Jos jedna zrtva virusa sa fejsa

1

Jos jedna zrtva virusa sa fejsa

offline
  • Pridružio: 20 Avg 2011
  • Poruke: 8

Dobro vece...Malo mi je lakse sto nisam jedina kojoj se ovo desilo. Juce mi je prijatelj na fb poslao poruku Hi i kasnije link, na koji sam naravno GUZ - Glavom U Zid otisla i skinula Flash Player, u tom trenutku mi je McAfree registrovao Trojan virus i restartovao se komp. Uspela sam nakon toga da odem na fb i tad su mi svi prijatelji koji su bili online poceli da salju poruke na chatu, al na srpskom, tipa Cao, sta ima, gde si? A ja njima svima "odgovaram" sa Hi. Odmah sam se izlogovala i od tad ne mogu da udjem na fb stranicu. Otisla sam sa mobilnog i uspela sam da udjem al sam videla u porukama da je nastavio da salje poruku Hi ostalim prijateljima, pa sam stavila na status Obavestenje...medjutim i dalje salje poruke iste sadrzine. Pokusala sam da instaliram antivirus Nod, Avg, Alvira u komp, ali bezuspesno, tako da su sad ostale ikonice koje nece da se izbrisu. Zato trazim pomoc.. Smile Koristim Sbb internet, preko adaptera: Wireless G USB Adapter, TP-LINK, 54.0 Mbps. Sistem 32-bitni windows. Procitala sam uputstvo, ali ne snalazim se najbolje sa techom, ali cu dati sve od sebe!

Izvestaj dds.txt


.
DDS (Ver_2011-06-23.01) - NTFSx86
Internet Explorer: 6.0.2900.5512
Run by Personal Computer at 19:57:10 on 2011-08-20
Microsoft Windows XP Professional 5.1.2600.3.1250.381.1033.18.247.38 [GMT 2:00]
.
AV: Avira AntiVir PersonalEdition *Enabled/Outdated* {C19476D9-52BC-4E93-8AF3-CCF59F7AE8FE}
AV: ESET NOD32 Antivirus 4.2 *Enabled/Updated* {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\acs.exe
C:\Program Files\Application Updater\ApplicationUpdater.exe
C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
C:\WINDOWS\update.7.1\svchostdriver.exe
C:\WINDOWS\update.5.0\svchost.exe srv
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\RunDll32.exe
C:\Program Files\TP-LINK\TP-LINK Wireless Client Utility\TWCU.exe
C:\Program Files\Common Files\Spigot\Search Settings\SearchSettings.exe
"C:\WINDOWS\update.tray-9-0\svchost.exe"
"C:\WINDOWS\update.tray-2-0\svchost.exe"
"C:\WINDOWS\update.tray-8-0\svchost.exe"
C:\WINDOWS\l1rezerv.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\update.2\2259.exe
"C:\WINDOWS\update.5.0\svchost.exe" stand
C:\WINDOWS\sysdriver32.exe
C:\Program Files\IVT Corporation\BlueSoleil\StartSkysolSvc.exe
C:\WINDOWS\update.1\svchost.exe srv
C:\WINDOWS\update.2\2259.exe
"C:\WINDOWS\update.tray-2-0-lnk\svchost.exe" tray 2-0 1
C:\WINDOWS\ufa\ufa.exe
C:\Documents and Settings\Personal Computer\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Personal Computer\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Personal Computer\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Personal Computer\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Personal Computer\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\WINDOWS\update.7.1\svchostdriver.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://start.jdownloader.com/
uURLSearchHooks: YouTube Downloader Toolbar: {f3fee66e-e034-436a-86e4-9690573bee8a} - c:\program files\youtube downloader toolbar\ie\4.5\youtubedownloaderToolbarIE.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: CescrtHlpr Object: {2eecd738-5844-4a99-b4b6-146bf802613b} - c:\program files\babylontoolbar\babylontoolbar\1.4.19.19\bh\BabylonToolbar.dll
BHO: Skype Plug-In: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: YouTube Downloader Toolbar: {f3fee66e-e034-436a-86e4-9690573bee8a} - c:\program files\youtube downloader toolbar\ie\4.5\youtubedownloaderToolbarIE.dll
TB: Babylon Toolbar: {98889811-442d-49dd-99d7-dc866be87dbc} - c:\program files\babylontoolbar\babylontoolbar\1.4.19.19\BabylonToolbarTlbr.dll
TB: YouTube Downloader Toolbar: {f3fee66e-e034-436a-86e4-9690573bee8a} - c:\program files\youtube downloader toolbar\ie\4.5\youtubedownloaderToolbarIE.dll
uRun: [CTFMON.EXE] c:\windows\system32\ctfmon.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe
mRun: [BabylonToolbar] "c:\program files\babylontoolbar\babylontoolbar\1.4.19.19\BabylonToolbarsrv.exe" /md I
mRun: [TWCU] "c:\program files\tp-link\tp-link wireless client utility\TWCU.exe" -nogui
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [<NO NAME>]
mRun: [SearchSettings] "c:\program files\common files\spigot\search settings\SearchSettings.exe"
mRun: [wxpdrv] c:\windows\services32.exe
mRun: [tray_ico]
mRun: [tray_ico0] c:\windows\update.tray-9-0\svchost.exe
mRun: [tray_ico1] c:\windows\update.tray-2-0\svchost.exe
mRun: [tray_ico2] c:\windows\update.tray-8-0\svchost.exe
mRun: [tray_ico3]
mRun: [tray_ico4]
mRun: [35595.exe] "c:\windows\temp\35595.exe"
mRun: [sysdriver32.exe] "c:\windows\sysdriver32.exe" rezerv
mRun: [sysdriver32_.exe] "c:\windows\sysdriver32_.exe" rezerv
mRun: [3556982.exe] "c:\docume~1\person~1\locals~1\temp\3556982.exe"
mRun: [5389775.exe] "c:\windows\temp\5389775.exe"
mRun: [9239863.exe] "c:\windows\temp\9239863.exe"
mRun: [l1rezerv.exe] "c:\windows\l1rezerv.exe"
mRun: [12839690-loader2.exe] "c:\windows\temp\12839690-loader2.exe"
mRun: [avgnt] "c:\program files\avira\antivir personaledition premium\avgnt.exe" /min
mRun: [egui] "c:\program files\eset\eset nod32 antivirus\egui.exe" /hide /waitservice
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
dRunOnce: [_nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N
StartupFolder: c:\docume~1\person~1\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\blueso~1.lnk - c:\program files\ivt corporation\bluesoleil\gprs.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\mcafee~1.lnk - c:\program files\mcafee security scan\2.0.189\SSScheduler.exe
uPolicies-explorer: ForceClassicControlPanel = 1 (0x1)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableSecureUIAPaths = 0 (0x0)
dPolicies-explorer: ForceClassicControlPanel = 1 (0x1)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
LSP: avsda.dll
TCP: DhcpNameServer = 89.216.1.30 89.216.1.50
TCP: Interfaces\{C3A01B7C-E8F1-407C-B2A2-3D0C938F65FC} : DhcpNameServer = 89.216.1.30 89.216.1.50
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\windows\system32\Skype4COM.dll
Notify: igfxcui - igfxsrvc.dll
.
============= SERVICES / DRIVERS ===============
.
R1 ehdrv;ehdrv;c:\windows\system32\drivers\ehdrv.sys [2010-12-21 115008]
R1 epfwtdir;epfwtdir;c:\windows\system32\drivers\epfwtdir.sys [2010-12-21 94872]
R2 Application Updater;Application Updater;c:\program files\application updater\ApplicationUpdater.exe [2011-6-24 393112]
R2 BT848;Conexant's BtPCI WDM Video Capture;c:\windows\system32\drivers\BT848.sys [2011-6-20 371349]
R2 ddservice;ddservice;c:\windows\update.7.1\svchostdriver.exe srv --> c:\windows\update.7.1\svchostdriver.exe srv [?]
R2 srvbtcclient;srvbtcclient;c:\windows\update.5.0\svchost.exe srv --> c:\windows\update.5.0\svchost.exe srv [?]
R2 srviecheck;srviecheck;c:\windows\update.2\2259.exe srv --> c:\windows\update.2\2259.exe srv [?]
R2 srvsysdriver32;srvsysdriver32;c:\windows\sysdriver32.exe srv --> c:\windows\sysdriver32.exe srv [?]
R2 Start BT in service;Start BT in service;c:\program files\ivt corporation\bluesoleil\StartSkysolSvc.exe [2007-12-27 51816]
R2 wxpdrivers;wxpdrivers;c:\windows\update.1\svchost.exe srv --> c:\windows\update.1\svchost.exe srv [?]
R3 AR9271;Wireless Network Adapter Service;c:\windows\system32\drivers\athuw.sys [2011-6-20 1714176]
S1 avgio;avgio;\??\c:\program files\avira\antivir personaledition premium\avgio.sys --> c:\program files\avira\antivir personaledition premium\avgio.sys [?]
S2 AntiVirMailService;AntiVir PersonalEdition Premium MailGuard;"c:\program files\avira\antivir personaledition premium\avmailc.exe" --> c:\program files\avira\antivir personaledition premium\avmailc.exe [?]
S2 AntiVirScheduler;AntiVir PersonalEdition Premium Scheduler;"c:\program files\avira\antivir personaledition premium\sched.exe" --> c:\program files\avira\antivir personaledition premium\sched.exe [?]
S2 AntiVirService;AntiVir PersonalEdition Premium Guard;"c:\program files\avira\antivir personaledition premium\avguard.exe" --> c:\program files\avira\antivir personaledition premium\avguard.exe [?]
S2 AntiVirUpgradeService;Avira Upgrade Service;"c:\windows\temp\avsetup_4e4fac9d\avupgsvc.exe" /tempstart:""c:\windows\temp\avsetup_4e4fac9d\setup.exe" /notempcleanup /crossupgrade" --> c:\windows\temp\avsetup_4e4fac9d\avupgsvc.exe [?]
S2 AVEService;AntiVir PersonalEdition Premium MailGuard helper service;"c:\program files\avira\antivir personaledition premium\avesvc.exe" --> c:\program files\avira\antivir personaledition premium\avesvc.exe [?]
S2 ekrn;ESET Service;"c:\program files\eset\eset nod32 antivirus\ekrn.exe" --> c:\program files\eset\eset nod32 antivirus\ekrn.exe [?]
S3 avgntflt;avgntflt;\??\c:\program files\avira\antivir personaledition premium\avgntflt.sys --> c:\program files\avira\antivir personaledition premium\avgntflt.sys [?]
S3 McComponentHostService;McAfee Security Scan Component Host Service;"c:\program files\mcafee security scan\2.0.189\mcchsvc.exe" --> c:\program files\mcafee security scan\2.0.189\McCHSvc.exe [?]
.
=============== Created Last 30 ================
.
2011-08-20 10:31:23 -------- d--h--w- c:\windows\update.tray-8-0-lnk
2011-08-20 10:31:23 -------- d--h--w- c:\windows\update.tray-8-0
2011-08-20 10:10:10 -------- d--h--w- c:\documents and settings\all users\application data\Common Files
2011-08-20 10:09:41 -------- d-----w- c:\documents and settings\all users\application data\MFAData
2011-08-19 17:39:23 -------- d--h--w- c:\windows\update.tray-2-0-lnk
2011-08-19 17:39:23 -------- d--h--w- c:\windows\update.tray-2-0
2011-08-19 14:19:40 232960 ----a-w- c:\windows\l1rezerv.exe
2011-08-19 14:18:50 -------- d-----w- c:\windows\ufa
2011-08-19 14:18:50 -------- d-----w- c:\windows\rpcminer
2011-08-19 14:18:50 -------- d-----w- c:\windows\phoenix
2011-08-19 14:16:35 -------- d--h--w- c:\windows\update.5.0
2011-08-19 14:15:07 -------- d--h--w- c:\windows\update.2
2011-08-19 14:14:40 246272 ----a-w- c:\windows\unrar.exe
2011-08-19 14:14:38 -------- d--h--w- c:\windows\update.7.1
2011-08-19 14:13:45 258048 ----a-w- c:\windows\sysdriver32_.exe
2011-08-19 14:13:30 258048 ----a-w- c:\windows\sysdriver32.exe
2011-08-19 14:13:03 -------- d-----w- c:\windows\av_ico
2011-08-19 14:11:51 -------- d--h--w- c:\windows\update.1
2011-08-19 14:11:50 -------- d--h--w- c:\windows\update.tray-9-0-lnk
2011-08-19 14:11:50 -------- d--h--w- c:\windows\update.tray-9-0
2011-08-19 14:01:14 1215488 ----a-w- c:\windows\services32.exe
2011-08-01 12:08:25 -------- d-----w- c:\program files\common files\Adobe Systems Shared
2011-07-31 15:39:01 -------- d-----w- c:\program files\GstarCAD2011Professional
.
==================== Find3M ====================
.
2011-06-27 00:53:51 411368 ----a-w- c:\windows\system32\deploytk.dll
2011-06-20 19:08:59 371349 ----a-w- c:\windows\system32\drivers\BT848.sys
.
============= FINISH: 19:57:44,03 ===============

Attach

mycity.rs/must-login.png

Gmer1

mycity.rs/must-login.png

Gmer2

mycity.rs/must-login.png

Gmer3

mycity.rs/must-login.png

Nadam se da je sve u redu?

offline
  • Fil  Male
  • Legendarni građanin
  • Pridružio: 11 Jun 2009
  • Poruke: 16586

Preuzmi sUBs-ov ComboFix sa sledeće adrese na Desktop:


Bleeping Computer
Klikni desnim tasterom na link i odaberi opciju Save Target As... (Save Link As..., Save Linked Content As... ili sličnu);
Kada se otvori dijalog za izbor lokacije na kojoj treba sačuvati file, odaberi Desktop i klikni Save.




Kada preuzimanje programa bude završeno:
deaktiviraj zaštitni softver (uputstvo);
zatvori pokrenute programe;
dvoklikom pokreni program ComboFix;
u prozoru koji se otvori klikni "I Agree".

U toku rada, ComboFix će:proveriti postoji li novija verzija programa:
klikni Yes ako bude ponuđeno preuzimanje iste.
ako Recovery Console nije instalirana, ponuditi instalaciju:
obavezno prihvati klikom na Yes i isprati postupak.
postaviti/dati određeni broj upita/obaveštenja:
prihvati klikom na Yes ili OK.
po potrebi, restartovati Windows (više puta);
na kraju rada, otvoriti Notepad sa izveštajem o skeniranju.


Iskopiraj izveštaj koji je ComboFix napravio u temu na forumu:
klikni desnim tasterom miša u prozor Notepad-a i izaberi Select All;
klikni desnim tasterom miša na obeleženi tekst i izaberi Copy;
klikni desnim tasterom miša u polje za pisanje poruke i izaberi Paste.


Napomena:Izveštaj će biti sačuvan pod nazivom ComboFix.txt na sistemskoj particiji (tipična lokacija: C:\ComboFix.txt);
Ukoliko nakon slanja poruke primetiš da izveštaj nije kompletan, iskoristi opciju Prikači fajl za prilaganje file-a C:\ComboFix.txt uz poruku.

offline
  • Pridružio: 20 Avg 2011
  • Poruke: 8

Napisano: 20 Avg 2011 22:48

Imam ikonicu Avira, McAfree u taskbaru, ali sam danas izbrisala iz Control Panela, tako da ih tamo vise nema. Eset nod antivirus 4.2 sam pokusala preko Start da isljucim al se pojavi "The application failed to initialize property (0x000012d). Click on Ok to terminate the application." Kad sam kliknula na Ok nista se nije pokazalo.A danas sam pokusala par puta da izbrisem Eset i nije htelo. Pokrenula sam ComboFix, neko vreme je skenirao i prikazao neko obavestenje i nestao. Potrazila sam u Local C izvestaj, al se pojavilo u medjuvremenu prozorce "Warning! ComboFix has detected folowing real time scanner(s) to be active. Avira Profesional i Eset nod32 anivirus. ... Please disable these scanners before clicking Ok" Tako da ja jos nisam kliknula Ok, stoji mi prozorce i sta sad da radim?

Dopuna: 20 Avg 2011 22:53

A da, a kad kliknem na bilo koju ikonicu na taskbaru od ta tri antivirusa, pojavi mi se crveno prozorce gde pise
"Enhanced protection mode
Attention! Antivir operates under enhaced protection mode. This is a temporary measure necessary for immediate response to the threat from virus. No action is required from you."

offline
  • Fil  Male
  • Legendarni građanin
  • Pridružio: 11 Jun 2009
  • Poruke: 16586

Arrow Deinstaliraj oba antivirusa (Avira i Nod) preko Control Panela, Add/Remove programs apleta.



Ukoliko deinstalacija bude neuspešna, uradi sledeće:

Arrow Potrebno je da uđeš u Safe Mode With Networking, po ovome uputstvu:
http://www.mycity.rs/Uputstva/Kako-uci-u-Safe-Mode-2.html

Arrow Nakon što uđeš u Safe Mode, uklonićemo oba antivirusa koja imaš na računaru:

- Za uklanjanje Avire, preuzmi softver sa sledećeg linka:
http://dl.antivir.de/down/windows/registrycleaner_en.zip

- Za uklanjanje Noda, preuzmi softver sa sledećeg linka:
http://www.nod32.nl/download/tool/nod32removal.exe



Arrow Po završetku deinstalacije ovih antivirusa, opet preuzmi i pokreni Combofix po već datom uputstvu i priloži neophodan izveštaj (log).

offline
  • Pridružio: 20 Avg 2011
  • Poruke: 8

Napisano: 21 Avg 2011 1:08

Uradila sam Safe mode with Networking, prethodno sam skinula oba fajla za virus. Komp je bio par sekundi u Safe mode i onda se restartovao i vratio u normalan. Medjutim ikonice su i dalje tu i crveno obavestenje..da li da ipak zapocnem Combofix? Pokusala sam bila prosli put i opet mi je izaslo upozorenje da radim na sopstvenu odgovornost, tj.da su antivirusi tu.

Dopuna: 21 Avg 2011 1:20

Zbunjuje me iz prosle poruke "uklonicemo", to znaci vi, ne ja? Smile Izvinite, rekla sam da se ne razumem bas najbolje..ali zelim da ocistim komp, pre dva meseca sam obarala sistem...ako treba, ponovo cu. Sad

Dopuna: 21 Avg 2011 1:41

Eset je izbrisan, Combofix me obavestava da je ostala Avira, ali nju ne mogu nigde da nadjem, ni u Control Panel, ni u Start..jedino ikonica na taskbaru koja nista ne znaci...

offline
  • Fil  Male
  • Legendarni građanin
  • Pridružio: 11 Jun 2009
  • Poruke: 16586

Pozdrav,

Možeš li mi detaljno objasniti šta se sve izdešavalo na računaru? Konkretno sledeće:

- Da li ti se računar ponaša stabilno u Safe Modu? Napisala si da se restartovao posle 3 sekunde. Da li je to bilo odmah po startovanju Safe Moda ili po pokretanju nekog od alata za uklanjanje antivirusa? Da li se računar restartuje uvek kada uđeš u Safe Mode?

- Da ne bi bilo zabune, ti zapravo uklanjaš antiviruse sa alatima koje ti dam da preuzmeš (dao sam linkove) Smile

Dakle, Eset si obrisala sa alatom koji sam ti dao iz Normalnog moda?
Da li si pokušala obrisati Aviru sa programom koji sam ti dao u prethodnoj poruci?

offline
  • Pridružio: 20 Avg 2011
  • Poruke: 8

Eset sam uklonila preko Control panela u Normalnom modu.

Nakon toga sam restartovala komp, nije se odmah prikazao Windows Advanced options, nego sam morala da izaberem boot: floppy, nesto sa brojevima, cdrom nesto.., cdrom nesto jos.. i network. Izabrala sam to sa brojevima i nakon toga se pojavio Safe mode. Otvorio windows i restartovao za 3 sekunde i vratio u Normalan mod.

Onda sam usla u Normalan mod i sa linka koji sam skinula za Aviru usla u RegCleaner.exe izabrala opciju Scan..pronasao je 47 objekata i to sam izbrisala, izaslo je obavestenje da vise nema key. Pokrenula Combofix i opet je detektovao Aviru.

Restartovala sam da ponovo udjem u Safe mode, ovaj put sam se zadrzala minut, toliko da sam uspela da otvorim RegCleaner.exe, kliknem Scan i onda je izaslo prozorce da nije pronadjen nijedan key. Combofix je opet objavio Aviru.

offline
  • Fil  Male
  • Legendarni građanin
  • Pridružio: 11 Jun 2009
  • Poruke: 16586

S obzirom da si koristila Avirin RegCleaner.exe, ignoriši poruku koju ti Combofix daje o prisustvu Avire.

Dakle, pokreni Combofix prema već datom uputstvu i bez obzira što može iskočiti obaveštenje "Warning! ComboFix has detected folowing real time scanner(s) to be active. Avira Profesional. Please disable these scanners before clicking Ok", ti ipak klikni na dugme OK.

Po završetku, naravno, okači izveštaj.

offline
  • Pridružio: 20 Avg 2011
  • Poruke: 8

Evo izvestaja Combofix. A za Aviru, Windows Security Alerts je postavio obavestece "maybe out of date"


ComboFix 11-08-21.01 - Personal Computer 21.08.2011 12:29:15.2.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1250.381.1033.18.247.119 [GMT 2:00]
Running from: c:\documents and settings\Personal Computer\Desktop\ComboFix.exe
AV: Avira AntiVir PersonalEdition *Enabled/Outdated* {C19476D9-52BC-4E93-8AF3-CCF59F7AE8FE}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\docume~1\PERSON~1\LOCALS~1\Temp\3556982.exe
c:\program files\RelevantKnowledge
c:\windows\btc_client_iplist.txt
c:\windows\front_ip_list.txt
c:\windows\geoiplist
c:\windows\geoiplist.rar
c:\windows\iecheck_iplist.txt
c:\windows\info1
c:\windows\iplist.txt
c:\windows\l1rezerv.exe
c:\windows\loader2.exe_ok
c:\windows\phoenix
c:\windows\phoenix.rar
c:\windows\phoenix\kernels\phatk\__init__.py
c:\windows\phoenix\kernels\phatk\__init__.pyc
c:\windows\phoenix\kernels\phatk\BFIPatcher.py
c:\windows\phoenix\kernels\phatk\kernel.cl
c:\windows\phoenix\kernels\poclbm\__init__.py
c:\windows\phoenix\kernels\poclbm\__init__.pyc
c:\windows\phoenix\kernels\poclbm\BFIPatcher.py
c:\windows\phoenix\kernels\poclbm\kernel.cl
c:\windows\phoenix\phoenix.exe
c:\windows\proc_list1.log
c:\windows\rpcminer
c:\windows\rpcminer.rar
c:\windows\rpcminer\bitcoinminercuda_10.cubin
c:\windows\rpcminer\bitcoinminercuda_11.cubin
c:\windows\rpcminer\bitcoinminercuda_20.cubin
c:\windows\rpcminer\bitcoinmineropencl.cl
c:\windows\rpcminer\cudart32_32_16.dll
c:\windows\rpcminer\curllib.dll
c:\windows\rpcminer\libeay32.dll
c:\windows\rpcminer\libsasl.dll
c:\windows\rpcminer\openldap.dll
c:\windows\rpcminer\rpcminer-4way.exe
c:\windows\rpcminer\rpcminer-cpu.exe
c:\windows\rpcminer\rpcminer-cuda.exe
c:\windows\rpcminer\rpcminer-opencl.exe
c:\windows\rpcminer\ssleay32.dll
c:\windows\services32.exe
c:\windows\sysdriver32.exe
c:\windows\sysdriver32_.exe
c:\windows\system32\drivers\etc\HSTS~1
c:\windows\TEMP\12839690-loader2.exe
c:\windows\TEMP\35595.exe
c:\windows\TEMP\9239863.exe
c:\windows\ufa.rar
c:\windows\update.1
c:\windows\update.1\svchost.exe
c:\windows\update.2
c:\windows\update.2\2259.exe
c:\windows\update.2\svchost.exe
c:\windows\update.5.0
c:\windows\update.5.0\svchost.exe
c:\windows\update.tray-2-0\svchost.exe
c:\windows\update.tray-8-0\svchost.exe
c:\windows\update.tray-9-0\svchost.exe
c:\windows\winlog-dirs.txt
c:\windows\winlog-ids.txt
c:\windows\winsetupapi.log
D:\Autorun.inf
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Legacy_SRVBTCCLIENT
-------\Legacy_SRVIECHECK
-------\Legacy_SRVSYSDRIVER32
-------\Legacy_WXPDRIVERS
-------\Service_srvbtcclient
-------\Service_srviecheck
-------\Service_srvsysdriver32
-------\Service_wxpdrivers
.
.
((((((((((((((((((((((((( Files Created from 2011-07-21 to 2011-08-21 )))))))))))))))))))))))))))))))
.
.
2011-08-20 10:31 . 2011-08-21 10:36 -------- d--h--w- c:\windows\update.tray-8-0
2011-08-20 10:31 . 2011-08-20 10:31 -------- d--h--w- c:\windows\update.tray-8-0-lnk
2011-08-20 10:27 . 2007-08-09 11:04 40768 ----a-w- c:\windows\system32\drivers\avgntdd.sys
2011-08-20 10:27 . 2007-07-18 12:22 21312 ----a-w- c:\windows\system32\drivers\avgntmgr.sys
2011-08-20 10:27 . 2007-09-07 10:05 62016 ----a-w- c:\windows\system32\drivers\avipbb.sys
2011-08-20 10:10 . 2011-08-20 10:10 -------- d--h--w- c:\documents and settings\All Users\Application Data\Common Files
2011-08-20 10:09 . 2011-08-20 13:12 -------- d-----w- c:\documents and settings\All Users\Application Data\MFAData
2011-08-19 17:39 . 2011-08-21 10:36 -------- d--h--w- c:\windows\update.tray-2-0
2011-08-19 17:39 . 2011-08-19 17:39 -------- d--h--w- c:\windows\update.tray-2-0-lnk
2011-08-19 14:18 . 2011-08-19 14:18 -------- d-----w- c:\windows\ufa
2011-08-19 14:14 . 2011-08-19 14:18 246272 ----a-w- c:\windows\unrar.exe
2011-08-19 14:14 . 2011-08-19 14:14 -------- d--h--w- c:\windows\update.7.1
2011-08-19 14:13 . 2011-08-20 10:32 -------- d-----w- c:\windows\av_ico
2011-08-19 14:11 . 2011-08-21 10:36 -------- d--h--w- c:\windows\update.tray-9-0
2011-08-19 14:11 . 2011-08-19 14:11 -------- d--h--w- c:\windows\update.tray-9-0-lnk
2011-08-01 12:11 . 2011-08-01 12:11 -------- d-----w- c:\documents and settings\All Users\Application Data\Adobe Systems
2011-08-01 12:08 . 2011-08-01 12:08 -------- d-----w- c:\program files\Common Files\Adobe Systems Shared
2011-07-31 15:39 . 2011-07-31 15:43 -------- d-----w- c:\program files\GstarCAD2011Professional
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-06-27 00:53 . 2011-06-27 00:54 411368 ----a-w- c:\windows\system32\deploytk.dll
2011-06-20 19:08 . 2011-06-20 19:08 371349 ----a-w- c:\windows\system32\drivers\BT848.sys
.
.
------- Sigcheck -------
Note: Unsigned files aren't necessarily malware.
.
[-] 2008-06-24 . 362BC5AF8EAF712832C58CC13AE05750 . 1614848 . . [5.1.2600.5512] . . c:\windows\system32\sfcfiles.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2003-07-10 155648]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2003-07-10 114688]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"BabylonToolbar"="c:\program files\BabylonToolbar\BabylonToolbar\1.4.19.19\BabylonToolbarsrv.exe" [2010-11-07 286720]
"TWCU"="c:\program files\TP-LINK\TP-LINK Wireless Client Utility\TWCU.exe" [2010-05-21 561263]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-06-06 937920]
"SearchSettings"="c:\program files\Common Files\Spigot\Search Settings\SearchSettings.exe" [2011-06-24 534880]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"_nltide_3"="advpack.dll" [2008-04-14 99840]
.
c:\documents and settings\Personal Computer\Start Menu\Programs\Startup\
Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-3-16 113664]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
BlueSoleil.lnk - c:\program files\IVT Corporation\BlueSoleil\gprs.exe [2007-12-27 43608]
McAfee Security Scan Plus.lnk - c:\program files\McAfee Security Scan\2.0.189\SSScheduler.exe [N/A]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableSecureUIAPaths"= 0 (0x0)
.
[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"ForceClassicControlPanel"= 1 (0x1)
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"FirewallOverride"=dword:00000001
"DisableThumbnailCache"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\IVT Corporation\\BlueSoleil\\BlueSoleil.exe"=
.
R1 ehdrv;ehdrv;c:\windows\system32\drivers\ehdrv.sys [12/21/2010 3:04 PM 115008]
R1 epfwtdir;epfwtdir;c:\windows\system32\drivers\epfwtdir.sys [12/21/2010 1:47 PM 94872]
R2 Application Updater;Application Updater;c:\program files\Application Updater\ApplicationUpdater.exe [6/24/2011 5:30 PM 393112]
R2 BT848;Conexant's BtPCI WDM Video Capture;c:\windows\system32\drivers\BT848.sys [6/20/2011 9:08 PM 371349]
R2 ddservice;ddservice;c:\windows\update.7.1\svchostdriver.exe srv --> c:\windows\update.7.1\svchostdriver.exe srv [?]
R2 Start BT in service;Start BT in service;c:\program files\IVT Corporation\BlueSoleil\StartSkysolSvc.exe [12/27/2007 3:39 PM 51816]
R3 AR9271;Wireless Network Adapter Service;c:\windows\system32\drivers\athuw.sys [6/20/2011 1:28 PM 1714176]
S3 McComponentHostService;McAfee Security Scan Component Host Service;"c:\program files\McAfee Security Scan\2.0.189\McCHSvc.exe" --> c:\program files\McAfee Security Scan\2.0.189\McCHSvc.exe [?]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://start.jdownloader.com/
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
LSP: avsda.dll
TCP: DhcpNameServer = 89.216.1.30 89.216.1.50
.
- - - - ORPHANS REMOVED - - - -
.
HKLM-Run-Cmaudio - cmicnfg.cpl
HKLM-Run-wxpdrv - c:\windows\services32.exe
HKLM-Run-tray_ico - (no file)
HKLM-Run-tray_ico0 - c:\windows\update.tray-9-0\svchost.exe
HKLM-Run-tray_ico1 - c:\windows\update.tray-2-0\svchost.exe
HKLM-Run-tray_ico2 - c:\windows\update.tray-8-0\svchost.exe
HKLM-Run-tray_ico3 - (no file)
HKLM-Run-tray_ico4 - (no file)
HKLM-Run-l1rezerv.exe - c:\windows\l1rezerv.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, gmer.net
Rootkit scan 2011-08-21 12:42
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'lsass.exe'(1292)
c:\windows\system32\avsda.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\acs.exe
c:\program files\IVT Corporation\BlueSoleil\BTNtService.exe
c:\windows\update.7.1\svchostdriver.exe
c:\windows\update.7.1\svchostdriver.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\RunDll32.exe
c:\program files\IVT Corporation\BlueSoleil\BlueSoleil.exe
c:\program files\IVT Corporation\BlueSoleil\BlueSoleil VoIP Plugin.exe
c:\program files\Skype\Phone\Skype.exe
.
**************************************************************************
.
Completion time: 2011-08-21 12:47:25 - machine was rebooted
ComboFix-quarantined-files.txt 2011-08-21 10:47
.
Pre-Run: 28.362.817.536 bytes free
Post-Run: 29.362.511.872 bytes free
.
- - End Of File - - 439CD9495A1E49AB7B73C3FAA6D9914A

offline
  • Fil  Male
  • Legendarni građanin
  • Pridružio: 11 Jun 2009
  • Poruke: 16586

Arrow Otvoriti Notepad i iskopirati sledeci tekst:

Folder::
c:\windows\update.tray-8-0
c:\windows\update.tray-8-0-lnk
c:\windows\update.tray-2-0
c:\windows\update.tray-2-0-lnk
c:\windows\ufa
c:\windows\update.7.1
c:\windows\av_ico
c:\windows\update.tray-9-0
c:\windows\update.tray-9-0-lnk
c:\program files\Application Updater\

File::
c:\windows\unrar.exe

Driver::
Application Updater
ddservice


Snimiti na Desktop fajl iz Notepada kao "CFScript"




Prevuci snimljeni skript/tekst na ComboFix ikonicu kao na slici.
Postaviti u sledecoj poruci log koji bude bio napravljen na kraju ciscenja/skeniranja.


Arrow Preuzmi instalaciju za program Malwarebytes Anti-Malware sa sledećeg linka:
http://www.besttechie.net/tools/mbam-setup.exe

Dvoklikom pokreni instalaciju - na samom kraju procesa, proveri da su obeležene opcije:
Update Malwarebytes' Anti-Malware;
Launch Malwarebytes Anti-Malware;

a zatim klikni Finish.

Nakon završenog ažuriranja program će se pokrenuti.

Izaberi opciju Perform Quick Scan i klikni Scan.

Po završetku procesa klikni OK, Show Results: u listi detektovanog malware-a, obeleži sve stavke i klikni Remove Selected.

Po završetku procesa, logfile će se otvoriti u Notepad-u; iskopiraj ga u temu na forumu.
Ukoliko program zatraži restart kako bi se završio proces čišćenja, obavezno ga dozvoliti.

Napomena: ako dođe do restarta na kraju procesa čišćenja, logfile će biti dostupan na Logs kartici (obeleži ga i klikni Open).

Ko je trenutno na forumu
 

Ukupno su 772 korisnika na forumu :: 6 registrovanih, 0 sakrivenih i 766 gosta   ::   [ Administrator ] [ Supermoderator ] [ Moderator ] :: Detaljnije

Najviše korisnika na forumu ikad bilo je 3466 - dana 01 Jun 2021 17:07

Korisnici koji su trenutno na forumu:
Korisnici trenutno na forumu: bobomicek, darios, dok80, Georgius, Istman, Shilok