Virus Protector

  • Joined: 14 Feb 2008
  • Posts: 12391

Hi, I have a problem on one computer: it got infected with the Virus Protector infection. The worst part is that I have no access to the computer, not even from Safe Mode; the only thing I can get into is "Safe Mode with Command Prompt", where it does not appear. I thought I could fix it through Safe Mode, but the infection has locked the Task Manager and the registry, so I can't do anything.
I've tried all sorts of things, both following instructions and with Malwarebytes, and it won't work. What can I do and how do I remove the infection? Here is a link to the description of the infection:
http://www.bleepingcomputer.com/virus-removal/remove-virus-protector

  • dr_Bora
  • Anti Malware Fighter
    Rank 2
  • Joined: 24 Jul 2007
  • Posts: 12280
  • Location: Höganäs, SE

Hello...

Can you start Windows in any GUI mode? If so, where are the logs?

  • Joined: 14 Feb 2008
  • Posts: 12391

Posted: 04 Apr 2010 12:35

I apologize, Bora, I completely forgot about the rules; my intention was to post the topic in the Windows forum too, and if they decide it belongs in Ambulanta, so be it.
I'll post the logs as soon as I restore the basic functions so that I can run programs. I managed to free the registry editor and get Explorer back into a normal, usable state.
I'll attach the logs here. (PS: scanning with Malwarebytes and deleting the rogue virus didn't help at all.)
(I'll edit the post and attach the logs.)

Update: 04 Apr 2010 12:54


DDS (Ver_10-03-17.01) - NTFSx86 MINIMAL
Run by Sloba at 12:44:34.57 on Sun 04/04/2010
Internet Explorer: 8.0.7600.16385
Microsoft Windows 7 Ultimate 6.1.7600.0.1252.1.1033.18.3071.2496 [GMT 2:00]


============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\ctfmon.exe
C:\Windows\System32\rundll32.exe
F:\SystemExplorerPortable\SystemExplorer.exe
C:\Windows\explorer.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\DllHost.exe
F:\dds.scr
C:\Windows\system32\conhost.exe
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg9\toolbar\IEToolbar.dll
uWinlogon: Shell=c:\users\sloba\appdata\roaming\control components\ccmain.exe
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg9\avgssie.dll
BHO: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg9\toolbar\IEToolbar.dll
TB: AVG Security Toolbar: {ccc7a320-b3ca-4199-b1a6-9f516dd69829} - c:\program files\avg\avg9\toolbar\IEToolbar.dll
mRun: [AVG9_TRAY] c:\progra~1\avg\avg9\avgtray.exe
mRun: [SoundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe
mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
mRunOnce: [Malwarebytes' Anti-Malware] c:\program files\malwarebytes' anti-malware\mbamgui.exe /install /silent
StartupFolder: c:\users\sloba\appdata\roaming\microsoft\windows\start menu\programs\startup\UnistiVP.bat
mPolicies-system: ConsentPromptBehaviorAdmin = 0 (0x0)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
mPolicies-system: PromptOnSecureDesktop = 0 (0x0)
DPF: {3860DD98-0549-4D50-AA72-5D17D200EE10} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/en-us/wlscctrl2.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg9\avgpp.dll

================= FIREFOX ===================

FF - ProfilePath - c:\users\sloba\appdata\roaming\mozilla\firefox\profiles\z012f8gr.default\
FF - plugin: c:\program files\nvidia corporation\3d vision\npnv3dv.dll

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

S1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2010-3-23 216200]
S1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2010-3-23 29512]
S1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2010-3-23 242696]
S2 avg9emc;AVG Free E-mail Scanner;c:\program files\avg\avg9\avgemc.exe [2010-3-23 916760]
S2 avg9wd;AVG Free WatchDog;c:\program files\avg\avg9\avgwdsvc.exe [2010-3-23 308064]
S2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;c:\program files\nvidia corporation\3d vision\nvSCPAPISvr.exe [2010-1-11 240232]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-14 229888]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2010-3-27 38224]
S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\drivers\Rt86win7.sys [2009-6-10 139776]

=============== Created Last 30 ================

2010-04-04 10:09:33 452 --sha-r- c:\users\sloba\ntuser.pol
2010-04-03 22:13:44 1678336 ----a-w- c:\windows\system32\aSRoNLurH.dll
2010-04-03 22:13:28 1678336 ----a-w- c:\windows\system32\ajces63y6.exe
2010-04-02 14:49:08 0 d-----w- c:\windows\system32\appmgmt
2010-04-02 10:17:50 9849864 ----a-w- c:\program files\Opera_1051_en_Setup.exe
2010-03-28 16:47:46 0 d-----w- c:\users\sloba\appdata\roaming\Electronic Arts
2010-03-27 20:47:38 0 d--h--w- C:\$AVG
2010-03-27 15:26:32 0 d-----w- c:\users\sloba\appdata\roaming\Malwarebytes
2010-03-27 15:26:29 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-03-27 15:26:27 20824 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-03-27 15:26:27 0 d-----w- c:\programdata\Malwarebytes
2010-03-27 15:26:27 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-03-24 14:24:06 14 ----a-w- c:\windows\popcinfo.dat
2010-03-24 14:23:20 0 d-----w- c:\programdata\PopCap Games
2010-03-24 14:23:20 0 d-----w- c:\program files\PopCap Games
2010-03-23 19:23:29 0 d-----w- c:\program files\World of Warcraft
2010-03-23 19:23:29 0 d-----w- c:\program files\common files\Blizzard Entertainment
2010-03-23 16:21:38 12464 ----a-w- c:\windows\system32\avgrsstx.dll
2010-03-23 16:09:08 0 d-----w- c:\programdata\NVIDIA
2010-03-23 16:08:18 0 d-----w- c:\program files\common files\Wise Installation Wizard
2010-03-23 16:08:14 0 d-----w- c:\program files\NVIDIA Corporation
2010-03-23 15:21:37 0 d-----w- c:\program files\Analog Devices
2010-03-23 06:37:39 0 d-----w- c:\windows\Panther
2010-03-23 06:07:18 0 d-----w- c:\users\sloba\appdata\roaming\AVG8
2010-03-23 06:00:14 242696 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2010-03-23 06:00:08 216200 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2010-03-23 06:00:07 0 d-----w- c:\windows\system32\drivers\Avg
2010-03-23 06:00:07 0 d-----w- c:\programdata\AVG Security Toolbar
2010-03-23 05:59:59 0 d-----w- c:\program files\AVG
2010-03-23 05:59:58 0 d-----w- c:\programdata\avg9
2010-03-23 05:59:26 0 d-sh--w- c:\windows\Installer
2010-03-22 21:59:20 0 ---ha-w- c:\windows\system32\drivers\Msft_User_WpdFs_01_09_00.Wdf
2010-03-22 21:55:33 713888 ----a-w- c:\windows\system32\PerfStringBackup.INI
2010-03-22 21:55:03 0 d-----w- c:\windows\system32\wbem\Performance
2010-03-22 21:46:46 0 d-sh--w- C:\Recovery
2010-03-22 21:17:08 181632 ------w- c:\windows\system32\MpSigStub.exe

==================== Find3M ====================

2010-01-11 21:18:00 962664 ----a-w- c:\windows\system32\nvsvc.dll
2010-01-11 21:18:00 66664 ----a-w- c:\windows\system32\nvshext.dll
2010-01-11 21:18:00 1515112 ----a-w- c:\windows\system32\nvsvcr.dll
2010-01-11 21:18:00 13679720 ----a-w- c:\windows\system32\nvcpl.dll
2010-01-11 21:18:00 129640 ----a-w- c:\windows\system32\nvvsvc.exe
2010-01-11 21:18:00 110696 ----a-w- c:\windows\system32\nvmctray.dll
2009-07-14 04:56:42 31548 ----a-w- c:\windows\inf\perflib\0409\perfd.dat
2009-07-14 04:56:42 31548 ----a-w- c:\windows\inf\perflib\0409\perfc.dat
2009-07-14 04:56:42 291294 ----a-w- c:\windows\inf\perflib\0409\perfi.dat
2009-07-14 04:56:42 291294 ----a-w- c:\windows\inf\perflib\0409\perfh.dat
2009-07-14 04:41:57 174 --sha-w- c:\program files\desktop.ini
2009-07-14 00:34:40 291294 ----a-w- c:\windows\inf\perflib\0000\perfi.dat
2009-07-14 00:34:40 291294 ----a-w- c:\windows\inf\perflib\0000\perfh.dat
2009-07-14 00:34:38 31548 ----a-w- c:\windows\inf\perflib\0000\perfd.dat
2009-07-14 00:34:38 31548 ----a-w- c:\windows\inf\perflib\0000\perfc.dat
2009-06-10 21:26:35 9633792 --sha-r- c:\windows\fonts\StaticCache.dat
2009-07-14 01:14:45 396800 --sha-w- c:\windows\winsxs\x86_microsoft-windows-mail-app_31bf3856ad364e35_6.1.7600.16385_none_f12e83abb108c86c\WinMail.exe

============= FINISH: 12:44:48.36 ===============

Up to this point I have done the following:
Restored access to the registry, restored access to the Task Manager, and cleaned the infection out of the registry, i.e. the symptoms I found on the first link.
Just in case, I also wrote a .bat file that kills the process and starts Explorer. All in all it works now, but please check whether there are any parts of the infection left that I haven't noticed.
And if you can, please merge my posts. Thanks!

  • dr_Bora
  • Anti Malware Fighter
    Rank 2
  • Joined: 24 Jul 2007
  • Posts: 12280
  • Location: Höganäs, SE

I don't think there is any active malware left there.

Delete the following files:

c:\windows\system32\aSRoNLurH.dll
c:\windows\system32\ajces63y6.exe

and the folder (if it exists):

c:\users\sloba\appdata\roaming\control components


Open regedit and, in the key:

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon

delete the Shell value.


If the shell (explorer.exe) does not start at boot, then open the key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon

and set the Shell value to explorer.exe
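The Winlogon Shell check and repair described in the reply above, written out as an added PowerShell example (not code from the thread): it audits the per-user and machine-wide Shell values that the DDS log flagged (`uWinlogon: Shell=...\control components\ccmain.exe`), reports the leftover files and folder named in the reply, and with `-Repair` applies the steps given. It assumes it is run from an elevated prompt inside the infected user's own session, so that HKCU and `$env:APPDATA` resolve to that profile.

```powershell
# Added example, not from the thread. Audits (and with -Repair fixes) the Winlogon
# Shell persistence seen in the DDS log. Run elevated, logged on as the affected user.
param([switch]$Repair)

$hkcu = 'HKCU:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$hklm = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'

function Get-ShellValue([string]$Key) {
    # Returns $null when the key carries no Shell value at all.
    (Get-ItemProperty -Path $Key -Name Shell -ErrorAction SilentlyContinue).Shell
}

$userShell    = Get-ShellValue $hkcu
$machineShell = Get-ShellValue $hklm

# A stock Windows 7 profile has no per-user Shell value; anything here overrides explorer.exe.
if ($null -ne $userShell) {
    Write-Warning "HKCU Winlogon Shell override found: $userShell"
    if ($Repair) {
        Remove-ItemProperty -Path $hkcu -Name Shell
        Write-Output 'Removed HKCU Shell value.'
    }
} else {
    Write-Output 'HKCU Winlogon has no Shell override (expected).'
}

# The machine-wide value must be exactly explorer.exe or no desktop loads at logon.
if ($machineShell -ne 'explorer.exe') {
    Write-Warning "HKLM Winlogon Shell is '$machineShell', expected 'explorer.exe'"
    if ($Repair) {
        Set-ItemProperty -Path $hklm -Name Shell -Value 'explorer.exe'
        Write-Output 'Reset HKLM Shell value to explorer.exe.'
    }
} else {
    Write-Output 'HKLM Winlogon Shell is explorer.exe (expected).'
}

# Leftovers named in the reply; $env:APPDATA is the Roaming folder of the current user.
$leftovers = @(
    "$env:SystemRoot\system32\aSRoNLurH.dll",
    "$env:SystemRoot\system32\ajces63y6.exe",
    "$env:APPDATA\control components"
)
foreach ($path in $leftovers) {
    if (Test-Path -LiteralPath $path) {
        Write-Warning "Leftover present: $path"
        if ($Repair) { Remove-Item -LiteralPath $path -Recurse -Force }
    }
}
```

Run it once without `-Repair` to see what it finds, then again with `-Repair` and reboot to confirm explorer.exe comes up on its own.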
