My laptop keeps freezing


  • Anunnaki
  • Joined: 20 Apr 2012
  • Posts: 1645

Posted: 08 Sep 2012 13:46

The laptop in question is an Aspire One D255 with Windows 7 Ultimate 32-bit.
It freezes a lot, and I scanned the laptop with Malwarebytes Anti-Malware and it found ten viruses.

Here is the report


.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 9.0.8112.16421 BrowserJavaVersion: 1.6.0_31
Run by Luta at 12:58:16 on 2012-09-08
Microsoft Windows 7 Ultimate 6.1.7600.0.1250.381.1033.18.1013.109 [GMT 2:00]
.
AV: Microsoft Security Essentials *Enabled/Updated* {9765EA51-0D3C-7DFB-6091-10E4E1F341F6}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: Microsoft Security Essentials *Enabled/Updated* {2C040BB5-2B06-7275-5A21-2B969A740B4B}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
c:\Program Files\Microsoft Security Client\MsMpEng.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\taskhost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\System32\svchost.exe -k NetworkServiceAndNoImpersonation
C:\Program Files\Microsoft Security Client\msseces.exe
C:\Program Files\MCShield\MCShieldRTM.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files\Join Air\AssistantServices.exe
C:\Windows\system32\igfxsrvc.exe
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Users\Luta\AppData\Local\Google\Update\1.3.21.115\GoogleCrashHandler.exe
C:\Windows\system32\taskhost.exe
C:\Program Files\uTorrent\uTorrent.exe
C:\Windows\system32\WUDFHost.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\Users\Luta\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Luta\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Luta\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Luta\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Luta\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Luta\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Luta\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Luta\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Windows\system32\conhost.exe
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com/
mSearchAssistant =
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\programdata\real\realplayer\browserrecordplugin\ie\rpbrowserrecordplugin.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: Java(tm) Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
uRun: [SpeedConnectStartUp]
uRun: [MCShield Monitor] c:\program files\mcshield\mcshieldrtm.exe
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
uRun: [uTorrent] "c:\program files\utorrent\uTorrent.exe" /MINIMIZED
mRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkey
mPolicies-system: ConsentPromptBehaviorAdmin = 0 (0x0)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
mPolicies-system: PromptOnSecureDesktop = 0 (0x0)
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0031-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
TCP: Interfaces\{6ED8DEA4-D65B-4C66-A4CA-CBA5725E08BF} : NameServer = 212.200.246.8 213.133.3.5
TCP: Interfaces\{F5A3423C-50F7-4A8C-A90B-48CFFE968F53} : DhcpNameServer = 192.168.1.254
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: igfxcui - igfxdev.dll
.
============= SERVICES / DRIVERS ===============
.
R0 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2012-3-20 171064]
R1 MpKsl237a7793;MpKsl237a7793;c:\programdata\microsoft\microsoft antimalware\definition updates\{ccfc1a8c-b392-4432-a1c1-080cc955059d}\MpKsl237a7793.sys [2012-9-7 29904]
R1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\drivers\vwififlt.sys [2009-7-14 48128]
R3 L1C;NDIS Miniport Driver for Atheros AR813x/AR815x PCI-E Ethernet Controller;c:\windows\system32\drivers\L1C62x86.sys [2012-1-8 68208]
R3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2012-9-8 40776]
R3 NETw5s32;Intel(R) Wireless WiFi Link 5000 Series Adapter Driver for Windows 7 - 32 Bit;c:\windows\system32\drivers\NETw5s32.sys [2012-1-8 6766080]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-14 229888]
S3 EUCR;EUCR;c:\windows\system32\drivers\EUCR6SK.sys [2012-1-8 82768]
S3 massfilter;ZTE Mass Storage Filter Driver;c:\windows\system32\drivers\massfilter.sys [2012-7-20 9216]
S3 MozillaMaintenance;Mozilla Maintenance Service;"c:\program files\mozilla maintenance service\maintenanceservice.exe" --> c:\program files\mozilla maintenance service\maintenanceservice.exe [?]
S3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\drivers\NisDrvWFP.sys [2012-3-20 74112]
S3 NisSrv;Microsoft Network Inspection;c:\program files\microsoft security client\NisSrv.exe [2012-3-26 214952]
S3 PRODIGY;PRODIGY;c:\windows\system32\drivers\prodigy.sys [2012-3-28 32377]
S3 pwdrvio;pwdrvio;c:\windows\system32\pwdrvio.sys [2012-7-21 15576]
S3 pwdspio;pwdspio;c:\windows\system32\pwdspio.sys [2012-7-21 10200]
S3 ss_bbus;SAMSUNG USB Mobile Device (WDM);c:\windows\system32\drivers\ss_bbus.sys [2012-5-26 98432]
S3 ss_bmdfl;SAMSUNG USB Mobile Modem (Filter);c:\windows\system32\drivers\ss_bmdfl.sys [2012-5-26 14848]
S3 ss_bmdm;SAMSUNG USB Mobile Modem;c:\windows\system32\drivers\ss_bmdm.sys [2012-5-26 123648]
.
=============== Created Last 30 ================
.
2012-09-08 10:28:47 40776 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2012-09-08 00:32:15 56200 ----a-w- c:\programdata\microsoft\microsoft antimalware\definition updates\{ccfc1a8c-b392-4432-a1c1-080cc955059d}\offreg.dll
2012-09-07 19:23:45 29904 ----a-w- c:\programdata\microsoft\microsoft antimalware\definition updates\{ccfc1a8c-b392-4432-a1c1-080cc955059d}\MpKsl237a7793.sys
2012-09-07 18:22:09 7022536 ----a-w- c:\programdata\microsoft\microsoft antimalware\definition updates\{ccfc1a8c-b392-4432-a1c1-080cc955059d}\mpengine.dll
2012-09-06 21:19:24 7022536 ------w- c:\programdata\microsoft\microsoft antimalware\definition updates\backup\mpengine.dll
2012-09-02 13:07:56 -------- d-----w- c:\users\luta\appdata\roaming\Rovio
2012-09-02 13:07:11 -------- d-----w- c:\program files\Rovio
2012-08-21 05:00:46 -------- d-----r- c:\program files\Skype
2012-08-21 04:10:42 -------- d-----w- c:\users\luta\appdata\local\Adobe
2012-08-16 19:05:59 -------- d-----w- c:\windows\system32\EventProviders
.
==================== Find3M ====================
.
2012-07-07 13:07:23 499712 ----a-w- c:\windows\system32\msvcp71.dll
2012-07-07 13:07:23 348160 ----a-w- c:\windows\system32\msvcr71.dll
2012-07-03 11:46:44 22344 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-06-18 11:34:40 2872512 ----a-w- c:\windows\system32\pwNative.exe
2012-06-18 11:34:38 15576 ------w- c:\windows\system32\pwdrvio.sys
2012-06-18 11:34:38 10200 ------w- c:\windows\system32\pwdspio.sys
2012-06-13 18:21:01 2560 ----a-w- c:\windows\_MSRSTRT.EXE
.
============= FINISH: 12:59:56,86 ===============



Update: 08 Sep 2012 18:22

I just want to add that my internet is terribly slow.

Update: 08 Sep 2012 22:43

Programs open slowly; the laptop is terribly slow.
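As an added example, not part of this thread and not code from DDS or any of the tools mentioned in it: a small Python triage script that reads lines in the format of the DDS "Pseudo HJT Report" above and pulls out the findings a reviewer would look at first in this log. The mPolicies-system values show User Account Control switched off (EnableLUA = 0, ConsentPromptBehaviorAdmin = 0, PromptOnSecureDesktop = 0), one uRun entry points at no file at all, and the BHO list shows which DLLs are loaded into Internet Explorer. The sample lines are a constructed excerpt modelled on the report above; the baseline values are the Windows 7 defaults for those registry values.

```python
import re
from typing import Dict, List, Tuple

# Constructed excerpt in the layout of the DDS "Pseudo HJT Report" section.
SAMPLE_HJT = "\n".join([
    "uStart Page = hxxp://www.google.com/",
    r"BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll",
    r"BHO: Java(tm) Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll",
    "uRun: [SpeedConnectStartUp]",
    r"uRun: [MCShield Monitor] c:\program files\mcshield\mcshieldrtm.exe",
    r'mRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkey',
    "mPolicies-system: ConsentPromptBehaviorAdmin = 0 (0x0)",
    "mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)",
    "mPolicies-system: EnableLUA = 0 (0x0)",
    "mPolicies-system: EnableUIADesktopToggle = 0 (0x0)",
    "mPolicies-system: PromptOnSecureDesktop = 0 (0x0)",
])

# Windows 7 defaults for the UAC values under HKLM\...\Policies\System.
# EnableLUA=1 turns UAC on; ConsentPromptBehaviorAdmin=5 prompts administrators
# for consent for non-Windows binaries; PromptOnSecureDesktop=1 shows that
# prompt on the secure desktop so other processes cannot draw over or click it.
UAC_BASELINE = {
    "EnableLUA": 1,
    "ConsentPromptBehaviorAdmin": 5,
    "PromptOnSecureDesktop": 1,
}

POLICY_RE = re.compile(r"^mPolicies-system:\s*(\w+)\s*=\s*(\d+)")
RUN_RE = re.compile(r"^([um])Run:\s*\[([^\]]+)\]\s*(.*)$")
BHO_RE = re.compile(r"^BHO:\s*(.*?):\s*\{([0-9a-fA-F-]+)\}\s*-\s*(.*)$")


def parse_policies(report: str) -> Dict[str, int]:
    """Collect the Policies\\System values that DDS prints as mPolicies-system lines."""
    found: Dict[str, int] = {}
    for line in report.splitlines():
        m = POLICY_RE.match(line)
        if m:
            found[m.group(1)] = int(m.group(2))
    return found


def uac_findings(policies: Dict[str, int]) -> List[str]:
    """One finding per UAC value that deviates from the baseline.

    A value that DDS did not print is treated as unknown, not as a finding.
    """
    findings = []
    for name, expected in UAC_BASELINE.items():
        actual = policies.get(name)
        if actual is not None and actual != expected:
            findings.append(f"{name}={actual} (expected {expected})")
    return findings


def run_entries_without_file(report: str) -> List[str]:
    """Autorun entries whose command is empty: leftovers of removed software (or of a removed payload)."""
    orphans = []
    for line in report.splitlines():
        m = RUN_RE.match(line)
        if m and not m.group(3).strip():
            orphans.append(m.group(2))
    return orphans


def browser_helper_objects(report: str) -> List[Tuple[str, str]]:
    """(name, dll path) for every BHO line; BHOs run inside Internet Explorer with the user's rights."""
    return [(m.group(1), m.group(3)) for m in map(BHO_RE.match, report.splitlines()) if m]


if __name__ == "__main__":
    for finding in uac_findings(parse_policies(SAMPLE_HJT)):
        print("UAC weakened:", finding)
    for name in run_entries_without_file(SAMPLE_HJT):
        print("Run entry with no file:", name)
    for name, path in browser_helper_objects(SAMPLE_HJT):
        print("BHO:", name, "->", path)
```

With EnableLUA = 0, UAC is off entirely, so every process started from an administrator account runs with the full administrator token and nothing prompts; restoring these three values once the machine is clean belongs on the follow-up list for a system like this one. Listing the BHOs next to the running-process list also makes leftovers visible: the log above loads an AVG 8 plug-in into Internet Explorer although no AVG process or service appears anywhere else in it.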

  • Research Engineer @MalwareBytes
  • Joined: 09 Aug 2011
  • Posts: 15877
  • Location: Beograd

Hello, TheSpringEagle


While we work on this case, I ask you to stick to the following:
Read my instructions (or those of colleagues standing in for me) carefully and follow them exactly;
Do not seek help elsewhere at the same time;
Do not use other malware removal programs apart from those you are given instructions for;
If something happens that is not in the instructions and you don't know what it is, stop everything and ask;
Do not use USB storage devices during the intervention until I ask for it;
Always paste the whole report into the message instead of attaching it, unless asked otherwise;
If I don't reply within 24h, bump the topic with a new post;
If you don't reply within 5 days, we will close the case.

For more information about the rules of the MyCity forum Clinic: LINK


===================================================


Download sUBs' ComboFix from the following address to your Desktop:


Bleeping Computer
Right-click the link and choose Save Target As... (Save Link As..., Save Linked Content As... or similar);
When the dialog for choosing where to save the file opens, select Desktop and click Save.




When the download is complete:
disable your security software (instructions);
close running programs;
double-click ComboFix to run it;
in the window that opens, click "I Agree".

While running, ComboFix will:
check whether a newer version of the program exists:
click Yes if it offers to download it.
if the Recovery Console is not installed, offer to install it:
be sure to accept by clicking Yes and follow the procedure.
ask a number of questions / show a number of notifications:
accept by clicking Yes or OK.
restart Windows if needed (possibly several times);
at the end, open Notepad with the scan report.


Copy the report ComboFix produced into the topic on the forum:
right-click in the Notepad window and choose Select All;
right-click the highlighted text and choose Copy;
right-click in the message box and choose Paste.


Note: The report will be saved as ComboFix.txt on the system partition (typical location: C:\ComboFix.txt);
If after posting you notice the report is incomplete, use the Attach file option to attach C:\ComboFix.txt to the message.

  • Anunnaki
  • Joined: 20 Apr 2012
  • Posts: 1645

Here is the report

ComboFix 12-09-09.02 - Luta 09.09.2012 16:02:27.1.2 - x86
Microsoft Windows 7 Ultimate 6.1.7600.0.1250.381.1033.18.1013.257 [GMT 2:00]
Running from: c:\users\Luta\Downloads\ComboFix.exe
AV: Microsoft Security Essentials *Disabled/Updated* {9765EA51-0D3C-7DFB-6091-10E4E1F341F6}
SP: Microsoft Security Essentials *Disabled/Updated* {2C040BB5-2B06-7275-5A21-2B969A740B4B}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
* Created a new restore point
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\programdata\Amazon.ico
c:\programdata\Bcool
c:\programdata\Bcool\adchnndejpglemhfcabnlbggadpkmfca.crx
c:\programdata\Bcool\background.html
c:\programdata\Bcool\bhoclass.dll
c:\programdata\Bcool\content.js
c:\programdata\Bcool\settings.ini
c:\programdata\MercadoLivre.ico
c:\programdata\QuickStores.ico
c:\users\Luta\AppData\Local\Temp\ir_ext_temp_1\AutoPlay\Docs\USBSafelyRemove.exe
c:\users\Luta\AppData\Local\TempDIR
c:\users\Luta\AppData\Local\TempDIR\BetterInstaller.exe
.
.
((((((((((((((((((((((((( Files Created from 2012-08-09 to 2012-09-09 )))))))))))))))))))))))))))))))
.
.
2012-09-09 14:14 . 2012-09-09 14:15 -------- d-----w- c:\users\Luta\AppData\Local\temp
2012-09-09 14:14 . 2012-09-09 14:14 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-09-09 13:58 . 2012-09-09 13:58 29904 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{58930B13-08C7-4013-9F5A-7891AB0211A7}\MpKsl81a53817.sys
2012-09-09 12:25 . 2012-09-09 12:25 -------- d-----w- c:\program files\Common Files\xing shared
2012-09-09 12:10 . 2012-09-09 12:12 -------- d-----w- c:\program files\Real
2012-09-08 20:39 . 2012-08-23 07:15 7022536 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{58930B13-08C7-4013-9F5A-7891AB0211A7}\mpengine.dll
2012-09-07 18:22 . 2012-08-23 07:15 7022536 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2012-09-02 13:07 . 2012-09-02 13:07 -------- d-----w- c:\users\Luta\AppData\Roaming\Rovio
2012-09-02 13:07 . 2012-09-02 13:07 -------- d-----w- c:\program files\Rovio
2012-08-21 05:01 . 2012-08-26 13:47 -------- d-----w- c:\users\Luta\AppData\Roaming\Skype
2012-08-21 05:00 . 2012-08-21 05:00 -------- d-----w- c:\program files\Common Files\Skype
2012-08-21 05:00 . 2012-08-21 05:00 -------- d-----r- c:\program files\Skype
2012-08-21 05:00 . 2012-08-21 05:01 -------- d-----w- c:\programdata\Skype
2012-08-21 04:10 . 2012-08-21 04:10 -------- d-----w- c:\users\Luta\AppData\Local\Adobe
2012-08-16 19:05 . 2012-08-16 19:06 -------- d-----w- c:\windows\system32\EventProviders
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-09-09 12:23 . 2012-07-07 13:07 499712 ----a-w- c:\windows\system32\msvcp71.dll
2012-09-09 12:23 . 2012-07-07 13:07 348160 ----a-w- c:\windows\system32\msvcr71.dll
2012-08-02 22:59 . 2012-08-02 22:59 713784 ------w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{67F0E707-8012-4FA9-8FC2-9BB1144B9100}\gapaengine.dll
2012-07-03 11:46 . 2012-01-08 05:51 22344 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-06-29 08:44 . 2012-08-02 18:16 6891424 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{81A8CBFE-369E-4D2B-8B23-42C4986054A6}\mpengine.dll
2012-06-29 05:06 . 2012-06-29 05:06 48648 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCEClientUX\UpdateableMarkup-2\Markup.dll
2012-06-18 11:34 . 2012-07-21 17:23 2872512 ----a-w- c:\windows\system32\pwNative.exe
2012-06-18 11:34 . 2012-07-21 17:23 15576 ------w- c:\windows\system32\pwdrvio.sys
2012-06-18 11:34 . 2012-07-21 17:23 10200 ------w- c:\windows\system32\pwdspio.sys
2012-06-13 18:21 . 2012-06-13 18:21 2560 ----a-w- c:\windows\_MSRSTRT.EXE
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MCShield Monitor"="c:\program files\MCShield\mcshieldrtm.exe" [2012-06-22 603648]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-07-14 1173504]
"uTorrent"="c:\program files\uTorrent\uTorrent.exe" [2012-07-14 895376]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2012-03-26 931200]
"TkBellExe"="c:\program files\Real\RealPlayer\update\realsched.exe" [2012-09-09 296096]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
2012-01-08 20:49 136176 ----atw- c:\users\Luta\AppData\Local\Google\Update\GoogleUpdate.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
2010-04-19 08:26 173592 ----a-w- c:\windows\System32\hkcmd.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
2010-06-16 20:33 141848 ----a-w- c:\windows\System32\igfxtray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Persistence]
2010-06-16 20:33 150552 ----a-w- c:\windows\System32\igfxpers.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RtHDVCpl]
2010-06-22 17:01 9292392 ------w- c:\program files\Realtek\Audio\HDA\RtHDVCpl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
2012-07-13 11:33 17418928 ----a-r- c:\program files\Skype\Phone\Skype.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2012-01-18 12:02 254696 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
2012-09-09 12:23 296096 ----a-w- c:\program files\Real\RealPlayer\Update\realsched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UIExec]
2010-07-14 19:37 138584 ----a-w- c:\program files\Join Air\UIExec.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\uTorrent]
2012-07-14 00:56 895376 ----a-w- c:\program files\uTorrent\uTorrent.exe
.
R1 AntiKill;avast! Process AntiKill Driver; [x]
R3 EUCR;EUCR;c:\windows\system32\DRIVERS\EUCR6SK.SYS [x]
R3 massfilter;ZTE Mass Storage Filter Driver;c:\windows\system32\drivers\massfilter.sys [x]
R3 MozillaMaintenance;Mozilla Maintenance Service;c:\program files\Mozilla Maintenance Service\maintenanceservice.exe [x]
S3 L1C;NDIS Miniport Driver for Atheros AR813x/AR815x PCI-E Ethernet Controller;c:\windows\system32\DRIVERS\L1C62x86.sys [x]
.
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - MPKSL81A53817
.
Contents of the 'Scheduled Tasks' folder
.
2012-09-09 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2787396597-1344915912-1888278398-1000Core.job
- c:\users\Luta\AppData\Local\Google\Update\GoogleUpdate.exe [2012-01-08 20:49]
.
2012-09-09 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2787396597-1344915912-1888278398-1000UA.job
- c:\users\Luta\AppData\Local\Google\Update\GoogleUpdate.exe [2012-01-08 20:49]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
TCP: Interfaces\{6ED8DEA4-D65B-4C66-A4CA-CBA5725E08BF}: NameServer = 212.200.246.8 213.133.3.5
.
- - - - ORPHANS REMOVED - - - -
.
HKCU-Run-SpeedConnectStartUp - (no file)
MSConfigStartUp-Facebook Update - c:\users\Luta\AppData\Local\Facebook\Update\FacebookUpdate.exe
MSConfigStartUp-NokiaSuite - c:\program files\Nokia\Nokia Suite\NokiaSuite.exe
MSConfigStartUp-NSU_agent - c:\program files\Nokia\Nokia Software Updater\nsu3ui_agent.exe
MSConfigStartUp-RivaTuner - c:\program files\RivaTuner v2.24 MSI Master Overclocking Arena 2009 edition\RivaTunerWrapper.exe
MSConfigStartUp-USB Safely Remove - c:\users\Luta\AppData\Local\Temp\ir_ext_temp_1\AutoPlay\Docs\USBSafelyRemove.exe
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0003\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2012-09-09 16:19:12
ComboFix-quarantined-files.txt 2012-09-09 14:19
.
Pre-Run: 59.824.517.120 bytes free
Post-Run: 59.798.953.984 bytes free
.
- - End Of File - - AC0B68CAE7A4613E629C774AD6C13AF4



  • Research Engineer @MalwareBytes
  • Joined: 09 Aug 2011
  • Posts: 15877
  • Location: Beograd

You're not following the instructions properly; it said to download ComboFix to the Desktop, and you ran it from the Downloads folder. Anyway, let's move on...


Step 1.

Open Notepad and copy the following text into it:

RegLock::
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0003\AllUserSettings]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]


Save the file from Notepad to the Desktop as "CFScript"




Drag the saved script/text onto the ComboFix icon as shown in the picture.
Post the log that is produced at the end of the cleaning/scanning in your next message.


Step 2.

How is the situation now?
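As an added example, not part of this thread and not ComboFix's own code: the RegLock:: list in Step 1 above is built by hand from the LOCKED REGISTRY KEYS section of the ComboFix log posted earlier. The Python below parses that section from a constructed excerpt in the same layout, keeps the @Denied/@Allowed lines ComboFix prints under each key, and renders the keys as a CFScript block in log order. Which of the listed keys actually warrant unlocking remains the helper's judgement; the script only extracts them so nothing is mistyped.

```python
import re
from typing import Dict, List

# Two key paths taken from the layout of the log above (constructed sample input).
KEY_MODEM0 = r"HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings"
KEY_PCW = r"HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security"

# Constructed excerpt in the layout of a ComboFix log, from the ORPHANS block to the footer.
SAMPLE_LOG = "\n".join([
    "- - - - ORPHANS REMOVED - - - -",
    ".",
    "HKCU-Run-SpeedConnectStartUp - (no file)",
    ".",
    "--------------------- LOCKED REGISTRY KEYS ---------------------",
    ".",
    f"[{KEY_MODEM0}]",
    "@Denied: (A) (Users)",
    "@Denied: (A) (Everyone)",
    "@Allowed: (B 1 2 3 4 5) (S-1-5-20)",
    '"BlindDial"=dword:00000000',
    ".",
    f"[{KEY_PCW}]",
    "@Denied: (Full) (Everyone)",
    ".",
    "Completion time: 2012-09-09 16:19:12",
])

SECTION_RE = re.compile(r"^-+\s*LOCKED REGISTRY KEYS\s*-+$")
KEY_RE = re.compile(r"^\[(HKEY_[^\]]+)\]$")
ACE_RE = re.compile(r"^@(Denied|Allowed):\s*\(([^)]*)\)\s*\(([^)]*)\)$")


def locked_keys(log: str) -> Dict[str, List[str]]:
    """Map each key in the LOCKED REGISTRY KEYS section to its ACE lines, in log order."""
    keys: Dict[str, List[str]] = {}
    in_section = False
    current = None
    for line in log.splitlines():
        if SECTION_RE.match(line):
            in_section = True
            continue
        if not in_section:
            continue
        # The section runs until the log footer.
        if line.startswith("Completion time:") or line.startswith("- - End Of File"):
            break
        m = KEY_RE.match(line)
        if m:
            current = m.group(1)
            keys[current] = []
            continue
        a = ACE_RE.match(line)
        if a and current is not None:
            keys[current].append(f"{a.group(1)} {a.group(2)} to {a.group(3)}")
    return keys


def reglock_script(keys: Dict[str, List[str]]) -> str:
    """Render the keys as a CFScript RegLock:: block, one bracketed key per line."""
    return "RegLock::\n" + "\n".join(f"[{k}]" for k in keys) + "\n"


if __name__ == "__main__":
    found = locked_keys(SAMPLE_LOG)
    for key, aces in found.items():
        print(key)
        for ace in aces:
            print("   ", ace)
    print()
    print(reglock_script(found), end="")
```

The ACE lines are kept deliberately: a key on which Users and Everyone are denied access while a service SID is allowed is what ComboFix reports as "locked", and seeing that pattern next to each key is what lets the helper decide whether unlocking it is warranted before the script is dropped onto ComboFix.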

  • Anunnaki
  • Joined: 20 Apr 2012
  • Posts: 1645

Posted: 09 Sep 2012 17:57

Here is the report

ComboFix 12-09-09.02 - Luta 09.09.2012 17:37:54.2.2 - x86
Microsoft Windows 7 Ultimate 6.1.7600.0.1250.381.1033.18.1013.425 [GMT 2:00]
Running from: c:\users\Luta\Downloads\ComboFix.exe
Command switches used :: c:\users\Luta\Desktop\CFScript.txt
AV: Microsoft Security Essentials *Disabled/Updated* {9765EA51-0D3C-7DFB-6091-10E4E1F341F6}
SP: Microsoft Security Essentials *Disabled/Updated* {2C040BB5-2B06-7275-5A21-2B969A740B4B}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
* Created a new restore point
.
.
((((((((((((((((((((((((( Files Created from 2012-08-09 to 2012-09-09 )))))))))))))))))))))))))))))))
.
.
2012-09-09 15:50 . 2012-09-09 15:50 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-09-09 14:27 . 2012-08-23 07:15 7022536 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{09BEC213-A254-4C90-88E4-1A879F58B5C4}\mpengine.dll
2012-09-09 14:19 . 2012-09-09 15:50 -------- d-----w- c:\users\Luta\AppData\Local\temp
2012-09-09 12:25 . 2012-09-09 12:25 -------- d-----w- c:\program files\Common Files\xing shared
2012-09-09 12:10 . 2012-09-09 12:12 -------- d-----w- c:\program files\Real
2012-09-07 18:22 . 2012-08-23 07:15 7022536 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2012-09-02 13:07 . 2012-09-02 13:07 -------- d-----w- c:\users\Luta\AppData\Roaming\Rovio
2012-09-02 13:07 . 2012-09-02 13:07 -------- d-----w- c:\program files\Rovio
2012-08-21 05:01 . 2012-08-26 13:47 -------- d-----w- c:\users\Luta\AppData\Roaming\Skype
2012-08-21 05:00 . 2012-08-21 05:00 -------- d-----w- c:\program files\Common Files\Skype
2012-08-21 05:00 . 2012-08-21 05:00 -------- d-----r- c:\program files\Skype
2012-08-21 05:00 . 2012-08-21 05:01 -------- d-----w- c:\programdata\Skype
2012-08-21 04:10 . 2012-08-21 04:10 -------- d-----w- c:\users\Luta\AppData\Local\Adobe
2012-08-16 19:05 . 2012-08-16 19:06 -------- d-----w- c:\windows\system32\EventProviders
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-09-09 12:23 . 2012-07-07 13:07 499712 ----a-w- c:\windows\system32\msvcp71.dll
2012-09-09 12:23 . 2012-07-07 13:07 348160 ----a-w- c:\windows\system32\msvcr71.dll
2012-08-02 22:59 . 2012-08-02 22:59 713784 ------w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{67F0E707-8012-4FA9-8FC2-9BB1144B9100}\gapaengine.dll
2012-07-03 11:46 . 2012-01-08 05:51 22344 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-06-29 08:44 . 2012-08-02 18:16 6891424 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{81A8CBFE-369E-4D2B-8B23-42C4986054A6}\mpengine.dll
2012-06-29 05:06 . 2012-06-29 05:06 48648 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCEClientUX\UpdateableMarkup-2\Markup.dll
2012-06-18 11:34 . 2012-07-21 17:23 2872512 ----a-w- c:\windows\system32\pwNative.exe
2012-06-18 11:34 . 2012-07-21 17:23 15576 ------w- c:\windows\system32\pwdrvio.sys
2012-06-18 11:34 . 2012-07-21 17:23 10200 ------w- c:\windows\system32\pwdspio.sys
2012-06-13 18:21 . 2012-06-13 18:21 2560 ----a-w- c:\windows\_MSRSTRT.EXE
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MCShield Monitor"="c:\program files\MCShield\mcshieldrtm.exe" [2012-06-22 603648]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-07-14 1173504]
"uTorrent"="c:\program files\uTorrent\uTorrent.exe" [2012-07-14 895376]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2012-03-26 931200]
"TkBellExe"="c:\program files\Real\RealPlayer\update\realsched.exe" [2012-09-09 296096]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
2012-01-08 20:49 136176 ----atw- c:\users\Luta\AppData\Local\Google\Update\GoogleUpdate.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
2010-04-19 08:26 173592 ----a-w- c:\windows\System32\hkcmd.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
2010-06-16 20:33 141848 ----a-w- c:\windows\System32\igfxtray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Persistence]
2010-06-16 20:33 150552 ----a-w- c:\windows\System32\igfxpers.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RtHDVCpl]
2010-06-22 17:01 9292392 ------w- c:\program files\Realtek\Audio\HDA\RtHDVCpl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
2012-07-13 11:33 17418928 ----a-r- c:\program files\Skype\Phone\Skype.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2012-01-18 12:02 254696 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
2012-09-09 12:23 296096 ----a-w- c:\program files\Real\RealPlayer\Update\realsched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UIExec]
2010-07-14 19:37 138584 ----a-w- c:\program files\Join Air\UIExec.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\uTorrent]
2012-07-14 00:56 895376 ----a-w- c:\program files\uTorrent\uTorrent.exe
.
R1 AntiKill;avast! Process AntiKill Driver; [x]
R3 EUCR;EUCR;c:\windows\system32\DRIVERS\EUCR6SK.SYS [x]
R3 massfilter;ZTE Mass Storage Filter Driver;c:\windows\system32\drivers\massfilter.sys [x]
R3 MozillaMaintenance;Mozilla Maintenance Service;c:\program files\Mozilla Maintenance Service\maintenanceservice.exe [x]
S3 L1C;NDIS Miniport Driver for Atheros AR813x/AR815x PCI-E Ethernet Controller;c:\windows\system32\DRIVERS\L1C62x86.sys [x]
.
.
Contents of the 'Scheduled Tasks' folder
.
2012-09-09 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2787396597-1344915912-1888278398-1000Core.job
- c:\users\Luta\AppData\Local\Google\Update\GoogleUpdate.exe [2012-01-08 20:49]
.
2012-09-09 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2787396597-1344915912-1888278398-1000UA.job
- c:\users\Luta\AppData\Local\Google\Update\GoogleUpdate.exe [2012-01-08 20:49]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
TCP: Interfaces\{6ED8DEA4-D65B-4C66-A4CA-CBA5725E08BF}: NameServer = 212.200.246.8 213.133.3.5
.
.
Completion time: 2012-09-09 17:54:29
ComboFix-quarantined-files.txt 2012-09-09 15:54
ComboFix2.txt 2012-09-09 14:19
.
Pre-Run: 59.822.690.304 bytes free
Post-Run: 59.768.586.240 bytes free
.
- - End Of File - - 067247CB3CB9F24C55A18D91067E493B


Update: 09 Sep 2012 17:58

The situation is better now; web pages open faster, etc.

  • Research Engineer @MalwareBytes
  • Joined: 09 Aug 2011
  • Posts: 15877
  • Location: Beograd

Download "Xplode"'s AdwCleaner and save it to the Desktop.
Double-click the program to run it and click the [Search] button.
When the program finishes its analysis it will open Notepad with a report. Close that Notepad.

Click the [Delete] button and wait for the program to finish.
The program will close all active programs and show a window with that warning. Click OK to confirm.
On the next two windows that open (Informations and Restart required) click OK.

The computer will restart and then open Notepad (C:\AdwCleaner[S1].txt) with the report.
Save that Notepad file to the Desktop and attach it to your message using the "Attach file" option.

Note: The report will also be saved at C:\AdwCleaner[S1].txt

  • Anunnaki
  • Joined: 20 Apr 2012
  • Posts: 1645

Here is the report


  • Research Engineer @MalwareBytes
  • Joined: 09 Aug 2011
  • Posts: 15877
  • Location: Beograd

The computer is clean as far as malware is concerned. You need to follow these steps...



Step 1.

ComboFix needs to be uninstalled:
click Start, then RUN.

On Vista and 7 use the Start Search field if Run is not available.

In the text input line type (or paste) the following:

ComboFix /Uninstall

Note that there is a space between "ComboFix" and "/Uninstall".



then click OK (or press Enter).


Wait for the uninstall process to finish.



Step 2.

Run AdwCleaner again.
Click the [Uninstall] button and wait for the uninstall procedure to finish.



Step 3.

Download and run OTC. Click CleanUp. This will delete the tools that were used.



Step 4.

Your system is not up to date; Service Pack 1 is not installed. Download and install the following file: http://download.microsoft.com/download/0/A/F/0AFB5.....32-X86.exe

It is also recommended that you enable automatic updates in the Control Panel, so that new updates are installed as they appear.



Step 5.

You are using an outdated version of Java, which is a security risk. Go to Start -> Control Panel -> Programs and Features / Add or Remove Programs and uninstall Java(TM) 6 Update 31.

Visit this address, then download and install the new version.

www.java.com/getjava/



I recommend MCShield v2 for protection against USB storage devices. It has nothing to do with the antivirus, i.e. it will not interfere with it, and it has proven to be one of the best forms of protection against malware that spreads via USB storage devices. You download it, install it, plug in a USB storage device, a scan runs, and then you either get a notification that the device is clean (if that is really so) or a log with information about the malware that was found and deleted.

MCShield home page ::Anti-Malware Tool:: v2: http://amf.mycity.rs/mcshield/

You can find out more about MCShield in these topics:
v1: http://www.mycity.rs/MyCity-Laboratorija/MCShield.html
v2: http://www.mycity.rs/MyCity-Laboratorija/MCShield-v2.html




Be sure to visit the topic "Test whether your browser is vulnerable", read it and follow the link in it.
Link to the topic: http://www.mycity.rs/Web-browseri/Testirajte-da-li.....anjiv.html




TwinHeadedEagle (AMF Team)

  • Anunnaki
  • Joined: 20 Apr 2012
  • Posts: 1645

Posted: 09 Sep 2012 19:21

I did everything; I downloaded SP1 but I don't dare install it, because I have a lot of important data and I wouldn't want to lose it.

Update: 09 Sep 2012 19:57

There are still viruses; I scanned and it found 2 viruses.
Here is the picture

  • Research Engineer @MalwareBytes
  • Joined: 09 Aug 2011
  • Posts: 15877
  • Location: Beograd

Posted: 09 Sep 2012 19:58

As you wish, although I have installed SP1 dozens of times and there was never a problem...

We end the discussion here; if you have anything to ask, open a topic in the Windows subforum...

Regards

Update: 09 Sep 2012 20:12

Restart the computer, update MBAM, then scan again and post the log...

Korisnici trenutno na forumu: A.R.Chafee.Jr., ajo baba, Apok, arsa, ccoogg123, celik, darkangel, deimos25, Dimitrije Paunovic, DPera, dushan, Faki-Valjevo, FileFinder, havoc995, ikan, ivan1973, ivica976, janbo, Još malo pa deda, Karla, laurusri, Lieutenant, ljuba, mercedesamg, mikrimaus, milenko crazy north, Milometer, Milos ZA, milutin134, Mlav, moldway, Romibrat, royst33, sap, slonic_tonic, Stanlio, Stoilkovic, suton, Toper, Trpe Grozni, tubular, VJ, vukovi, W123, zixmix