MyCity » Ambulanta -> Arhiva Ambulante » Infekcija cryptolockerom

Infekcija cryptolockerom

Napisano na dan: 3.12.2015

Strana:
1
2

Infekcija cryptolockerom

Sledeća strana

Pagination

Zaključano

Strana:
1
2

Brksi Poslao: 03 Dec 2015 12:57 Idi na vrh
offline Brksi Ex KGB officer Pridružio: 18 Jul 2003 Poruke: 4204 Gde živiš: U zlatnom kavezu	0Niko još nije pohvalio poruku. Registruj se da bi pohvalio/la poruku! Uloguj se preko Facebooka da bi skinuo fajl: Mislim da je u pitanju tesla verzija, jer je nakacio "vvv" na sve ekstenzije. Ono sto je interesantno je da zrtva ne dobija prozor za otkup dekripcije. Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version:01-12-2015 Ran by Star (administrator) on SUPERB (03-12-2015 12:40:34) Running from C:\Documents and Settings\Star\Desktop Loaded Profiles: Star (Available Profiles: Star) Platform: Microsoft Windows XP Professional Service Pack 2 (X86) Language: English (United States) Internet Explorer Version 8 (Default browser: Chrome) Boot Mode: Normal Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/ ==================== Processes (Whitelisted) ================= (If an entry is included in the fixlist, the process will be closed. The file will not be moved.) (Microsoft Corporation) C:\WINDOWS\system32\scardsvr.exe () C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe (Oracle Corporation) C:\Program Files\Java\jre7\bin\jqs.exe (Microsoft Corporation) C:\PROGRA~1\MICROS~4\MSSQL\Binn\sqlservr.exe (NVIDIA Corporation) C:\WINDOWS\system32\nvsvc32.exe (TeamViewer GmbH) C:\Program Files\TeamViewer\Version6\TeamViewer_Service.exe (Vivotek Inc.) C:\Program Files\Vivotek\ST3402\Launcher_VV.exe (Vivotek Inc.) C:\Program Files\Vivotek\ST3402\Monitor_VV.exe (TeamViewer GmbH) C:\Program Files\TeamViewer\Version6\TeamViewer.exe (TeamViewer GmbH) C:\Program Files\TeamViewer\Version6\tv_w32.exe (Realtek Semiconductor Corp.) C:\WINDOWS\RTHDCPL.EXE (Microsoft Corporation) C:\WINDOWS\system32\rundll32.exe (Inprise Corporation) C:\Program Files\InterBase Corp\InterBase\Bin\ibguard.exe (Skype Technologies S.A.) C:\Program Files\Skype\Phone\Skype.exe (Inprise Corporation) C:\Program Files\InterBase Corp\InterBase\Bin\ibserver.exe (Microsoft Corporation) C:\Program Files\Messenger\msmsgs.exe (Technology Nexus AB) C:\Program Files\Personal\bin\Personal.exe (Microsoft Corporation) C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe (Microsoft Corporation) C:\WINDOWS\system32\msiexec.exe (Microsoft Corporation) C:\WINDOWS\system32\wuauclt.exe ==================== Registry (Whitelisted) =========================== (If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.) HKLM\...\Run: [RTHDCPL] => C:\WINDOWS\RTHDCPL.EXE [16120832 2006-04-04] (Realtek Semiconductor Corp.) HKLM\...\Run: [NvCplDaemon] => RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup HKLM\...\Run: [NvMediaCenter] => RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit HKLM\...\Run: [InterBase Guardian] => C:\Program Files\InterBase Corp\InterBase\Bin\ibguard.exe [22016 2000-06-23] (Inprise Corporation) HKU\S-1-5-21-1614895754-1645522239-1177238915-1003\...\Run: [Skype] => C:\Program Files\Skype\\Phone\Skype.exe [26100520 2010-03-09] (Skype Technologies S.A.) HKU\S-1-5-21-1614895754-1645522239-1177238915-1003\...\Run: [swg] => C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe [68856 2007-10-13] (Google Inc.) HKU\S-1-5-21-1614895754-1645522239-1177238915-1003\...\Run: [MSMSGS] => C:\Program Files\Messenger\msmsgs.exe [1694208 2004-10-13] (Microsoft Corporation) Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Personal.lnk [2014-02-10] ShortcutTarget: Personal.lnk -> C:\Program Files\Personal\bin\Personal.exe (Technology Nexus AB) Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Service Manager.lnk [2006-09-11] ShortcutTarget: Service Manager.lnk -> C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe (Microsoft Corporation) Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Token Manager.lnk [2015-12-02] ShortcutTarget: Token Manager.lnk -> C:\WINDOWS\Installer\{B4B92B76-0DA6-4113-81F1-7B9B03CF9C3D}\_832A49388BF5A28D13058D.exe () ==================== Internet (Whitelisted) ==================== (If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.) Tcpip\Parameters: [DhcpNameServer] 192.168.1.1 Tcpip\..\Interfaces\{7DBDD600-0C27-43D0-B7F7-9EAA95BA378A}: [DhcpNameServer] 89.216.1.40 89.216.1.50 Tcpip\..\Interfaces\{A53427C2-5701-4A90-91B9-63C1C2B879B7}: [DhcpNameServer] 192.168.1.1 Internet Explorer: ================== HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION HKU\S-1-5-21-1614895754-1645522239-1177238915-1003\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=msnhome HKU\S-1-5-21-1614895754-1645522239-1177238915-1003\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.google.rs/ HKU\S-1-5-21-1614895754-1645522239-1177238915-1003\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch HKU\S-1-5-21-1614895754-1645522239-1177238915-1003\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch SearchScopes: HKU\S-1-5-21-1614895754-1645522239-1177238915-1003 -> {afdbddaa-5d3f-42ee-b79c-185a7020515b} URL = hxxp://search.conduit.com/ResultsExt.aspx?q={searchTerms}&SearchSource=4&ctid=CT2724386 SearchScopes: HKU\S-1-5-21-1614895754-1645522239-1177238915-1003 -> {CFF4DB9B-135F-47c0-9269-B4C6572FD61A} URL = hxxp://mystart.incredimail.com//?search={searchTerms}&loc=search_box&a=1eyoKotVvkz BHO: AcroIEHlprObj Class -> {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} -> C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll [2004-12-14] (Adobe Systems Incorporated) BHO: Groove GFS Browser Helper -> {72853161-30C5-4D22-B7F9-0BBC1D38A37E} -> C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll [2009-02-12] (Microsoft Corporation) BHO: Java(tm) Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files\Java\jre7\bin\ssv.dll [2013-02-22] (Oracle Corporation) BHO: Google Toolbar Helper -> {AA58ED58-01DD-4d91-8333-CF10577473F7} -> C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll [2015-09-22] (Google Inc.) BHO: Skype add-on for Internet Explorer -> {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} -> C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll => No File BHO: Java(tm) Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files\Java\jre7\bin\jp2ssv.dll [2013-02-22] (Oracle Corporation) Toolbar: HKLM - Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll [2015-09-22] (Google Inc.) Toolbar: HKU\S-1-5-21-1614895754-1645522239-1177238915-1003 -> Google Toolbar - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll [2015-09-22] (Google Inc.) DPF: {17492023-C23A-453E-A040-C7C580BBF700} hxxp://go.microsoft.com/fwlink/?linkid=39204 DPF: {45830FF9-D9E6-4F41-86ED-B266933D8E90} hxxp://192.168.1.6/RtspVaPgDec.cab DPF: {5D69485C-EAB1-42AE-93C1-B5A53F238C5A} hxxps://10.1.1.1/DLL/FSINT.dll DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} hxxp://windowsupdate.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1322846224921 DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab DPF: {8BA2FE8E-8506-11D4-BFE2-CB5FED326646} hxxps://veplat-int.aikbanka.co.yu/DLL/SAWZip.dll DPF: {A42DDE4E-DF36-4592-83B6-CCA28E770ABD} hxxps://veplat-int.aikbanka.co.yu/DLL/EbankingWWW.dll DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab DPF: {E772C6B1-C3D6-4251-990B-1511D7822722} hxxps://10.1.1.1/DLL/EBCSCC2b.dll DPF: {EA5E79E5-3E25-46DA-A519-F8FC52B66ADC} hxxps://veplat-int.aikbanka.co.yu/DLL/EBCCDC.dll Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll [2009-02-12] (Microsoft Corporation) Handler: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files\MSN Messenger\msgrapp.dll [2006-01-24] (Microsoft Corporation) Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll No File Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Common Files\Skype\Skype4COM.dll [2010-03-09] (Skype Technologies) FireFox: ======== FF ProfilePath: C:\Documents and Settings\Star\Application Data\Mozilla\Firefox\Profiles\a89500tu.default FF Plugin: @adobe.com/FlashPlayer -> C:\WINDOWS\system32\Macromed\Flash\NPSWF32_16_0_0_296.dll [2015-01-26] () FF Plugin: @java.com/DTPlugin,version=10.15.2 -> C:\WINDOWS\system32\npDeployJava1.dll [2013-02-22] (Oracle Corporation) FF Plugin: @java.com/JavaPlugin,version=10.15.2 -> C:\Program Files\Java\jre7\bin\plugin2\npjp2.dll [2013-02-22] (Oracle Corporation) FF Plugin: @microsoft.com/WPF,version=3.5 -> C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll [2007-11-07] (Microsoft Corporation) FF Plugin: @se.nexus/Personal -> C:\Program Files\Personal\bin\np_prsnl.dll [2014-02-10] (Technology Nexus AB) FF Plugin: @tools.google.com/Google Update;version=3 -> C:\Program Files\Google\Update\1.3.28.15\npGoogleUpdate3.dll [2015-09-15] (Google Inc.) FF Plugin: @tools.google.com/Google Update;version=9 -> C:\Program Files\Google\Update\1.3.28.15\npGoogleUpdate3.dll [2015-09-15] (Google Inc.) FF Plugin HKU\S-1-5-21-1614895754-1645522239-1177238915-1003: @adobe.com/Acrobat,version=5.1 -> C:\Program Files\Adobe\Acrobat 5.0\Reader\Browser\nppdf32.dll [2002-08-11] (Adobe Systems Inc.) FF Plugin HKU\S-1-5-21-1614895754-1645522239-1177238915-1003: @adobe.com/FlashPlayer -> C:\WINDOWS\system32\Macromed\Flash\NPSWF32.dll [No File] FF SearchPlugin: C:\Documents and Settings\Star\Application Data\Mozilla\Firefox\Profiles\a89500tu.default\searchplugins\MyStart Search.xml [2012-10-05] FF Extension: IncrediMail MediaBar 2 - C:\Documents and Settings\Star\Application Data\Mozilla\Firefox\Profiles\a89500tu.default\extensions\{d40b90b4-d3b1-4d6b-a5d7-dc041c1b76c0} [2015-12-02] [not signed] Chrome: ======= CHR StartupUrls: Default -> "hxxp://www.google.com/" CHR DefaultSearchURL: Default -> hxxp://www.google.com/search?q={searchTerms}&rls=com.microsoft:{language}:{referrer:source?}&ie={inputEncoding}&oe={outputEncoding}&sourceid=ie7&rlz=1I7GGLL_en CHR Plugin: (Shockwave Flash) - C:\Program Files\Google\Chrome\Application\46.0.2490.86\PepperFlash\pepflashplayer.dll () CHR Plugin: (Native Client) - C:\Program Files\Google\Chrome\Application\46.0.2490.86\ppGoogleNaClPluginChrome.dll => No File CHR Plugin: (Chrome PDF Viewer) - C:\Program Files\Google\Chrome\Application\46.0.2490.86\pdf.dll => No File CHR Plugin: (Adobe Acrobat) - C:\Program Files\Adobe\Acrobat 7.0\Reader\Browser\nppdf32.dll (Adobe Systems Inc.) CHR Plugin: (MicrosoftÂ® DRM) - C:\Program Files\Windows Media Player\npdrmv2.dll (Microsoft Corporation) CHR Plugin: (Windows Media Player Plug-in Dynamic Link Library) - C:\Program Files\Windows Media Player\npdsplay.dll (Microsoft Corporation (written by Digital Renaissance Inc.)) CHR Plugin: (MicrosoftÂ® DRM) - C:\Program Files\Windows Media Player\npwmsdrm.dll (Microsoft Corporation) CHR Plugin: (Google Update) - C:\Program Files\Google\Update\1.3.21.123\npGoogleUpdate3.dll => No File CHR Plugin: (Shockwave Flash) - C:\WINDOWS\system32\Macromed\Flash\NPSWF32_11_5_502_149.dll => No File CHR Profile: C:\Documents and Settings\Star\Local Settings\Application Data\Google\Chrome\User Data\Default CHR Extension: (Google Drive) - C:\Documents and Settings\Star\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf [2015-10-22] CHR Extension: (YouTube) - C:\Documents and Settings\Star\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2015-09-25] CHR Extension: (Google Search) - C:\Documents and Settings\Star\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf [2015-10-28] CHR Extension: (Google Docs Offline) - C:\Documents and Settings\Star\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi [2015-11-19] CHR Extension: (Chrome Web Store Payments) - C:\Documents and Settings\Star\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2015-07-25] CHR Extension: (Gmail) - C:\Documents and Settings\Star\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2015-04-01] ==================== Services (Whitelisted) ======================== (If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.) R2 BlueSoleil Hid Service; C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe [110592 2005-04-06] () [File not signed] S3 idsvc; C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe [864256 2007-10-11] (Microsoft Corporation) [File not signed] R2 JavaQuickStarterService; C:\Program Files\Java\jre7\bin\jqs.exe [170912 2013-02-22] (Oracle Corporation) R2 MSSQLSERVER; C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe [7520337 2002-12-17] (Microsoft Corporation) [File not signed] S3 MSSQLServerADHelper; C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqladhlp.exe [66112 2002-12-17] (Microsoft Corporation) [File not signed] S4 NetTcpPortSharing; C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe [122880 2007-10-11] (Microsoft Corporation) [File not signed] S3 SQLSERVERAGENT; C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlagent.exe [311872 2002-12-17] (Microsoft Corporation) [File not signed] R2 Vivotek_ST3402; C:\Program Files\Vivotek\ST3402\Launcher_VV.exe [430080 2007-04-19] (Vivotek Inc.) [File not signed] S2 aswUpdSv; "C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe" [X] S2 AVG Anti-Spyware Guard; C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe [X] ===================== Drivers (Whitelisted) ========================== (If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.) R1 AmdK8; C:\WINDOWS\System32\DRIVERS\AmdK8.sys [36352 2005-03-09] (Advanced Micro Devices) R3 BlueletAudio; C:\WINDOWS\System32\DRIVERS\blueletaudio.sys [20480 2005-05-31] (IVT Corporation) [File not signed] R3 BT; C:\WINDOWS\System32\DRIVERS\btnetdrv.sys [10804 2005-04-30] (IVT Corporation) [File not signed] S3 Btcsrusb; C:\WINDOWS\System32\Drivers\btcusb.sys [23000 2005-05-31] (IVT Corporation) [File not signed] R3 BTHidEnum; C:\WINDOWS\System32\DRIVERS\vbtenum.sys [11860 2005-04-30] () [File not signed] R0 BTHidMgr; C:\WINDOWS\System32\Drivers\BTHidMgr.sys [28271 2005-04-30] (IVT Corporation) [File not signed] R3 Cap713x; C:\WINDOWS\System32\DRIVERS\Cap713x.sys [686080 2005-05-04] (Philips Semiconductors GmbH) [File not signed] S3 CCDECODE; C:\WINDOWS\System32\DRIVERS\CCDECODE.sys [17024 2004-08-03] (Microsoft Corporation) S3 cmeu0wdm; C:\WINDOWS\System32\DRIVERS\cmeu0wdm.sys [40857 2002-09-13] (OMNIKEY AG) R0 m5288; C:\WINDOWS\System32\drivers\m5288.sys [210304 2005-12-23] (ULi Electronics Inc.) S3 NdisIP; C:\WINDOWS\System32\DRIVERS\NdisIP.sys [10880 2004-08-03] (Microsoft Corporation) S3 netModUSBlfService; C:\WINDOWS\System32\drivers\nMUSBlf.sys [20896 2001-11-13] (INTRACOM S.A.) [File not signed] S3 netModUSBService; C:\WINDOWS\System32\drivers\nMUSB.sys [45768 2001-11-28] (Intracom S.A.) [File not signed] S3 OMNUSB; C:\WINDOWS\System32\DRIVERS\sccmusbm.sys [23936 2001-08-17] (OMNIKEY AG) R3 rtl8139; C:\WINDOWS\System32\DRIVERS\RTL8139.SYS [20992 2004-08-03] (Realtek Semiconductor Corporation) S3 Secdrv; C:\WINDOWS\System32\DRIVERS\secdrv.sys [27440 2004-07-17] () S3 SONYPVU1; C:\WINDOWS\System32\DRIVERS\SONYPVU1.SYS [7552 2001-08-17] (Sony Corporation) S3 ssm_bus; C:\WINDOWS\System32\DRIVERS\ssm_bus.sys [58320 2005-08-30] (MCCI) S3 ssm_mdfl; C:\WINDOWS\System32\DRIVERS\ssm_mdfl.sys [8336 2005-08-30] (MCCI) S3 ssm_mdm; C:\WINDOWS\System32\DRIVERS\ssm_mdm.sys [94000 2005-08-30] (MCCI) S3 ULI5261XP; C:\WINDOWS\System32\DRIVERS\ULILAN51.SYS [28672 2005-03-22] (ULi Electronics Inc.) R3 VComm; C:\WINDOWS\System32\DRIVERS\VComm.sys [61312 2004-10-19] (IVT Corporation) [File not signed] R3 VcommMgr; C:\WINDOWS\System32\Drivers\VcommMgr.sys [82148 2005-03-25] (IVT Corporation) [File not signed] S3 vmfilter303; C:\WINDOWS\System32\drivers\vmfilter303.sys [428160 2006-04-25] (Vimicro Corporation) S3 ZSMC303; C:\WINDOWS\System32\Drivers\usbVM303.sys [392122 2006-12-01] (Vimicro Corporation) S1 AVG Anti-Spyware Driver; \??\C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.sys [X] S1 AvgAsCln; System32\DRIVERS\AvgAsCln.sys [X] S3 catchme; \??\C:\ComboFix\catchme.sys [X] S3 GMSIPCI; \??\D:\INSTALL\GMSIPCI.SYS [X] S4 IntelIde; no ImagePath S3 NTACCESS; \??\D:\NTACCESS.sys [X] S3 SetupNTGLM7X; \??\D:\NTGLM7X.sys [X] ==================== NetSvcs (Whitelisted) =================== (If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.) ==================== One Month Created files and folders ======== (If an entry is included in the fixlist, the file/folder will be moved.) 2015-12-03 12:40 - 2015-12-03 12:40 - 00018207 _____ C:\Documents and Settings\Star\Desktop\FRST.txt 2015-12-03 12:40 - 2015-12-03 12:40 - 00000000 ____D C:\FRST 2015-12-03 12:39 - 2015-12-03 12:39 - 01721344 _____ (Farbar) C:\Documents and Settings\Star\Desktop\FRST.exe 2015-12-03 12:31 - 2001-08-17 13:48 - 00012160 ____C (Microsoft Corporation) C:\WINDOWS\system32\dllcache\mouhid.sys 2015-12-03 12:31 - 2001-08-17 13:48 - 00012160 _____ (Microsoft Corporation) C:\WINDOWS\system32\Drivers\mouhid.sys 2015-12-03 12:30 - 2004-08-04 00:56 - 00021504 ____C (Microsoft Corporation) C:\WINDOWS\system32\dllcache\hidserv.dll 2015-12-03 12:30 - 2004-08-04 00:56 - 00021504 _____ (Microsoft Corporation) C:\WINDOWS\system32\hidserv.dll 2015-12-03 12:30 - 2001-08-17 14:02 - 00009600 ____C (Microsoft Corporation) C:\WINDOWS\system32\dllcache\hidusb.sys 2015-12-03 12:30 - 2001-08-17 14:02 - 00009600 _____ (Microsoft Corporation) C:\WINDOWS\system32\Drivers\hidusb.sys 2015-12-03 03:40 - 2015-12-03 03:40 - 00000000 ____D C:\Program Files\Runtime Software 2015-12-03 03:40 - 2015-12-03 03:40 - 00000000 ____D C:\Documents and Settings\All Users\Start Menu\Programs\Runtime Software 2015-12-03 03:31 - 2015-12-03 03:27 - 00000044 _____ C:\RestoreVolumeShadowCopyWindowsXP.bat 2015-12-03 03:31 - 2015-12-03 03:27 - 00000044 _____ C:\RestoreVolumeShadowCopyWindowsXP (1).bat 2015-12-03 03:10 - 2015-12-03 03:10 - 00000000 ____D C:\Documents and Settings\Star\Local Settings\Application Data\www.shadowexplorer.com 2015-12-03 03:06 - 2015-12-03 04:10 - 00000000 ____D C:\Documents and Settings\Star\Application Data\www.shadowexplorer.com 2015-12-03 03:03 - 2015-12-03 03:03 - 00159232 _____ C:\Documents and Settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat 2015-12-03 03:03 - 2015-12-03 03:03 - 00000000 ____D C:\WINDOWS\system32\XPSViewer 2015-12-03 03:03 - 2015-12-03 03:03 - 00000000 ____D C:\Program Files\Reference Assemblies 2015-12-03 03:02 - 2006-06-29 13:07 - 00014048 ____N (Microsoft Corporation) C:\WINDOWS\system32\spmsg2.dll 2015-12-03 02:59 - 2015-12-03 02:59 - 00000000 __HDC C:\WINDOWS\$NtUninstallWIC$ 2015-12-03 02:59 - 2015-12-03 02:59 - 00000000 ____D C:\Program Files\MSXML 6.0 2015-12-03 02:47 - 2015-12-03 02:47 - 00000000 ____D C:\ShadowExplorer-0.9-portable 2015-12-02 10:27 - 2015-12-02 10:27 - 03452054 _____ C:\Documents and Settings\Star\Desktop\Howto_RESTORE_FILES.bmp 2015-12-02 10:27 - 2015-12-02 10:27 - 00007676 _____ C:\Documents and Settings\Star\Desktop\Howto_RESTORE_FILES.html 2015-12-02 10:27 - 2015-12-02 10:27 - 00002584 _____ C:\Documents and Settings\Star\Desktop\Howto_RESTORE_FILES.txt 2015-12-02 09:49 - 2015-12-02 09:49 - 00000253 _____ C:\Documents and Settings\Star\My Documents\recover_file_vkbkmmulw.txt 2015-12-02 09:49 - 2015-12-02 09:48 - 00413184 _____ (Cyotek Ltd) C:\Documents and Settings\Star\Application Data\vrepl-a.exe ==================== One Month Modified files and folders ======== (If an entry is included in the fixlist, the file/folder will be moved.) 2015-12-03 12:40 - 2013-03-02 12:30 - 00000000 ____D C:\Documents and Settings\Star\Local Settings\temp 2015-12-03 12:40 - 2006-09-06 16:17 - 00000000 ____D C:\WINDOWS 2015-12-03 12:35 - 2010-01-28 15:27 - 00000886 _____ C:\WINDOWS\Tasks\GoogleUpdateTaskMachineUA.job 2015-12-03 12:31 - 2010-02-10 14:51 - 00000000 ____D C:\Documents and Settings\Star\Application Data\Skype 2015-12-03 12:31 - 2006-09-09 13:47 - 00081191 _____ C:\WINDOWS\system32\nvapps.xml 2015-12-03 12:31 - 2006-09-06 16:17 - 00000000 RSHDC C:\WINDOWS\system32\dllcache 2015-12-03 12:30 - 2010-01-28 15:27 - 00000882 _____ C:\WINDOWS\Tasks\GoogleUpdateTaskMachineCore.job 2015-12-03 12:30 - 2006-09-06 16:17 - 00000000 ___HD C:\WINDOWS\inf 2015-12-03 12:30 - 2006-09-06 14:38 - 00000006 ____H C:\WINDOWS\Tasks\SA.DAT 2015-12-03 12:30 - 2001-08-23 20:00 - 00013646 _____ C:\WINDOWS\system32\wpa.dbl 2015-12-03 10:47 - 2012-10-24 19:17 - 00000830 _____ C:\WINDOWS\Tasks\Adobe Flash Player Updater.job 2015-12-03 10:47 - 2006-09-06 14:40 - 00000178 ___SH C:\Documents and Settings\Star\ntuser.ini 2015-12-03 10:47 - 2006-09-06 14:38 - 00032602 _____ C:\WINDOWS\SchedLgU.Txt 2015-12-03 10:46 - 2006-09-09 15:48 - 00003812 _____ C:\WINDOWS\ModemLog_Intracom NetMod USB ver 3.02.txt 2015-12-03 08:34 - 2006-09-06 14:40 - 00000000 ____D C:\Documents and Settings\Star 2015-12-03 08:24 - 2013-03-02 13:37 - 00000000 ____D C:\Program Files\Malwarebytes' Anti-Malware 2015-12-03 07:07 - 2006-09-06 16:24 - 00267008 _____ C:\WINDOWS\system32\FNTCACHE.DAT 2015-12-03 04:02 - 2015-01-09 12:26 - 00000000 ____D C:\TRIO2015 2015-12-03 03:06 - 2006-09-06 14:42 - 00068520 _____ C:\Documents and Settings\Star\Local Settings\Application Data\GDIPFONTCACHEV1.DAT 2015-12-03 03:03 - 2013-06-25 15:48 - 00000000 ____D C:\Program Files\MSBuild 2015-12-03 03:03 - 2006-09-06 16:26 - 00550088 _____ C:\WINDOWS\system32\PerfStringBackup.INI 2015-12-03 03:02 - 2006-09-06 16:17 - 00000000 ____D C:\WINDOWS\system32\spool 2015-12-02 18:21 - 2001-08-23 20:00 - 00000253 _____ C:\WINDOWS\system.ini 2015-12-02 18:19 - 2006-09-06 14:40 - 00000000 ___RD C:\Documents and Settings\Star\My Documents 2015-12-02 16:35 - 2008-12-24 12:30 - 00000000 ____D C:\trio 2015-12-02 16:29 - 2010-01-14 13:45 - 00000000 ____D C:\TRIO2010 2015-12-02 16:25 - 2011-01-25 08:58 - 00000000 ____D C:\TRIO2011 2015-12-02 16:23 - 2012-01-16 10:49 - 00000000 ____D C:\TRIO2012 2015-12-02 16:20 - 2013-01-24 10:09 - 00000000 ____D C:\TRIO2013 2015-12-02 16:16 - 2014-01-06 11:22 - 00000000 ____D C:\TRIO2014 2015-12-02 16:01 - 2006-09-06 14:40 - 00001747 _____ C:\Documents and Settings\Star\Desktop\Command Prompt.lnk 2015-12-02 10:57 - 2007-02-16 17:42 - 00000000 __SHD C:\WINDOWS\CSC 2015-12-02 10:18 - 2015-06-30 11:04 - 00090542 _____ C:\WINDOWS\Minidump\Mini063015-01.dmp.vvv 2015-12-02 10:18 - 2014-01-16 11:28 - 00000494 _____ C:\WINDOWS\ZAB.DBF.vvv 2015-12-02 10:18 - 2013-11-12 07:32 - 00090542 _____ C:\WINDOWS\Minidump\Mini111213-01.dmp.vvv 2015-12-02 10:18 - 2013-08-12 06:30 - 00090542 _____ C:\WINDOWS\Minidump\Mini081213-01.dmp.vvv 2015-12-02 10:18 - 2011-11-28 15:50 - 00090542 _____ C:\WINDOWS\Minidump\Mini112811-01.dmp.vvv 2015-12-02 10:18 - 2011-03-04 07:44 - 00090542 _____ C:\WINDOWS\Minidump\Mini030411-01.dmp.vvv 2015-12-02 10:18 - 2010-11-17 14:28 - 00000526 _____ C:\WINDOWS\PUT.DBF.vvv 2015-12-02 10:18 - 2010-04-19 17:55 - 00090542 _____ C:\WINDOWS\Minidump\Mini041910-01.dmp.vvv 2015-12-02 10:18 - 2009-09-22 06:02 - 00090542 _____ C:\WINDOWS\Minidump\Mini092209-01.dmp.vvv 2015-12-02 10:18 - 2009-02-12 22:20 - 00006046 _____ C:\WINDOWS\system32\IE8Eula.rtf.vvv 2015-12-02 10:18 - 2008-09-06 08:43 - 00002798 _____ C:\WINDOWS\ModemLog_Bluetooth LAP Modem.txt.vvv 2015-12-02 10:18 - 2008-09-06 08:43 - 00002798 _____ C:\WINDOWS\ModemLog_Bluetooth LAP Modem #2.txt.vvv 2015-12-02 10:18 - 2008-02-13 01:49 - 00090542 _____ C:\WINDOWS\Minidump\Mini021308-01.dmp.vvv 2015-12-02 10:18 - 2007-03-23 15:18 - 00443806 _____ C:\WINDOWS\ntbtlog.txt.vvv 2015-12-02 10:18 - 2007-03-22 08:47 - 00090542 _____ C:\WINDOWS\Minidump\Mini032207-01.dmp.vvv 2015-12-02 10:18 - 2007-03-09 17:17 - 00098734 _____ C:\WINDOWS\Minidump\Mini030907-01.dmp.vvv 2015-12-02 10:18 - 2007-01-04 19:43 - 00098734 _____ C:\WINDOWS\Minidump\Mini010407-01.dmp.vvv 2015-12-02 10:18 - 2006-09-25 07:58 - 00090542 _____ C:\WINDOWS\Minidump\Mini092506-01.dmp.vvv 2015-12-02 10:18 - 2006-09-06 16:24 - 00767054 _____ C:\WINDOWS\setuplog.txt.vvv 2015-12-02 10:18 - 2006-09-06 16:23 - 00897454 _____ C:\WINDOWS\system32\config\system.sav.vvv 2015-12-02 10:18 - 2006-09-06 16:23 - 00659886 _____ C:\WINDOWS\system32\config\software.sav.vvv 2015-12-02 10:18 - 2006-09-06 16:23 - 00094638 _____ C:\WINDOWS\system32\config\default.sav.vvv 2015-12-02 10:18 - 2006-09-06 14:34 - 00001262 _____ C:\WINDOWS\OEWABLog.txt.vvv 2015-12-02 10:18 - 2004-07-17 10:38 - 00957406 _____ C:\WINDOWS\system32\instcat.sql.vvv 2015-12-02 10:18 - 2001-08-23 20:00 - 00001070 _____ C:\WINDOWS\system32\Drivers\gmreadme.txt.vvv 2015-12-02 10:18 - 2001-08-23 12:00 - 00057198 _____ C:\WINDOWS\system32\eula.txt.vvv 2015-12-02 10:17 - 2011-03-08 19:42 - 00001454 _____ C:\WINDOWS\IE4 Error Log.txt.vvv 2015-12-02 10:17 - 2010-10-28 09:42 - 00000430 _____ C:\WINDOWS\99.txt.vvv 2015-12-02 10:17 - 2007-07-06 15:08 - 00000000 ____D C:\Program Files\WinRAR 2015-12-02 10:17 - 2006-09-19 11:11 - 00000000 ____D C:\Program Files\Mobihel4 2015-12-02 10:17 - 2006-09-06 15:40 - 00000000 ____D C:\Program Files\Winamp 2015-12-02 10:17 - 2006-09-06 14:31 - 00000000 ____D C:\Program Files\Outlook Express 2015-12-02 10:17 - 2001-08-23 20:00 - 00083374 _____ C:\WINDOWS\clock.avi.vvv 2015-12-02 10:13 - 2011-12-03 07:36 - 00000000 ____D C:\Program Files\Microsoft CAPICOM 2.1.0.2 2015-12-02 10:08 - 2011-09-01 11:59 - 00000000 ____D C:\Documents and Settings\All Users\Application Data\GameXN 2015-12-02 10:06 - 2015-08-25 09:31 - 00000000 ____D C:\trio2015rez 2015-12-02 10:05 - 2012-09-29 13:12 - 00000000 ____D C:\TRIO2012kop 2015-12-02 10:04 - 2012-12-24 12:34 - 00031150 _____ C:\TEMP.xls.vvv 2015-12-02 10:04 - 2012-04-04 11:13 - 00005470 _____ C:\TEMP.DBF.vvv 2015-12-02 10:04 - 2009-01-05 13:54 - 00005518 _____ C:\SpisakSW.txt.vvv 2015-12-02 10:04 - 2008-12-24 12:42 - 00000000 ____D C:\trio2 2015-12-02 10:04 - 2006-10-20 07:30 - 00000000 ____D C:\Transfer 2015-12-02 10:03 - 2013-03-02 13:21 - 00002782 _____ C:\rapport.txt.vvv 2015-12-02 10:03 - 2013-03-02 12:19 - 00000000 ____D C:\Qoobox 2015-12-02 10:03 - 2008-12-24 13:11 - 00006110 _____ C:\PLS.prn.PDF.vvv 2015-12-02 10:03 - 2008-08-19 09:58 - 15445758 _____ C:\PrismaProFullBackup.zip.vvv 2015-12-02 10:03 - 2007-04-30 21:11 - 00660558 _____ C:\Pavle 4.jpg.vvv 2015-12-02 10:03 - 2007-04-30 21:07 - 00676302 _____ C:\Pavle 3.jpg.vvv 2015-12-02 10:03 - 2007-04-30 21:04 - 00779006 _____ C:\Pavle 2.jpg.vvv 2015-12-02 10:03 - 2007-04-30 20:59 - 00581598 _____ C:\Pavle 1.jpg.vvv 2015-12-02 10:03 - 2006-09-11 14:20 - 00000000 ____D C:\rob 2015-12-02 10:03 - 2006-09-09 14:18 - 00922030 _____ C:\podaci.mdb.vvv 2015-12-02 10:02 - 2015-10-29 10:43 - 00059454 _____ C:\Documents and Settings\Star\My Documents\un.docx.vvv 2015-12-02 10:02 - 2015-05-25 14:31 - 00011854 _____ C:\Documents and Settings\Star\My Documents\REPUBLIKA SRBIJA.docx sekretarijat za privredu.docx.vvv 2015-12-02 10:02 - 2015-05-22 07:37 - 00025262 _____ C:\Documents and Settings\Star\My Documents\Otpremnica 15-300K-0004633.pdf.vvv 2015-12-02 10:02 - 2014-04-15 12:47 - 00000000 ____D C:\Documents and Settings\Star\My Documents\Mobihel5 2015-12-02 10:02 - 2013-08-22 17:51 - 00000990 _____ C:\Documents and Settings\Star\My Documents\spider.sav.vvv 2015-12-02 10:02 - 2013-07-02 08:58 - 00013518 _____ C:\Documents and Settings\Star\My Documents\resenje o okazu ugovora o radu.docx.vvv 2015-12-02 10:02 - 2012-11-13 10:08 - 00022446 _____ C:\Documents and Settings\Star\My Documents\SPORAZUM O PRESTANKU R.ODNOSA.doc.vvv 2015-12-02 10:02 - 2012-07-21 12:44 - 00199598 _____ C:\Documents and Settings\Star\My Documents\Porudžbenica 0907 -2307 2012(2).xls.vvv 2015-12-02 10:02 - 2012-04-05 12:08 - 00000000 ____D C:\kasamREZ 2015-12-02 10:02 - 2011-07-04 12:55 - 00018654 _____ C:\Documents and Settings\Star\My Documents\VELIKA LETNJA AKCIJA.odt.vvv 2015-12-02 10:02 - 2011-05-24 08:24 - 00020398 _____ C:\Documents and Settings\Star\My Documents\Potreban radnik u.doc.vvv 2015-12-02 10:02 - 2011-03-01 14:28 - 00022446 _____ C:\Documents and Settings\Star\My Documents\za skolu.doc.vvv 2015-12-02 10:02 - 2011-01-11 14:32 - 00022446 _____ C:\Documents and Settings\Star\My Documents\OBRAZAC ZA ZADUZENJA.xls.vvv 2015-12-02 10:02 - 2010-10-27 09:45 - 00020398 _____ C:\Documents and Settings\Star\My Documents\ZAHTEV1.doc.vvv 2015-12-02 10:02 - 2010-10-27 09:27 - 00020398 _____ C:\Documents and Settings\Star\My Documents\ZAHTEV.doc.vvv 2015-12-02 10:02 - 2010-09-30 09:02 - 00021934 _____ C:\Documents and Settings\Star\My Documents\SLOBODA JE NASA NAJSKUPLJA REC.doc.vvv 2015-12-02 10:02 - 2010-07-15 11:45 - 00022446 _____ C:\Documents and Settings\Star\My Documents\RESENJE O OTKAZU UGOVORA O RADU TEHNOLOSKI.doc.vvv 2015-12-02 10:02 - 2010-06-28 17:26 - 00022446 _____ C:\Documents and Settings\Star\My Documents\resenje o otkazu.doc.vvv 2015-12-02 10:02 - 2010-05-13 06:57 - 00021934 _____ C:\Documents and Settings\Star\My Documents\PORUKA ZA SAVA KOVACEVIC JOGURT 11.05.2010..doc.vvv 2015-12-02 10:02 - 2010-03-23 13:31 - 00021934 _____ C:\Documents and Settings\Star\My Documents\PONUDA ZA INVEJ 23.03.2010..doc.vvv 2015-12-02 10:02 - 2010-03-09 14:49 - 00021422 _____ C:\Documents and Settings\Star\My Documents\pordzbina master zvezda 09.03.2010.doc.vvv 2015-12-02 10:02 - 2010-03-03 11:48 - 00021422 _____ C:\Documents and Settings\Star\My Documents\punomoc za izvod za niksic.doc.vvv 2015-12-02 10:02 - 2010-02-12 12:01 - 00000000 ____D C:\Documents and Settings\Star\My Documents\UNICREDIT IZVODI 2015-12-02 10:02 - 2009-06-20 08:48 - 00000000 ____D C:\kasam 2015-12-02 10:02 - 2009-03-30 12:32 - 00020910 _____ C:\Documents and Settings\Star\My Documents\TRIOPLAS4 zahtev za hipo minus.doc.vvv 2015-12-02 10:02 - 2009-02-12 10:22 - 00021422 _____ C:\Documents and Settings\Star\My Documents\TRIOPLAS3.doc.vvv 2015-12-02 10:02 - 2008-12-23 11:57 - 00021422 _____ C:\Documents and Settings\Star\My Documents\TRIOPLAS3 knjizno.doc.vvv 2015-12-02 10:02 - 2008-12-10 15:39 - 00256942 _____ C:\MIPA CENOVNIK 08.12.xls.vvv 2015-12-02 10:02 - 2008-12-09 10:50 - 00020910 _____ C:\Documents and Settings\Star\My Documents\TRIO EXPORT julin.doc.vvv 2015-12-02 10:02 - 2008-12-08 13:37 - 00022958 _____ C:\Documents and Settings\Star\My Documents\TRIOPLAst ugovor.doc.vvv 2015-12-02 10:02 - 2008-10-17 12:05 - 00024494 _____ C:\Documents and Settings\Star\My Documents\U G O V O R o pozajmici osnivacas.doc.vvv 2015-12-02 10:02 - 2008-09-04 13:48 - 00021422 _____ C:\Documents and Settings\Star\My Documents\ZAHTEVI ZA PROMETE BANAKA.doc.vvv 2015-12-02 10:02 - 2008-08-05 21:40 - 00022958 _____ C:\Documents and Settings\Star\My Documents\UGOVOR DOZIVOTNOM IZDRZAVANJU.doc.vvv 2015-12-02 10:02 - 2008-08-05 11:55 - 00020398 _____ C:\Documents and Settings\Star\My Documents\TRIOPLAS telekom.doc.vvv 2015-12-02 10:02 - 2008-07-22 12:30 - 00022446 _____ C:\Documents and Settings\Star\My Documents\PREDUGOVOR O KUPOPRODAJI.doc.vvv 2015-12-02 10:02 - 2008-06-25 15:19 - 00019886 _____ C:\Documents and Settings\Star\My Documents\PONUDA ZA POLIESTARSKI PREMAZ U PRAHU ZA KMS.xls.vvv 2015-12-02 10:02 - 2008-05-20 19:59 - 00043950 _____ C:\Documents and Settings\Star\My Documents\Zvonko farba.doc.vvv 2015-12-02 10:02 - 2008-05-12 09:27 - 00023982 _____ C:\Documents and Settings\Star\My Documents\POPISNA LISTA GOTOVIH PROIZVODA 31.doc.vvv 2015-12-02 10:02 - 2008-04-29 11:07 - 00021422 _____ C:\Documents and Settings\Star\My Documents\PRAVILNIK O ORGANIZACIJI I SISTEMATIZACIJI.doc.vvv 2015-12-02 10:02 - 2008-04-29 10:04 - 00020398 _____ C:\Documents and Settings\Star\My Documents\TRIOPLAS2.doc.vvv 2015-12-02 10:02 - 2008-04-29 09:50 - 00028078 _____ C:\Documents and Settings\Star\My Documents\Z A P I S N I K o bezbednosti rada.doc.vvv 2015-12-02 10:02 - 2008-04-24 10:15 - 00022958 _____ C:\Documents and Settings\Star\My Documents\UGOVOR O PRIVREMENIM I POVREMENIM POSLOVIMA.doc.vvv 2015-12-02 10:02 - 2008-04-07 16:25 - 00000000 ____D C:\HOMEPLAN 2015-12-02 10:02 - 2008-03-24 10:19 - 00021934 _____ C:\Documents and Settings\Star\My Documents\POLIMER PLUS dopis 23.03.08..doc.vvv 2015-12-02 10:02 - 2008-02-25 10:04 - 00021422 _____ C:\Documents and Settings\Star\My Documents\TRIOPLAS1.doc.vvv 2015-12-02 10:02 - 2008-02-22 13:37 - 00021422 _____ C:\Documents and Settings\Star\My Documents\TRIOPLAST ugovor o pozajmici.doc.vvv 2015-12-02 10:02 - 2008-02-22 12:57 - 00022446 _____ C:\Documents and Settings\Star\My Documents\TRIOPLAST.doc.vvv 2015-12-02 10:02 - 2008-01-23 12:04 - 00020910 _____ C:\Documents and Settings\Star\My Documents\REPUBLIKA SRBIJA.doc.vvv 2015-12-02 10:02 - 2007-12-17 14:28 - 00020910 _____ C:\Documents and Settings\Star\My Documents\TELEKOM SRBIJA.doc.vvv 2015-12-02 10:02 - 2007-12-10 10:48 - 00020398 _____ C:\Documents and Settings\Star\My Documents\SOCIETE GENERAL YUGOSLAV BANK.doc.vvv 2015-12-02 10:02 - 2007-11-27 10:44 - 00000000 ____D C:\Documents and Settings\Star\My Documents\Sara&Lena&Carna SLIKE 2015-12-02 10:02 - 2007-11-08 12:21 - 00020398 _____ C:\Documents and Settings\Star\My Documents\potvrda za gezu 2.doc.vvv 2015-12-02 10:02 - 2007-06-28 15:10 - 00020398 _____ C:\Documents and Settings\Star\My Documents\OGLAS ZA IZDAVANJE LOKALA.doc.vvv 2015-12-02 10:02 - 2007-02-05 15:35 - 00022446 _____ C:\Documents and Settings\Star\My Documents\OBRAZAC ZA RAZDUZENJA.xls 2015-12-02 10:02 - 2007-02-05 11:50 - 00028590 _____ C:\Documents and Settings\Star\My Documents\UGOVOR O PREUZIMANJU DUGA predlog vital 2.doc.vvv 2015-12-02 10:02 - 2007-02-05 11:13 - 00027054 _____ C:\Documents and Settings\Star\My Documents\UGOVOR O PREUZIMANJU DUGA predlog vital.doc.vvv 2015-12-02 10:02 - 2006-09-11 12:54 - 00000910 _____ C:\Documents and Settings\Star\My Documents\UBACIVANJEPARTNERA.sql.vvv 2015-12-02 10:02 - 2006-09-11 11:29 - 00001342 _____ C:\Documents and Settings\Star\My Documents\ubacivanjeartikala.sql.vvv 2015-12-02 10:02 - 2006-09-09 14:18 - 00000000 ____D C:\instalacija kase 2015-12-02 10:02 - 2006-09-06 14:40 - 00000000 ___RD C:\Documents and Settings\Star\My Documents\My Pictures 2015-12-02 10:01 - 2014-12-24 14:47 - 00125854 _____ C:\Documents and Settings\Star\My Documents\Izjava o prebijanji - kompezacija (1).pdf.vvv 2015-12-02 10:01 - 2010-04-01 12:52 - 00000000 ____D C:\Documents and Settings\Star\My Documents\Merge Database 2015-12-02 10:01 - 2009-04-13 10:28 - 00020910 _____ C:\Documents and Settings\Star\My Documents\INVEJ1kecap.doc.vvv 2015-12-02 10:01 - 2009-03-18 09:42 - 00022446 _____ C:\Documents and Settings\Star\My Documents\HIPLEKS.doc.vvv 2015-12-02 10:01 - 2009-01-13 12:22 - 00021934 _____ C:\Documents and Settings\Star\My Documents\I N V E N T A R 31.doc.vvv 2015-12-02 10:01 - 2008-12-05 10:18 - 00020910 _____ C:\Documents and Settings\Star\My Documents\INVEJ vital.doc.vvv 2015-12-02 10:01 - 2008-10-13 07:46 - 00020398 _____ C:\Documents and Settings\Star\My Documents\IZDAJE S1.doc.vvv 2015-12-02 10:01 - 2008-10-13 07:43 - 00020398 _____ C:\Documents and Settings\Star\My Documents\IZDAJE SE.doc.vvv 2015-12-02 10:01 - 2008-10-03 09:48 - 00022446 _____ C:\Documents and Settings\Star\My Documents\Gdin Nadj Caba subotica.doc.vvv 2015-12-02 10:01 - 2008-06-09 13:29 - 00020910 _____ C:\Documents and Settings\Star\My Documents\INVEJ.doc.vvv 2015-12-02 10:01 - 2008-05-21 12:59 - 00020910 _____ C:\Documents and Settings\Star\My Documents\INSPEKTOR RADA.doc.vvv 2015-12-02 10:01 - 2007-12-17 13:38 - 00022958 _____ C:\Documents and Settings\Star\My Documents\kompenzacija trio zvono sss.doc.vvv 2015-12-02 10:01 - 2007-12-17 13:30 - 00022446 _____ C:\Documents and Settings\Star\My Documents\IZJAVA O KOMPENZACIJI trio sss.doc.vvv 2015-12-02 10:01 - 2007-12-13 12:59 - 00021934 _____ C:\Documents and Settings\Star\My Documents\IZJAVA O KOMPENZACIJI 15.doc.vvv 2015-12-02 10:01 - 2006-09-12 18:42 - 00000000 ___RD C:\Documents and Settings\Star\My Documents\Firma 2015-12-02 09:58 - 2014-01-10 14:31 - 00134638 _____ C:\Documents and Settings\Star\My Documents\!!S.prn.pdf.vvv 2015-12-02 09:58 - 2013-09-26 06:58 - 00061822 _____ C:\Documents and Settings\Star\My Documents\250216000011577017_2013103.pdf.vvv 2015-12-02 09:58 - 2011-02-19 10:11 - 00020398 _____ C:\Documents and Settings\Star\My Documents\DEKLARACIJA.doc.vvv 2015-12-02 09:58 - 2010-04-09 14:28 - 00021934 _____ C:\Documents and Settings\Star\My Documents\DOPIS ZA RESINEX.doc.vvv 2015-12-02 09:58 - 2009-04-10 18:29 - 00021422 _____ C:\Documents and Settings\Star\My Documents\BELI LUK I LIMUN.doc.vvv 2015-12-02 09:58 - 2009-03-31 08:08 - 00000590 _____ C:\Documents and Settings\Star\My Documents\ATT00024.txt.vvv 2015-12-02 09:58 - 2008-12-11 10:31 - 00021422 _____ C:\Documents and Settings\Star\My Documents\Clanovi privrdenog drustva sa ogranicenom odgovornoscu.doc.vvv 2015-12-02 09:58 - 2008-10-01 15:12 - 00511502 _____ C:\Documents and Settings\Star\Local Settings\TempSSBG.png.vvv 2015-12-02 09:58 - 2008-04-29 12:03 - 00020910 _____ C:\Documents and Settings\Star\My Documents\BRIXOL.doc.vvv 2015-12-02 09:58 - 2008-04-21 09:28 - 00021934 _____ C:\Documents and Settings\Star\My Documents\ALBUS.doc.vvv 2015-12-02 09:58 - 2008-03-10 10:03 - 00021422 _____ C:\Documents and Settings\Star\My Documents\AIK BANK2 eskont.doc.vvv 2015-12-02 09:58 - 2008-02-04 14:05 - 00020398 _____ C:\Documents and Settings\Star\My Documents\AIK BANK1.doc.vvv 2015-12-02 09:58 - 2008-01-15 14:29 - 00021934 _____ C:\Documents and Settings\Star\My Documents\AIK BANKA.doc.vvv 2015-12-02 09:58 - 2007-12-19 09:47 - 00021934 _____ C:\Documents and Settings\Star\My Documents\C E S I J A.doc.vvv 2015-12-02 09:58 - 2006-12-23 19:02 - 00029614 _____ C:\Documents and Settings\Star\My Documents\ALBUS ponuda za boce.doc.vvv 2015-12-02 09:58 - 2006-09-11 10:42 - 00001278 _____ C:\Documents and Settings\Star\My Documents\ciscenjebaze.sql.vvv 2015-12-02 09:53 - 2015-06-13 12:19 - 00000000 ____D C:\Documents and Settings\Star\Desktop\trio znak 2015-12-02 09:53 - 2015-03-05 14:13 - 00000000 ____D C:\Documents and Settings\Star\Desktop\MAJA IZVOZ 2015-12-02 09:53 - 2014-10-27 13:30 - 00001246 _____ C:\Documents and Settings\Star\Desktop\ZvonkoSkuban1.crt 2015-12-02 09:53 - 2012-10-29 13:19 - 00000000 ___RD C:\Documents and Settings\Star\Desktop\TRIO EXPORT-IMPORT 2015-12-02 09:53 - 2012-07-17 11:50 - 50639278 _____ C:\Documents and Settings\Star\Desktop\PersonalEbank.mdb.vvv 2015-12-02 09:53 - 2012-07-09 14:24 - 03548286 _____ C:\Documents and Settings\Star\Desktop\video nadzor - CCTV.pdf 2015-12-02 09:53 - 2012-03-27 12:50 - 00000000 ____D C:\Documents and Settings\Star\Desktop\VITEX TEHNICKE KARAKTERISTIKE ROBE 2015-12-02 09:53 - 2011-01-31 10:06 - 00002606 _____ C:\Documents and Settings\Star\Desktop\ZvonkoSkuban.txt.vvv 2015-12-02 09:53 - 2010-04-01 13:21 - 01607902 _____ C:\Documents and Settings\Star\Desktop\uputstvo_za_instalaciju_i_koriscenje_FX_aplikacije.pdf.vvv 2015-12-02 09:53 - 2009-07-12 08:56 - 00000000 ____D C:\Documents and Settings\Star\Desktop\www.masterbc.co.rs 2015-12-02 09:53 - 2007-05-23 11:40 - 00043438 _____ C:\Documents and Settings\Star\Desktop\POSLOVNI PLAN SOG.doc.vvv 2015-12-02 09:52 - 2007-05-29 15:38 - 00000000 ____D C:\Documents and Settings\Star\Desktop\HELIOS 2015-12-02 09:51 - 2015-05-06 18:18 - 00000000 ____D C:\Documents and Settings\Star\Desktop\Dr Gifing 2015-12-02 09:51 - 2012-07-17 11:49 - 00369070 _____ C:\Documents and Settings\Star\Desktop\Eimenik.mdb.vvv 2015-12-02 09:50 - 2015-11-02 15:31 - 00003662 _____ C:\Documents and Settings\Star\Desktop\bednzo.jpg.vvv 2015-12-02 09:50 - 2007-11-22 12:49 - 00000000 ____D C:\Documents and Settings\Star\Desktop\AKCIJA 2015-12-02 09:49 - 2013-03-02 12:41 - 00014222 _____ C:\ComboFix.txt.vvv 2015-12-02 09:49 - 2010-11-17 14:27 - 00001086 _____ C:\BOJE.DBF.vvv 2015-12-02 09:49 - 2009-05-18 11:44 - 00132142 _____ C:\!!S.prn#1.PDF.vvv 2015-12-02 09:49 - 2008-12-23 14:58 - 00131550 _____ C:\!!S.prn.PDF.vvv 2015-12-02 09:49 - 2008-12-19 11:04 - 00155054 _____ C:\Cenovnik DUPONT DINARSKI 2008.doc.vvv 2015-12-02 09:49 - 2008-08-14 09:09 - 00000000 ____D C:\ColorQuickPro dupont 2015-12-02 07:21 - 2006-09-06 16:17 - 00000000 ____D C:\WINDOWS\system32\ias 2015-11-30 07:32 - 2013-02-16 18:45 - 00000000 ____D C:\Program Files\Mozilla Maintenance Service 2015-11-19 13:12 - 2008-12-23 14:58 - 00002837 _____ C:\!!S.prn 2015-11-12 08:36 - 2013-02-16 18:57 - 00001847 _____ C:\Documents and Settings\All Users\Desktop\Google Chrome.lnk ==================== Files in the root of some directories ======= 2015-12-02 09:49 - 2015-12-02 09:48 - 0413184 _____ (Cyotek Ltd) C:\Documents and Settings\Star\Application Data\vrepl-a.exe 2006-10-31 12:05 - 2012-07-17 11:49 - 0008704 _____ () C:\Documents and Settings\Star\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini 2007-01-11 13:04 - 2007-01-11 13:04 - 0000127 _____ () C:\Documents and Settings\Star\Local Settings\Application Data\fusioncache.dat Files to move or delete: ==================== C:\Documents and Settings\Star\CommCtl32.dll Some files in TEMP: ==================== C:\Documents and Settings\Star\Local Settings\temp\wusetup.exE ==================== Bamital & volsnap ================= (There is no automatic fix for files that do not pass verification.) C:\WINDOWS\explorer.exe => File is digitally signed C:\WINDOWS\system32\winlogon.exe => File is digitally signed C:\WINDOWS\system32\svchost.exe => File is digitally signed C:\WINDOWS\system32\services.exe => File is digitally signed C:\WINDOWS\system32\User32.dll => File is digitally signed C:\WINDOWS\system32\userinit.exe => File is digitally signed C:\WINDOWS\system32\rpcss.dll => File is digitally signed C:\WINDOWS\system32\dnsapi.dll => File is digitally signed C:\WINDOWS\system32\Drivers\volsnap.sys => File is digitally signed ==================== End of FRST.txt ============================ https://www.mycity.rs/must-login.png

Profil

magna86 Poslao: 03 Dec 2015 14:45 Idi na vrh
offline magna86 Anti Malware Fighter Rank 2 Pridružio: 21 Jun 2008 Poruke: 6103	0Niko još nije pohvalio poruku. Registruj se da bi pohvalio/la poruku! Pozdrav, Uh ... zeznuto. Zapatio si najnoviju varijantu TeslaCrypt, .vvv ransomware, osma modifikacija ovog malware-a. Jos se istrazuje ova varijanta ... Nema GUI za otkup ali imas uputstva koje je malware ostavio gde se govori kako izvrsiti dekripciju fajlova. 2015-12-02 10:27 - 2015-12-02 10:27 - 03452054 _____ C:\Documents and Settings\Star\Desktop\Howto_RESTORE_FILES.bmp -slika 2015-12-02 10:27 - 2015-12-02 10:27 - 00007676 _____ C:\Documents and Settings\Star\Desktop\Howto_RESTORE_FILES.html -web stranica 2015-12-02 10:27 - 2015-12-02 10:27 - 00002584 _____ C:\Documents and Settings\Star\Desktop\Howto_RESTORE_FILES.txt - notepad Ono sto ja mogu da uradim jeste da pratim desavanja za .vvv TC varijantu i cim nesto saznam mogu da osvezim ovu temu. Tek su krenule prijave, jedan si od prvih dokumentovanih. Ono sto ti mozes da uradis ...Molim te posalji mi sledeci .txt file putem ove forme da pogledam. C:\Documents and Settings\Star\Desktop\Howto_RESTORE_FILES.txt http://www.mycity.rs/ambulanta-upload.php Isto tako, ako imas droper (izvor infekcije, sam izvrsi fajl koji je instalirao malware na racunar, neki link, sajt...sta god), bilo bi pozeljno da ga uloadujes. Bilo kakav info je dobrodosao. Ako mozes da se setis sta je skidano sa interneta, instalirano pre nego sto je infekcija pocela..? Iako je nov malware, stara pravila vaze, svi podatci su kriptovani, postoji nekolicina dekript alata ali trenutno ne postoji dekripcija za tvoju varijantu. Ali ne znaci da nece biti. Ako se pojavi, ja cu bump-ovati ovu temu. Info: 0. http://www.bleepingcomputer.com/virus-removal/tesl.....nformation Citat:Can be decrypted? Can only be decrypted if victim was able to capture the key being sent to the server at the time of encryptionProbaj ovaj program, vidi hoce li sta reci? http://www.telerik.com/fiddler 1. http://www.bleepingcomputer.com/virus-removal/tesl.....on#decrypt 2. http://www.bleepingcomputer.com/news/security/new-.....ted-files/ 3. .vvv modifikacija: https://www.virustotal.com/en/file/b5aaa7e03eb4b34.....448985557/ Clanak nisam azurirao neko vreme, ali slicna pravila vaze: http://www.mycity.rs/MyCity-Laboratorija/Informaci.....ima-P.html Ukratko, ne mogu ti pomoci. Fajlovi su kriptovani, sve sto nosi particiono slovo, malware skenira i kriptuje (.vvv). Sam malware je u principu prosto ukloniti, svaki bolji AV i AM program ga markira (Malwarebytes .npr bi trebao biti azuriran da lovi ovu varijantu.) ali dekripcija nad fajlovima ostaje. Znaj, ako uklonis malware, svaka nada za dekripcijom preko autora (prinuda) nestaje.

Profil

Brksi Poslao: 03 Dec 2015 15:16 Idi na vrh
offline Brksi Ex KGB officer Pridružio: 18 Jul 2003 Poruke: 4204 Gde živiš: U zlatnom kavezu	0Niko još nije pohvalio poruku. Registruj se da bi pohvalio/la poruku! Briga me za prinudu. Ja sam mislio da izbacim infekciju a da onda da sa shadow explorerom promam da spasim koliko toliko fajlova a kriptovane da obrisem........

Profil

magna86 Poslao: 03 Dec 2015 15:21 Idi na vrh
offline magna86 Anti Malware Fighter Rank 2 Pridružio: 21 Jun 2008 Poruke: 6103	0Niko još nije pohvalio poruku. Registruj se da bi pohvalio/la poruku! Shadow Explorer je bio mator trik da se povuku fajlovi pre dekripcije. Ubrzo, pisci malware-a su pokrili taj propust. Na zalost ... Gledaj, polymorphic file infektori je drugi najgori tip malware-a koji neki koristik moze da ima. Na prvom mestu su upravo ove ransomware varijante. Nema goreg od ovoga... Ogromne pare pisci zaradjuju, toliko velika steta nastaje da ih FBI proganja. Da bi dekripcija postojala, potrebno je imati primerak dropera, pa videti na koji nacin funkcionise. Ako se kljuc nalazi na tamo nekom serveru, jedini nacin da se taj server konfiskuje.

Profil

Brksi Poslao: 03 Dec 2015 16:43 Idi na vrh
offline Brksi Ex KGB officer Pridružio: 18 Jul 2003 Poruke: 4204 Gde živiš: U zlatnom kavezu	0Niko još nije pohvalio poruku. Registruj se da bi pohvalio/la poruku! Napisano: 03 Dec 2015 15:24 Sta je bolje srusiti sistem ili dezinfikovati? Dopuna: 03 Dec 2015 16:10 komp zarazen mailom, mislim da je jos u sistemu. Fajlovi uploadovani Dopuna: 03 Dec 2015 16:43 Mislim da sam nasao dropper, spakovan u doc.rar fajlu. Da li da ga uploadujem?

Profil

magna86 Poslao: 03 Dec 2015 19:02 Idi na vrh
offline magna86 Anti Malware Fighter Rank 2 Pridružio: 21 Jun 2008 Poruke: 6103	0Niko još nije pohvalio poruku. Registruj se da bi pohvalio/la poruku! Odgovorio sam ti na PP jer to sam prvo procitao. Naravno, format. Molim te uploaduj primerak. Kasnije veceras cu naci vremena da testiram te ako se ispostavi da je to installer samog malware-a, prijavicu ljudima koji analiziraju ransom primerke te mozda ubrzamo i stvaranje decript alata, izvor kljuca ili neku trecu stvar.

Profil

Brksi Poslao: 03 Dec 2015 19:51 Idi na vrh
offline Brksi Ex KGB officer Pridružio: 18 Jul 2003 Poruke: 4204 Gde živiš: U zlatnom kavezu	0Niko još nije pohvalio poruku. Registruj se da bi pohvalio/la poruku! Okacen fajl. Nazalost ne smem da srusim sistem............

Profil

magna86 Poslao: 03 Dec 2015 20:21 Idi na vrh
offline magna86 Anti Malware Fighter Rank 2 Pridružio: 21 Jun 2008 Poruke: 6103	0Niko još nije pohvalio poruku. Registruj se da bi pohvalio/la poruku! Svaka cast, doc jeste droper. Prijavicu ovaj primerak odmah ljudima pa ti javljam dalja uputstva.

Profil

Brksi Poslao: 08 Dec 2015 23:27 Idi na vrh
offline Brksi Ex KGB officer Pridružio: 18 Jul 2003 Poruke: 4204 Gde živiš: U zlatnom kavezu	0Niko još nije pohvalio poruku. Registruj se da bi pohvalio/la poruku! Napisano: 08 Dec 2015 23:20 prica sa cryptolockerom dobila tragi-komican ishod. Ja naime uspem da deaktiviram virus, ali naravno ne i da dekriptujem fajlove. Uz nad ljdske napore pokusavam da objasnim da je bitno da fajlovi ostanu, jer oni su tu samo ih treba dekriptovati. Na sta on kaze vazi vazi i trazi komp nazad. Ja kazem da bi bilo dobro da se kriptovani fajlovi skupe na jedno mesto i stave pod lozinku, a da se win obori. On na to kaze ne sme da rusi sistem i mora da vidi s knjigovodjom da spase neke fajlove ja mu dam komp nazad. I posle 24h trazim mu da preko teamviewera udjem da uzmem jos neki fajl....... Kad ono medjutim lik ubacio tj neko mu ubacio avasta i skenirao mu komp i avast zbog duplih ekstenzija sve njegove sifrovane fajlove (slike, poslovna dokumenta) obrise........... ne da sam popizdeoooooooooooooo Dopuna: 08 Dec 2015 23:27 ali sve jednu bumonite temu ako nesto bude........

Profil

magna86 Poslao: 10 Dec 2015 15:16 Idi na vrh
offline magna86 Anti Malware Fighter Rank 2 Pridružio: 21 Jun 2008 Poruke: 6103	0Niko još nije pohvalio poruku. Registruj se da bi pohvalio/la poruku! Brksi, ja u logovima nisam video aktivan malware. Po svemu sudeci, malware je izvrsen a ComboFix (koji je pokretan dan ranije pre otvaranje ove teme) ili MBAM ga je uklonio jer ovaj malware koristi stare fazone ali je steta naravno ostala. Mozda je avast dirao neke konfiguracione ostatke... Tragova PUPa ima ... Ja pratim desavanja na polju malware-a non-stop. To mi je u okviru hobi-posla. Cim se pojavi nesto kao dekripcija (ako se pojavi) bices obavesten i bice poruka u MCLab. Primerak koji si obezbedio pravi obican registry kljuc (Run reg. kljuc) sa ciljem da izvrsi obican izvrsi file. Takve lokacije se standardno nadziru i tesko sta tu ostane zivo duzeg vremena pored neke zastite. Sto se tice avast!-a, sve sto je detektovano moze da se vrati nazad iz quarantina (ako sam quarantine nije ispraznjen).

Profil

29 Dec 2015 12:48

TwinHeadedEagle

Zaključavanje topica

Razlog: Odgovoreno je, dalja diskusija nema svrhu

MyCity » Ambulanta -> Arhiva Ambulante » Infekcija cryptolockerom

Ko je trenutno na forumu

Ukupno su 960 korisnika na forumu :: 36 registrovanih, 5 sakrivenih i 919 gosta :: [ Administrator ] [ Supermoderator ] [ Moderator ] :: Detaljnije

Najviše korisnika na forumu ikad bilo je 3466 - dana 01 Jun 2021 17:07

Korisnici koji su trenutno na forumu:: Korisnici trenutno na forumu: babaroga, bigfoot, cifra, darkangel, Darko8, Dimitrije Paunovic, Dimitrise93, Djokislav, drimer, esx66, HrcAk47, janbo, Kibice, Koca Popovic, krkalon, Kubovac, ladro, Lazarus, loon123, Mi lao shu, milanovic, mushroom, operniki, ozzy, pacika, Panter, raptorsi, Srle993, Trpe Grozni, vasa.93, Vlada1389, vladetije, vladulns, yufighter, šumar bk2, 79693

Svaki korisnik ovog sajta je odgovoran za sadržaj svoje poruke koju objavi na sajtu. Sajt se odriče svake odgovornosti za sadržaj tih poruka.
Postavljanjem vaše poruke ili vašeg autorskog dela na ovaj sajt, saglasni ste da ovaj sajt postaje distributer vašeg dela, i odričete se mogućnosti njegovog povlačenja ili brisanja, bez saglasnosti uprave sajta.
Distribucija sadržaja sa ovog sajta je dozvoljena samo u nekomercijalne svrhe, uz obaveznu napomenu da je sadržaj preuzet sa ovog sajta, i uz obavezno navođenje adrese MyCity sajta. Za sve ostale vidove distribucije obavezni ste da prethodno zatražite odobrenje od vlasnika MyCity sajta.
MyCity pokrenuo, administrira i razvija Predrag Damnjanović, a o uređenju sajta se brine MyCity Tim.
Ukoliko želite da nas kontaktirate kliknite ovde.
Naši sajtovi:
Vesti, Vojni forum, Zaštita od virusa, TekstPesme.rs

This content is licensed under a Creative Commons License.
Based on phpBB 2, translated by Simke, designed by