632 ----a-w- c:\windows\system32\ntkrnlpa.exe
2011-04-09 06:13 . 2011-05-11 07:29 3901824 ----a-w- c:\windows\system32\ntoskrnl.exe
2011-04-09 05:56 . 2011-05-23 19:04 123904 ----a-w- c:\windows\system32\poqexec.exe
2011-04-06 08:44 . 2011-04-06 08:44 409088 ----a-w- c:\windows\system32\systemcpl.dll
2011-04-06 08:44 . 2011-03-06 17:22 13824 ----a-w- c:\windows\system32\slwga.dll
2011-04-03 09:55 . 2011-04-03 09:55 86528 ----a-w- c:\windows\system32\iesysprep.dll
2011-04-03 09:55 . 2011-04-03 09:55 76800 ----a-w- c:\windows\system32\SetIEInstalledDate.exe
2011-04-03 09:55 . 2011-04-03 09:55 74752 ----a-w- c:\windows\system32\RegisterIEPKEYs.exe
2011-04-03 09:55 . 2011-04-03 09:55 48640 ----a-w- c:\windows\system32\mshtmler.dll
2011-04-03 09:55 . 2011-04-03 09:55 161792 ----a-w- c:\windows\system32\msls31.dll
2011-04-03 09:55 . 2011-04-03 09:55 1126912 ----a-w- c:\windows\system32\wininet.dll
2011-04-03 09:55 . 2011-04-03 09:55 110592 ----a-w- c:\windows\system32\IEAdvpack.dll
2011-04-03 09:55 . 2011-04-03 09:55 74752 ----a-w- c:\windows\system32\iesetup.dll
2011-04-03 09:55 . 2011-04-03 09:55 63488 ----a-w- c:\windows\system32\tdc.ocx
2011-04-03 09:55 . 2011-04-03 09:55 420864 ----a-w- c:\windows\system32\vbscript.dll
2011-04-03 09:55 . 2011-04-03 09:55 367104 ----a-w- c:\windows\system32\html.iec
2011-04-03 09:55 . 2011-04-03 09:55 35840 ----a-w- c:\windows\system32\imgutil.dll
2011-04-03 09:55 . 2011-04-03 09:55 23552 ----a-w- c:\windows\system32\licmgr10.dll
2011-04-03 09:55 . 2011-04-03 09:55 152064 ----a-w- c:\windows\system32\wextract.exe
2011-04-03 09:55 . 2011-04-03 09:55 150528 ----a-w- c:\windows\system32\iexpress.exe
2011-04-03 09:55 . 2011-04-03 09:55 142848 ----a-w- c:\windows\system32\ieUnatt.exe
2011-04-03 09:55 . 2011-04-03 09:55 1427456 ----a-w- c:\windows\system32\inetcpl.cpl
2011-04-03 09:55 . 2011-04-03 09:55 11776 ----a-w- c:\windows\system32\mshta.exe
2011-04-03 09:55 . 2011-04-03 09:55 101888 ----a-w- c:\windows\system32\admparse.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
@="{472083B0-C522-11CF-8763-00608CC02F24}"
[HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
2011-05-10 12:10 122512 ----a-w- d:\program files\AVAST Software\Avast\ashShell.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"COMODO_TimeMachine"="d:\program files\COMODO\Time Machine\CTMTRAY.exe" [2010-07-20 4910904]
"avast"="d:\program files\AVAST Software\Avast\avastUI.exe" [2011-05-10 3459712]
"COMODO Internet Security"="d:\program files\COMODO\COMODO Internet Security\cfp.exe" [2011-05-10 2552648]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\SharedTaskScheduler]
"{1984DD45-52CF-49cd-AB77-18F378FEA264}"= "d:\program files\Stardock\Fences\FencesMenu.dll" [2010-06-22 202088]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\System32\guard32.dll
.
[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Watch.lnk]
backup=c:\windows\pss\Watch.lnk.CommonStartup
backupExtension=.CommonStartup
.
[HKLM\~\startupfolder\C:^Users^Dimitrije^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^Stardock ObjectDock.lnk]
backup=c:\windows\pss\Stardock ObjectDock.lnk.Startup
backupExtension=.Startup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NokiaMServer]
c:\program files\Common Files\Nokia\MPlatform\NokiaMServer [X]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdobeAAMUpdater-1.0]
2011-03-15 15:42 499608 ------w- c:\program files\Common Files\Adobe\OOBE\PDApp\UWA\updaterstartuputility.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdobeCS5.5ServiceManager]
2011-01-12 05:08 1523360 ----a-w- c:\program files\Common Files\Adobe\CS5.5ServiceManager\CS5.5ServiceManager.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdobeCS5ServiceManager]
2010-02-22 02:57 406992 ----a-w- c:\program files\Common Files\Adobe\CS5ServiceManager\CS5ServiceManager.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BCSSync]
2010-01-21 16:22 91520 ----a-w- c:\program files\Microsoft Office\Office14\BCSSync.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools Lite]
2011-01-20 09:20 1305408 ----a-w- d:\program files\DAEMON Tools Lite\DTLite.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DeviceDiscovery]
2003-05-21 16:37 229437 ----a-w- c:\program files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\FixCamera]
2007-07-11 14:09 20480 ----a-w- c:\windows\FixCamera.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Component Manager]
2003-10-23 17:51 233472 ----a-w- c:\program files\HP\hpcoretech\hpcmpmgr.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
2003-06-25 09:24 49152 ----a-w- c:\program files\Hewlett-Packard\HP Software Update\hpwuSchd.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Malwarebytes' Anti-Malware (reboot)]
2011-05-29 07:11 1047656 ----a-w- d:\program files\Malwarebytes' Anti-Malware\mbam.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroCheck]
2001-07-09 00:50 155648 ----a-w- c:\windows\System32\NeroCheck.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NokiaOviSuite2]
2011-05-20 14:56 724536 ----a-w- c:\program files\Nokia\Nokia Ovi Suite\NokiaOviSuite.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PC Suite Tray]
2010-12-21 10:53 1483264 ----a-w- d:\program files\Nokia\Nokia PC Suite 7\PCSuite.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PWRISOVM.EXE]
2010-04-12 08:40 180224 ----a-w- d:\program files\PowerISO\PWRISOVM.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-11-29 15:38 421888 ----a-w- d:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SandboxieControl]
2011-03-24 11:24 409320 ----a-w- d:\program files\Sandboxie\SbieCtrl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
2011-06-15 13:02 15141768 ----a-r- c:\program files\Skype\Phone\Skype.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\snp2std]
2007-05-10 14:58 344064 ----a-w- c:\windows\vsnp2std.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SwitchBoard]
2010-02-19 11:37 517096 ----a-w- c:\program files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
2011-04-18 16:01 273544 ----a-w- c:\program files\Real\RealPlayer\Update\realsched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\tsnp2std]
2007-05-12 09:19 270336 ----a-w- c:\windows\tsnp2std.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\vmware-tray]
2010-11-11 12:47 129648 ----a-w- d:\program files\VMware\vmware-tray.exe
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"RocketDock"="d:\program files\RocketDock\RocketDock.exe"
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe"
"Nuance OmniPage 17-reminder"="d:\program files\Nuance\OmniPage17\Ereg\Ereg.exe" -r "c:\programdata\ScanSoft\OmniPage 17\Ereg\Ereg.ini"
.
R1 SASDIFSV;SASDIFSV;c:\users\DIMITR~1\AppData\Local\Temp\SAS_SelfExtract\SASDIFSV.SYS [x]
R1 SASKUTIL;SASKUTIL;c:\users\DIMITR~1\AppData\Local\Temp\SAS_SelfExtract\SASKUTIL.SYS [x]
R2 AdvancedSystemCareService;Advanced SystemCare Service;d:\program files\IObit\Advanced SystemCare 4\ASCService.exe [x]
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R3 Aken;Aken;d:\program files\0 A.D. alpha\binaries\system\aken.sys [x]
R3 BthAvrcp;Bluetooth AVRCP Profile;c:\windows\system32\DRIVERS\BthAvrcp.sys [2009-08-13 22528]
R3 epmntdrv;epmntdrv;c:\windows\system32\epmntdrv.sys [2011-03-24 14216]
R3 EuGdiDrv;EuGdiDrv;c:\windows\system32\EuGdiDrv.sys [2011-03-24 8456]
R3 Microsoft SharePoint Workspace Audit Service;Microsoft SharePoint Workspace Audit Service;c:\program files\Microsoft Office\Office14\GROOVE.EXE [2010-01-21 30963576]
R3 nmwcdnsu;Nokia USB Flashing Phone Parent;c:\windows\system32\drivers\nmwcdnsu.sys [2010-12-02 137600]
R3 nmwcdnsuc;Nokia USB Flashing Generic;c:\windows\system32\drivers\nmwcdnsuc.sys [2010-12-02 8576]
R3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2010-01-09 4640000]
R3 PSI;PSI;c:\windows\system32\DRIVERS\psi_mf.sys [2010-09-01 15544]
R3 VSPerfDrv100;Performance Tools Driver 10.0;d:\program files\Microsoft Visual Studio 10.0\Team Tools\Performance Tools\VSPerfDrv100.sys [2009-12-08 48128]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2011-04-03 1343400]
R4 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2011-03-07 136176]
R4 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [2011-03-07 136176]
R4 MSSQLServerADHelper100;SQL Active Directory Helper Service;c:\program files\Microsoft SQL Server\100\Shared\SQLADHLP.EXE [2009-07-23 47128]
R4 RsFx0103;RsFx0103 Driver;c:\windows\system32\DRIVERS\RsFx0103.sys [2009-03-30 239336]
R4 Secunia PSI Agent;Secunia PSI Agent;d:\program files\Secunia\PSI\PSIA.exe [2011-01-10 993848]
R4 Secunia Update Agent;Secunia Update Agent;d:\program files\Secunia\PSI\sua.exe [2011-01-10 399416]
R4 SQLAgent$SQLEXPRESS;SQL Server Agent (SQLEXPRESS);c:\program files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\SQLAGENT.EXE [2009-03-30 366936]
R4 SwitchBoard;SwitchBoard;c:\program files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [2010-02-19 517096]
S0 AFS;AFS; [x]
S1 aswSnx;aswSnx; [x]
S1 aswSP;aswSP; [x]
S1 cmdGuard;COMODO Internet Security Sandbox Driver;c:\windows\system32\DRIVERS\cmdguard.sys [2011-05-05 238960]
S1 cmdHlp;COMODO Internet Security Helper Driver;c:\windows\system32\DRIVERS\cmdhlp.sys [2011-05-05 37592]
S1 dtsoftbus01;DAEMON Tools Virtual Bus Driver;c:\windows\system32\DRIVERS\dtsoftbus01.sys [2011-03-11 218688]
S2 aswFsBlk;aswFsBlk; [x]
S2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [2011-05-10 53592]
S2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;c:\program files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe [2011-01-07 378984]
S2 vmci;VMware vmci;c:\windows\system32\Drivers\vmci.sys [2010-11-11 70768]
S2 VMUSBArbService;VMware USB Arbitration Service;c:\program files\Common Files\VMware\USB\vmware-usbarbitrator.exe [2010-11-11 539248]
S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt86win7.sys [2011-01-21 328808]
.
.
Contents of the 'Scheduled Tasks' folder
.
2011-06-26 c:\windows\Tasks\GlaryInitialize.job
- d:\program files\Glary Utilities\initialize.exe [2011-03-18 06:25]
.
2011-06-19 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-03-07 18:34]
.
2011-06-19 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-03-07 18:34]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = 127.0.0.1
IE: + Offline &Explorer: Download the link - file://d:\program files\Offline Explorer\Add_UrlO.htm
IE: + Offline E&xplorer: Download the current page - file://d:\program files\Offline Explorer\Add_AllO.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office14\EXCEL.EXE/3000
IE: LastPass - file://d:\program files\LastPass\context.html?cmd=lastpass
IE: LastPass ?????????? ????????? - file://d:\program files\LastPass\context.html?cmd=fillforms
IE: Se&nd to OneNote - c:\progra~1\MICROS~2\Office14\ONBttnIE.dll/105
LSP: d:\program files\VMware\vsocklib.dll
TCP: DhcpNameServer = 192.168.1.1
TCP: Interfaces\{97D69B6F-5FE6-455F-9758-1CE371667471}: NameServer = 156.154.70.22,156.154.71.22
FF - ProfilePath - c:\users\Dimitrije\AppData\Roaming\Mozilla\Firefox\Profiles\ymjltxfa.default\
FF - prefs.js: browser.search.selectedEngine - Yahoo
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?ei=utf-8&fr=greentree_ff1&type=685749&p=
FF - user.js: network.http.max-connections-per-server - 8
FF - user.js: network.http.max-persistent-connections-per-server - 4
FF - user.js: nglayout.initialpaint.delay - 600
FF - user.js: content.notify.interval - 600000
FF - user.js: content.max.tokenizing.time - 1800000
FF - user.js: content.switch.threshold - 600000
.
.
**************************************************************************
.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, gmer.net
Windows 6.1.7600
.
CreateFile("\\.\PHYSICALDRIVE0"): The process cannot access the file because it is being used by another process.
device: opened successfully
user: error reading MBR
kernel: MBR read successfully
user != kernel MBR !!!
copy of MBR has been found in sector 22 !
copy of MBR has been found in sector 23 !
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'lsass.exe'(688-)
c:\windows\system32\guard32.dll
.
- - - - - - - > 'Explorer.exe'(2548-)
d:\program files\Stardock\Fences\FencesMenu.dll
d:\program files\stardock\fences\DesktopDock.dll
.
Completion time: 2011-06-26 13:11:45
ComboFix-quarantined-files.txt 2011-06-26 11:11
ComboFix2.txt 2011-06-24 21:24
ComboFix3.txt 2011-06-24 18:54
.
Pre-Run: 18.337.243.136 bytes free
Post-Run: 18.263.666.688 bytes free
.
- - End Of File - - 7687467B017A0BE19005E615C336AF7F
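
The two checks the logs above rely on, MBRCheck's comparison of the boot-code hash against standard codes (the "MBR Code Faked!" verdict) and Gmer's search for copies of the MBR in the sectors after sector 0 ("copy of MBR has been found in sector 22"), as an added Python example that is not part of this thread or of either tool. All sample data is constructed; only the partition offsets 0x7e00 and 0xbf3413e00 are taken from the MBRCheck log, and the "known good" boot code is a constructed stand-in, not Microsoft's.

```python
"""Offline MBR triage helpers modelled on MBRCheck and Gmer's MBR detector.
Added example with constructed data; not code from either tool."""
import hashlib
import struct

SECTOR = 512
BOOT_CODE_LEN = 440          # boot code occupies bytes 0..439 of the MBR
PART_TABLE_OFF = 446         # four 16-byte partition entries at 446..509
SIGNATURE = b"\x55\xaa"      # bytes 510..511 of a valid MBR


def build_mbr(boot_code: bytes, partitions) -> bytes:
    """Assemble a 512-byte MBR from boot code and (type, lba_start, sectors) tuples."""
    code = boot_code.ljust(BOOT_CODE_LEN, b"\x00")[:BOOT_CODE_LEN]
    disk_sig = b"\x11\x22\x33\x44"        # constructed NT disk signature
    table = b""
    for i in range(4):
        if i < len(partitions):
            ptype, lba, count = partitions[i]
            status = 0x80 if i == 0 else 0x00     # first entry marked bootable
            table += struct.pack("<B3sB3sII", status, b"\xff\xff\xff", ptype,
                                 b"\xff\xff\xff", lba, count)
        else:
            table += b"\x00" * 16
    return code + disk_sig + b"\x00\x00" + table + SIGNATURE


def parse_mbr(sector: bytes) -> dict:
    """Split one sector into boot code, disk signature and used partition entries.
    Raises ValueError if the sector is not 512 bytes or lacks the 0x55AA signature."""
    if len(sector) != SECTOR:
        raise ValueError("MBR must be exactly 512 bytes")
    if sector[510:512] != SIGNATURE:
        raise ValueError("missing 0x55AA boot signature")
    parts = []
    for i in range(4):
        off = PART_TABLE_OFF + 16 * i
        status, _, ptype, _, lba, count = struct.unpack("<B3sB3sII", sector[off:off + 16])
        if ptype != 0:
            parts.append({"bootable": status == 0x80, "type": ptype,
                          "lba_start": lba, "sectors": count,
                          "byte_offset": lba * SECTOR})   # what MBRCheck prints per drive
    return {"boot_code": sector[:BOOT_CODE_LEN],
            "disk_signature": sector[440:444].hex(),
            "partitions": parts}


def boot_code_sha1(sector: bytes) -> str:
    """SHA1 of the boot-code region only; the partition table is left out because
    it is legitimately different on every machine."""
    return hashlib.sha1(parse_mbr(sector)["boot_code"]).hexdigest()


def classify_boot_code(sector: bytes, known_good: dict) -> str:
    """Return the OS label whose standard boot code matches, otherwise flag it."""
    return known_good.get(boot_code_sha1(sector), "MBR Code Faked! (non-standard boot code)")


def find_mbr_copies(disk_image: bytes, max_sectors: int = 64) -> list:
    """Sector numbers after 0 that carry a complete MBR (boot signature plus a
    non-empty boot code region). Bootkits that replace the MBR keep the original
    nearby so the boot chain still works; Gmer reported such copies in sectors 22 and 23."""
    hits = []
    for n in range(1, min(max_sectors, len(disk_image) // SECTOR)):
        s = disk_image[n * SECTOR:(n + 1) * SECTOR]
        if s[510:512] == SIGNATURE and any(s[:BOOT_CODE_LEN]):
            hits.append(n)
    return hits


# Constructed sample data: a stand-in "standard Windows 7" boot code and a
# tampered version with a patched jump at offset 0. Neither is real Microsoft code.
STANDARD_CODE = b"\x33\xc0\x8e\xd0\xbc\x00\x7c" + b"\x90" * 40 + b"constructed-win7-boot-code"
TAMPERED_CODE = b"\xe9\x00\x01" + STANDARD_CODE[3:]
# (type, LBA start, sector count); LBA 63 and 100245663 reproduce the C: and D:
# offsets 0x7e00 and 0xbf3413e00 from the MBRCheck log, the counts are constructed.
PARTITIONS = [(0x07, 63, 100_245_600), (0x07, 100_245_663, 386_000_000)]

CLEAN_MBR = build_mbr(STANDARD_CODE, PARTITIONS)
INFECTED_MBR = build_mbr(TAMPERED_CODE, PARTITIONS)
KNOWN_GOOD = {boot_code_sha1(CLEAN_MBR): "Windows 7 (constructed reference)"}


def sample_disk_image() -> bytes:
    """64-sector image: infected MBR in sector 0, original stashed in sectors 22 and 23."""
    sectors = [INFECTED_MBR] + [b"\x00" * SECTOR] * 63
    sectors[22] = CLEAN_MBR
    sectors[23] = CLEAN_MBR
    return b"".join(sectors)


if __name__ == "__main__":
    image = sample_disk_image()
    mbr = parse_mbr(image[:SECTOR])
    print("sector 0 boot code:", classify_boot_code(image[:SECTOR], KNOWN_GOOD))
    for p in mbr["partitions"]:
        print("partition type 0x%02x at byte offset 0x%x" % (p["type"], p["byte_offset"]))
    print("MBR copies found in sectors:", find_mbr_copies(image))
```

A disagreement between two reads of sector 0, like the "user != kernel MBR" line in the Gmer section, is the stronger signal than either check alone, since the hash comparison only sees whatever the hooked read path returns.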



mycity.rs/must-login.png

mycity.rs/must-login.png

mycity.rs/must-login.png

  • magna86  Male
  • Anti Malware Fighter
    Rank 2
  • Joined: 21 Jun 2008
  • Posts: 6103

The MBR replacement did not go the way we hoped.
We will do it another way, which requires a Windows installation DVD.

Do you have a Windows 7 installation DVD at hand?

  • Joined: 26 Feb 2011
  • Posts: 164

No. I lent it to a friend. Is it necessary, or is there another solution? I could get hold of one in about 5-6 days...

  • magna86  Male
  • Anti Malware Fighter
    Rank 2
  • Joined: 21 Jun 2008
  • Posts: 6103

Posted: 26 Jun 2011 20:46

Wait while I consult with colleagues.

Update: 26 Jun 2011 21:03

Never mind, let's try this and see whether it has a positive effect.

Run aswMBR again.
Under AV engine: switch from QuickScan to (none).
Click Scan.
When the scan finishes, click FixMBR.
When the repair (MBR replacement) finishes, choose Save Log and save the log to the desktop.
The computer needs to be restarted.
Paste the contents of the aswMBR log back into the thread.

  • Joined: 26 Feb 2011
  • Posts: 164

Please don't suggest this to anyone ever again. My system just crashed. Luckily I remembered that I have a Win7 Starter CD, so I managed to restore the system using system recovery. Fortunately I had made a restore point when I installed the system. Now I have to reinstall everything again, from the AV to Dreamweaver... Do you know any way to at least get those programs back? They are all in D:\Program Files, so is there some way to get them back without reinstalling? Have I at least gotten rid of that malware now? Tell me what else I need to do to check whether I'm rid of the malware, so I can start installing the pile of programs.

  • magna86  Male
  • Anti Malware Fighter
    Rank 2
  • Joined: 21 Jun 2008
  • Posts: 6103

This should not have happened.
The tools we use in the Ambulanta come from verified sources.
This tool went through all sorts of testing before it entered our arsenal.
And our programs/tools are never handed out offhand.

You should have let me know somehow that your system was non-bootable. We would have fixed that.
As I said right at the beginning, the MBR rootkit is very complex.
Quote: Tell me what else I need to do to check whether I'm rid of the malware, so I can start installing the pile of programs.
I need you to post fresh logs from certain programs so that I can determine that.

.............................................
Download the DDS program from this, this or this link to the Desktop.

Double-click to run DDS;

after a few minutes a message will appear saying the process has finished, and two reports will open;

save both reports to the Desktop (using File > Save As);

double-click to open DDS.txt and copy its contents into the thread;

attach the file Attach.txt to your post using the Attach file option.

Note: if security software interferes with DDS, temporarily disable it (instructions) and run DDS again.

.............................................
Download TDSSKiller from the link given above and run it according to the instructions.
Attach its log to your post.

.............................................

Download aswMBR and save it to the Desktop.

Double-click to run aswMBR.

If the program offers to download the latest definitions from the internet, allow it.

Check that under AV engine the QuickScan option is ticked, as in the picture:

Click Scan.
When the scan finishes, click Save log.
Save the aswMBR log to the Desktop.
Paste the contents of that log into the thread.

Korisnici trenutno na forumu: A.R.Chafee.Jr., arton, Atomski čoban, bankulen, bato, Battlehammer, Ben Roj, Boris Bosiljčić, boris.zic, brundo65, CrazyDiablo, dmdr, doklevise, doktor123, dozorni, Dukelander, Frunze, Georgius, goxin, Japidson, jukeboxer, Karla, kikisp, kjkszpj, kokodakalo, Kriglord, Kubovac, kunktator, LUDI, MB120mm, mercedesamg, Mercury, mgolub, MiroslavD, moldway, mrav pesadinac, NoOneEver Dreams, oldtimer, opt1, Panter, pein, raptorsi, Ripanjac, Smiljke, SR-3m, stegonosa, Stoilkovic, strelac07, suton, Vatreni Zmaj, Vlad000, vobo, wolverined4, yrraf, |_MeD_|, Žrnov