Posted: 26 Sep 2012 11:52
offline
- krauterbox
- New MyCity citizen
- Joined: 13 Jan 2012
- Posts: 18
Basically my problem is the same as the one now in the archive, which user Ivan had:
Quote: I'd like to know how to remove a virus from the computer that attacks only the USB stick, turning all the folders into shortcuts.
When I open "My Computer" it shows the flash drive is full (as it really was before the computer got infected), but I can't open those folders because it turns every folder into a shortcut.
On top of that, I don't know how any more, but during one scan (and for the life of me I no longer know what I scanned it with, because I've been struggling with it for days) it showed up as win32:Dropper-gen.
Please help if at all possible.
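An added example, not from this thread: a small Python checker for the symptom described above (real folders hidden, a same-named .lnk dropped beside each one) that lists the shortcut/folder pairs on a drive and prints the attrib commands that would make the folders visible again. The folder layout it is tested against is constructed; names such as Suspect and find_shortcut_pairs are this example's own.

```python
from __future__ import annotations

import os
import sys
from dataclasses import dataclass

# Win32 file attribute bits (documented constants). The worm described in the
# thread sets both on the real folders so Explorer no longer shows them.
FILE_ATTRIBUTE_HIDDEN = 0x2
FILE_ATTRIBUTE_SYSTEM = 0x4


@dataclass
class Suspect:
    shortcut: str        # path of the .lnk that took the folder's place
    folder: str          # path of the real (possibly hidden) folder
    hidden_system: bool  # True when the folder carries hidden + system bits


def is_hidden_system(path: str) -> bool:
    """Hidden + system attributes exist only on Windows; elsewhere
    st_file_attributes is absent and we report False rather than guess."""
    attrs = getattr(os.stat(path), "st_file_attributes", 0)
    return (attrs & FILE_ATTRIBUTE_HIDDEN) != 0 and (attrs & FILE_ATTRIBUTE_SYSTEM) != 0


def find_shortcut_pairs(root: str) -> list[Suspect]:
    """Return every <name>.lnk in root that shadows a sibling directory <name>.
    One such pair can be legitimate; a whole drive of them is the pattern."""
    try:
        entries = list(os.scandir(root))
    except OSError:
        return []
    dirs = {e.name.lower(): e.path for e in entries if e.is_dir(follow_symlinks=False)}
    found: list[Suspect] = []
    for e in entries:
        if not e.is_file(follow_symlinks=False) or not e.name.lower().endswith(".lnk"):
            continue
        stem = e.name[:-4].lower()
        if stem in dirs:
            found.append(Suspect(e.path, dirs[stem], is_hidden_system(dirs[stem])))
    return sorted(found, key=lambda s: s.folder)


def remediation_commands(suspects: list[Suspect]) -> list[str]:
    """attrib.exe lines that clear hidden/system on the real folders. They are
    returned for review, not executed; the shortcuts and the file they launch
    are left to the removal tools the helper prescribes (ComboFix here)."""
    return [f'attrib -h -s "{s.folder}"' for s in suspects]


def main(argv: list[str]) -> int:
    root = argv[1] if len(argv) > 1 else "."
    suspects = find_shortcut_pairs(root)
    if not suspects:
        print(f"no shortcut/folder pairs under {root}")
        return 0
    for s in suspects:
        flag = "hidden+system" if s.hidden_system else "attributes not confirmed"
        print(f"{s.shortcut}  ->  {s.folder}  [{flag}]")
    print("\nto make the folders visible again (review first):")
    print("\n".join(remediation_commands(suspects)))
    return 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as `python check_usb.py E:\` with the stick's drive letter; a non-zero exit code means pairs were found.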
Posted: 26 Sep 2012 21:16
offline
- krauterbox
- New MyCity citizen
- Joined: 13 Jan 2012
- Posts: 18
TwinHeadedEagle :: Hello
Follow the instructions for opening a topic, mycity.rs/Ambulanta/Kako-otvoriti-temu-u-Ambulanti.html, and post the appropriate logs in this topic accordingly.
TwinHeadedEagle (AMF Team)
O.K. (and of course I apologise)
Here it is
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 10.7.2
Run by GAVRIC at 14:07:04 on 2012-09-26
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2038.1159 [GMT 2:00]
.
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe
C:\Program Files\BitDefender\BitDefender 2009\vsserv.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\WINDOWS\PixArt\PAC7302\Monitor.exe
C:\PROGRA~1\WI371A~1\Datamngr\DATAMN~1.EXE
C:\Program Files\WGA Remover\wgaremover.exe
C:\Program Files\Common Files\Research In Motion\USB Drivers\RIMBBLaunchAgent.exe
C:\Program Files\SweetIM\Messenger\SweetIM.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\SweetIM\Communicator\SweetPacksUpdateManager.exe
C:\Program Files\BitDefender\BitDefender 2009\bdagent.exe
C:\Program Files\Xmarks\IE Extension\xmarkssync.exe
C:\Program Files\WinSplit Revolution\WinSplit.exe
C:\Program Files\BitDefender\BitDefender 2009\seccenter.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MC shield\MCShield\mcshieldrtm.exe
svchost.exe
C:\Program Files\Java\jre7\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Common Files\Nero\Nero BackItUp 4\NBService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\CyberLink\Shared files\RichVideo.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\WinSplit Revolution\WinSplitDrvr32.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = about:blank
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
mStart Page = hxxp://home.sweetim.com/?crg=3.1010000.10011&barid={962C7EAB-ED34-11E1-9582-00016CE13569}
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
mSearchAssistant = hxxp://www.google.com/ie
BHO: BFlix Class: {0c9f4179-6ce2-4c6a-a3e5-67ff3592a12e} - c:\program files\bflix\BFlix.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Idea2 SidebarBrowserMonitor Class: {45ad732c-2ce2-4666-b366-b2214ad57a49} - c:\program files\desktop sidebar\sbhelp.dll
BHO: uTorrentControl2 Toolbar: {687578b9-7132-4a7a-80e4-30ee31099e03} - c:\program files\utorrentcontrol2\prxtbuTor.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\progra~1\micros~2\office12\GRA8E1~1.DLL
BHO: Java(tm) Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre7\bin\ssv.dll
BHO: MailRuBHO Class: {8984b388-a5bb-4df7-b274-77b879e179db} - c:\program files\mail.ru\sputnik\MailRuSputnik.dll
BHO: DataMngr: {9d717f81-9148-4f12-8568-69135f087db0} - c:\progra~1\wi371a~1\datamngr\BROWSE~1.DLL
BHO: DealPly: {a6174f27-1fff-e1d6-a93f-ba48ad5dd448} - c:\program files\dealply\DealPlyIE.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre7\bin\jp2ssv.dll
BHO: SweetPacks Browser Helper: {eee6c35c-6118-11dc-9c72-001320c79847} - c:\program files\sweetim\toolbars\internet explorer\mgToolbarIE.dll
TB: SweetPacks Toolbar for Internet Explorer: {eee6c35b-6118-11dc-9c72-001320c79847} - c:\program files\sweetim\toolbars\internet explorer\mgToolbarIE.dll
TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
EB: Groove Folder Synchronization: {2a541ae1-5bf6-4665-a8a3-cfa9672e4291} - c:\progra~1\micros~2\office12\GRA8E1~1.DLL
uRun: [Xmarks] c:\program files\xmarks\ie extension\xmarkssync.exe -q
uRun: [Google Update] "c:\documents and settings\gavric\local settings\application data\google\update\GoogleUpdate.exe" /c
uRun: [Winsplit] c:\program files\winsplit revolution\WinSplit.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [MCShield Monitor] c:\program files\mc shield\mcshield\mcshieldrtm.exe
mRun: [nwiz] c:\program files\nvidia corporation\nview\nwiz.exe /installquiet
mRun: [RemoteControl] "c:\program files\cyberlink\powerdvd\PDVDServ.exe"
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [PAC7302_Monitor] c:\windows\pixart\pac7302\Monitor.exe
mRun: [DATAMNGR] c:\progra~1\wi371a~1\datamngr\DATAMN~1.EXE
mRun: [WGA Remover] "c:\program files\wga remover\wgaremover.exe" -silent
mRun: [RIMBBLaunchAgent.exe] c:\program files\common files\research in motion\usb drivers\RIMBBLaunchAgent.exe
mRun: [UpdatePDRShortCut] "c:\program files\cyberlink\powerdirector10\muitransfer\muistartmenu.exe" "c:\program files\cyberlink\powerdirector10" updatewithcreateonce "software\cyberlink\powerdirector\10.0"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [SweetIM] c:\program files\sweetim\messenger\SweetIM.exe
mRun: [ROC_roc_ssl_v12] "c:\program files\avg secure search\ROC_roc_ssl_v12.exe" / /PROMPT /CMPID=roc_ssl_v12
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [Sweetpacks Communicator] c:\program files\sweetim\communicator\SweetPacksUpdateManager.exe
mRun: [BDAgent] "c:\program files\bitdefender\bitdefender 2009\bdagent.exe"
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: Download with &Media Finder - c:\program files\media finder\hook.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {09FE188B-6E85-479e-9411-51FB2220DF80} - {45AD732C-2CE2-4666-B366-B2214AD57A49} - c:\program files\desktop sidebar\sbhelp.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
DPF: {31435657-9980-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/e/2/f/e2fcec4b-6c8b-48b7-adab-ab9c403a978f/wvc1dmo.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_30-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0030-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_30-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_30-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
TCP: DhcpNameServer = 192.168.1.1
TCP: Interfaces\{CCB1AE79-03AA-44BD-992F-4463497F52E2} : DhcpNameServer = 192.168.1.1
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\progra~1\micros~2\office12\GR99D3~1.DLL
AppInit_DLLs: c:\progra~1\wi371a~1\datamngr\datamngr.dll c:\progra~1\wi371a~1\datamngr\IEBHO.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\progra~1\micros~2\office12\GRA8E1~1.DLL
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\gavric\application data\mozilla\firefox\profiles\ocec6wih.default\
FF - prefs.js: browser.search.defaulturl - hxxp://go.mail.ru/search?fr=fftb&utf8in&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: keyword.URL - hxxp://www.google.com/search?btnI=I%27m+Feeling+Lucky&ie=UTF-8&oe=UTF-8&q=
FF - component: c:\program files\windows ilivid toolbar\datamngr\firefoxextension\components\DataMngrHlpFF3.dll
FF - plugin: c:\documents and settings\gavric\application data\mozilla\firefox\profiles\ocec6wih.default\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}\plugins\npqscan.dll
FF - plugin: c:\documents and settings\gavric\local settings\application data\google\update\1.3.21.123\npGoogleUpdate3.dll
FF - plugin: c:\program files\adobe\reader 10.0\reader\air\nppdf32.dll
FF - plugin: c:\program files\common files\research in motion\bbwebsllauncher\NPWebSLLauncher.dll
FF - plugin: c:\program files\java\jre7\bin\plugin2\npjp2.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdjvu.dll
FF - plugin: c:\program files\picasa\picasa3\npPicasa3.dll
FF - plugin: c:\windows\system32\macromed\flash\NPSWF32_11_2_202_233.dll
FF - plugin: c:\windows\system32\macromed\flash\NPSWF32_11_2_202_235.dll
FF - plugin: c:\windows\system32\macromed\flash\NPSWF32_11_4_402_265.dll
FF - plugin: c:\windows\system32\npDeployJava1.dll
FF - plugin: c:\windows\system32\npptools.dll
FF - plugin: c:\windows\system32\npwmsdrm.dll
.
---- FIREFOX POLICIES ----
user_pref('extensions.autoDisableScopes', 0);user_pref('security.csp.enable', false);user_pref('security.OCSP.enabled', 0);
============= SERVICES / DRIVERS ===============
.
R3 bdfm;BDFM;c:\windows\system32\drivers\bdfm.sys [2009-4-15 146312]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\macromed\flash\FlashPlayerUpdateService.exe [2012-5-2 250288]
S3 AIDA64Driver;FinalWire AIDA64 Kernel Driver;\??\c:\program files\finalwire\aida64 extreme edition\kerneld.x32 --> c:\program files\finalwire\aida64 extreme edition\kerneld.x32 [?]
S3 cpuz135;cpuz135;\??\c:\program files\new folder (3)\pcwiz_x32.sys --> c:\program files\new folder (3)\pcwiz_x32.sys [?]
S3 MozillaMaintenance;Mozilla Maintenance Service;c:\program files\mozilla maintenance service\maintenanceservice.exe [2012-4-25 114144]
S3 ujiwodu3;AVZ-SG Kernel Driver;c:\windows\system32\drivers\ujiwodu3.sys [2012-9-26 10240]
S3 utiwodu3;AVZ Kernel Driver;c:\windows\system32\drivers\utiwodu3.sys [2012-9-26 7168]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
.
=============== File Associations ===============
.
.txt=Word Reader-TXT
.
=============== Created Last 30 ================
.
2012-09-26 12:06:24 607260 ------r- c:\program files\dds.scr
2012-09-26 09:25:21 -------- d-----w- c:\documents and settings\all users\application data\MCShield
2012-09-26 09:24:20 -------- d-----w- c:\program files\MC shield
2012-09-26 09:12:41 10240 ----a-w- c:\windows\system32\drivers\ujiwodu3.sys
2012-09-26 09:08:06 7168 ----a-w- c:\windows\system32\drivers\utiwodu3.sys
2012-09-26 09:06:42 -------- d-----w- c:\program files\AVZ tool
2012-09-25 17:40:00 81984 ----a-w- c:\windows\system32\bdod.bin
2012-09-25 17:12:43 -------- d-----w- c:\documents and settings\gavric\application data\BitDefender
2012-09-25 17:12:17 -------- d-----w- c:\documents and settings\all users\application data\BitDefender
2012-09-25 17:10:49 -------- d-----w- c:\program files\common files\BitDefender
2012-09-25 17:03:23 -------- d-----w- c:\program files\bitdefender
2012-09-25 12:45:44 -------- d-----w- c:\program files\blekkotb_031
2012-09-24 11:56:34 -------- d-----w- c:\documents and settings\gavric\application data\YourFileDownloader
2012-09-24 11:10:47 -------- d-----w- c:\documents and settings\gavric\application data\DriverCure
2012-09-24 11:10:46 -------- d-----w- c:\documents and settings\gavric\application data\SpeedyPC Software
2012-09-24 11:10:31 -------- d-----w- c:\documents and settings\all users\application data\SpeedyPC Software
2012-09-24 09:01:30 -------- d-----w- c:\windows\system32\NtmsData
2012-09-23 07:36:41 -------- d-sh--r- c:\documents and settings\gavric\M-500-7469-9976-4678
2012-09-08 08:05:00 93672 ----a-w- c:\windows\system32\WindowsAccessBridge.dll
2012-09-07 22:21:59 73696 ----a-w- c:\program files\mozilla firefox\breakpadinjector.dll
2012-09-07 22:21:59 266720 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
2012-09-07 22:21:59 18912 ----a-w- c:\program files\mozilla firefox\AccessibleMarshal.dll
2012-09-02 12:14:51 -------- d--h--w- c:\documents and settings\all users\application data\Common Files
2012-09-02 09:31:50 -------- d-----w- c:\windows\pss
2012-09-02 09:20:19 -------- d-----w- c:\program files\CCleaner
2012-09-01 18:10:57 -------- d-----w- c:\documents and settings\gavric\application data\Malwarebytes
2012-09-01 18:10:45 -------- d-----w- c:\documents and settings\all users\application data\Malwarebytes
2012-09-01 16:17:14 -------- d-----w- c:\program files\IObit
.
==================== Find3M ====================
.
2012-09-25 17:39:51 146312 ----a-w- c:\windows\system32\drivers\bdfm.sys
2012-09-21 13:58:39 73136 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-09-21 13:58:39 696240 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-09-08 08:03:30 143872 ----a-w- c:\windows\system32\javacpl.cpl
2012-09-08 08:03:28 821736 ----a-w- c:\windows\system32\npDeployJava1.dll
2012-09-08 08:03:27 746984 ----a-w- c:\windows\system32\deployJava1.dll
2012-08-28 15:14:53 916992 ----a-w- c:\windows\system32\wininet.dll
2012-08-28 15:14:53 43520 ----a-w- c:\windows\system32\licmgr10.dll
2012-08-28 15:14:52 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2012-08-28 12:07:15 385024 ----a-w- c:\windows\system32\html.iec
2012-08-19 19:44:30 893936 ----a-w- c:\program files\jxpiinstall.exe
2012-07-06 13:58:51 78336 ----a-w- c:\windows\system32\browser.dll
2012-07-05 18:58:11 301855 ----a-w- c:\program files\ImageResizer.exe
2012-07-04 14:05:18 139784 ----a-w- c:\windows\system32\drivers\rdpwd.sys
2012-07-03 13:40:15 1866112 ----a-w- c:\windows\system32\win32k.sys
2012-04-12 20:11:42 369152 ----a-w- c:\program files\half_open_limit_fix_4.2.exe
2012-03-10 20:32:33 1380864 ----a-w- c:\program files\tvs.exe
2012-03-04 23:15:52 15036792 ----a-w- c:\program files\Dropbox 1.2.52.exe
2012-03-04 23:06:12 4959152 ----a-w- c:\program files\TeamViewer_Setup.exe
2012-03-04 22:48:03 339560 ----a-w- c:\program files\PatchMyPC.exe
.
============= FINISH: 14:09:37.15 ===============
(but I didn't know where to look for it /to attach it/ so I copied that one too)
gmer1
gmer2
gmer3
- My connection speed is 2560/256 kb/s
- the problem appeared about 7 days ago
- at the moment the virus got in I was using Avast; I have now switched to BitDefender.
- over the last 7 days Avast kept signalling that it had blocked all sorts of pests.
- the only thing I tried was scanning with Avast, SlimCleaner, CCleaner, IObit Malware Fighter and one more program, the only one that actually detected that it is win32:Dropper-gen... but damn, it was a paid one.
Thanks in advance!
Posted: 26 Sep 2012 21:49
offline
- TwinHeadedEagle
- Anti Malware Fighter
Rank 2
- Joined: 09 Aug 2011
- Posts: 15879
- Location: Belgrade
Hello, krauterbox
While we work on the case, please stick to the following:
Read my instructions (or those of the colleagues standing in for me) carefully and follow them exclusively;
Do not seek help elsewhere at the same time;
Do not use other malware-removal programs besides the ones you are instructed to use;
Always report if any of the proposed procedures did not go as described;
Do not use USB storage devices during the intervention until I ask for it;
Always paste the whole report into the post rather than attaching it, unless asked otherwise;
If I do not reply within 24h, bump the topic with a new post;
If you do not reply within 5 days, we will close the case.
For more information on the rules of the MyCity Ambulanta forum: LINK
Download sUBs' ComboFix from the following address to your Desktop:
Bleeping Computer
Right-click the link and choose Save Target As... (Save Link As..., Save Linked Content As... or similar);
When the dialog for choosing where to save the file opens, pick Desktop and click Save.
Once the download is finished:
disable your security software (instructions);
close any running programs;
double-click to run ComboFix;
in the window that opens click "I Agree".
While running, ComboFix will:
- check whether a newer version of the program exists: click Yes if offered to download it;
- offer to install the Recovery Console if it is not installed: be sure to accept by clicking Yes and follow the procedure;
- present a number of prompts/notices: accept by clicking Yes or OK;
- restart Windows if needed (possibly several times);
- at the end, open Notepad with the scan report.
Copy the report ComboFix produced into the topic on the forum:
right-click in the Notepad window and choose Select All;
right-click the highlighted text and choose Copy;
right-click in the message box and choose Paste.
Note: The report will be saved as ComboFix.txt on the system partition (typical location: C:\ComboFix.txt);
If after posting you notice the report is incomplete, use the Attach File option to attach C:\ComboFix.txt to the post.
Posted: 27 Sep 2012 00:15
offline
- krauterbox
- New MyCity citizen
- Joined: 13 Jan 2012
- Posts: 18
Written: 27 Sep 2012 0:01
Hey!
Why krauterbox :-) (where did you dig me up?)
Just one question: how long does Combo take on average ... right now it has stopped (and has been sitting there for almost 10 min) at a bit over halfway?
Update: 27 Sep 2012 0:15
Oh, sorry, on this forum I really am krauterbox; on the Military forum I'm registered as apostata (the Julian the Apostate avatar confused me), please don't hold it against me!
Posted: 27 Sep 2012 08:56
offline
- TwinHeadedEagle
- Anti Malware Fighter
Rank 2
- Joined: 09 Aug 2011
- Posts: 15879
- Location: Belgrade
Delete the old ComboFix icon and download a fresh one to the Desktop from this address:
BleepingComputer
Then click Start --> Run and carefully paste the following text:
"%userprofile%\desktop\ComboFix.exe" /KillAll /StepDel
Press OK and ComboFix will start scanning.
Posted: 27 Sep 2012 21:04
offline
- krauterbox
- New MyCity citizen
- Joined: 13 Jan 2012
- Posts: 18
Here is ComboFix's report
ComboFix 12-09-27.03 - GAVRIC 09/27/2012 19:54:07.1.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2038.1305 [GMT 2:00]
Running from: c:\documents and settings\GAVRIC\My Documents\Downloads\ComboFix.exe
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\All Users\Application Data\TEMP
c:\documents and settings\All Users\Application Data\TEMP\{324F76CC-D8DD-4D87-B77D-D4AF5E1AA7B3}\PostBuild.exe
c:\documents and settings\All Users\Application Data\TEMP\{B0B4F6D2-F2AE-451A-9496-6F2F6A897B32}\PostBuild.exe
c:\documents and settings\All Users\Application Data\TEMP\{B0B4F6D2-F2AE-451A-9496-6F2F6A897B32}\Setup.exe
c:\documents and settings\All Users\Application Data\TEMP\{E8C64028-08E5-4BF0-B1C0-DBAAC6A77DF1}\PostBuild.exe
c:\documents and settings\GAVRIC\WINDOWS
c:\program files\BFlix\BFLIx.dll
c:\program files\DealPly
c:\program files\DealPly\DealPly.crx
c:\program files\DealPly\DealPlyIE.dll
c:\program files\DealPly\DealPlyUpdate.exe
c:\program files\DealPly\DealPlyUpdate.log
c:\program files\DealPly\DealPlyUpdateRun.exe
c:\program files\DealPly\icon.ico
c:\program files\Mozilla Firefox\searchplugins\search.xml
c:\program files\Open
c:\program files\Open\AddPics-2.3.1.oxt
c:\program files\Open\BookmarksMenu-0.6.2.oxt
c:\program files\Open\dict_ru-RU.oxt
c:\program files\Open\HistoryMaster-1.1.1.oxt
c:\program files\Open\java\jre-windows-i586.exe
c:\program files\Open\licenses\license_en-US.html
c:\program files\Open\licenses\license_en-US.txt
c:\program files\Open\OOo_3.3.0_Win_x86_install-wJRE_en-US.exe
c:\program files\Open\OOoTranslit_0.4.0.oxt
c:\program files\Open\openofficeorg1.cab
c:\program files\Open\openofficeorg33.msi
c:\program files\Open\oracle-pdfimport.oxt
c:\program files\Open\readmes\readme_en-US.html
c:\program files\Open\readmes\readme_en-US.txt
c:\program files\Open\redist\vcredist_x64.exe
c:\program files\Open\redist\vcredist_x86.exe
c:\program files\Open\setup.exe
c:\program files\Open\setup.ini
C:\Thumbs.db
c:\windows\system32\dllcache\dlimport.exe
c:\windows\system32\drivers\tcpip.copy
c:\windows\system32\Thumbs.db
D:\install.exe
.
.
((((((((((((((((((((((((( Files Created from 2012-08-27 to 2012-09-27 )))))))))))))))))))))))))))))))
.
.
2012-09-26 12:26 . 2012-09-26 12:26 302592 ----a-w- c:\program files\ef77w71i.exe
2012-09-26 12:06 . 2012-09-26 12:06 607260 ------r- c:\program files\dds.scr
2012-09-26 09:25 . 2012-09-27 18:41 -------- d-----w- c:\documents and settings\All Users\Application Data\MCShield
2012-09-26 09:24 . 2012-09-26 09:25 -------- d-----w- c:\program files\MC shield
2012-09-26 09:12 . 2012-09-26 09:12 10240 ----a-w- c:\windows\system32\drivers\ujiwodu3.sys
2012-09-26 09:08 . 2012-09-26 09:12 7168 ----a-w- c:\windows\system32\drivers\utiwodu3.sys
2012-09-26 09:06 . 2012-09-26 09:07 -------- d-----w- c:\program files\AVZ tool
2012-09-25 17:40 . 2012-09-27 00:32 81984 ----a-w- c:\windows\system32\bdod.bin
2012-09-23 07:36 . 2012-09-24 12:05 -------- d-sh--r- c:\documents and settings\GAVRIC\M-500-7469-9976-4678
2012-09-08 08:05 . 2012-09-08 08:05 -------- d-----w- c:\program files\Common Files\Java
2012-09-08 08:05 . 2012-09-08 08:03 93672 ----a-w- c:\windows\system32\WindowsAccessBridge.dll
2012-09-02 12:14 . 2012-09-02 12:14 -------- d--h--w- c:\documents and settings\All Users\Application Data\Common Files
2012-09-02 09:20 . 2012-09-02 09:21 -------- d-----w- c:\program files\CCleaner
2012-09-01 18:10 . 2012-09-01 18:10 -------- d-----w- c:\documents and settings\GAVRIC\Application Data\Malwarebytes
2012-09-01 18:10 . 2012-09-01 18:10 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2012-09-01 16:17 . 2012-09-25 12:58 -------- d-----w- c:\program files\IObit
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-09-25 17:39 . 2009-04-15 13:13 146312 ----a-w- c:\windows\system32\drivers\bdfm.sys
2012-09-21 13:58 . 2012-05-02 18:31 696240 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-09-21 13:58 . 2011-12-31 00:11 73136 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-09-08 08:03 . 2012-01-01 20:13 143872 ----a-w- c:\windows\system32\javacpl.cpl
2012-09-08 08:03 . 2012-08-19 19:50 821736 ----a-w- c:\windows\system32\npDeployJava1.dll
2012-09-08 08:03 . 2012-01-01 20:13 746984 ----a-w- c:\windows\system32\deployJava1.dll
2012-08-28 15:14 . 2004-08-03 22:56 916992 ----a-w- c:\windows\system32\wininet.dll
2012-08-28 15:14 . 2004-08-03 22:56 43520 ----a-w- c:\windows\system32\licmgr10.dll
2012-08-28 15:14 . 2004-08-03 22:56 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2012-08-28 12:07 . 2004-08-03 20:59 385024 ----a-w- c:\windows\system32\html.iec
2012-08-19 19:44 . 2012-04-19 20:30 893936 ----a-w- c:\program files\jxpiinstall.exe
2012-07-06 13:58 . 2004-08-03 22:56 78336 ----a-w- c:\windows\system32\browser.dll
2012-07-05 18:58 . 2012-07-05 18:58 301855 ----a-w- c:\program files\ImageResizer.exe
2012-07-04 14:05 . 2011-12-30 18:34 139784 ----a-w- c:\windows\system32\drivers\rdpwd.sys
2012-07-03 13:40 . 2004-08-03 21:17 1866112 ----a-w- c:\windows\system32\win32k.sys
2012-04-12 20:11 . 2012-04-12 20:11 369152 ----a-w- c:\program files\half_open_limit_fix_4.2.exe
2012-03-10 20:32 . 2012-03-10 20:32 1380864 ----a-w- c:\program files\tvs.exe
2012-03-04 23:15 . 2012-03-04 23:15 15036792 ----a-w- c:\program files\Dropbox 1.2.52.exe
2012-03-04 23:06 . 2012-03-04 23:05 4959152 ----a-w- c:\program files\TeamViewer_Setup.exe
2012-03-04 22:48 . 2012-03-04 22:48 339560 ----a-w- c:\program files\PatchMyPC.exe
2012-09-07 22:22 . 2012-09-07 22:21 266720 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
------- Sigcheck -------
Note: Unsigned files aren't necessarily malware.
.
[-] 2012-04-12 . CBEEBEB899E31EF52B962CB31FC8CA5C . 361600 . . [5.1.2600.5625] . . c:\windows\system32\drivers\tcpip.sys
[7] 2008-06-20 . AD978A1B783B5719720CFF204B666C8E . 361600 . . [5.1.2600.5625] . . c:\windows\$hf_mig$\KB2509553\SP3QFE\tcpip.sys
[7] 2008-06-20 . AD978A1B783B5719720CFF204B666C8E . 361600 . . [5.1.2600.5625] . . c:\windows\$hf_mig$\KB951748\SP3QFE\tcpip.sys
[7] 2008-06-20 . 9AEFA14BD6B182D61E3119FA5F436D3D . 361600 . . [5.1.2600.5625] . . c:\windows\$hf_mig$\KB951748\SP3GDR\tcpip.sys
[7] 2008-06-20 . 9AEFA14BD6B182D61E3119FA5F436D3D . 361600 . . [5.1.2600.5625] . . c:\windows\system32\dllcache\tcpip.sys
[7] 2008-06-20 . 2A5554FC5B1E04E131230E3CE035C3F9 . 360320 . . [5.1.2600.3394] . . c:\windows\$NtServicePackUninstall$\tcpip.sys
[7] 2008-06-20 . 744E57C99232201AE98C49168B918F48 . 360960 . . [5.1.2600.3394] . . c:\windows\$hf_mig$\KB951748\SP2QFE\tcpip.sys
[7] 2008-04-13 . 93EA8D04EC73A85DB02EB8805988F733 . 361344 . . [5.1.2600.5512] . . c:\windows\$NtUninstallKB951748$\tcpip.sys
[7] 2008-04-13 . 93EA8D04EC73A85DB02EB8805988F733 . 361344 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\tcpip.sys
[7] 2008-04-13 . 93EA8D04EC73A85DB02EB8805988F733 . 361344 . . [5.1.2600.5512] . . c:\windows\SoftwareDistribution\Download\9866fb57abdc0ea2f5d4e132d055ba4e\tcpip.sys
[7] 2004-08-03 . 9F4B36614A0FC234525BA224957DE55C . 359040 . . [5.1.2600.2180] . . c:\windows\$NtUninstallKB951748_0$\tcpip.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{687578b9-7132-4a7a-80e4-30ee31099e03}]
2011-05-09 08:49 176936 ----a-w- c:\program files\uTorrentControl2\prxtbuTor.dll
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{EEE6C35C-6118-11DC-9C72-001320C79847}]
2012-07-04 13:03 1310040 ----a-r- c:\program files\SweetIM\Toolbars\Internet Explorer\mgToolbarIE.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{EEE6C35B-6118-11DC-9C72-001320C79847}"= "c:\program files\SweetIM\Toolbars\Internet Explorer\mgToolbarIE.dll" [2012-07-04 1310040]
.
[HKEY_CLASSES_ROOT\clsid\{eee6c35b-6118-11dc-9c72-001320c79847}]
[HKEY_CLASSES_ROOT\SWEETIE.IEToolbar.1]
[HKEY_CLASSES_ROOT\TypeLib\{EEE6C35E-6118-11DC-9C72-001320C79847}]
[HKEY_CLASSES_ROOT\SWEETIE.IEToolbar]
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{EEE6C35B-6118-11DC-9C72-001320C79847}"= "c:\program files\SweetIM\Toolbars\Internet Explorer\mgToolbarIE.dll" [2012-07-04 1310040]
.
[HKEY_CLASSES_ROOT\clsid\{eee6c35b-6118-11dc-9c72-001320c79847}]
[HKEY_CLASSES_ROOT\SWEETIE.IEToolbar.1]
[HKEY_CLASSES_ROOT\TypeLib\{EEE6C35E-6118-11DC-9C72-001320C79847}]
[HKEY_CLASSES_ROOT\SWEETIE.IEToolbar]
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Xmarks"="c:\program files\Xmarks\IE Extension\xmarkssync.exe" [2012-03-07 1122848]
"Winsplit"="c:\program files\WinSplit Revolution\WinSplit.exe" [2011-04-12 3951616]
"MCShield Monitor"="c:\program files\MC shield\MCShield\mcshieldrtm.exe" [2012-06-22 603648]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"nwiz"="c:\program files\NVIDIA Corporation\nView\nwiz.exe" [2011-07-05 1632360]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2004-11-02 32768]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-26 31016]
"PAC7302_Monitor"="c:\windows\PixArt\PAC7302\Monitor.exe" [2006-11-03 319488]
"WGA Remover"="c:\program files\WGA Remover\wgaremover.exe" [2012-01-12 920576]
"RIMBBLaunchAgent.exe"="c:\program files\Common Files\Research In Motion\USB Drivers\RIMBBLaunchAgent.exe" [2011-11-02 90448]
"UpdatePDRShortCut"="c:\program files\CyberLink\PowerDirector10\MUITransfer\MUIStartMenu.exe" [2010-09-17 222504]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2011-07-05 421888]
"SweetIM"="c:\program files\SweetIM\Messenger\SweetIM.exe" [2012-05-29 115032]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2012-07-03 252848]
"Sweetpacks Communicator"="c:\program files\SweetIM\Communicator\SweetPacksUpdateManager.exe" [2012-08-15 231768]
"BDAgent"="c:\program files\BitDefender\BitDefender 2009\bdagent.exe" [2012-09-25 782336]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKLM\~\startupfolder\C:^Documents and Settings^GAVRIC^Start Menu^Programs^Startup^OpenOffice.org 3.3.lnk]
path=c:\documents and settings\GAVRIC\Start Menu\Programs\Startup\OpenOffice.org 3.3.lnk
backup=c:\windows\pss\OpenOffice.org 3.3.lnkStartup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\blekkotb]
reg.exe delete HKCU\Software\AppDataLow\Software\blekkotb [X]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\blekkotb_DATA_FOLDER]
rmdir [X]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\blekkotb_INSTALL_FOLDER]
rmdir [X]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\blekkotb_XP]
reg.exe delete HKCU\Software\blekkotb [X]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2012-07-27 20:51 919008 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Boxoft Tools]
2010-12-15 15:21 514048 ----a-w- c:\documents and settings\All Users\Application Data\Boxtools\Boxofttoolbox.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTFMON.EXE]
2008-04-14 04:42 15360 ----a-w- c:\windows\system32\ctfmon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Lexmark 1200 Series]
2006-07-13 05:22 57344 ----a-w- c:\program files\Lexmark 1200 Series\lxczbmgr.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MediaGet2]
2012-07-15 16:54 9106664 ----a-w- c:\documents and settings\GAVRIC\Local Settings\Application Data\MediaGet2\mediaget.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
2011-08-03 11:49 13892200 ----a-w- c:\windows\system32\nvcpl.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
2011-08-03 11:49 111208 ----a-w- c:\windows\system32\nvmctray.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
2011-10-13 08:27 17351304 ----a-r- c:\program files\Skype\Phone\Skype.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TBPanel]
2011-08-02 14:38 2248704 ----a-w- c:\program files\Vtune\TBPANEL.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\uTorrent]
2012-05-14 19:34 880496 ----a-w- d:\d disk\LUKIN FOLDER\igra\uTorrent.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
2007-10-10 05:28 36352 ----a-w- c:\program files\Winamp\winampa.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"d:\\d disk\\LUKIN FOLDER\\igra\\uTorrent.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Research In Motion\\BlackBerry Desktop\\Rim.Desktop.exe"=
"c:\\Program Files\\Mail.Ru\\Sputnik\\SputnikHelper.exe"=
"c:\\Program Files\\Mail.Ru\\Sputnik\\SputnikFlashPlayer.exe"=
"c:\\Program Files\\Readon Technology\\Readon TV Movie Radio Player 7.5.0.0\\internettv.exe"=
"c:\\Documents and Settings\\GAVRIC\\Local Settings\\Application Data\\MediaGet2\\mediaget.exe"=
"c:\\Program Files\\Windows iLivid Toolbar\\Datamngr\\ToolBar\\dtUser.exe"=
"c:\\Program Files\\Common Files\\Apple\\Apple Application Support\\WebKit2WebProcess.exe"=
"c:\\Program Files\\Xfire\\Xfire.exe"=
"c:\\WINDOWS\\system32\\msiexec.exe"=
"c:\\Program Files\\SweetIM\\Communicator\\SweetPacksUpdateManager.exe"=
.
R3 bdfm;BDFM;c:\windows\system32\drivers\bdfm.sys [4/15/2009 3:13 PM 146312]
S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [5/2/2012 8:31 PM 250288]
S3 AIDA64Driver;FinalWire AIDA64 Kernel Driver;\??\c:\program files\FinalWire\AIDA64 Extreme Edition\kerneld.x32 --> c:\program files\FinalWire\AIDA64 Extreme Edition\kerneld.x32 [?]
S3 cpuz135;cpuz135;\??\c:\program files\New Folder (3)\pcwiz_x32.sys --> c:\program files\New Folder (3)\pcwiz_x32.sys [?]
S3 MozillaMaintenance;Mozilla Maintenance Service;c:\program files\Mozilla Maintenance Service\maintenanceservice.exe [4/25/2012 2:30 PM 114144]
S3 ujiwodu3;AVZ-SG Kernel Driver;c:\windows\system32\drivers\ujiwodu3.sys [9/26/2012 11:12 AM 10240]
S3 utiwodu3;AVZ Kernel Driver;c:\windows\system32\drivers\utiwodu3.sys [9/26/2012 11:08 AM 7168]
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - WS2IFSL
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bdx REG_MULTI_SZ scan
.
Contents of the 'Scheduled Tasks' folder
.
2012-09-27 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-05-02 13:58]
.
2012-09-02 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2011-06-01 15:57]
.
2012-09-26 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-73586283-562591055-725345543-1003Core.job
- c:\documents and settings\GAVRIC\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2012-03-17 06:14]
.
2012-09-27 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-73586283-562591055-725345543-1003UA.job
- c:\documents and settings\GAVRIC\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2012-03-17 06:14]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
mStart Page = hxxp://home.sweetim.com/?crg=3.1010000.10011&barid={962C7EAB-ED34-11E1-9582-00016CE13569}
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: Download with &Media Finder - c:\program files\Media Finder\hook.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
TCP: DhcpNameServer = 192.168.1.1
FF - ProfilePath - c:\documents and settings\GAVRIC\Application Data\Mozilla\Firefox\Profiles\ocec6wih.default\
FF - prefs.js: browser.search.defaulturl - hxxp://go.mail.ru/search?fr=fftb&utf8in&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: keyword.URL - hxxp://www.google.com/search?btnI=I%27m+Feeling+Lucky&ie=UTF-8&oe=UTF-8&q=
user_pref('extensions.autoDisableScopes', 0);user_pref('security.csp.enable', false);user_pref('security.OCSP.enabled', 0);
.
.
------- File Associations -------
.
.txt=Word Reader-TXT
.
- - - - ORPHANS REMOVED - - - -
.
HKLM-Run-ROC_roc_ssl_v12 - c:\program files\AVG Secure Search\ROC_roc_ssl_v12.exe
MSConfigStartUp-Malwarebytes' Anti-Malware - c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, gmer.net
Rootkit scan 2012-09-27 20:41
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\AIDA64Driver]
"ImagePath"="\??\c:\program files\FinalWire\AIDA64 Extreme Edition\kerneld.x32"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_4_402_278_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_4_402_278_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(1460)
c:\windows\system32\WININET.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\MSVCR80.dll
c:\windows\system32\ieframe.dll
c:\progra~1\MICROS~2\Office12\GR99D3~1.DLL
c:\windows\system32\mslbui.dll
c:\windows\system32\webcheck.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\LEXBCES.EXE
c:\windows\system32\LEXPPS.EXE
c:\program files\Java\jre7\bin\jqs.exe
c:\program files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
c:\program files\Common Files\Nero\Nero BackItUp 4\NBService.exe
c:\windows\system32\nvsvc32.exe
c:\program files\CyberLink\Shared files\RichVideo.exe
c:\progra~1\WI371A~1\Datamngr\DATAMN~1.EXE
c:\program files\WinSplit Revolution\WinSplitDrvr32.exe
.
**************************************************************************
.
Completion time: 2012-09-27 20:57:50 - machine was rebooted
ComboFix-quarantined-files.txt 2012-09-27 18:57
.
Pre-Run: 36,774,146,048 bytes free
Post-Run: 36,800,970,752 bytes free
.
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
.
- - End Of File - - 9AA4A95DD9F23549EFA094A199A518B1
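The ComboFix log above records several settings that turn off the host's own protections: Security Center "AntiVirusOverride"=dword:00000001, Firefox user_pref lines that disable CSP and OCSP, and start/search pages pointing at toolbar domains. The Python below is an added example, not part of the thread or of any tool mentioned in it: it parses a constructed excerpt in that log layout and flags those entries (the finding names and helper functions are my own).

```python
import re
# Constructed excerpt in the DDS/ComboFix layout of the log above (not the full log).
SAMPLE_LOG = r"""[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
.
mStart Page = hxxp://home.sweetim.com/?crg=3.1010000.10011
FF - prefs.js: browser.search.defaulturl - hxxp://go.mail.ru/search?fr=fftb&utf8in&q=
user_pref('extensions.autoDisableScopes', 0);user_pref('security.csp.enable', false);user_pref('security.OCSP.enabled', 0);
"""

def parse_registry_sections(text):
    """Return {key_path (lowercased): {value_name: data}} for [HKEY...] blocks; '.' ends a block."""
    sections, current = {}, None
    for line in text.splitlines():
        head = re.match(r"^\[(HK[^\]]+)\]$", line)
        if head:
            current = head.group(1).lower()
            sections[current] = {}
        elif line.strip() == ".":
            current = None
        elif current is not None:
            value = re.match(r'^"([^"]+)"=(.*)$', line)
            if value:
                sections[current][value.group(1)] = value.group(2)
    return sections

def parse_user_prefs(text):
    """Collect user_pref('name', value) pairs; the log packs several on one line."""
    return dict(re.findall(r"user_pref\('([^']+)',\s*([^)]+)\)", text))

def find_weakened_settings(text):
    """Flag entries that switch off host or browser protections, and list
    start/search URLs (defanged as hxxp:// in the log) for manual review."""
    findings = []
    sc = parse_registry_sections(text).get(r"hkey_local_machine\software\microsoft\security center", {})
    if sc.get("AntiVirusOverride") == "dword:00000001":
        findings.append("security_center_av_override")  # AV-missing warnings suppressed
    prefs = parse_user_prefs(text)
    if prefs.get("security.csp.enable") == "false":
        findings.append("firefox_csp_disabled")
    if prefs.get("security.OCSP.enabled") == "0":
        findings.append("firefox_ocsp_disabled")
    url_line = re.compile(r"^(?:[um]Start Page|FF - prefs\.js: browser\.search\.\w+) .*?(hxxp://[^/\s]+)")
    for line in text.splitlines():
        m = url_line.match(line)
        if m:
            findings.append("browser_url:" + m.group(1))
    return findings
```

Run find_weakened_settings over a full log file's text to get the same five kinds of findings; entries in the firewall AuthorizedApplications list are not covered here and still need a manual look.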
Posted: 28 Sep 2012 13:41
- TwinHeadedEagle
- Anti Malware Fighter Rank 2
- Joined: 09 Aug 2011
- Posts: 15879
- Location: Beograd
Step 1.
Download the SystemLook program from this or this link to the Desktop;
Double-click to run SystemLook;
- Copy the following text into the white box of the window:
:dir
c:\documents and settings\GAVRIC\M-500-7469-9976-4678
Click the Look button;
When the program finishes, attach the file SystemLook.txt, which will be on the Desktop, to your post using the Attach File option.
Step 2.
Go to Start -> Control Panel -> Add or Remove Programs and uninstall the following programs if you do not use them:
iLivid
Internet Explorer Toolbar 4.6 by SweetPacks
Mail.Ru ??????? 2.4.0.508
SweetIM for Messenger 3.7
uTorrentControl2 Toolbar
Posted: 28 Sep 2012 19:44
- krauterbox
- New MyCity citizen
- Joined: 13 Jan 2012
- Posts: 18
- SystemLook ran for at most 3 seconds and produced what is below (it was not on the desktop; a Notepad window opened instead, so I just copied it):
SystemLook 30.07.11 by jpshortstuff
Log created at 19:18 on 28/09/2012 by GAVRIC
Administrator - Elevation successful
========== dir ==========
c:\documents and settings\GAVRIC\M-500-7469-9976-4678 - Parameters: "(none)"
---Files---
None found.
---Folders---
None found.
-= EOF =-
- I deleted all the programs you asked for
Posted: 28 Sep 2012 21:17
- TwinHeadedEagle
- Anti Malware Fighter Rank 2
- Joined: 09 Aug 2011
- Posts: 15879
- Location: Beograd
Step 1.
Download Xplode's AdwCleaner and save it to the Desktop
Double-click to run the program and click the [Search] button.
When the program finishes the analysis it will open a Notepad window (AdwCleaner[R1].txt) with the report.
Save that Notepad file to the Desktop and attach it to your post using the "Attach file" option
Note: The report will also be saved at C:\AdwCleaner[R1].txt
Step 2.
What is the state of the system now?