EXE file in the startup folder [win7]

  • vux777
  • New MyCity citizen
  • Joined: 22 Apr 2008
  • Posts: 21

I have a strange file in the Startup folder in my profile

C:\Users\MOJ_USER_NAME\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup
I can't link it to any program I have on the computer...
I deleted it before, but it came back
and it has the name of my Windows user profile

it looks like this
prntscr.com/7nlmp8

I scanned it with Malwarebytes and Windows Defender
they didn't report anything

is it a legitimate file or some trojan/virus?
thanks

  • Joined: 26 Aug 2010
  • Posts: 10622
  • Location: Hypnos Control Room, Tokyo Metropolitan Government Building

Follow the instructions for opening a topic and post the requested reports.

http://www.mycity.rs/Ambulanta/Kako-otvoriti-temu-u-Ambulanti.html

Also, upload that file to VirusTotal and post the scan results.

  • vux777
  • New MyCity citizen
  • Joined: 22 Apr 2008
  • Posts: 21

Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version:28-06-2015 01
Ran by wolf (administrator) on WOLF-PC on 01-07-2015 19:55:50
Running from C:\Users\wolf\Desktop
Loaded Profiles: wolf (Available Profiles: wolf)
Platform: Windows 7 Ultimate Service Pack 1 (X64) OS Language: English (United States)
Internet Explorer Version 8 (Default browser: Opera)
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: geekstogo.com/forum/topic/335081-frst-t.....scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(AMD) C:\Windows\System32\atiesrxx.exe
(AMD) C:\Windows\System32\atieclxx.exe
(Comodo) C:\Program Files (x86)\Comodo\Chromodo\chromodo_updater.exe
(Károly Pados) C:\Program Files (x86)\TinyWall\TinyWall.exe
(Károly Pados) C:\Program Files (x86)\TinyWall\TinyWall.exe
(Google Inc.) C:\Users\wolf\AppData\Local\Google\Update\GoogleUpdate.exe
() C:\Users\wolf\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\wolf.exe
(Skillbrains) C:\Program Files (x86)\Skillbrains\lightshot\5.2.1.1\Lightshot.exe
(Option) C:\Users\wolf\Documents\Option --prog-files\GlobeTrotter Connect\GlobeTrotter Connect.exe
(Opera Software) C:\Opera DEV\32.0.1910.0\opera.exe
(Opera Software) C:\Opera DEV\32.0.1910.0\opera.exe
(Opera Software) C:\Opera DEV\32.0.1910.0\opera.exe
(Opera Software) C:\Opera DEV\32.0.1910.0\opera.exe
(Opera Software) C:\Opera DEV\32.0.1910.0\opera.exe
(Opera Software) C:\Opera DEV\32.0.1910.0\opera.exe
(Opera Software) C:\Opera DEV\32.0.1910.0\opera.exe
(Opera Software) C:\Opera DEV\32.0.1910.0\opera.exe
(Opera Software) C:\Opera DEV\32.0.1910.0\opera.exe
(Opera Software) C:\Opera DEV\32.0.1910.0\opera.exe
(Opera Software) C:\Opera DEV\32.0.1910.0\opera.exe
(Opera Software) C:\Opera DEV\32.0.1910.0\opera.exe
(Opera Software) C:\Opera DEV\32.0.1910.0\opera.exe
(Opera Software) C:\Opera DEV\32.0.1910.0\opera.exe
(Opera Software) C:\Opera DEV\32.0.1910.0\opera.exe
(Opera Software) C:\Opera DEV\32.0.1910.0\opera.exe
(Opera Software) C:\Opera DEV\32.0.1910.0\opera.exe


==================== Registry (Whitelisted) ==================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [TinyWall Controller] => C:\Program Files (x86)\TinyWall\TinyWall.exe [653560 2015-01-06] (Károly Pados)
HKLM-x32\...\Run: [Lightshot] => C:\Program Files (x86)\Skillbrains\lightshot\Lightshot.exe [226560 2014-11-18] ()
HKU\S-1-5-21-2967622084-3744315601-1004692077-1000\...\Run: [Google Update] => C:\Users\wolf\AppData\Local\Google\Update\GoogleUpdate.exe [107848 2015-05-09] (Google Inc.)
HKU\S-1-5-21-2967622084-3744315601-1004692077-1000\...\Run: [start] => C:\ProgramData\start.exe
HKU\S-1-5-21-2967622084-3744315601-1004692077-1000\...\Policies\Explorer: [NoAutorun] 1
HKU\S-1-5-21-2967622084-3744315601-1004692077-1000\...\MountPoints2: {404f1e6f-f186-11e4-a356-c9b4e6a50cf9} - E:\setup.exe AUTORUN=1
HKU\S-1-5-21-2967622084-3744315601-1004692077-1000\...\MountPoints2: {be08091d-f184-11e4-9eed-806e6f6e6963} - D:\Setup.exe
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\web'n'walk Manager.lnk [2015-05-03]
ShortcutTarget: web'n'walk Manager.lnk -> C:\Program Files (x86)\T-Mobile\web'n'walk Manager\web'n'walk Manager.exe (T-Mobile)
Startup: C:\Users\wolf\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\wolf.exe [2015-06-15] ()

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

HKU\S-1-5-21-2967622084-3744315601-1004692077-1000\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = msn.com/?ocid=iehp
Handler-x32: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files (x86)\Common Files\Skype\Skype4COM.dll [2013-02-26] (Skype Technologies)
Filter: deflate - {8f6b0360-b80d-11d0-a9b3-006097942311} - C:\Windows\system32\urlmon.dll [2010-11-21] (Microsoft Corporation)
Filter-x32: deflate - {8f6b0360-b80d-11d0-a9b3-006097942311} - C:\Windows\SysWOW64\urlmon.dll [2010-11-21] (Microsoft Corporation)
Filter: gzip - {8f6b0360-b80d-11d0-a9b3-006097942311} - C:\Windows\system32\urlmon.dll [2010-11-21] (Microsoft Corporation)
Filter-x32: gzip - {8f6b0360-b80d-11d0-a9b3-006097942311} - C:\Windows\SysWOW64\urlmon.dll [2010-11-21] (Microsoft Corporation)
Tcpip\Parameters: [DhcpNameServer] 212.247.156.66 8.8.8.8
Tcpip\..\Interfaces\{437864FB-B43E-48AA-BDF4-AAFFF37BA8EC}: [DhcpNameServer] 212.247.156.66 8.8.8.8

FireFox:
========
FF ProfilePath: C:\Users\wolf\AppData\Roaming\Mozilla\Firefox\Profiles\aytevgn3.default
FF Plugin-x32: @tools.google.com/Google Update;version=3 -> C:\Program Files (x86)\Google\Update\1.3.27.5\npGoogleUpdate3.dll [2015-05-16] (Google Inc.)
FF Plugin-x32: @tools.google.com/Google Update;version=9 -> C:\Program Files (x86)\Google\Update\1.3.27.5\npGoogleUpdate3.dll [2015-05-16] (Google Inc.)
FF Plugin HKU\S-1-5-21-2967622084-3744315601-1004692077-1000: @tools.google.com/Google Update;version=3 -> C:\Users\wolf\AppData\Local\Google\Update\1.3.27.5\npGoogleUpdate3.dll [2015-06-12] (Google Inc.)
FF Plugin HKU\S-1-5-21-2967622084-3744315601-1004692077-1000: @tools.google.com/Google Update;version=9 -> C:\Users\wolf\AppData\Local\Google\Update\1.3.27.5\npGoogleUpdate3.dll [2015-06-12] (Google Inc.)

Chrome:
=======
CHR dev: Chrome dev build detected! <======= ATTENTION
CHR Profile: C:\Users\wolf\AppData\Local\Google\Chrome\User Data\Default
CHR Extension: (Google Slides) - C:\Users\wolf\AppData\Local\Google\Chrome\User Data\Default\Extensions\aapocclcgogkmnckokdopfmhonfmgoek [2015-05-09]
CHR Extension: (Magic Actions for YouTube™) - C:\Users\wolf\AppData\Local\Google\Chrome\User Data\Default\Extensions\abjcfabbhafbcdfjoecdgepllmpfceif [2015-05-09]
CHR Extension: (Data Compression Proxy) - C:\Users\wolf\AppData\Local\Google\Chrome\User Data\Default\Extensions\ajfiodhbiellfpcjjedhmmmpeeaebmep [2015-05-09]
CHR Extension: (Google Docs) - C:\Users\wolf\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake [2015-05-09]
CHR Extension: (Google Drive) - C:\Users\wolf\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf [2015-05-09]
CHR Extension: (YouTube) - C:\Users\wolf\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2015-05-09]
CHR Extension: (Google Search) - C:\Users\wolf\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf [2015-05-09]
CHR Extension: (Google Sheets) - C:\Users\wolf\AppData\Local\Google\Chrome\User Data\Default\Extensions\felcaaldnbdncclmgdcncolpebgiejap [2015-05-09]
CHR Extension: (Image Autosizer) - C:\Users\wolf\AppData\Local\Google\Chrome\User Data\Default\Extensions\kbbmeeflfcjnbeelhinbnlmdjmekfhbm [2015-05-09]
CHR Extension: (Chrome Hotword Shared Module) - C:\Users\wolf\AppData\Local\Google\Chrome\User Data\Default\Extensions\lccekmodgklaepjeofjdjpbminllajkg [2015-05-09]
CHR Extension: (Bookmark Checker) - C:\Users\wolf\AppData\Local\Google\Chrome\User Data\Default\Extensions\lnboppjpcdnckcklbmjmdahfkpmgglec [2015-06-05]
CHR Extension: (Ghostery) - C:\Users\wolf\AppData\Local\Google\Chrome\User Data\Default\Extensions\mlomiejdfkolichcflejclcbmpeaniij [2015-05-09]
CHR Extension: (SmoothScroll) - C:\Users\wolf\AppData\Local\Google\Chrome\User Data\Default\Extensions\nbokbjkabcmbfdlbddjidfmibcpneigj [2015-05-09]
CHR Extension: (Google Wallet) - C:\Users\wolf\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2015-05-09]
CHR Extension: (Data Saver (Beta)) - C:\Users\wolf\AppData\Local\Google\Chrome\User Data\Default\Extensions\pfmgfdlgomnbgkofeojodiodmgpgmkac [2015-05-24]
CHR Extension: (Gmail) - C:\Users\wolf\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2015-05-09]

Opera:
=======
OPR Extension: (Ghostery) - C:\Users\wolf\AppData\Roaming\Opera Software\Opera Stable\Extensions\bbkekonodcdmedgffkkbgmnnekbainbg [2015-06-24]
OPR Extension: (vux777) - C:\Users\wolf\AppData\Roaming\Opera Software\Opera Stable\Extensions\bgjcegonlhkkclkkglpgjmgnigefhkak [2015-06-24]
OPR Extension: (vux777) - C:\Users\wolf\AppData\Roaming\Opera Software\Opera Stable\Extensions\cdceehkohlgmkeijedfpbhhlifdigpdl [2015-06-28]
OPR Extension: (Quick History) - C:\Users\wolf\AppData\Roaming\Opera Software\Opera Stable\Extensions\hmnhfgcahjdhfocnolfkmfadlieleijj [2015-06-27]
OPR Extension: (vux777) - C:\Users\wolf\AppData\Roaming\Opera Software\Opera Stable\Extensions\kkhiaiofhmjgbaiolieglhacifpfdick [2015-06-28]
OPR Extension: (vux777) - C:\Users\wolf\AppData\Roaming\Opera Software\Opera Stable\Extensions\lcoemcffdmjaaomkchpjkmjfkljagidm [2015-06-24]
OPR Extension: (vux777) - C:\Users\wolf\AppData\Roaming\Opera Software\Opera Stable\Extensions\lmmhflhfcljkioicbckchnpfiffcjkjp [2015-06-26]
OPR Extension: (vux777) - C:\Users\wolf\AppData\Roaming\Opera Software\Opera Stable\Extensions\mhckaeojpndkpchffabjhnkeiildpjhg [2015-06-24]
OPR Extension: (SmoothScroll) - C:\Users\wolf\AppData\Roaming\Opera Software\Opera Stable\Extensions\nbokbjkabcmbfdlbddjidfmibcpneigj [2015-06-24]
OPR Extension: (Magic Actions for YouTube™) - C:\Users\wolf\AppData\Roaming\Opera Software\Opera Stable\Extensions\nlffnljnicbkfhnlomjhjlebndachaka [2015-06-24]
OPR Extension: (BS-Harou (Martin Kadlec)) - C:\Users\wolf\AppData\Roaming\Opera Software\Opera Stable\Extensions\nncgmpcdlilgbepbfpeidpjlcdfhmcfp [2015-06-24]
OPR Extension: (vux777) - C:\Users\wolf\AppData\Roaming\Opera Software\Opera Stable\Extensions\ofpknbbbohcgomapfgcgadleckdagikj [2015-06-24]
OPR Extension: (vux777) - C:\Users\wolf\Desktop\FINALE\SESSIONS\V7 Sessions v1.4 RADNI NOVI [2015-06-08]

==================== Services (Whitelisted) =================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

R2 ChromodoUpdater; C:\Program Files (x86)\Comodo\Chromodo\chromodo_updater.exe [1995448 2015-05-18] (Comodo)
S2 MBAMService; C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe [1133880 2015-06-18] (Malwarebytes Corporation)
R2 TinyWall; C:\Program Files (x86)\TinyWall\TinyWall.exe [653560 2015-01-06] (Károly Pados)
R2 WinDefend; C:\Program Files\Windows Defender\mpsvc.dll [1011712 2009-07-14] (Microsoft Corporation)

==================== Drivers (Whitelisted) ====================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

R3 GT72NDISIPXP; C:\Windows\System32\DRIVERS\Gt51Ip.sys [130048 2009-06-11] (Option N.V.)
R3 GT72UBUS; C:\Windows\System32\DRIVERS\gt72ubus.sys [86528 2009-06-11] (Option N.V.)
R3 GTPTSER; C:\Windows\System32\DRIVERS\gtptser.sys [10496 2009-06-11] (Option N.V.)
S3 MBAMProtector; C:\Windows\system32\drivers\mbam.sys [25816 2015-06-18] (Malwarebytes Corporation)
S3 MBAMWebAccessControl; C:\Windows\system32\drivers\mwac.sys [63704 2015-06-18] (Malwarebytes Corporation)
S3 VGPU; System32\drivers\rdvgkmd.sys [X]

==================== NetSvcs (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)


==================== One Month Created files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2015-07-01 19:55 - 2015-07-01 19:56 - 00011661 _____ C:\Users\wolf\Desktop\FRST.txt
2015-07-01 19:55 - 2015-07-01 19:55 - 00036342 _____ C:\Users\wolf\AppData\Local\recently-used.xbel
2015-07-01 19:51 - 2015-07-01 19:53 - 00000000 ____D C:\Users\wolf\Desktop\New Folder (4)
2015-07-01 19:32 - 2015-07-01 19:55 - 00000000 ____D C:\FRST
2015-07-01 19:29 - 2015-07-01 19:29 - 02112512 _____ (Farbar) C:\Users\wolf\Desktop\FRST64.exe
2015-07-01 19:26 - 2015-07-01 19:26 - 00000000 ____D C:\Windows\pss
2015-06-30 15:29 - 2015-06-30 15:31 - 00000000 ____D C:\Users\wolf\Desktop\New Folder (2)
2015-06-30 12:43 - 2015-06-30 12:43 - 00305929 _____ C:\Users\wolf\Desktop\V7 Stash 0.9.6 raw.nex
2015-06-30 07:42 - 2015-07-01 10:59 - 00000112 _____ C:\Windows\setupact.log
2015-06-30 07:42 - 2015-06-30 07:42 - 00000526 _____ C:\Windows\PFRO.log
2015-06-30 07:42 - 2015-06-30 07:42 - 00000000 _____ C:\Windows\setuperr.log
2015-06-29 22:04 - 2015-07-01 12:57 - 00000000 ____D C:\Program Files (x86)\Vivaldi
2015-06-29 22:04 - 2015-06-29 22:04 - 00000000 ____D C:\Users\wolf\AppData\Local\Vivaldi
2015-06-29 22:04 - 2015-06-29 22:04 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Vivaldi
2015-06-28 22:35 - 2015-06-28 22:35 - 00000000 ____D C:\Users\wolf\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Notepad++
2015-06-28 22:35 - 2015-06-28 22:35 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Notepad++
2015-06-28 17:07 - 2015-07-01 15:02 - 00000000 ____D C:\Opera Beta
2015-06-28 17:05 - 2015-06-28 17:05 - 00135680 _____ C:\Users\wolf\Desktop\V7_notes.json
2015-06-28 12:02 - 2015-06-28 19:37 - 00000000 ____D C:\Users\wolf\Desktop\bookmarks tests
2015-06-28 11:50 - 2015-06-28 11:50 - 00110146 _____ C:\Users\wolf\Desktop\V7 Bookmarks TEST .nex
2015-06-28 11:37 - 2015-06-28 11:37 - 00000000 ____D C:\Users\wolf\Desktop\V7 Bookmarks v2.0 _raw
2015-06-27 23:15 - 2015-06-27 23:15 - 00000000 ____D C:\Users\wolf\Desktop\New folder
2015-06-27 10:02 - 2015-06-27 10:02 - 00744791 _____ C:\Users\wolf\Desktop\Opera_bookmarks (1).html
2015-06-26 20:24 - 2015-06-26 20:24 - 00000000 ____D C:\Users\wolf\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\GitHub, Inc
2015-06-26 20:23 - 2015-06-28 23:50 - 00000000 ____D C:\Users\wolf\AppData\Local\atom
2015-06-26 20:23 - 2015-06-26 20:24 - 00000000 ____D C:\Users\wolf\AppData\Local\SquirrelTemp
2015-06-26 08:44 - 2015-06-27 10:11 - 08085903 _____ C:\Users\wolf\Desktop\O_BKM 14k.html
2015-06-26 08:44 - 2015-06-26 08:44 - 00740638 _____ C:\Users\wolf\Desktop\Opera_bookmarks.html
2015-06-25 16:25 - 2015-06-25 16:25 - 00000000 ____D C:\Users\wolf\Desktop\gifs
2015-06-24 12:55 - 2015-07-01 12:55 - 00000000 ____D C:\Program Files (x86)\Opera
2015-06-24 12:55 - 2015-06-24 12:55 - 00003816 _____ C:\Windows\System32\Tasks\Opera scheduled Autoupdate 1435143304
2015-06-24 12:55 - 2015-06-24 12:55 - 00001139 _____ C:\Users\Public\Desktop\Opera.lnk
2015-06-24 12:55 - 2015-06-24 12:55 - 00001139 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Opera.lnk
2015-06-24 12:55 - 2015-06-24 12:55 - 00000000 ____D C:\Users\wolf\AppData\Roaming\Opera Software
2015-06-23 16:48 - 2015-06-23 16:48 - 00000000 ____D C:\Users\wolf\Desktop\WOLF-PC 23.6.2015. 16.47.20
2015-06-19 18:25 - 2015-06-19 18:24 - 07129306 _____ C:\Users\wolf\Desktop\video-theme-fireplace.zip
2015-06-18 12:51 - 2015-06-18 12:51 - 00000902 _____ C:\Users\wolf\Desktop\dev.lnk
2015-06-18 12:46 - 2015-06-30 15:31 - 00000000 ____D C:\Opera DEV
2015-06-17 12:53 - 2015-06-17 12:53 - 00000000 ____D C:\Users\wolf\Desktop\img TABS BCKUP
2015-06-16 12:32 - 2015-06-16 12:32 - 00000911 _____ C:\Users\wolf\Desktop\beta.lnk
2015-06-15 18:33 - 2015-07-01 01:14 - 00000000 ____D C:\Users\wolf\AppData\Roaming\qBittorrent
2015-06-15 18:33 - 2015-06-15 18:33 - 00000000 ____D C:\Users\wolf\AppData\Local\qBittorrent
2015-06-15 18:33 - 2015-06-15 18:33 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\qBittorrent
2015-06-15 18:33 - 2015-06-15 18:33 - 00000000 ____D C:\Program Files (x86)\qBittorrent
2015-06-15 18:09 - 2015-06-16 10:16 - 00000000 ____D C:\Users\wolf\Desktop\v7 backup
2015-06-15 17:37 - 2015-07-01 18:53 - 00113880 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\MBAMSwissArmy.sys
2015-06-15 17:36 - 2015-07-01 18:53 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes Anti-Malware
2015-06-15 17:36 - 2015-07-01 18:53 - 00000000 ____D C:\Program Files (x86)\Malwarebytes Anti-Malware
2015-06-15 17:36 - 2015-06-18 08:41 - 00109272 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mbamchameleon.sys
2015-06-15 17:36 - 2015-06-18 08:41 - 00063704 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mwac.sys
2015-06-15 17:36 - 2015-06-18 08:41 - 00025816 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mbam.sys
2015-06-15 17:36 - 2015-06-15 17:36 - 00000000 ____D C:\ProgramData\Malwarebytes
2015-06-15 17:32 - 2015-06-15 17:33 - 00000000 ____D C:\Users\wolf\AppData\Roaming\vlc
2015-06-15 17:32 - 2015-06-15 17:32 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\VideoLAN
2015-06-15 17:32 - 2015-06-15 17:32 - 00000000 ____D C:\Program Files (x86)\VideoLAN
2015-06-15 17:22 - 2015-06-15 17:45 - 00000000 __SHD C:\ProgramData\WOLF-PC
2015-06-14 19:26 - 2015-06-24 12:46 - 00000000 ____D C:\Windows\Minidump
2015-06-11 12:26 - 2015-06-11 12:26 - 00004558 _____ C:\Users\wolf\AppData\Roaming\CamStudio.cfg
2015-06-11 12:26 - 2015-06-11 12:26 - 00000408 _____ C:\Users\wolf\AppData\Roaming\CamShapes.ini
2015-06-11 12:26 - 2015-06-11 12:26 - 00000408 _____ C:\Users\wolf\AppData\Roaming\CamLayout.ini
2015-06-11 12:26 - 2015-06-11 12:26 - 00000073 _____ C:\Users\wolf\AppData\Roaming\Camdata.ini
2015-06-11 12:19 - 2015-06-11 12:24 - 00000000 ____D C:\Users\wolf\Documents\My CamStudio Temp Files
2015-06-11 12:16 - 2015-06-11 12:16 - 00000096 _____ C:\Users\wolf\AppData\Roaming\version2.xml
2015-06-11 12:15 - 2015-06-11 12:15 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\CamStudio 2.7
2015-06-11 12:15 - 2015-06-11 12:15 - 00000000 ____D C:\Program Files\CamStudio 2.7
2015-06-10 14:25 - 2015-06-15 18:10 - 00000000 ____D C:\Users\wolf\Desktop\video
2015-06-06 12:30 - 2015-06-06 12:30 - 00000000 ____D C:\Users\wolf\AppData\Local\Nicke_Manarin
2015-06-06 11:43 - 2015-06-07 10:09 - 00000143 _____ C:\Users\wolf\AppData\Roaming\licecap.ini
2015-06-06 11:43 - 2015-06-06 11:43 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\LICEcap

==================== One Month Modified files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2015-07-01 19:55 - 2015-05-03 13:42 - 00000000 ____D C:\Users\wolf\Desktop\ikone moje i ostalo
2015-07-01 19:41 - 2015-05-03 13:11 - 00466388 _____ C:\Windows\WindowsUpdate.log
2015-07-01 19:28 - 2015-05-30 23:20 - 00000000 ____D C:\Users\wolf\AppData\Roaming\Skype
2015-07-01 19:17 - 2015-05-04 14:39 - 00000830 _____ C:\Windows\Tasks\Adobe Flash Player Updater.job
2015-07-01 19:16 - 2015-05-09 13:05 - 00000948 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2015-07-01 19:16 - 2015-05-09 13:05 - 00000944 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2015-07-01 19:07 - 2015-05-03 14:46 - 00000386 _____ C:\Windows\Tasks\update-sys.job
2015-07-01 19:03 - 2015-05-09 17:51 - 00000954 _____ C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2967622084-3744315601-1004692077-1000UA.job
2015-07-01 19:03 - 2015-05-09 17:51 - 00000902 _____ C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2967622084-3744315601-1004692077-1000Core.job
2015-07-01 18:07 - 2015-05-03 14:46 - 00000386 _____ C:\Windows\Tasks\update-S-1-5-21-2967622084-3744315601-1004692077-1000.job
2015-07-01 14:59 - 2015-05-03 13:42 - 00000000 ____D C:\Users\wolf\Desktop\neke ext
2015-07-01 11:08 - 2009-07-14 07:13 - 00781298 _____ C:\Windows\system32\PerfStringBackup.INI
2015-07-01 11:07 - 2009-07-14 06:45 - 00021072 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2015-07-01 11:07 - 2009-07-14 06:45 - 00021072 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2015-07-01 10:59 - 2009-07-14 07:08 - 00000006 ____H C:\Windows\Tasks\SA.DAT
2015-07-01 00:10 - 2015-05-03 13:38 - 00000000 ____D C:\Users\wolf\AppData\Local\GlobeTrotter Connect
2015-06-29 22:13 - 2015-05-03 13:15 - 00000000 ____D C:\Users\wolf
2015-06-28 22:35 - 2015-05-03 14:12 - 00000000 ____D C:\Users\wolf\AppData\Roaming\Notepad++
2015-06-28 22:35 - 2015-05-03 14:12 - 00000000 ____D C:\Program Files (x86)\Notepad++
2015-06-28 01:18 - 2015-05-04 14:39 - 00000892 _____ C:\Windows\Tasks\Adobe Flash Player PPAPI Notifier.job
2015-06-24 12:55 - 2015-05-03 13:41 - 00000000 ____D C:\Users\wolf\AppData\Local\Opera Software
2015-06-24 12:52 - 2015-05-03 13:15 - 00001447 _____ C:\Users\wolf\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Internet Explorer.lnk
2015-06-24 12:52 - 2015-05-03 13:15 - 00001413 _____ C:\Users\wolf\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Internet Explorer (64-bit).lnk
2015-06-15 18:13 - 2015-05-03 13:42 - 00000000 ____D C:\Users\wolf\Desktop\dev
2015-06-15 17:45 - 2009-07-14 05:20 - 00000000 ____D C:\Windows\Web
2015-06-12 18:58 - 2015-05-09 17:51 - 00003922 _____ C:\Windows\System32\Tasks\GoogleUpdateTaskUserS-1-5-21-2967622084-3744315601-1004692077-1000UA
2015-06-12 18:58 - 2015-05-09 17:51 - 00003526 _____ C:\Windows\System32\Tasks\GoogleUpdateTaskUserS-1-5-21-2967622084-3744315601-1004692077-1000Core
2015-06-11 12:14 - 2009-07-14 05:20 - 00000000 ____D C:\Program Files\Common Files\Microsoft Shared
2015-06-10 17:18 - 2015-05-03 13:42 - 00000000 ____D C:\Users\wolf\Desktop\FINALE

==================== Files in the root of some directories =======

2015-06-11 12:26 - 2015-06-11 12:26 - 0000073 _____ () C:\Users\wolf\AppData\Roaming\Camdata.ini
2015-06-11 12:26 - 2015-06-11 12:26 - 0000408 _____ () C:\Users\wolf\AppData\Roaming\CamLayout.ini
2015-06-11 12:26 - 2015-06-11 12:26 - 0000408 _____ () C:\Users\wolf\AppData\Roaming\CamShapes.ini
2015-06-11 12:26 - 2015-06-11 12:26 - 0004558 _____ () C:\Users\wolf\AppData\Roaming\CamStudio.cfg
2015-06-06 11:43 - 2015-06-07 10:09 - 0000143 _____ () C:\Users\wolf\AppData\Roaming\licecap.ini
2015-06-11 12:16 - 2015-06-11 12:16 - 0000096 _____ () C:\Users\wolf\AppData\Roaming\version2.xml
2015-07-01 19:55 - 2015-07-01 19:55 - 0036342 _____ () C:\Users\wolf\AppData\Local\recently-used.xbel
2015-05-03 14:46 - 2015-05-03 14:46 - 0000003 _____ () C:\Users\wolf\AppData\Local\updater.log
2015-05-03 14:46 - 2015-05-03 14:46 - 0000424 _____ () C:\Users\wolf\AppData\Local\UserProducts.xml

Some files in TEMP:
====================
C:\Users\wolf\AppData\Local\Temp\SkypeSetup.exe
C:\Users\wolf\AppData\Local\Temp\xmlUpdater.exe


==================== Bamital & volsnap Check =================

(There is no automatic fix for files that do not pass verification.)

C:\Windows\System32\winlogon.exe => File is digitally signed
C:\Windows\System32\wininit.exe => File is digitally signed
C:\Windows\SysWOW64\wininit.exe => File is digitally signed
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\SysWOW64\explorer.exe => File is digitally signed
C:\Windows\System32\svchost.exe => File is digitally signed
C:\Windows\SysWOW64\svchost.exe => File is digitally signed
C:\Windows\System32\services.exe => File is digitally signed
C:\Windows\System32\User32.dll => File is digitally signed
C:\Windows\SysWOW64\User32.dll => File is digitally signed
C:\Windows\System32\userinit.exe => File is digitally signed
C:\Windows\SysWOW64\userinit.exe => File is digitally signed
C:\Windows\System32\rpcss.dll => File is digitally signed
C:\Windows\System32\Drivers\volsnap.sys => File is digitally signed


LastRegBack: 2015-06-24 17:15

==================== End of log ============================

VIRUS TOTAL:
I didn't upload the file completely; it showed me the analysis of a previously analysed file (it recognised it)
this is the report
virustotal.com/en/file/03d44309951b2e9...../analysis/

  • Joined: 26 Aug 2010
  • Posts: 10622
  • Location: Hypnos Control Room, Tokyo Metropolitan Government Building

Did you personally install the developer version of Chrome, and did you install the vux777 and Quick History extensions for Opera?


Open Notepad and copy the following text that is inside the Code box.

HKU\S-1-5-21-2967622084-3744315601-1004692077-1000\...\Run: [start] => C:\ProgramData\start.exe
HKU\S-1-5-21-2967622084-3744315601-1004692077-1000\...\MountPoints2: {404f1e6f-f186-11e4-a356-c9b4e6a50cf9} - E:\setup.exe AUTORUN=1
HKU\S-1-5-21-2967622084-3744315601-1004692077-1000\...\MountPoints2: {be08091d-f184-11e4-9eed-806e6f6e6963} - D:\Setup.exe
Startup: C:\Users\wolf\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\wolf.exe [2015-06-15] ()

C:\ProgramData\start.exe
C:\Users\wolf\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\wolf.exe

EmptyTemp:


In Notepad click File --> Save As
Name the file Fixlist and save it to the Desktop
Double-click to run FRST.exe again
Click Fix and wait for the program to finish.
If the program requests a computer restart, let it do so without interruption.
After it finishes, fixlog.txt will open, with content that you should copy into the topic.
The file (fixlog.txt) will also be on the Desktop.
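
To show how the entries the helper pulled into the fixlist can be picked out of an FRST log mechanically, here is an added Python example; it is not code from the thread or from FRST's author. It parses the Run, Startup, ShortcutTarget and MountPoints2 lines in the format FRST prints them and flags the ones worth checking first: a file FRST listed with empty "()" publisher information, a Run value pointing at a file that no longer exists, an unattributed file starting from AppData or ProgramData, and MountPoints2 autorun records. The sample lines are copied from the log posted above; the triage heuristics are my own assumptions, and a flag is a reason to verify (hash lookup, signature check, known-software list), not a malware verdict: Lightshot is flagged for an empty publisher field, yet the helper rightly left it alone.

```python
"""Triage the autostart entries of an FRST (Farbar Recovery Scan Tool) log.

Added example, not part of the thread and not FRST's own code. The sample
lines below are copied from the log posted in the thread; the triage rules
are assumptions chosen to mirror what the helper picked into the fixlist.
"""
import re

RUN_RE = re.compile(r'^(?P<hive>HK\S*\\Run(?:Once)?): \[(?P<name>[^\]]*)\] => (?P<rest>.*)$')
STARTUP_RE = re.compile(r'^Startup: (?P<rest>.+)$')
SHORTCUT_RE = re.compile(r'^ShortcutTarget: (?P<lnk>.+?) -> (?P<rest>.+)$')
MOUNT_RE = re.compile(r'^(?P<hive>HK\S*\\MountPoints2): \{(?P<guid>[0-9a-fA-F-]+)\} - (?P<rest>.+)$')
# "<path> [<size> <date>] (<publisher>)" - both bracketed parts are optional.
FILEINFO_RE = re.compile(r'^(?P<path>.+?)(?: \[(?P<info>[^\]]*)\])?(?: \((?P<publisher>[^)]*)\))?$')

# Locations a standard user can write to; legitimate software rarely autostarts
# from here without at least carrying publisher information.
USER_WRITABLE = ('\\appdata\\', '\\programdata\\', '\\users\\public\\', '\\temp\\')

SAMPLE_LOG = r"""
HKLM\...\Run: [TinyWall Controller] => C:\Program Files (x86)\TinyWall\TinyWall.exe [653560 2015-01-06] (Károly Pados)
HKLM-x32\...\Run: [Lightshot] => C:\Program Files (x86)\Skillbrains\lightshot\Lightshot.exe [226560 2014-11-18] ()
HKU\S-1-5-21-2967622084-3744315601-1004692077-1000\...\Run: [Google Update] => C:\Users\wolf\AppData\Local\Google\Update\GoogleUpdate.exe [107848 2015-05-09] (Google Inc.)
HKU\S-1-5-21-2967622084-3744315601-1004692077-1000\...\Run: [start] => C:\ProgramData\start.exe
HKU\S-1-5-21-2967622084-3744315601-1004692077-1000\...\MountPoints2: {404f1e6f-f186-11e4-a356-c9b4e6a50cf9} - E:\setup.exe AUTORUN=1
HKU\S-1-5-21-2967622084-3744315601-1004692077-1000\...\MountPoints2: {be08091d-f184-11e4-9eed-806e6f6e6963} - D:\Setup.exe
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\web'n'walk Manager.lnk [2015-05-03]
ShortcutTarget: web'n'walk Manager.lnk -> C:\Program Files (x86)\T-Mobile\web'n'walk Manager\web'n'walk Manager.exe (T-Mobile)
Startup: C:\Users\wolf\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\wolf.exe [2015-06-15] ()
"""


def parse_fileinfo(rest):
    """Split FRST's '<path> [<size> <date>] (<publisher>)' tail.

    publisher is None when FRST printed no file block at all (file not found
    at scan time) and "" when it printed "()" (no company name in the file).
    """
    m = FILEINFO_RE.match(rest)
    size = date = None
    if m.group('info'):
        parts = m.group('info').split()
        if len(parts) == 2:          # Run entries: size and date
            size, date = int(parts[0]), parts[1]
        elif len(parts) == 1:        # Startup entries: date only
            date = parts[0]
    return {'path': m.group('path'), 'size': size, 'date': date,
            'publisher': m.group('publisher')}


def parse_autostart(log_text):
    """Return one dict per autostart entry, in log order."""
    entries = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = RUN_RE.match(line)
        if m:
            e = {'kind': 'run', 'hive': m.group('hive'), 'name': m.group('name')}
            e.update(parse_fileinfo(m.group('rest')))
            entries.append(e)
            continue
        m = STARTUP_RE.match(line)
        if m:
            e = {'kind': 'startup', 'hive': None}
            e.update(parse_fileinfo(m.group('rest')))
            e['name'] = e['path'].rsplit('\\', 1)[-1]
            entries.append(e)
            continue
        m = SHORTCUT_RE.match(line)
        if m:
            # FRST prints the .lnk target right after the Startup line; attach it
            # to that shortcut so triage judges the real file, not the .lnk.
            target = parse_fileinfo(m.group('rest'))
            for e in reversed(entries):
                if e['kind'] == 'startup' and e['name'] == m.group('lnk'):
                    e['path'], e['publisher'] = target['path'], target['publisher']
                    break
            continue
        m = MOUNT_RE.match(line)
        if m:
            path, _, param = m.group('rest').partition(' AUTORUN=')
            entries.append({'kind': 'mountpoint', 'hive': m.group('hive'),
                            'name': '{' + m.group('guid') + '}', 'path': path,
                            'size': None, 'date': None, 'publisher': None,
                            'autorun': param == '1'})
    return entries


def triage(entries):
    """Flag entries that deserve a closer look. A flag means 'verify this'."""
    findings = []
    for e in entries:
        reasons = []
        if e['kind'] == 'mountpoint':
            reasons.append('MountPoints2 record for a removable/optical drive'
                           + (' with AUTORUN=1' if e['autorun'] else ''))
        if e['publisher'] == '':
            reasons.append('file carries no company/publisher information')
        if e['kind'] == 'run' and e['date'] is None:
            reasons.append('Run value points at a file FRST could not find (orphaned entry)')
        if (e['kind'] != 'mountpoint' and e['publisher'] in (None, '')
                and any(marker in e['path'].lower() for marker in USER_WRITABLE)):
            reasons.append('unattributed file executing from a user-writable location')
        if reasons:
            findings.append({'name': e['name'], 'path': e['path'], 'reasons': reasons})
    return findings


if __name__ == '__main__':
    for f in triage(parse_autostart(SAMPLE_LOG)):
        print(f"{f['name']}: {f['path']}")
        for r in f['reasons']:
            print('   -', r)
```

Run against the sample, the script flags Lightshot (empty publisher), start.exe (orphaned Run value in ProgramData), both MountPoints2 records and wolf.exe (empty publisher, running from AppData), while TinyWall, Google Update and the web'n'walk shortcut pass. Three of those five are exactly the lines the helper put into the fixlist; the Lightshot hit is the reminder that the list is a starting point for checks, not a removal list.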

  • vux777
  • New MyCity citizen
  • Joined: 22 Apr 2008
  • Posts: 21

Sass Drake wrote:

Did you personally install the developer version of Chrome, and did you install the vux777 and Quick History extensions for Opera?


yes, I installed those (local extensions from the HDD)
**************************

the first time, about 7 days ago, I think I suspected uTorrent and some adware that it silently installed during an update
I removed it, but now I'm not sure whether it came from that or from something else
this is what I had removed
C:\ProgramData\start.exe

and this one is from a USB stick
HKU\S-1-5-21-2967622084-3744315601-1004692077-1000\...\MountPoints2: {404f1e6f-f186-11e4-a356-c9b4e6a50cf9} - E:\setup.exe AUTORUN=1

is that just a registry key, because I don't see it on the stick? (I have it showing all hidden files)

is this something dangerous or ...?

-------------------------------------------
Fix result of Farbar Recovery Scan Tool (x64) Version:28-06-2015 01
Ran by wolf at 2015-07-01 21:48:14 Run:1
Running from C:\Users\wolf\Desktop
Loaded Profiles: wolf (Available Profiles: wolf)
Boot Mode: Normal
==============================================

fixlist content:
*****************
HKU\S-1-5-21-2967622084-3744315601-1004692077-1000\...\Run: [start] => C:\ProgramData\start.exe
HKU\S-1-5-21-2967622084-3744315601-1004692077-1000\...\MountPoints2: {404f1e6f-f186-11e4-a356-c9b4e6a50cf9} - E:\setup.exe AUTORUN=1
HKU\S-1-5-21-2967622084-3744315601-1004692077-1000\...\MountPoints2: {be08091d-f184-11e4-9eed-806e6f6e6963} - D:\Setup.exe
Startup: C:\Users\wolf\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\wolf.exe [2015-06-15] ()

C:\ProgramData\start.exe
C:\Users\wolf\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\wolf.exe

EmptyTemp:
*****************

HKU\S-1-5-21-2967622084-3744315601-1004692077-1000\Software\Microsoft\Windows\CurrentVersion\Run\\start => value removed successfully
"HKU\S-1-5-21-2967622084-3744315601-1004692077-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{404f1e6f-f186-11e4-a356-c9b4e6a50cf9}" => key removed successfully
HKCR\CLSID\{404f1e6f-f186-11e4-a356-c9b4e6a50cf9} => key not found.
"HKU\S-1-5-21-2967622084-3744315601-1004692077-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{be08091d-f184-11e4-9eed-806e6f6e6963}" => key removed successfully
HKCR\CLSID\{be08091d-f184-11e4-9eed-806e6f6e6963} => key not found.
C:\Users\wolf\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\wolf.exe => moved successfully.
"C:\ProgramData\start.exe" => File/Folder not found.
"C:\Users\wolf\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\wolf.exe" => File/Folder not found.
EmptyTemp: => 72.2 MB temporary data Removed.


The system needed a reboot..

==== End of Fixlog 21:48:21 ====

  • Joined: 26 Aug 2010
  • Posts: 10622
  • Location: Hypnos Control Room, Tokyo Metropolitan Government Building

Download Malwarebytes Anti-Rootkit (MBAR) from the following link and save it to the Desktop.

Double-click the MBAR program icon to run it:
- Click OK in the next window to allow unpacking into a separate mbar folder on the desktop;
- mbar.exe will be started. On some systems this can take a few extra seconds, so wait for it to start;
- In the introductory window click the Next button if you agree;

• In the 'Update Database' window click the Update button to download fresh definitions. When the message 'Success: Database was successfully updated' appears, click the Next button;
• Under the 'Scan Targets' section check that all options are ticked, then click the Scan button;

Note: with some infections one of the following messages may appear:
- 'Could not load protection driver' => in that case click OK.
- 'Could not load DDA driver' => click Yes on that notice to allow loading after a restart. Allow the restart and continue with the rest of the instructions after the restart.

>> If no malware is detected, click the Exit button to close the program. In your next post, post the mbar-log-year-month-day (hour-minutes-seconds).txt and system-log.txt reports.

>> If infection(s) are found, check that the 'Create Restore Point' option is ticked and click the Cleanup! button to remove the threats.
- The malware removal procedure will be scheduled for after the restart; a notice will be shown in a pop-up window. Click the Yes button and the system should restart and finish the cleaning procedure.

Note! Only if a rootkit was detected: make sure you run the fixdamage.exe tool located in the mbar folder, \Plugins\fixdamage.exe:
- Double-click fixdamage to run it; in the black window that opens (command prompt) type Y (Y stands for Yes) to continue, and wait for the tool to complete all repairs...
- When you see the message 'press any key to exit' the repair is complete. Press any key on the keyboard to close the window. Restart the system.

The following reports will be created in the mbar folder.
1. mbar-log-year-month-day (hour-minute-second).txt
2. system-log.txt

Copy the contents of the mbar log into your post and attach the system log to the post using the Attach file option.

  • vux777
  • New MyCity citizen
  • Joined: 22 Apr 2008
  • Posts: 21

Malwarebytes Anti-Rootkit BETA 1.09.1.1004
malwarebytes.org

Database version:
main: v2015.07.01.04
rootkit: v2015.06.30.01

Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 8.0.7601.17514
wolf :: WOLF-PC [administrator]

1.7.2015. 22:31:41
mbar-log-2015-07-01 (22-31-41).txt

Scan type: Quick scan
Scan options enabled: Anti-Rootkit | Drivers | MBR | Physical Sectors | Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken
Scan options disabled:
Objects scanned: 342066
Time elapsed: 9 minute(s), 51 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

Physical Sectors Detected: 0
(No malicious items detected)

(end)

  • Joined: 26 Aug 2010
  • Posts: 10622
  • Location: Hypnos Control Room, Tokyo Metropolitan Government Building

That's it then.


Pack the following folder into a ZIP, RAR or 7Z archive:

C:\FRST\Quarantine

and send it via the following link:

http://www.mycity.rs/ambulanta-upload.php


Let me know when you've done that and wait for further instructions.


The following procedure will carry out the final cleanup.

Download Xplode's DelFix tool and save it to the Desktop.
Double-click to run the tool and tick the boxes in front of the following options:

Remove disinfection tools
Create registry backup
Purge System Restore


Click the Run button and wait a moment for the tool to finish its work.
From this moment, all the tools used in this topic should be deleted.
The tool will also create a report for you. (C:\DelFix.txt)

The tool will also snapshot the healthy state of the registry and make a backup using the integrated "ERUNT" program in %windir%\ERUNT\DelFix
The tool deletes old system restore points and creates a new, fresh point after the cleanup.

  • vux777
  • New MyCity citizen
  • Joined: 22 Apr 2008
  • Posts: 21

the file has been uploaded
......

  • Joined: 26 Aug 2010
  • Posts: 10622
  • Location: Hypnos Control Room, Tokyo Metropolitan Government Building

Do the second step as well if you haven't already.

Regards.
