Prvi put se srecem sa ovim

1

Prvi put se srecem sa ovim

offline
  • Pridružio: 01 Dec 2007
  • Poruke: 307

Odjednom mi se u IE promenila default stranica u neku koja mi javlja da mi je sistem zarazen i nudi mi programe koji ce to da otklone ali koji se naravno placaju, ja ponovo vratim moju stranicu ali on uporno sam menja. Nod je nasao par virusa i ocistio ih ali opet isto, Ad-Aware SE Professional je takodje nasao i ocistio ali opet isto kao da se uvek vraca to, isto imam i keio PF ali on nije nista prijavio. Onda sam instalirao spybot i on je nasao dosta toga vidite na slikama





posle ciscenja sa spybot-om sve se vratilo da kazem u normalu pa mene interesuje sledece:

1. kako vam se cine rezultati?
2. da li sam se resio tih stvari ili negde cekaju u tisini pa da opet napadnu?
3. da li mi skeniraju podatke i salju na net?

Dosta sam neiskusan sto se tice ovih stvari, jer do pre mesec dana sam bio na dial up-u pa nisam ni isao na internet, sad kad sam uzeo adsl 512/64 visom non stop.

Pozdrav

Logfile of HijackThis v1.99.1
Scan saved at 21:44:08, on 23.12.2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0013)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\ATKKBService.exe
C:\Program Files\CyberLink\PowerCinema\Kernel\TV\CLCapSvc.exe
C:\Program Files\CyberLink\PowerCinema\Kernel\CLML_NTService\CLMLServer.exe
C:\Program Files2\Pilot Group LLC\Hide Folder 3.0\HF30Service.exe
C:\Program Files\ASUS\Probe\AsusProb.exe
C:\Program Files2\Kerio\Personal Firewall 4\kpf4ss.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Eset\nod32kui.exe
C:\Program Files2\D-Tools\daemon.exe
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\PROGRA~2\Lavasoft\AD-AWA~1\Ad-Watch.exe
C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
C:\Program Files\CyberLink\PowerCinema\PCMService.exe
D:\Install\~ INSTALACIJA NOVOG WIN XP\A INSTALIRAO SAM NA NOV WIN\DU Meter\DUMeter.exe
C:\Program Files2\Kerio\Personal Firewall 4\kpf4gui.exe
C:\Program Files2\NetLimiter 2 Pro\nlsvc.exe
C:\PROGRA~1\TIADSL~1\bin\win2k\tidslmon.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Eset\nod32krn.exe
C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe
C:\Program Files\gigabyte\RCService\RCService.exe
C:\WINDOWS\system32\slserv.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\CyberLink\PowerCinema\Kernel\TV\CLSched.exe
C:\Program Files2\KEMailKb\KEMailKb.EXE
C:\Program Files2\NetLimiter 2 Pro\NLClient.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe
C:\Program Files2\Kerio\Personal Firewall 4\kpf4gui.exe
C:\Program Files2\totalcmd\TOTALCMD.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~2\FlashGet\flashget.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\VLADA\Desktop\New Folder\TR3.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.sezampro.rs/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~2\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: IeCatch2 Class - {A5366673-E8CA-11D3-9CD9-0090271D075B} - C:\PROGRA~2\FlashGet\jccatch.dll
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~2\FlashGet\fgiebar.dll
O3 - Toolbar: IE Custom Tools - {F2BADA0D-FD61-45EF-A994-64A073FD6613} - (no file)
O4 - HKLM\..\Run: [ASUS Probe] C:\Program Files\ASUS\Probe\AsusProb.exe
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files2\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [AWMON] "C:\PROGRA~2\Lavasoft\AD-AWA~1\Ad-Watch.exe"
O4 - HKLM\..\Run: [smapp] C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\CyberLink\PowerCinema\PCMService.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [DU Meter] D:\Install\~ INSTALACIJA NOVOG WIN XP\A INSTALIRAO SAM NA NOV WIN\DU Meter\DUMeter.exe
O4 - HKLM\..\Run: [TIxDSL] C:\PROGRA~1\TIADSL~1\bin\win2k\tidslmon.exe -b
O4 - HKLM\..\Run: [VirusProtect 3.9] "C:\Program Files\VirusProtect 3.9\VirusProtect 3.9.exe" /h
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [ToughTrucks_Setup.exe] D:\DOWNLO~1\TOUGHT~1.EXE /r
O4 - HKCU\..\Run: [Wheel_of_Fortune_2_Setup.exe] D:\DOWNLO~1\WHEEL_~1.EXE /r
O4 - Startup: KEMailKb.lnk = C:\Program Files2\KEMailKb\KEMailKb.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: Download All by FlashGet - C:\PROGRA~2\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - C:\PROGRA~2\FlashGet\jc_link.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: (no name) - {9034A523-D068-4BE8-A284-9DF278BE776E} - http://www.securesoftwarefeed.com/redirect.php (file missing)
O9 - Extra 'Tools' menuitem: IE Anti-Spyware - {9034A523-D068-4BE8-A284-9DF278BE776E} - http://www.securesoftwarefeed.com/redirect.php (file missing)
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~2\FlashGet\flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~2\FlashGet\flashget.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {33331111-1111-1111-1111-615111193427} -
O17 - HKLM\System\CCS\Services\Tcpip\..\{5400568D-292A-4311-9707-8F9FFCCF1DB8}: NameServer = 77.105.0.18 77.105.0.19
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: ATK Keyboard Service (ATKKeyboardService) - ASUSTeK COMPUTER INC. - C:\WINDOWS\ATKKBService.exe
O23 - Service: CyberLink Background Capture Service (CBCS) (CLCapSvc) - Unknown owner - C:\Program Files\CyberLink\PowerCinema\Kernel\TV\CLCapSvc.exe
O23 - Service: CyberLink Task Scheduler (CTS) (CLSched) - Unknown owner - C:\Program Files\CyberLink\PowerCinema\Kernel\TV\CLSched.exe
O23 - Service: CyberLink Media Library Service - Cyberlink - C:\Program Files\CyberLink\PowerCinema\Kernel\CLML_NTService\CLMLServer.exe
O23 - Service: HF30Service - Unknown owner - C:\Program Files2\Pilot Group LLC\Hide Folder 3.0\HF30Service.exe
O23 - Service: Kerio Personal Firewall 4 (KPF4) - Kerio Technologies - C:\Program Files2\Kerio\Personal Firewall 4\kpf4ss.exe
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: NetLimiter (nlsvc) - Locktime Software - C:\Program Files2\NetLimiter 2 Pro\nlsvc.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: RCService - Unknown owner - C:\Program Files\gigabyte\RCService\RCService.exe
O23 - Service: SmartLinkService (SLService) - Smart Link - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

offline
  • DEMIAN  Male
  • Legendarni građanin
  • IT Manager
  • Pridružio: 25 Mar 2005
  • Poruke: 3706
  • Gde živiš: The darkest place on earth..

Ima nekih ostataka. Moguće da su u pitanju zaostali reg ključevi koje AV/AS sofver nije u potpunosti očistio.

Prvo:

Skeniraj HJT-om i štikliraj polja ispred sledećih linija:

O9 - Extra button: (no name) - {9034A523-D068-4BE8-A284-9DF278BE776E} - http://www.securesoftwarefeed.com/redirect.php (file missing)
O9 - Extra 'Tools' menuitem: IE Anti-Spyware - {9034A523-D068-4BE8-A284-9DF278BE776E} - http://www.securesoftwarefeed.com/redirect.php (file missing)
O16 - DPF: {33331111-1111-1111-1111-615111193427} -


Klikni Fix Checked.

----------------------

Zatim isprati ovo uputstvo detaljno:

1) Preuzmi program SmitfraudFix sa ovog linka.

2.) Extract-uj program na desktop. (Takodje na ovaj način pripremi i program Hijack This koje će se kasnije koristiti)

3.) Restartuj računar i podigni sistem u Safe Mode-u. [ Safe Mode info link ]

4.) Pronadji na desktop-u folder gde si raspakovao SmitfraudFix program i dvoklikom pokreni fajl SmitfraudFix.cmd.
Kada se alat za uklanjanje prvi put startuje pokazaće ti se ekran za odobrenje. Jednostavno pritisni bilo koje dugme na tastaturi da bi prešao na sledeći nivo.

5.)



6.) Program će početi sa čišćenjem kompjutera. Posle završenog čišćenja SmitfraudFix-om
pokrenuće ti se Windows-ov program Disk Cleanup.



Nakon sto SmitFraudFix zavrsi svoj posao, postavi nam ovde log koji se nalazi na C:\rapport.txt i svez HJT log.

offline
  • Pridružio: 01 Dec 2007
  • Poruke: 307

Samo mi nije jasno sta ti znaci svez HJT log, da li mislis da ponovo skeniram sa TR3 i da te nove podatke pastujem na sajt?

Dopuna: 23 Dec 2007 23:08

Jos nesto nakon sto SmitFraudFix zavrsi svoj posao, restartujem racunar i onda postavim log koji se nalazi na C:\rapport.txt i svez HJT log.

offline
  • DEMIAN  Male
  • Legendarni građanin
  • IT Manager
  • Pridružio: 25 Mar 2005
  • Poruke: 3706
  • Gde živiš: The darkest place on earth..

v-djuric ::Samo mi nije jasno sta ti znaci svez HJT log, da li mislis da ponovo skeniram sa TR3 i da te nove podatke pastujem na sajt?
Svež log znači novo skeniranje HijackThis-om da bih video promene u odnosu na staro.

v-djuric ::Jos nesto nakon sto SmitFraudFix zavrsi svoj posao, restartujem racunar i onda postavim log koji se nalazi na C:\rapport.txt i svez HJT log.
Baš tako.

offline
  • Pridružio: 01 Dec 2007
  • Poruke: 307

Logfile of HijackThis v1.99.1
Scan saved at 23:50:19, on 23.12.2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0013)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ATKKBService.exe
C:\Program Files\CyberLink\PowerCinema\Kernel\TV\CLCapSvc.exe
C:\Program Files\CyberLink\PowerCinema\Kernel\CLML_NTService\CLMLServer.exe
C:\Program Files2\Pilot Group LLC\Hide Folder 3.0\HF30Service.exe
C:\Program Files2\Kerio\Personal Firewall 4\kpf4ss.exe
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\Program Files\ASUS\Probe\AsusProb.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Eset\nod32kui.exe
C:\Program Files2\Kerio\Personal Firewall 4\kpf4gui.exe
C:\Program Files2\D-Tools\daemon.exe
C:\Program Files2\NetLimiter 2 Pro\nlsvc.exe
C:\PROGRA~2\Lavasoft\AD-AWA~1\Ad-Watch.exe
C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
C:\Program Files\CyberLink\PowerCinema\PCMService.exe
C:\Program Files\Eset\nod32krn.exe
C:\Program Files\gigabyte\RCService\RCService.exe
D:\Install\~ INSTALACIJA NOVOG WIN XP\A INSTALIRAO SAM NA NOV WIN\DU Meter\DUMeter.exe
C:\PROGRA~1\TIADSL~1\bin\win2k\tidslmon.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe
C:\Program Files\CyberLink\PowerCinema\Kernel\TV\CLSched.exe
C:\Program Files2\NetLimiter 2 Pro\NLClient.exe
C:\Program Files2\KEMailKb\KEMailKb.EXE
C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe
C:\Program Files2\Kerio\Personal Firewall 4\kpf4gui.exe
C:\Program Files2\totalcmd\TOTALCMD.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\VLADA\Desktop\New Folder\TR3.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.sezampro.rs/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~2\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: IeCatch2 Class - {A5366673-E8CA-11D3-9CD9-0090271D075B} - C:\PROGRA~2\FlashGet\jccatch.dll
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~2\FlashGet\fgiebar.dll
O4 - HKLM\..\Run: [ASUS Probe] C:\Program Files\ASUS\Probe\AsusProb.exe
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files2\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [AWMON] "C:\PROGRA~2\Lavasoft\AD-AWA~1\Ad-Watch.exe"
O4 - HKLM\..\Run: [smapp] C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\CyberLink\PowerCinema\PCMService.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [DU Meter] D:\Install\~ INSTALACIJA NOVOG WIN XP\A INSTALIRAO SAM NA NOV WIN\DU Meter\DUMeter.exe
O4 - HKLM\..\Run: [TIxDSL] C:\PROGRA~1\TIADSL~1\bin\win2k\tidslmon.exe -b
O4 - HKLM\..\Run: [VirusProtect 3.9] "C:\Program Files\VirusProtect 3.9\VirusProtect 3.9.exe" /h
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [ToughTrucks_Setup.exe] D:\DOWNLO~1\TOUGHT~1.EXE /r
O4 - HKCU\..\Run: [Wheel_of_Fortune_2_Setup.exe] D:\DOWNLO~1\WHEEL_~1.EXE /r
O4 - Startup: KEMailKb.lnk = C:\Program Files2\KEMailKb\KEMailKb.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: Download All by FlashGet - C:\PROGRA~2\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - C:\PROGRA~2\FlashGet\jc_link.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~2\FlashGet\flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~2\FlashGet\flashget.exe
O11 - Options group: [INTERNATIONAL] International*
O17 - HKLM\System\CCS\Services\Tcpip\..\{5400568D-292A-4311-9707-8F9FFCCF1DB8}: NameServer = 77.105.0.19 77.105.0.18
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: ATK Keyboard Service (ATKKeyboardService) - ASUSTeK COMPUTER INC. - C:\WINDOWS\ATKKBService.exe
O23 - Service: CyberLink Background Capture Service (CBCS) (CLCapSvc) - Unknown owner - C:\Program Files\CyberLink\PowerCinema\Kernel\TV\CLCapSvc.exe
O23 - Service: CyberLink Task Scheduler (CTS) (CLSched) - Unknown owner - C:\Program Files\CyberLink\PowerCinema\Kernel\TV\CLSched.exe
O23 - Service: CyberLink Media Library Service - Cyberlink - C:\Program Files\CyberLink\PowerCinema\Kernel\CLML_NTService\CLMLServer.exe
O23 - Service: HF30Service - Unknown owner - C:\Program Files2\Pilot Group LLC\Hide Folder 3.0\HF30Service.exe
O23 - Service: Kerio Personal Firewall 4 (KPF4) - Kerio Technologies - C:\Program Files2\Kerio\Personal Firewall 4\kpf4ss.exe
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: NetLimiter (nlsvc) - Locktime Software - C:\Program Files2\NetLimiter 2 Pro\nlsvc.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: RCService - Unknown owner - C:\Program Files\gigabyte\RCService\RCService.exe
O23 - Service: SmartLinkService (SLService) - Smart Link - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe



SmitFraudFix v2.274

Scan done at 23:14:37,87, ФЁ¦ 23.12.2007
Run from C:\Documents and Settings\VLADA\Desktop\New Folder (2)\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in safe mode

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{3e0cee63-f8bc-4485-a745-cc01b2a0e9d9}"="duhr"

[HKEY_CLASSES_ROOT\CLSID\{3e0cee63-f8bc-4485-a745-cc01b2a0e9d9}\InProcServer32]
@="C:\WINDOWS\system32\bdzzzcl.dll"

[HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{3e0cee63-f8bc-4485-a745-cc01b2a0e9d9}\InProcServer32]
@="C:\WINDOWS\system32\bdzzzcl.dll"


»»»»»»»»»»»»»»»»»»»»»»»» Killing process


»»»»»»»»»»»»»»»»»»»»»»»» hosts


127.0.0.1 localhost

»»»»»»»»»»»»»»»»»»»»»»»» Winsock2 Fix

S!Ri's WS2Fix: LSP not Found.


»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

GenericRenosFix by S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files

C:\Documents and Settings\VLADA\Application Data\Microsoft\Internet Explorer\Quick Launch\VirusProtect 3.9.lnk Deleted

»»»»»»»»»»»»»»»»»»»»»»»» IEDFix

IEDFix.exe by S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» DNS



»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""


»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

Registry Cleaning done.

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{3e0cee63-f8bc-4485-a745-cc01b2a0e9d9}"="duhr"

[HKEY_CLASSES_ROOT\CLSID\{3e0cee63-f8bc-4485-a745-cc01b2a0e9d9}\InProcServer32]
@="C:\WINDOWS\system32\bdzzzcl.dll"

[HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{3e0cee63-f8bc-4485-a745-cc01b2a0e9d9}\InProcServer32]
@="C:\WINDOWS\system32\bdzzzcl.dll"



»»»»»»»»»»»»»»»»»»»»»»»» End


Ja mislim da je to to sto si trazio.

Imam jos jedno pitanje, s tim sto sam bio ili sam jos uvek zarazen to ces videti, da li oni skidaju odredjene ekstenzije sa kompa npr. exe,jpg... ili mogu sa svog da ulaze u moj i da biraju sta hoce da ukradu.

Sto se tice kradje broja i sifre kreditne kartice, da li to kradu kad nesto placas preko interneta i ostavljas svoje podatke ili i ako u npr word doc. imas ispisane neke sifre itd.

Pozdrav i hvala puno na brzim odgovorima.

Dopuna: 24 Dec 2007 0:07

Primetio sam da ovo jos stoji u novom skeniranju mada ga u PF nema, taj sam i skinuo da me kao spase Sad

O4 - HKLM\..\Run: [VirusProtect 3.9] "C:\Program Files\VirusProtect 3.9\VirusProtect 3.9.exe" /h

Dopuna: 24 Dec 2007 0:14

Jos nesto sam zaboravio, kad sam sve zavrsio u safe modu i kad sam restartovao racunar, Ad-Aware SE Professional mi je prijavio 14 registry modification detected, onako za svaku posebno mi je iskocio prozor i pita da li da prihvati ili ne, ja sam ih sve zabranio.
Jel sam dobro uradio ili ne?

offline
  • DEMIAN  Male
  • Legendarni građanin
  • IT Manager
  • Pridružio: 25 Mar 2005
  • Poruke: 3706
  • Gde živiš: The darkest place on earth..

Reci mi šta ti je ovo i zašto se startuje sa druge particije iz download foldera ?
O4 - HKCU\..\Run: [ToughTrucks_Setup.exe] D:\DOWNLO~1\TOUGHT~1.EXE /r
O4 - HKCU\..\Run: [Wheel_of_Fortune_2_Setup.exe] D:\DOWNLO~1\WHEEL_~1.EXE /r

---------------------

Prevideo sam ovaj AdWatch. Zato ćeš ga sada isključiti. Uputstvo ti je ispod.

AdWatch


Pokrenite AdAware SE.
Kliknite na AdWatch.
Kliknite na Tools and Preferences.
Destiklirajte Active i Automatic.

Nemojte zaboraviti da ponovo ukljucite ove opcije kada zavrsimo ciscenje.
------------------------------

Šta da ti kažem.. Ponovi postupak koji sam ti napisao. Pregledaću kasnije i napisati ti šta eventualno treba dalje.

offline
  • Pridružio: 01 Dec 2007
  • Poruke: 307

DeM14n ::Reci mi šta ti je ovo i zašto se startuje sa druge particije iz download foldera ?
O4 - HKCU\..\Run: [ToughTrucks_Setup.exe] D:\DOWNLO~1\TOUGHT~1.EXE /r
O4 - HKCU\..\Run: [Wheel_of_Fortune_2_Setup.exe] D:\DOWNLO~1\WHEEL_~1.EXE /r


Na D particiji mi se nalazi folder gde ide ono sto skidam sa neta, ja sam ga nazvao download, a ta dva exe instalaciona fajla su dve demo igrice koje sam skinuo sa zvanicnih sajtova za te igrice.

Iskljucio sam ad-aware da li treba u safe modu da ga posebno iskljucujem.

Kad kazes da ponovim postupak mislis na sve iz pocetka i Logfile of HijackThis v1.99.1 i SmitFraudFix v2.274.

Kad sam kod SmitFraudFix v2.274 na kraju pita da ocisti registre prvi put sam rekao da, da li tako treba.

I jos jedna stvar kad radim skeniranja, nista od programa nesme da je aktivno, ne racunam safe mode, npr skidanje sa neta, winamp itd?

Dopuna: 24 Dec 2007 1:28

Kazi mi jos nesto, citao sam ove teme i u objasnjenjima je bilo da se nod treba iskljuciti kad se skenira SmitFraudFix v2.274 i da se posle skeniranja HijackThis v1.99.1 i cekiranja nekih fajlova radi uklanjanja, pre restarta system restore gasi, pa me interesuje posto verovatno ponovo treba sve da radim, koristim nod32, kerio, ad-aware, da li sve da ih ugasim i uradim nova skeniranja i da li da iskljucim system restore?

Dopuna: 24 Dec 2007 2:00

Jos sam nesto procitao da bi spybot trebalo iskljuciti kada se rade skeniranja?

offline
  • DEMIAN  Male
  • Legendarni građanin
  • IT Manager
  • Pridružio: 25 Mar 2005
  • Poruke: 3706
  • Gde živiš: The darkest place on earth..

Da ne komplikujemo bespotrebno, ok ?

Poenta je da iskoristiš taj alat SmitFtraudFix kako bi obrisao ostatke koje ti softver kojim si ranije čistio pc nije obrisao. Bitna stvar je da ne dozvoliš AdWatch-u da ti vrati te registry ključeve po ponovonom startu sistema je si onda džaba čistio. Napisao sam ti kako to da uradiš.

Što se uputstva koje si čitao tiče ne moraš sve da pratiš bukvalno. AV, FW i ostale programe isključuješ ako prave problem pri skidanju ovog programa ili onemogućavaju SmitFraudFix da završi posao. Sistem restore se na ovom forumu ne dira dok se ne završi čišćenje jer je to nekad jedina opcija ako nešto krene po zlu pa trebaš da vratiš sistem na ranije stanje. Sistem restore se briše na kraju kako bi se izbrisale kopije malware-a koje se nalaze u System Volume Information folderu.

offline
  • Pridružio: 01 Dec 2007
  • Poruke: 307

Evo uradim sam kako si rekao, ugasio sam adwatch i skenirao prvi put

Logfile of HijackThis v1.99.1
Scan saved at 13:54:26, on 24.12.2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0013)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\ATKKBService.exe
C:\Program Files\CyberLink\PowerCinema\Kernel\TV\CLCapSvc.exe
C:\Program Files\CyberLink\PowerCinema\Kernel\CLML_NTService\CLMLServer.exe
C:\Program Files2\D-Tools\daemon.exe
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\CyberLink\PowerCinema\PCMService.exe
C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
C:\PROGRA~1\TIADSL~1\bin\win2k\tidslmon.exe
C:\Program Files\ASUS\Probe\AsusProb.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\PROGRA~2\Lavasoft\AD-AWA~1\Ad-Watch.exe
C:\Program Files2\DU Meter\DUMeter.exe
C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe
C:\Program Files2\Pilot Group LLC\Hide Folder 3.0\HF30Service.exe
C:\Program Files2\Kerio\Personal Firewall 4\kpf4ss.exe
C:\Program Files2\KEMailKb\KEMailKb.EXE
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\Program Files2\Kerio\Personal Firewall 4\kpf4gui.exe
C:\Program Files2\NetLimiter 2 Pro\nlsvc.exe
C:\Program Files\Eset\nod32krn.exe
C:\Program Files\gigabyte\RCService\RCService.exe
C:\WINDOWS\system32\slserv.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\CyberLink\PowerCinema\Kernel\TV\CLSched.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
C:\Program Files2\NetLimiter 2 Pro\NLClient.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe
C:\Program Files2\Kerio\Personal Firewall 4\kpf4gui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\uTorrent\uTorrent.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\VLADA\Desktop\New Folder\TR3.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.sezampro.rs/
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~2\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: IeCatch2 Class - {A5366673-E8CA-11D3-9CD9-0090271D075B} - C:\PROGRA~2\FlashGet\jccatch.dll
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~2\FlashGet\fgiebar.dll
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files2\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\CyberLink\PowerCinema\PCMService.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [smapp] C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
O4 - HKLM\..\Run: [TIxDSL] C:\PROGRA~1\TIADSL~1\bin\win2k\tidslmon.exe -b
O4 - HKLM\..\Run: [ASUS Probe] C:\Program Files\ASUS\Probe\AsusProb.exe
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [AWMON] "C:\PROGRA~2\Lavasoft\AD-AWA~1\Ad-Watch.exe"
O4 - HKLM\..\Run: [DU Meter] C:\Program Files2\DU Meter\DUMeter.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: KEMailKb.lnk = C:\Program Files2\KEMailKb\KEMailKb.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: Download All by FlashGet - C:\PROGRA~2\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - C:\PROGRA~2\FlashGet\jc_link.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~2\FlashGet\flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~2\FlashGet\flashget.exe
O11 - Options group: [INTERNATIONAL] International*
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: ATK Keyboard Service (ATKKeyboardService) - ASUSTeK COMPUTER INC. - C:\WINDOWS\ATKKBService.exe
O23 - Service: CyberLink Background Capture Service (CBCS) (CLCapSvc) - Unknown owner - C:\Program Files\CyberLink\PowerCinema\Kernel\TV\CLCapSvc.exe
O23 - Service: CyberLink Task Scheduler (CTS) (CLSched) - Unknown owner - C:\Program Files\CyberLink\PowerCinema\Kernel\TV\CLSched.exe
O23 - Service: CyberLink Media Library Service - Cyberlink - C:\Program Files\CyberLink\PowerCinema\Kernel\CLML_NTService\CLMLServer.exe
O23 - Service: HF30Service - Unknown owner - C:\Program Files2\Pilot Group LLC\Hide Folder 3.0\HF30Service.exe
O23 - Service: Kerio Personal Firewall 4 (KPF4) - Kerio Technologies - C:\Program Files2\Kerio\Personal Firewall 4\kpf4ss.exe
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: NetLimiter (nlsvc) - Locktime Software - C:\Program Files2\NetLimiter 2 Pro\nlsvc.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: RCService - Unknown owner - C:\Program Files\gigabyte\RCService\RCService.exe
O23 - Service: SmartLinkService (SLService) - Smart Link - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe





Onda iz safe moda,





SmitFraudFix v2.274

Scan done at 13:59:48,48, ШЦФ 24.12.2007
Run from C:\Documents and Settings\VLADA\Desktop\New Folder (2)\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in safe mode

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{3e0cee63-f8bc-4485-a745-cc01b2a0e9d9}"="duhr"

[HKEY_CLASSES_ROOT\CLSID\{3e0cee63-f8bc-4485-a745-cc01b2a0e9d9}\InProcServer32]
@="C:\WINDOWS\system32\bdzzzcl.dll"

[HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{3e0cee63-f8bc-4485-a745-cc01b2a0e9d9}\InProcServer32]
@="C:\WINDOWS\system32\bdzzzcl.dll"


»»»»»»»»»»»»»»»»»»»»»»»» Killing process


»»»»»»»»»»»»»»»»»»»»»»»» hosts


127.0.0.1 localhost

»»»»»»»»»»»»»»»»»»»»»»»» Winsock2 Fix

S!Ri's WS2Fix: LSP not Found.


»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

GenericRenosFix by S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files


»»»»»»»»»»»»»»»»»»»»»»»» IEDFix

IEDFix.exe by S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» DNS



»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""


»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

Registry Cleaning done.

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{3e0cee63-f8bc-4485-a745-cc01b2a0e9d9}"="duhr"

[HKEY_CLASSES_ROOT\CLSID\{3e0cee63-f8bc-4485-a745-cc01b2a0e9d9}\InProcServer32]
@="C:\WINDOWS\system32\bdzzzcl.dll"

[HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{3e0cee63-f8bc-4485-a745-cc01b2a0e9d9}\InProcServer32]
@="C:\WINDOWS\system32\bdzzzcl.dll"



»»»»»»»»»»»»»»»»»»»»»»»» End




Restart i nakon paljenja, adwatch se sam ukljucio i izbacio sledecih 6 prozora koje sam blokirao.
















Posle toga sam opet iskljucio adwatch i uradi kontrolno skeniranje



Logfile of HijackThis v1.99.1
Scan saved at 14:11:15, on 24.12.2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0013)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\ATKKBService.exe
C:\Program Files\CyberLink\PowerCinema\Kernel\TV\CLCapSvc.exe
C:\Program Files\CyberLink\PowerCinema\Kernel\CLML_NTService\CLMLServer.exe
C:\Program Files2\D-Tools\daemon.exe
C:\Program Files2\Pilot Group LLC\Hide Folder 3.0\HF30Service.exe
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\CyberLink\PowerCinema\PCMService.exe
C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
C:\PROGRA~1\TIADSL~1\bin\win2k\tidslmon.exe
C:\Program Files2\Kerio\Personal Firewall 4\kpf4ss.exe
C:\Program Files\ASUS\Probe\AsusProb.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\PROGRA~2\Lavasoft\AD-AWA~1\Ad-Watch.exe
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\Program Files2\DU Meter\DUMeter.exe
C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe
C:\Program Files2\Kerio\Personal Firewall 4\kpf4gui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files2\NetLimiter 2 Pro\nlsvc.exe
C:\Program Files\Eset\nod32krn.exe
C:\Program Files\gigabyte\RCService\RCService.exe
C:\Program Files2\KEMailKb\KEMailKb.EXE
C:\WINDOWS\system32\slserv.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\CyberLink\PowerCinema\Kernel\TV\CLSched.exe
C:\Program Files2\NetLimiter 2 Pro\NLClient.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
C:\Program Files2\Kerio\Personal Firewall 4\kpf4gui.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe
C:\Documents and Settings\VLADA\Desktop\New Folder\TR3.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.sezampro.rs/
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~2\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: IeCatch2 Class - {A5366673-E8CA-11D3-9CD9-0090271D075B} - C:\PROGRA~2\FlashGet\jccatch.dll
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~2\FlashGet\fgiebar.dll
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files2\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\CyberLink\PowerCinema\PCMService.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [smapp] C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
O4 - HKLM\..\Run: [TIxDSL] C:\PROGRA~1\TIADSL~1\bin\win2k\tidslmon.exe -b
O4 - HKLM\..\Run: [ASUS Probe] C:\Program Files\ASUS\Probe\AsusProb.exe
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [AWMON] "C:\PROGRA~2\Lavasoft\AD-AWA~1\Ad-Watch.exe"
O4 - HKLM\..\Run: [DU Meter] D:\Install\~ INSTALACIJA NOVOG WIN XP\A INSTALIRAO SAM NA NOV WIN\DU Meter\DUMeter.exe
O4 - HKLM\..\Run: [VirusProtect 3.9] "C:\Program Files\VirusProtect 3.9\VirusProtect 3.9.exe" /h
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: KEMailKb.lnk = C:\Program Files2\KEMailKb\KEMailKb.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: Download All by FlashGet - C:\PROGRA~2\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - C:\PROGRA~2\FlashGet\jc_link.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~2\FlashGet\flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~2\FlashGet\flashget.exe
O11 - Options group: [INTERNATIONAL] International*
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: ATK Keyboard Service (ATKKeyboardService) - ASUSTeK COMPUTER INC. - C:\WINDOWS\ATKKBService.exe
O23 - Service: CyberLink Background Capture Service (CBCS) (CLCapSvc) - Unknown owner - C:\Program Files\CyberLink\PowerCinema\Kernel\TV\CLCapSvc.exe
O23 - Service: CyberLink Task Scheduler (CTS) (CLSched) - Unknown owner - C:\Program Files\CyberLink\PowerCinema\Kernel\TV\CLSched.exe
O23 - Service: CyberLink Media Library Service - Cyberlink - C:\Program Files\CyberLink\PowerCinema\Kernel\CLML_NTService\CLMLServer.exe
O23 - Service: HF30Service - Unknown owner - C:\Program Files2\Pilot Group LLC\Hide Folder 3.0\HF30Service.exe
O23 - Service: Kerio Personal Firewall 4 (KPF4) - Kerio Technologies - C:\Program Files2\Kerio\Personal Firewall 4\kpf4ss.exe
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: NetLimiter (nlsvc) - Locktime Software - C:\Program Files2\NetLimiter 2 Pro\nlsvc.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: RCService - Unknown owner - C:\Program Files\gigabyte\RCService\RCService.exe
O23 - Service: SmartLinkService (SLService) - Smart Link - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe


Eto toliko. Pozdrav

offline
  • DEMIAN  Male
  • Legendarni građanin
  • IT Manager
  • Pridružio: 25 Mar 2005
  • Poruke: 3706
  • Gde živiš: The darkest place on earth..

Pokreni HJT, štikliraj i obriši ovaj unos:
O4 - HKLM\..\Run: [VirusProtect 3.9] "C:\Program Files\VirusProtect 3.9\VirusProtect 3.9.exe" /h

U slučaju da ti se ponovo pojavi ovakav identičan prozor
v-djuric ::
izaberi opciju Accept.

Uključi prikaz skrivenih fajlova i proveri da li u Program Files ima zaostalog foldera koji se zove VirusProtect 3.9. Ako se nalazi tamo briši ga kompletno.

Kada to završiš ostaje ti da isključiš system restore > restartuješ pc > pa zatim uključiš system restore i ako želiš (preporuka) napraviš novu tačku za oporavak sistema.

Uputstvo kao se isključuje i uključuje system restore ti je ispod.
http://www.mycity.rs/Uputstva-sa-ex-SuperSajta/Kak.....WinXP.html

Ko je trenutno na forumu
 

Ukupno su 858 korisnika na forumu :: 21 registrovanih, 4 sakrivenih i 833 gosta   ::   [ Administrator ] [ Supermoderator ] [ Moderator ] :: Detaljnije

Najviše korisnika na forumu ikad bilo je 3466 - dana 01 Jun 2021 17:07

Korisnici koji su trenutno na forumu:
Korisnici trenutno na forumu: A.R.Chafee.Jr., Aleksandar Tomić, Apok, Bane san, bozo13, Bubimir, croato, Dorcolac, FileFinder, ivan1973, jackreacher011011, ladro, ljuba, operniki, sevenino, stegonosa, Trpe Grozni, Vatreni Zmaj, W123, Zimbabwe, 79693