Windows out of Virtual Memory

  • Joined: 24 Mar 2014
  • Posts: 29

Good evening or good morning - whichever applies. I was on the "Windows" board and they sent me here. Since this morning my computer has started to stutter; when I turn it on it's as if it launches countless programs in the background, but I can't find anything. I also ran disk defragment and checked the disk for errors, found nothing, i.e. nothing got better. It keeps processing something and seems to be struggling, and it throws up a notification that I'm out of virtual memory. I can barely write this. It all started, it seems to me, when I moved a couple of films from Downloads into a folder on the D drive. Then it started throwing errors one after another, a TuneUpUtilities.exe error, then an error here and there, chaos.. What should I do? Thanks in advance and best regards.

  • Research Engineer @MalwareBytes
  • Joined: 09 Aug 2011
  • Posts: 15874
  • Location: Beograd

Hello,

Follow the topic below and provide the reports

http://www.mycity.rs/Ambulanta/Kako-otvoriti-temu-u-Ambulanti.html

  • Joined: 24 Mar 2014
  • Posts: 29

Posted: 09 Jul 2014 9:11

Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version:05-07-2014 01
Ran by Jolly (administrator) on XPWINDOWS7 on 09-07-2014 08:40:05
Running from C:\Documents and Settings\Jolly\My Documents\Downloads
Platform: Microsoft Windows XP Professional Service Pack 3 (X86) OS Language: English (United States)
Internet Explorer Version 7
Boot Mode: Normal

The only official download link for FRST:
Download link for 32-Bit version: bleepingcomputer.com/download/farbar-recovery-scan-tool/dl/81/
Download link for 64-Bit Version: bleepingcomputer.com/download/farbar-recovery-scan-tool/dl/82/
Download link from any site other than Bleeping Computer is unpermitted or outdated.
See tutorial for FRST: geekstogo.com/forum/topic/335081-frst-t.....scan-tool/

==================== Processes (Whitelisted) =================

(AVG Technologies CZ, s.r.o.) C:\PROGRA~1\AVG\AVG2012\avgrsx.exe
(AVG Technologies CZ, s.r.o.) C:\Program Files\AVG\AVG2012\avgcsrvx.exe
(AVG Technologies CZ, s.r.o.) C:\Program Files\AVG\AVG2012\avgwdsvc.exe
(TuneUp Software) C:\Program Files\TuneUp Utilities 2014\TuneUpUtilitiesService32.exe
(AVG Technologies CZ, s.r.o.) C:\Program Files\AVG\AVG2012\avgtray.exe
(MyCity) C:\Program Files\MCShield\MCShieldRTM.exe
(Microsoft Corporation) C:\WINDOWS\system32\wuauclt.exe
(BitTorrent Inc.) C:\Documents and Settings\Jolly\Application Data\uTorrent\uTorrent.exe
(Google Inc.) C:\Program Files\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files\Google\Chrome\Application\chrome.exe
(Farbar) C:\Documents and Settings\Jolly\My Documents\Downloads\FRST (1).exe
(Farbar) C:\Documents and Settings\Jolly\My Documents\Downloads\FRST (2).exe


==================== Registry (Whitelisted) ==================

HKLM\...\Run: [AVG_TRAY] => C:\Program Files\AVG\AVG2012\avgtray.exe [2598520 2012-11-19] (AVG Technologies CZ, s.r.o.)
HKLM\...\Run: [KernelFaultCheck] => %systemroot%\system32\dumprep 0 -k
Winlogon\Notify\AtiExtEvent: C:\WINDOWS\system32\Ati2evxx.dll (ATI Technologies Inc.)
HKLM\...\Policies\Explorer\Run: [37797] => C:\Documents and Settings\All Users\Local Settings\Temp\msikevacy.exe [273408 2012-06-02] ( (Adobe Systems Inc.))
HKLM\...\Policies\Explorer: [NoRemoteRecursiveEvents] 1
HKU\.DEFAULT\...\RunOnce: [nltide_2] - regsvr32 /s /n /i:U shell32
HKU\.DEFAULT\...\RunOnce: [nltide_3] - rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N
HKU\S-1-5-21-329068152-1326574676-1606980848-1003\...\Run: [MCShield Monitor] => C:\Program Files\MCShield\MCShieldRTM.exe [650816 2014-04-11] (MyCity)
HKU\S-1-5-21-329068152-1326574676-1606980848-1003\...\Run: [uTorrent] => C:\Documents and Settings\Jolly\Application Data\uTorrent\uTorrent.exe [1322832 2014-07-02] (BitTorrent Inc.)
HKU\S-1-5-21-329068152-1326574676-1606980848-1003\...\Run: [Facebook Update] => C:\Documents and Settings\Jolly\Local Settings\Application Data\Facebook\Update\FacebookUpdate.exe [138096 2014-05-16] (Facebook Inc.)
HKU\S-1-5-21-329068152-1326574676-1606980848-1003\...\Policies\Explorer: [NoActiveDesktop] 0x00000000
HKU\S-1-5-21-329068152-1326574676-1606980848-1003\...\Policies\Explorer: [NoSaveSettings] 0x00000000
HKU\S-1-5-21-329068152-1326574676-1606980848-1003\...\Policies\Explorer: [ClearRecentDocsOnExit] 0x0000000000000000
HKU\S-1-5-21-329068152-1326574676-1606980848-1003\...\Winlogon: [Shell] C:\Documents and Settings\Jolly\Application Data\SunJavaUpdataShedule\SunJavaUpdata.exe [1275904 2014-04-13] (Sony Corporation) <==== ATTENTION
Startup: C:\Documents and Settings\Jolly\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk
ShortcutTarget: OneNote 2007 Screen Clipper and Launcher.lnk -> C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE (Microsoft Corporation)
BootExecute: autocheck autochk * C:\PROGRA~1\AVG\AVG2012\avgrsx.exe /sync /restart

==================== Internet (Whitelisted) ====================

HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = wyzo.wyzostart.com/?cfg=2-47-0-0&engine_id=.....country=BA
SearchScopes: HKCU - DefaultScope {1F1DD852-89B9-7F11-D737-3C55E9E56A3C} URL = wyzo.wyzostart.com/s/?q={searchTerms}&iesrc={referrer:source?}&cfg=2-47-0-0
SearchScopes: HKCU - {1F1DD852-89B9-7F11-D737-3C55E9E56A3C} URL = wyzo.wyzostart.com/s/?q={searchTerms}&iesrc={referrer:source?}&cfg=2-47-0-0
SearchScopes: HKCU - {6A1806CD-94D4-4689-BA73-E35EA1EA9990} URL = google.com/search?q={searchTerms}&rls=com.microsoft:{language}&ie={inputEncoding}&oe={outputEncoding}&startIndex={startIndex?}&startPage={startPage}
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll (Microsoft Corporation)
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG2012\avgpp.dll (AVG Technologies CZ, s.r.o.)
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Common Files\Skype\Skype4COM.dll (Skype Technologies)
Tcpip\Parameters: [DhcpNameServer] 192.168.1.1 192.168.1.1

FireFox:
========
FF ProfilePath: C:\Documents and Settings\Jolly\Application Data\Mozilla\Firefox\Profiles\u50vzrml.default
FF Plugin: @adobe.com/FlashPlayer - C:\WINDOWS\system32\Macromed\Flash\NPSWF32_11_9_900_170.dll ()
FF Plugin: @Microsoft.com/NpCtrl,version=1.0 - C:\Program Files\Microsoft Silverlight\5.1.20913.0\npctrl.dll ( Microsoft Corporation)
FF Plugin HKCU: @Skype Limited.com/Facebook Video Calling Plugin - C:\Documents and Settings\Jolly\Local Settings\Application Data\Facebook\Video\Skype\npFacebookVideoCalling.dll (Skype Limited)
FF user.js: detected! => C:\Documents and Settings\Jolly\Application Data\Mozilla\Firefox\Profiles\u50vzrml.default\user.js
FF Extension: GoPhotoIt - C:\Documents and Settings\Jolly\Application Data\Mozilla\Firefox\Profiles\u50vzrml.default\Extensions\gophoto@gophoto.it.xpi [2013-08-08]
FF StartMenuInternet: FIREFOX.EXE - C:\zoek_backup\C_Program Files_Mozilla Firefox\firefox.exe

Chrome:
=======
CHR HomePage: hxxp://www.search.ask.com/?o=APN10645A&gct=hp&d=406-420&v=a10733-176&t=4
CHR RestoreOnStartup: "hxxp://google.rs/"
CHR DefaultSearchKeyword: facebook
CHR DefaultSearchProvider: Facebook
CHR DefaultSearchURL: facebook.com/search.php?q={searchTerms}
CHR DefaultNewTabURL:
CHR Extension: (Google новчаник) - C:\Documents and Settings\Jolly\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2013-11-27]
CHR Extension: (GoPhoto.it) - C:\Documents and Settings\Jolly\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\pfmopbbadnfoelckkcmjjeaaegjpjjbk [2014-04-06]
CHR HKLM\...\Chrome\Extension: [pfmopbbadnfoelckkcmjjeaaegjpjjbk] - C:\Program Files\Gophoto.it\gophotoit16.crx [2013-08-08]

========================== Services (Whitelisted) =================

S4 Ati HotKey Poller; C:\WINDOWS\system32\Ati2evxx.exe [495616 2007-12-05] (ATI Technologies Inc.) [File not signed]
S4 ATI Smart; C:\WINDOWS\system32\ati2sgag.exe [593920 2007-09-28] () [File not signed]
R2 avgwd; C:\Program Files\AVG\AVG2012\avgwdsvc.exe [193288 2012-02-13] (AVG Technologies CZ, s.r.o.)
S3 ClipSrv; C:\WINDOWS\system32\clipsrv.exe [43008 2008-04-28] (Microsoft Corporation) [File not signed]
S4 JavaQuickStarterService; C:\Program Files\Java\jre7\bin\jqs.exe [182696 2013-12-18] (Oracle Corporation)
S3 mnmsrvc; C:\WINDOWS\system32\mnmsrvc.exe [53248 2008-04-28] (Microsoft Corporation) [File not signed]
S3 MSDTC; C:\WINDOWS\system32\msdtc.exe [30720 2008-04-28] (Microsoft Corporation) [File not signed]
S4 NAUpdate; C:\Program Files\Nero\Update\NASvc.exe [769432 2012-07-13] (Nero AG)
S4 Skype C2C Service; C:\Documents and Settings\All Users\Application Data\Skype\Toolbars\Skype C2C Service\c2c_service.exe [3275136 2013-10-09] (Skype Technologies S.A.)
R2 TuneUp.UtilitiesSvc; C:\Program Files\TuneUp Utilities 2014\TuneUpUtilitiesService32.exe [1740600 2013-08-29] (TuneUp Software)
S3 Wmi; C:\WINDOWS\System32\advapi32.dll [617472 2008-03-20] (Microsoft Corporation) [File not signed]

==================== Drivers (Whitelisted) ====================

S3 A5AGU; C:\WINDOWS\System32\DRIVERS\A5AGU.sys [347648 2006-05-08] (D-Link Corporation)
R3 AtcL001; C:\WINDOWS\System32\DRIVERS\atl01_xp.sys [35712 2006-08-22] (Attansic Technology corporation.)
R3 ati2mtag; C:\WINDOWS\System32\DRIVERS\ati2mtag.sys [2782208 2007-12-05] (ATI Technologies Inc.) [File not signed]
R0 AVGIDSHX; C:\WINDOWS\System32\DRIVERS\avgidshx.sys [24896 2012-04-18] (AVG Technologies CZ, s.r.o. )
R1 Avgldx86; C:\WINDOWS\System32\DRIVERS\avgldx86.sys [250080 2012-11-08] (AVG Technologies CZ, s.r.o.)
R1 Avgmfx86; C:\WINDOWS\System32\DRIVERS\avgmfx86.sys [41040 2011-12-23] (AVG Technologies CZ, s.r.o.)
R0 Avgrkx86; C:\WINDOWS\System32\DRIVERS\avgrkx86.sys [31952 2012-01-30] (AVG Technologies CZ, s.r.o.)
R1 Avgtdix; C:\WINDOWS\System32\DRIVERS\avgtdix.sys [302368 2013-04-11] (AVG Technologies CZ, s.r.o.)
S3 CCDECODE; C:\WINDOWS\System32\DRIVERS\CCDECODE.sys [17024 2008-04-13] (Microsoft Corporation)
R1 dtsoftbus01; C:\WINDOWS\System32\DRIVERS\dtsoftbus01.sys [242240 2014-03-08] (DT Soft Ltd)
R3 IntcAzAudAddService; C:\WINDOWS\System32\drivers\RtkHDAud.sys [4374016 2006-08-24] (Realtek Semiconductor Corp.) [File not signed]
R0 mv614x; C:\WINDOWS\System32\DRIVERS\mv614x.sys [63232 2006-07-03] ()
S3 NdisIP; C:\WINDOWS\System32\DRIVERS\NdisIP.sys [10880 2008-04-13] (Microsoft Corporation)
R3 PAC7302; C:\WINDOWS\System32\DRIVERS\PAC7302.SYS [458752 2007-11-08] (PixArt Imaging Inc.) [File not signed]
R0 sptd; C:\WINDOWS\System32\Drivers\sptd.sys [664064 2012-10-30] () [File not signed]
R1 tStLib; C:\WINDOWS\System32\drivers\tStLib.sys [55224 2014-02-19] (StdLib)
R3 TuneUpUtilitiesDrv; C:\Program Files\TuneUp Utilities 2014\TuneUpUtilitiesDriver32.sys [12320 2013-08-21] (TuneUp Software)
R0 videX32; C:\WINDOWS\System32\DRIVERS\videX32.sys [9728 2006-02-23] (VIA Technologies, Inc.)
R0 xfilt; C:\WINDOWS\System32\DRIVERS\xfilt.sys [11264 2006-02-23] (VIA Technologies,Inc)
S4 IntelIde; No ImagePath
S3 USBAAPL; System32\Drivers\usbaapl.sys [X]

==================== NetSvcs (Whitelisted) ===================


==================== One Month Created Files and Folders ========

2014-07-09 08:39 - 2014-07-09 08:40 - 00000000 ____D () C:\FRST
2014-07-08 23:27 - 2014-07-08 23:27 - 00457230 _____ () C:\Documents and Settings\Jolly\Desktop\dddd.bmp
2014-07-08 22:40 - 2014-07-08 22:40 - 00065536 _____ () C:\WINDOWS\Minidump\Mini070814-05.dmp
2014-07-08 21:42 - 2014-07-08 21:42 - 00065536 _____ () C:\WINDOWS\Minidump\Mini070814-04.dmp
2014-07-08 21:04 - 2014-07-08 21:04 - 00065536 _____ () C:\WINDOWS\Minidump\Mini070814-03.dmp
2014-07-08 18:30 - 2014-07-08 18:30 - 00065536 _____ () C:\WINDOWS\Minidump\Mini070814-02.dmp
2014-07-08 15:49 - 2014-07-08 15:49 - 00065536 _____ () C:\WINDOWS\Minidump\Mini070814-01.dmp
2014-07-08 14:04 - 2014-07-09 08:26 - 00000159 _____ () C:\WINDOWS\wiadebug.log
2014-07-08 14:02 - 2014-07-09 08:24 - 00000048 _____ () C:\WINDOWS\wiaservc.log
2014-07-08 14:02 - 2014-07-08 14:02 - 00498640 _____ () C:\WINDOWS\system32\FNTCACHE.DAT
2014-07-08 14:02 - 2014-07-08 14:02 - 00138720 _____ () C:\Documents and Settings\Jolly\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2014-07-08 14:02 - 2014-07-08 14:02 - 00000000 _____ () C:\WINDOWS\Sti_Trace.log
2014-07-02 16:38 - 2014-07-02 16:38 - 00000000 ____D () C:\Program Files\MyFree Codec
2014-07-02 16:38 - 2014-07-02 16:38 - 00000000 ____D () C:\Documents and Settings\All Users\Start Menu\Programs\MyFree Codec
2014-07-02 16:36 - 2014-07-07 19:12 - 00000000 ____D () C:\Documents and Settings\Jolly\Application Data\Samsung
2014-07-02 16:33 - 2014-07-02 16:33 - 00000000 ____D () C:\Documents and Settings\Jolly\Local Settings\Application Data\Downloaded Installations
2014-06-11 18:55 - 2014-06-11 18:55 - 00000721 _____ () C:\Documents and Settings\Jolly\Desktop\VirtualDJ Home FREE.lnk
2014-06-11 18:54 - 2014-07-03 22:45 - 00000000 ____D () C:\Documents and Settings\Jolly\My Documents\VirtualDJ
2014-06-11 18:54 - 2014-06-11 18:55 - 00000000 ____D () C:\Documents and Settings\Jolly\Start Menu\Programs\VirtualDJ
2014-06-11 18:54 - 2014-06-11 18:54 - 00000000 ____D () C:\Program Files\VirtualDJ
2014-06-11 00:09 - 2014-07-07 22:42 - 00000000 ____D () C:\Documents and Settings\Jolly\Start Menu\Programs\Virtual DJ

==================== One Month Modified Files and Folders =======

2014-07-09 08:41 - 2014-04-05 23:34 - 00000000 ____D () C:\Documents and Settings\Jolly\Application Data\uTorrent
2014-07-09 08:41 - 2014-03-26 15:56 - 00000000 ____D () C:\Documents and Settings\Jolly\Local Settings\Temp
2014-07-09 08:41 - 2014-01-05 13:34 - 116858691 _____ () C:\Documents and Settings\Jolly\avgui.log
2014-07-09 08:41 - 2013-01-07 14:50 - 00000294 _____ () C:\WINDOWS\Tasks\Browser Manager.job
2014-07-09 08:40 - 2014-07-09 08:39 - 00000000 ____D () C:\FRST
2014-07-09 08:30 - 2011-12-21 20:13 - 00004732 _____ () C:\WINDOWS\system32\PerfStringBackup.INI
2014-07-09 08:26 - 2014-07-08 14:04 - 00000159 _____ () C:\WINDOWS\wiadebug.log
2014-07-09 08:26 - 2014-03-26 17:25 - 00000000 ____D () C:\Documents and Settings\All Users\Application Data\MCShield
2014-07-09 08:25 - 2013-02-08 17:28 - 01340889 _____ () C:\WINDOWS\WindowsUpdate.log
2014-07-09 08:24 - 2014-07-08 14:02 - 00000048 _____ () C:\WINDOWS\wiaservc.log
2014-07-09 08:24 - 2012-11-23 12:28 - 00000896 _____ () C:\WINDOWS\Tasks\GoogleUpdateTaskMachineCore.job
2014-07-09 08:24 - 2011-12-21 13:29 - 00000006 ____H () C:\WINDOWS\Tasks\SA.DAT
2014-07-09 03:10 - 2012-11-23 12:28 - 00000900 _____ () C:\WINDOWS\Tasks\GoogleUpdateTaskMachineUA.job
2014-07-09 02:16 - 2013-09-28 11:50 - 00000178 ___SH () C:\Documents and Settings\Jolly\ntuser.ini
2014-07-09 02:16 - 2013-02-08 17:20 - 00131072 _____ () C:\WINDOWS\system32\config\TuneUp.evt
2014-07-09 02:16 - 2011-12-21 13:29 - 00032564 _____ () C:\WINDOWS\SchedLgU.Txt
2014-07-09 01:00 - 2013-09-28 13:26 - 00039424 _____ () C:\Documents and Settings\Jolly\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
2014-07-09 00:56 - 2014-05-16 18:51 - 00000998 _____ () C:\WINDOWS\Tasks\FacebookUpdateTaskUserS-1-5-21-329068152-1326574676-1606980848-1003UA.job
2014-07-08 23:27 - 2014-07-08 23:27 - 00457230 _____ () C:\Documents and Settings\Jolly\Desktop\dddd.bmp
2014-07-08 22:40 - 2014-07-08 22:40 - 00065536 _____ () C:\WINDOWS\Minidump\Mini070814-05.dmp
2014-07-08 22:40 - 2012-01-23 15:09 - 00000000 ____D () C:\WINDOWS\Minidump
2014-07-08 21:42 - 2014-07-08 21:42 - 00065536 _____ () C:\WINDOWS\Minidump\Mini070814-04.dmp
2014-07-08 21:04 - 2014-07-08 21:04 - 00065536 _____ () C:\WINDOWS\Minidump\Mini070814-03.dmp
2014-07-08 18:30 - 2014-07-08 18:30 - 00065536 _____ () C:\WINDOWS\Minidump\Mini070814-02.dmp
2014-07-08 18:27 - 2011-12-22 14:57 - 00002267 _____ () C:\Documents and Settings\All Users\Desktop\Skype.lnk
2014-07-08 16:25 - 2013-10-16 16:53 - 00000000 ____D () C:\Documents and Settings\Jolly\Application Data\Skype
2014-07-08 15:49 - 2014-07-08 15:49 - 00065536 _____ () C:\WINDOWS\Minidump\Mini070814-01.dmp
2014-07-08 14:02 - 2014-07-08 14:02 - 00498640 _____ () C:\WINDOWS\system32\FNTCACHE.DAT
2014-07-08 14:02 - 2014-07-08 14:02 - 00138720 _____ () C:\Documents and Settings\Jolly\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2014-07-08 14:02 - 2014-07-08 14:02 - 00000000 _____ () C:\WINDOWS\Sti_Trace.log
2014-07-08 13:59 - 2013-12-24 19:10 - 00000000 ____D () C:\Documents and Settings\Jolly\Application Data\Wise Disk Cleaner
2014-07-07 22:42 - 2014-06-11 00:09 - 00000000 ____D () C:\Documents and Settings\Jolly\Start Menu\Programs\Virtual DJ
2014-07-07 22:42 - 2013-09-28 11:50 - 00000000 ____D () C:\Documents and Settings\Jolly
2014-07-07 22:41 - 2014-02-28 19:34 - 00000000 ____D () C:\Documents and Settings\Jolly\Application Data\Winamp
2014-07-07 19:12 - 2014-07-02 16:36 - 00000000 ____D () C:\Documents and Settings\Jolly\Application Data\Samsung
2014-07-07 19:12 - 2012-12-09 15:28 - 00000000 ____D () C:\Program Files\SAMSUNG
2014-07-07 19:12 - 2011-12-22 12:03 - 00000000 ___HD () C:\Program Files\InstallShield Installation Information
2014-07-07 19:08 - 2014-06-07 20:15 - 00000000 ____D () C:\Documents and Settings\All Users\Application Data\188F1432-103A-4ffb-80F1-36B633C5C9E1
2014-07-07 19:08 - 2014-06-07 20:11 - 00000000 ____D () C:\Program Files\Common Files\Apple
2014-07-07 19:08 - 2012-05-07 14:11 - 00000000 ____D () C:\Documents and Settings\All Users\Application Data\Apple Computer
2014-07-07 18:56 - 2014-05-16 18:51 - 00000976 _____ () C:\WINDOWS\Tasks\FacebookUpdateTaskUserS-1-5-21-329068152-1326574676-1606980848-1003Core.job
2014-07-03 22:45 - 2014-06-11 18:54 - 00000000 ____D () C:\Documents and Settings\Jolly\My Documents\VirtualDJ
2014-07-03 11:11 - 2004-08-04 14:00 - 00002206 _____ () C:\WINDOWS\system32\wpa.dbl
2014-07-02 16:38 - 2014-07-02 16:38 - 00000000 ____D () C:\Program Files\MyFree Codec
2014-07-02 16:38 - 2014-07-02 16:38 - 00000000 ____D () C:\Documents and Settings\All Users\Start Menu\Programs\MyFree Codec
2014-07-02 16:33 - 2014-07-02 16:33 - 00000000 ____D () C:\Documents and Settings\Jolly\Local Settings\Application Data\Downloaded Installations
2014-07-01 15:32 - 2014-03-08 18:26 - 00000000 ____D () C:\Documents and Settings\Jolly\My Documents\KONAMI
2014-06-26 21:53 - 2013-10-04 17:43 - 00000000 ____D () C:\Documents and Settings\Jolly\Local Settings\Application Data\NFS Underground 2
2014-06-25 15:09 - 2014-03-08 18:08 - 00000000 ____D () C:\Documents and Settings\Jolly\Application Data\DAEMON Tools Lite
2014-06-11 18:55 - 2014-06-11 18:55 - 00000721 _____ () C:\Documents and Settings\Jolly\Desktop\VirtualDJ Home FREE.lnk
2014-06-11 18:55 - 2014-06-11 18:54 - 00000000 ____D () C:\Documents and Settings\Jolly\Start Menu\Programs\VirtualDJ
2014-06-11 18:54 - 2014-06-11 18:54 - 00000000 ____D () C:\Program Files\VirtualDJ

Some content of TEMP:
====================
C:\Documents and Settings\All Users\Local Settings\Temp\msikevacy.exe


==================== Bamital & volsnap Check =================

C:\WINDOWS\explorer.exe
[2008-08-18 20:17] - [2008-08-18 20:17] - 1616384 ____A (Microsoft Corporation) 4a90f51b778fa0157f60d206e8b37d2a

C:\WINDOWS\system32\winlogon.exe
[2008-04-28 11:24] - [2008-04-28 11:24] - 0547328 ____A (Microsoft Corporation) a55b8899d2ea2e800061bcfd456e34dc

C:\WINDOWS\system32\svchost.exe => File is digitally signed
C:\WINDOWS\system32\services.exe => File is digitally signed
C:\WINDOWS\system32\User32.dll
[2008-03-20 20:36] - [2008-03-20 20:36] - 0578560 ____A (Microsoft Corporation) f92d8964b5286de225bd2b6bf89764be

C:\WINDOWS\system32\userinit.exe => File is digitally signed
C:\WINDOWS\system32\rpcss.dll => File is digitally signed
C:\WINDOWS\system32\Drivers\volsnap.sys => File is digitally signed

==================== End Of Log ============================

Addendum: 09 Jul 2014 9:12


  • Research Engineer @MalwareBytes
  • Joined: 09 Aug 2011
  • Posts: 15874
  • Location: Beograd

1. Open Notepad (Text Document) and copy the following text into the code box below:

HKLM\...\Policies\Explorer\Run: [37797] => C:\Documents and Settings\All Users\Local Settings\Temp\msikevacy.exe [273408 2012-06-02] ( (Adobe Systems Inc.))
HKU\S-1-5-21-329068152-1326574676-1606980848-1003\...\Policies\Explorer: [NoActiveDesktop] 0x00000000
HKU\S-1-5-21-329068152-1326574676-1606980848-1003\...\Policies\Explorer: [NoSaveSettings] 0x00000000
HKU\S-1-5-21-329068152-1326574676-1606980848-1003\...\Policies\Explorer: [ClearRecentDocsOnExit] 0x0000000000000000
HKU\S-1-5-21-329068152-1326574676-1606980848-1003\...\Winlogon: [Shell] C:\Documents and Settings\Jolly\Application Data\SunJavaUpdataShedule\SunJavaUpdata.exe [1275904 2014-04-13] (Sony Corporation) <==== ATTENTION
HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://wyzo.wyzostart.com/?cfg=2-47-0-0&engine_id=.....country=BA
SearchScopes: HKCU - DefaultScope {1F1DD852-89B9-7F11-D737-3C55E9E56A3C} URL = http://wyzo.wyzostart.com/s/?q={searchTerms}&iesrc={referrer:source?}&cfg=2-47-0-0
SearchScopes: HKCU - {1F1DD852-89B9-7F11-D737-3C55E9E56A3C} URL = http://wyzo.wyzostart.com/s/?q={searchTerms}&iesrc={referrer:source?}&cfg=2-47-0-0
SearchScopes: HKCU - {6A1806CD-94D4-4689-BA73-E35EA1EA9990} URL = http://www.google.com/search?q={searchTerms}&rls=com.microsoft:{language}&ie={inputEncoding}&oe={outputEncoding}&startIndex={startIndex?}&startPage={startPage}
FF Extension: GoPhotoIt - C:\Documents and Settings\Jolly\Application Data\Mozilla\Firefox\Profiles\u50vzrml.default\Extensions\gophoto@gophoto.it.xpi [2013-08-08]
FF StartMenuInternet: FIREFOX.EXE - C:\zoek_backup\C_Program Files_Mozilla Firefox\firefox.exe
CHR Extension: (GoPhoto.it) - C:\Documents and Settings\Jolly\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\pfmopbbadnfoelckkcmjjeaaegjpjjbk [2014-04-06]
CHR HKLM\...\Chrome\Extension: [pfmopbbadnfoelckkcmjjeaaegjpjjbk] - C:\Program Files\Gophoto.it\gophotoit16.crx [2013-08-08]
S4 IntelIde; No ImagePath
S3 USBAAPL; System32\Drivers\usbaapl.sys [X]
C:\Documents and Settings\All Users\Local Settings\Temp\msikevacy.exe
C:\Documents and Settings\Jolly\Application Data\SunJavaUpdataShedule
Task: C:\WINDOWS\Tasks\Browser Manager.job => C:\WINDOWS\system32\sc.exe
cmd: ipconfig /flushdns
Reboot:


2. Save the Notepad file to the Desktop under the name fixlist.txt
You can also do that from Notepad => click File, then Save As, and in the new window, at the bottom under File Name:, enter fixlist.txt as the name
Note: It is important that both files, FRST and fixlist, are in the same location, otherwise the fix will not work.

3. Run FRST/FRST64 again, click the Fix button once and wait.
If the tool asks for a system restart, allow it and make sure the tool completes the fix after the restart.

The tool will create a log (Fixlog.txt) on the Desktop. Copy the contents of that log into a post.
Note: If the tool warns you that a newer version exists, make sure you download and use the updated copy of FRST.
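A small triage script, added here as an example (it is not part of this thread and not FRST's own code), that applies mechanically the checks the fixlist above makes by hand over FRST-style log lines: entries FRST marked ATTENTION, a Winlogon Shell that is not explorer.exe, autoruns loaded from Temp or Application Data, Explorer policy values, start page or search scopes pointing at a host outside an allow-list, and services or drivers with no binary. The sample lines are constructed from the log posted earlier in the thread; the allow-list of search hosts is an assumption of the example, and a hit means "review this line", not "this is malware".

```python
"""FRST log triage (added example; not part of this thread and not FRST's own code).

Applies, mechanically, the checks the fixlist above makes by hand:
  * entries FRST itself marked '<==== ATTENTION'
  * a Winlogon Shell value that is not explorer.exe
  * Run/RunOnce autoruns whose binary lives under Temp or Application Data
  * Explorer policy values set for a user
  * IE start page / search scope whose host is not on an allow-list
  * services or drivers whose binary is missing (No ImagePath / [X])
A hit means "review this line", not "this is malware".
"""
import re

# Allow-list of search/start-page hosts; an assumption of this example.
TRUSTED_SEARCH_HOSTS = ("google.com", "bing.com")
# Path fragments any user can write to; autoruns from there deserve a look.
USER_WRITABLE = ("\\temp\\", "\\application data\\", "\\local settings\\")

# Constructed sample: lines copied from the FRST log posted earlier in the thread.
SAMPLE_LOG = r"""
HKLM\...\Run: [AVG_TRAY] => C:\Program Files\AVG\AVG2012\avgtray.exe [2598520 2012-11-19] (AVG Technologies CZ, s.r.o.)
HKLM\...\Policies\Explorer\Run: [37797] => C:\Documents and Settings\All Users\Local Settings\Temp\msikevacy.exe [273408 2012-06-02] ( (Adobe Systems Inc.))
HKU\S-1-5-21-329068152-1326574676-1606980848-1003\...\Policies\Explorer: [NoActiveDesktop] 0x00000000
HKU\S-1-5-21-329068152-1326574676-1606980848-1003\...\Winlogon: [Shell] C:\Documents and Settings\Jolly\Application Data\SunJavaUpdataShedule\SunJavaUpdata.exe [1275904 2014-04-13] (Sony Corporation) <==== ATTENTION
HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = wyzo.wyzostart.com/?cfg=2-47-0-0&engine_id=.....country=BA
SearchScopes: HKCU - DefaultScope {1F1DD852-89B9-7F11-D737-3C55E9E56A3C} URL = wyzo.wyzostart.com/s/?q={searchTerms}&iesrc={referrer:source?}&cfg=2-47-0-0
SearchScopes: HKCU - {6A1806CD-94D4-4689-BA73-E35EA1EA9990} URL = google.com/search?q={searchTerms}&rls=com.microsoft:{language}
HKU\S-1-5-21-329068152-1326574676-1606980848-1003\...\Run: [uTorrent] => C:\Documents and Settings\Jolly\Application Data\uTorrent\uTorrent.exe [1322832 2014-07-02] (BitTorrent Inc.)
S4 IntelIde; No ImagePath
S3 USBAAPL; System32\Drivers\usbaapl.sys [X]
R2 avgwd; C:\Program Files\AVG\AVG2012\avgwdsvc.exe [193288 2012-02-13] (AVG Technologies CZ, s.r.o.)
"""

SHELL_RE = re.compile(r"winlogon: \[shell\] (.+?) \[", re.IGNORECASE)
AUTORUN_RE = re.compile(r"\\run(once)?: \[", re.IGNORECASE)
POLICY_RE = re.compile(r"policies\\explorer: \[", re.IGNORECASE)
URL_RE = re.compile(r"(?:searchscopes:.*?url|start page) = (?:https?://)?([^/\s]+)", re.IGNORECASE)
SERVICE_RE = re.compile(r"^[RS]\d ")  # FRST service/driver lines start with R0..S4


def classify(line):
    """Return the list of reasons a single FRST line deserves review ([] if none)."""
    low = line.lower()
    reasons = []
    if "<==== attention" in low:
        reasons.append("marked ATTENTION by FRST")
    m = SHELL_RE.search(line)
    if m and not m.group(1).lower().endswith("explorer.exe"):
        reasons.append("Winlogon Shell replaced by " + m.group(1))
    if AUTORUN_RE.search(line) and any(p in low for p in USER_WRITABLE):
        reasons.append("autorun loaded from a user-writable path")
    if POLICY_RE.search(line):
        reasons.append("Explorer policy value set (review)")
    m = URL_RE.search(line)
    if m:
        host = m.group(1).lower()
        if not any(host == h or host.endswith("." + h) for h in TRUSTED_SEARCH_HOSTS):
            reasons.append("browser start/search URL points to " + host)
    if SERVICE_RE.match(line) and ("no imagepath" in low or low.endswith(" [x]")):
        reasons.append("service/driver with missing binary")
    return reasons


def triage(text):
    """Run classify over every non-empty line; return [(line, reasons)] for the hits."""
    hits = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        reasons = classify(line)
        if reasons:
            hits.append((line, reasons))
    return hits


if __name__ == "__main__":
    for line, reasons in triage(SAMPLE_LOG):
        print("REVIEW:", line)
        for reason in reasons:
            print("   -", reason)
```

On the sample, eight of the eleven lines are flagged; the uTorrent autorun is among them, which is exactly the kind of hit a human still has to judge.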

  • Joined: 24 Mar 2014
  • Posts: 29

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x86) Version:05-07-2014 01
Ran by Jolly at 2014-07-09 10:16:13 Run:1
Running from C:\Documents and Settings\Jolly\Desktop\New Folder
Boot Mode: Normal

==============================================

Content of fixlist:
*****************
HKLM\...\Policies\Explorer\Run: [37797] => C:\Documents and Settings\All Users\Local Settings\Temp\msikevacy.exe [273408 2012-06-02] ( (Adobe Systems Inc.))
HKU\S-1-5-21-329068152-1326574676-1606980848-1003\...\Policies\Explorer: [NoActiveDesktop] 0x00000000
HKU\S-1-5-21-329068152-1326574676-1606980848-1003\...\Policies\Explorer: [NoSaveSettings] 0x00000000
HKU\S-1-5-21-329068152-1326574676-1606980848-1003\...\Policies\Explorer: [ClearRecentDocsOnExit] 0x0000000000000000
HKU\S-1-5-21-329068152-1326574676-1606980848-1003\...\Winlogon: [Shell] C:\Documents and Settings\Jolly\Application Data\SunJavaUpdataShedule\SunJavaUpdata.exe [1275904 2014-04-13] (Sony Corporation) <==== ATTENTION
HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = wyzo.wyzostart.com/?cfg=2-47-0-0&engine_id=.....country=BA
SearchScopes: HKCU - DefaultScope {1F1DD852-89B9-7F11-D737-3C55E9E56A3C} URL = wyzo.wyzostart.com/s/?q={searchTerms}&iesrc={referrer:source?}&cfg=2-47-0-0
SearchScopes: HKCU - {1F1DD852-89B9-7F11-D737-3C55E9E56A3C} URL = wyzo.wyzostart.com/s/?q={searchTerms}&iesrc={referrer:source?}&cfg=2-47-0-0
SearchScopes: HKCU - {6A1806CD-94D4-4689-BA73-E35EA1EA9990} URL = google.com/search?q={searchTerms}&rls=com.microsoft:{language}&ie={inputEncoding}&oe={outputEncoding}&startIndex={startIndex?}&startPage={startPage}
FF Extension: GoPhotoIt - C:\Documents and Settings\Jolly\Application Data\Mozilla\Firefox\Profiles\u50vzrml.default\Extensions\gophoto@gophoto.it.xpi [2013-08-08]
FF StartMenuInternet: FIREFOX.EXE - C:\zoek_backup\C_Program Files_Mozilla Firefox\firefox.exe
CHR Extension: (GoPhoto.it) - C:\Documents and Settings\Jolly\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\pfmopbbadnfoelckkcmjjeaaegjpjjbk [2014-04-06]
CHR HKLM\...\Chrome\Extension: [pfmopbbadnfoelckkcmjjeaaegjpjjbk] - C:\Program Files\Gophoto.it\gophotoit16.crx [2013-08-08]
S4 IntelIde; No ImagePath
S3 USBAAPL; System32\Drivers\usbaapl.sys [X]
C:\Documents and Settings\All Users\Local Settings\Temp\msikevacy.exe
C:\Documents and Settings\Jolly\Application Data\SunJavaUpdataShedule
Task: C:\WINDOWS\Tasks\Browser Manager.job => C:\WINDOWS\system32\sc.exe
cmd: ipconfig /flushdns
Reboot:
*****************

HKLM\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run\\37797 => value deleted successfully.
HKU\S-1-5-21-329068152-1326574676-1606980848-1003\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\\NoActiveDesktop => value deleted successfully.
HKU\S-1-5-21-329068152-1326574676-1606980848-1003\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\\NoSaveSettings => value deleted successfully.
HKU\S-1-5-21-329068152-1326574676-1606980848-1003\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\\ClearRecentDocsOnExit => value deleted successfully.
HKU\S-1-5-21-329068152-1326574676-1606980848-1003\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\\Shell => value deleted successfully.
HKCU\Software\Microsoft\Internet Explorer\Main\\Start Page => Value was restored successfully.
HKCU\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => value deleted successfully.
'HKCU\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{1F1DD852-89B9-7F11-D737-3C55E9E56A3C}' => Key deleted successfully.
'HKCR\Wow6432Node\CLSID\{1F1DD852-89B9-7F11-D737-3C55E9E56A3C}'=> Key not found.
'HKCU\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{6A1806CD-94D4-4689-BA73-E35EA1EA9990}' => Key deleted successfully.
'HKCR\Wow6432Node\CLSID\{6A1806CD-94D4-4689-BA73-E35EA1EA9990}'=> Key not found.
C:\Documents and Settings\Jolly\Application Data\Mozilla\Firefox\Profiles\u50vzrml.default\Extensions\gophoto@gophoto.it.xpi => Moved successfully.
HKLM\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\open\command\\Default => Value was restored successfully.
C:\Documents and Settings\Jolly\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\pfmopbbadnfoelckkcmjjeaaegjpjjbk => Moved successfully.
'HKLM\SOFTWARE\Google\Chrome\Extensions\pfmopbbadnfoelckkcmjjeaaegjpjjbk' => Key deleted successfully.
C:\Program Files\Gophoto.it\gophotoit16.crx => Moved successfully.
IntelIde => Service deleted successfully.
USBAAPL => Service deleted successfully.
Could not move "C:\Documents and Settings\All Users\Local Settings\Temp\msikevacy.exe" => Scheduled to move on reboot.
C:\Documents and Settings\Jolly\Application Data\SunJavaUpdataShedule => Moved successfully.
C:\WINDOWS\Tasks\Browser Manager.job => Moved successfully.

========= ipconfig /flushdns =========



Windows IP Configuration



Successfully flushed the DNS Resolver Cache.


========= End of CMD: =========

  • Research Engineer @MalwareBytes
  • Joined: 09 Aug 2011
  • Posts: 15874
  • Location: Beograd

What is the situation now?

  • Joined: 24 Mar 2014
  • Posts: 29

Well, it's a bit better, but there still seems to be something in the background. I open Google Chrome and it shows by itself how much memory something is taking up. Even the most basic actions are hard for it..o.O

  • Research Engineer @MalwareBytes
  • Joined: 09 Aug 2011
  • Posts: 15874
  • Location: Beograd

1. Download sUBs' ComboFix from this link and save the tool to the Desktop.
• Right-click the link and choose Save Target As... (Save Link As..., Save Linked Content As... or similar);
• When the dialog for choosing the save location opens, choose Desktop and click Save.

------------------------------------------------------------
2. Temporarily disable the antivirus program, in most cases by right-clicking the program's icon in the system tray. It can interfere with the tool while it runs.
If you are not sure how to do that, follow these instructions.

------------------------------------------------------------
3. Double-click the icon to run ComboFix. Then, in the disclaimer window, click the I Agree! button

• ComboFix will check whether a new version of the tool is available.
Click Yes if asked to download it.
• If the Recovery Console is not installed, ComboFix will offer to download and install it.
Click Yes to allow the tool to download and install the Recovery Console
• ComboFix will scan the computer in stages (Stage_#), 50 stages in total.
Do not click around while ComboFix is examining the system.
• If malware is detected, ComboFix will begin removing it.
For that reason, the tool will restart Windows as needed (sometimes more than once);

Note: If, after the tool has run, you get an error (Illegal operation attempted on a registry key that has been marked for deletion) when starting programs, restart the computer and that will resolve the problem.

------------------------------------------------------------
4. When the tool finishes, it will create and open a report (typical location: C:\ComboFix.txt)
Copy the contents of the ComboFix.txt report into a post.

ComboFix will also create an additional report (typical location: C:\Qoobox\ComboFix-quarantined-files.txt)
Attach the ComboFix-quarantined-files.txt report to the post using the Attach file option

  • Joined: 24 Mar 2014
  • Posts: 29

It says it should take 10 min, maybe 20. I waited 2 hours - nothing.. should I wait even longer?

  • Research Engineer @MalwareBytes
  • Joined: 09 Aug 2011
  • Posts: 15874
  • Location: Beograd

Stop it, we'll try another tool:

Download Malwarebytes Anti-Rootkit (MBAR) from the following link and save it to the Desktop.

Run MBAR by double-clicking the program icon:
- Click OK in the next window to allow extraction into a separate mbar folder on the Desktop;
- mbar.exe will be started. On some systems this can take a few extra seconds, so wait for it to launch;
- In the introductory window click the Next button if you agree;

• In the 'Update Database' window click the Update button to download fresh definitions. When the message 'Success: Database was successfully updated' appears, click the Next button;
• Under the 'Scan Targets' section check that all options are ticked, then click the Scan button;

Notice: with some infections one of the following messages may appear:
- 'Could not load protection driver' => in that case click OK.
- 'Could not load DDA driver' => click Yes on that notice to allow loading after a restart. Allow the restart and continue with the rest of the instructions after the restart.

>> If no malware is detected, click the Exit button to close the program. In your next post, post the mbar-log-year-month-day (hour-minute-second).txt and system-log.txt reports.

>> If infection(s) are found, check that the 'Create Restore Point' option is ticked and click the Cleanup! button to remove the threats.
- The malware removal procedure will be scheduled for the restart; a notice will be shown in a pop-up window. Click the Yes button and the system should restart and complete the cleaning procedure.

Notice! Only if a rootkit is detected: make sure you run the fixdamage.exe tool located in the mbar folder, \Plugins\fixdamage.exe:
- Double-click to run fixdamage; in the black window that opens (command prompt) type Y (Y stands for Yes) to continue, and wait for the tool to complete all repairs ...
- When you see the message 'press any key to exit' the repair is complete. Press any key on the keyboard to close the window. Restart the system.

The following reports will be created in the mbar folder.
1. mbar-log-year-month-day (hour-minute-second).txt
2. system-log.txt

Copy the contents of the mbar log into a post and attach the system log to the post using the Attach file option.
