Validity of logs outside safe mode

  • Velin
  • New MyCity citizen
  • Joined: 21 Aug 2009
  • Posts: 11

Greetings,

I was trying to get into Safe Mode in order to scan with DDS and GMER, but every time I choose Safe Mode the computer automatically resets. I also tried Safe Mode with Networking and Safe Mode with Command Prompt, but it always resets, and the only option I can pick without a reset is Start Windows Normally.
Will the logs I post be valid even though they are not from Safe Mode?

  • argus (Male)
  • Anti Malware Fighter, Rank 2
  • Joined: 27 Apr 2008
  • Posts: 9160
  • Location: Prokuplje

Well, you should be posting the logs from normal mode anyway. Go ahead and do it so we can see what's going on.

  • Velin
  • New MyCity citizen
  • Joined: 21 Aug 2009
  • Posts: 11

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 6.0.2900.2180 BrowserJavaVersion: 1.6.0_29
Run by Asko at 11:11:14 on 2011-11-15
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.511.281 [GMT 1:00]
.
.
============== Running Processes ===============
.
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
C:\WINDOWS\system32\Ati2evxx.exe
svchost.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\acs.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Common Files\SafeNet Sentinel\Sentinel Keys Server\sntlkeyssrvr.exe
C:\Program Files\Common Files\SafeNet Sentinel\Sentinel Protection Server\WinNT\spnsrvnt.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\BabylonToolbar\BabylonToolbar\1.4.19.19\BabylonToolbarsrv.exe
C:\Program Files\Yuna Software\Messenger Plus!\PlusService.exe
C:\Program Files\TP-LINK\TWCU\TWCU.exe
C:\Win\lsass.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe
C:\WINDOWS\system32\wuauclt.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://search.babylon.com/?babsrc=HP_ss&mntrId=14a3b3610000000000000007951fccfb&tlver=1.4.19.19&affID=17159
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: CescrtHlpr Object: {2eecd738-5844-4a99-b4b6-146bf802613b} - c:\program files\babylontoolbar\babylontoolbar\1.4.19.19\bh\BabylonToolbar.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Babylon Toolbar: {98889811-442d-49dd-99d7-dc866be87dbc} - c:\program files\babylontoolbar\babylontoolbar\1.4.19.19\BabylonToolbarTlbr.dll
TB: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [Google Update] "c:\documents and settings\asko\local settings\application data\google\update\GoogleUpdate.exe" /c
uRun: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "c:\program files\common files\ahead\lib\NMBgMonitor.exe"
uRun: [Java Update Manager] c:\documents and settings\asko\application data\hex-5823-6893-6818\jusched.exe
mRun: [ATIPTA] c:\program files\ati technologies\ati control panel\atiptaxx.exe
mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe
mRun: [CloneCDTray] "c:\program files\slysoft\clonecd\CloneCDTray.exe" /s
mRun: [BabylonToolbar] "c:\program files\babylontoolbar\babylontoolbar\1.4.19.19\BabylonToolbarsrv.exe" /md I
mRun: [PlusService] "c:\program files\yuna software\messenger plus!\PlusService.exe"
mRun: [TWCU] "c:\program files\tp-link\twcu\TWCU.exe" -nogui
mRun: [run32] c:\win\lsass.exe
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [SoundMan] SOUNDMAN.EXE
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
mPolicies-system: EnableLUA = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
DPF: DirectAnimation Java Classes - file://c:\windows\java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0029-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: DhcpNameServer = 77.239.64.19 77.239.64.20
TCP: Interfaces\{259B303E-4E62-4AE0-96B5-7A11F9B3E468} : NameServer = 8.8.8.8,77.239.64.19
TCP: Interfaces\{259B303E-4E62-4AE0-96B5-7A11F9B3E468} : DhcpNameServer = 77.239.64.19 77.239.64.20
TCP: Interfaces\{C5992DEA-6389-4A88-8773-DB248A61CA44} : DhcpNameServer = 77.239.64.19 77.239.64.20
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: AtiExtEvent - Ati2evxx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
Hosts: 127.0.0.1 avast.com
Hosts: 127.0.0.1 avg.com
Hosts: 127.0.0.1 bitdefender.com
Hosts: 127.0.0.1 eset.com
Hosts: 127.0.0.1 f-secure.com
.
Note: multiple HOSTS entries found. Please refer to Attach.txt
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\asko\application data\mozilla\firefox\profiles\t907mhq2.default\
FF - prefs.js: browser.startup.homepage - hxxp://en-US.start3.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official
FF - prefs.js: keyword.URL - hxxp://search.babylon.com/?babsrc=SP_ss&mntrId=14a3b3610000000000000007951fccfb&tlver=1.4.19.19&instlRef=sst&affID=17159&q=
FF - plugin: c:\documents and settings\asko\local settings\application data\google\update\1.3.21.79\npGoogleUpdate3.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
.
============= SERVICES / DRIVERS ===============
.
R2 SentinelKeysServer;Sentinel Keys Server;c:\program files\common files\safenet sentinel\sentinel keys server\sntlkeyssrvr.exe [2008-7-11 328992]
R3 adatadrv;Autodata Protection Service;c:\windows\system32\drivers\adatadrv.sys [2011-7-7 762112]
R3 asc3360pr;asc3360pr;\??\c:\windows\system32\drivers\jlkjmn.sys --> c:\windows\system32\drivers\jlkjmn.sys [?]
S3 amsint32;amsint32;\??\c:\windows\system32\drivers\jlkjmn.sys --> c:\windows\system32\drivers\jlkjmn.sys [?]
S3 nmwcdnsu;Nokia USB Flashing Phone Parent;c:\windows\system32\drivers\nmwcdnsu.sys [2011-3-29 137600]
S3 nmwcdnsuc;Nokia USB Flashing Generic;c:\windows\system32\drivers\nmwcdnsuc.sys [2011-3-29 8576]
S3 SiS7012;Service for AC'97 Sample Driver (WDM);c:\windows\system32\drivers\sis7012.sys [2010-11-11 820133]
.
=============== Created Last 30 ================
.
2011-11-14 11:40:45 -------- d--h--w- c:\documents and settings\all users\application data\Common Files
2011-11-14 11:37:01 -------- d-----w- c:\documents and settings\all users\application data\MFAData
2011-11-14 11:18:58 7168 -c--a-w- c:\windows\system32\dllcache\EXCH_snprfdll.dll
2011-11-14 11:17:59 5632 -c--a-w- c:\windows\system32\dllcache\kbdfa.dll
2011-11-14 11:16:58 6656 -c--a-w- c:\windows\system32\dllcache\c_is2022.dll
2011-11-14 11:06:02 24661 -c--a-w- c:\windows\system32\dllcache\spxcoins.dll
2011-11-14 11:06:02 24661 ----a-w- c:\windows\system32\spxcoins.dll
2011-11-14 11:06:02 13312 -c--a-w- c:\windows\system32\dllcache\irclass.dll
2011-11-14 11:06:02 13312 ----a-w- c:\windows\system32\irclass.dll
2011-11-14 11:05:47 13753 ----a-r- c:\windows\SET48.tmp
2011-11-14 11:05:44 1086058 ----a-r- c:\windows\SET3C.tmp
2011-11-14 11:05:41 1042903 ----a-r- c:\windows\SET38.tmp
2011-11-14 09:46:55 -------- d-----w- c:\windows\system32\%systemroots
2011-11-10 16:46:08 73728 ----a-w- c:\windows\system32\javacpl.cpl
2011-10-18 19:31:44 -------- d-sh--r- C:\Win
.
==================== Find3M ====================
.
2011-11-10 16:45:50 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-10-15 23:27:50 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-09-08 18:14:17 21275 ----a-w- c:\windows\system32\drivers\AegisP.sys
.
============= FINISH: 11:12:22.69 ===============


  • argus (Male)
  • Anti Malware Fighter, Rank 2
  • Joined: 27 Apr 2008
  • Posts: 9160
  • Location: Prokuplje

You've caught the Sality virus (a file infector), which means all partitions are infected, especially the exe files.
My opinion is that you picked up Sality from a flash drive or a memory card, either way.

This cannot be cleaned from within an active Windows (i.e. files infected by Sality cannot be successfully disinfected that way).

Theoretically, there are two options.

1. Download a LiveCD with an AV scanner that is capable of disinfecting this.

However, your Windows and programs are in such bad shape that it simply isn't worth it. You would have to reinstall everything that has already been deleted and do a Windows repair, and what you end up with is unlikely to work properly.

2. Back up everything that matters to you, format the partition Windows is on, install Windows fresh and then disinfect what you backed up.

I recommend option 2 because it will take less time and afterwards you will have a working Windows.

Question: do you have more than one partition on the hard disk, and which option are you going for (so I know what to direct you to)?
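The indicators argus reads from the first DDS log above can be checked mechanically. The following Python script is an added example, not code from the thread or from DDS itself: it runs over a constructed excerpt of the posted log and flags a core Windows binary running outside system32 (C:\Win\lsass.exe), hosts entries that blackhole antivirus vendor domains, a service whose driver file is missing, and the hidden C:\Win directory. The vendor domains beyond the five on the page and the severity labels are my assumptions; the patterns apply to any DDS log, not just this one.

```python
import re

# Constructed excerpt: lines copied from the first DDS log posted in this thread.
DDS_SAMPLE = r"""C:\WINDOWS\system32\spoolsv.exe
C:\Win\lsass.exe
mRun: [run32] c:\win\lsass.exe
mPolicies-system: EnableLUA = 0 (0x0)
Hosts: 127.0.0.1 avast.com
Hosts: 127.0.0.1 eset.com
R3 asc3360pr;asc3360pr;\??\c:\windows\system32\drivers\jlkjmn.sys --> c:\windows\system32\drivers\jlkjmn.sys [?]
R3 adatadrv;Autodata Protection Service;c:\windows\system32\drivers\adatadrv.sys [2011-7-7 762112]
2011-10-18 19:31:44 -------- d-sh--r- C:\Win
"""

# Windows core binaries that legitimately live only under %SystemRoot%\system32.
CORE_BINARIES = {"lsass.exe", "svchost.exe", "csrss.exe", "winlogon.exe", "services.exe"}
# Vendor domains redirected in the posted hosts file, plus a few other well-known ones (assumed list).
AV_DOMAINS = {"avast.com", "avg.com", "bitdefender.com", "eset.com", "f-secure.com",
              "kaspersky.com", "symantec.com", "mcafee.com"}

PATH_RE = re.compile(r'([a-z]:\\[^"\[\]\n]+?\.exe)', re.IGNORECASE)
HOSTS_RE = re.compile(r"^Hosts:\s+(127\.0\.0\.1|0\.0\.0\.0)\s+(\S+)", re.IGNORECASE)
MISSING_DRV_RE = re.compile(r"^[RS]\d\s+([^;]+);.*-->\s*(\S+)\s+\[\?\]")
HIDDEN_DIR_RE = re.compile(r"^\d{4}-\d\d-\d\d\s+\S+\s+-+\s+d-sh\S*\s+(.+)$")

def triage(log):
    """Return (severity, message) tuples for DDS lines matching a known indicator."""
    findings = []
    for line in log.splitlines():
        # 1. Core system binary running or autostarted from outside system32.
        for path in PATH_RE.findall(line):
            name = path.rsplit("\\", 1)[-1].lower()
            if name in CORE_BINARIES and "\\system32\\" not in path.lower():
                findings.append(("high", "core binary outside system32: " + path))
        # 2. Hosts entries that blackhole security-vendor domains (blocks AV updates).
        m = HOSTS_RE.match(line)
        if m and m.group(2).lower() in AV_DOMAINS:
            findings.append(("high", "hosts file blocks %s -> %s" % (m.group(2), m.group(1))))
        # 3. Service registered for a driver file that no longer exists on disk.
        m = MISSING_DRV_RE.match(line)
        if m:
            findings.append(("medium", "service %s -> missing driver %s" % m.groups()))
        # 4. Recently created directory carrying hidden+system attributes.
        m = HIDDEN_DIR_RE.match(line)
        if m:
            findings.append(("low", "hidden+system directory created: " + m.group(1).strip()))
        # 5. LUA disabled through policy.
        if "EnableLUA = 0" in line:
            findings.append(("low", "mPolicies-system sets EnableLUA = 0"))
    return findings

if __name__ == "__main__":
    for sev, msg in triage(DDS_SAMPLE):
        print(sev.upper(), msg)
```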

  • Velin
  • New MyCity citizen
  • Joined: 21 Aug 2009
  • Posts: 11

Posted: 15 Nov 2011 11:50

Update: 15 Nov 2011 11:53

I'm a bit late with the GMER logs, but here they are too, if they are needed.
I have 2 partitions on the hard disk, and the second option is more acceptable to me.

Update: 15 Nov 2011 11:56

I suspect which flash drive this came to this computer from. Is there something I can disinfect that flash drive with?

  • argus (Male)
  • Anti Malware Fighter, Rank 2
  • Joined: 27 Apr 2008
  • Posts: 9160
  • Location: Prokuplje

Posted: 15 Nov 2011 12:09

There is, but first you have to decide on one of the options I suggested in the previous post.

If you decide to format C and set up a new system (that's the fastest and safest variant), you'll install the network card driver to get internet access. If you don't have the drivers on a CD, download them on another computer and burn them to a CD, not to a flash drive.
Then download Avast free to the desktop (it has a Boot time scan option) and scan all partitions. It does that fairly quickly because it scans before the system boots.

Then download the program MCShield to the desktop.
You can read more about it at this link http://www.mycity.rs/Antispyware-programi/MCShield.html

Install the program and just plug in the flash drive; the program will do the job on its own in a few seconds.

Do not click on the other partitions under any circumstances until you've done what I wrote.

Any questions?

Update: 15 Nov 2011 12:16

The data that isn't damaged is pictures, music, movies, documents. Say goodbye to the programs and games, unfortunately.

  • Velin
  • New MyCity citizen
  • Joined: 21 Aug 2009
  • Posts: 11

Posted: 17 Nov 2011 15:05

System reinstalled, Avast scanned both partitions, all infected files deleted. Avast restarted the computer after it finished deleting, and after that the system could no longer boot; it reset every time it got to the logon, so I formatted partition C again and set up the system, but I didn't install Avast this time.
I'll post the DDS log shortly.

Update: 17 Nov 2011 15:19

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 6.0.2800.1106
Run by ZerOCooL at 15:13:27 on 2011-11-17
Microsoft Windows XP Professional 5.1.2600.1.1252.1.1033.18.511.384 [GMT 1:00]
.
.
============== Running Processes ===============
.
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
.
============== Pseudo HJT Report ===============
.
EB: Media Band: {32683183-48a0-441b-a342-7c2a440a9478} - %SystemRoot%\System32\browseui.dll
mRun: [SiSSoundMan] c:\windows\system32\SoundMan.exe
mRun: [SiSSetCDfmt] c:\windows\system32\SetCDfmt.exe
mRun: [ATIPTA] c:\program files\ati technologies\ati control panel\atiptaxx.exe
IE: {c95fe080-8f5d-11d2-a20b-00aa003c157a} - %SystemRoot%\web\related.htm
DPF: DirectAnimation Java Classes - file://c:\windows\java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
TCP: DhcpNameServer = 77.239.64.19 77.239.64.20
TCP: Interfaces\{930E3D76-57CD-4A28-9AB8-ED33845D4FFC} : DhcpNameServer = 77.239.64.19 77.239.64.20
Notify: AtiExtEvent - Ati2evxx.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\zerocool\application data\mozilla\firefox\profiles\9aqc0rgu.default\
.
============= SERVICES / DRIVERS ===============
.
.
=============== Created Last 30 ================
.
2011-11-17 14:05:27 36992 ----a-r- c:\windows\system32\drivers\SISAGPX.SYS
2011-11-17 14:05:27 -------- d-----w- c:\windows\system32\ReinstallBackups
2011-11-17 14:03:18 516096 ------w- c:\windows\system32\ati2sgag.exe
2011-11-17 14:03:14 294912 ----a-r- c:\windows\system32\atiiiexx.dll
2011-11-17 14:03:13 131072 ----a-r- c:\windows\system32\ATIDEMGR.dll
2011-11-17 14:02:56 -------- d-----w- c:\program files\ATI Technologies
2011-11-17 14:02:13 77824 ------w- c:\program files\common files\installshield\engine\6\intel 32\ctor.dll
2011-11-17 14:02:13 32768 ------w- c:\program files\common files\installshield\engine\6\intel 32\objectps.dll
2011-11-17 14:02:13 221184 ------w- c:\program files\common files\installshield\iscript\IScript.dll
2011-11-17 14:02:13 221184 ------w- c:\program files\common files\installshield\engine\6\intel 32\iuser.dll
2011-11-17 14:02:12 212992 ----a-w- c:\program files\common files\installshield\engine\6\intel 32\ILog.dll
2011-11-17 07:33:58 7296 ------r- c:\windows\system32\drivers\EIO.sys
.
==================== Find3M ====================
.
.
============= FINISH: 15:13:59.55 ===============


  • argus (Male)
  • Anti Malware Fighter, Rank 2
  • Joined: 27 Apr 2008
  • Posts: 9160
  • Location: Prokuplje

The DDS report tells us the computer is clean. There's no driver section, because I assume you haven't installed any drivers other than the graphics one, am I right?

What I can see is that you installed SP1, which is no good at all.

The first and basic defence against malware is an up-to-date OS, and at the moment, as far as XP is concerned, SP3 is available for free download from this link http://www.microsoft.com/download/en/details.aspx?id=24

Did you use this option when you scanned with Avast? That restarting shouldn't have happened.

Did you mess with the other partitions after setting up the system? If you did, then you got reinfected, so Avast was deleting a system file.

----------------------------

Download SalityKiller from this link http://support.kaspersky.com/downloads/utils/salitykiller.zip
Unpack it to the root of C:\, meaning directly where you land when you click on C.

Click start > run > copy this (in bold): c:\salitykiller.exe -a -j -k -l c:\SKLog.txt, then press enter.

Wait for the scan to finish, and at the end press any key.

The log will be located at C:\SKLog.txt

Attach it to your post using the Attach file option.

  • Velin
  • New MyCity citizen
  • Joined: 21 Aug 2009
  • Posts: 11

My brother was impatient, since I'm not home that often, so he installed a few things.

In Avast I didn't use the restart option, and I didn't click on the other partition at all, as you told me not to touch it.

  • argus (Male)
  • Anti Malware Fighter, Rank 2
  • Joined: 27 Apr 2008
  • Posts: 9160
  • Location: Prokuplje

The computer is clean.

Install MCShield, then plug in the problematic flash drive, wait for it to scan it and produce a log, then copy the report here for me.
