Infekcija laznim antivirusom

• 0Niko još nije pohvalio poruku.
  Registruj se da bi pohvalio/la poruku!

Evo po preporuci javljam se u Ambulantu.

zak280173 ::Da ne otvaram posebnu temu....
Da li je neko mozda imao problem sa "laznim" antivirusom ?
Pre jedno sat vremena me pozvao brat i pita me sta da radi. Ne znam odakle mu ideja da bih ja znao
Evo sta mi je ispricao.
Dok je surfovao i trazio neki sajt (na Gugletu) u fazonu limunda (dakle, kupujem -- prodajem), kaze da mu se iznenada pojavio prozor i poceo da skenira racunar i to program koji nit je instalirao niti je ikad cuo za njega.
Naravno sad mu je blokirao izlaz na internet (osim na sajt za koji postoji link na prozoru tog "antivirusa") i svi moguci programi koji se nalaze u kompu su mu navodno proglaseni zarazenim i naravno blokirani.
Taj navodni antivirus se zove AvaSoft Profesional Antivirus 3.7.30
Da bih mu pomogao pokusao sam na internetu da mu nadjem resenje pa da mu javim ali ono sto sam nasao mi ne uliva nikakvu nadu da se moze iole lako ratosiljati te stetocine

Zato i pitam jel ima neko mozda iskustva sa tim laznim antivirusom ?

Trenutno sam kod brata pa da vidimosta nam je ciniti....
Da li je potrebno jos neki podatak.... vezano mozda za racunar ili....

• 0Niko još nije pohvalio poruku.
  Registruj se da bi pohvalio/la poruku!

Napisano: 01 Apr 2013 17:50

Pozdrav,

Za pocetak probaj da ispratis uputstvo i dostavis izvestaje

[Link mogu videti samo ulogovani korisnici]

Opisi malo detaljnije kako se ponasa racunar. Kazes da brauzer radi samo za stranicu, koji brauzer tacno?

Dopuna: 01 Apr 2013 18:31

Ako ne mozes da pokrenes DDS, probaj da ga preimenujes u iexplore.exe pa onda da ga pokrenes...

• 0Niko još nije pohvalio poruku.
  Registruj se da bi pohvalio/la poruku!

Uloguj se preko Facebooka da bi skinuo fajl:

Pokusao sam da otvorim ovaj DDS fajl ali nema teoretske sanse neda ni kao preimenovanu verziju (iexplor.exe). Da li vrede ovi textualni fajlovi uradjeni u safe modu ? Tu sam uspeo da ih uradim ali neznam da li nesto vrede...

Da jos dodam da buraz na tom kompu koristi mal te ne iskljucivo internet explorer 8 i da koristi telenorov internet (popularnu "flesku" od 3.6Mb/s) nazalost u tom trenutku nije imao ni jedan antivirus instaliran...
I da ne bude zabune, ovo pisem sa drugog kompa.

Evo DDSa

DDS (Ver_2012-11-20.01) - FAT32_x86 NETWORK
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 10.7.2
Run by rade at 18:51:17 on 2013-04-01
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.782 [GMT 2:00]
.
AV: AVG Anti-Virus Free Edition 2012 *Enabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
AV: Microsoft Security Essentials *Enabled/Outdated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
.
============== Running Processes ================
.
C:\WINDOWS\system32\userinit.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\wbem\wmiprvse.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\System32\svchost.exe -k NetworkService
C:\WINDOWS\System32\svchost.exe -k LocalService
.
============== Pseudo HJT Report ===============
.
uStart Page = about:blank
uSearch Bar = [Link mogu videti samo ulogovani korisnici]
uSearch Page = [Link mogu videti samo ulogovani korisnici]
mSearchAssistant = [Link mogu videti samo ulogovani korisnici]
uURLSearchHooks: ICQToolBar: {855F3B16-6D32-4fe6-8A56-BBB695989046} - c:\program files\icq6toolbar\ICQToolBar.dll
uURLSearchHooks: SweetIM For Internet Explorer: {BC4FFE41-DE9F-46fa-B455-AAD49B9F9938} - LocalServer32 - <no file>
uURLSearchHooks: <No Name>: - LocalServer32 - <no file>
BHO: &Yahoo! Toolbar Helper: {02478D38-C3F9-4efb-9B51-7695ECA05670} - c:\program files\yahoo!\companion\installs\cpn2\yt.dll
BHO: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: SWEETIE Class: {1A0AADCD-3A72-4b5f-900F-E3BB5A838E2A} - LocalServer32 - <no file>
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049C3E9-B461-4BC5-8870-4C09146192CA} - c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\ie\rpbrowserrecordplugin.dll
BHO: AVG Safe Search: {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - LocalServer32 - <no file>
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - <orphaned>
BHO: Java(tm) Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - c:\program files\java\jre7\bin\ssv.dll
BHO: blekko search bar: {8769adce-dba5-48e9-afb5-67b12cdf2e61} - c:\program files\blekkotb_031\blekkotb_019X.dll
BHO: Windows Live Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - <orphaned>
BHO: AVG Security Toolbar: {95B7759C-8C7F-4BF1-B163-73684A933233} - c:\program files\avg secure search\14.2.0.1\AVG Secure Search_toolbar.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - c:\program files\java\jre7\bin\jp2ssv.dll
BHO: SingleInstance Class: {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - c:\program files\yahoo!\companion\installs\cpn2\YTSingleInstance.dll
TB: Yahoo! Toolbar: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - c:\program files\yahoo!\companion\installs\cpn2\yt.dll
TB: SweetIM For Internet Explorer: {BC4FFE41-DE9F-46FA-B455-AAD49B9F9938} - LocalServer32 - <no file>
TB: <No Name>: {E7DF6BFF-55A5-4EB7-A673-4ED3E9456D39} - LocalServer32 - <no file>
TB: DAEMON Tools Toolbar: {32099AAC-C132-4136-9E9A-4E364A424E17} - LocalServer32 - <no file>
TB: Yahoo! Toolbar: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - c:\program files\yahoo!\companion\installs\cpn2\yt.dll
TB: SweetIM For Internet Explorer: {BC4FFE41-DE9F-46fa-B455-AAD49B9F9938} - LocalServer32 - <no file>
TB: ICQToolBar: {855F3B16-6D32-4fe6-8A56-BBB695989046} - c:\program files\icq6toolbar\ICQToolBar.dll
TB: AVG Security Toolbar: {95B7759C-8C7F-4BF1-B163-73684A933233} - c:\program files\avg secure search\14.2.0.1\AVG Secure Search_toolbar.dll
TB: blekko search bar: {8769adce-dba5-48e9-afb5-67b12cdf2e61} - c:\program files\blekkotb_031\blekkotb_019X.dll
TB: DAEMON Tools Toolbar: {32099AAC-C132-4136-9E9A-4E364A424E17} - LocalServer32 - <no file>
EB: {32683183-48a0-441b-a342-7c2a440a9478} - <orphaned>
EB: {4528BBE0-4E08-11D5-AD55-00010333D0AD} - <orphaned>
EB: {4528BBE0-4E08-11D5-AD55-00010333D0AD} - <orphaned>
EB: ICQToolBar: {855F3B16-6D32-4fe6-8A56-BBB695989046} - c:\program files\icq6toolbar\ICQToolBar.dll
uRun: [CTFMON.EXE] c:\windows\system32\ctfmon.exe
uRun: [Facebook Update] "c:\documents and settings\rade\local settings\application data\facebook\update\FacebookUpdate.exe" /c /nocrashserver
uRunOnce: [2A3623675DEF180300002A35F9351BBA] c:\documents and settings\all users\application data\2a3623675def180300002a35f9351bba\2A3623675DEF180300002A35F9351BBA.exe
mRun: [LVCOMS] c:\program files\common files\logitech\qcdriver3\LVCOMS.EXE
mRun: [AGRSMMSG] AGRSMMSG.exe
mRun: [LogitechGalleryRepair] c:\program files\logitech\imagestudio\ISStart.exe
mRun: [LogitechImageStudioTray] c:\program files\logitech\imagestudio\LogiTray.exe
mRun: [FineReader7NewsReaderPro] "c:\program files\abbyy finereader 7.0 professional edition\AbbyyNewsReader.exe"
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [Omnipage] c:\program files\scansoft\omnipagese\opware32.exe
mRun: [ClocX] c:\program files\clocx\ClocX.exe
mRun: [lxccmon.exe] "c:\program files\lexmark 3300 series\lxccmon.exe"
mRun: [FaxCenterServer] "c:\program files\lexmark fax solutions\fm3032.exe" /s
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [TkBellExe] "c:\program files\real\realplayer\update\realsched.exe" -osboot
mRun: [LXCCCATS] rundll32 c:\windows\system32\spool\drivers\w32x86\3\LXCCtime.dll,_RunDLLEntry@16
mRun: [vProt] "c:\program files\avg secure search\vprot.exe"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [Anti-phishing Domain Advisor] "c:\documents and settings\all users\application data\anti-phishing domain advisor\visicom_antiphishing.exe"
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\apcups~1.lnk - c:\program files\apc\apc powerchute personal edition\Display.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
mPolicies-Windows\System: Allow-LogonScript-NetbiosDisabled = dword:1
mPolicies-Explorer: NoDriveTypeAutoRun = dword:145
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: Save with Download Manager... - c:\program files\j river\media center\DMDownload.htm
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - LocalServer32 - <no file>
IE: {6224f700-cba3-4071-b251-47cb894244cd} - c:\progra~1\icq\ICQ.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503}
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {E59EB121-F339-4851-A3BA-FE49C35617C2} - c:\program files\icq6.5\ICQ.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
.
INFO: HKCU has more than 50 listed domains.
If you wish to scan all of them, select the 'Force scan all domains' option.
.
DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - [Link mogu videti samo ulogovani korisnici]
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - [Link mogu videti samo ulogovani korisnici]
DPF: {5D69485C-EAB1-42AE-93C1-B5A53F238C5A} - [Link mogu videti samo ulogovani korisnici]
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - [Link mogu videti samo ulogovani korisnici]
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - [Link mogu videti samo ulogovani korisnici]
DPF: {73848533-39E1-49F1-9363-28054268C094} - [Link mogu videti samo ulogovani korisnici]
DPF: {76326493-E84F-4D4B-939C-1E07B50037F2} - [Link mogu videti samo ulogovani korisnici]
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - [Link mogu videti samo ulogovani korisnici]
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - [Link mogu videti samo ulogovani korisnici]
DPF: {A4639D2F-774E-11D3-A490-00C04F6843FB} - [Link mogu videti samo ulogovani korisnici]
DPF: {A7C346A3-B076-46B3-97F0-D00F6B479451} - [Link mogu videti samo ulogovani korisnici]
DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} - [Link mogu videti samo ulogovani korisnici]
DPF: {CAFEEFAC-0014-0001-0001-ABCDEFFEDCBA} - [Link mogu videti samo ulogovani korisnici]
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - [Link mogu videti samo ulogovani korisnici]
DPF: {EF58E341-49C3-4156-A3C4-5FFCA7C1EAB7} - [Link mogu videti samo ulogovani korisnici]
TCP: Interfaces\{F9237C1C-EEE5-4E59-AE4D-6CF9024074D3} : DHCPNameServer = 192.168.1.2
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - LocalServer32 - <no file>
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\program files\common files\skype\Skype4COM.dll
Handler: viprotocol - {B658800C-F66E-4EF3-AB85-6C0C227862A9} - c:\program files\common files\avg secure search\viprotocolinstaller\14.2.0\ViProtocol.dll
Name-Space Handler: HTTPS\ZDA - <Clsid value has no data>
Hosts: 127.0.0.1 mpa.one.microsoft.com
.
============= SERVICES / DRIVERS ===============
.
R0 si3112r;Silicon Image SiI 3112 SATARaid Controller;c:\windows\system32\drivers\Si3112r.sys [2002-9-25 81969]
R1 avgtp;avgtp;c:\windows\system32\drivers\avgtpx86.sys [2012-11-8 33112]
R1 kbfilter;Keyboard Filter Driver;c:\windows\system32\drivers\kbfilter.sys [2003-8-29 11864]
S0 AVGIDSEH;AVGIDSEH;c:\windows\system32\drivers\avgidseh.sys --> c:\windows\system32\drivers\AVGIDSEH.Sys [?]
S0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys --> c:\windows\system32\drivers\avgrkx86.sys [?]
S0 hptpro;hptpro;c:\windows\system32\drivers\hptpro.sys [2002-10-16 9458]
S1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys --> c:\windows\system32\drivers\avgldx86.sys [?]
S1 Avgmfx86;AVG Mini-Filter Resident Anti-Virus Shield;c:\windows\system32\drivers\avgmfx86.sys --> c:\windows\system32\drivers\avgmfx86.sys [?]
S1 Avgtdix;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys --> c:\windows\system32\drivers\avgtdix.sys [?]
S1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2011-4-18 165648]
S2 ICQ Service;ICQ Service;c:\program files\icq6toolbar\ICQ Service.exe [2009-6-6 222456]
S2 MarxDev1;MarxDev1;c:\windows\system32\drivers\MARXDEV1.SYS [2006-1-22 8864]
S2 MarxDev2;MarxDev2;c:\windows\system32\drivers\MARXDEV2.SYS [2006-1-22 8864]
S2 MarxDev3;MarxDev3;c:\windows\system32\drivers\MARXDEV3.SYS [2006-1-22 8864]
S2 NNServ;NNServ;"c:\program files\newdotnet\nnrun.exe" "c:\program files\newdotnet\nncore.dll" servicestart --> c:\program files\newdotnet\nnrun.exe [?]
S2 nvtvSND;nVidia WDM TVAudio Crossbar;c:\windows\system32\drivers\nvtvsnd.sys --> c:\windows\system32\drivers\nvtvsnd.sys [?]
S2 PCToolsSSDMonitorSvc;PC Tools Startup and Shutdown Monitor service;c:\program files\common files\pc tools\smonitor\StartManSvc.exe [2012-2-26 632792]
S2 SkypeUpdate;Skype Updater;c:\program files\skype\updater\Updater.exe [2013-2-28 161384]
S2 Tdlpt;Tdlpt;c:\windows\system32\drivers\TDLPT.SYS [2006-1-22 8012]
S2 vToolbarUpdater14.2.0;vToolbarUpdater14.2.0;c:\program files\common files\avg secure search\vtoolbarupdater\14.2.0\ToolbarUpdater.exe [2013-2-20 968880]
S3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\avgidsdriver.sys --> c:\windows\system32\drivers\AVGIDSDriver.Sys [?]
S3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\drivers\avgidsfilter.sys --> c:\windows\system32\drivers\AVGIDSFilter.Sys [?]
S3 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\avgidsshim.sys --> c:\windows\system32\drivers\AVGIDSShim.Sys [?]
S3 hwusbdev;Huawei DataCard USB PNP Device;c:\windows\system32\drivers\ewusbdev.sys [2010-9-2 100480]
S3 iadusb;MT882;c:\windows\system32\drivers\glauiad.sys [2007-2-27 30336]
S3 PhTVTune;TVFM WDM TVTuner (SAA713x);c:\windows\system32\drivers\PhTVTune.sys [2003-8-29 20352]
S3 usb2vcom;USB Data Cable;c:\windows\system32\drivers\usb2vcom.sys [2009-8-23 22760]
.
=============== File Associations ===============
.
ShellExec: vmidi.exe: open="c:\program files\vanbasco's karaoke player\vmidi.exe"
ShellExec: vmidi.exe: play="c:\program files\vanbasco's karaoke player\vmidi.exe"
.
=============== Created Last 30 ================
.
2013-03-31 14:34:00 -------- d-----w- c:\documents and settings\all users\application data\2A3623675DEF180300002A35F9351BBA
.
==================== Find3M ====================
.
2024-03-21 11:44:18 246272 ----a-w- c:\windows\UNINST16.EXE
2013-02-20 16:56:12 33112 ----a-w- c:\windows\system32\drivers\avgtpx86.sys
2013-01-29 10:01:50 1409 ----a-w- c:\windows\QTFont.for
2004-07-30 09:15:02 12205536 ----a-w- c:\program files\acdsee.exe
2004-01-15 01:40:26 4954024 ----a-w- c:\program files\SetupDl.exe
2004-01-04 21:27:42 4610480 ----a-w- c:\program files\icqpro2003b.exe
.
============= FINISH: 18:51:48.87 ===============


A evo i attacha

[Link mogu videti samo ulogovani korisnici]

• 0Niko još nije pohvalio poruku.
  Registruj se da bi pohvalio/la poruku!

Ok, moraces sledeci alat da pokrenes iz Safe Mode.

Preuzmi ComboFix.

Pokreni ga i isprati uputstva. Ako restartuje racunar, obavezno da se vrati u Safe Mode kako bi mogao da zavrsi.

• 0Niko još nije pohvalio poruku.
  Registruj se da bi pohvalio/la poruku!

Na pocetku da se zhvalim na pruzenoj pomoci.

Danas sam se cuo sa bratom da bi se dogovorili kad da svratim da nastavimo sa resavanjem problema (da pokrenemo taj ComboFix). Medjutim, kaze on meni "ej bre, ja to resio " - ja zblaznut... Pitam ga kako i on mi objasni.
Imao je u kompu instaliran neki, ako sam ga dobro razumeo, registri kliner. Pokrenuo ga u sejf modu i ovaj mu izbacio neku listu rezultata kao "losih" on to obrisao i sad mu komp radi bez problema...

Iskreno ja sam i dalje u neverici....

Videcemo sta ce biti narednih dana...

U svakom slucaju, jos jednom da se zahvalim na pruzenoj pomoci.... (a mozda ce jos biti potrebna )

• 0Niko još nije pohvalio poruku.
  Registruj se da bi pohvalio/la poruku!

Svakako bi trebao da postavis nove izvestaje iz Normalnog moda, da bi se uverili da je sve u redu...