My sister brought over a laptop that is full of viruses: it runs slowly, shuts down, and behaves strangely. I tried scanning it with Spybot; it finds a lot (keyloggers and adware), but the laptop shuts down in the middle of the scan. I hope I can solve the problem.
Here are the logs:

O2 - BHO: (KMPlayer Toolbar) - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files (x86)\\GenericAskToolbar.dll (Ask)
O2 - BHO: (Java(tm) Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre7\bin\jp2ssv.dll (Oracle Corporation)
O2 - BHO: (YouTube Downloader Toolbar) - {F3FEE66E-E034-436a-86E4-9690573BEE8A} - C:\Program Files (x86)\YouTube Downloader Toolbar\IE\5.1\youtubedownloaderToolbarIE.dll (Spigot, Inc.)
O3 - HKLM\..\Toolbar: (KMPlayer Toolbar) - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files (x86)\\GenericAskToolbar.dll (Ask)
O3 - HKLM\..\Toolbar: (YouTube Downloader Toolbar) - {F3FEE66E-E034-436a-86E4-9690573BEE8A} - C:\Program Files (x86)\YouTube Downloader Toolbar\IE\5.1\youtubedownloaderToolbarIE.dll (Spigot, Inc.)
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No CLSID value found.
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {687578B9-7132-4A7A-80E4-30EE31099E03} - No CLSID value found.
O4:64bit: - HKLM..\Run: [egui] C:\Program Files\ESET\ESET Smart Security\egui.exe (ESET)
O4:64bit: - HKLM..\Run: [TNOD UP] C:\Program Files (x86)\TNod User & Password Finder\TNODUP.exe (Tukero[X]Team)
O4 - HKLM..\Run: [] File not found
O4 - HKLM..\Run: [ApnUpdater] C:\Program Files (x86)\\Updater\Updater.exe (Ask)
O4 - HKCU..\Run: [RESTART_STICKY_NOTES] C:\Windows\System32\StikyNot.exe File not found
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoActiveDesktop = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoActiveDesktopChanges = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorAdmin = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorUser = 3
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableLUA = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: PromptOnSecureDesktop = 0
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O1364bit: - gopher Prefix: missing
O13 - gopher Prefix: missing
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Plug-in 10.2.0)
O16 - DPF: {CAFEEFAC-0017-0000-0002-ABCDEFFEDCBA} (Java Plug-in 1.7.0_02)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer =
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{D3CBBE2D-8B61-4E75-B5B0-0C909985CE7C}: DhcpNameServer =
O18:64bit: - Protocol\Handler\ms-help - No CLSID value found
O18:64bit: - Protocol\Handler\skype4com - No CLSID value found
O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files (x86)\Common Files\Skype\Skype4COM.dll (Skype Technologies)
O20:64bit: - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
O20:64bit: - HKLM Winlogon: UserInit - (c:\windows\system32\userinit.exe) - C:\Windows\SysNative\userinit.exe (Microsoft Corporation)
O20:64bit: - HKLM Winlogon: UserInit - (C:\Windows\SysWOW64\MPK\mpk.exe) - C:\Windows\SysWOW64\MPK\MPK.exe ()
O20:64bit: - HKLM Winlogon: VMApplet - (SystemPropertiesPerformance.exe) - C:\Windows\SysNative\SystemPropertiesPerformance.exe (Microsoft Corporation)
O20:64bit: - HKLM Winlogon: VMApplet - (/pagefile) - File not found
O20 - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\SysWow64\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (userinit.exe) - C:\Windows\SysWow64\userinit.exe (Microsoft Corporation)
O20 - HKLM Winlogon: VMApplet - (/pagefile) - File not found
O20:64bit: - Winlogon\Notify\igfxcui: DllName - (igfxdev.dll) - C:\Windows\SysNative\igfxdev.dll (Intel Corporation)
O21:64bit: - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - No CLSID value found.
O21 - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - No CLSID value found.
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2012/05/15 09:41:40 | 000,000,016 | -H-- | M] () - G:\AUTORUN.INF -- [ FAT32 ]
O34 - HKLM BootExecute: (autocheck autochk *)
O35:64bit: - HKLM\..comfile [open] -- "%1" %*
O35:64bit: - HKLM\..exefile [open] -- "%1" %*
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37:64bit: - HKLM\ [@ = comfile] -- "%1" %*
O37:64bit: - HKLM\...exe [@ = exefile] -- "%1" %*
O37 - HKLM\ [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
O38 - SubSystems\\Windows: (ServerDll=winsrv:UserServerDllInitialization,3)
O38 - SubSystems\\Windows: (ServerDll=winsrv:ConServerDllInitialization,2)
O38 - SubSystems\\Windows: (ServerDll=sxssrv,4)

========== Files/Folders - Created Within 30 Days ==========

========== Files - Modified Within 30 Days ==========

[2012/06/17 14:26:00 | 000,000,830 | ---- | M] () -- C:\Windows\tasks\Adobe Flash Player Updater.job
[2012/06/17 14:19:25 | 000,595,968 | ---- | M] (OldTimer Tools) -- C:\Users\Nadja\Desktop\OTL.exe
[2012/06/17 14:16:09 | 000,015,872 | ---- | M] () -- C:\Users\Nadja\Desktop\pr6432.exe
[2012/06/17 14:13:02 | 000,000,892 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineCore.job
[2012/06/17 14:12:44 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2012/06/17 14:12:14 | 1506,803,712 | -HS- | M] () -- C:\hiberfil.sys
[2012/06/17 13:47:21 | 000,001,262 | ---- | M] () -- C:\Users\Nadja\Desktop\Spybot - Search & Destroy.lnk
[2012/06/17 13:43:58 | 000,337,736 | ---- | M] () -- C:\Windows\SysNative\FNTCACHE.DAT
[2012/06/17 13:38:00 | 000,000,896 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineUA.job
[2012/06/17 13:37:07 | 000,001,039 | ---- | M] () -- C:\Users\Nadja\Desktop\KMPlayer.lnk
[2012/06/17 13:35:10 | 000,726,316 | ---- | M] () -- C:\Windows\SysNative\PerfStringBackup.INI
[2012/06/17 13:35:10 | 000,624,178 | ---- | M] () -- C:\Windows\SysNative\perfh009.dat
[2012/06/17 13:35:10 | 000,106,522 | ---- | M] () -- C:\Windows\SysNative\perfc009.dat
[2012/06/17 13:29:07 | 000,000,822 | ---- | M] () -- C:\Users\Public\Desktop\CCleaner.lnk
[2012/06/17 11:03:17 | 000,023,680 | -H-- | M] () -- C:\Windows\SysNative\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
[2012/06/17 11:03:17 | 000,023,680 | -H-- | M] () -- C:\Windows\SysNative\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
[2012/06/14 12:02:49 | 000,124,803 | ---- | M] () -- C:\Users\Nadja\Desktop\223847_416759108369213_2987758_n.jpg
[2012/06/13 15:29:00 | 000,001,860 | ---- | M] () -- C:\Users\Public\Desktop\Update NOD32 license.lnk
[2012/06/13 15:21:49 | 001,018,311 | ---- | M] () -- C:\Users\Nadja\Desktop\TNod-1.4.2-final-setup.rar
[2012/06/13 15:18:26 | 000,001,166 | ---- | M] () -- C:\Users\Public\Desktop\TeamViewer 7.lnk
[2012/06/03 07:23:11 | 001,669,327 | ---- | M] () -- C:\Users\Nadja\Desktop\Windows Loader
[2012/05/25 00:05:47 | 000,403,157 | ---- | M] () -- C:\Users\Nadja\Desktop\bolnica i ja 004.jpg.part
[2012/05/20 17:16:24 | 031,904,672 | ---- | M] (Pacific Gold Coast Corp.) -- C:\Users\Nadja\Desktop\leadtoolseprint5pro.exe
[2012/05/19 00:16:42 | 000,000,069 | ---- | M] () -- C:\Windows\NeroDigital.ini
[2012/05/18 16:21:52 | 002,935,535 | ---- | M] () -- C:\Users\Nadja\Desktop\150 zadnja.jpg
[1 C:\Users\Nadja\Documents\*.tmp files -> C:\Users\Nadja\Documents\*.tmp -> ]

< End of report >


Addendum: 17 Jun 2012 14:43

Oh, and I have ESET Smart Security 5 on the laptop, but it shuts down, it is not in the tray and does not work, and I cannot uninstall it: it tells me I do not have access to some keys in the registry. :O

  • Joined: 26 Aug 2010
  • Posts: 10622
  • Location: Hypnos Control Room, Tokyo Metropolitan Government Building

While we work on this case, I would ask you to stick to the following:
Read my instructions (or those of the colleagues standing in for me) carefully and work exclusively by them;
Do not seek help elsewhere at the same time;
Do not use other malware-removal programs apart from the ones you are given instructions for;
During the intervention, do not use USB memory devices until I ask for it;
If I do not reply within 48 hours, bump the thread with a new post;
If you do not report back within 5 days, we will close the case.

For more information on the rules of the MyCity forum Ambulanta: LINK

Step 1

Go to Start -> Control Panel -> Programs and Features and uninstall the following programs:

YouTube Downloader Toolbar v5.1
Ask Toolbar
KMPlayer Toolbar Updater
TNod User & Password Finder

Step 2

Did you try to remove NOD through the Programs and Features applet?

Go to Start -> Control Panel -> Programs and Features and try to uninstall ESET Smart Security.

Follow the instructions for removing NOD leftovers, which can be found at the following link:

Instructions for entering Safe Mode are here:

When you have finished, return to normal mode.

Step 3

Run the OTL program again by double-clicking its icon.

Into the white box of the window labelled Custom Scans/Fixes, paste the following text:

C:\Documents and Settings\All Users\Application Data\MPK

O20:64bit: - HKLM Winlogon: UserInit - (C:\Windows\SysWOW64\MPK\mpk.exe) - C:\Windows\SysWOW64\MPK\MPK.exe ()


Click the Run Fix button;

Paste the report you get here in a post.

Step 4

Run OTL again, click Run Scan and post a fresh OTL report for me.
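As an added example that is not from this thread, the following Python triage pass runs over OTL report lines (a few lines constructed from the report posted above) and flags the three things the helper acts on: a Winlogon UserInit/Shell value that is not the stock binary (the MPK entry), UAC policy values set to 0, and an autorun.inf on a removable drive. The regexes and category names are my own assumptions about the OTL line layout shown above.

```python
import re

# Constructed sample: OTL lines copied from the report above (the O4 line is a control that must not match).
SAMPLE_OTL = r"""
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorAdmin = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableLUA = 0
O4 - HKLM..\Run: [ApnUpdater] C:\Program Files (x86)\\Updater\Updater.exe (Ask)
O20:64bit: - HKLM Winlogon: UserInit - (c:\windows\system32\userinit.exe) - C:\Windows\SysNative\userinit.exe (Microsoft Corporation)
O20:64bit: - HKLM Winlogon: UserInit - (C:\Windows\SysWOW64\MPK\mpk.exe) - C:\Windows\SysWOW64\MPK\MPK.exe ()
O20 - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\SysWow64\explorer.exe (Microsoft Corporation)
O32 - AutoRun File - [2012/05/15 09:41:40 | 000,000,016 | -H-- | M] () - G:\AUTORUN.INF -- [ FAT32 ]
"""

# The only binaries Winlogon should hand control to; anything else is a persistence hook.
EXPECTED_WINLOGON = {"userinit": "userinit.exe", "shell": "explorer.exe"}
# At these values UAC is off or elevates silently, so malware runs as admin without a prompt.
UAC_WEAK_VALUES = {"EnableLUA": "0", "ConsentPromptBehaviorAdmin": "0", "PromptOnSecureDesktop": "0"}

# Assumed OTL layouts: "O20[:64bit:] - HKLM Winlogon: <key> - (<value>) - <resolved path> (<signer>)"
WINLOGON_RE = re.compile(r"^O20(?::64bit:)? - HKLM Winlogon: (UserInit|Shell) - \((.*?)\) - (.*?) \((.*)\)$")
POLICY_RE = re.compile(r"^O6 - HKLM\\.*\\policies\\System: (\w+) = (\S+)$")
AUTORUN_RE = re.compile(r"^O32 - AutoRun File - .* - ([A-Z]:\\AUTORUN\.INF)", re.IGNORECASE)


def triage(report: str) -> list:
    """Return (category, line) findings, in report order, for the sections a helper reads first."""
    findings = []
    for line in report.splitlines():
        m = WINLOGON_RE.match(line)
        if m:
            key, value, _resolved, signer = m.groups()
            # Compare the file name only: the 32-bit and 64-bit views list different directories.
            binary = value.split("\\")[-1].lower()
            if binary != EXPECTED_WINLOGON[key.lower()] or not signer:
                findings.append(("winlogon_hook", line))
            continue
        m = POLICY_RE.match(line)
        if m and UAC_WEAK_VALUES.get(m.group(1)) == m.group(2):
            findings.append(("uac_weakened", line))
            continue
        if AUTORUN_RE.match(line):
            findings.append(("removable_autorun", line))
    return findings


if __name__ == "__main__":
    for category, line in triage(SAMPLE_OTL):
        print(f"{category:18} {line}")
```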

  • Luka Varagic
  • Joined: 08 Jul 2008
  • Posts: 181
  • Location: Pirot

OK, I will follow the rules, of course.

I cannot remove Nod32 (picture)


  • Joined: 26 Aug 2010
  • Posts: 10622
  • Location: Hypnos Control Room, Tokyo Metropolitan Government Building

Tell me, did you follow the instructions for removing the NOD leftovers?

  • Luka Varagic
  • Joined: 08 Jul 2008
  • Posts: 181
  • Location: Pirot

I have now removed NOD as described in those instructions, successfully.

  • Joined: 26 Aug 2010
  • Posts: 10622
  • Location: Hypnos Control Room, Tokyo Metropolitan Government Building

Before or after posting the new OTL report?

  • Luka Varagic
  • Joined: 08 Jul 2008
  • Posts: 181
  • Location: Pirot

Written: 17 Jun 2012 21:58

Ugh, I am so dumb. I removed it after the report. Here is the new report:



Sorry.

Addendum: 17 Jun 2012 22:00

Removed = posted*

  • Joined: 26 Aug 2010
  • Posts: 10622
  • Location: Hypnos Control Room, Tokyo Metropolitan Government Building

No problem.

Step 1

Run the OTL program again by double-clicking its icon.

Into the white box of the window labelled Custom Scans/Fixes, paste the following text:


IE - HKLM\..\SearchScopes,DefaultScope = {afdbddaa-5d3f-42ee-b79c-185a7020515b}
IE - HKCU\..\SearchScopes\{afdbddaa-5d3f-42ee-b79c-185a7020515b}: "URL" ={searchTerms}&SearchSource=4&ctid=CT3072253
FF - "{searchTerms}"
[2012/06/17 13:38:32 | 000,000,000 | ---D | M] (KMPlayer Toolbar) -- C:\Users\Nadja\AppData\Roaming\Mozilla\Firefox\Profiles\g3bdtscv.default\extensions\
[2012/02/13 13:56:00 | 000,000,925 | ---- | M] () -- C:\Users\Nadja\AppData\Roaming\Mozilla\Firefox\Profiles\g3bdtscv.default\searchplugins\conduit.xml
[2012/03/25 03:02:34 | 000,000,000 | ---D | M] (YouTube Downloader Toolbar) -- C:\PROGRAM FILES (X86)\YOUTUBE DOWNLOADER TOOLBAR\FF
O2 - BHO: (KMPlayer Toolbar) - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files (x86)\\GenericAskToolbar.dll (Ask)
O3 - HKLM\..\Toolbar: (KMPlayer Toolbar) - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files (x86)\\GenericAskToolbar.dll (Ask)
O3 - HKLM\..\Toolbar: (YouTube Downloader Toolbar) - {F3FEE66E-E034-436a-86E4-9690573BEE8A} - C:\Program Files (x86)\YouTube Downloader Toolbar\IE\5.1\youtubedownloaderToolbarIE.dll (Spigot, Inc.)
O4 - HKLM..\Run: [ApnUpdater] C:\Program Files (x86)\\Updater\Updater.exe (Ask)
O4 - HKCU..\Run: [RESTART_STICKY_NOTES] C:\Windows\System32\StikyNot.exe File not found

Click the Run Fix button;

Paste the report you get here in a post.

Step 2

Download the installer for Malwarebytes Anti-Malware from the following link:

Double-click to start the installation. At the very end of the process, make sure these options are checked:
Update Malwarebytes' Anti-Malware;
Launch Malwarebytes Anti-Malware;

and then click Finish.

Once the update has completed, the program will start.

Select the Perform Quick Scan option and click Scan.

When the process finishes, click OK, then Show Results: in the list of detected malware, check all items and click Remove Selected.

When the process finishes, the report will open in Notepad; paste it into the thread on the forum.
If the program asks for a restart to complete the cleaning process, be sure to allow it.

Note: if a restart occurs at the end of the cleaning process, the report will be available on the Logs tab (select it and click Open).

  • Luka Varagic
  • Joined: 08 Jul 2008
  • Posts: 181
  • Location: Pirot

It says there is no malware after the scan with Malwarebytes' finished.

  • Joined: 26 Aug 2010
  • Posts: 10622
  • Location: Hypnos Control Room, Tokyo Metropolitan Government Building

What is the state of the system now?

A keylogger was installed on the laptop, so when you return it to your sister, be sure to tell her to change her passwords on the sites she uses.

Now you need to install an AV program.
If you do not have the money, or do not want to spend it on a commercial AV program, there are good free AV programs available such as Avast Free, AVG Free, Avira Free, Microsoft Security Essentials, Panda Cloud AV, etc.
Do not use pirated versions of AV programs!!!

Post a new OTL report for me.

