[Solution] Yahoo! Messenger virus – viruses of the image.php type

For a few days now a new virus (named Palevo) has been circulating on Yahoo! Messenger. It sends image.php-style links hosted on domains that imitate photo-sharing and social-network sites, each preceded by a short text such as "foto:" or "hahaha footo".



Once you open such a link, received on Messenger from a contact in your list, you are offered a file for download with a name similar to the one below:

IM56245.JPG-www.myspace.com.exe

Most people will not see the .exe extension at the end, because Windows is set by default not to display file extensions. (A big mistake, in my opinion.)


To keep it short, here is how you can get rid of this intruder:

Method 1: Download Malwarebytes Anti-Malware.
Install it and at the end make sure you have ticked the following: Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware. Then press Finish.
After the program starts, select Perform quick scan (or Full scan, which takes much longer) and then press Scan.
When it finishes, press OK and then Show Results. Make sure everything is ticked and then press Remove Selected.
At the end it will ask you to restart the PC.

Method 2: Download the Kaspersky Removal Tool and scan the C:\ partition with it, deleting the infections it finds.

Method 3:
Download ComboFix and save it to the Desktop.
Then make sure you have closed all running programs (Yahoo Messenger, Mozilla Firefox, etc.) and run ComboFix. It will ask whether it should start cleaning the system. Confirm with Yes every time. Do not stop it while it scans and disinfects the system. The desktop may disappear while it runs, but do not worry.
At the end it will display the scan results. Save that file and send me its contents by e-mail.

Method 4: Make a HijackThis log, send it to me by e-mail and I will give you the manual disinfection solution, adapted to each user individually.
This solution is sometimes needed as well, because the virus creates random file names.

For those interested in more details, the virus creates the following files:
%Windir%\infocard.exe (this is also the active process; other names are used as well, such as net.exe or net1.exe)
%Windir%\mds.sys
%Windir%\mdt.sys
%Windir%\winbrd.jpg

The following registry keys also belong to it:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ [Firewall Administrating = "%Windir%\infocard.exe"]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\Run\ [Firewall Administrating = "%Windir%\infocard.exe"]
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\ [Firewall Administrating = "%Windir%\infocard.exe"]

Through these entries in the Windows registry, the virus ensures that it runs every time the computer starts.
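As an added example (not code from the original post), here is a read-only PowerShell check for the persistence artefacts just listed: the "Firewall Administrating" value in the three Run keys, the files dropped under %Windir%, a running copy of the dropper, and the Explorer hidden-extension setting criticised earlier. It assumes the value name and file names exactly as given in the post and only reports; removal stays with the tools above.

```powershell
# Added example, not code from the original post: a read-only check for the
# Palevo artefacts the post lists. It only reports; it deletes nothing.
$valueName = 'Firewall Administrating'
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
)
# Files the post says are dropped directly under %Windir% (not under system32,
# where a legitimate net.exe / net1.exe live).
$droppedNames = @('infocard.exe', 'net.exe', 'net1.exe', 'mds.sys', 'mdt.sys', 'winbrd.jpg')
$winDir = $env:WINDIR.TrimEnd('\')
$findings = @()

# 1. Autostart value in each of the three Run keys named in the post.
foreach ($key in $runKeys) {
    if (-not (Test-Path -Path $key)) { continue }
    $data = (Get-Item -Path $key).GetValue($valueName)
    if ($null -ne $data) {
        $findings += "Run value '$valueName' in $key -> $data"
    }
}

# 2. Dropped files in the Windows directory.
foreach ($name in $droppedNames) {
    $path = Join-Path -Path $winDir -ChildPath $name
    if (Test-Path -Path $path -PathType Leaf) {
        $f = Get-Item -Path $path
        $findings += "File $path ($($f.Length) bytes, last write $($f.LastWriteTime))"
    }
}

# 3. A running copy: one of the same file names, image located directly in %Windir%.
foreach ($proc in Get-Process) {
    $imagePath = $null
    try { $imagePath = $proc.Path } catch { continue }   # some system processes deny access
    if (-not $imagePath) { continue }
    $leaf   = Split-Path -Path $imagePath -Leaf
    $parent = (Split-Path -Path $imagePath -Parent).TrimEnd('\')
    if (($droppedNames -contains $leaf) -and ($parent -ieq $winDir)) {
        $findings += "Process $($proc.Name) (PID $($proc.Id)) running from $imagePath"
    }
}

# 4. The Explorer setting the post calls a mistake: with HideFileExt = 1 the
#    lure "IM56245.JPG-www.myspace.com.exe" is displayed without its .exe suffix.
$advanced = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
$hide = (Get-ItemProperty -Path $advanced -Name HideFileExt -ErrorAction SilentlyContinue).HideFileExt
if ($hide -eq 1) {
    $findings += 'Explorer hides known file extensions (HideFileExt = 1)'
}

if ($findings.Count -eq 0) {
    Write-Output 'No Palevo persistence artefacts found.'
} else {
    Write-Output 'Possible Palevo infection / risky setting:'
    $findings | ForEach-Object { Write-Output "  $_" }
}
```

Run it from an elevated PowerShell prompt so that the HKLM keys and all process image paths are readable; an empty result does not rule out a variant that uses the random file names the post mentions.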

If you managed to clean this infection, I recommend you buy the PRO version of Malwarebytes Anti-Malware to protect yourself from such threats in the future, given that they were not detected or removed by your current antivirus.

Administrator of FaraVirusi.com
volunteer with the Comodo Malware Research Team, Malwarebytes Anti-Malware expert

168 responses to "[Solution] Yahoo! Messenger virus – viruses of the image.php type"

  1. adelina belu

    ComboFix 10-10-19.04 – adelina 10/20/2010 18:54:49.1.1 – FAT32x86
    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.255.120 [GMT 3:00]
    Running from: c:\documents and settings\adelina\My Documents\Downloads\ComboFix.exe
    AV: ESET NOD32 Antivirus 3.0 *On-access scanning enabled* (Outdated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
    * Resident AV is active


  2. veres simmona

thanks mate, the first option really worked
I hope I won't have this problem again
and for once I tried to install a program by myself and I managed, and it actually did its job
thank you very much

  3. marcus

I need to get out of virus

    1. Gaby

Are all these solutions antivirus programs? I have an antivirus that runs permanently and I'm afraid they might ****fight**** each other. Please help me, because I have this virus too. When it sends on Messenger, the antivirus shuts down as well. Reply please

  4. eamon

what virus is this?

    Ð ä n ¥ Ê l: is this you? http://doiop.com/id1.php?=http://www.facebook.com/profile.php

It sends mass messages… how do I remove it?

  5. Bianca

I had this virus too, I don't know exactly what I did but I got rid of it :)). Anyway, some time ago I received a message from a friend I've known for half my life, in Romanian, something like "girl, look, this is my classmate and she's 24 =)) [link]". I asked her whether it was a virus or something and she said something like "what's wrong with you girl, me and viruses =))". Anyway, I fell for it like a fool, after which the same girl says to me, with me not having noticed anything until then: "girl, I have a problem, can you log into my Messenger to help me change my password [or I don't remember what she told me, anyway something believable]" and I said yes. She gave me her supposed password, and I gave her mine because she asked for it, supposedly so we could communicate. When I went to log into her Messenger, big surprise! she started logging into my Messenger too, actually talking to my friends :|. I was stunned, but I recovered my password and changed it, obviously.

IN CONCLUSION: IT CAN BE EVEN YOUR BEST FRIEND, THE MOST TRUSTED ONE, DON'T CLICK ON WHAT YOU DON'T KNOW, BRO! [I say this because I got burned too]

    1. happyday

thanks for the advice 🙂 . I've already deleted all my friends from my Messenger list because I had given them all my password and I thought I'd better avoid surprises 😀 . what's more, some of them were sending me subversive links like "www.youtube.com" and I decided not to give credit to such vile provocations.

on a scale from 1 to 10, where do you think you stand, 10 being an authentic blonde? 😀

  6. Madalin

I clicked by mistake on a link with face-poc… and I have a virus, I wasn't careful and the virus got into the PC, now I can't see the text on Messenger anymore…:|….. now let me see whether I manage with the first option and I'll come back with a topic

  7. Madalin

it's good… I got rid of that virus

  8. vlad

hi, can you help me with this virus too?

1) XXX: Sorry to bother you, does www.jdetector.com work for you? it says busy when I enter an id there

2) XXX: try scanning my id on www.Jdetector.com to see what image I have as my avatar

3) XXX: Hi, if you're wondering why you receive so many mass messages with www.Jdetector.com , you absolutely have to read this: http://www.jdetector.com/unsubscribe/

I should mention that I got it on only one id. Thanks a lot.

  9. vlad

honestly, I don't remember anything like that. I reinstalled Windows, so I'd think it had nowhere left to stay. I should mention that it sends mass messages only from that id and only when I'm not logged in.

  10. vlad

PS. here are other messages like these that it also sent:

xxx (01/11/2011 3:34:57 PM) : If you want to download songs or movies from youtube, now you can, you don't have to install any program on the PC, go to vvv.YGrabber.com and enter the youtube link. PS: pass it on

xxx (12/26/2010 3:55:01 PM) : hahahaha look here !!! vvv.FazePenale.com I can't stop laughing…

Sorry, I posted the correct link the first time.

  11. vlad

when do I make this HijackThis log?

  12. vlad

sent.

  13. Mariowe

I succeeded on the first try with option 1
Until I found the solutions you gave, I tried a bunch of other methods; I was about to reinstall my operating system. Good thing I found you in time. Thank you very much.

  14. andreea

I have that virus too. I followed the steps and in HijackThis this is what came up… can you help me please?

    Logfile of Trend Micro HijackThis v2.0.4
    Scan saved at 6:20:04 PM, on 3/12/2011
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v8.00 (8.00.6001.18702)
    Boot mode: Normal


    1. Dyddye

      It was sent to me the same way and I got the "Foto" one too, and it gets sent out once every 5 minutes.

  15. Gigi

    In HijackThis, tick and press Fix Checked for the lines:

    O4 - HKLM\..\Run: [Java developer Script Browse] C:\WINDOWS\jusched.exe
    O4 - HKCU\..\Run: [Java developer Script Browse] C:\WINDOWS\jusched.exe

    Then download Removal.zip, unzip it and run the Removal.bat file.

  16. Vexx

    For a few days I have been receiving mass messages from unknown IDs with a site... more precisely http://www.x1u .eu. I ignored them, but I see that I am now getting them from other IDs... How can I fix the problem so that I stop receiving these mass messages?

  17. Zoone

    Hi. Earlier today my sister clicked on a link (hxtp://paidly.com/ifR1DY) and after a while it started sending other phantom links (htxp://paidly.com/W5AHH4) and so on. How do I get rid of it? Can I find it in regedit? I have the NOD32 antivirus and it did not find it. Any other suggestions? Thanks

  18. Zoone

    @Radu FaraVirusi(com): I installed ComboFix. It scanned, processed, deleted the viruses, and after I signed into Yahoo Messenger, miracle... everything is perfect. Good thing I came here to your site. Thanks for the help, Radu. All the best and happy holidays. If I have more problems I will come back. All the best. :0

    Respect, Zoone.

  19. Xadarx Black

    I have a problem too. I received from a friend on Messenger something like "Foto:D" and the link; I clicked on it like a fool and got something to download, it downloaded and supposedly installed, me being stupid enough to do such a thing; something appeared and I think I clicked OK, also on Messenger. After I restarted, it started sending messages. I had my own ID in my list and I noticed that I was sending MYSELF the same "Foto:D" thing and the link. I don't know how to get rid of it, but a prompt came up asking whether I want to delete all the addresses from my list; what do I do 🙁 I ran the antivirus, it removed a few infections, but it still does the same thing. Please tell me what to do, plz

  20. mihai pop

    (((http://x61.ch/186df8))))))) After I received this link, a few minutes later my whole list turns blue and Messenger minimizes to the taskbar (Yahoo Messenger).

  21. cibocip

    My problem is that for a few days my Messenger contacts have been complaining that they receive messages with "my profile". I ran a scan with Malwarebytes Anti-Malware but it found no infection. Please help me, the whole story is becoming embarrassing. Thank you

  22. Horaţiu

    Hello. I received, from a Yahoo! Messenger address that is not in my list, the following message, which acted as a link: http://WWW.X1U.EU

    I did not click on it; I only selected the text of the message in order to search for it on Google. When selected, the message appeared in full as: IE Wh 8 V 8Wnrv1Cf<WWW.X1U.EU

    Google returned several results, among them your site. On some of the pages where the link appeared, the suggestion was also made to install antivirus or antimalware software to scan the computer.

    My question: if I did not follow the link in the message, is it possible that my computer is infected? I should mention that the message was not saved in the Message Archive and I received no warnings from the computer about any problem. I have Avast installed. Also, after receiving the message, I deleted the Temporary Internet Files.

    Thanks.

    1. Gigi
      1. Horaţiu

        Thank you very much. So it is clear that I was not infected. That would have been nasty.

        Thanks once again.

  23. Julia

    Hello, I have a problem: from my Yahoo Mail address, e-mails are being sent automatically to my whole contact list. Initially they had "no subject" and contained ads for pharmaceutical products; now they look like this:
    iulia…………… Re: Re: I am my own boss

    Hey.
    I could see my future fading fast this got me back on my feet in no time now nobody would dare disrespect me this is just between us
    http://wbopole.home.pl/CraigBaker87.html
    talk to you soon.
    The e-mail is sent daily without me being logged in.
    Please give me a solution to fix the problem.

  24. Yana

    Hello.... please help me urgently!!!! For 2 days, mass messages have been sent to everyone in my list with the following link: rofl lol hxxp://i2.tinyphotohd.com/g.php?5u9c1&res ...... I think it is a virus... I don't know how to get rid of it.

    1. Gigi

      Do you have an antivirus installed?

  25. Yana

    Thank you very much for helping me!!!:*

  26. vasy

    What virus is this? haha hxxp://s9.megaphotohost.com/g.php?j7d4h6b-Picture38.JPG

  27. Aly

    Hello... I think I clicked on it by mistake... usually I don't click on anything I receive, and after a few days I saw that I have almost no IDs left in my list, and if I add one, after it says Finish the ID does not appear in the list... and the ones I no longer see in my list, do they see me online? Can you help me, because I don't know what to do :(? Thanks

  28. DjLemon

    Hi all! I have a problem too: a friend's status gets changed every 5 minutes to something like ( Iau M#ie, Sug P#la, etc ... ) SORRY I DIDN'T CENSOR :d ... and she does not know how to get rid of it, plus she receives one automatic message from various IDs with the same content.... what should she do??? She ignored them but still can't get rid of it.... please answer quickly

    1. DjLemon

      I found the virus!!!

      htxp://www.ymland.com/schimbare-status <----- this is it, but don't click on it; I did, but my PC did not get infected, I was lucky

  29. alex

    But I want to send viruses to someone on Messenger, how do I do it /:)))) to get rid of him; send me a private msg so I can destroy that guy, but with a virus that leaves nothing of his PC ;))

  30. andreigrigoroiu

    hxtp://bit.ly/xXR8ai?Facebook.com-IMG333449.JPG What virus is this, bro? I don't know how to get rid of it; I tried with Avast, with Malwarebytes and everything, and it does not work. I got it from FB and it sends it over Messenger.

    1. andreigrigoroiu

      Don't click on the link, it is a virus.

  31. Rzv

    ComboFix 12-02-25.02 - razdy 02/25/2012 21:11:33.1.2 - x86
    Microsoft Windows 7 Ultimate 6.1.7600.0.1252.1.1033.18.2047.1514 [GMT 2:00]
    Running from: c:\users\razdy\Downloads\ComboFix.exe
    AV: Avira Desktop *Enabled/Updated* {F67B4DE5-C0B4-6C3F-0EFF-6C83BD5D0C2C}
    SP: Avira Desktop *Enabled/Updated* {4D1AAC01-E68E-63B1-344F-57F1C6DA4691}
    SP: Windows Defender *Enabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    * Created a new restore point
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    c:\users\Public\mdm.exe
    c:\users\razdy\AppData\Local\Temp\d5c9e72ccc5e44b1b3dfcb19e233ac7f\YN2BFN3S.dat
    c:\users\razdy\AppData\Roaming\Microsoft\Windows\Recent\Thumbs.db
    c:\windows\system32\tmp6B62.tmp
    c:\windows\system32\tmp6BC0.tmp
    .
    .
    ((((((((((((((((((((((((( Files Created from 2012-01-25 to 2012-02-25 )))))))))))))))))))))))))))))))
    .
    .
    2012-02-25 19:17 . 2012-02-25 19:19 -------- d-----w- c:\users\razdy\AppData\Local\temp
    2012-02-25 19:17 . 2012-02-25 19:17 -------- d-----w- c:\users\Default\AppData\Local\temp
    2012-02-25 08:01 . 2012-02-25 19:18 56200 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{C72B7641-66CF-4EF7-BEFD-285C19960132}\offreg.dll
    2012-02-17 16:01 . 2012-02-17 16:01 -------- d-----w- c:\programdata\FLEXnet
    2012-02-17 15:58 . 2012-02-17 15:58 -------- d-----w- c:\program files\Bonjour
    2012-02-17 15:53 . 2012-02-17 15:53 -------- d-----w- c:\program files\Common Files\Macrovision Shared
    2012-02-15 17:19 . 2002-12-02 11:33 32768 ----a-w- c:\program files\Common Files\InstallShield\Professional\RunTime\Objectps.dll
    2012-02-15 17:19 . 2002-12-05 12:10 155648 ----a-w- c:\program files\Common Files\InstallShield\Professional\RunTime701\Intel32\iuser.dll
    2012-02-15 17:19 . 2002-12-02 13:22 5632 ----a-w- c:\program files\Common Files\InstallShield\Professional\RunTime701\Intel32\DotNetInstaller.exe
    2012-02-15 17:19 . 2002-12-02 11:33 57344 ----a-w- c:\program files\Common Files\InstallShield\Professional\RunTime701\Intel32\ctor.dll
    2012-02-15 17:19 . 2002-12-02 11:33 237568 ----a-w- c:\program files\Common Files\InstallShield\Professional\RunTime701\Intel32\iscript.dll
    2012-02-15 17:19 . 2003-02-27 14:12 696320 ----a-w- c:\program files\Common Files\InstallShield\Professional\RunTime701\Intel32\iKernel.dll
    2012-02-15 17:19 . 2012-02-15 17:19 282756 ----a-w- c:\program files\Common Files\InstallShield\Professional\RunTime701\Intel32\setup.dll
    2012-02-15 17:19 . 2012-02-15 17:19 163972 ----a-w- c:\program files\Common Files\InstallShield\Professional\RunTime701\Intel32\iGdi.dll
    2012-02-08 16:11 . 2012-02-08 16:11 -------- d-----w- c:\program files\Common Files\SWF Studio
    2012-02-01 20:15 . 2012-02-01 20:15 -------- d-----w- c:\windows\EffectResources
    2012-02-01 20:10 . 2006-07-18 14:15 49152 ----a-w- c:\windows\vmsnap3.exe
    2012-02-01 20:10 . 2006-07-04 12:16 49152 ----a-w- c:\windows\Domino.exe
    2012-02-01 20:09 . 2007-03-18 15:41 102400 ----a-w- c:\windows\system32\vvftprpav303.ax
    2012-02-01 20:09 . 2007-03-02 11:22 46592 ----a-w- c:\windows\system32\VvFtCtrl.dll
    2012-02-01 20:09 . 2007-06-23 11:45 480128 ----a-w- c:\windows\system32\drivers\vvftav303.sys
    2012-02-01 20:09 . 2007-10-12 14:59 360448 ----a-w- c:\windows\system32\VM303Prp.Ax
    2012-02-01 20:09 . 2007-03-15 16:12 122880 ----a-w- c:\windows\VM303Cap.exe
    2012-02-01 20:09 . 2005-04-30 16:46 81920 ----a-w- c:\windows\system32\VM303STI.dll
    2012-02-01 20:09 . 2012-02-01 20:09 -------- d-----w- c:\program files\Vimicro
    2012-02-01 20:09 . 2007-05-15 08:14 1472768 ----a-w- c:\windows\system32\drivers\usbVM303.sys
    2012-02-01 20:09 . 2006-11-08 12:25 122880 ----a-w- c:\windows\rm303b.exe
    2012-02-01 20:09 . 2006-03-14 12:28 172032 ----a-w- c:\windows\amcap.exe
    2012-02-01 20:09 . 2012-02-01 20:09 -------- d-----w- c:\users\razdy\AppData\Roaming\InstallShield
    2012-01-27 00:25 . 2012-01-27 00:25 -------- d-----w- c:\users\razdy\AppData\Roaming\Media Player Classic
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2012-02-15 19:33 . 2011-11-20 09:38 137416 ----a-w- c:\windows\system32\drivers\avipbb.sys
    .
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
    "{7272be4d-474f-43c8-9c65-7e8824ef39b8}"= "c:\program files\eTvOnline.ro\prxtbeTvO.dll" [2011-05-09 176936]
    .
    [HKEY_CLASSES_ROOT\clsid\{7272be4d-474f-43c8-9c65-7e8824ef39b8}]
    .
    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7272be4d-474f-43c8-9c65-7e8824ef39b8}]
    2011-05-09 08:49 176936 ----a-w- c:\program files\eTvOnline.ro\prxtbeTvO.dll
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
    "{7272be4d-474f-43c8-9c65-7e8824ef39b8}"= "c:\program files\eTvOnline.ro\prxtbeTvO.dll" [2011-05-09 176936]
    .
    [HKEY_CLASSES_ROOT\clsid\{7272be4d-474f-43c8-9c65-7e8824ef39b8}]
    .
    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
    "{7272BE4D-474F-43C8-9C65-7E8824EF39B8}"= "c:\program files\eTvOnline.ro\prxtbeTvO.dll" [2011-05-09 176936]
    .
    [HKEY_CLASSES_ROOT\clsid\{7272be4d-474f-43c8-9c65-7e8824ef39b8}]
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-07-14 1173504]
    "Messenger (Yahoo!)"="c:\progra~1\Yahoo!\MESSEN~1\YahooMessenger.exe" [2011-11-23 6497592]
    "uTorrent"="c:\program files\uTorrent\uTorrent.exe" [2012-02-21 740216]
    "BSRemote"="c:\program files\BSRemote\BSRemoteServer_32.exe" [2011-07-17 126464]
    "EDU Istorie"="d:\jocuri\edu vlad\EDU Istorie\games.exe" [2011-10-31 4455930]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2011-10-19 258512]
    "SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2003-09-29 155648]
    "OpwareSE4"="c:\program files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe" [2006-03-21 69632]
    "WinampAgent"="c:\program files\Winamp\winampa.exe" [2011-07-11 74752]
    "PWRISOVM.EXE"="c:\program files\PowerISO\PWRISOVM.EXE" [2011-11-15 312376]
    "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-03 843712]
    "VMSnap3"="c:\windows\VMSnap3.exe" [2006-07-18 49152]
    "Domino"="c:\windows\Domino.exe" [2006-07-04 49152]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "ConsentPromptBehaviorAdmin"= 5 (0x5)
    "ConsentPromptBehaviorUser"= 3 (0x3)
    "EnableUIADesktopToggle"= 0 (0x0)
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
    "aux"=wdmaud.drv
    .
    R3 epmntdrv;epmntdrv;c:\windows\system32\epmntdrv.sys [2010-07-15 14216]
    R3 EuGdiDrv;EuGdiDrv;c:\windows\system32\EuGdiDrv.sys [2010-07-15 8456]
    R3 npf;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2009-02-08 34064]
    R3 vvftav303;vvftav303;c:\windows\system32\drivers\vvftav303.sys [2007-06-23 480128]
    R3 ZSMC0303;USB PC Camera (Vimicro301 Neptune);c:\windows\system32\Drivers\usbVM303.sys [2007-05-15 1472768]
    S1 avkmgr;avkmgr;c:\windows\system32\DRIVERS\avkmgr.sys [2011-10-19 36000]
    S2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files\Common Files\Adobe\ARM\1.0\armsvc.exe [2012-01-03 63928]
    S2 AntiVirSchedulerService;Avira Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [2011-10-19 86224]
    S2 NAUpdate;Nero Update;c:\program files\Nero\Update\NASvc.exe [2011-09-23 641832]
    S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt86win7.sys [2009-07-13 139776]
    .
    .
    --- Other Services/Drivers In Memory ---
    .
    *NewlyCreated* - WS2IFSL
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.google.ro/
    mStart Page = hxxp://home.sweetim.com
    uInternet Settings,ProxyOverride = *.local
    IE: E&xport to Microsoft Office Excel - c:\progra~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
    IE: Easy-WebPrint Add To Print List - c:\program files\Canon\Easy-WebPrint\Toolband.dll/RC_AddToList.html
    IE: Easy-WebPrint High Speed Print - c:\program files\Canon\Easy-WebPrint\Toolband.dll/RC_HSPrint.html
    IE: Easy-WebPrint Preview - c:\program files\Canon\Easy-WebPrint\Toolband.dll/RC_Preview.html
    IE: Easy-WebPrint Print - c:\program files\Canon\Easy-WebPrint\Toolband.dll/RC_Print.html
    IE: Search the Web - c:\program files\SweetIM\Toolbars\Internet Explorer\resources\menuext.html
    TCP: DhcpNameServer = 193.231.252.1 213.154.124.1
    .
    - - - - ORPHANS REMOVED - - - -
    .
    WebBrowser-{EEE6C35B-6118-11DC-9C72-001320C79847} - (no file)
    HKCU-Run-Microsoft Firevall Engine - c:\users\public\mdm.exe
    .
    .
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
    @Denied: (Full) (Everyone)
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------
    .
    - - - - - - - > 'Explorer.exe'(2720)
    c:\program files\ScanSoft\OmniPageSE4.0\OpHookSE4.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\program files\Avira\AntiVir Desktop\avguard.exe
    c:\program files\Bonjour\mDNSResponder.exe
    c:\windows\system32\taskhost.exe
    c:\program files\Yahoo!\SoftwareUpdate\YahooAUService.exe
    c:\program files\Avira\AntiVir Desktop\avshadow.exe
    c:\windows\system32\conhost.exe
    c:\windows\system32\conhost.exe
    c:\program files\Windows Media Player\wmpnetwk.exe
    c:\program files\Yahoo!\Messenger\ymsgr_tray.exe
    c:\windows\system32\sppsvc.exe
    c:\\?\c:\windows\system32\wbem\WMIADAP.EXE
    .
    **************************************************************************
    .
    Completion time: 2012-02-25 21:23:13 - machine was rebooted
    ComboFix-quarantined-files.txt 2012-02-25 19:23
    .
    Pre-Run: 24,474,341,376 bytes free
    Post-Run: 26,894,692,352 bytes free
    .
    - - End Of File - - 6786E4D403C9AAF266C6AD67AD3CC96F
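
The O4 Run entries Gigi tells the reader to fix in comment 15 and the Run values and the orphaned `HKCU-Run-Microsoft Firevall Engine - c:\users\public\mdm.exe` entry in Rzv's ComboFix log in comment 31 are exactly the autorun entries a helper on this thread triages by eye. The Python script below is an added example (not code from this blog, from HijackThis or from ComboFix) that parses both log formats into one record type and flags an entry on three heuristics: the program launches from a user-writable directory such as `c:\users\public`, a known vendor binary (only `jusched.exe` here, which this example assumes legitimately lives under a `\Java\` directory and never in the Windows root) sits outside its vendor path, or the same program is registered in both the HKLM and HKCU Run keys. The log text embedded in the script is constructed to mirror the lines posted in those two comments, and the parsers expect the tools' plain hyphen separators, not the dashes the blog software substituted in the thread.

```python
"""
Autorun triage over HijackThis O4 lines and ComboFix "Reg Loading Points" output.
Added example for this thread; not code from the blog, HijackThis or ComboFix.
The sample log text below is constructed to mirror the posted lines.
"""
import re
from typing import Dict, List, NamedTuple


class Autorun(NamedTuple):
    source: str  # "hijackthis" or "combofix"
    hive: str    # "HKLM" or "HKCU"
    name: str    # value name under ...\CurrentVersion\Run
    path: str    # command as logged (may carry quotes or arguments)


# HijackThis:  O4 - HKCU\..\Run: [Java developer Script Browse] C:\WINDOWS\jusched.exe
HJT_O4 = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<path>.+)$")

# ComboFix:    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
#              "Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-07-14 1173504]
CF_RUN_KEY = re.compile(r"^\[(?P<hive>HKEY_LOCAL_MACHINE|HKEY_CURRENT_USER)\\.*\\Run\]$", re.I)
CF_VALUE = re.compile(r'^"(?P<name>[^"]+)"="(?P<path>[^"]+)"(?:\s*\[[^\]]*\])?$')
HIVE_SHORT = {"HKEY_LOCAL_MACHINE": "HKLM", "HKEY_CURRENT_USER": "HKCU"}

# Directories any user can write to; a Run entry launching from one is rarely legitimate.
USER_WRITABLE = ("\\users\\public\\", "\\appdata\\local\\temp\\", "\\temp\\")
# Binaries whose legitimate home is a vendor directory (assumption for this example:
# Sun's jusched.exe ships under ...\Java\...\bin, never in the Windows root).
VENDOR_HOME = {"jusched.exe": "\\java\\"}


def parse_hijackthis(text: str) -> List[Autorun]:
    """Collect the O4 Run entries from a HijackThis log."""
    entries = []
    for line in text.splitlines():
        m = HJT_O4.match(line.strip())
        if m:
            entries.append(Autorun("hijackthis", m["hive"], m["name"], m["path"].strip()))
    return entries


def parse_combofix(text: str) -> List[Autorun]:
    """Collect the values listed under a Run key in ComboFix's Reg Loading Points section."""
    entries, hive = [], None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("["):  # any key header starts a new block
            m = CF_RUN_KEY.match(line)
            hive = HIVE_SHORT[m["hive"].upper()] if m else None
            continue
        m = CF_VALUE.match(line) if hive else None
        if m:
            entries.append(Autorun("combofix", hive, m["name"], m["path"]))
    return entries


def executable_of(command: str) -> str:
    """Lower-cased path of the program in a Run command, without quotes or arguments."""
    cmd = command.lower().strip().strip('"')
    m = re.match(r"(.*?\.exe)", cmd)
    return m.group(1) if m else cmd


def triage(entries: List[Autorun]) -> Dict[str, List[str]]:
    """Map 'HIVE:name' to the reasons an entry deserves a look; clean entries are omitted."""
    hives_by_exe: Dict[str, set] = {}
    for e in entries:
        hives_by_exe.setdefault(executable_of(e.path), set()).add(e.hive)
    findings: Dict[str, List[str]] = {}
    for e in entries:
        exe = executable_of(e.path)
        base = exe.rsplit("\\", 1)[-1]
        reasons = []
        if any(d in exe for d in USER_WRITABLE):
            reasons.append("launches from a user-writable directory")
        if base in VENDOR_HOME and VENDOR_HOME[base] not in exe:
            reasons.append(f"{base} is outside its vendor directory")
        if hives_by_exe[exe] >= {"HKLM", "HKCU"}:
            reasons.append("same program registered in both HKLM and HKCU Run")
        if reasons:
            findings[f"{e.hive}:{e.name}"] = reasons
    return findings


# Constructed sample logs (not the files posted in the thread).
HJT_SAMPLE = r"""
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [Java developer Script Browse] C:\WINDOWS\jusched.exe
O4 - HKCU\..\Run: [Java developer Script Browse] C:\WINDOWS\jusched.exe
"""

CF_SAMPLE = r"""
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-07-14 1173504]
"Microsoft Firevall Engine"="c:\users\public\mdm.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2011-10-19 258512]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"""

if __name__ == "__main__":
    for key, reasons in triage(parse_hijackthis(HJT_SAMPLE) + parse_combofix(CF_SAMPLE)).items():
        print(key, "->", "; ".join(reasons))
```

Run on the constructed samples, the script reports both `Java developer Script Browse` entries (wrong directory for `jusched.exe`, and present in both hives) and `Microsoft Firevall Engine` (launches from `c:\users\public`), while the Avira, Sidebar and genuine Java entries pass. The heuristics are deliberately narrow; a real triage would also check the file's signature and hash, which neither log carries.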

  32. See The Palevo virus on Yahoo Messenger and disinfection solutions on Lisandru's blog

    […] to get rid of this Yahoo Messenger virus, one of the methods presented at http://www.faravirusi.com must be followed […]

  33. marius

    I have Avast as my antivirus... I see that the methods mentioned propose various antivirus programs. Please help me if you can. I have the same problem with this "foto" virus.... a friend from my list offered me a solution: press CTRL + ALT + DELETE - Processes - infocard - End Process. But I have no process with that name.... please help me. :|

  34. Valentin

    Thanks a lot, the first method works perfectly!!!

  35. Baban Niculina

    Oh no, I have had the virus for more than 2 months; I keep reinstalling Windows, but the problem is that the virus got onto my phone's memory card and onto a USB stick, because I moved photos and other things while I had the virus on the PC. How can I get rid of the viruses on the stick and on the card? I have the Avast antivirus. If anyone can help me, please contact me on my Messenger ID: niculina_sexyyy

  37. Journalism lesson: A whore got treated for syphilis on the internet! - Expresul de Buftea

    […] antena3.ro saw fit to take over his article and cite as the article's source... "blogul cartitei". So not the site of the guy who worked to write the article and the solution for getting rid of that virus, and who had 88 […]
