The Rakovica case

offline
  • Joined: 18 Jul 2003
  • Posts: 4204
  • Location: In a golden cage

People, the mountain shook and gave birth to a mouse. The computer is slow because it has 2 GB of RAM.
In my opinion, based on the system's clinical picture, there is no malware here; CCleaner alone sped it up quite a bit.
The search engine in Chrome had been hijacked; I fixed that with AdwCleaner. I also installed MCShield and scanned 4 flash drives, and there was no virus on any of them.
Logs follow.


Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version:05-03-2016 01
Ran by User (administrator) on USER-PC (22-03-2016 10:48:58)
Running from C:\Users\User\Desktop
Loaded Profiles: User (Available Profiles: User)
Platform: Windows 7 Professional Service Pack 1 (X64) Language: English (United States)
Internet Explorer Version 11 (Default browser: Chrome)
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-t.....scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(Microsoft Corporation) C:\Program Files\Microsoft Security Client\MsMpEng.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe
(Intel Corporation) C:\Windows\System32\hkcmd.exe
(Intel Corporation) C:\Windows\System32\igfxpers.exe
(Microsoft Corporation) C:\Program Files\Microsoft Security Client\msseces.exe
(Software 2000 Limited) C:\Windows\System32\spool\drivers\x64\3\HP1006MC.EXE
(Microsoft Corporation) C:\Program Files\Microsoft Security Client\NisSrv.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe
(MyCity) C:\Program Files (x86)\MCShield\MCShieldRTM.exe
(AeroAdmin Inc.) C:\Users\User\Desktop\AeroAdmin.exe
(Microsoft Corporation) C:\Windows\System32\dllhost.exe


==================== Registry (Whitelisted) ===========================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [RtHDVCpl] => C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe [11613288 2010-11-19] (Realtek Semiconductor)
HKLM\...\Run: [MSC] => C:\Program Files\Microsoft Security Client\msseces.exe [1271072 2014-03-11] (Microsoft Corporation)
HKLM-x32\...\Run: [SunJavaUpdateSched] => C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe [594992 2016-01-29] (Oracle Corporation)
Winlogon\Notify\igfxcui: C:\Windows\system32\igfxdev.dll (Intel Corporation)
HKU\S-1-5-21-1205956071-2428138795-338955350-1000\...\Run: [MCShield Monitor] => C:\Program Files (x86)\MCShield\mcshieldrtm.exe [650816 2014-04-11] (MyCity)
HKU\S-1-5-21-1205956071-2428138795-338955350-1000\...\MountPoints2: {5cd069f3-3cae-11e1-b48b-806e6f6e6963} - E:\Bin\assetup.exe
HKU\S-1-5-21-1205956071-2428138795-338955350-1000\...\MountPoints2: {f95b38e7-ea7e-11e5-9b1a-14dae993f609} - F:\SISetup.exe

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

Tcpip\Parameters: [DhcpNameServer] 192.168.1.1 0.0.0.0
Tcpip\..\Interfaces\{307F068E-0945-4146-976B-08D44E404C52}: [DhcpNameServer] 192.168.1.1 0.0.0.0
Tcpip\..\Interfaces\{E95274B9-75DC-43E9-ADD8-B366EA24F8CA}: [DhcpNameServer] 192.168.1.1 192.168.1.1

Internet Explorer:
==================
BHO-x32: Java(tm) Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files (x86)\Java\jre1.8.0_73\bin\ssv.dll [2016-03-22] (Oracle Corporation)
BHO-x32: Java(tm) Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files (x86)\Java\jre1.8.0_73\bin\jp2ssv.dll [2016-03-22] (Oracle Corporation)

FireFox:
========
FF Plugin-x32: @java.com/DTPlugin,version=11.73.2 -> C:\Program Files (x86)\Java\jre1.8.0_73\bin\dtplugin\npDeployJava1.dll [2016-03-22] (Oracle Corporation)
FF Plugin-x32: @java.com/JavaPlugin,version=11.73.2 -> C:\Program Files (x86)\Java\jre1.8.0_73\bin\plugin2\npjp2.dll [2016-03-22] (Oracle Corporation)
FF Plugin-x32: Adobe Reader -> C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AIR\nppdf32.dll [2015-03-17] (Adobe Systems Inc.)
FF Plugin HKU\S-1-5-21-1205956071-2428138795-338955350-1000: @tools.google.com/Google Update;version=3 -> C:\Users\User\AppData\Local\Google\Update\1.3.29.5\npGoogleUpdate3.dll [2016-02-04] (Google Inc.)
FF Plugin HKU\S-1-5-21-1205956071-2428138795-338955350-1000: @tools.google.com/Google Update;version=9 -> C:\Users\User\AppData\Local\Google\Update\1.3.29.5\npGoogleUpdate3.dll [2016-02-04] (Google Inc.)

Chrome:
=======
CHR Plugin: (Native Client) - C:\Users\User\AppData\Local\Google\Chrome\Application\49.0.2623.87\ppGoogleNaClPluginChrome.dll => No File
CHR Plugin: (Chrome PDF Viewer) - C:\Users\User\AppData\Local\Google\Chrome\Application\49.0.2623.87\pdf.dll => No File
CHR Plugin: (Shockwave Flash) - C:\Users\User\AppData\Local\Google\Chrome\Application\49.0.2623.87\gcswf32.dll => No File
CHR Plugin: (Google Update) - C:\Users\User\AppData\Local\Google\Update\1.3.21.111\npGoogleUpdate3.dll => No File
CHR Profile: C:\Users\User\AppData\Local\Google\Chrome\User Data\Default
CHR Extension: (Translator Chrome) - C:\Users\User\AppData\Local\Google\Chrome\User Data\Default\Extensions\mekahndniojbopfnkekkpmdemcfpimap [2015-12-09]
CHR Extension: (Плаћања у Chrome веб-продавници) - C:\Users\User\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2015-07-30]
StartMenuInternet: Google Chrome - C:\Users\User\AppData\Local\Google\Chrome\Application\chrome.exe

==================== Services (Whitelisted) ========================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

R2 MsMpSvc; C:\Program Files\Microsoft Security Client\MsMpEng.exe [23808 2014-03-11] (Microsoft Corporation)
R3 NisSrv; C:\Program Files\Microsoft Security Client\NisSrv.exe [347872 2014-03-11] (Microsoft Corporation)
S3 WinDefend; C:\Program Files\Windows Defender\mpsvc.dll [1011712 2013-05-27] (Microsoft Corporation)
S2 RosettaStoneDaemon; "C:\Program Files (x86)\RosettaStoneLtdServices\RosettaStoneDaemon.exe" [X]

===================== Drivers (Whitelisted) ==========================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

S3 ebdrv; C:\Windows\system32\drivers\evbda.sys [3286016 2009-06-10] (Broadcom Corporation)
R0 MpFilter; C:\Windows\System32\DRIVERS\MpFilter.sys [268512 2014-01-25] (Microsoft Corporation)
R2 NisDrv; C:\Windows\System32\DRIVERS\NisDrvWFP.sys [133928 2014-03-11] (Microsoft Corporation)

==================== NetSvcs (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)


==================== One Month Created files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2016-03-22 10:48 - 2016-03-22 10:49 - 00006740 _____ C:\Users\User\Desktop\FRST.txt
2016-03-22 10:48 - 2016-03-22 10:48 - 00000000 ____D C:\FRST
2016-03-22 10:47 - 2016-03-22 10:47 - 02374144 _____ (Farbar) C:\Users\User\Desktop\FRST64.exe
2016-03-22 10:35 - 2016-03-22 10:40 - 00000000 ____D C:\ProgramData\Oracle
2016-03-22 10:35 - 2016-03-22 10:35 - 00000000 ____D C:\Users\User\AppData\Roaming\Sun
2016-03-22 10:35 - 2016-03-22 10:35 - 00000000 ____D C:\Users\User\.oracle_jre_usage
2016-03-22 10:30 - 2016-03-22 10:46 - 00000000 ____D C:\ProgramData\MCShield
2016-03-22 10:30 - 2016-03-22 10:30 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\MCShield
2016-03-22 10:30 - 2016-03-22 10:30 - 00000000 ____D C:\Program Files (x86)\MCShield
2016-03-22 10:29 - 2016-03-22 10:29 - 02856736 _____ (MyCity) C:\Users\User\Downloads\MCShield-Setup.exe
2016-03-22 10:15 - 2016-03-22 10:16 - 00000000 ____D C:\AdwCleaner
2016-03-22 10:14 - 2016-03-22 10:14 - 01530368 _____ C:\Users\User\Desktop\AdwCleaner.exe
2016-03-22 10:01 - 2016-03-22 10:01 - 00003304 ____N C:\bootsqm.dat
2016-03-22 08:36 - 2016-03-22 08:36 - 00002786 _____ C:\Windows\System32\Tasks\CCleanerSkipUAC
2016-03-22 08:36 - 2016-03-22 08:36 - 00000827 _____ C:\Users\Public\Desktop\CCleaner.lnk
2016-03-22 08:36 - 2016-03-22 08:36 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\CCleaner
2016-03-22 08:36 - 2016-03-22 08:36 - 00000000 ____D C:\Program Files\CCleaner
2016-03-22 08:34 - 2016-03-22 08:34 - 06828320 _____ (Piriform Ltd) C:\Users\User\Downloads\ccsetup514.exe
2016-03-22 08:18 - 2016-03-22 10:19 - 00000000 ____D C:\ProgramData\boost_interprocess
2016-03-22 08:18 - 2016-03-22 08:18 - 00000000 ____D C:\ProgramData\Aeroadmin
2016-03-22 08:18 - 2016-03-21 19:52 - 02107672 _____ (AeroAdmin Inc.) C:\Users\User\Desktop\AeroAdmin.exe
2016-03-18 10:16 - 2016-03-18 10:19 - 00000000 ____D C:\Windows\system32\appmgmt
2016-03-15 10:51 - 2016-03-15 10:51 - 00000000 ____D C:\Users\Default\AppData\Roaming\TuneUp Software
2016-03-15 10:51 - 2016-03-15 10:51 - 00000000 ____D C:\Users\Default User\AppData\Roaming\TuneUp Software
2016-03-15 10:19 - 2016-03-15 10:28 - 00000000 ____D C:\Users\User\Desktop\ČLANARINA
2016-03-15 09:51 - 2016-03-15 09:51 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\HP
2016-03-15 09:51 - 2011-05-18 07:23 - 00126520 _____ (HP) C:\Windows\system32\HPSIsvc.exe
2016-03-15 09:49 - 2016-03-15 09:49 - 00000000 ____H C:\Windows\system32\Drivers\Msft_Kernel_mvusbews_01007.Wdf
2016-03-15 09:49 - 2016-03-15 09:49 - 00000000 ____H C:\Windows\system32\Drivers\Msft_Kernel_HPM1210FAX_01007.Wdf
2016-03-15 09:38 - 2010-03-31 11:52 - 01366016 _____ C:\Windows\system32\HPM1210SM.exe
2016-03-15 09:38 - 2010-03-31 11:51 - 00407040 _____ C:\Windows\system32\HPM1210LM.DLL
2016-03-15 09:33 - 2016-03-15 09:33 - 00000000 ____D C:\ProgramData\HP
2016-03-15 09:04 - 2010-03-31 18:49 - 00350720 _____ C:\Windows\system32\mvhlewsi.dll
2016-03-15 09:03 - 2016-03-15 09:03 - 00000000 ____D C:\Program Files\HP
2016-03-15 09:02 - 2011-04-15 17:14 - 01490656 _____ (Microsoft Corporation) C:\Windows\system32\WdfCoInstaller01007.dll
2016-03-15 09:02 - 2011-04-15 17:14 - 00212992 _____ C:\Windows\system32\m1210wia.dll
2016-03-15 09:02 - 2011-04-15 17:14 - 00082432 _____ C:\Windows\system32\mvusbews.dll
2016-03-15 09:02 - 2011-04-15 17:14 - 00020480 _____ (Marvell Semiconductor, Inc.) C:\Windows\system32\Drivers\mvusbews.sys
2016-03-15 09:02 - 2011-04-15 17:14 - 00016384 _____ C:\Windows\system32\Drivers\HPM1210FAX.sys
2016-03-15 09:02 - 2011-04-15 17:13 - 00049152 _____ C:\Windows\system32\HPM1210SMs.dll
2016-03-15 08:46 - 2016-03-15 08:46 - 00002760 _____ C:\Windows\System32\Tasks\AVGPCTuneUp_Task_BkGndMaintenance
2016-03-02 10:21 - 2016-03-02 10:21 - 00269232 _____ (AVG Technologies CZ, s.r.o.) C:\Windows\system32\Drivers\avgmfx64.sys
2016-02-23 14:28 - 2016-02-23 14:28 - 00000000 ____D C:\Users\Default\AppData\Roaming\AVG
2016-02-23 14:28 - 2016-02-23 14:28 - 00000000 ____D C:\Users\Default\AppData\Local\AVG
2016-02-23 14:28 - 2016-02-23 14:28 - 00000000 ____D C:\Users\Default User\AppData\Roaming\AVG
2016-02-23 14:28 - 2016-02-23 14:28 - 00000000 ____D C:\Users\Default User\AppData\Local\AVG

==================== One Month Modified files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2016-03-22 10:47 - 2009-07-14 06:13 - 00717892 _____ C:\Windows\system32\PerfStringBackup.INI
2016-03-22 10:47 - 2009-07-14 04:20 - 00000000 ____D C:\Windows\inf
2016-03-22 10:36 - 2014-07-03 12:53 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Java
2016-03-22 10:36 - 2014-07-03 12:53 - 00000000 ____D C:\Program Files (x86)\Java
2016-03-22 10:35 - 2014-07-03 12:53 - 00278624 _____ (Oracle Corporation) C:\Windows\SysWOW64\javaws.exe
2016-03-22 10:35 - 2014-07-03 12:53 - 00097888 _____ (Oracle Corporation) C:\Windows\SysWOW64\WindowsAccessBridge-32.dll
2016-03-22 10:25 - 2009-07-14 05:45 - 00021872 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2016-03-22 10:25 - 2009-07-14 05:45 - 00021872 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2016-03-22 10:18 - 2012-07-06 10:37 - 00000904 _____ C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1205956071-2428138795-338955350-1000UA.job
2016-03-22 10:18 - 2012-07-06 10:37 - 00000852 _____ C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1205956071-2428138795-338955350-1000Core.job
2016-03-22 10:18 - 2009-07-14 06:08 - 00000006 ____H C:\Windows\Tasks\SA.DAT
2016-03-22 08:15 - 2009-07-14 04:20 - 00000000 __RHD C:\Users\Public\Libraries
2016-03-18 10:21 - 2015-07-17 10:49 - 00000000 ____D C:\Program Files (x86)\Rosetta Stone
2016-03-18 09:44 - 2016-02-07 01:21 - 00000000 ____D C:\Users\User\AppData\Local\AvgSetupLog
2016-03-18 09:08 - 2015-07-23 23:10 - 00000000 ____D C:\Users\User\AppData\Roaming\YcanPDF
2016-03-18 08:53 - 2016-02-07 01:24 - 00000000 ____D C:\ProgramData\MFAData
2016-03-15 10:51 - 2016-02-07 01:27 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\AVG
2016-03-15 10:49 - 2016-02-07 01:21 - 00000000 ____D C:\Users\User\AppData\Local\Avg
2016-03-15 10:03 - 2012-07-06 10:38 - 00002336 _____ C:\Users\User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Google Chrome.lnk
2016-03-15 08:30 - 2016-02-07 01:27 - 00000000 ____D C:\Program Files\Common Files\AV
2016-02-23 14:30 - 2016-02-07 01:23 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\AVG Zen
2016-02-23 14:29 - 2016-02-07 01:28 - 00000000 ____D C:\Users\User\AppData\Roaming\AVG

==================== Files in the root of some directories =======

2013-09-11 09:06 - 2016-01-28 09:17 - 0010540 _____ () C:\Users\User\AppData\Roaming\docXConverter (3).ini
2013-09-11 09:06 - 2016-01-28 09:16 - 0000137 ____H () C:\Users\User\AppData\Roaming\lakerda1967.sys

Some files in TEMP:
====================
C:\Users\User\AppData\Local\Temp\jre-8u73-windows-au.exe
C:\Users\User\AppData\Local\Temp\sqlite3.dll


==================== Bamital & volsnap =================

(There is no automatic fix for files that do not pass verification.)

C:\Windows\system32\winlogon.exe => File is digitally signed
C:\Windows\system32\wininit.exe => File is digitally signed
C:\Windows\SysWOW64\wininit.exe => File is digitally signed
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\SysWOW64\explorer.exe => File is digitally signed
C:\Windows\system32\svchost.exe => File is digitally signed
C:\Windows\SysWOW64\svchost.exe => File is digitally signed
C:\Windows\system32\services.exe => File is digitally signed
C:\Windows\system32\User32.dll => File is digitally signed
C:\Windows\SysWOW64\User32.dll => File is digitally signed
C:\Windows\system32\userinit.exe => File is digitally signed
C:\Windows\SysWOW64\userinit.exe => File is digitally signed
C:\Windows\system32\rpcss.dll => File is digitally signed
C:\Windows\system32\dnsapi.dll => File is digitally signed
C:\Windows\SysWOW64\dnsapi.dll => File is digitally signed
C:\Windows\system32\Drivers\volsnap.sys => File is digitally signed


LastRegBack: 2016-03-22 09:09

==================== End of FRST.txt ============================
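The log above is read by eye in the thread. As an added example (not code from the original post, from FRST or from its author), here is a small Python triage pass over FRST.txt lines that flags the things a reviewer checks first: service and plugin entries whose file no longer exists (`[X]` or `=> No File`), MountPoints2 autoruns tied to removable drives (the USB angle the poster covered by scanning four flash drives), programs running from user-writable paths, kernel drivers created in the last month (the AVG driver still on disk next to a running Microsoft Security Client is the kind of overlap the "two antiviruses" reply points at), and entries with no vendor string. The regexes, rule names and the user-writable path list are this example's assumptions about the format; the sample lines are copied from the posted log.

```python
"""Triage pass over FRST (Farbar Recovery Scan Tool) log lines.

Added example: not code from the forum post, from FRST or from its author.
It parses a few FRST.txt line shapes (processes, Run keys, MountPoints2,
services/drivers, Chrome plugins, "One Month Created files") and flags what a
log reader checks first. Rule names, regexes and the user-writable path list
are this example's assumptions, modelled on the log shown in the post.
"""
import re
from dataclasses import dataclass

# Line shapes as they appear in FRST.txt (patterns are assumptions of this example).
RE_PROCESS = re.compile(r"^\((?P<vendor>[^)]*)\) (?P<path>[A-Za-z]:\\.+)$")
RE_RUN = re.compile(
    r"^(?P<hive>HKLM|HKLM-x32|HKU\\S-[\d-]+)\\\.\.\.\\Run: \[(?P<name>[^\]]+)\] => "
    r"(?P<path>.+?) \[(?P<size>\d+) (?P<date>\d{4}-\d{2}-\d{2})\] \((?P<vendor>[^)]*)\)$"
)
RE_MOUNTPOINT = re.compile(r"MountPoints2: \{[0-9a-f-]+\} - (?P<path>.+)$")
RE_SERVICE = re.compile(  # services and drivers share this shape
    r"^(?P<state>[RSU]\d) (?P<name>[^;]+); (?P<path>.+?)"
    r"(?: \[(?P<size>\d+) (?P<date>\d{4}-\d{2}-\d{2})\] \((?P<vendor>[^)]*)\)| \[X\])$"
)
RE_CHR_PLUGIN = re.compile(r"^CHR Plugin: \((?P<name>[^)]+)\) - (?P<path>.+?) => No File$")
RE_CREATED = re.compile(  # "One Month Created files and folders"
    r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2} - \d{4}-\d{2}-\d{2} \d{2}:\d{2} - (?P<size>\d+) "
    r"(?P<attrs>[_A-Z]{5}) (?:\((?P<vendor>[^)]*)\) )?(?P<path>[A-Za-z]:\\.+)$"
)
# Path fragments an unprivileged user can write to. Code running from here is not
# automatically bad (Chrome installs per user), but it is where droppers live.
USER_WRITABLE = ("\\Users\\", "\\ProgramData\\", "\\Temp\\")


@dataclass(frozen=True)
class Finding:
    rule: str  # rule name, used as the key by summarize()
    line: str  # the FRST line that triggered it, verbatim


def triage(lines):
    """Return a Finding for every line that trips one of the review rules."""
    findings = []
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        if RE_CHR_PLUGIN.match(line):  # stale plugin registration
            findings.append(Finding("missing-file", line))
            continue
        m = RE_SERVICE.match(line)
        if m:
            if m.group("vendor") is None:  # the "[X]" form: the binary is gone
                findings.append(Finding("missing-file", line))
            continue
        if RE_MOUNTPOINT.search(line):  # autorun tied to a removable drive
            findings.append(Finding("removable-media-autorun", line))
            continue
        m = RE_CREATED.match(line)
        if m:
            if m.group("path").lower().endswith(".sys"):  # new kernel driver this month
                findings.append(Finding("new-kernel-driver", line))
            continue
        m = RE_RUN.match(line) or RE_PROCESS.match(line)
        if m:
            if not m.group("vendor"):  # no company name in the PE version info
                findings.append(Finding("no-vendor", line))
            if any(frag in m.group("path") for frag in USER_WRITABLE):
                findings.append(Finding("user-writable-path", line))
    return findings


def summarize(findings):
    """Group findings by rule: {rule: [line, ...]}."""
    out = {}
    for f in findings:
        out.setdefault(f.rule, []).append(f.line)
    return out


# Sample input: lines copied from the FRST.txt posted above (a subset, not a full log).
SAMPLE = r"""
(Microsoft Corporation) C:\Program Files\Microsoft Security Client\MsMpEng.exe
(MyCity) C:\Program Files (x86)\MCShield\MCShieldRTM.exe
(AeroAdmin Inc.) C:\Users\User\Desktop\AeroAdmin.exe
HKLM\...\Run: [MSC] => C:\Program Files\Microsoft Security Client\msseces.exe [1271072 2014-03-11] (Microsoft Corporation)
HKU\S-1-5-21-1205956071-2428138795-338955350-1000\...\MountPoints2: {5cd069f3-3cae-11e1-b48b-806e6f6e6963} - E:\Bin\assetup.exe
HKU\S-1-5-21-1205956071-2428138795-338955350-1000\...\MountPoints2: {f95b38e7-ea7e-11e5-9b1a-14dae993f609} - F:\SISetup.exe
CHR Plugin: (Native Client) - C:\Users\User\AppData\Local\Google\Chrome\Application\49.0.2623.87\ppGoogleNaClPluginChrome.dll => No File
R2 MsMpSvc; C:\Program Files\Microsoft Security Client\MsMpEng.exe [23808 2014-03-11] (Microsoft Corporation)
S2 RosettaStoneDaemon; "C:\Program Files (x86)\RosettaStoneLtdServices\RosettaStoneDaemon.exe" [X]
S3 ebdrv; C:\Windows\system32\drivers\evbda.sys [3286016 2009-06-10] (Broadcom Corporation)
2016-03-22 10:47 - 2016-03-22 10:47 - 02374144 _____ (Farbar) C:\Users\User\Desktop\FRST64.exe
2016-03-15 09:02 - 2011-04-15 17:14 - 00016384 _____ C:\Windows\system32\Drivers\HPM1210FAX.sys
2016-03-02 10:21 - 2016-03-02 10:21 - 00269232 _____ (AVG Technologies CZ, s.r.o.) C:\Windows\system32\Drivers\avgmfx64.sys
""".splitlines()

if __name__ == "__main__":
    for rule, hits in sorted(summarize(triage(SAMPLE)).items()):
        print(f"{rule} ({len(hits)})")
        for hit in hits:
            print("  " + hit)
```

The flags are prompts, not verdicts: AeroAdmin.exe on the Desktop is the remote-support tool used for this session, and HPM1210FAX.sys belongs to the HP printer installed on 2016-03-15, so both get a look and a dismissal. Feed the whole FRST.txt to `triage()` instead of SAMPLE to run it over a real log.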

offline
  • Research Engineer @MalwareBytes
  • Joined: 09 Aug 2011
  • Posts: 15877
  • Location: Beograd

It doesn't look infected at first glance. Remove one of those two antiviruses and that's it. Install CryptoPrevent.

offline
  • Joined: 18 Jul 2003
  • Posts: 4204
  • Location: In a golden cage

They're already removed; those are leftovers. Give me the link for Crypto.

offline
  • Research Engineer @MalwareBytes
  • Joined: 09 Aug 2011
  • Posts: 15877
  • Location: Beograd

You have Google.

http://lmgtfy.com/?q=CryptoPrevent
