Imam problem sa virusom koji moj antivirus nece da obrise...  Prilikom skeniranja kompa obrise sve osim tog jednog
Operating memory » svchost.exe(1120) - a variant of Win32/Sirefef.DT trojan - unable to clean. Uvek kada ukljucim komp prvo mi prijavi ovaj virus i to da nemoze da ga obrise... Kako da ga obrisem?

Preuzmi program DDS na desktop   http://download.bleepingcomputer.com/sUBs/dds.scr
Dvoklikom pokreni DDS
Sacekaj malo, izbacice ti dva loga
Kopiraj mi log DDS.txt > koristi dodatne opcije i prilozi fajl.


--------------------------------------

Preuzmi aswMBR i sacuvaj ga na Desktop.

• Dvoklikom pokreni aswMBR.
  
• Klikni na Scan.
  
• Kada zavrsi skeniranje, klikni Save log.
  
• Sacuvaj aswMBR log na Desktop.
  
• Sadrzaj tog loga iskopiraj u temi.

============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe
C:\Program Files\uTorrent\uTorrent.exe
svchost.exe
C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe
C:\Documents and Settings\Srdjan\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Srdjan\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Srdjan\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Srdjan\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Srdjan\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Srdjan\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Srdjan\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://search.conduit.com?SearchSource=10&ctid=CT2269050&SSPV=IEAUTOTB
uURLSearchHooks: DVDVideoSoftTB Toolbar: {872b5b88-9db5-4310-bdd0-ac189557e5f5} - c:\program files\dvdvideosofttb\prxtbDVDV.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Java(tm) Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: DVDVideoSoftTB Toolbar: {872b5b88-9db5-4310-bdd0-ac189557e5f5} - c:\program files\dvdvideosofttb\prxtbDVDV.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: DVDVideoSoftTB Toolbar: {872b5b88-9db5-4310-bdd0-ac189557e5f5} - c:\program files\dvdvideosofttb\prxtbDVDV.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "c:\program files\common files\nero\lib\NMBgMonitor.exe"
uRun: [uTorrent] "c:\program files\utorrent\uTorrent.exe"  /MINIMIZED
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [JMB36X IDE Setup] c:\windows\raidtool\xInsIDE.exe
mRun: [36X Raid Configurer] c:\windows\system32\xRaidSetup.exe boot
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [ISUSPM Startup] "c:\program files\common files\installshield\updateservice\isuspm.exe" -startup
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [egui] "c:\program files\eset\eset nod32 antivirus\egui.exe" /hide /waitservice
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
dRunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: Free YouTube Download - c:\documents and settings\srdjan\application data\dvdvideosoftiehelpers\freeytvdownloader.htm
IE: Free YouTube to MP3 Converter - c:\documents and settings\srdjan\application data\dvdvideosoftiehelpers\freeyoutubetomp3converter.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
LSP: mswsock.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_30-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_06-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0030-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_30-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_30-windows-i586.cab
TCP: DhcpNameServer = 89.216.1.40 89.216.1.50
TCP: Interfaces\{B03A5BB9-CBA3-4DB6-9036-98380E04F133} : DhcpNameServer = 89.216.1.40 89.216.1.50
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\wpdshserviceobj.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\srdjan\application data\mozilla\firefox\profiles\jweii4fg.default\
FF - prefs.js: browser.search.selectedEngine - DVDVideoSoftTB Customized Web Search
FF - prefs.js: browser.startup.homepage - hxxp://search.conduit.com/?ctid=CT2269050&SearchSource=13
FF - prefs.js: keyword.URL - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2269050&SearchSource=2&q=
FF - plugin: c:\documents and settings\srdjan\application data\mozilla\firefox\profiles\jweii4fg.default\extensions\{872b5b88-9db5-4310-bdd0-ac189557e5f5}\plugins\np-mswmp.dll
FF - plugin: c:\documents and settings\srdjan\local settings\application data\google\update\1.3.21.111\npGoogleUpdate3.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npwachk.dll
FF - plugin: c:\program files\veetle\player\npvlc.dll
FF - plugin: c:\program files\veetle\plugins\npVeetle.dll
FF - plugin: c:\program files\vistacodecpack\rm\browser\plugins\nppl3260.dll
FF - plugin: c:\program files\vistacodecpack\rm\browser\plugins\nprpjplug.dll
FF - plugin: c:\windows\system32\macromed\flash\NPSWF32_11_2_202_235.dll
.
---- FIREFOX POLICIES ----
FF - user.js: extensions.softonic_i.hmpg - true
FF - user.js: extensions.softonic_i.hmpgUrl - hxxp://search.softonic.com/MON00006/tb_v1?SearchSource=13&cc=
FF - user.js: extensions.softonic_i.dfltSrch - true
FF - user.js: extensions.softonic_i.srchPrvdr - Search the web (Softonic)
FF - user.js: extensions.softonic_i.keyWordUrl - hxxp://search.softonic.com/MON00006/tb_v1?SearchSource=2&cc=&q=
FF - user.js: extensions.softonic_i.dnsErr - true
FF - user.js: extensions.softonic_i.newTab - true
FF - user.js: extensions.softonic_i.newTabUrl - hxxp://search.softonic.com/MON00006/tb_v1?SearchSource=15&cc=
FF - user.js: extensions.softonic_i.tlbrSrchUrl - hxxp://search.softonic.com/MON00006/tb_v1?SearchSource=1&cc=&q=
FF - user.js: extensions.softonic_i.id - a07ca981000000000000001d7d0259 8d
FF - user.js: extensions.softonic_i.instlDay - 15413
FF - user.js: extensions.softonic_i.vrsn - 1.5.11.5
FF - user.js: extensions.softonic_i.vrsni - 1.5.11.5
FF - user.js: extensions.softonic_i.vrsnTs - 1.5.11.521:48:40
FF - user.js: extensions.softonic_i.prtnrId - softonic
FF - user.js: extensions.softonic_i.prdct - softonic
FF - user.js: extensions.softonic_i.aflt - SD
FF - user.js: extensions.softonic_i.smplGrp - eng7
FF - user.js: extensions.softonic_i.tlbrId - en12JANdefault_chrome
FF - user.js: extensions.softonic_i.instlRef - MON00006
FF - user.js: extensions.softonic_i.dfltLng -
FF - user.js: extensions.softonic_i.excTlbr - false
.
============= SERVICES / DRIVERS ===============
.
R1 dtsoftbus01;DAEMON Tools Virtual Bus Driver;c:\windows\system32\drivers\dtsoftbus01.sys [2012-1-6 232512]
R1 ehdrv;ehdrv;c:\windows\system32\drivers\ehdrv.sys [2009-5-14 107256]
R1 epfwtdir;epfwtdir;c:\windows\system32\drivers\epfwtdir.sys [2009-5-14 94360]
R2 ekrn;ESET Service;c:\program files\eset\eset nod32 antivirus\ekrn.exe [2009-5-14 731840]
R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2012-5-8 654408]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2012-5-8 22344]
S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\macromed\flash\FlashPlayerUpdateService.exe [2012-4-25 257696]
S3 GEST Service;GEST Service for program management.;c:\program files\gigabyte\gest\GSvr.exe [2012-1-6 47624]
S3 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files\mcafee security scan\2.0.181\McCHSvc.exe [2010-1-15 227232]
S3 MozillaMaintenance;Mozilla Maintenance Service;c:\program files\mozilla maintenance service\maintenanceservice.exe [2012-5-3 129976]
.
=============== Created Last 30 ================
.
2012-05-22 16:54:02   --------   d-----w-   c:\program files\CCleaner
2012-05-20 19:00:25   --------   d-----w-   C:\output
2012-05-17 13:26:29   --------   d-----w-   c:\documents and settings\srdjan\local settings\application data\DVDVideoSoftTB
2012-05-17 13:26:27   --------   d-----w-   c:\program files\DVDVideoSoftTB
2012-05-17 13:18:48   --------   d-----w-   c:\documents and settings\srdjan\application data\DVDVideoSoftIEHelpers
2012-05-17 13:18:36   405176   ----a-w-   c:\windows\system32\Newtonsoft.Json.Net20.dll
2012-05-17 13:18:36   2557952   ----a-w-   c:\windows\system32\QtCore4.dll
2012-05-17 13:16:43   --------   d-----w-   c:\program files\DVDVideoSoft
2012-05-17 13:16:43   --------   d-----w-   c:\program files\common files\DVDVideoSoft
2012-05-17 13:16:25   --------   d-----w-   c:\documents and settings\srdjan\application data\DVDVideoSoft
2012-05-08 19:56:05   --------   d-----w-   c:\documents and settings\srdjan\application data\Malwarebytes
2012-05-08 19:55:58   --------   d-----w-   c:\documents and settings\all users\application data\Malwarebytes
2012-05-08 19:55:57   22344   ----a-w-   c:\windows\system32\drivers\mbam.sys
2012-05-08 19:55:57   --------   d-----w-   c:\program files\Malwarebytes' Anti-Malware
2012-05-03 18:24:55   --------   d-----w-   c:\program files\Mozilla Maintenance Service
2012-05-03 18:24:53   157352   ----a-w-   c:\program files\mozilla firefox\maintenanceservice_installer.exe
2012-05-03 18:24:53   129976   ----a-w-   c:\program files\mozilla firefox\maintenanceservice.exe
2012-04-25 11:28:31   419488   ----a-w-   c:\windows\system32\FlashPlayerApp.exe
.
==================== Find3M  ====================
.
2012-05-23 08:05:27   0   --sha-w-   c:\windows\system32\dds_trash_log.cmd
2012-05-05 17:01:06   70304   ----a-w-   c:\windows\system32\FlashPlayerCPLApp.cpl
2012-04-11 13:14:41   2148352   ----a-w-   c:\windows\system32\ntoskrnl.exe
2012-04-11 13:12:06   1862272   ----a-w-   c:\windows\system32\win32k.sys
2012-04-11 12:35:51   2026496   ----a-w-   c:\windows\system32\ntkrnlpa.exe
2012-03-01 11:01:32   916992   ----a-w-   c:\windows\system32\wininet.dll
2012-03-01 11:01:32   43520   ------w-   c:\windows\system32\licmgr10.dll
2012-03-01 11:01:32   1469440   ------w-   c:\windows\system32\inetcpl.cpl
2012-02-29 14:10:16   177664   ----a-w-   c:\windows\system32\wintrust.dll
2012-02-29 14:10:16   148480   ----a-w-   c:\windows\system32\imagehlp.dll
2012-02-29 12:17:40   385024   ------w-   c:\windows\system32\html.iec

aswMBR version 0.9.9.1665 Copyright(c) 2011 AVAST Software
Run date: 2012-05-23 10:26:28
-----------------------------
10:26:28.453    OS Version: Windows 5.1.2600 Service Pack 3
10:26:28.453    Number of processors: 2 586 0x1706
10:26:28.453    ComputerName: DJIDJA-0EA26640  UserName: Srdjan
10:26:29.234    Initialize success
10:26:44.953    Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3
10:26:44.953    Disk 0 Vendor: WDC_WD3200JS-00PDB0 21.00M21 Size: 305244MB BusType: 3
10:26:45.093    Disk 0 MBR read successfully
10:26:45.093    Disk 0 MBR scan
10:26:45.093    Disk 0 Windows XP default MBR code
10:26:45.109    Disk 0 Partition 1 80 (A) 07    HPFS/NTFS NTFS       149997 MB offset 63
10:26:45.109    Disk 0 Partition - 00     0F Extended LBA            155245 MB offset 307194930
10:26:45.109    Disk 0 Partition 2 00     07    HPFS/NTFS NTFS       155245 MB offset 307194993
10:26:45.125    Disk 0 scanning sectors +625137345
10:26:45.187    Disk 0 scanning C:\WINDOWS\system32\drivers
10:26:53.328    File: C:\WINDOWS\system32\drivers\serial.sys  **SUSPICIOUS**
10:26:54.703    Disk 0 trace - called modules:
10:26:54.703    ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x89901fd0]<<
10:26:54.703    1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x89d5aab8]
10:26:54.703    3 CLASSPNP.SYS[ba0f8fd7] -> nt!IofCallDriver -> [0x899f7760]
10:26:54.703    \Driver\00000689[0x899f7340] -> IRP_MJ_CREATE -> 0x89901fd0
10:26:54.703    Scan finished successfully
10:27:07.765    Disk 0 MBR has been saved successfully to "C:\Documents and Settings\Srdjan\My Documents\MBR.dat"
10:27:07.781    The log file has been saved successfully to "C:\Documents and Settings\Srdjan\My Documents\aswMBR.txt"

Imas ZeroAccess infekciju.


Pazljivo procitaj i uradi tacno onako kako je napisano u uputstvu



Preuzmi ComboFix sa sledece adrese na Desktop:

http://download.bleepingcomputer.com/sUBs/ComboFix.exe

Iskljuci AV

Pokreni Combofix iskljucivo sa desktopa (I Agree)
Na svaki popup prozor klikci Yes \ Ok

Kad zavrsi skeniranje izbacice ti log na desktop

Nemoj da mi kopiras log (veliki je) vec ga prilozi uz poruku (attach)

evo

Otvori Notepad i kopiraj tekst koji se nalazi ispod:



Klikni na File\Save as i sacuvaj tekst kao CFScript na desktop




Prati uputstvo sa slike i prevuci CFScript.txt preko ikonice ComboFix.exe
To ce startovati ComboFix

Kada zavrsi,pojavice se log koji ces poslati na uvid.


--------------------------------

Ponovo pokreni aswMBR i prilozi i njegov log.

Ako ponudi avast update prihvati.

aswMBR version 0.9.9.1665 Copyright(c) 2011 AVAST Software
Run date: 2012-05-23 12:31:02
-----------------------------
12:31:02.843    OS Version: Windows 5.1.2600 Service Pack 3
12:31:02.843    Number of processors: 2 586 0x1706
12:31:02.843    ComputerName: DJIDJA-0EA26640  UserName: Srdjan
12:31:03.890    Initialize success
12:31:09.484    Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3
12:31:09.484    Disk 0 Vendor: WDC_WD3200JS-00PDB0 21.00M21 Size: 305244MB BusType: 3
12:31:09.515    Disk 0 MBR read successfully
12:31:09.531    Disk 0 MBR scan
12:31:09.531    Disk 0 Windows XP default MBR code
12:31:09.546    Disk 0 Partition 1 80 (A) 07    HPFS/NTFS NTFS       149997 MB offset 63
12:31:09.546    Disk 0 Partition - 00     0F Extended LBA            155245 MB offset 307194930
12:31:09.562    Disk 0 Partition 2 00     07    HPFS/NTFS NTFS       155245 MB offset 307194993
12:31:09.593    Disk 0 scanning sectors +625137345
12:31:09.687    Disk 0 scanning C:\WINDOWS\system32\drivers
12:31:12.046    Service scanning
12:31:18.703    Modules scanning
12:31:21.687    Disk 0 trace - called modules:
12:31:21.718    ntkrnlpa.exe catchme.sys CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys pciide.sys PCIIDEX.SYS
12:31:21.718    1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x89e48ab8]
12:31:21.718    3 CLASSPNP.SYS[ba0f8fd7] -> nt!IofCallDriver -> \Device\00000068[0x89e23400]
12:31:21.718    5 ACPI.sys[b9f7f620] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-3[0x89df0940]
12:31:21.718    Scan finished successfully
12:33:00.578    Disk 0 MBR has been saved successfully to "C:\Documents and Settings\Srdjan\My Documents\MBR.dat"
12:33:00.578    The log file has been saved successfully to "C:\Documents and Settings\Srdjan\My Documents\aswMBR1.txt"

kakvo je stanje, imas li i dalje redirekcije browsera?

Za sad je sve ok ne prijavljuje vise virus, hvala puno...
Nzm sta zanaci redirekcija browsera

Kada u google.com ukucas neki pojam npr. "auto" on ti ne da pravu listu rezultata vec te vodi na neki tamo nepoznat sajt.
Ili kada startujes browser, ne otvara ti se home page stranica vec nesto trece... to te je pitao da li se desava tako nesto i dalje. 

Ne desava se... 

To je to, verovatno vise ni Nod ne prijavljuje nista.

Ostaje da deinstaliras ComboFix

Start/run  kopiraj Combofix /Uninstall enter  i potvrdi sa OK.

Prilikom podizanja sistema pojavljuje se Recovery Console koju je instalirao Combofix. Mozemo da je uklonimo, ali nije lose da ostane, jer moze nekad da zatreba, nikad se ne zna.

Svaka cast..