XP embedded, explorer puca pri boot-u

[mister Mrva]

Dakle XPe sistem, pri dizanju dodje do desktopa, prikaze samo taskbar bez ikona na dekstopu i posle 10-ak sekundi izbaci "Explorer.exe referenced memory... Memory could not be read". Onda ga pokrenem iz Task Managera i sve radi posle bez problema. Problem je sto je je ovo totalno ogoljen win, nema event viewer, ComboFix ne mogu da pokrenem, kao ni MalwareBytes itd. Neka pametna ideja ili da ga koljem :trust:

 

[spock1]

Mozes li da pokrenes malwarebytes iz safe mode. Znaci restartujes, klikces F8, zatim izaberes Safe Mode.

 

[mister Mrva]

Nisam stigao da probam sa safe modom, ali moracu definitivno, mada je vrlo moguce da jednostavno ne radi na XPe. ComboFix se pokrene ali onda u cmd promptu javi nesto tipa ATTRIB is not recognizable command ili tako nesto.

 

[spock1]

Ako imas XP 32. radi i jedno i drugo. Odakle si skinuo Combofix? Iskljucio si AV pre pokretanja Combofixa?

 

[mister Mrva]

Bleeping computer i normalno iskljucio AV. Skoro sam siguran da je virus, gomilu strana na netu nece da otvori, a hosts fajl je prazan.

I da, ni malwarebytes ni Avast free koje sam instalirao kako bih skenirao sistem sada ne mogu da deinstaliram.

Evo i slike procesa, ne vidim nista sumnjivo



Problem je sto mi nije trenutno racunar dostupan, kacim se preko TeamViewer-a, jedino nocu mogu da mu licno prstupim i da se zezam sa njim.

Evo ga HJThis log ima par zanimljivih stavki

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 11:54:40 AM, on 11/2/2010
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Alwil Software\Avast5\avastUI.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\snmp.exe
C:\Program Files\TeamViewer\Version5\TeamViewer_Service.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\TeamViewer\Version5\TeamViewer.exe
C:\WINDOWS\system32\mqsvc.exe
C:\WINDOWS\explorer.exe
C:\Program Files\SEC\MagicInfo Pro\StreamServer.exe
D:\Temp\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.samsung.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.samsung.com/
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [amd_dc_opt] C:\Program Files\AMD\Dual-Core Optimizer\amd_dc_opt.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [avast5] "C:\Program Files\Alwil Software\Avast5\avastUI.exe" /nogui
[B]O10 - Broken Internet access because of LSP provider 'c:\windows\system32\rsvpsp.dll' missing[/B]
O14 - IERESET.INF: START_PAGE_URL=http://www.samsung.com
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase6770.cab
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://camera.beograd.com/AxisCamControl.ocx
O17 - HKLM\System\CCS\Services\Tcpip\..\{07297815-450A-4B32-BCD3-91A679F42880}: NameServer = 192.168.2.1
[B]O20 - Winlogon Notify: SSOExec - C:\WINDOWS\temp\sso\ssoexec.dll (file missing)[/B]
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: avast! Antivirus - AVAST Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
O23 - Service: avast! Mail Scanner - AVAST Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
O23 - Service: avast! Web Scanner - AVAST Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
O23 - Service: TeamViewer 5 (TeamViewer5) - TeamViewer GmbH - C:\Program Files\TeamViewer\Version5\TeamViewer_Service.exe
O23 - Service: Terminal Services Session Directory (Tssdis) - Unknown owner - C:\WINDOWS\System32\tssdis.exe (file missing)
O23 - Service: Marvell Yukon Service (yksvc) - Unknown owner - RUNDLL32.EXE (file missing)

--
End of file - 3253 bytes

A security task manager je nasao ovaj sumnjivi proces

 

[mister Mrva]

Spybot nije uradio nista ali je Stinger odmah detektovao da su ovaj dll iz Security task manager-a svchost zarazeni conficker-om, dll je obrisao ali sasvchostom nije uradio nista. Bar znam sta je pa mogu da se zezam dalje.

 

[spock1]

Deinstaliraj Spybot i ugasi Avast.

Pokreni Combofix sa desktopa http://download.bleepingcomputer.com/sUBs/ComboFix.exe

Obrisi staru ikonicu ako je imas.

Zakaci mi log fajl kad zavrsi skeniranje.

 

[mister Mrva]

ComboFix ne moze da se pokrene ni iz safe moda. Ovo dobijam



Zamenio sam u safe modu svchost.exe kopijom sa druge masine, posle toga se win digao bez pucanja explorera, uspeo da otvorim par strana koje IE nije hteo ranije da otvori. Stinger vise ne detektuje nista, videcemo kako ce se dalje ponasati sistem.