Fake antivirus infection


offline
  • Joined: 18 Jun 2005
  • Posts: 573
  • Location: Springfield

So, as recommended, I'm reporting to the Ambulanta.

zak280173 wrote: Not to open a separate topic....
Has anyone perhaps had a problem with a "fake" antivirus?
About an hour ago my brother called me and asked what to do. I don't know where he got the idea that I would know.
Here is what he told me.
While he was surfing and looking for some site (on Google) along the lines of Limundo (i.e. buying and selling), he says a window suddenly popped up and started scanning the computer, from a program he neither installed nor had ever heard of.
Of course, it has now blocked his internet access (except to the site linked from that "antivirus" window) and every program on the computer has supposedly been declared infected and, of course, blocked.
That supposed antivirus is called AvaSoft Profesional Antivirus 3.7.30
To help him I tried to find a solution online so I could pass it on, but what I found gives me no hope that this pest can be gotten rid of at all easily.

So I'm asking: does anyone perhaps have experience with this fake antivirus?


I'm at my brother's right now, so let's see what we need to do....
Is any other information needed.... about the computer, maybe, or....

offline
  • Research Engineer @MalwareBytes
  • Joined: 09 Aug 2011
  • Posts: 15877
  • Location: Beograd

Posted: 01 Apr 2013 17:50

Hi,

To start, try to follow the instructions and post the reports

http://www.mycity.rs/Ambulanta/Kako-otvoriti-temu-u-Ambulanti.html

Describe in a bit more detail how the computer behaves. You say the browser only works for one page; which browser exactly?

Update: 01 Apr 2013 18:31

If you can't run DDS, try renaming it to iexplore.exe and then running it...

offline
  • Joined: 18 Jun 2005
  • Posts: 573
  • Location: Springfield

I tried to open this DDS file but there's no chance at all; it won't run even as the renamed version (iexplor.exe). Are these text files made in Safe Mode worth anything? I managed to produce them there, but I don't know if they're any good...

Let me add that my brother uses Internet Explorer 8 almost exclusively on that computer and uses Telenor's internet (the popular 3.6 Mb/s "dongle"); unfortunately, at that moment he didn't have a single antivirus installed...
And to avoid confusion, I'm writing this from another computer.

Here is the DDS

DDS (Ver_2012-11-20.01) - FAT32_x86 NETWORK
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 10.7.2
Run by rade at 18:51:17 on 2013-04-01
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.782 [GMT 2:00]
.
AV: AVG Anti-Virus Free Edition 2012 *Enabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
AV: Microsoft Security Essentials *Enabled/Outdated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
.
============== Running Processes ================
.
C:\WINDOWS\system32\userinit.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\wbem\wmiprvse.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\System32\svchost.exe -k NetworkService
C:\WINDOWS\System32\svchost.exe -k LocalService
.
============== Pseudo HJT Report ===============
.
uStart Page = about:blank
uSearch Bar = hxxp://search.msn.at/spbasic.htm
uSearch Page = hxxp://www.google.com
mSearchAssistant = hxxp://www.google.com/ie
uURLSearchHooks: ICQToolBar: {855F3B16-6D32-4fe6-8A56-BBB695989046} - c:\program files\icq6toolbar\ICQToolBar.dll
uURLSearchHooks: SweetIM For Internet Explorer: {BC4FFE41-DE9F-46fa-B455-AAD49B9F9938} - LocalServer32 - <no file>
uURLSearchHooks: <No Name>: - LocalServer32 - <no file>
BHO: &Yahoo! Toolbar Helper: {02478D38-C3F9-4efb-9B51-7695ECA05670} - c:\program files\yahoo!\companion\installs\cpn2\yt.dll
BHO: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: SWEETIE Class: {1A0AADCD-3A72-4b5f-900F-E3BB5A838E2A} - LocalServer32 - <no file>
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049C3E9-B461-4BC5-8870-4C09146192CA} - c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\ie\rpbrowserrecordplugin.dll
BHO: AVG Safe Search: {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - LocalServer32 - <no file>
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - <orphaned>
BHO: Java(tm) Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - c:\program files\java\jre7\bin\ssv.dll
BHO: blekko search bar: {8769adce-dba5-48e9-afb5-67b12cdf2e61} - c:\program files\blekkotb_031\blekkotb_019X.dll
BHO: Windows Live Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - <orphaned>
BHO: AVG Security Toolbar: {95B7759C-8C7F-4BF1-B163-73684A933233} - c:\program files\avg secure search\14.2.0.1\AVG Secure Search_toolbar.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - c:\program files\java\jre7\bin\jp2ssv.dll
BHO: SingleInstance Class: {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - c:\program files\yahoo!\companion\installs\cpn2\YTSingleInstance.dll
TB: Yahoo! Toolbar: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - c:\program files\yahoo!\companion\installs\cpn2\yt.dll
TB: SweetIM For Internet Explorer: {BC4FFE41-DE9F-46FA-B455-AAD49B9F9938} - LocalServer32 - <no file>
TB: <No Name>: {E7DF6BFF-55A5-4EB7-A673-4ED3E9456D39} - LocalServer32 - <no file>
TB: DAEMON Tools Toolbar: {32099AAC-C132-4136-9E9A-4E364A424E17} - LocalServer32 - <no file>
TB: Yahoo! Toolbar: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - c:\program files\yahoo!\companion\installs\cpn2\yt.dll
TB: SweetIM For Internet Explorer: {BC4FFE41-DE9F-46fa-B455-AAD49B9F9938} - LocalServer32 - <no file>
TB: ICQToolBar: {855F3B16-6D32-4fe6-8A56-BBB695989046} - c:\program files\icq6toolbar\ICQToolBar.dll
TB: AVG Security Toolbar: {95B7759C-8C7F-4BF1-B163-73684A933233} - c:\program files\avg secure search\14.2.0.1\AVG Secure Search_toolbar.dll
TB: blekko search bar: {8769adce-dba5-48e9-afb5-67b12cdf2e61} - c:\program files\blekkotb_031\blekkotb_019X.dll
TB: DAEMON Tools Toolbar: {32099AAC-C132-4136-9E9A-4E364A424E17} - LocalServer32 - <no file>
EB: {32683183-48a0-441b-a342-7c2a440a9478} - <orphaned>
EB: {4528BBE0-4E08-11D5-AD55-00010333D0AD} - <orphaned>
EB: {4528BBE0-4E08-11D5-AD55-00010333D0AD} - <orphaned>
EB: ICQToolBar: {855F3B16-6D32-4fe6-8A56-BBB695989046} - c:\program files\icq6toolbar\ICQToolBar.dll
uRun: [CTFMON.EXE] c:\windows\system32\ctfmon.exe
uRun: [Facebook Update] "c:\documents and settings\rade\local settings\application data\facebook\update\FacebookUpdate.exe" /c /nocrashserver
uRunOnce: [2A3623675DEF180300002A35F9351BBA] c:\documents and settings\all users\application data\2a3623675def180300002a35f9351bba\2A3623675DEF180300002A35F9351BBA.exe
mRun: [LVCOMS] c:\program files\common files\logitech\qcdriver3\LVCOMS.EXE
mRun: [AGRSMMSG] AGRSMMSG.exe
mRun: [LogitechGalleryRepair] c:\program files\logitech\imagestudio\ISStart.exe
mRun: [LogitechImageStudioTray] c:\program files\logitech\imagestudio\LogiTray.exe
mRun: [FineReader7NewsReaderPro] "c:\program files\abbyy finereader 7.0 professional edition\AbbyyNewsReader.exe"
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [Omnipage] c:\program files\scansoft\omnipagese\opware32.exe
mRun: [ClocX] c:\program files\clocx\ClocX.exe
mRun: [lxccmon.exe] "c:\program files\lexmark 3300 series\lxccmon.exe"
mRun: [FaxCenterServer] "c:\program files\lexmark fax solutions\fm3032.exe" /s
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [TkBellExe] "c:\program files\real\realplayer\update\realsched.exe" -osboot
mRun: [LXCCCATS] rundll32 c:\windows\system32\spool\drivers\w32x86\3\LXCCtime.dll,_RunDLLEntry@16
mRun: [vProt] "c:\program files\avg secure search\vprot.exe"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [Anti-phishing Domain Advisor] "c:\documents and settings\all users\application data\anti-phishing domain advisor\visicom_antiphishing.exe"
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\apcups~1.lnk - c:\program files\apc\apc powerchute personal edition\Display.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
mPolicies-Windows\System: Allow-LogonScript-NetbiosDisabled = dword:1
mPolicies-Explorer: NoDriveTypeAutoRun = dword:145
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: Save with Download Manager... - c:\program files\j river\media center\DMDownload.htm
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - LocalServer32 - <no file>
IE: {6224f700-cba3-4071-b251-47cb894244cd} - c:\progra~1\icq\ICQ.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503}
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {E59EB121-F339-4851-A3BA-FE49C35617C2} - c:\program files\icq6.5\ICQ.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
.
INFO: HKCU has more than 50 listed domains.
If you wish to scan all of them, select the 'Force scan all domains' option.
.
DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://www.apple.com/qtactivex/qtplugin.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/C/0/C/C0CBBA88-A6F2-48D9-9B0E-1719D1177202/LegitCheckControl.cab
DPF: {5D69485C-EAB1-42AE-93C1-B5A53F238C5A} - hxxps://online.deltabanka.co.yu/RetailDLL/FSINT.dll
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1234140205804
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1238313872356
DPF: {73848533-39E1-49F1-9363-28054268C094} - hxxps://online.bancaintesabeograd.com/RetailDLL/FSINT9.dll
DPF: {76326493-E84F-4D4B-939C-1E07B50037F2} - hxxps://online.bancaintesabeograd.com/RetailDLL/SGCMSCCD.DLL
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/products/plugin/1.4/jinstall-14_01-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/shockwave/cabs/flash/ultrashim.cab
DPF: {A4639D2F-774E-11D3-A490-00C04F6843FB} - hxxp://download.microsoft.com/download/PowerPoint2002/Install/10.0.2609/WIN98MeXP/EN-US/msorun.cab
DPF: {A7C346A3-B076-46B3-97F0-D00F6B479451} - hxxps://online.bancaintesabeograd.com/RetailDLL/FSINT.dll
DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} - hxxp://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
DPF: {CAFEEFAC-0014-0001-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/1.4/jinstall-14_01-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {EF58E341-49C3-4156-A3C4-5FFCA7C1EAB7} - hxxp://www.euras.com/euras/EIS/plugin/euras.cab
TCP: Interfaces\{F9237C1C-EEE5-4E59-AE4D-6CF9024074D3} : DHCPNameServer = 192.168.1.2
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - LocalServer32 - <no file>
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\program files\common files\skype\Skype4COM.dll
Handler: viprotocol - {B658800C-F66E-4EF3-AB85-6C0C227862A9} - c:\program files\common files\avg secure search\viprotocolinstaller\14.2.0\ViProtocol.dll
Name-Space Handler: HTTPS\ZDA - <Clsid value has no data>
Hosts: 127.0.0.1 mpa.one.microsoft.com
.
============= SERVICES / DRIVERS ===============
.
R0 si3112r;Silicon Image SiI 3112 SATARaid Controller;c:\windows\system32\drivers\Si3112r.sys [2002-9-25 81969]
R1 avgtp;avgtp;c:\windows\system32\drivers\avgtpx86.sys [2012-11-8 33112]
R1 kbfilter;Keyboard Filter Driver;c:\windows\system32\drivers\kbfilter.sys [2003-8-29 11864]
S0 AVGIDSEH;AVGIDSEH;c:\windows\system32\drivers\avgidseh.sys --> c:\windows\system32\drivers\AVGIDSEH.Sys [?]
S0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys --> c:\windows\system32\drivers\avgrkx86.sys [?]
S0 hptpro;hptpro;c:\windows\system32\drivers\hptpro.sys [2002-10-16 9458]
S1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys --> c:\windows\system32\drivers\avgldx86.sys [?]
S1 Avgmfx86;AVG Mini-Filter Resident Anti-Virus Shield;c:\windows\system32\drivers\avgmfx86.sys --> c:\windows\system32\drivers\avgmfx86.sys [?]
S1 Avgtdix;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys --> c:\windows\system32\drivers\avgtdix.sys [?]
S1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2011-4-18 165648]
S2 ICQ Service;ICQ Service;c:\program files\icq6toolbar\ICQ Service.exe [2009-6-6 222456]
S2 MarxDev1;MarxDev1;c:\windows\system32\drivers\MARXDEV1.SYS [2006-1-22 8864]
S2 MarxDev2;MarxDev2;c:\windows\system32\drivers\MARXDEV2.SYS [2006-1-22 8864]
S2 MarxDev3;MarxDev3;c:\windows\system32\drivers\MARXDEV3.SYS [2006-1-22 8864]
S2 NNServ;NNServ;"c:\program files\newdotnet\nnrun.exe" "c:\program files\newdotnet\nncore.dll" servicestart --> c:\program files\newdotnet\nnrun.exe [?]
S2 nvtvSND;nVidia WDM TVAudio Crossbar;c:\windows\system32\drivers\nvtvsnd.sys --> c:\windows\system32\drivers\nvtvsnd.sys [?]
S2 PCToolsSSDMonitorSvc;PC Tools Startup and Shutdown Monitor service;c:\program files\common files\pc tools\smonitor\StartManSvc.exe [2012-2-26 632792]
S2 SkypeUpdate;Skype Updater;c:\program files\skype\updater\Updater.exe [2013-2-28 161384]
S2 Tdlpt;Tdlpt;c:\windows\system32\drivers\TDLPT.SYS [2006-1-22 8012]
S2 vToolbarUpdater14.2.0;vToolbarUpdater14.2.0;c:\program files\common files\avg secure search\vtoolbarupdater\14.2.0\ToolbarUpdater.exe [2013-2-20 968880]
S3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\avgidsdriver.sys --> c:\windows\system32\drivers\AVGIDSDriver.Sys [?]
S3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\drivers\avgidsfilter.sys --> c:\windows\system32\drivers\AVGIDSFilter.Sys [?]
S3 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\avgidsshim.sys --> c:\windows\system32\drivers\AVGIDSShim.Sys [?]
S3 hwusbdev;Huawei DataCard USB PNP Device;c:\windows\system32\drivers\ewusbdev.sys [2010-9-2 100480]
S3 iadusb;MT882;c:\windows\system32\drivers\glauiad.sys [2007-2-27 30336]
S3 PhTVTune;TVFM WDM TVTuner (SAA713x);c:\windows\system32\drivers\PhTVTune.sys [2003-8-29 20352]
S3 usb2vcom;USB Data Cable;c:\windows\system32\drivers\usb2vcom.sys [2009-8-23 22760]
.
=============== File Associations ===============
.
ShellExec: vmidi.exe: open="c:\program files\vanbasco's karaoke player\vmidi.exe"
ShellExec: vmidi.exe: play="c:\program files\vanbasco's karaoke player\vmidi.exe"
.
=============== Created Last 30 ================
.
2013-03-31 14:34:00 -------- d-----w- c:\documents and settings\all users\application data\2A3623675DEF180300002A35F9351BBA
.
==================== Find3M ====================
.
2024-03-21 11:44:18 246272 ----a-w- c:\windows\UNINST16.EXE
2013-02-20 16:56:12 33112 ----a-w- c:\windows\system32\drivers\avgtpx86.sys
2013-01-29 10:01:50 1409 ----a-w- c:\windows\QTFont.for
2004-07-30 09:15:02 12205536 ----a-w- c:\program files\acdsee.exe
2004-01-15 01:40:26 4954024 ----a-w- c:\program files\SetupDl.exe
2004-01-04 21:27:42 4610480 ----a-w- c:\program files\icqpro2003b.exe
.
============= FINISH: 18:51:48.87 ===============


And here is the attach
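A small triage script for DDS output, added here as an example (it is not a DDS, ComboFix or MyCity tool and is not part of the thread). It flags the three traces visible in the report above: the uRunOnce value whose name is a bare 32-character hex string and whose target sits under All Users\Application Data, the Hosts line that points mpa.one.microsoft.com at 127.0.0.1 (a rogue's usual way of cutting a real AV off from its updates; note that Microsoft Security Essentials shows as "Enabled/Outdated"), and the folder with the same hex name created on 2013-03-31. The sample lines are copied from the report above, trimmed to the ones that matter; the AV-vendor host suffixes other than microsoft.com in WATCHED_HOST_SUFFIXES are assumptions, not something the log shows.

```python
"""Triage a DDS "Pseudo HJT Report" for rogue-antivirus indicators.

Added example; not part of DDS, ComboFix or the MyCity thread. It looks for
three traces of the kind the log above shows:
  * a Run/RunOnce value whose name is a bare 32-character hex string and whose
    target sits under All Users\\Application Data (or ProgramData),
  * a Hosts entry that points a Microsoft (or AV-vendor) host at a local
    address, which keeps the real AV from updating,
  * a directory created in the last 30 days that has the same hex name as
    that autorun (the dropper's working folder).
"""
import re
from typing import Dict, List

AUTORUN_RE = re.compile(r"^(?P<hive>[umd]Run(?:Once)?): \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
HOSTS_RE = re.compile(r"^Hosts: (?P<ip>\S+) (?P<host>\S+)$")
# "<date> <time> <size or -------- > <8-char attrs> <path>", as DDS prints it
CREATED_RE = re.compile(
    r"^(?P<when>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) \S+ (?P<attr>\S{8}) (?P<path>.+)$"
)
HEX32_RE = re.compile(r"^[0-9A-Fa-f]{32}$")

# mpa.one.microsoft.com is the host blocked in this thread; the other
# suffixes are assumed members of the same class (AV-vendor update hosts).
WATCHED_HOST_SUFFIXES = ("microsoft.com", "avg.com", "malwarebytes.org")
LOCAL_IPS = {"127.0.0.1", "0.0.0.0", "::1"}

# Sample input: lines copied from the DDS report above, trimmed to the ones
# that matter, so the script runs offline.
SAMPLE_DDS = r"""uRun: [CTFMON.EXE] c:\windows\system32\ctfmon.exe
uRunOnce: [2A3623675DEF180300002A35F9351BBA] c:\documents and settings\all users\application data\2a3623675def180300002a35f9351bba\2A3623675DEF180300002A35F9351BBA.exe
mRun: [vProt] "c:\program files\avg secure search\vprot.exe"
Hosts: 127.0.0.1 mpa.one.microsoft.com
2013-03-31 14:34:00 -------- d-----w- c:\documents and settings\all users\application data\2A3623675DEF180300002A35F9351BBA
2013-02-20 16:56:12 33112 ----a-w- c:\windows\system32\drivers\avgtpx86.sys
"""


def _exe_path(cmd: str) -> str:
    """Return the lower-cased image path of a Run command, without quotes or arguments."""
    cmd = cmd.strip().lstrip('"')
    m = re.match(r"(.+?\.exe)", cmd, re.IGNORECASE)
    return (m.group(1) if m else cmd).lower()


def triage(dds_text: str) -> List[Dict[str, str]]:
    """Return the rogue-AV indicators found in DDS output, autoruns and hosts first."""
    findings: List[Dict[str, str]] = []
    hex_autoruns: Dict[str, str] = {}
    created_dirs: List[Dict[str, str]] = []

    for line in dds_text.splitlines():
        m = AUTORUN_RE.match(line)
        if m:
            path = _exe_path(m["cmd"])
            in_appdata = "\\application data\\" in path or "\\programdata\\" in path
            if HEX32_RE.match(m["name"]) and in_appdata:
                hex_autoruns[m["name"].lower()] = path
                findings.append({"kind": "rogue_autorun", "hive": m["hive"],
                                 "name": m["name"], "path": path})
            continue
        m = HOSTS_RE.match(line)
        if m and m["ip"] in LOCAL_IPS and m["host"].lower().endswith(WATCHED_HOST_SUFFIXES):
            findings.append({"kind": "hosts_block", "host": m["host"], "ip": m["ip"]})
            continue
        m = CREATED_RE.match(line)
        if m and m["attr"].startswith("d"):
            created_dirs.append({"when": m["when"], "path": m["path"]})

    # Second pass: tie freshly created directories to the hex-named autorun.
    for d in created_dirs:
        leaf = d["path"].rstrip("\\").rsplit("\\", 1)[-1].lower()
        if leaf in hex_autoruns:
            findings.append({"kind": "dropper_dir", "path": d["path"],
                             "when": d["when"], "autorun": leaf})
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_DDS):
        print(finding)
```

Run it on a whole DDS.txt by reading the file into triage(); the benign Run entries (CTFMON, vProt) and the Find3M driver line are left alone, while the hex-named RunOnce, the Hosts override and the matching dropper folder come back as three findings. The second pass matters because the "Created Last 30" section appears after the autoruns in DDS output, so the directory can only be tied to the autorun once all lines have been read.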

offline
  • Research Engineer @MalwareBytes
  • Joined: 09 Aug 2011
  • Posts: 15877
  • Location: Beograd

OK, you'll have to run the next tool from Safe Mode.

Download ComboFix.

Run it and follow the instructions. If it restarts the computer, make sure it goes back into Safe Mode so it can finish.

offline
  • Joined: 18 Jun 2005
  • Posts: 573
  • Location: Springfield

First of all, thanks for the help.

Today I talked to my brother to arrange when I'd stop by to continue solving the problem (to run that ComboFix). But he tells me "hey man, I fixed it" - I was stunned... I asked him how and he explained.
He had, if I understood him correctly, some registry cleaner installed on the computer. He ran it in Safe Mode, it gave him a list of results as "bad", he deleted that, and now the computer works without problems...

Honestly, I'm still in disbelief....

We'll see what happens in the coming days...

In any case, thanks again for the help.... Cheers (and it may still be needed)

offline
  • Research Engineer @MalwareBytes
  • Joined: 09 Aug 2011
  • Posts: 15877
  • Location: Beograd

You should definitely post new reports from Normal Mode, so we can make sure everything is fine...
