It seems CryptoLocker has affected certain folders and data?


offline
  • Joined: 04 Aug 2009
  • Posts: 166


Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 11-10-2014
Ran by WIN7 (administrator) on WIN7-PC on 11-10-2014 14:47:09
Running from C:\Users\WIN7\Downloads
Loaded Profile: WIN7 (Available profiles: WIN7 & USERR & KOM1)
Platform: Microsoft Windows 7 Professional (X86) OS Language: English (United States)
Internet Explorer Version 8
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: geekstogo.com/forum/topic/335081-frst-t.....scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(Malwarebytes Corporation) C:\Program Files\Malwarebytes Anti-Malware\mbamscheduler.exe
(Malwarebytes Corporation) C:\Program Files\Malwarebytes Anti-Malware\mbamservice.exe
(TeamViewer GmbH) C:\Program Files\TeamViewer\Version9\TeamViewer_Service.exe
(Malwarebytes Corporation) C:\Program Files\Malwarebytes Anti-Malware\mbam.exe
(Microsoft Corporation) C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
(Opera Software) C:\Program Files\Opera\24.0.1558.64\opera.exe
() C:\Program Files\Opera\24.0.1558.64\opera_crashreporter.exe
(Opera Software) C:\Program Files\Opera\24.0.1558.64\opera.exe
(Opera Software) C:\Program Files\Opera\24.0.1558.64\opera.exe
(Opera Software) C:\Program Files\Opera\24.0.1558.64\opera.exe
(Opera Software) C:\Program Files\Opera\24.0.1558.64\opera.exe
(Opera Software) C:\Program Files\Opera\24.0.1558.64\opera.exe
(Opera Software) C:\Program Files\Opera\24.0.1558.64\opera.exe
(Opera Software) C:\Program Files\Opera\24.0.1558.64\opera.exe
(Opera Software) C:\Program Files\Opera\24.0.1558.64\opera.exe
(Opera Software) C:\Program Files\Opera\24.0.1558.64\opera.exe


==================== Registry (Whitelisted) ==================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [GrooveMonitor] => C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe [31016 2006-10-27] (Microsoft Corporation)

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKCU\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = en-us
HKCU\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = 0xE0D7B2057FE4CF01
BHO: Groove GFS Browser Helper -> {72853161-30C5-4D22-B7F9-0BBC1D38A37E} -> C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll (Microsoft Corporation)
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll (Microsoft Corporation)
Tcpip\Parameters: [DhcpNameServer] 192.168.100.219

FireFox:
========
FF Plugin: @tools.google.com/Google Update;version=3 -> C:\Program Files\Google\Update\1.3.24.15\npGoogleUpdate3.dll (Google Inc.)
FF Plugin: @tools.google.com/Google Update;version=9 -> C:\Program Files\Google\Update\1.3.24.15\npGoogleUpdate3.dll (Google Inc.)

Chrome:
=======
CHR Profile: C:\Users\WIN7\AppData\Local\Google\Chrome\User Data\Default
CHR Extension: (Docs) - C:\Users\WIN7\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake [2014-10-11]
CHR Extension: (Google Drive) - C:\Users\WIN7\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf [2014-10-11]
CHR Extension: (YouTube) - C:\Users\WIN7\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2014-10-11]
CHR Extension: (Google Search) - C:\Users\WIN7\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf [2014-10-11]
CHR Extension: (Gmail) - C:\Users\WIN7\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2014-10-11]

========================== Services (Whitelisted) =================

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

R2 MBAMScheduler; C:\Program Files\Malwarebytes Anti-Malware\mbamscheduler.exe [1809720 2014-05-12] (Malwarebytes Corporation)
R2 MBAMService; C:\Program Files\Malwarebytes Anti-Malware\mbamservice.exe [860472 2014-05-12] (Malwarebytes Corporation)

==================== Drivers (Whitelisted) ====================

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

R3 MBAMProtector; C:\Windows\system32\drivers\mbam.sys [23256 2014-05-12] (Malwarebytes Corporation)
R3 MBAMSwissArmy; C:\Windows\system32\drivers\MBAMSwissArmy.sys [110296 2014-10-11] (Malwarebytes Corporation)
R3 MBAMWebAccessControl; C:\Windows\system32\drivers\mwac.sys [51928 2014-05-12] (Malwarebytes Corporation)
S3 catchme; \??\C:\Users\WIN7\AppData\Local\Temp\catchme.sys [X]

==================== NetSvcs (Whitelisted) ===================


(If an item is included in the fixlist, it will be removed from the registry. Any associated file could be listed separately to be moved.)


==================== One Month Created Files and Folders ========

(If an entry is included in the fixlist, the file\folder will be moved.)

2014-10-11 14:47 - 2014-10-11 14:47 - 00005430 _____ () C:\Users\WIN7\Downloads\FRST.txt
2014-10-11 14:46 - 2014-10-11 14:47 - 00000000 ____D () C:\FRST
2014-10-11 14:45 - 2014-10-11 14:45 - 01101312 _____ (Farbar) C:\Users\WIN7\Downloads\FRST.exe
2014-10-11 10:24 - 2014-10-11 10:24 - 00001413 _____ () C:\Users\KOM1\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Internet Explorer.lnk
2014-10-11 10:24 - 2014-10-11 10:24 - 00000020 ___SH () C:\Users\KOM1\ntuser.ini
2014-10-11 10:24 - 2014-10-11 10:24 - 00000000 ____D () C:\Users\KOM1\AppData\Local\Google
2014-10-11 10:24 - 2014-10-11 10:24 - 00000000 ____D () C:\Users\KOM1
2014-10-11 10:24 - 2009-07-14 06:42 - 00000000 ___RD () C:\Users\KOM1\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories
2014-10-11 10:24 - 2009-07-14 06:37 - 00000000 ___RD () C:\Users\KOM1\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance
2014-10-11 09:44 - 2014-10-11 09:44 - 00007098 _____ () C:\ComboFix.txt
2014-10-11 09:38 - 2014-10-11 09:44 - 00000000 ____D () C:\ComboFix
2014-10-11 09:38 - 2011-06-26 08:45 - 00256000 _____ () C:\Windows\PEV.exe
2014-10-11 09:38 - 2010-11-07 19:20 - 00208896 _____ () C:\Windows\MBR.exe
2014-10-11 09:38 - 2009-04-20 06:56 - 00060416 _____ (NirSoft) C:\Windows\NIRCMD.exe
2014-10-11 09:38 - 2000-08-31 02:00 - 00518144 _____ (SteelWerX) C:\Windows\SWREG.exe
2014-10-11 09:38 - 2000-08-31 02:00 - 00406528 _____ (SteelWerX) C:\Windows\SWSC.exe
2014-10-11 09:38 - 2000-08-31 02:00 - 00098816 _____ () C:\Windows\sed.exe
2014-10-11 09:38 - 2000-08-31 02:00 - 00080412 _____ () C:\Windows\grep.exe
2014-10-11 09:38 - 2000-08-31 02:00 - 00068096 _____ () C:\Windows\zip.exe
2014-10-11 09:37 - 2014-10-11 09:44 - 00000000 ____D () C:\Qoobox
2014-10-11 09:37 - 2014-10-11 09:43 - 00000000 ____D () C:\Windows\ERDNT
2014-10-11 09:21 - 2014-10-11 09:21 - 00000000 ____D () C:\Users\WIN7\AppData\Roaming\Opera Software
2014-10-11 09:21 - 2014-10-11 09:21 - 00000000 ____D () C:\Users\WIN7\AppData\Local\Opera Software
2014-10-11 09:18 - 2014-10-11 09:18 - 00002164 _____ () C:\Users\Public\Desktop\Google Chrome.lnk
2014-10-11 09:18 - 2014-10-11 09:18 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Chrome
2014-10-11 09:17 - 2014-10-11 14:22 - 00000886 _____ () C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2014-10-11 09:17 - 2014-10-11 13:46 - 00000882 _____ () C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2014-10-11 09:17 - 2014-10-11 09:44 - 00000000 ____D () C:\Users\WIN7\AppData\Local\Google
2014-10-11 09:17 - 2014-10-11 09:18 - 00000000 ____D () C:\Program Files\Google
2014-10-11 09:17 - 2014-10-11 09:17 - 00001117 _____ () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Mozilla Firefox.lnk
2014-10-11 09:17 - 2014-10-11 09:17 - 00001105 _____ () C:\Users\Public\Desktop\Mozilla Firefox.lnk
2014-10-11 09:17 - 2014-10-11 09:17 - 00001087 _____ () C:\Users\Public\Desktop\Opera.lnk
2014-10-11 09:17 - 2014-10-11 09:17 - 00001087 _____ () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Opera.lnk
2014-10-11 09:17 - 2014-10-11 09:17 - 00000000 ____D () C:\ProgramData\Mozilla
2014-10-11 09:17 - 2014-10-11 09:17 - 00000000 ____D () C:\Program Files\Opera
2014-10-11 09:17 - 2014-10-11 09:17 - 00000000 ____D () C:\Program Files\Mozilla Maintenance Service
2014-10-11 09:17 - 2014-10-11 09:17 - 00000000 ____D () C:\Program Files\Mozilla Firefox
2014-10-11 09:16 - 2014-10-11 09:16 - 00305664 _____ (Secure By Design Inc.) C:\Users\WIN7\Desktop\Ninite_Chrome_Firefox_Opera_Chromium_Installer.exe
2014-10-11 09:10 - 2014-10-11 13:57 - 00110296 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\MBAMSwissArmy.sys
2014-10-11 09:10 - 2014-10-11 09:10 - 00001060 _____ () C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2014-10-11 09:10 - 2014-10-11 09:10 - 00000000 ____D () C:\Users\WIN7\AppData\Roaming\Macromedia
2014-10-11 09:10 - 2014-10-11 09:10 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes Anti-Malware
2014-10-11 09:10 - 2014-10-11 09:10 - 00000000 ____D () C:\ProgramData\Malwarebytes
2014-10-11 09:10 - 2014-10-11 09:10 - 00000000 ____D () C:\Program Files\Malwarebytes Anti-Malware
2014-10-11 09:10 - 2014-05-12 07:26 - 00051928 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mwac.sys
2014-10-11 09:10 - 2014-05-12 07:25 - 00074456 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mbamchameleon.sys
2014-10-11 09:10 - 2014-05-12 07:25 - 00023256 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mbam.sys
2014-10-11 09:09 - 2014-10-11 09:09 - 00000000 ____D () C:\Users\WIN7\AppData\Roaming\WinRAR
2014-10-11 09:09 - 2014-10-11 09:09 - 00000000 ____D () C:\Users\WIN7\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\WinRAR
2014-10-11 09:09 - 2014-10-11 09:09 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\WinRAR
2014-10-11 09:09 - 2014-10-11 09:09 - 00000000 ____D () C:\Program Files\WinRAR
2014-10-11 09:06 - 2014-10-10 23:37 - 00001771 _____ () C:\Users\WIN7\Desktop\Add_Take_Ownership.reg
2014-10-11 09:06 - 2014-10-10 22:43 - 00000441 _____ () C:\Users\WIN7\Desktop\New Text Document.txt
2014-10-10 23:07 - 2014-10-10 13:12 - 00000000 ____D () C:\Windows\Panther
2014-10-10 22:10 - 2014-10-10 22:10 - 00001345 _____ () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Media Center.lnk
2014-10-10 22:10 - 2014-10-10 22:10 - 00001326 _____ () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Windows DVD Maker.lnk
2014-10-10 22:09 - 2014-10-10 22:09 - 00000000 ____H () C:\Windows\system32\Drivers\Msft_User_WpdFs_01_09_00.Wdf
2014-10-10 22:08 - 2014-10-10 22:10 - 00001313 _____ () C:\Windows\TSSysprep.log
2014-10-10 19:56 - 2014-10-10 20:30 - 00000000 ____D () C:\Users\WIN7\AppData\Roaming\TeamViewer
2014-10-10 19:56 - 2014-10-10 19:56 - 00001132 _____ () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\TeamViewer 9.lnk
2014-10-10 19:56 - 2014-10-10 19:56 - 00001120 _____ () C:\Users\Public\Desktop\TeamViewer 9.lnk
2014-10-10 19:56 - 2014-10-10 19:56 - 00000000 ____D () C:\Program Files\TeamViewer
2014-10-10 15:36 - 2014-10-10 15:36 - 00000000 ____D () C:\Users\WIN7\AppData\Roaming\Adobe
2014-10-10 15:32 - 2014-10-11 14:07 - 00000830 _____ () C:\Windows\Tasks\Adobe Flash Player Updater.job
2014-10-10 15:32 - 2014-10-10 15:32 - 00701104 _____ (Adobe Systems Incorporated) C:\Windows\system32\FlashPlayerApp.exe
2014-10-10 15:32 - 2014-10-10 15:32 - 00071344 _____ (Adobe Systems Incorporated) C:\Windows\system32\FlashPlayerCPLApp.cpl
2014-10-10 15:32 - 2014-10-10 15:32 - 00000000 ____D () C:\Windows\system32\Macromed
2014-10-10 15:30 - 2014-10-10 15:36 - 00000000 ____D () C:\Users\WIN7\AppData\Local\Adobe
2014-10-10 15:02 - 2014-10-11 10:23 - 00004056 _____ () C:\Windows\PFRO.log
2014-10-10 14:08 - 2014-10-10 14:08 - 00001413 _____ () C:\Users\USERR\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Internet Explorer.lnk
2014-10-10 14:08 - 2014-10-10 14:08 - 00000020 ___SH () C:\Users\USERR\ntuser.ini
2014-10-10 14:08 - 2014-10-10 14:08 - 00000000 ____D () C:\Users\USERR\AppData\Local\VirtualStore
2014-10-10 14:08 - 2014-10-10 14:08 - 00000000 ____D () C:\Users\USERR
2014-10-10 14:08 - 2009-07-14 06:42 - 00000000 ___RD () C:\Users\USERR\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories
2014-10-10 14:08 - 2009-07-14 06:37 - 00000000 ___RD () C:\Users\USERR\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance
2014-10-10 13:42 - 2014-10-10 15:25 - 01056768 _____ () C:\Windows\system32\defltbase.sdb
2014-10-10 13:30 - 2014-09-15 09:06 - 00231568 ____N (Microsoft Corporation) C:\Windows\system32\MpSigStub.exe
2014-10-10 13:22 - 2014-10-10 13:22 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft Office
2014-10-10 13:22 - 2006-10-26 19:56 - 00032592 _____ (Microsoft Corporation) C:\Windows\system32\msonpmon.dll
2014-10-10 13:21 - 2014-10-10 13:21 - 00000000 ____D () C:\Windows\PCHEALTH
2014-10-10 13:21 - 2014-10-10 13:21 - 00000000 ____D () C:\Program Files\Microsoft.NET
2014-10-10 13:21 - 2014-10-10 13:21 - 00000000 ____D () C:\Program Files\Microsoft Works
2014-10-10 13:21 - 2014-10-10 13:21 - 00000000 ____D () C:\Program Files\Microsoft Visual Studio
2014-10-10 13:21 - 2014-10-10 13:21 - 00000000 ____D () C:\Program Files\Common Files\DESIGNER
2014-10-10 13:20 - 2014-10-10 13:20 - 00000000 ____D () C:\Program Files\Microsoft Visual Studio 8
2014-10-10 13:19 - 2014-10-10 13:22 - 00000000 ____D () C:\ProgramData\Microsoft Help
2014-10-10 13:19 - 2014-10-10 13:21 - 00000000 ____D () C:\Program Files\Microsoft Office
2014-10-10 13:19 - 2014-10-10 13:19 - 00000000 ___RD () C:\MSOCache
2014-10-10 13:19 - 2014-10-10 13:19 - 00000000 ____D () C:\Users\WIN7\AppData\Local\Microsoft Help
2014-10-10 13:18 - 2014-10-10 13:18 - 00000000 ____D () C:\Users\WIN7\Desktop\TakeOwnership
2014-10-10 13:17 - 2014-10-11 14:27 - 00713888 _____ () C:\Windows\system32\PerfStringBackup.INI
2014-10-10 13:15 - 2014-10-10 13:15 - 00000000 ____D () C:\Users\WIN7\Desktop\Nova
2014-10-10 13:14 - 2014-10-11 10:20 - 00108824 _____ () C:\Users\WIN7\AppData\Local\GDIPFONTCACHEV1.DAT
2014-10-10 13:13 - 2014-10-10 13:13 - 00001413 _____ () C:\Users\WIN7\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Internet Explorer.lnk
2014-10-10 13:13 - 2012-06-03 00:19 - 01933848 _____ (Microsoft Corporation) C:\Windows\system32\wuaueng.dll
2014-10-10 13:13 - 2012-06-03 00:19 - 00577048 _____ (Microsoft Corporation) C:\Windows\system32\wuapi.dll
2014-10-10 13:13 - 2012-06-03 00:19 - 00053784 _____ (Microsoft Corporation) C:\Windows\system32\wuauclt.exe
2014-10-10 13:13 - 2012-06-03 00:19 - 00045080 _____ (Microsoft Corporation) C:\Windows\system32\wups2.dll
2014-10-10 13:13 - 2012-06-03 00:19 - 00035864 _____ (Microsoft Corporation) C:\Windows\system32\wups.dll
2014-10-10 13:13 - 2012-06-03 00:12 - 02422272 _____ (Microsoft Corporation) C:\Windows\system32\wucltux.dll
2014-10-10 13:13 - 2012-06-03 00:12 - 00088576 _____ (Microsoft Corporation) C:\Windows\system32\wudriver.dll
2014-10-10 13:13 - 2012-06-02 15:19 - 00171904 _____ (Microsoft Corporation) C:\Windows\system32\wuwebv.dll
2014-10-10 13:13 - 2012-06-02 15:12 - 00033792 _____ (Microsoft Corporation) C:\Windows\system32\wuapp.exe
2014-10-10 13:12 - 2014-10-11 13:47 - 00179682 _____ () C:\Windows\WindowsUpdate.log
2014-10-10 13:12 - 2014-10-10 13:13 - 00000000 ____D () C:\Users\WIN7
2014-10-10 13:12 - 2014-10-10 13:12 - 00000020 ___SH () C:\Users\WIN7\ntuser.ini
2014-10-10 13:12 - 2014-10-10 13:12 - 00000000 ____D () C:\Users\WIN7\AppData\Local\VirtualStore
2014-10-10 13:12 - 2014-10-10 13:12 - 00000000 ____D () C:\Recovery
2014-10-10 13:12 - 2009-07-14 06:42 - 00000000 ___RD () C:\Users\WIN7\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories
2014-10-10 13:12 - 2009-07-14 06:37 - 00000000 ___RD () C:\Users\WIN7\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance

==================== One Month Modified Files and Folders =======

(If an entry is included in the fixlist, the file\folder will be moved.)

2014-10-11 13:44 - 2009-07-14 06:53 - 00000006 ____H () C:\Windows\Tasks\SA.DAT
2014-10-11 13:44 - 2009-07-14 06:39 - 00017215 _____ () C:\Windows\setupact.log
2014-10-11 13:27 - 2009-07-14 06:34 - 00009600 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2014-10-11 13:27 - 2009-07-14 06:34 - 00009600 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2014-10-11 09:44 - 2009-07-14 04:37 - 00000000 ___RD () C:\Users\Public
2014-10-11 09:43 - 2009-07-14 04:04 - 00000215 _____ () C:\Windows\system.ini
2014-10-11 09:02 - 2009-07-14 06:33 - 00412464 _____ () C:\Windows\system32\FNTCACHE.DAT
2014-10-10 23:07 - 2009-07-14 06:57 - 00025600 ___SH () C:\Windows\system32\config\BCD-Template.LOG
2014-10-10 23:07 - 2009-07-14 06:52 - 00028672 _____ () C:\Windows\system32\config\BCD-Template
2014-10-10 22:10 - 2009-07-14 04:37 - 00000000 ___RD () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories
2014-10-10 22:08 - 2009-07-14 09:50 - 00000000 ____D () C:\Windows\CSC
2014-10-10 22:08 - 2009-07-14 06:34 - 00001774 _____ () C:\Windows\DtcInstall.log
2014-10-10 16:07 - 2009-07-14 04:37 - 00000000 ____D () C:\Windows\rescache
2014-10-10 13:37 - 2009-07-14 04:37 - 00000000 ____D () C:\Windows\Microsoft.NET
2014-10-10 13:21 - 2009-07-14 09:50 - 00000000 ____D () C:\Windows\ShellNew
2014-10-10 13:21 - 2009-07-14 06:52 - 00000000 ____D () C:\Program Files\MSBuild
2014-10-10 13:21 - 2009-07-14 04:37 - 00000000 ____D () C:\Program Files\Common Files\microsoft shared
2014-10-10 13:19 - 2009-07-14 04:37 - 00000000 ____D () C:\Program Files\Common Files\System
2014-10-10 13:19 - 2009-07-14 04:04 - 00000478 _____ () C:\Windows\win.ini
2014-10-10 13:12 - 2009-07-14 06:52 - 00000000 ____D () C:\Windows\system32\restore
2014-10-10 13:12 - 2009-07-14 04:37 - 00000000 ____D () C:\Windows\system32\Recovery

==================== Bamital & volsnap Check =================

(There is no automatic fix for files that do not pass verification.)

C:\Windows\explorer.exe => File is digitally signed
C:\Windows\system32\winlogon.exe => File is digitally signed
C:\Windows\system32\wininit.exe => File is digitally signed
C:\Windows\system32\svchost.exe => File is digitally signed
C:\Windows\system32\services.exe => File is digitally signed
C:\Windows\system32\User32.dll => File is digitally signed
C:\Windows\system32\userinit.exe => File is digitally signed
C:\Windows\system32\rpcss.dll => File is digitally signed
C:\Windows\system32\Drivers\volsnap.sys => File is digitally signed


LastRegBack: 2014-10-10 15:58

==================== End Of Log ============================

offline
  • magna86
  • Anti Malware Fighter
    Rank 2
  • Joined: 21 Jun 2008
  • Posts: 6102

Katana, you ran ComboFix without supervision. Just so you know, with this move you may have doomed your files ...


Copy the contents of the C:\ComboFix.txt report.

offline
  • Joined: 04 Aug 2009
  • Posts: 166

Posted: 11 Oct 2014 15:11


ComboFix 14-10-04.01 - WIN7 10/11/2014 9:39.1.2 - x86
Microsoft Windows 7 Professional 6.1.7600.0.1252.1.1033.18.3071.1824 [GMT 2:00]
Running from: c:\users\WIN7\AppData\Local\Temp\ComboFix.exe
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((( Files Created from 2014-09-11 to 2014-10-11 )))))))))))))))))))))))))))))))
.
.
2014-10-11 07:42 . 2014-10-11 07:42 -------- d-----w- c:\users\Default\AppData\Local\temp
2014-10-11 07:17 . 2014-10-11 07:18 -------- d-----w- c:\program files\Google
2014-10-11 07:17 . 2014-10-11 07:17 -------- d-----w- c:\program files\Mozilla Maintenance Service
2014-10-10 17:56 . 2014-10-10 17:56 -------- d-----w- c:\program files\TeamViewer
2014-10-10 13:32 . 2014-10-10 13:32 71344 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2014-10-10 13:32 . 2014-10-10 13:32 701104 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2014-10-10 13:32 . 2014-10-10 13:32 -------- d-----w- c:\windows\system32\Macromed
2014-10-10 12:08 . 2014-10-10 12:08 -------- d-----w- c:\users\USERR
2014-10-10 11:30 . 2014-09-15 00:08 8806800 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{2C1E111D-3D35-4A3D-86B8-EE518B1673CF}\mpengine.dll
2014-10-10 11:30 . 2014-09-15 07:06 231568 ------w- c:\windows\system32\MpSigStub.exe
2014-10-10 11:22 . 2006-10-26 17:56 33104 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\msonpppr.dll
2014-10-10 11:22 . 2006-10-26 17:56 32592 ----a-w- c:\windows\system32\msonpmon.dll
2014-10-10 11:21 . 2014-10-10 11:21 -------- d-----w- c:\program files\Microsoft Works
2014-10-10 11:21 . 2014-10-10 11:21 -------- d-----w- c:\windows\PCHEALTH
2014-10-10 11:21 . 2014-10-10 11:21 -------- d-----w- c:\program files\Microsoft.NET
2014-10-10 11:20 . 2014-10-10 11:20 -------- d-----w- c:\program files\Microsoft Visual Studio 8
2014-10-10 11:19 . 2014-10-10 11:22 -------- d-----w- c:\programdata\Microsoft Help
2014-10-10 11:19 . 2014-10-11 07:22 -------- d-sh--w- c:\windows\Installer
2014-10-10 11:19 . 2014-10-10 11:19 -------- d-----r- C:\MSOCache
2014-10-10 11:17 . 2014-10-11 07:08 -------- d-----w- c:\windows\system32\wbem\Performance
2014-10-10 11:13 . 2012-06-02 22:19 53784 ----a-w- c:\windows\system32\wuauclt.exe
2014-10-10 11:13 . 2012-06-02 22:19 45080 ----a-w- c:\windows\system32\wups2.dll
2014-10-10 11:13 . 2012-06-02 22:19 1933848 ----a-w- c:\windows\system32\wuaueng.dll
2014-10-10 11:13 . 2012-06-02 22:12 2422272 ----a-w- c:\windows\system32\wucltux.dll
2014-10-10 11:13 . 2012-06-02 22:19 35864 ----a-w- c:\windows\system32\wups.dll
2014-10-10 11:13 . 2012-06-02 22:19 577048 ----a-w- c:\windows\system32\wuapi.dll
2014-10-10 11:13 . 2012-06-02 22:12 88576 ----a-w- c:\windows\system32\wudriver.dll
2014-10-10 11:13 . 2012-06-02 13:19 171904 ----a-w- c:\windows\system32\wuwebv.dll
2014-10-10 11:13 . 2012-06-02 13:12 33792 ----a-w- c:\windows\system32\wuapp.exe
2014-10-10 11:12 . 2014-10-10 11:13 -------- d-----w- c:\users\WIN7
2014-10-10 11:12 . 2014-10-10 11:12 -------- d-----w- C:\Recovery
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-26 31016]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)
.
S2 MBAMScheduler;MBAMScheduler;c:\program files\Malwarebytes Anti-Malware\mbamscheduler.exe [2014-05-12 1809720]
S2 MBAMService;MBAMService;c:\program files\Malwarebytes Anti-Malware\mbamservice.exe [2014-05-12 860472]
S2 TeamViewer9;TeamViewer 9;c:\program files\TeamViewer\Version9\TeamViewer_Service.exe [2014-09-12 4799760]
S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2014-05-12 23256]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\MBAMSwissArmy.sys [2014-10-11 110296]
S3 MBAMWebAccessControl;MBAMWebAccessControl;c:\windows\system32\drivers\mwac.sys [2014-05-12 51928]
.
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - CDFS
*NewlyCreated* - MBAMPROTECTOR
*NewlyCreated* - MBAMSWISSARMY
*NewlyCreated* - MBAMWEBACCESSCONTROL
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{8A69D345-D564-463c-AFF1-A69D9E530F96}]
2014-10-11 07:18 1089352 ----a-w- c:\program files\Google\Chrome\Application\38.0.2125.101\Installer\chrmstp.exe
.
Contents of the 'Scheduled Tasks' folder
.
2014-10-11 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2014-10-10 13:32]
.
2014-10-11 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2014-10-11 07:17]
.
2014-10-11 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2014-10-11 07:17]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~1\Office12\EXCEL.EXE/3000
TCP: DhcpNameServer = 192.168.100.219
FF - ProfilePath -
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil32_15_0_0_167_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\LocalServer32]
@="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil32_15_0_0_167_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}]
@Denied: (A 2) (Everyone)
@="IFlashBroker6"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2014-10-11 09:44:35
ComboFix-quarantined-files.txt 2014-10-11 07:44
.
Pre-Run: 89,230,331,904 bytes free
Post-Run: 89,164,759,040 bytes free
.
- - End Of File - - 94B0580EED4DC48622CA6D287BE79F33
A36C5E4F47E84449FF07ED3517B43A31

Update: 11 Oct 2014 15:16

Out of desperation I ran Combo; the data is very important to me, so I didn't know what to do :(

offline
  • magna86
  • Anti Malware Fighter
    Rank 2
  • Joined: 21 Jun 2008
  • Posts: 6102

OK, now tell me what you did with the computer before 10.10.2014? As far as I can see, this is a fresh installation, which is why I'm asking.

Likewise, what did you do with the computer before TeamViewer and FlashPlayer were installed?

Give me a description of the problem, as stated in Step #1.

offline
  • Joined: 04 Aug 2009
  • Posts: 166

Well, I did a reinstall, since the computer is my sister's and it was slow for her on the internet, she could hardly open anything; I saved the data from the Desktop to the D partition, did the system, returned the computer to her, and the next day she called me with the problem that she can't open a single Word document and that all the folder names are green. And yesterday I did the system again, thinking the system had skipped something.

offline
  • magna86
  • Anti Malware Fighter
    Rank 2
  • Joined: 21 Jun 2008
  • Posts: 6102

Here's the thing. Some time ago a new malware was discovered that behaves like ransomware, but unlike the others CryptoLocker encrypts (read: locks) all documents found on the disk. The creators of this dangerous malware make money by extorting their victims for a payment, claiming they will send the key to decrypt the files.

The first mistake you made (and I suppose many would do the same) is to simply format the C drive and put on a fresh installation, hoping it would solve the problem. What you should have done is come to us in the Ambulanta right away so we could do diagnostics. Even if for some reason Normal/Safe mode is unavailable to you because the malware doesn't allow tools to run or something similar, we have several methods to do diagnostics and remove any malware even from an inactive Windows (Recovery Environment). Then we would know exactly what we are dealing with and would have more precise instructions.

As it is, my diagnostic tools come out clean. Yes, there are no traces of infection. Which means the encryption on the files remains. If you hadn't reinstalled the system, we could have used something called Shadow Copies and pulled copies of healthy files from there. That is of no use to us now.
Since we don't know whether we're dealing with the CryptoLocker variant itself or with one of its clones, we have to do some prevention.


===============================


→ Set up primary AntiVirus protection. Visit this topic:
List of antivirus programs


→ Download CryptoPrevent and install it on the problematic system. Leave the options at default:


→ Download MCShield from the following address:
http://www.mcshield.net/download/MCShield-Setup.exe

Install MCShield and wait for the initial scan to finish.

When the initial scan finishes, insert all USB memory devices one by one into the USB port and keep each one in the port until MCShield shows a message that the scan is finished. If you have several USB devices, note down somewhere in which order they were inserted.

Explanation: USB memory devices include all devices that get their own partition letter when connected to the computer. These include USB flash drives, external hard disks, memory cards, MP3 and MP4 players, some mobile phones, some GPS (navigation) devices, etc.

Start MCShield ControlCenter -> Logs and under the AllScans.txt tab click the Save button.

The AllScans.txt report will be saved on the Desktop. Copy the contents of that report into your post.






That's it as far as prevention goes!


===============================


→ As for the locked files, the first basic thing you can try is:

* ... go to one such locked document > right-click > Restore previous versions. You can try this both on locked files and on locked folders. Know that this option most likely won't be available precisely because this is a fresh system, not the one on which the problem arose. There are no backup copies in ShadowCopy.



The above most likely won't solve the problem, so we move on to a better method.


* The guys from FireEye and Fox-IT have published a new cloud tool at the following page:
https://www.decryptcryptolocker.com/

You need to enter your e-mail address and send them one such encrypted (locked) file. The tool will try to crack the given file with all the decryption keys known to them.
Read carefully and follow the instructions they give you!
If they manage to break the encryption, they will send you a tool by e-mail (they call it a recovery program, I think it's called decryptolocker.exe) where you enter the key they send you, and that tool will try to unlock all the files this Crypto malware originally locked.


This is your only chance!
If the above method doesn't help, know that there is no way to get them back. Simply put, this is the only method. Until recently there wasn't even a way to break the encryption.
The other sure method was to simply pay the bad guys for the decryption key and get the original key from them. You can't do that either, since you removed the malware by reinstalling the system.




Also, there is an alternative that works similarly to decryptolocker.exe, which our colleagues from the BleepingComputer forum put together; you can find the original post here:
http://www.bleepingcomputer.com/forums/t/506924/cr.....try3441381




===============================




Good luck!

Be sure to report back here in the topic so I (we) can see what you did.
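A triage check a practitioner would run over the copied D partition before deciding anything about the documents, added here as an example that is not part of the thread or of any tool it names: it reads the first bytes of each file, compares them with the header its extension promises (a Word .doc starts with an OLE2 signature, a .docx with a zip header) and flags files whose header is wrong and whose content is statistically flat, which is what a file overwritten with ciphertext looks like. The signature table, the entropy threshold and the sample bytes are constructed for this example.

```python
import math
from pathlib import Path

# Leading bytes ("magic numbers") expected for the document types the thread
# talks about. Table constructed for this example; extend it for other types.
OLE2 = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"      # legacy .doc/.xls/.ppt container
ZIP = b"PK\x03\x04"                               # OOXML (.docx/.xlsx/.pptx) = zip
MAGIC = {
    ".doc": (OLE2,), ".xls": (OLE2,), ".ppt": (OLE2,),
    ".docx": (ZIP,), ".xlsx": (ZIP,), ".pptx": (ZIP,),
    ".pdf": (b"%PDF-",),
    ".jpg": (b"\xff\xd8\xff",),
    ".png": (b"\x89PNG\r\n\x1a\n",),
}

# Ciphertext is statistically flat: close to 8 bits of entropy per byte.
# Plain .doc/.pdf headers are far below this. Zip-based OOXML files are also
# high-entropy, which is why the header check is made before the entropy check.
HIGH_ENTROPY = 7.5
SAMPLE_SIZE = 4096


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of data in bits per byte (0.0 .. 8.0)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def entropy_threshold(sample_len: int) -> float:
    """Threshold adjusted for short samples: n bytes can never exceed log2(n)
    bits per byte, so a tiny encrypted file must not be rated by the 8-bit scale."""
    if sample_len < 2:
        return HIGH_ENTROPY
    return min(HIGH_ENTROPY, 0.9 * math.log2(sample_len))


def classify(extension: str, head: bytes) -> str:
    """Classify a file from its extension and its first bytes.

    'ok'               header matches what the extension promises
    'likely-encrypted' header is wrong and the content is ciphertext-like,
                       the state of a document after CryptoLocker has run
    'mismatch'         header is wrong but the content is not ciphertext-like
                       (renamed, truncated or otherwise damaged file)
    'unknown-type'     extension not in the table, nothing to compare against
    """
    signatures = MAGIC.get(extension.lower())
    if signatures is None:
        return "unknown-type"
    if any(head.startswith(sig) for sig in signatures):
        return "ok"
    if shannon_entropy(head) >= entropy_threshold(len(head)):
        return "likely-encrypted"
    return "mismatch"


def classify_file(path: Path) -> str:
    """Read the first SAMPLE_SIZE bytes of path and classify them."""
    with path.open("rb") as fh:
        head = fh.read(SAMPLE_SIZE)
    return classify(path.suffix, head)


def triage(root: Path) -> dict:
    """Walk root and return {verdict: [paths]} for every regular file under it."""
    report = {}
    for path in root.rglob("*"):
        if path.is_file():
            report.setdefault(classify_file(path), []).append(str(path))
    return report


if __name__ == "__main__":
    import sys
    # Usage: python triage.py D:\  (the partition the Desktop data was copied to)
    for verdict, paths in sorted(triage(Path(sys.argv[1])).items()):
        print(f"{verdict}: {len(paths)} file(s)")
        for p in paths:
            print("   ", p)
```

A file rated 'likely-encrypted' is the kind of sample the decryptcryptolocker service asks for; files rated 'ok' are the ones worth copying to clean media first.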

offline
  • Joined: 04 Aug 2009
  • Posts: 166

Posted: 11 Oct 2014 16:45

Oh man, the problem is that I didn't even suspect the data (folders and files) were locked; on the Desktop they were the normal colour, I just picked them up from the desktop and moved them to the D partition. She complained that the computer was bad for her when on the internet and that the system boots slower; I didn't even suspect it was this problem, I did the system, installed the Office package and a few more programs and returned the computer to her. I can't believe this happened.

I can't download this: "Download CryptoPrevent and install it on the problematic system. Leave the options at default:" It doesn't offer me anything.

Update: 11 Oct 2014 16:58

offline
  • magna86
  • Anti Malware Fighter
    Rank 2
  • Joined: 21 Jun 2008
  • Posts: 6102

Quote: I can't download this: "Download CryptoPrevent and install it on the problematic system. Leave the options at default:" It doesn't offer me anything.
At the bottom of this link you are offered the download of the installer itself, and how the tool works is explained at the given link:
https://www.foolishit.com/vb6-projects/cryptoprevent/





katanaa ::

http://www.howtogeek.com/howto/windows-vista/add-t.....-in-vista/
or ...
http://www.tipandtrick.net/how-to-take-ownership-a.....-in-vista/

offline
  • Joined: 04 Aug 2009
  • Posts: 166

katanaa ::

howtogeek.com/howto/windows-vista/add-t.....-in-vista/
or ...
tipandtrick.net/how-to-take-ownership-a.....-in-vista/


I can't solve this either; I did everything as it says on these two links, but I don't have access.




edit by magna86: quote fixed

offline
  • magna86
  • Anti Malware Fighter
    Rank 2
  • Joined: 21 Jun 2008
  • Posts: 6102

That problem (the picture) is certainly not caused by malware. For that you can turn to some other part of the forum.
I only replied in the same way, based on the picture you posted (without an explanation of why you posted it).


What I wrote still stands ...


magna86 :: As it is, my diagnostic tools come out clean. Yes, there are no traces of infection.

My tools access only the system part; they access and read the active system points that malware can use to start itself. Based on the title and your weak description, I can only conclude that you at some point had an active Crypto malware, because if you hadn't, you wouldn't have mentioned it. If you did have it, you've been given all the advice you can get on the net, here in the Ambulanta.


To repeat, the logs you posted show no traces of malware!


ComboFix needs to be uninstalled:
click Start, then RUN.

On Vista use the Start Search field if Run is not available.

In the text input line type (or paste) the following:

ComboFix /Uninstall

Note that there is a space between "ComboFix" and "/Uninstall".

Then click OK (or press Enter).

Wait for the uninstallation process to finish.


→ Delete the FRST tool, as well as all of its logs (FRST.txt, Addition.txt ...) and its associated folder at C:\FRST.
