Undo for ComboFix
MrStein ::
ComboFix messed up my system a bit.
How do I get back to the previous state?
System Restore is supposedly turned off now (that's what it says when I run it).
Windows 7 x64
99% sure there was no malware on the system.
To err is human.
To err often is stupid.
To persist in error is... oh, hello!
MrStein ::
I saw that, but ComboFix turned off System Restore...
Wox ::
In C:\Windows\erdnt you have the registry backup. In C:\Qoobox are the files that CF deleted.
Commodore 64
amigo_no1 ::
If that does not resolve your issues, then be aware that as part of its routine, ComboFix creates backups in the event something goes awry with Windows which can be used to restore your computer to the state it was prior to using the tool.
Open Windows Explorer or right-click on My Computer and choose Explore.
Navigate to C:\WINDOWS\ERDNT\subs\erdnt.exe, double-click on erdnt.exe and then reboot the machine.
If that does not work, then navigate to C:\WINDOWS\ERDNT\Hiv-backup\erdnt.exe, double-click on erdnt.exe and reboot the machine.
MrStein ::
Are you saying that from experience, or just copying it from there?
Among other things it changed etc/hosts, and that's not among the backed-up files.
satfinder ::
@MrStein
In my case, ComboFix did the same thing 2 months ago; none of the installed programs worked. -) But before touching the OS, ComboFix automatically [on its own] created a restore point, and I managed to restore the OS to its previous state without a problem. If that hadn't gone through, I'd have used a backup image of the OS made with Acronis True Image ... and the OS would have been restored to its previous OK state just the same.
One step to the end and Onward :).
MrStein ::
I'm still waiting for their reply, then I'll go and fix it myself.
satfinder ::
Combofix Screenshots
http://tinyurl.com/9jy594a
Program description
http://tinyurl.com/yhjxce8
User comments
http://download.cnet.com/Combofix/3000-...
When I ran Combofix, it didn't give me any choice at all about what should stay and what should be deleted. -) It deleted perfectly healthy files from PortableApps, ... all checked with 43 AV scanners on VirusTotal. -) Does this console program Combofix even have a selection option, or does it delete everything it feels like, even if they are 100% clean files? -)
MrStein ::
Eh, since the C64 days no piece of software has ever screwed up my system as badly as ComboFix :P
It installed its own files all over the place, deleted (OK, moved to quarantine) a pile of files and settings and God knows what else that I haven't discovered yet.
It should say in big red letters "This program can and will destroy your system. Proceed only if you are desperate", and the start button should be labelled "Please do nuke my PC from orbit"...
MrStein ::
> Navigate to C:\WINDOWS\ERDNT\subs\erdnt.exe, double-click on erdnt.exe and then reboot the machine.
> If that does not work, then navigate to C:\WINDOWS\ERDNT\Hiv-backup\erdnt.exe, double-click on erdnt.exe and reboot the machine.

The \WINDOWS\ERDNT\subs folder doesn't exist at all, but the other one does.
MrStein ::
Regarding System Restore.
I tried turning it on for partition C: and I get these two error dialogs:

```text
---------------------------
---------------------------
Could not apply the settings for the following reason:
The filename, directory name, or volume label syntax is incorrect. (0x8007007B)
---------------------------
OK
---------------------------
```

```text
---------------------------
---------------------------
There was an unexpected error in the property page:
The filename, directory name, or volume label syntax is incorrect. (0x8007007B)
Please close the property page and try again.
---------------------------
OK
---------------------------
```

Supposedly that's because C: is listed twice, and it actually is: once as Off, and the second time as (Missing) On.
Is there a way to check whether there are any restore points under that Missing entry? The normal Restore dialog offers me nothing.
As already mentioned, ComboFix created a restore point at the start, and I'd like to find it and, if possible, apply it.
Wox ::
Without the CF log it's hard to advise anything more concrete. And btw, CF is an internal tool.
MrStein ::
This was the CF log:
Wox ::
> * Created a new restore point

The RP is there. Only if you removed CF with combofix.exe /uninstall in cmd does it delete the old RPs.
MrStein ::
The thing is, the RP isn't "there".
It shows me an empty list.
That's why I'm wondering whether I can still find the RP manually on the disk. If it's anywhere at all.
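As an added example (my code, not from the thread), a PowerShell check for the two questions MrStein raises here and in the post with the 0x8007007B errors: whether restore points still exist on disk when the Restore dialog shows nothing, and which volume a "(Missing)" System Protection entry actually refers to. It assumes Windows 7 or later and an elevated PowerShell prompt; Get-ComputerRestorePoint, the Win32_ShadowCopy and Win32_Volume WMI classes and the SystemRestore registry key are standard Windows components.

```powershell
# Added example (not from the thread). Run from an elevated PowerShell prompt on
# Windows 7 or later. It answers two questions from the discussion: are there
# still restore points on disk when rstrui.exe shows none, and which volume does
# a "(Missing)" entry in the System Protection list actually refer to.

# 1. Restore points as System Restore itself enumerates them.
$rps = @(Get-ComputerRestorePoint -ErrorAction SilentlyContinue)
if ($rps.Count -eq 0) {
    Write-Host 'System Restore enumerates no restore points.'
} else {
    $rps | ForEach-Object {
        New-Object PSObject -Property @{
            Sequence    = $_.SequenceNumber
            Created     = [Management.ManagementDateTimeConverter]::ToDateTime($_.CreationTime)
            Type        = $_.RestorePointType
            Description = $_.Description
        }
    } | Format-Table Sequence, Created, Type, Description -AutoSize
}

# 2. VSS shadow copies present on disk. A restore point is stored inside a
#    shadow copy (System Volume Information), so if shadow copies exist the
#    data may still be recoverable even though the Restore dialog is empty.
$volumes = @(Get-WmiObject -Class Win32_Volume)
$shadows = @(Get-WmiObject -Class Win32_ShadowCopy)
if ($shadows.Count -eq 0) {
    Write-Host 'No VSS shadow copies exist on any volume.'
}
$report = foreach ($s in $shadows) {
    # Both properties hold a \\?\Volume{GUID}\ path, so they can be matched
    # directly; a shadow whose volume no longer exists is the "(Missing)" case.
    $vol = $volumes | Where-Object { $_.DeviceID -eq $s.VolumeName }
    $letter = '(volume no longer present)'
    if ($vol) { $letter = $vol.DriveLetter }
    New-Object PSObject -Property @{
        Created     = $s.ConvertToDateTime($s.InstallDate)
        DriveLetter = $letter
        VolumeGuid  = $s.VolumeName
        ShadowDev   = $s.DeviceObject
    }
}
$report | Format-Table Created, DriveLetter, VolumeGuid, ShadowDev -AutoSize

# 3. Whether System Restore is switched off machine-wide: a DisableSR value of
#    1 under this key disables it.
$srKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore'
Get-ItemProperty -Path $srKey
```

If step 1 is empty but step 2 lists shadow copies for the C: volume GUID, the restore point data is still on disk and a repair-then-restore from installation media (as Wox suggests below) has something to work with; if step 2 is empty too, the shadow copies are gone and only the ERDNT/Qoobox backups remain.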
Wox ::
Try a repair and then System Restore, as described here: http://www.faultwire.com/solutions/usin... It's for Vista, but it's the same in 7.
MrStein ::
Yeah, I know that.
I'm interested in the structure.