Windows out of Virtual Memory

  • Joined: 24 Mar 2014
  • Posts: 29

Good evening or good morning, whichever applies to you :) I was in the "Windows" section and they sent me here. Since this morning my computer has started stuttering; when I turn it on it is as if it launches countless programs in the background, but I can't find anything. I also ran a disk defragment and checked the disk for errors, but couldn't find anything, i.e. nothing is any better. It is constantly processing something and seems to be struggling, and it pops up a notification that I am out of virtual memory. I can barely type this. It all started, it seems to me, when I moved a couple of movies from Downloads to a folder on the D drive, and then it started throwing errors one after another: a TuneUpUtilities.exe error, then an error here, an error there, chaos.. What should I do? Thanks in advance and best regards.

  • Research Engineer @MalwareBytes
  • Joined: 09 Aug 2011
  • Posts: 15877
  • Location: Beograd

Hello,

Follow the topic below and post the reports

http://www.mycity.rs/Ambulanta/Kako-otvoriti-temu-u-Ambulanti.html

  • Joined: 24 Mar 2014
  • Posts: 29

Posted: 09 Jul 2014 9:11

Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version:05-07-2014 01
Ran by Jolly (administrator) on XPWINDOWS7 on 09-07-2014 08:40:05
Running from C:\Documents and Settings\Jolly\My Documents\Downloads
Platform: Microsoft Windows XP Professional Service Pack 3 (X86) OS Language: English (United States)
Internet Explorer Version 7
Boot Mode: Normal

The only official download link for FRST:
Download link for 32-Bit version: bleepingcomputer.com/download/farbar-recovery-scan-tool/dl/81/
Download link for 64-Bit Version: bleepingcomputer.com/download/farbar-recovery-scan-tool/dl/82/
Download link from any site other than Bleeping Computer is unpermitted or outdated.
See tutorial for FRST: geekstogo.com/forum/topic/335081-frst-t.....scan-tool/

==================== Processes (Whitelisted) =================

(AVG Technologies CZ, s.r.o.) C:\PROGRA~1\AVG\AVG2012\avgrsx.exe
(AVG Technologies CZ, s.r.o.) C:\Program Files\AVG\AVG2012\avgcsrvx.exe
(AVG Technologies CZ, s.r.o.) C:\Program Files\AVG\AVG2012\avgwdsvc.exe
(TuneUp Software) C:\Program Files\TuneUp Utilities 2014\TuneUpUtilitiesService32.exe
(AVG Technologies CZ, s.r.o.) C:\Program Files\AVG\AVG2012\avgtray.exe
(MyCity) C:\Program Files\MCShield\MCShieldRTM.exe
(Microsoft Corporation) C:\WINDOWS\system32\wuauclt.exe
(BitTorrent Inc.) C:\Documents and Settings\Jolly\Application Data\uTorrent\uTorrent.exe
(Google Inc.) C:\Program Files\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files\Google\Chrome\Application\chrome.exe
(Farbar) C:\Documents and Settings\Jolly\My Documents\Downloads\FRST (1).exe
(Farbar) C:\Documents and Settings\Jolly\My Documents\Downloads\FRST (2).exe


==================== Registry (Whitelisted) ==================

HKLM\...\Run: [AVG_TRAY] => C:\Program Files\AVG\AVG2012\avgtray.exe [2598520 2012-11-19] (AVG Technologies CZ, s.r.o.)
HKLM\...\Run: [KernelFaultCheck] => %systemroot%\system32\dumprep 0 -k
Winlogon\Notify\AtiExtEvent: C:\WINDOWS\system32\Ati2evxx.dll (ATI Technologies Inc.)
HKLM\...\Policies\Explorer\Run: [37797] => C:\Documents and Settings\All Users\Local Settings\Temp\msikevacy.exe [273408 2012-06-02] ( (Adobe Systems Inc.))
HKLM\...\Policies\Explorer: [NoRemoteRecursiveEvents] 1
HKU\.DEFAULT\...\RunOnce: [nltide_2] - regsvr32 /s /n /i:U shell32
HKU\.DEFAULT\...\RunOnce: [nltide_3] - rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N
HKU\S-1-5-21-329068152-1326574676-1606980848-1003\...\Run: [MCShield Monitor] => C:\Program Files\MCShield\MCShieldRTM.exe [650816 2014-04-11] (MyCity)
HKU\S-1-5-21-329068152-1326574676-1606980848-1003\...\Run: [uTorrent] => C:\Documents and Settings\Jolly\Application Data\uTorrent\uTorrent.exe [1322832 2014-07-02] (BitTorrent Inc.)
HKU\S-1-5-21-329068152-1326574676-1606980848-1003\...\Run: [Facebook Update] => C:\Documents and Settings\Jolly\Local Settings\Application Data\Facebook\Update\FacebookUpdate.exe [138096 2014-05-16] (Facebook Inc.)
HKU\S-1-5-21-329068152-1326574676-1606980848-1003\...\Policies\Explorer: [NoActiveDesktop] 0x00000000
HKU\S-1-5-21-329068152-1326574676-1606980848-1003\...\Policies\Explorer: [NoSaveSettings] 0x00000000
HKU\S-1-5-21-329068152-1326574676-1606980848-1003\...\Policies\Explorer: [ClearRecentDocsOnExit] 0x0000000000000000
HKU\S-1-5-21-329068152-1326574676-1606980848-1003\...\Winlogon: [Shell] C:\Documents and Settings\Jolly\Application Data\SunJavaUpdataShedule\SunJavaUpdata.exe [1275904 2014-04-13] (Sony Corporation) <==== ATTENTION
Startup: C:\Documents and Settings\Jolly\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk
ShortcutTarget: OneNote 2007 Screen Clipper and Launcher.lnk -> C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE (Microsoft Corporation)
BootExecute: autocheck autochk * C:\PROGRA~1\AVG\AVG2012\avgrsx.exe /sync /restart

==================== Internet (Whitelisted) ====================

HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = wyzo.wyzostart.com/?cfg=2-47-0-0&engine_id=.....country=BA
SearchScopes: HKCU - DefaultScope {1F1DD852-89B9-7F11-D737-3C55E9E56A3C} URL = wyzo.wyzostart.com/s/?q={searchTerms}&iesrc={referrer:source?}&cfg=2-47-0-0
SearchScopes: HKCU - {1F1DD852-89B9-7F11-D737-3C55E9E56A3C} URL = wyzo.wyzostart.com/s/?q={searchTerms}&iesrc={referrer:source?}&cfg=2-47-0-0
SearchScopes: HKCU - {6A1806CD-94D4-4689-BA73-E35EA1EA9990} URL = google.com/search?q={searchTerms}&rls=com.microsoft:{language}&ie={inputEncoding}&oe={outputEncoding}&startIndex={startIndex?}&startPage={startPage}
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll (Microsoft Corporation)
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG2012\avgpp.dll (AVG Technologies CZ, s.r.o.)
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Common Files\Skype\Skype4COM.dll (Skype Technologies)
Tcpip\Parameters: [DhcpNameServer] 192.168.1.1 192.168.1.1

FireFox:
========
FF ProfilePath: C:\Documents and Settings\Jolly\Application Data\Mozilla\Firefox\Profiles\u50vzrml.default
FF Plugin: @adobe.com/FlashPlayer - C:\WINDOWS\system32\Macromed\Flash\NPSWF32_11_9_900_170.dll ()
FF Plugin: @Microsoft.com/NpCtrl,version=1.0 - C:\Program Files\Microsoft Silverlight\5.1.20913.0\npctrl.dll ( Microsoft Corporation)
FF Plugin HKCU: @Skype Limited.com/Facebook Video Calling Plugin - C:\Documents and Settings\Jolly\Local Settings\Application Data\Facebook\Video\Skype\npFacebookVideoCalling.dll (Skype Limited)
FF user.js: detected! => C:\Documents and Settings\Jolly\Application Data\Mozilla\Firefox\Profiles\u50vzrml.default\user.js
FF Extension: GoPhotoIt - C:\Documents and Settings\Jolly\Application Data\Mozilla\Firefox\Profiles\u50vzrml.default\Extensions\gophoto@gophoto.it.xpi [2013-08-08]
FF StartMenuInternet: FIREFOX.EXE - C:\zoek_backup\C_Program Files_Mozilla Firefox\firefox.exe

Chrome:
=======
CHR HomePage: hxxp://www.search.ask.com/?o=APN10645A&gct=hp&d=406-420&v=a10733-176&t=4
CHR RestoreOnStartup: "hxxp://google.rs/"
CHR DefaultSearchKeyword: facebook
CHR DefaultSearchProvider: Facebook
CHR DefaultSearchURL: facebook.com/search.php?q={searchTerms}
CHR DefaultNewTabURL:
CHR Extension: (Google новчаник) - C:\Documents and Settings\Jolly\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2013-11-27]
CHR Extension: (GoPhoto.it) - C:\Documents and Settings\Jolly\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\pfmopbbadnfoelckkcmjjeaaegjpjjbk [2014-04-06]
CHR HKLM\...\Chrome\Extension: [pfmopbbadnfoelckkcmjjeaaegjpjjbk] - C:\Program Files\Gophoto.it\gophotoit16.crx [2013-08-08]

========================== Services (Whitelisted) =================

S4 Ati HotKey Poller; C:\WINDOWS\system32\Ati2evxx.exe [495616 2007-12-05] (ATI Technologies Inc.) [File not signed]
S4 ATI Smart; C:\WINDOWS\system32\ati2sgag.exe [593920 2007-09-28] () [File not signed]
R2 avgwd; C:\Program Files\AVG\AVG2012\avgwdsvc.exe [193288 2012-02-13] (AVG Technologies CZ, s.r.o.)
S3 ClipSrv; C:\WINDOWS\system32\clipsrv.exe [43008 2008-04-28] (Microsoft Corporation) [File not signed]
S4 JavaQuickStarterService; C:\Program Files\Java\jre7\bin\jqs.exe [182696 2013-12-18] (Oracle Corporation)
S3 mnmsrvc; C:\WINDOWS\system32\mnmsrvc.exe [53248 2008-04-28] (Microsoft Corporation) [File not signed]
S3 MSDTC; C:\WINDOWS\system32\msdtc.exe [30720 2008-04-28] (Microsoft Corporation) [File not signed]
S4 NAUpdate; C:\Program Files\Nero\Update\NASvc.exe [769432 2012-07-13] (Nero AG)
S4 Skype C2C Service; C:\Documents and Settings\All Users\Application Data\Skype\Toolbars\Skype C2C Service\c2c_service.exe [3275136 2013-10-09] (Skype Technologies S.A.)
R2 TuneUp.UtilitiesSvc; C:\Program Files\TuneUp Utilities 2014\TuneUpUtilitiesService32.exe [1740600 2013-08-29] (TuneUp Software)
S3 Wmi; C:\WINDOWS\System32\advapi32.dll [617472 2008-03-20] (Microsoft Corporation) [File not signed]

==================== Drivers (Whitelisted) ====================

S3 A5AGU; C:\WINDOWS\System32\DRIVERS\A5AGU.sys [347648 2006-05-08] (D-Link Corporation)
R3 AtcL001; C:\WINDOWS\System32\DRIVERS\atl01_xp.sys [35712 2006-08-22] (Attansic Technology corporation.)
R3 ati2mtag; C:\WINDOWS\System32\DRIVERS\ati2mtag.sys [2782208 2007-12-05] (ATI Technologies Inc.) [File not signed]
R0 AVGIDSHX; C:\WINDOWS\System32\DRIVERS\avgidshx.sys [24896 2012-04-18] (AVG Technologies CZ, s.r.o. )
R1 Avgldx86; C:\WINDOWS\System32\DRIVERS\avgldx86.sys [250080 2012-11-08] (AVG Technologies CZ, s.r.o.)
R1 Avgmfx86; C:\WINDOWS\System32\DRIVERS\avgmfx86.sys [41040 2011-12-23] (AVG Technologies CZ, s.r.o.)
R0 Avgrkx86; C:\WINDOWS\System32\DRIVERS\avgrkx86.sys [31952 2012-01-30] (AVG Technologies CZ, s.r.o.)
R1 Avgtdix; C:\WINDOWS\System32\DRIVERS\avgtdix.sys [302368 2013-04-11] (AVG Technologies CZ, s.r.o.)
S3 CCDECODE; C:\WINDOWS\System32\DRIVERS\CCDECODE.sys [17024 2008-04-13] (Microsoft Corporation)
R1 dtsoftbus01; C:\WINDOWS\System32\DRIVERS\dtsoftbus01.sys [242240 2014-03-08] (DT Soft Ltd)
R3 IntcAzAudAddService; C:\WINDOWS\System32\drivers\RtkHDAud.sys [4374016 2006-08-24] (Realtek Semiconductor Corp.) [File not signed]
R0 mv614x; C:\WINDOWS\System32\DRIVERS\mv614x.sys [63232 2006-07-03] ()
S3 NdisIP; C:\WINDOWS\System32\DRIVERS\NdisIP.sys [10880 2008-04-13] (Microsoft Corporation)
R3 PAC7302; C:\WINDOWS\System32\DRIVERS\PAC7302.SYS [458752 2007-11-08] (PixArt Imaging Inc.) [File not signed]
R0 sptd; C:\WINDOWS\System32\Drivers\sptd.sys [664064 2012-10-30] () [File not signed]
R1 tStLib; C:\WINDOWS\System32\drivers\tStLib.sys [55224 2014-02-19] (StdLib)
R3 TuneUpUtilitiesDrv; C:\Program Files\TuneUp Utilities 2014\TuneUpUtilitiesDriver32.sys [12320 2013-08-21] (TuneUp Software)
R0 videX32; C:\WINDOWS\System32\DRIVERS\videX32.sys [9728 2006-02-23] (VIA Technologies, Inc.)
R0 xfilt; C:\WINDOWS\System32\DRIVERS\xfilt.sys [11264 2006-02-23] (VIA Technologies,Inc)
S4 IntelIde; No ImagePath
S3 USBAAPL; System32\Drivers\usbaapl.sys [X]

==================== NetSvcs (Whitelisted) ===================


==================== One Month Created Files and Folders ========

2014-07-09 08:39 - 2014-07-09 08:40 - 00000000 ____D () C:\FRST
2014-07-08 23:27 - 2014-07-08 23:27 - 00457230 _____ () C:\Documents and Settings\Jolly\Desktop\dddd.bmp
2014-07-08 22:40 - 2014-07-08 22:40 - 00065536 _____ () C:\WINDOWS\Minidump\Mini070814-05.dmp
2014-07-08 21:42 - 2014-07-08 21:42 - 00065536 _____ () C:\WINDOWS\Minidump\Mini070814-04.dmp
2014-07-08 21:04 - 2014-07-08 21:04 - 00065536 _____ () C:\WINDOWS\Minidump\Mini070814-03.dmp
2014-07-08 18:30 - 2014-07-08 18:30 - 00065536 _____ () C:\WINDOWS\Minidump\Mini070814-02.dmp
2014-07-08 15:49 - 2014-07-08 15:49 - 00065536 _____ () C:\WINDOWS\Minidump\Mini070814-01.dmp
2014-07-08 14:04 - 2014-07-09 08:26 - 00000159 _____ () C:\WINDOWS\wiadebug.log
2014-07-08 14:02 - 2014-07-09 08:24 - 00000048 _____ () C:\WINDOWS\wiaservc.log
2014-07-08 14:02 - 2014-07-08 14:02 - 00498640 _____ () C:\WINDOWS\system32\FNTCACHE.DAT
2014-07-08 14:02 - 2014-07-08 14:02 - 00138720 _____ () C:\Documents and Settings\Jolly\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2014-07-08 14:02 - 2014-07-08 14:02 - 00000000 _____ () C:\WINDOWS\Sti_Trace.log
2014-07-02 16:38 - 2014-07-02 16:38 - 00000000 ____D () C:\Program Files\MyFree Codec
2014-07-02 16:38 - 2014-07-02 16:38 - 00000000 ____D () C:\Documents and Settings\All Users\Start Menu\Programs\MyFree Codec
2014-07-02 16:36 - 2014-07-07 19:12 - 00000000 ____D () C:\Documents and Settings\Jolly\Application Data\Samsung
2014-07-02 16:33 - 2014-07-02 16:33 - 00000000 ____D () C:\Documents and Settings\Jolly\Local Settings\Application Data\Downloaded Installations
2014-06-11 18:55 - 2014-06-11 18:55 - 00000721 _____ () C:\Documents and Settings\Jolly\Desktop\VirtualDJ Home FREE.lnk
2014-06-11 18:54 - 2014-07-03 22:45 - 00000000 ____D () C:\Documents and Settings\Jolly\My Documents\VirtualDJ
2014-06-11 18:54 - 2014-06-11 18:55 - 00000000 ____D () C:\Documents and Settings\Jolly\Start Menu\Programs\VirtualDJ
2014-06-11 18:54 - 2014-06-11 18:54 - 00000000 ____D () C:\Program Files\VirtualDJ
2014-06-11 00:09 - 2014-07-07 22:42 - 00000000 ____D () C:\Documents and Settings\Jolly\Start Menu\Programs\Virtual DJ

==================== One Month Modified Files and Folders =======

2014-07-09 08:41 - 2014-04-05 23:34 - 00000000 ____D () C:\Documents and Settings\Jolly\Application Data\uTorrent
2014-07-09 08:41 - 2014-03-26 15:56 - 00000000 ____D () C:\Documents and Settings\Jolly\Local Settings\Temp
2014-07-09 08:41 - 2014-01-05 13:34 - 116858691 _____ () C:\Documents and Settings\Jolly\avgui.log
2014-07-09 08:41 - 2013-01-07 14:50 - 00000294 _____ () C:\WINDOWS\Tasks\Browser Manager.job
2014-07-09 08:40 - 2014-07-09 08:39 - 00000000 ____D () C:\FRST
2014-07-09 08:30 - 2011-12-21 20:13 - 00004732 _____ () C:\WINDOWS\system32\PerfStringBackup.INI
2014-07-09 08:26 - 2014-07-08 14:04 - 00000159 _____ () C:\WINDOWS\wiadebug.log
2014-07-09 08:26 - 2014-03-26 17:25 - 00000000 ____D () C:\Documents and Settings\All Users\Application Data\MCShield
2014-07-09 08:25 - 2013-02-08 17:28 - 01340889 _____ () C:\WINDOWS\WindowsUpdate.log
2014-07-09 08:24 - 2014-07-08 14:02 - 00000048 _____ () C:\WINDOWS\wiaservc.log
2014-07-09 08:24 - 2012-11-23 12:28 - 00000896 _____ () C:\WINDOWS\Tasks\GoogleUpdateTaskMachineCore.job
2014-07-09 08:24 - 2011-12-21 13:29 - 00000006 ____H () C:\WINDOWS\Tasks\SA.DAT
2014-07-09 03:10 - 2012-11-23 12:28 - 00000900 _____ () C:\WINDOWS\Tasks\GoogleUpdateTaskMachineUA.job
2014-07-09 02:16 - 2013-09-28 11:50 - 00000178 ___SH () C:\Documents and Settings\Jolly\ntuser.ini
2014-07-09 02:16 - 2013-02-08 17:20 - 00131072 _____ () C:\WINDOWS\system32\config\TuneUp.evt
2014-07-09 02:16 - 2011-12-21 13:29 - 00032564 _____ () C:\WINDOWS\SchedLgU.Txt
2014-07-09 01:00 - 2013-09-28 13:26 - 00039424 _____ () C:\Documents and Settings\Jolly\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
2014-07-09 00:56 - 2014-05-16 18:51 - 00000998 _____ () C:\WINDOWS\Tasks\FacebookUpdateTaskUserS-1-5-21-329068152-1326574676-1606980848-1003UA.job
2014-07-08 23:27 - 2014-07-08 23:27 - 00457230 _____ () C:\Documents and Settings\Jolly\Desktop\dddd.bmp
2014-07-08 22:40 - 2014-07-08 22:40 - 00065536 _____ () C:\WINDOWS\Minidump\Mini070814-05.dmp
2014-07-08 22:40 - 2012-01-23 15:09 - 00000000 ____D () C:\WINDOWS\Minidump
2014-07-08 21:42 - 2014-07-08 21:42 - 00065536 _____ () C:\WINDOWS\Minidump\Mini070814-04.dmp
2014-07-08 21:04 - 2014-07-08 21:04 - 00065536 _____ () C:\WINDOWS\Minidump\Mini070814-03.dmp
2014-07-08 18:30 - 2014-07-08 18:30 - 00065536 _____ () C:\WINDOWS\Minidump\Mini070814-02.dmp
2014-07-08 18:27 - 2011-12-22 14:57 - 00002267 _____ () C:\Documents and Settings\All Users\Desktop\Skype.lnk
2014-07-08 16:25 - 2013-10-16 16:53 - 00000000 ____D () C:\Documents and Settings\Jolly\Application Data\Skype
2014-07-08 15:49 - 2014-07-08 15:49 - 00065536 _____ () C:\WINDOWS\Minidump\Mini070814-01.dmp
2014-07-08 14:02 - 2014-07-08 14:02 - 00498640 _____ () C:\WINDOWS\system32\FNTCACHE.DAT
2014-07-08 14:02 - 2014-07-08 14:02 - 00138720 _____ () C:\Documents and Settings\Jolly\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2014-07-08 14:02 - 2014-07-08 14:02 - 00000000 _____ () C:\WINDOWS\Sti_Trace.log
2014-07-08 13:59 - 2013-12-24 19:10 - 00000000 ____D () C:\Documents and Settings\Jolly\Application Data\Wise Disk Cleaner
2014-07-07 22:42 - 2014-06-11 00:09 - 00000000 ____D () C:\Documents and Settings\Jolly\Start Menu\Programs\Virtual DJ
2014-07-07 22:42 - 2013-09-28 11:50 - 00000000 ____D () C:\Documents and Settings\Jolly
2014-07-07 22:41 - 2014-02-28 19:34 - 00000000 ____D () C:\Documents and Settings\Jolly\Application Data\Winamp
2014-07-07 19:12 - 2014-07-02 16:36 - 00000000 ____D () C:\Documents and Settings\Jolly\Application Data\Samsung
2014-07-07 19:12 - 2012-12-09 15:28 - 00000000 ____D () C:\Program Files\SAMSUNG
2014-07-07 19:12 - 2011-12-22 12:03 - 00000000 ___HD () C:\Program Files\InstallShield Installation Information
2014-07-07 19:08 - 2014-06-07 20:15 - 00000000 ____D () C:\Documents and Settings\All Users\Application Data\188F1432-103A-4ffb-80F1-36B633C5C9E1
2014-07-07 19:08 - 2014-06-07 20:11 - 00000000 ____D () C:\Program Files\Common Files\Apple
2014-07-07 19:08 - 2012-05-07 14:11 - 00000000 ____D () C:\Documents and Settings\All Users\Application Data\Apple Computer
2014-07-07 18:56 - 2014-05-16 18:51 - 00000976 _____ () C:\WINDOWS\Tasks\FacebookUpdateTaskUserS-1-5-21-329068152-1326574676-1606980848-1003Core.job
2014-07-03 22:45 - 2014-06-11 18:54 - 00000000 ____D () C:\Documents and Settings\Jolly\My Documents\VirtualDJ
2014-07-03 11:11 - 2004-08-04 14:00 - 00002206 _____ () C:\WINDOWS\system32\wpa.dbl
2014-07-02 16:38 - 2014-07-02 16:38 - 00000000 ____D () C:\Program Files\MyFree Codec
2014-07-02 16:38 - 2014-07-02 16:38 - 00000000 ____D () C:\Documents and Settings\All Users\Start Menu\Programs\MyFree Codec
2014-07-02 16:33 - 2014-07-02 16:33 - 00000000 ____D () C:\Documents and Settings\Jolly\Local Settings\Application Data\Downloaded Installations
2014-07-01 15:32 - 2014-03-08 18:26 - 00000000 ____D () C:\Documents and Settings\Jolly\My Documents\KONAMI
2014-06-26 21:53 - 2013-10-04 17:43 - 00000000 ____D () C:\Documents and Settings\Jolly\Local Settings\Application Data\NFS Underground 2
2014-06-25 15:09 - 2014-03-08 18:08 - 00000000 ____D () C:\Documents and Settings\Jolly\Application Data\DAEMON Tools Lite
2014-06-11 18:55 - 2014-06-11 18:55 - 00000721 _____ () C:\Documents and Settings\Jolly\Desktop\VirtualDJ Home FREE.lnk
2014-06-11 18:55 - 2014-06-11 18:54 - 00000000 ____D () C:\Documents and Settings\Jolly\Start Menu\Programs\VirtualDJ
2014-06-11 18:54 - 2014-06-11 18:54 - 00000000 ____D () C:\Program Files\VirtualDJ

Some content of TEMP:
====================
C:\Documents and Settings\All Users\Local Settings\Temp\msikevacy.exe


==================== Bamital & volsnap Check =================

C:\WINDOWS\explorer.exe
[2008-08-18 20:17] - [2008-08-18 20:17] - 1616384 ____A (Microsoft Corporation) 4a90f51b778fa0157f60d206e8b37d2a

C:\WINDOWS\system32\winlogon.exe
[2008-04-28 11:24] - [2008-04-28 11:24] - 0547328 ____A (Microsoft Corporation) a55b8899d2ea2e800061bcfd456e34dc

C:\WINDOWS\system32\svchost.exe => File is digitally signed
C:\WINDOWS\system32\services.exe => File is digitally signed
C:\WINDOWS\system32\User32.dll
[2008-03-20 20:36] - [2008-03-20 20:36] - 0578560 ____A (Microsoft Corporation) f92d8964b5286de225bd2b6bf89764be

C:\WINDOWS\system32\userinit.exe => File is digitally signed
C:\WINDOWS\system32\rpcss.dll => File is digitally signed
C:\WINDOWS\system32\Drivers\volsnap.sys => File is digitally signed

==================== End Of Log ============================


  • Research Engineer @MalwareBytes
  • Joined: 09 Aug 2011
  • Posts: 15877
  • Location: Beograd

1. Open Notepad (Text Document) and copy the following text from the code box below into it:

HKLM\...\Policies\Explorer\Run: [37797] => C:\Documents and Settings\All Users\Local Settings\Temp\msikevacy.exe [273408 2012-06-02] ( (Adobe Systems Inc.))
HKU\S-1-5-21-329068152-1326574676-1606980848-1003\...\Policies\Explorer: [NoActiveDesktop] 0x00000000
HKU\S-1-5-21-329068152-1326574676-1606980848-1003\...\Policies\Explorer: [NoSaveSettings] 0x00000000
HKU\S-1-5-21-329068152-1326574676-1606980848-1003\...\Policies\Explorer: [ClearRecentDocsOnExit] 0x0000000000000000
HKU\S-1-5-21-329068152-1326574676-1606980848-1003\...\Winlogon: [Shell] C:\Documents and Settings\Jolly\Application Data\SunJavaUpdataShedule\SunJavaUpdata.exe [1275904 2014-04-13] (Sony Corporation) <==== ATTENTION
HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://wyzo.wyzostart.com/?cfg=2-47-0-0&engine_id=.....country=BA
SearchScopes: HKCU - DefaultScope {1F1DD852-89B9-7F11-D737-3C55E9E56A3C} URL = http://wyzo.wyzostart.com/s/?q={searchTerms}&iesrc={referrer:source?}&cfg=2-47-0-0
SearchScopes: HKCU - {1F1DD852-89B9-7F11-D737-3C55E9E56A3C} URL = http://wyzo.wyzostart.com/s/?q={searchTerms}&iesrc={referrer:source?}&cfg=2-47-0-0
SearchScopes: HKCU - {6A1806CD-94D4-4689-BA73-E35EA1EA9990} URL = http://www.google.com/search?q={searchTerms}&rls=com.microsoft:{language}&ie={inputEncoding}&oe={outputEncoding}&startIndex={startIndex?}&startPage={startPage}
FF Extension: GoPhotoIt - C:\Documents and Settings\Jolly\Application Data\Mozilla\Firefox\Profiles\u50vzrml.default\Extensions\gophoto@gophoto.it.xpi [2013-08-08]
FF StartMenuInternet: FIREFOX.EXE - C:\zoek_backup\C_Program Files_Mozilla Firefox\firefox.exe
CHR Extension: (GoPhoto.it) - C:\Documents and Settings\Jolly\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\pfmopbbadnfoelckkcmjjeaaegjpjjbk [2014-04-06]
CHR HKLM\...\Chrome\Extension: [pfmopbbadnfoelckkcmjjeaaegjpjjbk] - C:\Program Files\Gophoto.it\gophotoit16.crx [2013-08-08]
S4 IntelIde; No ImagePath
S3 USBAAPL; System32\Drivers\usbaapl.sys [X]
C:\Documents and Settings\All Users\Local Settings\Temp\msikevacy.exe
C:\Documents and Settings\Jolly\Application Data\SunJavaUpdataShedule
Task: C:\WINDOWS\Tasks\Browser Manager.job => C:\WINDOWS\system32\sc.exe
cmd: ipconfig /flushdns
Reboot:


2. Save the Notepad file to the Desktop under the name fixlist.txt
You can also do this from Notepad => click File, then Save As, and in the new window, under File Name:, enter fixlist.txt as the name
Note: It is important that both files, FRST and fixlist, are in the same location, otherwise the fix will not work.

3. Run FRST/FRST64 again, click the Fix button once and wait.
If the tool asks for a system restart, allow it and make sure the tool completes the fix after the restart.



The tool will create a log (Fixlog.txt) on the Desktop. Copy the contents of that log into your reply.
Note: If the tool warns you that a newer version exists, make sure you download and use the updated copy of FRST.
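The fixlist above targets a handful of autostart lines out of the whole FRST log. As an added example (not part of the thread, of FRST or of the helper's fix), the script below parses FRST's "Registry (Whitelisted)" lines and applies the checks a triager would make by hand: a Winlogon Shell value that is not explorer.exe, an entry under Policies\Explorer\Run, an image launched from a folder the user can write to, and FRST's own "<==== ATTENTION" marker. The sample input is copied from the log posted above; the regular expression for FRST's line layout and the heuristics themselves are the author's assumptions. The user-writable rule also hits uTorrent, which shows that these are prompts for a second look rather than verdicts: uTorrent was correctly left alone in the fix, while msikevacy.exe and the replaced Shell value were removed.

```python
r"""Triage of FRST "Registry (Whitelisted)" autostart lines.

Added example for this thread; it is not part of FRST or of the helper's fix.
The heuristics (a Winlogon Shell value that is not explorer.exe, an entry under
Policies\Explorer\Run, an image launched from a user-writable folder, FRST's
own "<==== ATTENTION" marker) are the author's assumptions about what deserves
a second look, not a verdict.
"""
import re
from pathlib import PureWindowsPath

# Sample input: registry lines copied from the FRST log posted in the thread.
SAMPLE_LOG = r"""
HKLM\...\Run: [AVG_TRAY] => C:\Program Files\AVG\AVG2012\avgtray.exe [2598520 2012-11-19] (AVG Technologies CZ, s.r.o.)
HKLM\...\Run: [KernelFaultCheck] => %systemroot%\system32\dumprep 0 -k
HKLM\...\Policies\Explorer\Run: [37797] => C:\Documents and Settings\All Users\Local Settings\Temp\msikevacy.exe [273408 2012-06-02] ( (Adobe Systems Inc.))
HKU\S-1-5-21-329068152-1326574676-1606980848-1003\...\Run: [uTorrent] => C:\Documents and Settings\Jolly\Application Data\uTorrent\uTorrent.exe [1322832 2014-07-02] (BitTorrent Inc.)
HKU\S-1-5-21-329068152-1326574676-1606980848-1003\...\Winlogon: [Shell] C:\Documents and Settings\Jolly\Application Data\SunJavaUpdataShedule\SunJavaUpdata.exe [1275904 2014-04-13] (Sony Corporation) <==== ATTENTION
"""

# Layout of an FRST registry line as seen in the log (assumption derived from
# the lines above): <hive>\...\<key>: [<value name>] [=> ]<image> [<size date>] (<company>)
ENTRY_RE = re.compile(
    r"^(?P<hive>HKLM|HKCU|HKU\\[^\\]+)\\\.\.\.\\(?P<key>.+?): "
    r"\[(?P<name>[^\]]+)\] (?:=> )?(?P<rest>.*)$"
)

# Folders an unprivileged XP user can write to. Autostarts launched from here
# deserve a look, although legitimate software (uTorrent) lives there too.
USER_WRITABLE = ("\\temp\\", "\\application data\\", "\\local settings\\")


def parse_entry(line):
    """Return the parts of one FRST registry line, or None if it is not one."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    rest = m.group("rest")
    # The image path is everything before FRST's "[size date]" or "(company)" suffix.
    image = re.split(r" \[\d+ \d{4}-\d{2}-\d{2}\]| \(", rest, maxsplit=1)[0].strip()
    return {
        "hive": m.group("hive"),
        "key": m.group("key"),
        "name": m.group("name"),
        "image": image,
        "frst_flag": "<==== ATTENTION" in rest,
    }


def assess(entry):
    """List the reasons an autostart entry is suspicious (empty list = nothing noted)."""
    reasons = []
    key = entry["key"].lower()
    image = entry["image"].lower()
    basename = PureWindowsPath(entry["image"]).name.lower()
    # Winlogon\Shell is the program that starts the desktop; anything other than
    # explorer.exe means the whole user session runs under the replacement binary.
    if key.endswith("winlogon") and entry["name"].lower() == "shell" and basename != "explorer.exe":
        reasons.append("Winlogon Shell replaced: " + basename)
    # Policies\Explorer\Run is a group-policy run key; on a home PC it is rarely
    # populated by anything legitimate.
    if "policies\\explorer\\run" in key:
        reasons.append("Policies\\Explorer\\Run autostart")
    if any(folder in image for folder in USER_WRITABLE):
        reasons.append("runs from user-writable location")
    if entry["frst_flag"]:
        reasons.append("marked <==== ATTENTION by FRST")
    return reasons


def triage(log_text):
    """Map value name -> reasons for every registry line that trips at least one rule."""
    findings = {}
    for line in log_text.splitlines():
        entry = parse_entry(line)
        if entry is None:
            continue
        reasons = assess(entry)
        if reasons:
            findings[entry["name"]] = reasons
    return findings


if __name__ == "__main__":
    for name, reasons in triage(SAMPLE_LOG).items():
        print(name, "->", "; ".join(reasons))
```

Run against the sample, the AVG tray and KernelFaultCheck entries pass clean, uTorrent gets only the user-writable note, and the two entries the helper put into the fixlist (value 37797 and the Shell hijack) collect several reasons each. Feeding it a complete FRST.txt works the same way, since lines that do not match the registry layout are skipped.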

  • Joined: 24 Mar 2014
  • Posts: 29

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x86) Version:05-07-2014 01
Ran by Jolly at 2014-07-09 10:16:13 Run:1
Running from C:\Documents and Settings\Jolly\Desktop\New Folder
Boot Mode: Normal

==============================================

Content of fixlist:
*****************
HKLM\...\Policies\Explorer\Run: [37797] => C:\Documents and Settings\All Users\Local Settings\Temp\msikevacy.exe [273408 2012-06-02] ( (Adobe Systems Inc.))
HKU\S-1-5-21-329068152-1326574676-1606980848-1003\...\Policies\Explorer: [NoActiveDesktop] 0x00000000
HKU\S-1-5-21-329068152-1326574676-1606980848-1003\...\Policies\Explorer: [NoSaveSettings] 0x00000000
HKU\S-1-5-21-329068152-1326574676-1606980848-1003\...\Policies\Explorer: [ClearRecentDocsOnExit] 0x0000000000000000
HKU\S-1-5-21-329068152-1326574676-1606980848-1003\...\Winlogon: [Shell] C:\Documents and Settings\Jolly\Application Data\SunJavaUpdataShedule\SunJavaUpdata.exe [1275904 2014-04-13] (Sony Corporation) <==== ATTENTION
HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = wyzo.wyzostart.com/?cfg=2-47-0-0&engine_id=.....country=BA
SearchScopes: HKCU - DefaultScope {1F1DD852-89B9-7F11-D737-3C55E9E56A3C} URL = wyzo.wyzostart.com/s/?q={searchTerms}&iesrc={referrer:source?}&cfg=2-47-0-0
SearchScopes: HKCU - {1F1DD852-89B9-7F11-D737-3C55E9E56A3C} URL = wyzo.wyzostart.com/s/?q={searchTerms}&iesrc={referrer:source?}&cfg=2-47-0-0
SearchScopes: HKCU - {6A1806CD-94D4-4689-BA73-E35EA1EA9990} URL = google.com/search?q={searchTerms}&rls=com.microsoft:{language}&ie={inputEncoding}&oe={outputEncoding}&startIndex={startIndex?}&startPage={startPage}
FF Extension: GoPhotoIt - C:\Documents and Settings\Jolly\Application Data\Mozilla\Firefox\Profiles\u50vzrml.default\Extensions\gophoto@gophoto.it.xpi [2013-08-08]
FF StartMenuInternet: FIREFOX.EXE - C:\zoek_backup\C_Program Files_Mozilla Firefox\firefox.exe
CHR Extension: (GoPhoto.it) - C:\Documents and Settings\Jolly\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\pfmopbbadnfoelckkcmjjeaaegjpjjbk [2014-04-06]
CHR HKLM\...\Chrome\Extension: [pfmopbbadnfoelckkcmjjeaaegjpjjbk] - C:\Program Files\Gophoto.it\gophotoit16.crx [2013-08-08]
S4 IntelIde; No ImagePath
S3 USBAAPL; System32\Drivers\usbaapl.sys [X]
C:\Documents and Settings\All Users\Local Settings\Temp\msikevacy.exe
C:\Documents and Settings\Jolly\Application Data\SunJavaUpdataShedule
Task: C:\WINDOWS\Tasks\Browser Manager.job => C:\WINDOWS\system32\sc.exe
cmd: ipconfig /flushdns
Reboot:
*****************

HKLM\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run\\37797 => value deleted successfully.
HKU\S-1-5-21-329068152-1326574676-1606980848-1003\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\\NoActiveDesktop => value deleted successfully.
HKU\S-1-5-21-329068152-1326574676-1606980848-1003\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\\NoSaveSettings => value deleted successfully.
HKU\S-1-5-21-329068152-1326574676-1606980848-1003\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\\ClearRecentDocsOnExit => value deleted successfully.
HKU\S-1-5-21-329068152-1326574676-1606980848-1003\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\\Shell => value deleted successfully.
HKCU\Software\Microsoft\Internet Explorer\Main\\Start Page => Value was restored successfully.
HKCU\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => value deleted successfully.
'HKCU\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{1F1DD852-89B9-7F11-D737-3C55E9E56A3C}' => Key deleted successfully.
'HKCR\Wow6432Node\CLSID\{1F1DD852-89B9-7F11-D737-3C55E9E56A3C}'=> Key not found.
'HKCU\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{6A1806CD-94D4-4689-BA73-E35EA1EA9990}' => Key deleted successfully.
'HKCR\Wow6432Node\CLSID\{6A1806CD-94D4-4689-BA73-E35EA1EA9990}'=> Key not found.
C:\Documents and Settings\Jolly\Application Data\Mozilla\Firefox\Profiles\u50vzrml.default\Extensions\gophoto@gophoto.it.xpi => Moved successfully.
HKLM\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\open\command\\Default => Value was restored successfully.
C:\Documents and Settings\Jolly\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\pfmopbbadnfoelckkcmjjeaaegjpjjbk => Moved successfully.
'HKLM\SOFTWARE\Google\Chrome\Extensions\pfmopbbadnfoelckkcmjjeaaegjpjjbk' => Key deleted successfully.
C:\Program Files\Gophoto.it\gophotoit16.crx => Moved successfully.
IntelIde => Service deleted successfully.
USBAAPL => Service deleted successfully.
Could not move "C:\Documents and Settings\All Users\Local Settings\Temp\msikevacy.exe" => Scheduled to move on reboot.
C:\Documents and Settings\Jolly\Application Data\SunJavaUpdataShedule => Moved successfully.
C:\WINDOWS\Tasks\Browser Manager.job => Moved successfully.

========= ipconfig /flushdns =========



Windows IP Configuration



Successfully flushed the DNS Resolver Cache.


========= End of CMD: =========

  • Research Engineer @MalwareBytes
  • Joined: 09 Aug 2011
  • Posts: 15877
  • Location: Beograd

What is the situation now?

  • Joined: 24 Mar 2014
  • Posts: 29

Well, it's a little better, but it still seems as if there is something in the background. I open Google Chrome and it tells me on its own how much memory something is using. Even the most basic actions are hard for it.. o.O

  • Research Engineer @MalwareBytes
  • Joined: 09 Aug 2011
  • Posts: 15877
  • Location: Beograd

1. Download sUBs' ComboFix from this link and save the tool to the Desktop.
• Right-click the link and choose Save Target As... (Save Link As..., Save Linked Content As... or similar);
• When the dialog for choosing where to save the file opens, select Desktop and click Save.


------------------------------------------------------------
2. Temporarily disable your antivirus program, in most cases via a right-click on the program's icon in the system tray. It can interfere with the tool while it runs.
If you are not sure how to do that, follow these instructions.

------------------------------------------------------------
3. Double-click the icon to run ComboFix. Then, on the disclaimer window, click the I Agree! button.

• ComboFix will check whether a new version of the tool is available.
Click Yes if asked to download it.
• If the Recovery Console is not installed, ComboFix will offer to download and install it.
Click Yes to allow the tool to download and install the Recovery Console.
• ComboFix will scan the computer in stages (Stage_#), 50 stages in total.
Do not click around while ComboFix is examining the system.
• If malware is detected, ComboFix will begin removing it.
For that reason, the tool will restart Windows when needed (sometimes more than once);

Note: If, after the tool has run, you get an error (Illegal operation attempted on a registry key that has been marked for deletion) when starting programs, restart the computer and that will resolve the problem.


------------------------------------------------------------
4. When the tool finishes, it will create and open a report (typical location: C:\ComboFix.txt)
Copy the contents of the ComboFix.txt report into your reply.

ComboFix will also create an additional report (typical location: C:\Qoobox\ComboFix-quarantined-files.txt)
Attach the ComboFix-quarantined-files.txt report to your reply using the Attach file option

  • Joined: 24 Mar 2014
  • Posts: 29

It says it should take 10 minutes, 20 at most. I waited 2 hours - nothing.. should I keep waiting?

  • Research Engineer @MalwareBytes
  • Joined: 09 Aug 2011
  • Posts: 15877
  • Location: Beograd

Stop it, we'll try another tool:

Download Malwarebytes Anti-Rootkit (MBAR) from the following link and save it to the Desktop.

Double-click the MBAR program icon to run it:
- Click OK in the next window to allow it to unpack into a separate mbar folder on the Desktop;
- mbar.exe will be started. On some systems this can take a few extra seconds, so wait for it to launch;
- In the introductory window click the Next button if you agree;



• On the 'Update Database' window click the Update button to download fresh definitions. When the message 'Success: Database was successfully updated' appears, click the Next button;
• Under the 'Scan Targets' section check that all options are ticked, then click the Scan button;

Notice: with some infections one of the following messages may appear:
- 'Could not load protection driver' => in that case click OK.
- 'Could not load DDA driver' => click Yes on that notice to allow it to load after a restart. Allow the restart and continue with the rest of the instructions after the restart.

>> If no malware is detected, click the Exit button to close the program. In your next reply post the mbar-log-year-month-day (hour-minute-second).txt and system-log.txt reports.

>> If infection(s) are found, check that the 'Create Restore Point' option is ticked and click the Cleanup! button to remove the threats.
- The malware removal procedure will be scheduled for after the restart and a notice will be shown in a pop-up window. Click the Yes button and the system should restart and complete the cleaning procedure.

Notice! Only if a rootkit was detected: make sure you run the fixdamage.exe tool located in the mbar folder, \Plugins\fixdamage.exe:
- Double-click fixdamage; in the black window that opens (command prompt) type Y (Y stands for Yes) to continue execution, then wait for the tool to carry out all the repairs ...
- When you see the message 'press any key to exit' the repair is complete. Press any key on the keyboard to close the window. Restart the system.

The following reports will be created in the mbar folder.
1. mbar-log-year-month-day (hour-minute-second).txt
2. system-log.txt

Copy the contents of the mbar log into your reply and attach the system log to the reply using the Attach file option.
