Dakle, problemi su počeli kada mi Akcijski centar u Windows 7 prestao raditi kao i Firewall.

Uz pomoć WimMounta sam popravio firewall i koruptiranu datoteku dok mi Akcijski centar i dalje ne radi, (slika1). Pokušao sam razne metode i na kraju sam dva sata skenirao računalo sa Microsoft Safety Scannerom te je on pronašao spomenutog trojanca i nije ga se uspio riješiti. Kao ni avast ni Malwarebytes anti-malware.

Išao sam i ručno po uputama da ugasim proces Backdoor.Win32.IRCBot.fx te iz regitrya uklonim sljedeće:

HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN\ XTray.exe
HKEY_LOCAL_MACHINESOFTWAREMICROSOFTWINDOWSCURRENTVERSIONRUN XTray.exe

No nakon šta je Microsoft Safety Scanner obavio posao toga nema iako je rečeno da taj trojanac nije izbrisan.

Pa ako je netko riješio problem oko tog trojanca bio bi zahvalan na savjetu....

http://www.bug.hr/forum/topic/sigurnosni-softver/ultimativna-antivirus-tema-po/12723.aspx?page=637

 javi se tamo.

lp.

Dali si probao iz nekog live linuxa skenirati?

Pravio avira rescue cd?

Probao, ništa avira cd nije riješio...

Tada sam išao na ručno po uputama dole iako tih stavki kod mene nije bilo osim boldane RunOnce. Nakon brisanja tog djela iz rigistya Microsoft Safety Scanner nije više našao i prijavljivioa tragove spomenutog trojanca

    1. Boot your computer into safe mode to close all running processes.
    2. Remember to back up your system before making any changes for future restore job when necessary.
    3. Remove these Backdoor.Win32.IRCBot.fx files:
    %Documents and Settings%\[UserName]\Start Menu\ About.lnk
    %Documents and Settings%\[UserName]\Desktop\Protection Center.lnk
    4. Open Registry Editor to delete the following registry entries:
    HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon 'Shell' = '%UserProfile%\Application Data\antispy.exe'
   HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
    HKEY_CURRENT_USER\ Software\ Microsoft \Windows\ CurrentVersion
    HKEY_LOCAL_MACHINE\SOFTWARE\Malware Defense
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run 'Protection Center'
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run '[random string]'
    HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Download 'RunInvalidSignatures' ='1'
    5. It is possibly for Backdoor.Win32.IRCBot.fx to load by hiding within the system WIN.INI file and the strings "run=" and "load=". So you must check carefully in order to thoroughly remove it from your computer.
    6 It is necessary for you t clean the IE temporary files where the original carrier may store.

Iako i dalje mi je onemogućen Akcijski centar u taskbaru u Windowsima, (slika1) no pogledom u njega u control panelu sve je uključeno...(slka2)

  uradi ovako i kopiraj logove da pogledam

Evo ga OTS

http://speedy.sh/xczPp/OTS.Txt

A ovo je log od RKa

http://speedy.sh/CUYZG/RKreport-1.txt

otvori OTS i ovo kopiraj u prazno polje

[Kill All Processes]
[Unregister Dlls]
[Registry - Safe List]
< Internet Explorer Settings [HKEY_USERS\S-1-5-21-999034565-2869669309-4251437818-1000\] > ->
YN -> HKEY_USERS\S-1-5-21-999034565-2869669309-4251437818-1000\: Main\\"Start Page Redirect Cache_TIMESTAMP" -> BD 86 66 7F 15 9A CB 01 [binary data]
< 64bit-BHO's [HKEY_LOCAL_MACHINE] > -> 64bit-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
YN -> {3706EE7C-3CAD-445D-8A43-03EBC3B75908} [HKLM] -> Reg Error: Key error. [Expat Shield Class]
< Internet Explorer ToolBars [HKEY_USERS\S-1-5-21-999034565-2869669309-4251437818-1000\] > -> HKEY_USERS\S-1-5-21-999034565-2869669309-4251437818-1000\Software\Microsoft\Internet Explorer\Toolbar\
YN -> WebBrowser\\"{D4027C7F-154A-4066-A1AD-4243D8127440}" [HKLM] -> Reg Error: Key error. [Reg Error: Key error.]
< 64bit-SSODL [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
YN -> "{E6FB5E20-DE35-11CF-9C87-00AA005127ED}" [HKLM] -> Reg Error: Key error. [WebCheck]
< SSODL [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
YN -> "{E6FB5E20-DE35-11CF-9C87-00AA005127ED}" [HKLM] -> Reg Error: Key error. [WebCheck]
< MountPoints2 [HKEY_CURRENT_USER] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2
YN -> \G\shell\\"" -> [AutoRun]
YN -> \G\shell\AutoRun\command\\"" -> [G:\autorun.exe]
YN -> \H\shell\\"" -> [AutoRun]
YN -> \H\shell\AutoRun\command\\"" -> [H:\setup.exe]
[Registry - Additional Scans - Safe List]
< 64bit-Disabled MSConfig Registry Items [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\
YN -> Malwarebytes' Anti-Malware hkey=Reg Error: Value error. key=Reg Error: Value error. -> Reg Error: Value error.
< SafeBoot-Minimal Settings > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\
YN -> 81547168.sys -> Driver
YN -> 84877701.sys -> Driver
< 64bit-SafeBoot-Network Settings > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\
YN -> hitmanpro36 -> Reg Error: Value error.
YN -> hitmanpro36.sys -> Reg Error: Value error.
< SafeBoot-Network Settings > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\
YN -> hitmanpro36 -> Reg Error: Value error.
YN -> hitmanpro36.sys -> Reg Error: Value error.
[Files/Folders - Created Within 30 Days]
NY -> 105cf017 -> C:\Users\Domagoj\AppData\Local\105cf017
NY -> 5 C:\Windows\*.tmp files -> C:\Windows\*.tmp
NY -> 20 C:\Windows\SysWow64\*.tmp files -> C:\Windows\SysWow64\*.tmp
NY -> 1 C:\Users\Domagoj\AppData\Local\*.tmp files -> C:\Users\Domagoj\AppData\Local\*.tmp
[Files/Folders - Modified Within 30 Days]
NY -> 5 C:\Windows\*.tmp files -> C:\Windows\*.tmp
NY -> 20 C:\Windows\SysWow64\*.tmp files -> C:\Windows\SysWow64\*.tmp
NY -> 1 C:\Users\Domagoj\AppData\Local\*.tmp files -> C:\Users\Domagoj\AppData\Local\*.tmp
[Files - No Company Name]
NY -> ParetoLogic Registration3.job -> C:\Windows\tasks\ParetoLogic Registration3.job
NY -> ParetoLogic Update Version3.job -> C:\Windows\tasks\ParetoLogic Update Version3.job
[Alternate Data Streams]
NY -> @Alternate Data Stream - 122 bytes -> C:\ProgramData\TEMP:A1063995
[Purity]
[Empty Temp Folders]
[EmptyFlash]
[EmptyJava]
[CreateRestorePoint]
[Reboot]

-klik na RUN FIX

-log koji dobieš kopiraj

2. skini combofix i spremi na desktop

-isključi antivirus

-pokreni combofix i na sve što traži odgovori potvrdno

-log kopiraj

http://answers.microsoft.com/en-us/windows/forum/windows_7-security/cant-turn-on-action-center-and-power-icons/11f82c05-018d-43b5-9cfa-79c287aac953

Zadnji post govori kako da to popraviš...

Ništa ne govori taj post jer to ne funkcionira!!

OTS

http://speedy.sh/7NWb6/03232012-141030.log

Combofix

http://speedy.sh/K7dT4/ComboFix.txt

Nakon ove zadnje operacije ne radi ni jedna igra, (ni originali ni pirati), mnogi programi...

Veća slika

  SystemLook

64-bit 

skini system look i spremi na desktop, pokreni program i ovo kopiraj u prazno polje

:filefind
afd.sys
:reg
HKEY_LOCAL_MACHINE\system\CurrentControlSet\Services\afd /s

klik na LOOK

kada scan završi izbacit će log kojeg ćeš kopirati   SystemLook.txt

afd.sys je modificiran i postoji velika vjerojatnost da je inficiran, ako ovaj program pronađe još koju kopiju na računalu, zamjenit ćemo je preko combofix-a

  2. TDSSKiller.exe

skini ovaj program i spremi na desktop

-pokreni program i ako zatraži restart dozvoli

-log se nalazi u c:/ i izgleda otprilike ovako

C:\TDSSKiller.2.4.7_23.07.2010_15.31.43_log.txt

-log kopiraj

  samo restartiraj računalo i opet će bit sve ok

Systemlook

http://speedy.sh/ZexAq/SystemLook.txt

TDSS

http://speedy.sh/dWMxA/TDSSKiller.2.7.22.0-23.03.2012-15.12.19-log.txt

  pronađi ova dva file-a i uploadaj ih na Jotti's malware scan

rezultate kopiraj

C:\Windows\SysWow64\pdftk.exe
C:\Windows\SysWow64\ptj.exe

pdftk

http://virusscan.jotti.org/en/scanresult/24d360788905d31579db8f6c5eb0284d70187754/515b2201cc33c2f11f44a8e0e1da3bc94e91bcee

ptj

http://virusscan.jotti.org/en/scanresult/7af1ec5fc4471e9f0d7bb19fd075c1b92324682d/ce0a6686335daed05002045abc345536e4cac126

  afd.sys ima odgvarajući md5 , ali zato nema odgovarajući registri unos

[HKEY_LOCAL_MACHINE\system\CurrentControlSet\Services\afd]
"BootFlags"= 0x0000000001 (1)
"DisplayName"="@%systemroot%\system32\drivers\afd.sys,-1000"
"Group"="PNP_TDI"
"ImagePath"="\SystemRoot\system32\drivers\afd.sys"
"Description"="@%systemroot%\system32\drivers\afd.sys,-1000"
"ErrorControl"= 0x0000000001 (1)
"Start"= 0x0000000001 (1)
"Type"= 0x0000000001 (1)

[HKEY_LOCAL_MACHINE\system\CurrentControlSet\Services\afd\Parameters]
(No values found)

[HKEY_LOCAL_MACHINE\system\CurrentControlSet\Services\afd\Enum]
"0"="Root\LEGACY_AFD\0000"
"Count"= 0x0000000001 (1)
"NextInstance"= 0x0000000001 (1)

skini ovaj .reg i spremi na desktop

-desni klik mišem na .reg i klik na merge

-restartiraj računalo

2. farbar service scanner 

-skini program i spremi na desktop

-sve označi i klik na scan, kad zavši scan log koji dobiješ kopiraj

FSS.txt

combofix nam više neće trebati, i mislim da bi sad trebalo biti sve ok

kako radi računalo ?

Farbar Service Scanner Version: 01-03-2012
Ran by Domagoj (administrator) on 23-03-2012 at 15:41:22
Running from "C:\Users\Domagoj\Desktop"
Microsoft Windows 7 Ultimate  Service Pack 1 (X64)
Boot Mode: Normal
****************************************************************

Internet Services:
============

Connection Status:
==============
Localhost is accessible.
LAN connected.
WAN connected
Google IP is accessible.
Yahoo IP is accessible.


Windows Firewall:
=============

Firewall Disabled Policy:
==================


System Restore:
============

System Restore Disabled Policy:
========================


Action Center:
============

Windows Update:
============

Windows Defender:
==============
WinDefend Service is not running. Checking service configuration:
The start type of WinDefend service is set to Demand. The default start type is Auto.
The ImagePath of WinDefend service is OK.
The ServiceDll of WinDefend service is OK.


Windows Defender Disabled Policy:
==========================
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender]
"DisableAntiSpyware"=DWORD:1


File Check:
========
C:\Windows\System32\nsisvc.dll => MD5 is legit
C:\Windows\System32\drivers\nsiproxy.sys => MD5 is legit
C:\Windows\System32\dhcpcore.dll => MD5 is legit
C:\Windows\System32\drivers\afd.sys => MD5 is legit
C:\Windows\System32\drivers\tdx.sys => MD5 is legit
C:\Windows\System32\Drivers\tcpip.sys => MD5 is legit
C:\Windows\System32\dnsrslvr.dll => MD5 is legit
C:\Windows\System32\mpssvc.dll => MD5 is legit
C:\Windows\System32\bfe.dll => MD5 is legit
C:\Windows\System32\drivers\mpsdrv.sys => MD5 is legit
C:\Windows\System32\SDRSVC.dll => MD5 is legit
C:\Windows\System32\vssvc.exe => MD5 is legit
C:\Windows\System32\wscsvc.dll => MD5 is legit
C:\Windows\System32\wbem\WMIsvc.dll => MD5 is legit
C:\Windows\System32\wuaueng.dll => MD5 is legit
C:\Windows\System32\qmgr.dll => MD5 is legit
C:\Windows\System32\es.dll => MD5 is legit
C:\Windows\System32\cryptsvc.dll => MD5 is legit
C:\Program Files\Windows Defender\MpSvc.dll => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\System32\rpcss.dll => MD5 is legit


**** End of log ****

______________-

Inače računalo radi uredno.

A vidio sam da pod servisima nedostaje windows security center servis - slika

Akcijski centar je i dalje onemogućen.

A kada u command promptu odradim sfc /scannow nađe jednu koruptiranu datoteku koju nemože ispravit. Sada sam ga pokrenuo da vidim kako se zove jer sam zaboravio

wscsvc.reg

skini ovaj reg i spremi na desktop, klik na merge

pogledaj u services da li se pojavio security center

Nije....

_______________________

Evo CBS log

http://speedy.sh/P3mvN/CBS.log

Pretty_Peacock.jpg - sada pokazuje ovu datoteku, a znam da je prije bio problem u drugoj!

Total koja si struka?

Našo sam ga pod Security Center! Ali i dalje ne funkcionira Akcijski centar na taskbaru. ALi nema veze ako sve funkcionira....

SLIKA

  pokeni systemlook i ovo kopiraj u prazno polje

:filefind
wscsvc

:reg
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\wscsvc /s

Evo ga..

http://speedy.sh/xcQhp/SystemLook.txt

  ajmo probat još ovo

ponovo skini wscsvc.reg i spremi na desktop

-desn klik mišem na   wscsvc.reg >>klik na merge

-restart

nakon restarta

-start/search/ u search polje upiši regedit i potvrdi
-pronađi ovaj ključ HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\wscsvc
-desni klik mišem na wscsvc , klik na "Permissions"
-klik na ADD i upiši Everyone >>klik na OK
-sad klik na Everyone
-u premisions panelu označi "Alow" u "Full control" redu

ako ni to ne pomogne

skini ovaj program i spremi na desktop

otvori advanced tab, označi kao na slici, označi restart system when finish i klik na start

javi kako je

možeš izbrisati OTS, combofix i ostale alate koje smo koristili

otvori OTS i klik na clean up

OTS će pobristai sebe i većinu alata, a ako je što ostalo, samo s mišm odvuci u smeće

Ni nakon pokušaja iz zadnjeg posta niema WSC u servisima...

Svejedno puno hvala!

Razmišljo sam o ponovnoj instalaciji Windowsa, ali to ne dolazi u obzir. Ne tako skoro...

Di si ovo pokupija? Da nebi ja slucajno jer mi je ocajna zastita racunala :/

Pojma nemam...

  šteta što zadnji korak nije uspio, a trebao bi....

zanimljivo,prema farbar service scaneru svi servisi su ok ,i ne bi trebalo uopće biti problema s securit centrom

jedno je sigurno, virusa nemaš na računalu    

To je najbitnije.... Hvala....