b.exe

offline
  • goust  Male
  • Elite citizen
  • Joined: 09 Apr 2005
  • Posts: 1799

Posted: 22 Nov 2009 14:52

For some time now I haven't been happy with how some programs work, such as players, Windows Movie Maker and the like.

WMM is especially problematic: whatever video file I try to load into WMM, the program crashes at that moment.

Today Windows Explorer started crashing too; it leaves an empty desktop and then comes back, but without the projects I had started.

This b.exe process started showing up in Task Manager, and that was my signal that something really isn't right.

I haven't tried anything to fix the problem, because experience has taught me that when I take matters into my own hands, I lose a day of my life :D on a reinstall.

I'm using an ADSL connection, 1024/128.

Here is the DDS log


DDS (Ver_09-10-26.01) - NTFSx86
Run by Sasa at 14:40:02,75 on ned 22.11.2009
Internet Explorer: 6.0.2900.5512
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.255.31 [GMT 1:00]

AV: Kaspersky Internet Security *On-access scanning enabled* (Updated) {2C4D4BC6-0793-4956-A9F9-E252435469C0}
FW: Kaspersky Internet Security *enabled* {2C4D4BC6-0793-4956-A9F9-E252435469C0}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\DOCUME~1\Sasa\LOCALS~1\Temp\b.exe
svchost.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Sasa\Desktop\dds.scr

============== Pseudo HJT Report ===============

uSearch Page = [Link visible only to logged-in users]
uInternet Connection Wizard,ShellNext = [Link visible only to logged-in users]
mSearchAssistant = [Link visible only to logged-in users]
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.5.0_07\bin\ssv.dll
BHO: Windows Live pomagac za prijavljivanje: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
uRun: [CTFMON.EXE] c:\windows\system32\ctfmon.exe
uRun: [MailBlocker] c:\docume~1\sasa\locals~1\temp\b.exe
mRun: [AVP] "c:\program files\kaspersky lab\kaspersky internet security 7.0\avp.exe"
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
IE: Add to Anti-Banner - c:\program files\kaspersky lab\kaspersky internet security 7.0\ie_banner_deny.htm
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: DirectAnimation Java Classes
DPF: Microsoft XML Parser for Java
DPF: {00000055-9980-0010-8000-00AA00389B71} - [Link visible only to logged-in users]
DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} - [Link visible only to logged-in users]
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - [Link visible only to logged-in users]
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - [Link visible only to logged-in users]
DPF: {CAFEEFAC-0015-0000-0007-ABCDEFFEDCBA} - [Link visible only to logged-in users]
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - [Link visible only to logged-in users]
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - [Link visible only to logged-in users]
TCP: {84B44AC7-3B90-4EA3-B5E2-010AC6BE1868} = 89.216.49.4
AppInit_DLLs: c:\progra~1\kasper~1\kasper~1.0\adialhk.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\sasa\applic~1\mozilla\firefox\profiles\2qy5w2se.default\
FF - prefs.js: browser.search.defaulturl - [Link visible only to logged-in users]
FF - prefs.js: browser.search.selectedEngine - Yahoo
FF - prefs.js: browser.startup.homepage - [Link visible only to logged-in users]
FF - prefs.js: keyword.URL - [Link visible only to logged-in users]
FF - component: c:\program files\mozilla firefox\extensions\search@searchsettings.com\components\SearchSettingsFF.dll
FF - plugin: c:\program files\java\jre1.5.0_07\bin\NPJava11.dll
FF - plugin: c:\program files\java\jre1.5.0_07\bin\NPJava12.dll
FF - plugin: c:\program files\java\jre1.5.0_07\bin\NPJava13.dll
FF - plugin: c:\program files\java\jre1.5.0_07\bin\NPJava14.dll
FF - plugin: c:\program files\java\jre1.5.0_07\bin\NPJava32.dll
FF - plugin: c:\program files\java\jre1.5.0_07\bin\NPJPI150_07.dll
FF - plugin: c:\program files\java\jre1.5.0_07\bin\NPOJI610.dll
FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R2 amdfix;amdfix;c:\windows\system32\drivers\amdfix.sys [2009-6-9 4108]

=============== Created Last 30 ================

2009-11-22 11:06:08 248324 ----a-w- c:\windows\system32\msxml71.dll
2009-11-22 10:58:18 0 d-----w- c:\docume~1\sasa\applic~1\AVS4YOU
2009-11-22 10:57:40 0 d-----w- c:\docume~1\alluse~1\applic~1\AVS4YOU
2009-11-22 10:55:07 0 d-----w- c:\program files\common files\AVSMedia
2009-11-22 10:49:49 974848 ----a-w- c:\windows\system32\mfc70.dll
2009-11-22 10:49:49 487424 ----a-w- c:\windows\system32\msvcp70.dll
2009-11-22 10:49:47 1700352 ----a-w- c:\windows\system32\GdiPlus.dll
2009-11-22 10:49:45 0 d-----w- c:\program files\AVS4YOU
2009-11-22 08:45:11 0 ----a-w- C:\demo.avi
2009-11-22 01:09:54 0 d-----w- c:\docume~1\sasa\applic~1\MyNotesKeeper
2009-11-22 01:09:29 0 d-----w- c:\program files\MyNotesKeeper
2009-11-21 22:08:40 0 d-----w- C:\tmp
2009-11-21 22:04:22 547 ----a-w- c:\windows\system32\ff_vfw.dll.manifest
2009-11-21 22:04:20 84480 ----a-w- c:\windows\system32\ff_vfw.dll
2009-11-21 22:04:17 60273 ----a-w- c:\windows\system32\pthreadGC2.dll
2009-11-21 21:54:29 61 ----a-w- C:\avone.ini
2009-11-21 21:36:01 31 ----a-w- c:\windows\system32\wdsdtdsini.dll
2009-11-21 21:29:07 0 d-----w- C:\AVOneExport
2009-11-21 21:29:04 0 d-----w- c:\program files\avsysinfo
2009-11-21 21:25:09 0 d-----w- c:\docume~1\sasa\applic~1\GetRightToGo
2009-11-21 21:21:50 0 d-----w- c:\program files\Easy Real Converter
2009-11-21 20:01:03 0 d-----w- c:\program files\common files\xing shared
2009-11-16 16:03:03 717296 ----a-w- c:\windows\system32\drivers\sptd.sys
2009-11-12 16:35:01 3426072 ----a-w- c:\windows\system32\d3dx9_32.dll
2009-11-12 16:34:33 0 d-----w- c:\program files\Microsoft SQL Server Compact Edition
2009-11-12 15:52:05 5504 -c--a-w- c:\windows\system32\dllcache\mstee.sys
2009-11-12 15:52:05 5504 ----a-w- c:\windows\system32\drivers\MSTEE.sys
2009-11-12 15:51:38 10880 -c--a-w- c:\windows\system32\dllcache\ndisip.sys
2009-11-12 15:51:38 10880 ----a-w- c:\windows\system32\drivers\NdisIP.sys
2009-11-12 15:51:28 15232 -c--a-w- c:\windows\system32\dllcache\streamip.sys
2009-11-12 15:51:28 15232 ----a-w- c:\windows\system32\drivers\StreamIP.sys
2009-11-12 15:51:25 16384 -c--a-w- c:\windows\system32\dllcache\ipsink.ax
2009-11-12 15:51:25 16384 ----a-w- c:\windows\system32\ipsink.ax
2009-11-12 15:51:18 11136 -c--a-w- c:\windows\system32\dllcache\slip.sys
2009-11-12 15:51:18 11136 ----a-w- c:\windows\system32\drivers\SLIP.sys
2009-11-12 15:51:08 19200 -c--a-w- c:\windows\system32\dllcache\wstcodec.sys
2009-11-12 15:51:08 19200 ----a-w- c:\windows\system32\drivers\WSTCODEC.SYS
2009-11-12 15:50:58 85248 -c--a-w- c:\windows\system32\dllcache\nabtsfec.sys
2009-11-12 15:50:58 85248 ----a-w- c:\windows\system32\drivers\NABTSFEC.sys
2009-11-12 15:50:39 17024 -c--a-w- c:\windows\system32\dllcache\ccdecode.sys
2009-11-12 15:50:39 17024 ----a-w- c:\windows\system32\drivers\CCDECODE.sys
2009-11-12 15:49:16 91136 -c--a-w- c:\windows\system32\dllcache\kswdmcap.ax
2009-11-12 15:49:16 91136 ----a-w- c:\windows\system32\kswdmcap.ax
2009-11-12 15:49:15 61952 -c--a-w- c:\windows\system32\dllcache\kstvtune.ax
2009-11-12 15:49:15 61952 ----a-w- c:\windows\system32\kstvtune.ax
2009-11-12 15:49:13 53760 -c--a-w- c:\windows\system32\dllcache\vfwwdm32.dll
2009-11-12 15:49:13 53760 ----a-w- c:\windows\system32\vfwwdm32.dll
2009-11-12 15:49:12 43008 -c--a-w- c:\windows\system32\dllcache\ksxbar.ax
2009-11-12 15:49:12 43008 ----a-w- c:\windows\system32\ksxbar.ax
2009-11-12 15:45:59 6656 ----a-w- c:\windows\system32\CoInst_071102.dll
2009-11-12 15:44:08 7064 ----a-w- c:\windows\system32\WMVCORE.lib
2009-11-10 17:44:09 0 d-----w- c:\program files\DFX
2009-11-07 12:06:27 0 d-----w- c:\program files\Total Video Converter
2009-10-30 16:19:26 0 d-----w- c:\program files\Spybot - Search & Destroy
2009-10-30 15:48:26 0 d-----w- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2009-10-30 15:22:14 1470 ----a-w- c:\windows\system32\tmp.reg
2009-10-28 02:30:19 56 ---ha-w- c:\windows\system32\ezsidmv.dat

==================== Find3M ====================

2009-11-22 13:40:11 77088 --sha-w- c:\windows\system32\drivers\fidbox.dat
2009-11-22 13:39:16 32 --sha-w- c:\windows\system32\drivers\fidbox.idx
2009-11-22 13:15:15 876832 --sha-w- c:\windows\system32\drivers\fidbox2.dat
2009-11-22 10:14:25 768 --sha-w- C:\xjcjovma.sys
2009-11-22 01:30:07 86948 --sha-w- c:\windows\system32\drivers\fidbox2.idx
2009-10-16 07:11:44 95259 ----a-w- c:\windows\system32\drivers\klick.dat
2009-10-16 07:11:44 108059 ----a-w- c:\windows\system32\drivers\klin.dat
2009-10-12 21:04:51 34308 ----a-w- c:\docume~1\alluse~1\applic~1\mazuki.dll
2009-09-25 05:37:11 667136 ----a-w- c:\windows\system32\wininet.dll
2009-09-25 05:37:09 81920 ------w- c:\windows\system32\ieencode.dll
2009-09-11 14:13:26 136704 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-04 21:03:36 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-08-26 08:00:21 247326 ----a-w- c:\windows\system32\strmdll.dll

============= FINISH: 14:42:06,15 ===============



[Link visible only to logged-in users]

Update: 22 Nov 2009 15:04

Halfway through the GMER scan my computer restarted; do I need to do everything from the beginning?

Update: 22 Nov 2009 15:40

I repeated the procedure and after some time my computer restarted again.



offline
  • Joined: 04 Jan 2009
  • Posts: 2168

Hello.

In the guide "Kako otvoriti temu u Ambulanti" (How to open a topic in the Ambulanta) you have the instructions for the RootRepeal program, so follow that procedure.



offline
  • goust  Male
  • Elite citizen
  • Joined: 09 Apr 2005
  • Posts: 1799

Here is the RootRepeal report
[Link visible only to logged-in users]

offline
  • Joined: 04 Jan 2009
  • Posts: 2168

Step 1.

Download AVZ Antiviral Toolkit from the following link:

[Link visible only to logged-in users]

Unpack the archive into a folder (instructions), and then:

Run the file named avz (note that there is another file with that name which is not an executable but an internet shortcut);
In the menu choose File>Standard Scripts;

In the window that opens, tick option 2 and click Execute Selected Scripts;
Click Yes;

When the scan finishes you will get the message Script Executed;

Exit the program and open the folder where the program was unpacked;

Open the log folder and upload the file virusinfo_syscheck.zip to the forum;

offline
  • goust  Male
  • Elite citizen
  • Joined: 09 Apr 2005
  • Posts: 1799

Here is the log

[Link visible only to logged-in users]

offline
  • Joined: 04 Jan 2009
  • Posts: 2168

Step 2.

Run AVZ Antiviral Toolkit again

Choose File>Custom Scripts;
Into the window that opens, copy the following:

begin
  SearchRootkit(true, true);
  SetAVZGuardStatus(True);
  QuarantineFile('C:\xjcjovma.sys');
  QuarantineFile('c:\docume~1\sasa\locals~1\temp\b.exe');
  TerminateProcessByName('c:\docume~1\sasa\locals~1\temp\b.exe');
  DeleteFile('c:\docume~1\sasa\locals~1\temp\b.exe');
  DeleteFile('C:\xjcjovma.sys');
  DeleteFile('C:\Windows\Tasks\{66BA574B-1E11-49b8-909C-8CC9E0E8E015}.job');
  BC_ImportDeletedList;
  BC_Activate;
  ExecuteSysClean;
  RebootWindows(true);
end.


Then click Run... To see the results of the script, you need to repeat only the scan with the AVZ tool described in Step 1 and upload virusinfo_syscheck.zip to us again.

offline
  • goust  Male
  • Elite citizen
  • Joined: 09 Apr 2005
  • Posts: 1799

Something isn't right. It reports:

Error: Not enough actual parameters at position 4:17

offline
  • Joined: 04 Jan 2009
  • Posts: 2168

Let's try once more with small modifications...


Step 2.

Run AVZ Antiviral Toolkit again

Choose File>Custom Scripts;
Into the window that opens, copy the following:

begin
  SearchRootkit(true, true);
  SetAVZGuardStatus(True);
  QuarantineFile('C:\xjcjovma.sys','');
  QuarantineFile('c:\docume~1\sasa\locals~1\temp\b.exe','');
  TerminateProcessByName('c:\docume~1\sasa\locals~1\temp\b.exe');
  DeleteFile('c:\docume~1\sasa\locals~1\temp\b.exe');
  DeleteFile('C:\xjcjovma.sys');
  DeleteFile('C:\Windows\Tasks\{66BA574B-1E11-49b8-909C-8CC9E0E8E015}.job');
  BC_ImportDeletedList;
  BC_Activate;
  ExecuteSysClean;
  RebootWindows(true);
end.


Then click Run... To see the results of the script, you need to repeat only the scan with the AVZ tool described in Step 1 and upload virusinfo_syscheck.zip to us again.
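
As an added example (not part of this thread, and not DDS's or AVZ's own tooling), the Python below mechanises the triage the helper did by eye on the DDS log in the first post and renders the Step 2 AVZ script from the result. It flags an executable running from the user's Temp directory, an HKCU Run entry pointing at that same file, and a hidden+system file dropped straight into the drive root, then emits QuarantineFile with the two parameters (file name, description) that the first script attempt lacked. The three heuristics, the function names and the benign control lines in the sample are this example's assumptions.

```python
"""Triage a DDS log for the indicators discussed in this thread and render
the matching AVZ custom script.

Added example: this is not the forum's tooling and not part of DDS or AVZ.
The three heuristics (executable running from a user's Temp directory, an
autorun entry pointing there, a hidden+system file in a drive root), the
section and function names, and the benign control lines in the sample are
this example's assumptions.
"""
import re

# Excerpt of the DDS log posted above (a few lines per section), plus benign
# lines (ctfmon, avp, fidbox, wininet) kept as controls the filter must ignore.
SAMPLE_DDS = r"""
============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\Explorer.EXE
C:\DOCUME~1\Sasa\LOCALS~1\Temp\b.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe

============== Pseudo HJT Report ===============

uRun: [CTFMON.EXE] c:\windows\system32\ctfmon.exe
uRun: [MailBlocker] c:\docume~1\sasa\locals~1\temp\b.exe
mRun: [AVP] "c:\program files\kaspersky lab\kaspersky internet security 7.0\avp.exe"

==================== Find3M ====================

2009-11-22 13:40:11 77088 --sha-w- c:\windows\system32\drivers\fidbox.dat
2009-11-22 10:14:25 768 --sha-w- C:\xjcjovma.sys
2009-09-25 05:37:11 667136 ----a-w- c:\windows\system32\wininet.dll
"""

SECTION = re.compile(r"^=+\s*(.+?)\s*=+$")
# Both the 8.3 form DDS prints (LOCALS~1\Temp) and the long form.
TEMP_DIR = re.compile(r"\\(locals~1\\temp|local settings\\temp)\\", re.I)
# "<date> <time> <size> <attrs> <path>"; attrs is an 8-char column such as --sha-w-
FILE_LINE = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)\s+(\d+)\s+(\S{8})\s+(.+)$")
RUN_LINE = re.compile(r"^([umd]Run): \[([^\]]*)\]\s+(.+)$")
DRIVE_ROOT = re.compile(r"^[a-z]:\\[^\\]+$", re.I)


def parse_sections(text):
    """Split a DDS log into {section name: [non-empty lines]} by its ===== headers."""
    sections, current = {}, None
    for line in text.splitlines():
        m = SECTION.match(line)
        if m:
            current = m.group(1)
            sections[current] = []
        elif current is not None and line.strip():
            sections[current].append(line.rstrip())
    return sections


def find_indicators(text):
    """Return [(kind, path)] for every line that trips one of the heuristics."""
    sections = parse_sections(text)
    found = []
    for line in sections.get("Running Processes", []):
        if TEMP_DIR.search(line):
            found.append(("process_in_temp", line))
    for line in sections.get("Pseudo HJT Report", []):
        m = RUN_LINE.match(line)
        if m and TEMP_DIR.search(m.group(3)):
            found.append(("autorun_in_temp", m.group(3).strip('"')))
    for name in ("Created Last 30", "Find3M"):
        for line in sections.get(name, []):
            m = FILE_LINE.match(line)
            if not m:
                continue
            attrs, path = m.group(3), m.group(4)
            # System+hidden attributes on a file dropped straight into C:\ is
            # the pattern behind C:\xjcjovma.sys in the log above.
            if "s" in attrs and "h" in attrs and DRIVE_ROOT.match(path):
                found.append(("hidden_system_in_root", path))
    return found


def build_avz_script(indicators):
    """Render the AVZ custom script in the shape the helper posted in Step 2.

    QuarantineFile takes two parameters (file name, description); calling it
    with one is what produced "Not enough actual parameters" in the thread,
    so the empty description is always emitted here."""
    files, processes, seen = [], [], set()
    for kind, path in indicators:
        key = path.lower()          # Windows paths are case-insensitive
        if key in seen:
            continue
        seen.add(key)
        files.append(path)
        if kind == "process_in_temp":
            processes.append(path)
    body = ["begin", "  SearchRootkit(true, true);", "  SetAVZGuardStatus(True);"]
    body += [f"  QuarantineFile('{p}','');" for p in files]
    body += [f"  TerminateProcessByName('{p}');" for p in processes]
    body += [f"  DeleteFile('{p}');" for p in files]
    body += ["  BC_ImportDeletedList;", "  BC_Activate;",
             "  ExecuteSysClean;", "  RebootWindows(true);", "end."]
    return "\n".join(body)


if __name__ == "__main__":
    hits = find_indicators(SAMPLE_DDS)
    for kind, path in hits:
        print(f"{kind:22} {path}")
    print(build_avz_script(hits))
```

Run it against the full log above by replacing SAMPLE_DDS with the file contents; the scheduled-task .job entry the helper also deletes is not in the DDS output, so it is deliberately not generated here.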

offline
  • goust  Male
  • Elite citizen
  • Joined: 09 Apr 2005
  • Posts: 1799

Here is the package
[Link visible only to logged-in users]

offline
  • Joined: 04 Jan 2009
  • Posts: 2168

Sorry for the wait...


Find the file named PAVCL.COM; it is at the following location...


C:\Program Files\ACE Mega CoDecS Pack\Anti-Virus\Quick Remove\PAVCL.COM


Upload that file for me via the following link...

[Link visible only to logged-in users]
