Rustock trojan

offline
  • Joined: 16 Mar 2010
  • Posts: 481
  • Location: ...pod zvezdanim krakom...

I have a problem with a virus called Rustock trojan. When I scan the computer with NOD32 antivirus it cannot clean it and shows the following message: "Operating memory - Win32/Rustock trojan - unable to clean".

Thanks in advance if anyone can help me get rid of it... :)

offline
  • Joined: 02 Feb 2008
  • Posts: 14018
  • Location: Nish

Hello.

Follow the instructions for opening a thread (post the required logs):

-> http://www.mycity.rs/Ambulanta/Kako-otvoriti-temu-u-Ambulanti.html

offline
  • Joined: 16 Mar 2010
  • Posts: 481
  • Location: ...pod zvezdanim krakom...

Posted: 26 Jun 2010 16:20

Sorry for the omission.

Here is the DDS part:

DDS (Ver_10-03-17.01) - NTFSx86
Run by Maja Jokic at 15:59:26,67 on sub 26.06.2010
Internet Explorer: 6.0.2900.5512 BrowserJavaVersion: 1.6.0_17
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.422 [GMT 2:00]

AV: ESET NOD32 Antivirus 4.0 *On-access scanning enabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\DivX\DivX Update\DivXUpdate.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\IObit\Advanced SystemCare 3\AWC.exe
C:\Program Files\DAEMON Tools Lite\DTLite.exe
C:\Program Files\uTorrent\uTorrent.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\OpenOffice.org 1.9.79\program\soffice.exe
C:\Program Files\OpenOffice.org 1.9.79\program\soffice.BIN
C:\Program Files\Raxco\PerfectDisk10\PDAgent.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\Documents and Settings\Maja Jokic\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Maja Jokic\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Maja Jokic\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Maja Jokic\My Documents\Downloads\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uInternet Connection Wizard,ShellNext = hxxp://www.majorgeeks.com/download.php?det=5927
mSearchAssistant = hxxp://www.google.com/ie
uURLSearchHooks: Winamp Search Class: {57bca5fa-5dbb-45a2-b558-1755c3f6253b} - c:\program files\winamp toolbar\winamptb.dll
mURLSearchHooks: Winamp Search Class: {57bca5fa-5dbb-45a2-b558-1755c3f6253b} - c:\program files\winamp toolbar\winamptb.dll
mWinlogon: Taskman=c:\documents and settings\maja jokic\application data\yftza.exe
uWinlogon: Shell=c:\documents and settings\maja jokic\application data\yftza.exe,explorer.exe,c:\documents and settings\maja jokic\application data\mrpky.exe
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: Winamp Toolbar Loader: {25cee8ec-5730-41bc-8b58-22ddc8ab8c20} - c:\program files\winamp toolbar\winamptb.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\ie\rpbrowserrecordplugin.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.2.4204.1700\swg.dll
BHO: QUICKfind BHO Object: {c08df07a-3e49-4e25-9ab0-d3882835f153} - c:\progra~1\textware\quickf~1\plugins\IEHelp.dll
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_B7C5AC242193BB3E.dll
BHO: Ask Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Winamp Toolbar: {ebf2ba02-9094-4c5a-858b-bb198f3d8de2} - c:\program files\winamp toolbar\winamptb.dll
TB: Ask Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: {21FA44EF-376D-4D53-9B0F-8A89D3229068} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Advanced SystemCare 3] "c:\program files\iobit\advanced systemcare 3\AWC.exe" /startup
uRun: [Google Update] "c:\documents and settings\maja jokic\local settings\application data\google\update\GoogleUpdate.exe" /c
uRun: [DAEMON Tools Lite] "c:\program files\daemon tools lite\DTLite.exe" -autorun
uRun: [uTorrent] "c:\program files\utorrent\uTorrent.exe"
uRun: [STYLEXP] c:\program files\tgtsoft\stylexp\StyleXP.exe -Hide
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRunOnce: [SpybotDeletingB5137] command.com /c del "c:\windows\system32\drivers\str.sys"
uRunOnce: [SpybotDeletingD785] cmd.exe /c del "c:\windows\system32\drivers\str.sys"
mRun: [SkyTel] SkyTel.EXE
mRun: [RemoteControl] "c:\program files\cyberlink\powerdvd\PDVDServ.exe"
mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe
mRun: [StartCCC] "c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe" MSRun
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [WinampAgent] "c:\program files\winamp\winampa.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [DivXUpdate] "c:\program files\divx\divx update\DivXUpdate.exe" /CHECKNOW
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [egui] "c:\program files\eset\eset nod32 antivirus\egui.exe" /hide /waitservice
mRunOnce: [SpybotDeletingA33] command.com /c del "c:\windows\system32\drivers\str.sys"
mRunOnce: [SpybotDeletingC9530] cmd.exe /c del "c:\windows\system32\drivers\str.sys"
StartupFolder: c:\docume~1\majajo~1\startm~1\programs\startup\openof~1.lnk - c:\program files\openoffice.org 1.9.79\program\quickstart.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
IE: &Winamp Search - c:\documents and settings\all users\application data\winamp toolbar\ietoolbar\resources\en-us\local\search.html
IE: {d9288080-1baa-4bc4-9cf8-a92d743db949} - c:\documents and settings\maja jokic\start menu\programs\imvu\Run IMVU.lnk
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
Notify: AtiExtEvent - Ati2evxx.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\majajo~1\applic~1\mozilla\firefox\profiles\hucfmymg.default\
FF - prefs.js: browser.search.defaulturl - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2685&invocationType=tb50ffwinampie7&query=
FF - prefs.js: browser.search.selectedEngine - Winamp Search
FF - prefs.js: keyword.URL - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2685&invocationType=tb50ffwinampab&query=
FF - component: c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\firefox\ext\components\nprpffbrowserrecordext.dll
FF - component: c:\documents and settings\maja jokic\application data\mozilla\firefox\profiles\hucfmymg.default\extensions\{0b38152b-1b20-484d-a11f-5e04a9b0661f}\components\WinampTBPlayer.dll
FF - plugin: c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\mozillaplugins\nprphtml5videoshim.dll
FF - plugin: c:\documents and settings\maja jokic\local settings\application data\google\update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\divx\divx plus web player\npdivx32.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R1 ehdrv;ehdrv;c:\windows\system32\drivers\ehdrv.sys [2009-5-14 107256]
R1 epfwtdir;epfwtdir;c:\windows\system32\drivers\epfwtdir.sys [2009-5-14 94360]
R2 ekrn;ESET Service;c:\program files\eset\eset nod32 antivirus\ekrn.exe [2009-5-14 731840]
R3 seehcri;Sony Ericsson seehcri Device Driver;c:\windows\system32\drivers\seehcri.sys [2010-2-10 27632]
S2 bsoyaepdou;Crystal Report Application Server;c:\windows\system32\lupoow.exe --> c:\windows\system32\lupoow.exe [?]
S2 clrgi;\??\C;c:\docume~1\majajo~1\locals~1\temp\mteqdszrb.sys []
S2 svyubrwrkzfylu;\??\c:\docume~;\??\c:\docume~1\majajo~1\locals~1\temp\zxltcijpg.sys --> c:\docume~1\majajo~1\locals~1\temp\zxltcijpg.sys [?]
S3 ggflt;SEMC USB Flash Driver Filter;c:\windows\system32\drivers\ggflt.sys [2010-2-10 13224]

=============== Created Last 30 ================

2010-06-26 12:05:43 0 d-----w- c:\program files\Spybot - Search & Destroy
2010-06-26 12:05:43 0 d-----w- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2010-06-26 11:26:46 0 d-----w- c:\program files\Enigma Software Group
2010-06-26 11:24:14 0 d-----w- c:\windows\4FC9DA9DF608454E8191D7EFFDCC5726.TMP
2010-06-25 16:20:50 0 d-----w- c:\program files\ESET
2010-06-25 15:10:49 102562 ----a-w- c:\windows\system32\msvcrt2.dll
2010-06-25 15:10:40 132096 --sh--r- c:\docume~1\majajo~1\applic~1\yftza.exe
2010-06-25 09:58:30 0 d-----w- c:\program files\Hotel Dash - Suite Success
2010-06-23 16:43:57 45 ----a-w- C:\TEST.XML
2010-06-23 11:36:36 0 d-----w- c:\docume~1\majajo~1\applic~1\My Games
2010-06-23 11:19:45 0 d-----w- c:\program files\Posh Boutique
2010-06-23 11:14:05 0 d-----w- c:\docume~1\alluse~1\applic~1\BigFishGamesCache
2010-06-20 13:04:57 0 d-----w- c:\docume~1\alluse~1\applic~1\Go Go Gourmet
2010-06-20 12:55:30 0 d-----w- c:\docume~1\alluse~1\applic~1\Fugazo
2010-06-19 18:53:19 5632 ----a-w- c:\windows\system32\ptpusb.dll
2010-06-19 18:53:17 159232 ----a-w- c:\windows\system32\ptpusd.dll
2010-06-19 18:53:17 15104 -c--a-w- c:\windows\system32\dllcache\usbscan.sys
2010-06-19 18:53:17 15104 ----a-w- c:\windows\system32\drivers\usbscan.sys
2010-06-17 17:42:22 0 d-----w- c:\program files\common files\Real
2010-06-17 17:36:52 10 ----a-w- c:\windows\system32\810429tv4-test.jun
2010-06-17 17:36:50 0 d-----w- c:\program files\Online TV Player 4
2010-06-09 23:36:52 0 d-----w- c:\program files\DavidRM Software
2010-06-09 23:36:52 0 d-----w- c:\docume~1\majajo~1\applic~1\The Journal 5
2010-06-09 23:36:52 0 d-----w- c:\docume~1\alluse~1\applic~1\The Journal
2010-06-09 23:32:45 24 ----a-w- c:\windows\system32\raknahs.mar

==================== Find3M ====================

2010-06-17 17:42:23 499712 ----a-w- c:\windows\system32\msvcp71.dll
2010-06-17 17:42:23 348160 ----a-w- c:\windows\system32\msvcr71.dll
2010-05-18 12:54:03 483 ----a-w- c:\program files\Shortcut to Life Quest.lnk
2010-03-31 01:58:04 133616 ------w- c:\windows\system32\pxafs.dll
2010-03-31 01:58:04 125424 ------w- c:\windows\system32\pxinsi64.exe
2010-03-31 01:58:04 123888 ------w- c:\windows\system32\pxcpyi64.exe
2010-03-29 13:30:59 2328832 ----a-w- c:\windows\system32\TUKernel.exe
2010-03-29 12:23:20 307968 ----a-w- c:\windows\system32\TuneUpDefragService.exe

============= FINISH: 15:59:38,84 ===============

While scanning with the GMER program the computer restarted by itself, probably under the influence of the virus... I'll try again

Update: 26 Jun 2010 16:43

The GMER program now freezes

It stops like this and won't continue
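The DDS log in this post already contains the persistence points that matter: a Winlogon Shell value that chains two executables from Application Data (yftza.exe, mrpky.exe) around explorer.exe, a Taskman value pointing at the same yftza.exe, auto-start (S2) services whose driver lives in the user's Temp directory or whose binary DDS marks as missing ([?]) or without file metadata ([]), and RunOnce entries showing that Spybot had already queued str.sys for deletion and evidently failed. The Python below is an added example, not code from this thread or from the DDS tool; it extracts exactly those indicators from DDS-format text. The sample lines are copied from the log above; the rules (Temp paths, the [?] and [] markers, anything beside explorer.exe in Shell, any Taskman value at all) are assumptions made here about what is worth flagging, not a DDS feature.

```python
"""Pull persistence indicators out of a DDS log (added example, not DDS code)."""
import re

# Constructed sample: lines copied from the DDS log posted above.
SAMPLE_DDS = r"""
mWinlogon: Taskman=c:\documents and settings\maja jokic\application data\yftza.exe
uWinlogon: Shell=c:\documents and settings\maja jokic\application data\yftza.exe,explorer.exe,c:\documents and settings\maja jokic\application data\mrpky.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRunOnce: [SpybotDeletingB5137] command.com /c del "c:\windows\system32\drivers\str.sys"
mRunOnce: [SpybotDeletingC9530] cmd.exe /c del "c:\windows\system32\drivers\str.sys"
R1 ehdrv;ehdrv;c:\windows\system32\drivers\ehdrv.sys [2009-5-14 107256]
S2 bsoyaepdou;Crystal Report Application Server;c:\windows\system32\lupoow.exe --> c:\windows\system32\lupoow.exe [?]
S2 clrgi;\??\C;c:\docume~1\majajo~1\locals~1\temp\mteqdszrb.sys []
S2 svyubrwrkzfylu;\??\c:\docume~;\??\c:\docume~1\majajo~1\locals~1\temp\zxltcijpg.sys --> c:\docume~1\majajo~1\locals~1\temp\zxltcijpg.sys [?]
S3 ggflt;SEMC USB Flash Driver Filter;c:\windows\system32\drivers\ggflt.sys [2010-2-10 13224]
"""

WINLOGON_RE = re.compile(r"^[um]Winlogon:\s*(\w+)=(.*)$")
# DDS service line: <R|S><start type> <name>;<display name>;<image path> [<date size>|?|]
SERVICE_RE = re.compile(r"^([RS]\d)\s+([^;]+);[^;]*;(.*)$")
PENDING_DEL_RE = re.compile(r'^[um]RunOnce:.*\bdel\s+"([^"]+)"', re.I)


def winlogon_findings(text):
    """Shell should be exactly explorer.exe and Taskman should be absent;
    anything else is a logon-time execution hijack."""
    findings = []
    for line in text.splitlines():
        m = WINLOGON_RE.match(line)
        if not m:
            continue
        key, value = m.groups()
        entries = [e.strip().lower() for e in value.split(",") if e.strip()]
        if key == "Shell":
            extra = [e for e in entries if e != "explorer.exe"]
            if extra:
                findings.append((key, extra))
        elif key == "Taskman":
            findings.append((key, entries))
    return findings


def service_findings(text):
    """Flag services/drivers whose binary lives in a temp directory, is missing
    on disk (DDS prints [?]) or has no file metadata (DDS prints [])."""
    findings = []
    for line in text.splitlines():
        m = SERVICE_RE.match(line)
        if not m:
            continue
        state, name, rest = m.groups()
        rest = rest.strip()
        path = rest.split(" --> ")[0].lower()   # registry path, before DDS's resolved path
        reasons = []
        if "\\temp\\" in path:
            reasons.append("binary in a temp directory")
        if rest.endswith("[?]"):
            reasons.append("file missing on disk")
        if rest.endswith("[]"):
            reasons.append("no file metadata")
        if reasons:
            findings.append((name, state, reasons))
    return findings


def pending_deletes(text):
    """Files another tool queued for deletion via RunOnce (and evidently failed to remove)."""
    hits = [m.group(1) for m in map(PENDING_DEL_RE.match, text.splitlines()) if m]
    return list(dict.fromkeys(hits))   # de-duplicate, keep order


def triage(text):
    """All three checks over one DDS log."""
    return {"winlogon": winlogon_findings(text),
            "services": service_findings(text),
            "pending_deletes": pending_deletes(text)}
```

triage(SAMPLE_DDS) returns the two Winlogon hijacks (Taskman, and Shell chaining yftza.exe and mrpky.exe around explorer.exe), the three S2 services bsoyaepdou, clrgi and svyubrwrkzfylu with their reasons, and str.sys as the file Spybot's RunOnce entries never managed to delete. Those same three service names, the two Application Data executables and str.sys are what the Avenger script later in this thread removes.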

offline
  • Joined: 02 Feb 2008
  • Posts: 14018
  • Location: Nish

Read the link with the instructions I gave once more.
One part of those instructions says the following:

Quote: In case the above program (meaning GMER) does not work stably (or at all) on your computer, you can use RootRepeal as an alternative.

offline
  • Joined: 16 Mar 2010
  • Posts: 481
  • Location: ...pod zvezdanim krakom...

Another omission.

Thanks for the patience, here is the report:

ROOTREPEAL (c) AD, 2007-2009
==================================================
Scan Start Time: 2010/06/26 16:58
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP3
==================================================

Drivers
-------------------
Name: 000007F5
Image Path: 000007F5
Address: 0xAB124000 Size: 73472 File Visible: No Signed: -
Status: -

Name: 000009EE
Image Path: 000009EE
Address: 0xAAC73000 Size: 73472 File Visible: No Signed: -
Status: -

Name: 00000A27
Image Path: 00000A27
Address: 0xAAC39000 Size: 73472 File Visible: No Signed: -
Status: -

Name: PCI_PNP1386
Image Path: \Driver\PCI_PNP1386
Address: 0x00000000 Size: 0 File Visible: No Signed: -
Status: -

Name: pxtdypow.sys
Image Path: C:\DOCUME~1\MAJAJO~1\LOCALS~1\Temp\pxtdypow.sys
Address: 0xAA43C000 Size: 93056 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xAB276000 Size: 49152 File Visible: No Signed: -
Status: -

Name: spnt.sys
Image Path: spnt.sys
Address: 0xF7373000 Size: 995328 File Visible: No Signed: -
Status: -

Name: sptd
Image Path: \Driver\sptd
Address: 0x00000000 Size: 0 File Visible: No Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: C:\WINDOWS\Prefetch\ROOTREPEAL.EXE-238DD849.pf
Status: Could not get file information (Error 0xc0000008-)

Path: C:\WINDOWS\Temp\NOD5AD1.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\NOD5AD3.tmp
Status: Invisible to the Windows API!

Path: C:\System Volume Information\_restore{B29903ED-0CEB-457B-8B86-61DCA7D3E4B2}\RP247\A0056432.exe:{E3C76A6B-DD50-F646-5A32-71579B127FF7}
Status: Visible to the Windows API, but not on disk.

Path: C:\System Volume Information\_restore{B29903ED-0CEB-457B-8B86-61DCA7D3E4B2}\RP249\A0056512.exe:{E3C76A6B-DD50-F646-5A32-71579B127FF7}
Status: Visible to the Windows API, but not on disk.

Path: C:\System Volume Information\_restore{B29903ED-0CEB-457B-8B86-61DCA7D3E4B2}\RP254\A0060918.exe:{E3C76A6B-DD50-F646-5A32-71579B127FF7}
Status: Visible to the Windows API, but not on disk.

Path: C:\System Volume Information\_restore{B29903ED-0CEB-457B-8B86-61DCA7D3E4B2}\RP254\A0060922.exe:{E3C76A6B-DD50-F646-5A32-71579B127FF7}
Status: Visible to the Windows API, but not on disk.

Path: C:\WINDOWS\system32\drivers\str.sys
Status: Invisible to the Windows API!

SSDT
-------------------
ServiceTable Hooked [0x84b13640]!

#: 019 Function Name: NtAssignProcessToJobObject
Status: Hooked by "<unknown>" at address 0x84df6580

#: 041 Function Name: NtCreateKey
Status: Hooked by "spnt.sys" at address 0xf73740e0

#: 057 Function Name: NtDebugActiveProcess
Status: Hooked by "<unknown>" at address 0x84df7100

#: 068 Function Name: NtDuplicateObject
Status: Hooked by "<unknown>" at address 0x84df6b30

#: 071 Function Name: NtEnumerateKey
Status: Hooked by "spnt.sys" at address 0xf738cda4

#: 073 Function Name: NtEnumerateValueKey
Status: Hooked by "spnt.sys" at address 0xf738d132

#: 119 Function Name: NtOpenKey
Status: Hooked by "spnt.sys" at address 0xf73740c0

#: 122 Function Name: NtOpenProcess
Status: Hooked by "<unknown>" at address 0x84df5cc0

#: 128 Function Name: NtOpenThread
Status: Hooked by "<unknown>" at address 0x84df5fc0

#: 137 Function Name: NtProtectVirtualMemory
Status: Hooked by "<unknown>" at address 0x84df69c0

#: 160 Function Name: NtQueryKey
Status: Hooked by "spnt.sys" at address 0xf738d20a

#: 177 Function Name: NtQueryValueKey
Status: Hooked by "spnt.sys" at address 0xf738d08a

#: 213 Function Name: NtSetContextThread
Status: Hooked by "<unknown>" at address 0x84df6860

#: 229 Function Name: NtSetInformationThread
Status: Hooked by "<unknown>" at address 0x84df66e0

#: 237 Function Name: NtSetSecurityObject
Status: Hooked by "<unknown>" at address 0x84df3700

#: 247 Function Name: NtSetValueKey
Status: Hooked by "spnt.sys" at address 0xf738d29c

#: 253 Function Name: NtSuspendProcess
Status: Hooked by "<unknown>" at address 0x84df6420

#: 254 Function Name: NtSuspendThread
Status: Hooked by "<unknown>" at address 0x84df62c0

#: 257 Function Name: NtTerminateProcess
Status: Hooked by "<unknown>" at address 0x84df5e50

#: 258 Function Name: NtTerminateThread
Status: Hooked by "<unknown>" at address 0x84df6150

#: 277 Function Name: NtWriteVirtualMemory
Status: Hooked by "<unknown>" at address 0x84df6f50

Stealth Objects
-------------------
Object: Hidden Thread [ETHREAD: 0x85f85020, TID: 1800]
Process: svchost.exe (PID: 972) Address: 0x00a51f3c Size: -

Object: Hidden Thread [ETHREAD: 0x85e60bd8, TID: 1176]
Process: svchost.exe (PID: 972) Address: 0x00dd1f3c Size: -

Object: Hidden Thread [ETHREAD: 0x84afcaa0, TID: 1464]
Process: svchost.exe (PID: 972) Address: 0x00e91f3c Size: -

Object: Hidden Code [Driver: Ntfs, IRP_MJ_CREATE]
Process: System Address: 0x863861f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_CLOSE]
Process: System Address: 0x863861f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_READ]
Process: System Address: 0x863861f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_WRITE]
Process: System Address: 0x863861f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_INFORMATION]
Process: System Address: 0x863861f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_INFORMATION]
Process: System Address: 0x863861f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_EA]
Process: System Address: 0x863861f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_EA]
Process: System Address: 0x863861f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x863861f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_VOLUME_INFORMATION]
Process: System Address: 0x863861f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_VOLUME_INFORMATION]
Process: System Address: 0x863861f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_DIRECTORY_CONTROL]
Process: System Address: 0x863861f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_FILE_SYSTEM_CONTROL]
Process: System Address: 0x863861f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x863861f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SHUTDOWN]
Process: System Address: 0x863861f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_LOCK_CONTROL]
Process: System Address: 0x863861f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_CLEANUP]
Process: System Address: 0x863861f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_SECURITY]
Process: System Address: 0x863861f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_SECURITY]
Process: System Address: 0x863861f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_QUOTA]
Process: System Address: 0x863861f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_QUOTA]
Process: System Address: 0x863861f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_PNP]
Process: System Address: 0x863861f8 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_CREATE]
Process: System Address: 0x85fd4500 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_CLOSE]
Process: System Address: 0x85fd4500 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_READ]
Process: System Address: 0x85fd4500 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_WRITE]
Process: System Address: 0x85fd4500 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x85fd4500 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x85fd4500 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x85fd4500 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_SHUTDOWN]
Process: System Address: 0x85fd4500 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_POWER]
Process: System Address: 0x85fd4500 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x85fd4500 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_PNP]
Process: System Address: 0x85fd4500 Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_CREATE]
Process: System Address: 0x8638a1f8 Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_CLOSE]
Process: System Address: 0x8638a1f8 Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_READ]
Process: System Address: 0x8638a1f8 Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_WRITE]
Process: System Address: 0x8638a1f8 Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x8638a1f8 Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x8638a1f8 Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x8638a1f8 Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_SHUTDOWN]
Process: System Address: 0x8638a1f8 Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_POWER]
Process: System Address: 0x8638a1f8 Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x8638a1f8 Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_PNP]
Process: System Address: 0x8638a1f8 Size: 121

Object: Hidden Code [Driver: usbohci, IRP_MJ_CREATE]
Process: System Address: 0x86012468 Size: 121

Object: Hidden Code [Driver: usbohci, IRP_MJ_CLOSE]
Process: System Address: 0x86012468 Size: 121

Object: Hidden Code [Driver: usbohci, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x86012468 Size: 121

Object: Hidden Code [Driver: usbohci, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x86012468 Size: 121

Object: Hidden Code [Driver: usbohci, IRP_MJ_POWER]
Process: System Address: 0x86012468 Size: 121

Object: Hidden Code [Driver: usbohci, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x86012468 Size: 121

Object: Hidden Code [Driver: usbohci, IRP_MJ_PNP]
Process: System Address: 0x86012468 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_CREATE]
Process: System Address: 0x8638b1f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_READ]
Process: System Address: 0x8638b1f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_WRITE]
Process: System Address: 0x8638b1f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x8638b1f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x8638b1f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x8638b1f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_SHUTDOWN]
Process: System Address: 0x8638b1f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_CLEANUP]
Process: System Address: 0x8638b1f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_POWER]
Process: System Address: 0x8638b1f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x8638b1f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_PNP]
Process: System Address: 0x8638b1f8 Size: 121

Object: Hidden Code [Driver: ag4a2gqqЅఉ瑎捦܉@考, IRP_MJ_CREATE]
Process: System Address: 0x85ed0500 Size: 121

Object: Hidden Code [Driver: ag4a2gqqЅఉ瑎捦܉@考, IRP_MJ_CLOSE]
Process: System Address: 0x85ed0500 Size: 121

Object: Hidden Code [Driver: ag4a2gqqЅఉ瑎捦܉@考, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x85ed0500 Size: 121

Object: Hidden Code [Driver: ag4a2gqqЅఉ瑎捦܉@考, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x85ed0500 Size: 121

Object: Hidden Code [Driver: ag4a2gqqЅఉ瑎捦܉@考, IRP_MJ_POWER]
Process: System Address: 0x85ed0500 Size: 121

Object: Hidden Code [Driver: ag4a2gqqЅఉ瑎捦܉@考, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x85ed0500 Size: 121

Object: Hidden Code [Driver: ag4a2gqqЅఉ瑎捦܉@考, IRP_MJ_PNP]
Process: System Address: 0x85ed0500 Size: 121

Object: Hidden Code [Driver: nvgts, IRP_MJ_CREATE]
Process: System Address: 0x863881f8 Size: 121

Object: Hidden Code [Driver: nvgts, IRP_MJ_CLOSE]
Process: System Address: 0x863881f8 Size: 121

Object: Hidden Code [Driver: nvgts, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x863881f8 Size: 121

Object: Hidden Code [Driver: nvgts, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x863881f8 Size: 121

Object: Hidden Code [Driver: nvgts, IRP_MJ_POWER]
Process: System Address: 0x863881f8 Size: 121

Object: Hidden Code [Driver: nvgts, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x863881f8 Size: 121

Object: Hidden Code [Driver: nvgts, IRP_MJ_PNP]
Process: System Address: 0x863881f8 Size: 121

Object: Hidden Code [Driver: NetBT, IRP_MJ_CREATE]
Process: System Address: 0x84ec11f8 Size: 121

Object: Hidden Code [Driver: NetBT, IRP_MJ_CLOSE]
Process: System Address: 0x84ec11f8 Size: 121

Object: Hidden Code [Driver: NetBT, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x84ec11f8 Size: 121

Object: Hidden Code [Driver: NetBT, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x84ec11f8 Size: 121

Object: Hidden Code [Driver: NetBT, IRP_MJ_CLEANUP]
Process: System Address: 0x84ec11f8 Size: 121

Object: Hidden Code [Driver: NetBT, IRP_MJ_PNP]
Process: System Address: 0x84ec11f8 Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_CREATE]
Process: System Address: 0x86052500 Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_CLOSE]
Process: System Address: 0x86052500 Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x86052500 Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x86052500 Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_POWER]
Process: System Address: 0x86052500 Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x86052500 Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_PNP]
Process: System Address: 0x86052500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CREATE]
Process: System Address: 0x84d631f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CREATE_NAMED_PIPE]
Process: System Address: 0x84d631f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CLOSE]
Process: System Address: 0x84d631f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_READ]
Process: System Address: 0x84d631f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_WRITE]
Process: System Address: 0x84d631f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_INFORMATION]
Process: System Address: 0x84d631f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_INFORMATION]
Process: System Address: 0x84d631f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_EA]
Process: System Address: 0x84d631f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_EA]
Process: System Address: 0x84d631f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x84d631f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_VOLUME_INFORMATION]
Process: System Address: 0x84d631f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_VOLUME_INFORMATION]
Process: System Address: 0x84d631f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_DIRECTORY_CONTROL]
Process: System Address: 0x84d631f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_FILE_SYSTEM_CONTROL]
Process: System Address: 0x84d631f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x84d631f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x84d631f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SHUTDOWN]
Process: System Address: 0x84d631f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_LOCK_CONTROL]
Process: System Address: 0x84d631f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CLEANUP]
Process: System Address: 0x84d631f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CREATE_MAILSLOT]
Process: System Address: 0x84d631f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_SECURITY]
Process: System Address: 0x84d631f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_SECURITY]
Process: System Address: 0x84d631f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_POWER]
Process: System Address: 0x84d631f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x84d631f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_DEVICE_CHANGE]
Process: System Address: 0x84d631f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_QUOTA]
Process: System Address: 0x84d631f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_QUOTA]
Process: System Address: 0x84d631f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_PNP]
Process: System Address: 0x84d631f8 Size: 121

Object: Hidden Code [Driver: CdfsЅఆ浗灩IPNATMofReso, IRP_MJ_CREATE]
Process: System Address: 0x85f22500 Size: 121

Object: Hidden Code [Driver: CdfsЅఆ浗灩IPNATMofReso, IRP_MJ_CLOSE]
Process: System Address: 0x85f22500 Size: 121

Object: Hidden Code [Driver: CdfsЅఆ浗灩IPNATMofReso, IRP_MJ_READ]
Process: System Address: 0x85f22500 Size: 121

Object: Hidden Code [Driver: CdfsЅఆ浗灩IPNATMofReso, IRP_MJ_QUERY_INFORMATION]
Process: System Address: 0x85f22500 Size: 121

Object: Hidden Code [Driver: CdfsЅఆ浗灩IPNATMofReso, IRP_MJ_SET_INFORMATION]
Process: System Address: 0x85f22500 Size: 121

Object: Hidden Code [Driver: CdfsЅఆ浗灩IPNATMofReso, IRP_MJ_QUERY_VOLUME_INFORMATION]
Process: System Address: 0x85f22500 Size: 121

Object: Hidden Code [Driver: CdfsЅఆ浗灩IPNATMofReso, IRP_MJ_DIRECTORY_CONTROL]
Process: System Address: 0x85f22500 Size: 121

Object: Hidden Code [Driver: CdfsЅఆ浗灩IPNATMofReso, IRP_MJ_FILE_SYSTEM_CONTROL]
Process: System Address: 0x85f22500 Size: 121

Object: Hidden Code [Driver: CdfsЅఆ浗灩IPNATMofReso, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x85f22500 Size: 121

Object: Hidden Code [Driver: CdfsЅఆ浗灩IPNATMofReso, IRP_MJ_SHUTDOWN]
Process: System Address: 0x85f22500 Size: 121

Object: Hidden Code [Driver: CdfsЅఆ浗灩IPNATMofReso, IRP_MJ_LOCK_CONTROL]
Process: System Address: 0x85f22500 Size: 121

Object: Hidden Code [Driver: CdfsЅఆ浗灩IPNATMofReso, IRP_MJ_CLEANUP]
Process: System Address: 0x85f22500 Size: 121

Object: Hidden Code [Driver: CdfsЅఆ浗灩IPNATMofReso, IRP_MJ_PNP]
Process: System Address: 0x85f22500 Size: 121

Hidden Services
-------------------
Service Name: clrgi
Image Path: C:\DOCUME~1\MAJAJO~1\LOCALS~1\Temp\mteqdszrb.sys

Service Name: tgcmsmvjblcdi
Image Path: C:\DOCUME~1\MAJAJO~1\LOCALS~1\Temp\iwqemjfs.sys

Service Name: yxkzc
Image Path: C:\DOCUME~1\MAJAJO~1\LOCALS~1\Temp\uwcxa.sys

==EOF==
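What the RootRepeal report above shows, read as a responder would: three nameless drivers of identical size (73472 bytes) with no file on disk, plus pxtdypow.sys loaded from the user's Temp directory; fourteen SSDT hooks marked "<unknown>", meaning RootRepeal could not map the hook address to any driver image, sitting exactly on the process, thread and memory services (NtOpenProcess, NtTerminateProcess, NtWriteVirtualMemory and so on) that a scanner or the user would need against the infection; seven registry-function hooks attributed to spnt.sys, which are consistent with the SPTD driver that DAEMON Tools (installed per the DDS log, and listed here as sptd) brings along and are not the priority; three hidden threads inside svchost.exe PID 972; patched IRP dispatch entries on Ntfs, Cdrom, dmio, Ftdisk, NetBT, MRxSmb and the USB host-controller drivers; three hidden services loading drivers from Temp; and str.sys, the file Spybot had queued for deletion, invisible to the Windows API. The Python below is an added example, not from this thread or from RootRepeal, that parses a report in this format into those categories and reduces it to the indicators worth acting on. The embedded sample is a constructed excerpt of the report above; splitting sections on the dashed underline, and treating <unknown> hooks, Temp-resident hidden services and API-invisible files as the actionable items, are assumptions made here for the example.

```python
"""Parse a RootRepeal report and reduce it to actionable indicators (added example)."""
import re

# Constructed excerpt of the RootRepeal report posted above (same format, fewer entries).
SAMPLE_ROOTREPEAL = r"""ROOTREPEAL (c) AD, 2007-2009
==================================================
Hidden/Locked Files
-------------------
Path: C:\WINDOWS\Temp\NOD5AD1.tmp
Status: Invisible to the Windows API!

Path: C:\System Volume Information\_restore{B29903ED-0CEB-457B-8B86-61DCA7D3E4B2}\RP247\A0056432.exe:{E3C76A6B-DD50-F646-5A32-71579B127FF7}
Status: Visible to the Windows API, but not on disk.

Path: C:\WINDOWS\system32\drivers\str.sys
Status: Invisible to the Windows API!

SSDT
-------------------
#: 041 Function Name: NtCreateKey
Status: Hooked by "spnt.sys" at address 0xf73740e0

#: 122 Function Name: NtOpenProcess
Status: Hooked by "<unknown>" at address 0x84df5cc0

#: 257 Function Name: NtTerminateProcess
Status: Hooked by "<unknown>" at address 0x84df5e50

Stealth Objects
-------------------
Object: Hidden Thread [ETHREAD: 0x85f85020, TID: 1800]
Process: svchost.exe (PID: 972) Address: 0x00a51f3c Size: -

Object: Hidden Thread [ETHREAD: 0x85e60bd8, TID: 1176]
Process: svchost.exe (PID: 972) Address: 0x00dd1f3c Size: -

Object: Hidden Code [Driver: Ntfs, IRP_MJ_CREATE]
Process: System Address: 0x863861f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_WRITE]
Process: System Address: 0x863861f8 Size: 121

Hidden Services
-------------------
Service Name: clrgi
Image Path: C:\DOCUME~1\MAJAJO~1\LOCALS~1\Temp\mteqdszrb.sys

Service Name: yxkzc
Image Path: C:\DOCUME~1\MAJAJO~1\LOCALS~1\Temp\uwcxa.sys
==EOF==
"""

# A section is a title line followed by a dashed underline.
SECTION_RE = re.compile(r"^(\S[^\n]*)\n-{5,}\n", re.M)


def parse_rootrepeal(text):
    """Split on section underlines and pull the records that matter from each."""
    parts = SECTION_RE.split(text)
    sec = dict(zip(parts[1::2], parts[2::2]))          # title -> body
    stealth = sec.get("Stealth Objects", "")
    hooks, threads, irp = {}, {}, {}
    for func, hooker in re.findall(
            r'Function Name:\s*(\w+)\s*\n\s*Status: Hooked by "([^"]*)"', sec.get("SSDT", "")):
        hooks.setdefault(hooker, []).append(func)      # who hooked which Nt* service
    for proc, pid in re.findall(
            r"Hidden Thread \[[^\]]*\]\s*\n\s*Process: (\S+) \(PID: (\d+)\)", stealth):
        threads[f"{proc}:{pid}"] = threads.get(f"{proc}:{pid}", 0) + 1
    for drv, mj in re.findall(r"Hidden Code \[Driver: ([^,]+), (IRP_MJ_\w+)\]", stealth):
        irp.setdefault(drv, []).append(mj)             # patched dispatch entries per driver
    files = re.findall(r"Path: (.+)\n\s*Status: (.+)", sec.get("Hidden/Locked Files", ""))
    return {"ssdt_hooks": hooks, "hidden_threads": threads, "irp_hooks": irp,
            "hidden_services": re.findall(r"Service Name: (\S+)\s*\n\s*Image Path: (.+)",
                                          sec.get("Hidden Services", "")),
            "invisible_files": [p for p, status in files if "Invisible" in status]}


def verdict(report):
    """One line per indicator worth acting on (the selection is an assumed heuristic)."""
    notes = []
    unknown = report["ssdt_hooks"].get("<unknown>", [])
    if unknown:   # hooks RootRepeal could not map to any driver image
        notes.append(f"{len(unknown)} SSDT hooks not attributable to a driver image: "
                     + ", ".join(unknown))
    for key, n in report["hidden_threads"].items():
        notes.append(f"{n} hidden thread(s) in {key}")
    for drv, mjs in report["irp_hooks"].items():
        notes.append(f"IRP dispatch hooks on {drv} ({len(mjs)} major functions)")
    for name, path in report["hidden_services"]:
        if "\\temp\\" in path.lower():   # drivers loaded from a user temp directory
            notes.append(f"hidden service {name} loads a driver from Temp: {path}")
    for path in report["invisible_files"]:
        notes.append(f"file hidden from the Windows API: {path}")
    return notes
```

verdict(parse_rootrepeal(SAMPLE_ROOTREPEAL)) gives one line per indicator; fed the full report it lists all fourteen <unknown> hooks, the patched dispatch tables per driver (the garbled driver names in the report contain no comma, so the regex still isolates them), the three hidden threads in PID 972, all three Temp-resident services and the two NOD temp files plus str.sys. The service names and driver paths it produces are the ones the Avenger script in the next post deletes.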

offline
  • Joined: 02 Feb 2008
  • Posts: 14018
  • Location: Nish

Download The Avenger to the Desktop.
Unpack the archive into a folder

Double-click avenger.exe to run it

Copy the text inside the Code box into the (white) window of the program:


Drivers to delete:
str
bsoyaepdou
clrgi
svyubrwrkzfylu
tgcmsmvjblcdi
yxkzc

Files to delete:
c:\documents and settings\maja jokic\application data\yftza.exe
c:\documents and settings\maja jokic\application data\mrpky.exe
c:\windows\system32\drivers\str.sys
c:\windows\system32\lupoow.exe
c:\docume~1\majajo~1\locals~1\temp\mteqdszrb.sys
c:\docume~1\majajo~1\locals~1\temp\zxltcijpg.sys
c:\windows\system32\msvcrt2.dll
C:\DOCUME~1\MAJAJO~1\LOCALS~1\Temp\iwqemjfs.sys
C:\DOCUME~1\MAJAJO~1\LOCALS~1\Temp\uwcxa.sys

Registry values to delete:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon | Taskman


Click Execute, then Yes in the next two windows that open

The computer will restart (in certain cases: twice) and the cleaning/scanning process will begin

When the process is finished, the log file C:\avenger.txt will open in Notepad

Copy the contents of the resulting log into the thread on the forum.

offline
  • Joined: 16 Mar 2010
  • Posts: 481
  • Location: ...pod zvezdanim krakom...

Thank you very much for the help, but my computer had completely gone crazy and was restarting, shutting down and crashing on its own, so I couldn't follow your instructions... so I decided to take it in for a system reinstall... and now it works :)

Thank you very much for the effort, help and patience... (hug)
