Browseri pri startovanju otvaraju neke linkove

• 0Niko još nije pohvalio poruku.
  Registruj se da bi pohvalio/la poruku!

Kao prvo citao sam teme vezane za problem sa homepage, ali ovo ocito nije taj slucaj.
Kod mene, Homepage mogu da menjam i kada kliknem na kucivu (precicu za home page) otvara mi se pravi link.

Ali pri startovanju browsera otvaraju mi se sledece strane....
Da stvar bude gora i da otvorim novu temu je ta sto se to dogadja ne samo kod IE, vec i kod FF-a i kod opere ! ! !

Nod32 kaze da je sve OK.
Ad-aware 6.0 ja nasao nesto malo i to sam poobrisao.

Evo kako izgleda FireFox




dakle homepage nije izmenjen i mogu ga komotno menjati.... pritisnem alt+home otvara mi se google i to je sve normalno. Jedino nije normalno sto se otvaraju ovi linkovi.

Idemo dalje
IE



Isto kao i FF. homepage je slobodan, otvara se, mogu da ga menjam samo se pri startovanju otvara ovaj link

Dalje
Opera


Sve isto kao i FF i kao IE

E sad, od predloga kako ovo srediti mene zanima i sta se ovo desilo
NOD mi prica da sam paranoican, kao i Ad-aware 6.0
Neki pricaju da je FF bezbedan kao i opera a pokazali su se isto kao i daleko pljuvaniji IE.

Meni ovako u globalu deluje da su svi, od WIN pa preko NODa i FF do IE busni kao svajcarski sir

P.S.
Ako mislite da je ovo vise za zastitu prebacite, meni vise deluje kao problem kod browsera narocito ako se uzme da je to globalni problem a ne samo kod IE-a

• 0Niko još nije pohvalio poruku.
  Registruj se da bi pohvalio/la poruku!

Prebacujem temu u Ambulantu

Dopuna: 27 Mar 2007 16:27

Da objasnim zasto sam prebacio u Ambulantu.
Postoji kategorija malwarea koji se zovu DNS changers, i nema veze koji browser da koristis, tvoj browser dobija pogresne adrese pri DNS lockupu.

Imas ovde uputstvo za HJT:
http://www.mycity.rs/Uputstva-sa-ex-SuperSajta/1-H.....tanje.html

Postavi nam log ovde, pa da vidimo sta i kako dalje.

• 0Niko još nije pohvalio poruku.
  Registruj se da bi pohvalio/la poruku!

hajde da krenemo ...



Logfile of HijackThis v1.99.1
Scan saved at 4:33:04 PM, on 3/27/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\MySQL\MySQL Server 5.0\bin\mysqld-nt.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Netropa\Multimedia Keyboard\TrayMon.exe
C:\Program Files\Netropa\Onscreen Display\OSD.exe
C:\Program Files\LimeWire\LimeWire.exe
C:\Program Files\PeerWeb DC++\PeerWeb DC++.exe
C:\Program Files\Java\jre1.5.0_09\bin\jucheck.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\NetLimiter\NetLimiter.exe
C:\Documents and Settings\Pedja\Desktop\New Folder\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy.sbb.rs:8080
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O3 - Toolbar: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [MULTIMEDIA KEYBOARD] C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: WinMySQLadmin.lnk = C:\Program Files\MySql\bin\winmysqladmin.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: RapidShare-Download - res://C:\DOCUME~1\Pedja\LOCALS~1\Temp\ir_ext_temp_0\AutoPlay\Docs\more-rapid.exe/RsMenExt.html
O8 - Extra context menu item: Sothink SWF Catcher - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - Extra 'Tools' menuitem: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: SQL Server (SQLEXPRESS) (MSSQL$SQLEXPRESS) - Unknown owner - c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe" -sSQLEXPRESS (file missing)
O23 - Service: MySql - Unknown owner - C:/Program Files/MySql/bin/mysqld-nt.exe (file missing)
O23 - Service: MySQL5 - Unknown owner - C:\Program.exe (file missing)
O23 - Service: Netropa NHK Server (nhksrv) - Unknown owner - C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: Apache Tomcat (Tomcat5) - Unknown owner - C:\Program Files\Apache Software Foundation\Tomcat 5.5\bin\tomcat5.exe" //RS//Tomcat5 (file missing)

Dopuna: 27 Mar 2007 16:36

P.S. samo da dodam, da sam ranije imao problem (bas ranije pre mozda 3-4 godine) sa IE ali to je bilo sasvim drugo.... nisam mogao da promenim homepage, bilo je onako zasivljena opcija (da tako kazem).
Sada je ovo totalno drugacij, sve mogu, samo sto se ovi linkovi (ne)otvaraju

• 0Niko još nije pohvalio poruku.
  Registruj se da bi pohvalio/la poruku!

Ajde promeni ima EXE fajl iz HijackThis.exe u nesto drugo, recimo fg.exe, pa napravi novi log.

• 0Niko još nije pohvalio poruku.
  Registruj se da bi pohvalio/la poruku!

Evo sada se zove fg.exe


Logfile of HijackThis v1.99.1
Scan saved at 4:54:04 PM, on 3/27/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\MySQL\MySQL Server 5.0\bin\mysqld-nt.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Netropa\Multimedia Keyboard\TrayMon.exe
C:\Program Files\Netropa\Onscreen Display\OSD.exe
C:\Program Files\LimeWire\LimeWire.exe
C:\Program Files\PeerWeb DC++\PeerWeb DC++.exe
C:\Program Files\Java\jre1.5.0_09\bin\jucheck.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\NetLimiter\NetLimiter.exe
C:\Program Files\Notepad++\notepad++.exe
C:\Documents and Settings\Pedja\Desktop\New Folder\fg.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy.sbb.rs:8080
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O3 - Toolbar: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [MULTIMEDIA KEYBOARD] C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: WinMySQLadmin.lnk = C:\Program Files\MySql\bin\winmysqladmin.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: RapidShare-Download - res://C:\DOCUME~1\Pedja\LOCALS~1\Temp\ir_ext_temp_0\AutoPlay\Docs\more-rapid.exe/RsMenExt.html
O8 - Extra context menu item: Sothink SWF Catcher - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - Extra 'Tools' menuitem: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: SQL Server (SQLEXPRESS) (MSSQL$SQLEXPRESS) - Unknown owner - c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe" -sSQLEXPRESS (file missing)
O23 - Service: MySql - Unknown owner - C:/Program Files/MySql/bin/mysqld-nt.exe (file missing)
O23 - Service: MySQL5 - Unknown owner - C:\Program.exe (file missing)
O23 - Service: Netropa NHK Server (nhksrv) - Unknown owner - C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: Apache Tomcat (Tomcat5) - Unknown owner - C:\Program Files\Apache Software Foundation\Tomcat 5.5\bin\tomcat5.exe" //RS//Tomcat5 (file missing)

• 0Niko još nije pohvalio poruku.
  Registruj se da bi pohvalio/la poruku!

I dalje nista...
Jedino sto mi je cudno je sto imas i Apache i IIS pokrenute (barem deo IIS-a).

Uradi sledeće:
Preuzmi fajl gmer.zip sa ovog linka i sačuvaj na Desktop-u.
Raspakuj ga u neki folder.

Dupli klik na gmer.exe za početak: Izaberi Rootkit Tab na vrhu.
Klikni na Scan.
Kada je skeniranje završeno, klik na Copy dugme ispod - ovo će sačuvati to u Clipboard.
Iskoristi opciju Paste u Notepad-u da bi to prebacio u tekst. Snimi taj tekst iz Notepada kao file1.txt.
Ponovi ovo isto sa Autostart Tab-om. Snimi taj tekst iz Notepada kao file2.txt.

Iskopiraj nam ovde sadrzaj ta dva fajla koja smo malopre snimili

• 0Niko još nije pohvalio poruku.
  Registruj se da bi pohvalio/la poruku!

Nece ?!


Probao sam preko svih browsera da svucem (rekoh da nije mozda neki nesto otupaveo pa ne svuce ceo file i slicno...) vise puta i identicna greska...


A sto se tice apache i IIS nista ne brini, ja sam ih tako stavio

Da nije ovo mozda neki virus... kao AdobeR.exe...
bas mi je cudno to sto svaki browser trazi svojeime.exe file ?!

Adober koliko se secam pravi exe fajlove u svakom folderu a naziv fajla je kao i naziv foldera.... i ovde je nesto vrlo slicno... exe file trazi, naziv fajla i foldera su skoro identicni...

• 0Niko još nije pohvalio poruku.
  Registruj se da bi pohvalio/la poruku!

Postoje infekcije koje sprecavaju GMER da se startuje.
Probaj IceSword:
http://www.mycity.rs/AV-Objavljeni-radovi/Uklanjan.....Sword.html
Pojavice ti se crvene linije sigurno zbog antivirusa, interesuju nas one koje ne pripadaju NOD-u.

Ukoliko nece ni on, probaj bilo koji sa sledece liste za kog vidis da je dobio 5 zvezdica u koloni Cost/Rating:
http://www.antirootkit.com/software/index.htm

• 0Niko još nije pohvalio poruku.
  Registruj se da bi pohvalio/la poruku!

evo hoce DarkSpy
samo sta da ti kopiram ? Tacnije izgleda moram praviti slike, pa sta da slikam ... (ne vidim nikakve opcije kopiranja)

Dopuna: 27 Mar 2007 17:43

P.S. evo hoce i RootKit Unhooker.... vidim da on ima neki meni i da ima skeniranje, mozda bolje njega da koristim ???

• 0Niko još nije pohvalio poruku.
  Registruj se da bi pohvalio/la poruku!

Moze Rootkit Unhooker, ako se ne varam on ima opciju za snimanje loga u tekst.