Posted: 27 Dec 2011 21:25
offline
- Brksi
- Ex KGB officer
- Joined: 18 Jul 2003
- Posts: 4204
- Location: In a golden cage
My problem is described here
http://www.mycity.rs/Pretrazivaci-Web-mail-Web-por.....de_28.html
so it happens in all browsers... the only add-on that messes with the Flash Player is Freemake Video Converter, and when I disable it, it's the same.
After an unsuccessful downgrade of the Flash Player and reinstalling the new version again, it's even worse with Firefox: it freezes when I go to poker and refuses some video streams.
Kaspersky didn't scream.
I tried to reinstall Chrome, but nothing.
When I scanned with DDS, the files dds and attach.txt, although they duly appeared as Notepad windows, were not saved to the desktop and I couldn't find them by searching either. I had to save them to the desktop manually.
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\nvvsvc.exe
C:\Program Files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\nvvsvc.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2011\avp.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskhost.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Gigabyte\EasySaver\ESSVR.EXE
C:\Windows\System32\XSrvSetup.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe
C:\Windows\system32\PnkBstrA.exe
C:\Windows\system32\PnkBstrB.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\Program Files\NEC Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2011\avp.exe
C:\Program Files\WinFast\WFDTV\DTVSchdl.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
"C:\Program Files\Common Files\microsoft shared\DAO\svchost.exe"
C:\Program Files\WinFast\WFDTV\WFWIZ.exe
C:\Program Files\RocketDock\RocketDock.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Trillian\trillian.exe
C:\Program Files\EventGhost\EventGhost.exe
C:\Program Files\The Bat!\thebat.exe
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\System32\svchost.exe -k LocalServicePeerNet
C:\Windows\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\conhost.exe
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.startnow.com/?src=startpage&provider=Bing&provider_code=Z059&partner_id=308&product_id=435&affiliate_id=&channel=rjmse&toolbar_id=200&toolbar_version=2.0&install_country=US&install_date=20111107&user_guid=09FF9CE0F65B4D3EA01B7331BE7B307A&machine_id=4a12327ffea1cfe7e21bb071421c28e6&browser=IE&os=win&os_version=6.1-x86-SP1
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.forumswatcher.com/search.htm
mSearchAssistant = hxxp://start.facemoods.com/?a=mse&s={searchTerms}&f=4
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: IEVkbdBHO Class: {59273ab4-e7d3-40f9-a1a8-6fa9cca1862c} - c:\program files\kaspersky lab\kaspersky internet security 2011\ievkbd.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
BHO: FilterBHO Class: {e33cf602-d945-461a-83f0-819f76a199f8} - c:\program files\kaspersky lab\kaspersky internet security 2011\klwtbbho.dll
BHO: SmartSelect Class: {f4971ee7-daa0-4053-9964-665d8ee6a077} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
TB: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File
TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
uRun: [WinFast Schedule] c:\program files\winfast\wfdtv\WFWIZ.exe
uRun: [RocketDock] "c:\program files\rocketdock\RocketDock.exe"
uRun: [Skype] "c:\program files\skype\phone\Skype.exe" /nosplash /minimized
uRun: [Trillian] c:\program files\trillian\trillian.exe
uRun: [RocketDock.exe] c:\program files\rocketdock\RocketDock.exe
mRun: [RtHDVCpl] c:\program files\realtek\audio\hda\RtHDVCpl.exe -s
mRun: [JMB36X IDE Setup] c:\windows\raidtool\xInsIDE.exe
mRun: [NUSB3MON] "c:\program files\nec electronics\usb 3.0 host controller driver\application\nusb3mon.exe"
mRun: [ArcSoft Connection Service] c:\program files\common files\arcsoft\connection service\bin\ACDaemon.exe
mRun: [avp] "c:\program files\kaspersky lab\kaspersky internet security 2011\avp.exe"
mRun: [WinFastDTV] c:\program files\winfast\wfdtv\DTVSchdl.exe
mRun: [Windows LSASS Service] c:\program files\common files\microsoft shared\dao\svchost.exe
mRun: [<NO NAME>]
StartupFolder: c:\users\brksi\appdata\roaming\micros~1\windows\startm~1\programs\startup\eventg~1.lnk - c:\program files\eventghost\EventGhost.exe
StartupFolder: c:\users\brksi\appdata\roaming\micros~1\windows\startm~1\programs\startup\thebat.lnk - c:\program files\the bat!\thebat.exe
mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: Dodaj u zaštitu od reklama - c:\program files\kaspersky lab\kaspersky internet security 2011\ie_banner_deny.htm
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {4248FE82-7FCB-46AC-B270-339F08212110} - {4248FE82-7FCB-46AC-B270-339F08212110} - c:\program files\kaspersky lab\kaspersky internet security 2011\klwtbbho.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
IE: {CCF151D8-D089-449F-A5A4-D9909053F20F} - {CCF151D8-D089-449F-A5A4-D9909053F20F} - c:\program files\kaspersky lab\kaspersky internet security 2011\klwtbbho.dll
TCP: DhcpNameServer = 192.168.1.1
TCP: Interfaces\{C80C14BA-E8AF-48B5-8723-278AAA931E92} : DhcpNameServer = 192.168.1.1
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - c:\program files\windows live\photo gallery\AlbumDownloadProtocolHandler.dll
Notify: klogon - c:\windows\system32\klogon.dll
AppInit_DLLs: c:\progra~1\kasper~1\kasper~1\mzvkbd3.dll,c:\progra~1\kasper~1\kasper~1\kloehk.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\users\brksi\appdata\roaming\mozilla\firefox\profiles\6y3231ka.default\
FF - prefs.js: browser.startup.homepage - about:home
FF - component: c:\program files\mozilla firefox\extensions\kavantibanner@kaspersky.ru\components\abhelperxpcom.dll
FF - component: c:\program files\mozilla firefox\extensions\linkfilter@kaspersky.ru\components\kavlinkfilter.dll
FF - plugin: c:\program files\divx\divx ovs helper\npovshelper.dll
FF - plugin: c:\program files\foxit software\foxit reader\plugins\npFoxitReaderPlugin.dll
FF - plugin: c:\program files\foxit software\foxit reader\plugins\nppl3260.dll
FF - plugin: c:\program files\foxit software\foxit reader\plugins\nprpjplug.dll
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\update\1.3.21.79\npGoogleUpdate3.dll
FF - plugin: c:\program files\microsoft silverlight\4.0.60831.0\npctrlui.dll
FF - plugin: c:\program files\nvidia corporation\3d vision\npnv3dv.dll
FF - plugin: c:\program files\nvidia corporation\3d vision\npnv3dvstreaming.dll
FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll
FF - plugin: c:\users\brksi\appdata\local\google\google earth\plugin\npgeplugin.dll
.
============= SERVICES / DRIVERS ===============
.
R1 AppleCharger;AppleCharger;c:\windows\system32\drivers\AppleCharger.sys [2011-3-20 18984]
R1 dtsoftbus01;DAEMON Tools Virtual Bus Driver;c:\windows\system32\drivers\dtsoftbus01.sys [2011-8-5 233024]
R1 kl2;kl2;c:\windows\system32\drivers\kl2.sys [2010-6-9 11352]
R1 KLIM6;Kaspersky Anti-Virus NDIS 6 Filter;c:\windows\system32\drivers\klim6.sys [2010-4-22 22104]
R1 VD_FileDisk;VD_FileDisk;c:\windows\system32\drivers\vd_filedisk.sys [2006-1-13 15872]
R2 {329F96B6-DF1E-4328-BFDA-39EA953C1312};Power Control [2011/06/16 14:23:02];c:\program files\cyberlink\powerdvd11\common\navfilter\000.fcl [2011-5-20 77296]
R2 AVP;Kaspersky Anti-Virus usluga;c:\program files\kaspersky lab\kaspersky internet security 2011\avp.exe [2010-7-1 352976]
R2 ES lite Service;ES lite Service for program management.;c:\program files\gigabyte\easysaver\essvr.exe [2011-3-20 68136]
R2 JMB36X;JMB36X;c:\windows\system32\XSrvSetup.exe [2011-3-20 72304]
R2 ntk_PowerDVD;ntk_PowerDVD;c:\program files\cyberlink\powerdvd11\kernel\dmp\ntk_PowerDVD.sys [2011-6-16 71664]
R2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;c:\program files\nvidia corporation\3d vision\nvSCPAPISvr.exe [2011-10-14 381248]
R3 FastNIC;PCI/CardBus 10/100 Fast Ethernet Adapter;c:\windows\system32\drivers\FastNIC.sys [2011-2-1 38853]
R3 klmouflt;Kaspersky Lab KLMOUFLT;c:\windows\system32\drivers\klmouflt.sys [2009-11-2 19984]
R3 nusb3hub;NEC Electronics USB 3.0 Hub Driver;c:\windows\system32\drivers\nusb3hub.sys [2009-11-20 58880]
R3 nusb3xhc;NEC Electronics USB 3.0 Host Controller Driver;c:\windows\system32\drivers\nusb3xhc.sys [2009-11-20 137728]
R3 WFLR6654;WinFast TV2000 XP Expert (FM1216MK3);c:\windows\system32\drivers\wfeaglxt.sys [2011-3-20 433920]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2011-12-27 136176]
S3 AppleChargerSrv;AppleChargerSrv;system32\AppleChargerSrv.exe --> system32\AppleChargerSrv.exe [?]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-13 229888]
S3 BthAvrcp;Bluetooth AVRCP Profile;c:\windows\system32\drivers\BthAvrcp.sys [2009-8-13 22528]
S3 dmvsc;dmvsc;c:\windows\system32\drivers\dmvsc.sys [2010-11-21 62464]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2011-12-27 136176]
S3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys [2010-11-20 15872]
S3 Synth3dVsc;Synth3dVsc;c:\windows\system32\drivers\Synth3dVsc.sys [2010-11-21 77184]
S3 terminpt;Microsoft Remote Desktop Input Driver;c:\windows\system32\drivers\terminpt.sys [2010-11-21 25600]
S3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\TsUsbFlt.sys [2010-11-20 52224]
S3 TsUsbGD;Remote Desktop Generic USB Device;c:\windows\system32\drivers\TsUsbGD.sys [2010-11-20 27264]
S3 tsusbhub;tsusbhub;c:\windows\system32\drivers\tsusbhub.sys [2010-11-21 112640]
S3 VBoxUSB;VirtualBox USB;c:\windows\system32\drivers\VBoxUSB.sys [2011-4-21 33712]
S3 WatAdminSvc;Usluga tehnologije aktivacije operativnog sistema Windows;c:\windows\system32\wat\WatAdminSvc.exe [2011-3-20 1343400]
S4 ABBYY.Licensing.FineReader.Corporate.10.0;ABBYY FineReader 10 CE Licensing Service;c:\program files\common files\abbyy\finereader\10.00\licensing\ce\NetworkLicenseServer.exe [2009-12-19 814344]
S4 CLHNServiceForPowerDVD;CLHNServiceForPowerDVD;c:\program files\cyberlink\powerdvd11\kernel\dmp\CLHNServiceForPowerDVD.exe [2011-6-16 83240]
S4 CyberLink PowerDVD 11.0 Monitor Service;CyberLink PowerDVD 11.0 Monitor Service;c:\program files\cyberlink\powerdvd11\common\mediaserver\CLMSMonitorService.exe [2011-6-16 70952]
S4 CyberLink PowerDVD 11.0 Service;CyberLink PowerDVD 11.0 Service;c:\program files\cyberlink\powerdvd11\common\mediaserver\CLMSServer.exe [2011-6-16 312616]
.
=============== Created Last 30 ================
.
2071-07-25 08:13:30 203576 ------w- c:\program files\microsoft games\age of empires iii\autopatcher2.exe
2011-12-23 16:01:57 626688 ----a-w- c:\program files\mozilla firefox\msvcr80.dll
2011-12-23 16:01:57 548864 ----a-w- c:\program files\mozilla firefox\msvcp80.dll
2011-12-23 16:01:57 479232 ----a-w- c:\program files\mozilla firefox\msvcm80.dll
2011-12-23 16:01:57 43992 ----a-w- c:\program files\mozilla firefox\mozutils.dll
2011-12-16 21:35:35 2048 ----a-w- c:\windows\system32\tzres.dll
2011-12-16 21:35:30 2342912 ----a-w- c:\windows\system32\win32k.sys
2011-12-16 21:35:17 534528 ----a-w- c:\windows\system32\EncDec.dll
2011-12-16 21:35:16 38912 ----a-w- c:\windows\system32\csrsrv.dll
2011-12-16 21:35:06 3912560 ----a-w- c:\windows\system32\ntoskrnl.exe
2011-12-16 21:35:05 3967856 ----a-w- c:\windows\system32\ntkrnlpa.exe
2011-12-14 15:13:47 -------- d-----w- c:\users\brksi\appdata\roaming\GetRightToGo
2011-12-13 17:34:48 -------- d-----w- c:\programdata\regid.1986-12.com.adobe
2011-12-10 21:40:26 -------- d-----w- c:\program files\VUGames
2011-12-09 13:12:50 -------- d-----w- c:\program files\common files\Common Share
2011-12-09 13:12:49 1060864 ----a-w- c:\windows\system32\mfc71.dll
2011-12-09 13:12:49 -------- d-----w- c:\program files\OJOsoft
.
==================== Find3M ====================
.
2011-12-27 09:56:20 17488 ----a-w- c:\windows\gdrv.sys
2011-12-24 20:10:13 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-11-03 22:47:42 1798144 ----a-w- c:\windows\system32\jscript9.dll
2011-11-03 22:40:21 1427456 ----a-w- c:\windows\system32\inetcpl.cpl
2011-11-03 22:39:47 1127424 ----a-w- c:\windows\system32\wininet.dll
2011-11-03 22:31:57 2382848 ----a-w- c:\windows\system32\mshtml.tlb
2011-10-14 22:54:52 321856 ----a-w- c:\windows\system32\nvStreaming.exe
2011-09-29 16:03:04 1290608 ----a-w- c:\windows\system32\drivers\tcpip.sys
.
============= FINISH: 18:09:40,58 ===============
Posted: 27 Dec 2011 22:48
offline
- Sass Drake
- Anti Malware Fighter
Rank 2
- Joined: 26 Aug 2010
- Posts: 10622
- Location: Hypnos Control Room, Tokyo Metropolitan Government Building
Download The Avenger to the Desktop.
Unpack the archive into a folder.
Double-click avenger.exe to run it.
Copy the text inside the Code box into the (white) program window:
Files to delete:
c:\program files\common files\microsoft shared\dao\svchost.exe
Registry values to delete:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | Windows LSASS Service
Click Execute, then Yes in the next two windows that open.
The computer will restart (in some cases twice) and start the cleaning/scanning process.
When the process is finished, the logfile C:\avenger.txt will open in Notepad.
Paste the contents of that log into the thread on the forum.
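The entry the script above targets stands out in the DDS log for two reasons a responder looks for before anything else: a file named svchost.exe running from a directory that is not System32 (and without the "-k <group>" that services.exe always passes to the real one), and a Run key whose display name borrows the name of a Windows component ("Windows LSASS Service"). Those checks can be run mechanically over the log. The script below is an added example, not part of the forum thread, of DDS or of The Avenger; it parses the DDS-style process list and mRun/uRun lines, and SAMPLE_DDS_EXCERPT is a constructed excerpt assembled from lines of the log posted above. A hit is a reason to verify the file (publisher signature, hash against a known-good copy), not a verdict on its own.

```python
"""Flag processes and autorun entries whose file name mimics a core Windows binary
but whose location or launch pattern does not match the genuine one.
Added example, not part of the thread, DDS or The Avenger; the input format is the
DDS-style listing posted above, and SAMPLE_DDS_EXCERPT is a constructed excerpt."""
import ntpath
import re
from dataclasses import dataclass

# Where a default Windows 7 x86 install (SystemRoot C:\Windows, as in the log) keeps
# these binaries. Assumption: a non-default SystemRoot would need its own entries.
EXPECTED_DIRS = {
    "svchost.exe": {r"c:\windows\system32", r"c:\windows\syswow64"},
    "lsass.exe": {r"c:\windows\system32"},
    "lsm.exe": {r"c:\windows\system32"},
    "wininit.exe": {r"c:\windows\system32"},
    "explorer.exe": {r"c:\windows"},
}

# Autorun display names that borrow the name of a core Windows component.
LOOKALIKE_NAME = re.compile(r"\b(lsass|svchost|csrss|winlogon|wininit|smss)\b", re.I)

# "mRun: [Display Name] command line" and "uRun: ..." lines of the HJT-style section.
RUN_LINE = re.compile(r"^(?P<hive>[um]Run):\s*\[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$")

# A command line that starts with an optionally quoted drive-letter path to an .exe.
# Non-greedy up to the first ".exe" so that arguments after it stay separate.
IMAGE_RE = re.compile(r'^\s*"?(?P<image>[a-z]:\\.*?\.exe)"?(?:\s+(?P<args>.*))?\s*$', re.I)


@dataclass
class Finding:
    source: str  # "process", "mRun" or "uRun"
    name: str    # autorun display name; "" for a running process
    path: str    # image path exactly as written in the log
    reason: str


def split_command(cmd):
    """Return (image path, argument list), or ("", []) if cmd is not a path to an .exe."""
    m = IMAGE_RE.match(cmd)
    if not m:
        return "", []
    return m.group("image"), (m.group("args") or "").split()


def check_image(source, name, image, args):
    """Apply the masquerading heuristics to one image path and its arguments."""
    base = ntpath.basename(image).lower()
    directory = ntpath.dirname(image).lower().rstrip("\\")
    findings = []
    expected = EXPECTED_DIRS.get(base)
    if expected is not None and directory not in expected:
        findings.append(Finding(source, name, image,
                                f"{base} outside {' or '.join(sorted(expected))}"))
    if base == "svchost.exe" and not any(a.lower() == "-k" for a in args):
        # The genuine svchost.exe is started by services.exe with "-k <group>";
        # a copy running with no service group was launched some other way.
        findings.append(Finding(source, name, image, "svchost.exe without a -k service group"))
    if source != "process" and LOOKALIKE_NAME.search(name):
        findings.append(Finding(source, name, image,
                                f"autorun name mimics a Windows component: {name!r}"))
    return findings


def scan(lines):
    """Scan DDS-style lines: bare process command lines and mRun/uRun autorun entries."""
    findings = []
    for raw in lines:
        line = raw.strip()
        run = RUN_LINE.match(line)
        if run:
            source, name, cmd = run.group("hive"), run.group("name"), run.group("cmd")
        else:
            source, name, cmd = "process", "", line   # other DDS lines never match IMAGE_RE
        image, args = split_command(cmd)
        if image:
            findings.extend(check_image(source, name, image, args))
    return findings


# Constructed excerpt: lines copied from the DDS log in the thread.
SAMPLE_DDS_EXCERPT = r"""
C:\Windows\system32\wininit.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\Explorer.EXE
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2011\avp.exe
"C:\Program Files\Common Files\microsoft shared\DAO\svchost.exe"
============== Pseudo HJT Report ===============
mRun: [avp] "c:\program files\kaspersky lab\kaspersky internet security 2011\avp.exe"
mRun: [Windows LSASS Service] c:\program files\common files\microsoft shared\dao\svchost.exe
mRun: [<NO NAME>]
uRun: [Skype] "c:\program files\skype\phone\Skype.exe" /nosplash /minimized
""".strip().splitlines()

if __name__ == "__main__":
    for f in scan(SAMPLE_DDS_EXCERPT):
        print(f"[{f.source}] {f.name or f.path}: {f.reason}")
```

On the excerpt this reports the DAO copy of svchost.exe twice from the process list (wrong directory, no -k group) and three times from the mRun line (the same two plus the look-alike name), and nothing for the genuine System32 instances or for avp.exe and Skype. To run it over a full dds.txt, pass the file's lines to scan(); the regexes ignore the BHO, service, driver and file-listing sections because none of those lines begin with a drive-letter path or with mRun/uRun.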
Posted: 28 Dec 2011 12:05
offline
- Brksi
- Ex KGB officer
- Joined: 18 Jul 2003
- Posts: 4204
- Location: In a golden cage
Written: 27 Dec 2011 23:27
Sorry, I'm in bed. We'll continue tomorrow. DAO SVCHOST.EXE is legitimate.
Addendum: 28 Dec 2011 12:01
Logfile of The Avenger Version 2.0, (c) by Swandog46
http://swandog46.geekstogo.com
Platform: Windows Vista
*******************
Script file opened successfully.
Script file read successfully.
Backups directory opened successfully at C:\Avenger
*******************
Beginning to process script file:
Rootkit scan active.
No rootkits found!
Registry value "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|Windows LSASS Service" deleted successfully.
Completed script processing.
*******************
Finished! Terminate.
Addendum: 28 Dec 2011 12:05
That referred to the DAO one, which is legitimate... and now, while I was posting the report, FF crashed...
Posted: 28 Dec 2011 20:03
offline
- Sass Drake
- Anti Malware Fighter
Rank 2
- Joined: 26 Aug 2010
- Posts: 10622
- Location: Hypnos Control Room, Tokyo Metropolitan Government Building
Oops, I only now noticed that you copied only half of the Avenger script, so the program you decided not to delete will no longer start together with Windows.
What does that "C:\Program Files\Common Files\microsoft shared\DAO\svchost.exe" do and what is it for, since you say it is legitimate?
For the problem you have with the browsers, open a thread in http://www.mycity.rs/Windows.
Posted: 29 Dec 2011 17:57
offline
- Brksi
- Ex KGB officer
- Joined: 18 Jul 2003
- Posts: 4204
- Location: In a golden cage
The FF crashes and everything else except poker were fixed by reinstalling FF.
It's possible that Zynga has some problem with the latest version of Flash Player, because for me on Linux the Flash version is older. Though I don't know why some people have the problem and others don't.
In any case, thanks for the effort; it's a big relief to know that you don't have an infection.