Adware-Caishow problem


  • Joined: 21 Jan 2007
  • Posts: 30
  • Location: Sabac

When scanning the computer with Spyware Doctor (trial version), 10 Caishow infections were found. What is this about, and how do I remove this adware? Scanning with Ad-Aware and Spybot-S&D shows that everything is clean...

  • Joined: 04 Sep 2003
  • Posts: 24135
  • Location: Wien

Topic moved to Ambulanta.

@cortan
Read the topics marked Important in this part of the forum (Ambulanta) and post your HijackThis log here.

  • Joined: 21 Jan 2007
  • Posts: 30
  • Location: Sabac

Done:

Logfile of HijackThis v1.99.1
Scan saved at 23:51:12, on 21.1.2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\NVIDIA\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
C:\WINDOWS\System32\GEARSec.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\NVIDIA\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
C:\Program Files\NetLimiter 2 Monitor\nlsvc.exe
C:\Program Files\Eset\nod32krn.exe
C:\Program Files\Symantec\Norton Ghost\Agent\PQV2iSvc.exe
C:\NVIDIA\NetworkAccessManager\bin\nSvcIp.exe
C:\NVIDIA\NetworkAccessManager\bin\nSvcLog.exe
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Eset\nod32kui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\HDD Thermometer\HDD Thermometer.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\Program Files\NetLimiter 2 Monitor\NLClient.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\SlimBrowser\sbrowser.exe
C:\totalcmd\TOTALCMD.EXE
D:\Download\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = google.icq.com/search/search_frame.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = google.icq.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - URLSearchHook: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\Program Files\ICQToolbar\toolbaru.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~2\tools\iesdsg.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~2\tools\iesdpb.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\Program Files\ICQToolbar\toolbaru.dll
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [RSD_HDDThermo] C:\Program Files\HDD Thermometer\HDD Thermometer.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: ATI CATALYST System Tray.lnk = C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &ICQ Toolbar Search - res://C:\Program Files\ICQToolbar\toolbaru.dll/SEARCH.HTML
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~2\tools\iesdpb.dll
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - update.microsoft.com/windowsupdate/v6/V5Con.....1249083948
O16 - DPF: {E55FD215-A32E-43FE-A777-A7E8F165F551} (Flatcast Viewer 4.15) - flatcast.com/de/download/NpFv415.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{FF66E647-B167-4813-80FF-DF47DE2B99F6}: NameServer = 10.5.0.100
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Forceware Web Interface (ForcewareWebInterface) - Unknown owner - C:\NVIDIA\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe" -k runservice (file missing)
O23 - Service: GEARSecurity - GEAR Software - C:\WINDOWS\System32\GEARSec.exe
O23 - Service: NetLimiter (nlsvc) - Locktime Software - C:\Program Files\NetLimiter 2 Monitor\nlsvc.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: Norton Ghost - Symantec Corporation - C:\Program Files\Symantec\Norton Ghost\Agent\PQV2iSvc.exe
O23 - Service: ForceWare IP service (nSvcIp) - Unknown owner - C:\NVIDIA\NetworkAccessManager\bin\nSvcIp.exe
O23 - Service: ForceWare user log service (nSvcLog) - Unknown owner - C:\NVIDIA\NetworkAccessManager\bin\nSvcLog.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe

  • Joined: 04 Sep 2003
  • Posts: 24135
  • Location: Wien

The log is clean.
Are you sure Spyware Doctor failed to remove the infection?

  • Joined: 21 Jan 2007
  • Posts: 30
  • Location: Sabac

I'm using the free version of Spyware Doctor and don't have the option to delete, only to scan. The program was installed 6 months ago and I only do regular updates on my end, and this adware appeared about 15 days ago. Otherwise Spyware Doctor has always served me for thorough scanning and checking, just so I can see that I haven't picked something up...

  • Joined: 04 Sep 2003
  • Posts: 24135
  • Location: Wien

Is there at least a way to see the log file, so we can find out in which files it found this?

If not, then I'll have to direct you to download Ewido (6.2 MB download, 30-day trial): http://www.ewido.net/en/

  • Joined: 21 Jan 2007
  • Posts: 30
  • Location: Sabac

Location Risk
Caishow HKCR\CLSID\{3C78B8E2-6C4D-11D1-ADE2-0000F8754B99} Elevated
Caishow HKCR\CLSID\{3C78B8E2-6C4D-11D1-ADE2-0000F8754B99}## Elevated
Caishow HKCR\CLSID\{3C78B8E2-6C4D-11D1-ADE2-0000F8754B99}\InprocServer32 Elevated
Caishow HKCR\CLSID\{3C78B8E2-6C4D-11D1-ADE2-0000F8754B99}\InprocServer32## Elevated
Caishow HKCR\CLSID\{3C78B8E2-6C4D-11D1-ADE2-0000F8754B99}\InprocServer32##ThreadingModel Elevated
Caishow HKLM\Software\Classes\CLSID\{3C78B8E2-6C4D-11D1-ADE2-0000F8754B99} Elevated
Caishow HKLM\Software\Classes\CLSID\{3C78B8E2-6C4D-11D1-ADE2-0000F8754B99}## Elevated
Caishow HKLM\Software\Classes\CLSID\{3C78B8E2-6C4D-11D1-ADE2-0000F8754B99}\InprocServer32 Elevated
Caishow HKLM\Software\Classes\CLSID\{3C78B8E2-6C4D-11D1-ADE2-0000F8754B99}\InprocServer32## Elevated
Caishow HKLM\Software\Classes\CLSID\{3C78B8E2-6C4D-11D1-ADE2-0000F8754B99}\InprocServer32##ThreadingModel Elevated

If anything can be seen from this...

  • Joined: 04 Sep 2003
  • Posts: 24135
  • Location: Wien

I asked around a bit, and got the explanation that this is a false alarm from the free version of Spyware Doctor.

What you posted are keys in the registry.
Since it didn't point to a single file, I can say with 99% certainty that it's a false alarm.
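As an added example (not code from this thread, from Spyware Doctor or from HijackThis), the reasoning above can be applied mechanically to the two reports posted in the thread: parse the Spyware Doctor lines, pull out the CLSIDs, record whether any location is a file on disk, and check whether HijackThis lists any BHO (O2) or toolbar (O3) with that CLSID actually loaded from a DLL. The sample lines are constructed from the posts above and the verdict strings are my own.

```python
import re

# Constructed sample input: two of the Spyware Doctor report lines quoted in the thread
SD_REPORT = r"""
Caishow HKCR\CLSID\{3C78B8E2-6C4D-11D1-ADE2-0000F8754B99} Elevated
Caishow HKLM\Software\Classes\CLSID\{3C78B8E2-6C4D-11D1-ADE2-0000F8754B99}\InprocServer32##ThreadingModel Elevated
"""
# Constructed sample input: two O2/O3 lines from the HijackThis log posted above
HJT_LOG = r"""
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\Program Files\ICQToolbar\toolbaru.dll
"""
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
HIVE_RE = re.compile(r"^(HKCR|HKLM|HKCU|HKU)\\")  # location is a registry key
FILE_RE = re.compile(r"^[A-Za-z]:\\")             # location is a file on disk

def parse_report(text):
    """Group report lines by detection name into registry CLSIDs and file paths."""
    findings = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3:  # skips blank lines and the 'Location Risk' header
            continue
        name, location = parts[0], " ".join(parts[1:-1])  # last token is the risk level
        entry = findings.setdefault(name, {"registry": set(), "files": set()})
        if HIVE_RE.match(location):
            if m := CLSID_RE.search(location):
                entry["registry"].add(m.group(0).upper())
        elif FILE_RE.match(location):
            entry["files"].add(location)
    return findings

def hjt_loaded_clsids(text):
    """Map CLSID -> DLL path for every BHO (O2) and toolbar (O3) HijackThis lists."""
    loaded = {}
    for line in text.splitlines():
        if line.startswith(("O2 - BHO:", "O3 - Toolbar:")):
            if m := CLSID_RE.search(line):
                loaded[m.group(0).upper()] = line.rsplit(" - ", 1)[-1].strip()
    return loaded

def assess(report, hjt):
    """Per detection name: is a file on disk or a DLL loaded in IE backing it?"""
    loaded = hjt_loaded_clsids(hjt)
    verdicts = {}
    for name, f in parse_report(report).items():
        backed = bool(f["files"]) or any(c in loaded for c in f["registry"])
        verdicts[name] = ("file-backed: inspect the DLL before trusting either tool" if backed
                          else "registry keys only, no file, not loaded in IE: likely false positive")
    return verdicts
```

A registry-only verdict is a reason to check the key's InprocServer32 value by hand, not proof that nothing is wrong; a detection that names a DLL should be examined on disk first.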

  • Joined: 21 Jan 2007
  • Posts: 30
  • Location: Sabac

I took a short break to google a bit, and here is what they say:

Description--- Caishow is a program of Chinese origin that installs a browser helper object (BHO) and toolbar in Internet Explorer.

further:

Level Description--- Moderate risks are often bundled with functionally unrelated software or installed without adequate notice and consent, and may display unwanted advertising on the user's desktop. Such risks may track users' online browsing habits and transmit non-personally identifying data back to a server in order to target advertising. These risks may be configured to start automatically with the operating system, use an auto-updater that the user cannot control, or install other functionally separate programs without adequate notice and consent.
--------------------------------------------------------------------------------------
Bobby, I agree that this is probably a false alarm, but I'm bringing it up again because my browser (SlimBrowser or Opera) is acting strangely, so I don't know whether this belongs in Ambulanta or not, since I wouldn't want to open a new topic. In a few words, what it's about:

With both Opera and IE (or SlimBrowser) I can't open Russian sites to download TV schematics (monitor.net, eserviceinfo, etc.). At first I thought it was their servers, but that's not it. At a colleague's (an electronics technician) nearby everything works OK. We both use wireless internet and are connected to the same AP (with the same IP addresses). The rest of my browsing is OK, only these Russian sites are a problem: they can't be opened (they aren't on my blacklist). Is it possible, coming back to the topic, that this adware is causing the problem, or is it something else?

Update: 26 Jan 2007 13:22

I forgot to mention that I don't use a firewall other than the Windows one that comes with SP2, which is always on and where no incoming or outgoing traffic is blocked.

  • Joined: 04 Sep 2003
  • Posts: 24135
  • Location: Wien

I couldn't try the second site because you didn't leave the full address, and I just tried monitor.net and I can't access it either.
It reports error 403, that I don't have access rights.
I don't have any firewall enabled or installed.

Go ahead and post a fresh HJT log, so we can see what the situation is now.

06 Feb 2007 22:24 bobby Topic locked. Reason: send a PM if the topic needs to be unlocked