Mafy, posted January 5, 2012

Hello everyone. I have a neighbour who, I don't know how, calls me over at least once a month to fix her computer... I don't know what sites she visits, but the virus she has picked up this time is giving me a real headache. I turn the computer on, connect to the internet, open any web page, and everything is fine (I think I had no problems for about 30 minutes), when suddenly it throws me out of everything and takes me to the home page. Then I couldn't even open the partitions any more (it has 3 partitions, C/D/E): I double-click, see the folders on C for 2 seconds, then it takes me back to My Computer. I installed "Malwarebytes Anti-Malware", scanned C, it found 2 viruses, I removed them, restarted, and so on, faster and faster each time, i.e. after a restart it took less and less time for the virus to come back and stop me accessing web pages or the partitions. I also installed Avira and scanned; it found nothing (I scanned online with 3-4 antiviruses and they found nothing). I also went into safe mode, scanned with Malwarebytes Anti-Malware, and it found nothing more. After I restarted and booted normally into Windows, it wouldn't even let me connect to the internet (RDS) any more, as if it knew: I double-clicked on RDS and nothing appeared, and if I went to Control Panel -> Network Connections nothing showed up either. Maybe you know what virus I'm dealing with and how to get rid of it. I'll come back tomorrow with a HijackThis log if needed.

Thanks in advance.

PS: I forgot to say that at first, if I went to Control Panel -> Internet Options and deleted cookies/temporary files and history, I could then open any web page and any partition... at first it took 4-5 minutes before it came back, later this method stopped working altogether.
mandeamarian, posted January 5, 2012

There used to be a saying: "format c:"
Mafy (thread author), posted January 5, 2012

> There used to be a saying: "format c:"

In the end, if I can't find a solution, I'll reinstall Windows, you know. Format + Deep Freeze if she's ugly and you don't want her calling you over again.
aelius, posted January 5, 2012

I don't see why it would bother you that your neighbour calls you over. Is she young? The best thing is to install the OS and then make an image of it. You can reinstall it in 7-10 minutes with everything it needs on it.
nexus200, posted January 5, 2012

As I was saying in another post: man, you only get rid of it with BitDefender. I keep 10 folders of self-executing viruses on D:/ and nothing happens to me. They're all blocked, and when I first installed it the PC was fully infected; it immediately asked for a reboot and right when it starts it shows you how it cleans (it's a tool integrated into the boot loader).

ADVICE: Bitdefender 2012 Internet Security |x64|x86|
Wav3, posted January 5, 2012

Same thing as for the other guy who had virus problems. Take a full-screen screenshot of Task Manager and of the Startup tab in msconfig (Run -> msconfig). Upload them here and we'll talk further.
nexus200, posted January 5, 2012

Man, there are programs that are hidden (Task Manager doesn't show them).
aelius, posted January 5, 2012 (edited)

Some good tools for Windows, instead of the default rubbish:
RootkitRevealer
Process Explorer
Autoruns for Windows
PsTools
TCPView for Windows
http://secunia.com/vulnerability_scanning/personal/
You can take a look here too.

(edited January 5, 2012 by aelius)
nSnoopy, posted January 5, 2012

> Man, there are programs that are hidden (Task Manager doesn't show them).

They aren't "hidden", they're injected into other processes such as explorer.exe / svchost.exe (those are the most commonly used).
Scorpionadi, posted January 5, 2012

I'd say the best thing to try is a scan of the whole PC with an antivirus run from a CD, such as Hiren's Boot CD or something similar, because from what I understand your neighbour has a worm-type virus, and even if you format C and install Windows, when you open the other partitions the whole PC will get infected again. You can also make a bootable USB stick with those programs and run them from the stick, and once you're sure all partitions have been disinfected, if Windows still doesn't work properly, then reinstall it.

Good luck
crs12decoder, posted January 5, 2012

Take a screenshot of msconfig. 90% of viruses have their own process that starts at boot.
mike_vio, posted January 5, 2012

Better to dig for the source of the infection than format + install + drivers + Office... After the operation you'll definitely be left with some knowledge, unlike with format + install.
Mafy (thread author), posted January 5, 2012 (edited)

Thanks for the replies. I'll come back with some screenshots of Task Manager and msconfig and a HijackThis log; if I don't solve it, I was thinking of reinstalling Windows completely and wiping everything.

edit: I'm back with the screenshots and the HijackThis log.

msconfig screenshots:

Task Manager screenshots:

And the log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 15:07:41, on 17.03.2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\uTorrent\uTorrent.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Avira\AntiVir Desktop\avmailc.exe
C:\Program Files\Avira\AntiVir Desktop\AVWEBGRD.EXE
C:\Program Files\Opera\Opera.exe
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
C:\Program Files\WinRAR\WinRAR.exe
C:\DOCUME~1\Dana\LOCALS~1\Temp\Rar$EX43.833\HijackThis.exe
C:\Program Files\TeamViewer\Version7\TeamViewer.exe
C:\Program Files\TeamViewer\Version7\tv_w32.exe
c:\program files\teamviewer\version7\TeamViewer_Desktop.exe
C:\WINDOWS\system32\taskmgr.exe
C:\jackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = Search-results Search
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = Yahoo! India
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = Google
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = Yahoo! India
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = Yahoo! India
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://dts.search-results.com/sr?src=ieb&appid=113&systemid=406&sr=0&q={searchTerms}
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://dts.search-results.com/sr?src=ieb&appid=113&systemid=406&sr=0&q={searchTerms}
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = Yahoo! India
R3 - URLSearchHook: DeviceVM Url Search Hook - {0063BF63-BFFF-4B8F-9D26-4267DF7F17DD} - C:\WINDOWS\system32\dvmurl.dll
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKLM\..\Run: [Malwarebytes' Anti-Malware] "C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [uTorrent] "C:\Program Files\uTorrent\uTorrent.exe" /MINIMIZED
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: E&xport în Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Cercetare - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {4B54A9DE-EF1C-4EBE-A328-7C28EA3B433A} (BitDefender QuickScan Control) - http://quickscan.bitdefender.com/qsax/qsax.cab
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - http://download.eset.com/special/eos/OnlineScanner.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{D1F9B3D0-112D-492E-BA90-6A2BBFA86CC0}: NameServer = 193.231.252.1 193.231.252.1
O23 - Service: Avira AntiVir MailGuard (AntiVirMailService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avmailc.exe
O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: Avira AntiVir WebGuard (AntiVirWebService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\AVWEBGRD.EXE
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Serviciul Google Update (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Serviciul Google Update (gupdatem) (gupdatem) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: MBAMService - Malwarebytes Corporation - C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

--
End of file - 6189 bytes

I await your replies.

(edited January 5, 2012 by Mafy)
root_prime, posted January 5, 2012 (edited)

Is that the startup on your machine? There are hundreds of entries coming from the registry, services, boot execute, etc. Get the whole suite of products from sysinternal.com and post a complete log from Autoruns, from GMER (google it) and from Process Monitor; get Hitman Pro too and run a scan with it, and if you find any more malware post a link to the sample.

reposting

The biggest stupidity is to format as soon as you get infected; there are dozens of things you can do to get rid of any malware manually: you check the active processes with GMER to detect rootkits and hidden processes, you look at whether the malware was itself launched by another file, you try to close the process and the additional files, and if you can't you try to unload them from memory and then delete them, or, as a last resort, you boot from a live CD and delete them from there, and after that you can move on to deleting the inactive files the malware left behind; you can also use rescue-type live CDs from various antivirus companies if you want the job done automatically. Regarding sandboxes, it's not always effective to test files in one: some of them don't execute their malicious payload if they "feel" they're in a virtualized environment and could make you believe the file is legit and safe to run on the real system. So it's good to have an advanced HIPS such as MalwareDefender configured properly, and you turn it on every time you launch a file for the first time so that it asks for permission at every action the new file takes; you easily spot suspicious behaviour such as file creation, adding itself to startup, API hooking, memory injection, modification of critical Windows files, etc. It's good to keep a log with a list of MD5s of all the files on the PC and compare it with a newly created list if something seems shady, to see what might be infected (don't confuse an infected file with one modified over time by updates or other legitimate actions). Anyway, novels could be written about "disinfections"; I generalised as much as I could.

Sadder still is that on a forum specialising in security all the advice posted here has been either crap, half of it being "FORMAT IS THE SOLUTION", or 20% complete (if the malicious file isn't in Malwarebytes' database, for example, you've solved nothing; tools with heuristic detection or cloud technology must always be used as well), nothing advanced, 0 details, etc.

(edited January 5, 2012 by root_prime)
Mafy (thread author), posted January 5, 2012

> reposting

If I were that type, believe me, I wouldn't have thought twice and would have reinstalled Windows already, but I don't want to do that unless I can't figure it out, and in the meantime I ran a scan with SUPERAntiSpyware, suggested by someone on another forum.
coffee, posted January 5, 2012

But look, maybe your neighbour is using the virus as a pretext to invite you over. Next time, besides BitDefender, get some Durex too.
root_prime, posted January 5, 2012 (edited)

> If I were that type, believe me, I wouldn't have thought twice and would have reinstalled Windows already, but I don't want to do that unless I can't figure it out, and in the meantime I ran a scan with SUPERAntiSpyware, suggested by someone on another forum.

Sorry, but you're wasting your time; you have no malware in the startup entries, as far as you posted, or in the surface-level processes. Read the whole post and you'll see you have a ton of things to try, although you don't necessarily have a virus. Post what I suggested; what Malwarebytes found were probably two crappy cookies, not real threats. First come with a complete set of information and then jump to conclusions.

(edited January 5, 2012 by root_prime)
Mafy (thread author), posted January 5, 2012

As I said above, I scanned with SUPERAntiSpyware and it found about 6 viruses on C; I'm posting screenshots so you can see what it's about. It quarantined 3 of them.
root_prime, posted January 5, 2012 (edited)

Exactly what I told you: THEY AREN'T VIRUSES, they're COOKIES and some registry values. Scan with what I told you and post those, not this. Ever since you said "it regenerates after restart" I figured they were cookies that reappear when she revisits the site in question; an ad.yieldmanager cookie also appears when visiting Yahoo. Learn to tell the difference between virus, worm, trojan, cookie, rootkit, etc.; you people use the word "viruses" as if it were universal.

(edited January 5, 2012 by root_prime)
Mafy (thread author), posted January 5, 2012 (edited)

> Exactly what I told you: THEY AREN'T VIRUSES, they're COOKIES and some registry values. Scan with what I told you and post those, not this.

I'm scanning with Hitman Pro now, I'll post the result right away.

I've set it to scan with GMER now.

(edited January 5, 2012 by Mafy)
root_prime, posted January 5, 2012 (edited)

> I'm scanning with Hitman Pro now, I'll post the result right away.

Scan with Hitman Pro out of boredom until you present the logs from Autoruns (Autoruns for Windows) and Process Explorer (Process Explorer) and the log from GMER (GMER - Rootkit Detector and Remover).

// judging by how long it's taking I assume you ran the scan with all of those ticked xD; it was enough to post what appears at the tool's startup and then run a scan of the registry, ignore files.

(edited January 5, 2012 by root_prime)
Mafy (thread author), posted January 5, 2012 (edited)

GMER log:

GMER 1.0.15.15641 - GMER - Rootkit Detector and Remover
Rootkit scan 2005-03-17 16:38:37
Windows 5.1.2600 Service Pack 2 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3 ST3320613AS rev.SD22
Running: GMER..exe; Driver: C:\DOCUME~1\Dana\LOCALS~1\Temp\pxtdapod.sys

---- System - GMER 1.0.15 ----

SSDT BA6E69D4 ZwClose
SSDT BA6E698E ZwCreateKey
SSDT d347bus.sys (PnP BIOS Extension/ ) ZwCreatePagingFile [0xB9F82A20]
SSDT BA6E69DE ZwCreateSection
SSDT BA6E6984 ZwCreateThread
SSDT BA6E6993 ZwDeleteKey
SSDT BA6E699D ZwDeleteValueKey
SSDT BA6E69CF ZwDuplicateObject
SSDT d347bus.sys (PnP BIOS Extension/ ) ZwEnumerateKey [0xB9F832A8]
SSDT d347bus.sys (PnP BIOS Extension/ ) ZwEnumerateValueKey [0xB9F8E910]
SSDT BA6E69BB ZwLoadDriver
SSDT BA6E69A2 ZwLoadKey
SSDT d347bus.sys (PnP BIOS Extension/ ) ZwOpenKey [0xB9F8E794]
SSDT BA6E6970 ZwOpenProcess
SSDT BA6E6975 ZwOpenThread
SSDT d347bus.sys (PnP BIOS Extension/ ) ZwQueryKey [0xB9F832C8]
SSDT d347bus.sys (PnP BIOS Extension/ ) ZwQueryValueKey [0xB9F8E866]
SSDT BA6E69AC ZwReplaceKey
SSDT BA6E69A7 ZwRestoreKey
SSDT BA6E69E3 ZwSetContextThread
SSDT BA6E69C0 ZwSetSystemInformation
SSDT d347bus.sys (PnP BIOS Extension/ ) ZwSetSystemPowerState [0xB9F8E0B0]
SSDT BA6E6998 ZwSetValueKey
SSDT \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS (SASKUTIL.SYS/SUPERAdBlocker.com and SUPERAntiSpyware.com) ZwTerminateProcess [0xA4F6B640]
SSDT BA6E697A ZwWriteVirtualMemory

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!ZwCallbackReturn + 2C58 80503858 4 Bytes JMP A6B6F255
.text ntkrnlpa.exe!ZwCallbackReturn + 2DF8 805039F8 4 Bytes CALL F642F3F5
.text C:\WINDOWS\system32\DRIVERS\ati2mtag.sys section is writeable [0xB5354000, 0x1985C4, 0xE8000020]

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\Explorer.EXE[1948] SHELL32.dll!StrStrW 7C9CC1D0 8 Bytes [E0, 10, 60, 19, 00, 11, 60, ...] {LOOPNZ 0x12; PUSHA ; SBB [EAX], EAX; ADC [EAX+0x19], ESP}

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe[2376] @ C:\WINDOWS\system32\GDI32.dll [KERNEL32.dll!LoadLibraryExW] [61347917] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe[2376] @ C:\WINDOWS\system32\GDI32.dll [KERNEL32.dll!LoadLibraryA] [61347849] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe[2376] @ C:\WINDOWS\system32\GDI32.dll [KERNEL32.dll!GetProcAddress] [613470AD] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe[2376] @ C:\WINDOWS\system32\GDI32.dll [KERNEL32.dll!LoadLibraryW] [61347889] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe[2376] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!LoadLibraryExW] [61347917] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe[2376] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!LoadLibraryA] [61347849] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe[2376] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!GetProcAddress] [613470AD] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe[2376] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!LoadLibraryW] [61347889] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe[2376] @ C:\WINDOWS\system32\USER32.dll [GDI32.dll!GetStockObject] [6134649C] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe[2376] @ C:\WINDOWS\system32\SHLWAPI.dll [GDI32.dll!GetStockObject] [6134649C] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe[2376] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryExA] [613478C9] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe[2376] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryExW] [61347917] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe[2376] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryW] [61347889] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe[2376] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryA] [61347849] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe[2376] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!GetProcAddress] [613470AD] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe[2376] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!DefWindowProcA] [61346CC4] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe[2376] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!DefWindowProcW] [61346CC4] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe[2376] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!GetSysColor] [613463D7] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe[2376] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!TrackPopupMenu] [61346306] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe[2376] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!TrackPopupMenuEx] [61346344] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe[2376] @ C:\WINDOWS\system32\WININET.dll [KERNEL32.dll!CreateFileA] [61346622] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe[2376] @ C:\WINDOWS\system32\SHELL32.dll [GDI32.dll!GetStockObject] [6134649C] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe[2376] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!AnimateWindow] [61346537] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe[2376] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!TrackPopupMenuEx] [61346344] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe[2376] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!DefWindowProcA] [61346CC4] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe[2376] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!GetSysColor] [613463D7] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe[2376] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!DefWindowProcW] [61346CC4] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe[2376] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!GetSysColorBrush] [613464A2] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe[2376] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!TrackPopupMenu] [61346306] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe[2376] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryA] [61347849] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe[2376] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryW] [61347889] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe[2376] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!GetProcAddress] [613470AD] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe[2376] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryExW] [61347917] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe[2376] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryExA] [613478C9] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe[2376] @ C:\WINDOWS\system32\IPHLPAPI.DLL [KERNEL32.dll!GetProcAddress] [613470AD] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe[2376] @ C:\WINDOWS\system32\IPHLPAPI.DLL [KERNEL32.dll!LoadLibraryA] [61347849] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe[2376] @ C:\WINDOWS\system32\PSAPI.DLL [KERNEL32.dll!LoadLibraryA] [61347849] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe[2376] @ C:\WINDOWS\system32\PSAPI.DLL [KERNEL32.dll!GetProcAddress] [613470AD] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe[2744] @ C:\WINDOWS\system32\GDI32.dll [KERNEL32.dll!LoadLibraryExW] [61347917] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe[2744] @ C:\WINDOWS\system32\GDI32.dll [KERNEL32.dll!LoadLibraryA] [61347849] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe[2744] @ C:\WINDOWS\system32\GDI32.dll [KERNEL32.dll!GetProcAddress] [613470AD] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe[2744] @ C:\WINDOWS\system32\GDI32.dll [KERNEL32.dll!LoadLibraryW] [61347889] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe[2744] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!LoadLibraryExW] [61347917] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe[2744] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!LoadLibraryA] [61347849] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe[2744] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!GetProcAddress] [613470AD] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe[2744] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!LoadLibraryW] [61347889] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe[2744] @ C:\WINDOWS\system32\USER32.dll [GDI32.dll!GetStockObject] [6134649C] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe[2744] @ C:\WINDOWS\system32\SHLWAPI.dll [GDI32.dll!GetStockObject] [6134649C] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe[2744] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryExA] [613478C9] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe[2744] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryExW] [61347917] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe[2744] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryW] [61347889] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe[2744] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryA] [61347849] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe[2744] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!GetProcAddress] [613470AD] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe[2744] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!DefWindowProcA] [61346CC4] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe[2744] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!DefWindowProcW] [61346CC4] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe[2744] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!GetSysColor] [613463D7] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe[2744] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!TrackPopupMenu] [61346306] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe[2744] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!TrackPopupMenuEx] [61346344] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe[2744] @ C:\WINDOWS\system32\WININET.dll [KERNEL32.dll!CreateFileA] [61346622] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe[2744] @ C:\WINDOWS\system32\SHELL32.dll [GDI32.dll!GetStockObject] [6134649C] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe[2744] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!AnimateWindow] [61346537] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe[2744] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!TrackPopupMenuEx] [61346344] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe[2744] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!DefWindowProcA] [61346CC4] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe[2744] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!GetSysColor] [613463D7] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe[2744] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!DefWindowProcW] [61346CC4] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe[2744] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!GetSysColorBrush] [613464A2] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe[2744] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!TrackPopupMenu] [61346306] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe[2744] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryA] [61347849] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe[2744] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryW] [61347889] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe[2744] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!GetProcAddress] [613470AD] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe[2744] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryExW] [61347917] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe[2744] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryExA] [613478C9] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe[2744] @ C:\WINDOWS\system32\IPHLPAPI.DLL [KERNEL32.dll!GetProcAddress] [613470AD] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe[2744] @ C:\WINDOWS\system32\IPHLPAPI.DLL [KERNEL32.dll!LoadLibraryA] [61347849] C:\Program Files\Yahoo!\Messenger\yui.dll

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs 89D842E8
Device \Driver\Cdrom \Device\CdRom0 89A53798
Device \FileSystem\Rdbss \Device\FsWrap 8994F1E8
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 89A53B98
Device \Driver\atapi \Device\Ide\IdePort0 89A53B98
Device \Driver\atapi \Device\Ide\IdePort1 89A53B98
Device \Driver\atapi \Device\Ide\IdePort2 89A53B98
Device \Driver\atapi \Device\Ide\IdePort3 89A53B98
Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-e 89A53B98
Device \Driver\Cdrom \Device\CdRom1 89A53798
Device \FileSystem\Srv \Device\LanmanServer 89C985B0
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver 8970B738
Device \FileSystem\MRxSmb \Device\LanmanRedirector 8970B738
Device \FileSystem\Npfs \Device\NamedPipe 89AA6208
Device \FileSystem\Msfs \Device\Mailslot 89AA2DD0
Device \Driver\d347prt \Device\Scsi\d347prt1Port4Path0Target0Lun0 89ABF520
Device \Driver\d347prt \Device\Scsi\d347prt1 89ABF520
Device \FileSystem\Fs_Rec \FileSystem\UdfsCdRomRecognizer 8998C880
Device \FileSystem\Fs_Rec \FileSystem\FatCdRomRecognizer 8998C880
Device \FileSystem\Fs_Rec \FileSystem\CdfsRecognizer 8998C880
Device \FileSystem\Fs_Rec \FileSystem\FatDiskRecognizer 8998C880
Device \FileSystem\Fs_Rec \FileSystem\UdfsDiskRecognizer 8998C880
Device \FileSystem\Cdfs \Cdfs 89C51898

---- Modules - GMER 1.0.15 ----

Module _________ B9EE5000-B9EFD000 (98304 bytes)

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\d347prt\Cfg\0Jf40
Reg HKLM\SYSTEM\CurrentControlSet\Services\d347prt\Cfg\0Jf40@khjeh 0x20 0x02 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\d347prt\Cfg\0Jf40@hj34z0 0x07 0x81 0xFC 0x40 ...

---- EOF - GMER 1.0.15 ----

Process Explorer screenshots:

(edited January 5, 2012 by Mafy)
root_prime Posted January 5, 2012
Congrats, everything is in order as far as viruses go; I doubt it's a 0-day file infector, nobody creates that kind of thing anymore. You can test it by placing a clean executable of yours on her PC and comparing the MD5 it had on your PC with the MD5 it has on her PC after it has been run and closed; if they're equal, it has nothing. Regarding "I turn on the computer, connect to the internet, go to any web page, everything is fine and dandy (I think I had no problems for 30 min), when suddenly it throws me out of everything and takes me to the home page. Then I couldn't get into the partitions anymore either (it has 3 partitions, C/D/E); I double-click, I see the folders on C for 2 seconds, then it takes me back to My Computer": make sure you don't have problems with the "backspace" key on the keyboard. Another possibility would be that you have some damage in the registry; get RegVac and do a complete cleanup. If the problem persists, use a system restore point from before you had this problem, and in the future follow tex's advice if the girl is that inept: "The best thing is to install the OS and then make an image of it. You reinstall it in 7-10 minutes with everything you need on it." You can do that with Norton Ghost.
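An added example (not code from any poster in this thread) of the hash-comparison check root_prime describes, generalised from one executable to a baseline of every .exe/.dll under a directory: record size and digest once, then re-check later and list what changed. It assumes Python 3 and uses MD5 as in the post; the algorithm parameter accepts any hashlib name, so sha256 can be substituted.

```python
import hashlib
import tempfile
from pathlib import Path

def file_digest(path, algorithm="md5"):
    """Hash a file in 1 MiB chunks so large executables need not fit in memory."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()

def build_baseline(root, extensions=(".exe", ".dll"), algorithm="md5"):
    """Record (size, digest) for every executable under root, keyed by relative path."""
    root = Path(root)
    baseline = {}
    for path in root.rglob("*"):
        if path.is_file() and path.suffix.lower() in extensions:
            rel = path.relative_to(root).as_posix()
            baseline[rel] = (path.stat().st_size, file_digest(path, algorithm))
    return baseline

def verify_baseline(root, baseline, algorithm="md5"):
    """Return the relative paths whose file is missing or whose size/digest changed."""
    root = Path(root)
    changed = []
    for rel, (size, digest) in baseline.items():
        path = root / rel
        # Size is a cheap first check; the digest catches same-size modifications.
        if (not path.is_file() or path.stat().st_size != size
                or file_digest(path, algorithm) != digest):
            changed.append(rel)
    return sorted(changed)

def demo():
    """Constructed demo: two fake PE-like files are baselined, then one is modified."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "clean.exe").write_bytes(b"MZ" + b"\x00" * 64)  # constructed, not real PEs
        (root / "helper.dll").write_bytes(b"MZ" + b"\x01" * 64)
        baseline = build_baseline(root)
        before = verify_baseline(root, baseline)   # nothing changed yet -> []
        with open(root / "clean.exe", "ab") as f:  # modify one file on disk
            f.write(b"\x90" * 16)
        after = verify_baseline(root, baseline)    # -> ["clean.exe"]
        return before, after
```

In practice the baseline is built on the known-clean machine and verified on the suspect one after the executables have been run, as the post suggests.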
Mafy (Author) Posted January 5, 2012
I got RegVac, everything was OK on all the partitions. After the scan with SUPERAntiSpyware (which found those viruses), I ran another scan with Malwarebytes Anti-Malware and Avira and they didn't find anything anymore. I updated Opera and IE, and for as long as I stayed at her place (an hour and a bit) nothing else happened, fingers crossed, and if the problem shows up again I'll reinstall Windows. Thanks for the replies & happy new year!
root_prime Posted January 5, 2012
"I got RegVac, everything was OK on all the partitions. After the scan with SUPERAntiSpyware (which found those viruses), I ran another scan with Malwarebytes Anti-Malware and Avira and they didn't find anything anymore. I updated Opera and IE, and for as long as I stayed at her place (an hour and a bit) nothing else happened, fingers crossed, and if the problem shows up again I'll reinstall Windows. Thanks for the replies & happy new wait year!"
wait WHAT THE FUCK, RegVac cleans the registry, not partitions, and SUPERAntiSpyware had only found browser cookies; she didn't visit those sites again afterwards = they didn't show up again. Even if they do reappear they are zero danger, they're just "tracking cookies", a privacy risk on your own PC, nothing more. So if she has no more problems, it was just a problem in the registry.