Attack via Facebook


  • Joined: 29 Mar 2011
  • Posts: 9

Hello everyone, and right from the start, all praise for this forum and the selfless effort of the people who help solve problems.
I'll get straight to the point and try my best to follow the instructions for opening a topic.
Today my daughter received a message in English from a "friend" on FB offering her a video to watch, and, as in several topics already described here, it offered to install Adobe Flash Player, and then all sorts of things happened (I wasn't there). In any case, as she told me, the computer restarted and Safe Mode appeared on the screen...
When I arrived the computer was running, but the antivirus (NOD32) was showing a message that it had "switched to some more advanced protection mode" and I couldn't open it. I tried a couple of times but nothing, so I ran CCleaner and let it analyse and clean, as well as the registry option "find problems", and "fixed" all of them (I saved the backup and will attach it, I don't know, maybe it's of use to you).
Then I ran Malwarebytes and scanned the computer, and it found something like 48 infected items of all kinds, so I deleted those too (I also have the report and I'm attaching it).
When I'd done all that I started Google Chrome and the internet "worked", but FB can't be opened. It shows that message - Oops! Google Chrome could not connect to facebook.com.
After that I again tried to be clever and rescanned with Malwarebytes, and it reported some 2 infected files and again delete. I think I saved that report too. And that wasn't enough for me, so I ran it a third time. I also found that my Firewall had been turned off, so I turned it on.
I haven't tried anything else since, except to open FB in IE, and it doesn't work.
Oh yes, then I opened this forum and here I am looking for salvation, so please help.
I use Mtel ADSL and have their modem and my own router because I have two computers. On the other one FB works without problems.
Maybe I've written this at some length, but it's all out of a wish to make things as easy as possible for you.
I'll try to attach everything that's required, and if any more information is needed, I'm here.
Oh, I forgot to say that NOD now seems not to be working, so please advise what to do next, whether to delete it and reinstall or...
First, my own "mess" (screenshots attached).

And now what was requested (screenshots attached).

And now DDS.txt copy/paste:


.
DDS (Ver_2011-06-23.01) - NTFSx86
Internet Explorer: 7.0.5730.13
Run by Bit at 20:23:50 on 2011-07-24
Microsoft Windows XP Professional 5.1.2600.3.1250.381.1033.18.1015.466 [GMT 2:00]
.
AV: ESET NOD32 Antivirus 4.0 *Enabled/Updated* {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
svchost.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Documents and Settings\Bit\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Bit\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Bit\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Bit\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Bit\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Bit\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Bit\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.toggle.com/en/index.php?rvs=google
uSearch Page = hxxp://www.toggle.com/en/index.php?rvs=google
mSearch Page = hxxp://www.toggle.com/en/index.php?rvs=google
mStart Page = hxxp://www.toggle.com/en/index.php?rvs=google
uURLSearchHooks: Alawar.com Toolbar: {511131f1-4629-4254-a85f-ed7b6d75dd3c} - c:\program files\alawar.com\prxtbAla2.dll
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll
BHO: Conduit Engine : {30f9b915-b755-4826-820b-08fba6bd249d} - c:\program files\conduitengine\prxConduitEngine.dll
BHO: Alawar.com Toolbar: {511131f1-4629-4254-a85f-ed7b6d75dd3c} - c:\program files\alawar.com\prxtbAla2.dll
BHO: CescrtHlpr Object: {64182481-4f71-486b-a045-b233bd0da8fc} - c:\program files\facemoods.com\facemoods\1.4.17.9\bh\facemoods.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\progra~1\micros~2\office12\GRA8E1~1.DLL
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.1.1309.3572\swg.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Alawar.com Toolbar: {511131f1-4629-4254-a85f-ed7b6d75dd3c} - c:\program files\alawar.com\prxtbAla2.dll
TB: facemoods Toolbar: {db4e9724-f518-4dfd-9c7c-78b52103cab9} - c:\program files\facemoods.com\facemoods\1.4.17.9\facemoodsTlbr.dll
uRun: [CTFMON.EXE] c:\windows\system32\ctfmon.exe
uRun: [Google Update] "c:\documents and settings\bit\local settings\application data\google\update\GoogleUpdate.exe" /c
uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [PCSuiteTrayApplication] c:\program files\nokia\nokia pc suite 6\LaunchApplication.exe -startup
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [facemoods] "c:\program files\facemoods.com\facemoods\1.4.17.9\facemoodssrv.exe" /md I
mRun: [tray_ico]
mRun: [tray_ico1]
mRun: [tray_ico2]
mRun: [tray_ico3]
mRun: [tray_ico4]
mRun: [1660936.exe] "c:\windows\temp\1660936.exe"
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableSecureUIAPaths = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: Free YouTube Download - c:\documents and settings\bit\application data\dvdvideosoftiehelpers\freeyoutubedownload.htm
IE: Free YouTube to MP3 Converter - c:\documents and settings\bit\application data\dvdvideosoftiehelpers\freeyoutubetomp3converter.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_25-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0025-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_25-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_25-windows-i586.cab
TCP: DhcpNameServer = 192.168.2.1
TCP: Interfaces\{27993ADE-6098-40C7-A32F-390883AFB497} : DhcpNameServer = 192.168.1.1
TCP: Interfaces\{635DDEF1-69E9-49CC-B4DB-A2C00F5013D0} : DhcpNameServer = 192.168.1.1
TCP: Interfaces\{E33B3F76-A2B8-4D24-B99C-1D54E9BEB9F2} : DhcpNameServer = 192.168.2.1
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\progra~1\micros~2\office12\GR99D3~1.DLL
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: igfxcui - igfxsrvc.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\progra~1\micros~2\office12\GRA8E1~1.DLL
.
============= SERVICES / DRIVERS ===============
.
R1 ehdrv;ehdrv;c:\windows\system32\drivers\ehdrv.sys [2009-5-14 107256]
R1 epfwtdir;epfwtdir;c:\windows\system32\drivers\epfwtdir.sys [2009-5-14 94360]
S2 ekrn;ESET Service;"c:\program files\eset\eset nod32 antivirus\ekrn.exe" --> c:\program files\eset\eset nod32 antivirus\ekrn.exe [?]
S2 gupdate1c9e7a045104c38;Google Update Service (gupdate1c9e7a045104c38-);c:\program files\google\update\GoogleUpdate.exe [2009-6-7 133104]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2009-6-7 133104]
S3 s1018bus;Sony Ericsson Device 1018 driver (WDM);c:\windows\system32\drivers\s1018bus.sys [2010-11-16 86824]
S3 s1018mdfl;Sony Ericsson Device 1018 USB WMC Modem Filter;c:\windows\system32\drivers\s1018mdfl.sys [2010-11-16 15016]
S3 s1018mdm;Sony Ericsson Device 1018 USB WMC Modem Driver;c:\windows\system32\drivers\s1018mdm.sys [2010-11-16 114728]
S3 s1018mgmt;Sony Ericsson Device 1018 USB WMC Device Management Drivers (WDM);c:\windows\system32\drivers\s1018mgmt.sys [2010-11-16 106208]
S3 s1018nd5;Sony Ericsson Device 1018 USB Ethernet Emulation (NDIS);c:\windows\system32\drivers\s1018nd5.sys [2010-11-16 26024]
S3 s1018obex;Sony Ericsson Device 1018 USB WMC OBEX Interface;c:\windows\system32\drivers\s1018obex.sys [2010-11-16 104744]
S3 s1018unic;Sony Ericsson Device 1018 USB Ethernet Emulation (WDM);c:\windows\system32\drivers\s1018unic.sys [2010-11-16 109864]
S3 s1039bus;Sony Ericsson Device 1039 driver (WDM);c:\windows\system32\drivers\s1039bus.sys [2010-11-16 98672]
S3 s1039mdfl;Sony Ericsson Device 1039 USB WMC Modem Filter;c:\windows\system32\drivers\s1039mdfl.sys [2010-11-16 14960]
S3 s1039mdm;Sony Ericsson Device 1039 USB WMC Modem Driver;c:\windows\system32\drivers\s1039mdm.sys [2010-11-16 124016]
S3 s1039mgmt;Sony Ericsson Device 1039 USB WMC Device Management Drivers (WDM);c:\windows\system32\drivers\s1039mgmt.sys [2010-11-16 117872]
S3 s1039nd5;Sony Ericsson Device 1039 USB Ethernet Emulation (NDIS);c:\windows\system32\drivers\s1039nd5.sys [2010-11-16 25456]
S3 s1039obex;Sony Ericsson Device 1039 USB WMC OBEX Interface;c:\windows\system32\drivers\s1039obex.sys [2010-11-16 113904]
S3 s1039unic;Sony Ericsson Device 1039 USB Ethernet Emulation (WDM);c:\windows\system32\drivers\s1039unic.sys [2010-11-16 123504]
.
=============== Created Last 30 ================
.
2011-07-24 11:43:14 -------- d-----w- c:\documents and settings\bit\local settings\application data\ConduitEngine
2011-07-24 11:43:13 0 ----a-w- c:\windows\system32\ConduitEngine.tmp
2011-07-24 11:43:13 -------- d-----w- c:\program files\ConduitEngine
2011-07-24 10:15:06 -------- d-----w- c:\windows\ufa
2011-07-24 10:15:06 -------- d-----w- c:\windows\phoenix
2011-07-24 10:13:43 -------- d--h--w- c:\windows\update.5.0
2011-07-24 10:11:12 246272 ----a-w- c:\windows\unrar.exe
2011-07-24 10:09:56 -------- d--h--w- c:\windows\update.2
2011-07-24 10:07:46 -------- d-----w- c:\windows\av_ico
2011-07-24 10:06:29 -------- d--h--w- c:\windows\update.1
2011-07-24 10:06:18 -------- d--h--w- c:\windows\update.tray-2-0-lnk
2011-07-24 10:06:18 -------- d--h--w- c:\windows\update.tray-2-0
2011-07-11 16:24:03 -------- d-----w- c:\documents and settings\bit\local settings\application data\mypaint
2011-07-11 16:23:01 -------- d-----w- c:\program files\MyPaint
.
==================== Find3M ====================
.
2011-07-06 17:52:42 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-07-06 17:52:42 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-05-14 18:07:40 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
.
============= FINISH: 20:24:15.01 ===============


Oh yes, I forgot. Here's the CCleaner output too (screenshots attached).

That would be all.
Best regards
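A triage pass over the DDS output above, as an added example that is not part of the original post and not something the DDS tool itself does. It applies the handful of heuristics a forum helper applies by eye: autostart (uRun/mRun) entries that point into a temp directory or have no command left, browser helper objects whose file is gone, security policy keys zeroed, and start/search pages that point anywhere other than a short list of defaults. The rule set, the list of "benign" start-page hosts, the temp-path markers and the severity labels are this example's own assumptions; the sample lines are copied from the DDS.txt posted above.

```python
"""Heuristic triage of a DDS 'Pseudo HJT Report'.

Added example: not part of the original post and not something DDS itself does.
The rules below encode what a forum helper checks by eye; tune them to taste.
"""
import re
import sys
from urllib.parse import urlparse

# Lines copied from the DDS.txt posted in the thread (defanged hxxp:// kept as-is).
SAMPLE_DDS = r"""
uStart Page = hxxp://www.toggle.com/en/index.php?rvs=google
mStart Page = hxxp://www.toggle.com/en/index.php?rvs=google
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [tray_ico]
mRun: [1660936.exe] "c:\windows\temp\1660936.exe"
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableSecureUIAPaths = 0 (0x0)
TCP: DhcpNameServer = 192.168.2.1
"""

RUN_RE = re.compile(r"^[um]Run: \[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$")
EXT_RE = re.compile(r"^(?:BHO|TB|uURLSearchHooks): .*\{[0-9A-Fa-f-]{36}\}.*- (?P<path>.*)$")
POLICY_RE = re.compile(r"^mPolicies-system: (?P<key>\w+) = (?P<val>\d+)")
PAGE_RE = re.compile(r"^[um](?:Start|Search) Page = (?P<url>\S+)$")

# Start/search page hosts a helper would not question (assumption: extend as needed).
BENIGN_PAGE_HOSTS = {"about:blank", "www.google.com", "www.msn.com",
                     "www.microsoft.com", "go.microsoft.com"}
# Path fragments that mean "autostart from a scratch directory" (lower-case, backslash paths).
TEMP_MARKERS = ("\\windows\\temp\\", "\\local settings\\temp\\", "\\temp\\")
# Policy keys malware zeroes. EnableLUA/EnableSecureUIAPaths are Vista-era keys,
# so on an XP box their presence at 0 is itself a sign that something wrote them.
WEAKENING_POLICIES = {"EnableLUA", "EnableSecureUIAPaths"}


def page_host(url):
    """Hostname of a (possibly hxxp-defanged) start page URL, lower-cased."""
    if url.lower() == "about:blank":
        return "about:blank"
    refanged = url.replace("hxxp", "http", 1)
    return (urlparse(refanged).hostname or url).lower()


def triage(dds_text):
    """Return (severity, line, reason) triples for lines worth a second look."""
    findings = []
    for line in dds_text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = RUN_RE.match(line)
        if m:
            name = m.group("name")
            cmd = m.group("cmd").strip().strip('"').lower()
            if not cmd:
                findings.append(("medium", line, "autostart entry with no command left (orphan)"))
            elif any(marker in cmd for marker in TEMP_MARKERS):
                findings.append(("high", line, "autostart from a temp directory"))
            elif re.fullmatch(r"\d+\.exe", name, re.IGNORECASE):
                findings.append(("high", line, "autostart with a purely numeric name"))
            continue
        m = EXT_RE.match(line)
        if m:
            if m.group("path").strip().lower() == "no file":
                findings.append(("low", line, "browser extension registered but its file is gone (orphan)"))
            continue
        m = POLICY_RE.match(line)
        if m:
            if m.group("key") in WEAKENING_POLICIES and m.group("val") == "0":
                findings.append(("medium", line, f"{m.group('key')} = 0 (weakened security policy)"))
            continue
        m = PAGE_RE.match(line)
        if m:
            host = page_host(m.group("url"))
            if host not in BENIGN_PAGE_HOSTS:
                findings.append(("medium", line, f"start/search page points at {host}"))
    return findings


def severity_counts(findings):
    """Count findings per severity, e.g. {'high': 1, 'medium': 5, 'low': 1}."""
    counts = {}
    for severity, _, _ in findings:
        counts[severity] = counts.get(severity, 0) + 1
    return counts


if __name__ == "__main__":
    if len(sys.argv) > 1:
        # A saved DDS.txt; the box in this thread runs code page 1250 (see the DDS header).
        with open(sys.argv[1], encoding="cp1250", errors="replace") as fh:
            text = fh.read()
    else:
        text = SAMPLE_DDS
    for severity, line, reason in triage(text):
        print(f"[{severity:6}] {reason}\n         {line}")
```

Run it against a saved DDS.txt by passing the path (file name assumed), or with no argument to scan the embedded sample. On the sample it reports one high finding (the numeric executable started from c:\windows\temp, to be treated as live malware until proved otherwise), five medium ones (the two toggle.com page hijacks, the orphaned tray_ico entry, the two zeroed policy keys) and one low one (the BHO with no file).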

  • Joined: 02 Feb 2008
  • Posts: 14018
  • Location: Nish

Hello mititimi!

While the case is being resolved, I'd ask you to observe the following:
Read my instructions (or those of colleagues who stand in for me) carefully and work exclusively by them;
Do not seek help elsewhere at the same time;
Do not use other malware-removal programs apart from those you receive instructions for;
During the intervention do not use USB storage devices until I ask for it;
If I don't reply within 48h, refresh the topic with a new post;
If you don't respond within 5 days, we will close the case.

For more information about the rules of the MyCity forum Ambulanta: LINK

-------------------------------------------------------------------------------------







Download sUBs' ComboFix from the following address to your Desktop:

Bleeping Computer
Right-click the link and choose Save Target As... (Save Link As..., Save Linked Content As... or similar);
When the dialog for choosing where to save the file opens, select Desktop and click Save.

When the download is complete:
deactivate your protection software (instructions);
close any running programs;
double-click to start ComboFix;
in the window that opens click "I Agree".

While running, ComboFix will:
check whether a newer version of the program exists: click Yes if offered to download it;
if the Recovery Console is not installed, offer to install it: be sure to accept by clicking Yes and follow the procedure;
put a certain number of questions/notifications: accept by clicking Yes or OK;
restart Windows if necessary (possibly several times);
at the end of its run, open Notepad with the scan report.

Copy the report ComboFix produced into the topic on the forum:
right-click in the Notepad window and choose Select All;
right-click the selected text and choose Copy;
right-click in the message box and choose Paste.

Note: the report will be saved under the name ComboFix.txt on the system partition (typical location: C:\ComboFix.txt);
If, after sending the message, you notice the report is not complete, use the Attach file option to attach the file C:\ComboFix.txt to your message.






goran9888 (AMF Team)

  • Joined: 29 Mar 2011
  • Posts: 9

Well done Goran on the speed of reacting to the problem.
I installed ComboFix and ran it, and it gives me this error, that NOD is not turned off, and I don't know where to turn it off because there's no icon in the lower right corner, and when I went to Start-Programs-Eset-Nod and started Nod it gave me this message which I've attached.
What next?

  • Joined: 02 Feb 2008
  • Posts: 14018
  • Location: Nish

Find NOD32 in the folder where it's installed (by default: C:\Program files\Eset) and start its GUI, if possible. Then deactivate it.

If that fails, restart the system in Safe Mode and run ComboFix from there.







goran9888 (AMF Team)

  • Joined: 29 Mar 2011
  • Posts: 9

I have no Eset anywhere in C: at all.
I went into Safe Mode and ran ComboFix, and it again asks me to turn off NOD. When I dismissed that message ComboFix started and asked me to install the Recovery Console, but it didn't succeed because I have no internet in Safe Mode (at least that's what it told me).
I don't know what next, Goran, whether to run it in normal mode and ignore the NOD warnings and install Recovery, or...
Actually I'll do as you tell me, but now I have to log off because I'm working tomorrow, so I'll continue tomorrow.
Cheers.

  • Joined: 02 Feb 2008
  • Posts: 14018
  • Location: Nish

Well, I didn't write that the Eset folder is in the root of the C:\ partition, but that it is at the following location:
C:\Program files\Eset

In any case, if you don't succeed, carry on running CF in Normal mode even when it reports that NOD32 is enabled.








goran9888 (AMF Team)

  • Joined: 29 Mar 2011
  • Posts: 9

Cheers
First let me attach a picture showing that I don't have an Eset folder on the C partition, or I can't find it.

I ran CF in normal mode and ignored the notices about turning off NOD.
CF offered to install the Recovery Console and I accepted and went "yes" all the way.
However, in the report I see it says the Recovery Console is not installed.
In any case, here's the report.


ComboFix 11-07-25.03 - Bit 25-07-11 23:49:57.2.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1250.381.1033.18.1015.581 [GMT 2:00]
Running from: c:\documents and settings\Bit\Desktop\ComboFix.exe
AV: ESET NOD32 Antivirus 4.0 *Enabled/Updated* {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
.
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\Bit\Application Data\facemoods.com
c:\documents and settings\Bit\WINDOWS
c:\program files\facemoods.com
c:\program files\facemoods.com\facemoods\1.4.17.9\bh\facemoods.dll
c:\program files\facemoods.com\facemoods\1.4.17.9\facemoods.crx
c:\program files\facemoods.com\facemoods\1.4.17.9\facemoods.png
c:\program files\facemoods.com\facemoods\1.4.17.9\facemoodsApp.dll
c:\program files\facemoods.com\facemoods\1.4.17.9\facemoodsEng.dll
c:\program files\facemoods.com\facemoods\1.4.17.9\facemoodssrv.exe
c:\program files\facemoods.com\facemoods\1.4.17.9\facemoodsTlbr.dll
c:\program files\facemoods.com\facemoods\1.4.17.9\uninstall.exe
c:\program files\facemoods.com\sqlite3.dll
C:\Win
c:\win\1.exe
c:\windows\btc_client_iplist.txt
c:\windows\ddh_iplist.txt
c:\windows\front_ip_list.txt
c:\windows\iecheck_iplist.txt
c:\windows\info1
c:\windows\iplist.txt
c:\windows\IsUn0407.exe
c:\windows\loader2.exe_ok
c:\windows\phoenix.rar
c:\windows\rpcminer.rar
c:\windows\system\VI30AUT.DLL
c:\windows\system32\drivers\etc\HSTS~1
c:\windows\ufa.rar
c:\windows\update.1
c:\windows\update.2
c:\windows\update.5.0
c:\windows\winlog-dirs.txt
c:\windows\winlog-ids.txt
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Legacy_SRVIECHECK
-------\Legacy_WXPDRIVERS
.
.
((((((((((((((((((((((((( Files Created from 2011-06-25 to 2011-07-25 )))))))))))))))))))))))))))))))
.
.
2011-07-24 15:02 . 2011-07-24 15:02 -------- d-----w- c:\program files\Microsoft Silverlight
2011-07-24 11:43 . 2011-07-24 12:15 -------- d-----w- c:\documents and settings\Bit\Local Settings\Application Data\ConduitEngine
2011-07-24 11:43 . 2011-07-24 11:43 -------- d-----w- c:\program files\ConduitEngine
2011-07-24 11:43 . 2011-07-24 11:43 0 ----a-w- c:\windows\system32\ConduitEngine.tmp
2011-07-24 10:15 . 2011-07-24 10:15 -------- d-----w- c:\windows\ufa
2011-07-24 10:15 . 2011-07-24 10:15 -------- d-----w- c:\windows\phoenix
2011-07-24 10:11 . 2011-07-24 10:15 246272 ----a-w- c:\windows\unrar.exe
2011-07-24 10:07 . 2011-07-24 10:07 -------- d-----w- c:\windows\av_ico
2011-07-24 10:06 . 2011-07-24 11:09 -------- d--h--w- c:\windows\update.tray-2-0-lnk
2011-07-24 10:06 . 2011-07-24 10:54 -------- d--h--w- c:\windows\update.tray-2-0
2011-07-11 16:24 . 2011-07-11 16:25 -------- d-----w- c:\documents and settings\Bit\Local Settings\Application Data\mypaint
2011-07-11 16:23 . 2011-07-11 16:23 -------- d-----w- c:\program files\MyPaint
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-07-06 17:52 . 2010-02-23 22:33 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-07-06 17:52 . 2010-02-23 22:33 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-05-14 18:07 . 2011-05-14 18:07 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{511131f1-4629-4254-a85f-ed7b6d75dd3c}"= "c:\program files\Alawar.com\prxtbAla2.dll" [2011-01-17 175912]
.
[HKEY_CLASSES_ROOT\clsid\{511131f1-4629-4254-a85f-ed7b6d75dd3c}]
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{30F9B915-B755-4826-820B-08FBA6BD249D}]
2011-01-17 14:54 175912 ----a-w- c:\program files\ConduitEngine\prxConduitEngine.dll
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{511131f1-4629-4254-a85f-ed7b6d75dd3c}]
2011-01-17 14:54 175912 ----a-w- c:\program files\Alawar.com\prxtbAla2.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{511131f1-4629-4254-a85f-ed7b6d75dd3c}"= "c:\program files\Alawar.com\prxtbAla2.dll" [2011-01-17 175912]
.
[HKEY_CLASSES_ROOT\clsid\{511131f1-4629-4254-a85f-ed7b6d75dd3c}]
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{511131F1-4629-4254-A85F-ED7B6D75DD3C}"= "c:\program files\Alawar.com\prxtbAla2.dll" [2011-01-17 175912]
.
[HKEY_CLASSES_ROOT\clsid\{511131f1-4629-4254-a85f-ed7b6d75dd3c}]
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-06-07 39408]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2006-10-29 155648]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2006-10-29 126976]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-09-29 198160]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-26 31016]
"PCSuiteTrayApplication"="c:\program files\Nokia\Nokia PC Suite 6\LaunchApplication.exe" [2007-03-23 227328]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-01-07 253672]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableSecureUIAPaths"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@=""
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Bluetooth.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Bluetooth.lnk
backup=c:\windows\pss\Bluetooth.lnkCommon Startup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2009-02-27 15:10 35696 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2001-07-09 09:50 155648 ----a-w- c:\windows\system32\NeroCheck.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCSuiteTrayApplication]
2007-03-23 12:20 227328 ----a-w- c:\program files\Nokia\Nokia PC Suite 6\LaunchApplication.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
2003-10-31 17:42 32768 ----a-w- c:\program files\CyberLink\PowerDVD\PDVDServ.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2011-01-07 11:12 253672 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
2009-09-29 18:59 198160 ----a-w- c:\program files\Common Files\Real\Update_OB\realsched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"DisableThumbnailCache"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Documents and Settings\\Bit\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Google\\Google Earth\\client\\googleearth.exe"=
"c:\\Program Files\\Valve\\hl.exe"=
"c:\\Documents and Settings\\Bit\\Local Settings\\Application Data\\Google\\Chrome\\Application\\chrome.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
.
R1 ehdrv;ehdrv;c:\windows\system32\drivers\ehdrv.sys [14-05-09 15:47 107256]
R1 epfwtdir;epfwtdir;c:\windows\system32\drivers\epfwtdir.sys [14-05-09 15:49 94360]
S2 ekrn;ESET Service;"c:\program files\ESET\ESET NOD32 Antivirus\ekrn.exe" --> c:\program files\ESET\ESET NOD32 Antivirus\ekrn.exe [?]
S2 gupdate1c9e7a045104c38;Google Update Service (gupdate1c9e7a045104c38-);c:\program files\Google\Update\GoogleUpdate.exe [07-06-09 20:46 133104]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [07-06-09 20:46 133104]
S3 s1018bus;Sony Ericsson Device 1018 driver (WDM);c:\windows\system32\drivers\s1018bus.sys [16-11-10 21:44 86824]
S3 s1018mdfl;Sony Ericsson Device 1018 USB WMC Modem Filter;c:\windows\system32\drivers\s1018mdfl.sys [16-11-10 21:44 15016]
S3 s1018mdm;Sony Ericsson Device 1018 USB WMC Modem Driver;c:\windows\system32\drivers\s1018mdm.sys [16-11-10 21:44 114728]
S3 s1018mgmt;Sony Ericsson Device 1018 USB WMC Device Management Drivers (WDM);c:\windows\system32\drivers\s1018mgmt.sys [16-11-10 21:44 106208]
S3 s1018nd5;Sony Ericsson Device 1018 USB Ethernet Emulation (NDIS);c:\windows\system32\drivers\s1018nd5.sys [16-11-10 21:44 26024]
S3 s1018obex;Sony Ericsson Device 1018 USB WMC OBEX Interface;c:\windows\system32\drivers\s1018obex.sys [16-11-10 21:44 104744]
S3 s1018unic;Sony Ericsson Device 1018 USB Ethernet Emulation (WDM);c:\windows\system32\drivers\s1018unic.sys [16-11-10 21:44 109864]
S3 s1039bus;Sony Ericsson Device 1039 driver (WDM);c:\windows\system32\drivers\s1039bus.sys [16-11-10 21:44 98672]
S3 s1039mdfl;Sony Ericsson Device 1039 USB WMC Modem Filter;c:\windows\system32\drivers\s1039mdfl.sys [16-11-10 21:44 14960]
S3 s1039mdm;Sony Ericsson Device 1039 USB WMC Modem Driver;c:\windows\system32\drivers\s1039mdm.sys [16-11-10 21:44 124016]
S3 s1039mgmt;Sony Ericsson Device 1039 USB WMC Device Management Drivers (WDM);c:\windows\system32\drivers\s1039mgmt.sys [16-11-10 21:44 117872]
S3 s1039nd5;Sony Ericsson Device 1039 USB Ethernet Emulation (NDIS);c:\windows\system32\drivers\s1039nd5.sys [16-11-10 21:44 25456]
S3 s1039obex;Sony Ericsson Device 1039 USB WMC OBEX Interface;c:\windows\system32\drivers\s1039obex.sys [16-11-10 21:44 113904]
S3 s1039unic;Sony Ericsson Device 1039 USB Ethernet Emulation (WDM);c:\windows\system32\drivers\s1039unic.sys [16-11-10 21:44 123504]
.
Contents of the 'Scheduled Tasks' folder
.
2011-07-25 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-06-07 18:42]
.
2011-07-25 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-06-07 18:46]
.
2011-07-25 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-06-07 18:46]
.
2011-07-17 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1957994488-1606980848-313710639-1003Core.job
- c:\documents and settings\Bit\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-06-07 18:23]
.
2011-07-25 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1957994488-1606980848-313710639-1003UA.job
- c:\documents and settings\Bit\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-06-07 18:23]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.toggle.com/en/index.php?rvs=google
mStart Page = hxxp://www.toggle.com/en/index.php?rvs=google
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Free YouTube Download - c:\documents and settings\Bit\Application Data\DVDVideoSoftIEHelpers\freeyoutubedownload.htm
IE: Free YouTube to MP3 Converter - c:\documents and settings\Bit\Application Data\DVDVideoSoftIEHelpers\freeyoutubetomp3converter.htm
TCP: DhcpNameServer = 192.168.2.1
.
- - - - ORPHANS REMOVED - - - -
.
BHO-{64182481-4F71-486b-A045-B233BD0DA8FC} - c:\program files\facemoods.com\facemoods\1.4.17.9\bh\facemoods.dll
Toolbar-{DB4E9724-F518-4dfd-9C7C-78B52103CAB9} - c:\program files\facemoods.com\facemoods\1.4.17.9\facemoodsTlbr.dll
HKLM-Run-facemoods - c:\program files\facemoods.com\facemoods\1.4.17.9\facemoodssrv.exe
HKLM-Run-tray_ico - (no file)
HKLM-Run-tray_ico1 - (no file)
HKLM-Run-tray_ico2 - (no file)
HKLM-Run-tray_ico3 - (no file)
HKLM-Run-tray_ico4 - (no file)
MSConfigStartUp-Sony Ericsson PC Companion - c:\program files\Sony Ericsson\Sony Ericsson PC Companion\PCCompanion.exe
AddRemove-facemoods - c:\program files\facemoods.com\facemoods\1.4.17.9\uninstall.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, gmer.net
Rootkit scan 2011-07-25 23:55
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(3544)
c:\windows\system32\WPDShServiceObj.dll
c:\program files\Nokia\Nokia PC Suite 6\PhoneBrowser.dll
c:\program files\Nokia\Nokia PC Suite 6\PCSCM.dll
c:\program files\Nokia\Nokia PC Suite 6\Lang\PhoneBrowser_eng.nlr
c:\program files\Nokia\Nokia PC Suite 6\Resource\PhoneBrowser_Nokia.ngr
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\System32\SCardSvr.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\rundll32.exe
c:\windows\system32\wscntfy.exe
c:\program files\PC Connectivity Solution\ServiceLayer.exe
.
**************************************************************************
.
Completion time: 2011-07-26 00:00:46 - machine was rebooted
ComboFix-quarantined-files.txt 2011-07-25 22:00
.
Pre-Run: 7,220,547,584 bytes free
Post-Run: 7,218,188,288 bytes free
.
- - End Of File - - 75A6E11A5195D57FD6898F8FF29B7918
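A check worth running on the affected machine, as an added example that is neither part of the original post nor part of ComboFix. The symptom in the thread (Chrome reports it cannot connect to facebook.com on this machine while the second machine behind the same router is fine) is what a local hosts-file entry produces, and the ComboFix "Other Deletions" list above includes a file under c:\windows\system32\drivers\etc, the directory that holds the hosts file; the thread does not say what that file contained, so treat the hosts-file explanation as a hypothesis to verify. The script parses a hosts file, reports every name mapped to loopback or 0.0.0.0 (sinkholed) or to any other address (redirected), and measures the longest run of blank lines, the padding trick used to push added entries below what Notepad shows. The hosts content, including the 10.0.0.5 redirect, is constructed for the example; the allow-list of local names and the default file locations are assumptions.

```python
r"""Check a Windows hosts file for sinkholed or redirected names.

Added example: not part of the original post and not part of ComboFix. The
sample hosts content is constructed; the real file on XP is
%SystemRoot%\system32\drivers\etc\hosts.
"""
import ipaddress
import os
import sys

# Constructed sample: the Microsoft header, the normal localhost lines, a couple
# of blank lines (malware often pads with many more so its additions sit
# off-screen in Notepad), then the kind of entries that break one site.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
127.0.0.1       localhost
::1             localhost


127.0.0.1 www.facebook.com
127.0.0.1 facebook.com
10.0.0.5  www.google.com   # constructed: a redirect to a non-loopback address
"""

# Names that legitimately map to loopback (assumption: the usual defaults).
LOCAL_NAMES = {"localhost", "localhost.localdomain", "broadcasthost",
               "ip6-localhost", "ip6-loopback"}


def hosts_path():
    """Where the OS keeps its hosts file (assumption: default install locations)."""
    if os.name == "nt":
        root = os.environ.get("SystemRoot", r"C:\Windows")
        return os.path.join(root, "system32", "drivers", "etc", "hosts")
    return "/etc/hosts"


def inspect_hosts(text):
    """One dict per suspicious mapping: sinkholed (loopback/0.0.0.0) or redirected."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        body = raw.split("#", 1)[0].strip()  # drop comments, keep the mapping
        if not body:
            continue
        parts = body.split()
        try:
            ip = ipaddress.ip_address(parts[0].split("%", 1)[0])  # tolerate fe80::1%lo0
        except ValueError:
            findings.append({"line": lineno, "host": body, "ip": parts[0], "kind": "malformed"})
            continue
        for name in parts[1:]:
            name = name.lower()
            if name in LOCAL_NAMES:
                continue
            kind = "sinkholed" if (ip.is_loopback or ip.is_unspecified) else "redirected"
            findings.append({"line": lineno, "host": name, "ip": str(ip), "kind": kind})
    return findings


def longest_blank_run(text):
    """Longest run of consecutive empty lines; a large value is the padding trick."""
    longest = run = 0
    for line in text.splitlines():
        run = run + 1 if not line.strip() else 0
        longest = max(longest, run)
    return longest


if __name__ == "__main__":
    path = sys.argv[1] if len(sys.argv) > 1 else hosts_path()
    if os.path.exists(path):
        with open(path, encoding="utf-8", errors="replace") as fh:
            text = fh.read()
    else:
        text, path = SAMPLE_HOSTS, "<embedded sample>"
    print(f"{path}: longest run of blank lines = {longest_blank_run(text)}")
    for f in inspect_hosts(text):
        print(f"line {f['line']:>4}: {f['host']} -> {f['ip']} ({f['kind']})")
```

Run it with no argument to inspect the live file, or pass a path to a copy taken off the machine. A mapping of facebook.com to 127.0.0.1 gives exactly the "could not connect" error the opening post describes, because nothing listens on the local port 80. The same deletions list also contains c:\windows\phoenix with poclbm and phatk OpenCL kernels and rpcminer.rar, which are Bitcoin mining programs, so the cleanup on this machine is about more than the browser.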

  • Joined: 02 Feb 2008
  • Posts: 14018
  • Location: Nish

- Do not connect USB storage devices yet, until I ask for it;
- Reinstall NOD32 Anti-Virus;
- Start -> Control Panel -> Add or Remove Programs - uninstall the following: Alawar.com Toolbar and Facebook Plug-In.






Open Notepad and copy the following text:

File::
c:\windows\unrar.exe

Folder::
c:\windows\ufa
c:\windows\phoenix
c:\windows\av_ico
c:\windows\update.tray-2-0-lnk
c:\windows\update.tray-2-0

FileLook::
c:\program files\Alawar.com\prxtbAla2.dll

DDS::
uStart Page = hxxp://www.toggle.com/en/index.php?rvs=google
mStart Page = hxxp://www.toggle.com/en/index.php?rvs=google


Save the file from Notepad to the Desktop as "CFScript"




Prevuci snimljeni skript/tekst na ComboFix ikonicu kao na slici.
Postaviti u sledecoj poruci log koji bude bio napravljen na kraju ciscenja/skeniranja.








goran9888 (AMF Tim)

  • Joined: 29 Mar 2011
  • Posts: 9

Here it is, done as you said


ComboFix 11-07-25.03 - Bit 26-07-11 1:15.3.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1250.381.1033.18.1015.527 [GMT 2:00]
Running from: c:\documents and settings\Bit\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Bit\Desktop\CFScript.txt
AV: ESET NOD32 Antivirus 4.0 *Disabled/Updated* {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
.
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
FILE ::
"c:\windows\unrar.exe"
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\windows\av_ico
c:\windows\av_ico\ico_NOD_AV_START.ico
c:\windows\av_ico\ico_NOD_SYSINSP.ico
c:\windows\av_ico\ico_NOD_SYSRESC.ico
c:\windows\av_ico\ico_NOD_TXT.ico
c:\windows\av_ico\ico_NOD_UNINSTALL.ico
c:\windows\phoenix
c:\windows\phoenix\kernels\phatk\__init__.py
c:\windows\phoenix\kernels\phatk\__init__.pyc
c:\windows\phoenix\kernels\phatk\BFIPatcher.py
c:\windows\phoenix\kernels\phatk\kernel.cl
c:\windows\phoenix\kernels\poclbm\__init__.py
c:\windows\phoenix\kernels\poclbm\__init__.pyc
c:\windows\phoenix\kernels\poclbm\BFIPatcher.py
c:\windows\phoenix\kernels\poclbm\kernel.cl
c:\windows\phoenix\phoenix.exe
c:\windows\ufa
c:\windows\ufa\ufa.exe
c:\windows\unrar.exe
c:\windows\update.tray-2-0-lnk
c:\windows\update.tray-2-0
.
.
((((((((((((((((((((((((( Files Created from 2011-06-25 to 2011-07-25 )))))))))))))))))))))))))))))))
.
.
2011-07-25 22:53 . 2011-07-25 22:53 -------- d-----w- c:\program files\ESET
2011-07-25 22:53 . 2011-07-25 22:53 -------- d-----w- c:\documents and settings\All Users\Application Data\ESET
2011-07-24 15:02 . 2011-07-24 15:02 -------- d-----w- c:\program files\Microsoft Silverlight
2011-07-24 11:43 . 2011-07-24 11:43 0 ----a-w- c:\windows\system32\ConduitEngine.tmp
2011-07-11 16:24 . 2011-07-11 16:25 -------- d-----w- c:\documents and settings\Bit\Local Settings\Application Data\mypaint
2011-07-11 16:23 . 2011-07-11 16:23 -------- d-----w- c:\program files\MyPaint
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-07-06 17:52 . 2010-02-23 22:33 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-07-06 17:52 . 2010-02-23 22:33 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-05-14 18:07 . 2011-05-14 18:07 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
.
.
((((((((((((((((((((((((((((( SnapShot@2011-07-25_21.55.51 )))))))))))))))))))))))))))))))))))))))))
.
+ 2011-07-25 23:08 . 2011-07-25 23:08 16384 c:\windows\Temp\Perflib_Perfdata_36c.dat
- 2004-08-04 19:00 . 2011-07-25 08:28 67312 c:\windows\system32\perfc009.dat
+ 2004-08-04 19:00 . 2011-07-25 23:12 67312 c:\windows\system32\perfc009.dat
+ 2011-07-25 22:53 . 2011-07-25 23:07 10134 c:\windows\Installer\{2EEBAC31-3EEF-4118-91CB-1A286A507DB2}\callmsi.exe
- 2009-06-03 21:11 . 2009-06-03 21:11 10134 c:\windows\Installer\{2EEBAC31-3EEF-4118-91CB-1A286A507DB2}\callmsi.exe
- 2004-08-04 19:00 . 2011-07-25 08:28 432356 c:\windows\system32\perfh009.dat
+ 2004-08-04 19:00 . 2011-07-25 23:12 432356 c:\windows\system32\perfh009.dat
+ 2011-07-25 22:53 . 2011-07-25 23:07 101480 c:\windows\Installer\{2EEBAC31-3EEF-4118-91CB-1A286A507DB2}\egui.exe
- 2009-06-03 21:11 . 2009-06-03 21:11 101480 c:\windows\Installer\{2EEBAC31-3EEF-4118-91CB-1A286A507DB2}\egui.exe
+ 2011-07-25 22:53 . 2011-07-25 22:53 1131520 c:\windows\Installer\2e37b2.msi
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-06-07 39408]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2006-10-29 155648]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2006-10-29 126976]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-09-29 198160]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-26 31016]
"PCSuiteTrayApplication"="c:\program files\Nokia\Nokia PC Suite 6\LaunchApplication.exe" [2007-03-23 227328]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-01-07 253672]
"egui"="c:\program files\ESET\ESET NOD32 Antivirus\egui.exe" [2009-05-14 2029640]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableSecureUIAPaths"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@=""
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Bluetooth.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Bluetooth.lnk
backup=c:\windows\pss\Bluetooth.lnkCommon Startup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2009-02-27 15:10 35696 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2001-07-09 09:50 155648 ----a-w- c:\windows\system32\NeroCheck.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCSuiteTrayApplication]
2007-03-23 12:20 227328 ----a-w- c:\program files\Nokia\Nokia PC Suite 6\LaunchApplication.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
2003-10-31 17:42 32768 ----a-w- c:\program files\CyberLink\PowerDVD\PDVDServ.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2011-01-07 11:12 253672 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
2009-09-29 18:59 198160 ----a-w- c:\program files\Common Files\Real\Update_OB\realsched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"DisableThumbnailCache"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Documents and Settings\\Bit\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Google\\Google Earth\\client\\googleearth.exe"=
"c:\\Program Files\\Valve\\hl.exe"=
"c:\\Documents and Settings\\Bit\\Local Settings\\Application Data\\Google\\Chrome\\Application\\chrome.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
.
R1 ehdrv;ehdrv;c:\windows\system32\drivers\ehdrv.sys [14-05-09 15:47 107256]
R1 epfwtdir;epfwtdir;c:\windows\system32\drivers\epfwtdir.sys [14-05-09 15:49 94360]
R2 ekrn;ESET Service;c:\program files\ESET\ESET NOD32 Antivirus\ekrn.exe [14-05-09 15:47 731840]
S2 gupdate1c9e7a045104c38;Google Update Service (gupdate1c9e7a045104c38-);c:\program files\Google\Update\GoogleUpdate.exe [07-06-09 20:46 133104]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [07-06-09 20:46 133104]
S3 s1018bus;Sony Ericsson Device 1018 driver (WDM);c:\windows\system32\drivers\s1018bus.sys [16-11-10 21:44 86824]
S3 s1018mdfl;Sony Ericsson Device 1018 USB WMC Modem Filter;c:\windows\system32\drivers\s1018mdfl.sys [16-11-10 21:44 15016]
S3 s1018mdm;Sony Ericsson Device 1018 USB WMC Modem Driver;c:\windows\system32\drivers\s1018mdm.sys [16-11-10 21:44 114728]
S3 s1018mgmt;Sony Ericsson Device 1018 USB WMC Device Management Drivers (WDM);c:\windows\system32\drivers\s1018mgmt.sys [16-11-10 21:44 106208]
S3 s1018nd5;Sony Ericsson Device 1018 USB Ethernet Emulation (NDIS);c:\windows\system32\drivers\s1018nd5.sys [16-11-10 21:44 26024]
S3 s1018obex;Sony Ericsson Device 1018 USB WMC OBEX Interface;c:\windows\system32\drivers\s1018obex.sys [16-11-10 21:44 104744]
S3 s1018unic;Sony Ericsson Device 1018 USB Ethernet Emulation (WDM);c:\windows\system32\drivers\s1018unic.sys [16-11-10 21:44 109864]
S3 s1039bus;Sony Ericsson Device 1039 driver (WDM);c:\windows\system32\drivers\s1039bus.sys [16-11-10 21:44 98672]
S3 s1039mdfl;Sony Ericsson Device 1039 USB WMC Modem Filter;c:\windows\system32\drivers\s1039mdfl.sys [16-11-10 21:44 14960]
S3 s1039mdm;Sony Ericsson Device 1039 USB WMC Modem Driver;c:\windows\system32\drivers\s1039mdm.sys [16-11-10 21:44 124016]
S3 s1039mgmt;Sony Ericsson Device 1039 USB WMC Device Management Drivers (WDM);c:\windows\system32\drivers\s1039mgmt.sys [16-11-10 21:44 117872]
S3 s1039nd5;Sony Ericsson Device 1039 USB Ethernet Emulation (NDIS);c:\windows\system32\drivers\s1039nd5.sys [16-11-10 21:44 25456]
S3 s1039obex;Sony Ericsson Device 1039 USB WMC OBEX Interface;c:\windows\system32\drivers\s1039obex.sys [16-11-10 21:44 113904]
S3 s1039unic;Sony Ericsson Device 1039 USB Ethernet Emulation (WDM);c:\windows\system32\drivers\s1039unic.sys [16-11-10 21:44 123504]
.
Contents of the 'Scheduled Tasks' folder
.
2011-07-25 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-06-07 18:42]
.
2011-07-25 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-06-07 18:46]
.
2011-07-25 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-06-07 18:46]
.
2011-07-17 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1957994488-1606980848-313710639-1003Core.job
- c:\documents and settings\Bit\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-06-07 18:23]
.
2011-07-25 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1957994488-1606980848-313710639-1003UA.job
- c:\documents and settings\Bit\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-06-07 18:23]
.
.
------- Supplementary Scan -------
.
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Free YouTube Download - c:\documents and settings\Bit\Application Data\DVDVideoSoftIEHelpers\freeyoutubedownload.htm
IE: Free YouTube to MP3 Converter - c:\documents and settings\Bit\Application Data\DVDVideoSoftIEHelpers\freeyoutubetomp3converter.htm
TCP: DhcpNameServer = 192.168.2.1
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, gmer.net
Rootkit scan 2011-07-26 01:20
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
Completion time: 2011-07-26 01:21:45
ComboFix-quarantined-files.txt 2011-07-25 23:21
ComboFix2.txt 2011-07-25 22:00
.
Pre-Run: 6,976,344,064 bytes free
Post-Run: 6,961,164,288 bytes free
.
- - End Of File - - 394E0E7822A61EDA11A50EE56BBD3443
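Added example, not part of this thread or of ComboFix: a small Python check that reads the File::/Folder:: directives of a CFScript like the one above and the "Other Deletions" section of the ComboFix log posted in reply, and reports which targets the log confirms as removed. The sample script and log are constructed from excerpts of this thread, with c:\windows\ufa deliberately left out of the log so that one target shows up as unconfirmed.

```python
# Added example, not from the thread or from ComboFix: cross-check the
# File::/Folder:: targets of a CFScript against the 'Other Deletions'
# section of the ComboFix log to confirm what was actually removed.
# Constructed sample trimmed from the thread; c:\windows\ufa is deliberately
# left out of the log so the check reports one unconfirmed target.
CFSCRIPT = """File::
c:\\windows\\unrar.exe

Folder::
c:\\windows\\ufa
c:\\windows\\phoenix
c:\\windows\\av_ico
"""

COMBOFIX_LOG = """(((((( Other Deletions ))))))
c:\\windows\\av_ico
c:\\windows\\av_ico\\ico_NOD_AV_START.ico
c:\\windows\\phoenix
c:\\windows\\unrar.exe
(((((( Files Created from 2011-06-25 to 2011-07-25 ))))))
"""

def parse_cfscript(text):
    """Map each 'Name::' directive to the lower-cased paths listed under it."""
    targets, current = {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        if line.endswith("::"):
            current = line[:-2]
            targets.setdefault(current, [])
        elif current is not None and line:
            targets[current].append(line.lower())
    return targets

def parse_deletions(log):
    """Collect paths listed between 'Other Deletions' and the next banner."""
    deleted, inside = set(), False
    for line in (raw.strip() for raw in log.splitlines()):
        if "Other Deletions" in line:
            inside = True
        elif inside and line.startswith("(((("):
            break
        elif inside and line.lower().startswith("c:\\"):
            deleted.add(line.lower())
    return deleted

def check_cleanup(script, log):
    """Return (confirmed, unconfirmed) File::/Folder:: targets."""
    wanted = parse_cfscript(script)
    deleted = parse_deletions(log)
    targets = wanted.get("File", []) + wanted.get("Folder", [])
    return ([t for t in targets if t in deleted],
            [t for t in targets if t not in deleted])
```

Sub-paths such as the .ico files inside c:\windows\av_ico are ignored on purpose; only the exact targets named in the script are matched.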

  • Joined: 02 Feb 2008
  • Posts: 14018
  • Location: Nish

Step 1

Pack the following folder into a (zip, rar) archive:

C:\Qoobox\Quarantine

... and upload it via this link:

http://www.mycity.rs/ambulanta-upload.php




Step 2


Download the Malwarebytes Anti-Malware installer from the following link:
http://www.besttechie.net/tools/mbam-setup.exe

Double-click to run the installation; at the very end of the process, check that these options are ticked:
Update Malwarebytes' Anti-Malware;
Launch Malwarebytes Anti-Malware;

and then click Finish.

After the update finishes, the program will start.

Select the Perform Quick Scan option and click Scan.

When the process finishes, click OK, then Show Results: in the list of detected malware, tick all items and click Remove Selected.

When the process finishes, the logfile will open in Notepad; copy it into the forum topic.
If the program asks for a restart to complete the cleaning process, be sure to allow it.

Note: if a restart happens at the end of the cleaning process, the logfile will be available on the Logs tab (select it and click Open).




Step 3

To protect USB memory devices I suggest you use MCShield. It has nothing to do with the antivirus, i.e. it will not interfere with its operation, and it has proven to be one of the best forms of protection against malware that spreads via USB memory devices.

You download it, install it, plug in a USB memory device, and a scan runs, after which you get a notification that the device is clean (if it really is); or you get a log showing information about the malware that was found and deleted.


MCShield home page: http://amf.mycity.rs/programs/mc/mcshield/

You can learn more about MCShield in this topic: http://www.mycity.rs/Antispyware-programi/MCShield.html



After installing MCShield, plug in the USB memory devices one at a time; wait for MCShield to scan them. When it finishes scanning the last device, post the report named AllScans.txt.

Start -> Run -> %UserProfile%\Application Data\MCShield\AllScans.txt -> Enter


Send me the contents of the report that opens in Notepad.











goran9888 (AMF Tim)
