Posted: 11 May 2008 16:37
- Joined: 19 Jan 2008
- Posts: 42
Please help, what should I do:
Every time I start IE, some site keeps popping up suggesting that I download an antivirus. It must be some virus; please look at the link: http://antiviruspcsuite.com/data/index.php?5e02590.....07540454
And here is what HaxFix reports:
HAXFIX logfile - by Marckie
version 5.00.0
2008-05-11 10:30:45.64
running from D:\HaxFix
--- Checking for Haxdoor ---
checking for a3d files
a3d files not found
checking for matching notify keys
no matching notify keys found
checking for matching services
no matching services found
checking for matching safeboot services
no matching safeboot services found
--- Checking for Goldun ---
checking for SSODL keys
no ssodl keys found
checking for notify keys
no notify keys found
checking for services
no services found
checking iexplore.exe
iexplore.exe is not infected
--- Checking for other Goldun and Haxdoor files ---
no other Haxdoor or Goldun files found
--- Catchme logfile - thank you Gmer ---
catchme 0.3.1344.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, gmer.net
Rootkit scan 2008-05-11 10:31:05
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden services & system hive ...
scanning hidden registry entries ...
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Prefetcher]
"TracesProcessed"=dword:000000b0
scanning hidden files ...
scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0
--- Analysing Catchme logfile ---
no matching regkeys found
Finished!
Posted: 11 May 2008 17:20
- Joined: 19 Jan 2008
- Posts: 42
Here is what HijackThis returned:
Logfile of HijackThis v1.99.1
Scan saved at 17:17, on 2008-05-11
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\Explorer.EXE
D:\WINDOWS\system32\spoolsv.exe
D:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
D:\Program Files\Eset\nod32krn.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\system32\WFXSVC.EXE
D:\WINDOWS\system32\wfxsnt40.exe
D:\Program Files\Eset\nod32kui.exe
D:\WINDOWS\system32\ctfmon.exe
D:\WINDOWS\system32\wscntfy.exe
D:\Program Files\Outlook Express\msimn.exe
D:\Program Files\internet explorer\iexplore.exe
D:\Program Files\Skype\Phone\Skype.exe
D:\Program Files\Skype\Plugin Manager\skypePM.exe
D:\Documents and Settings\kole\Desktop\New Folder\TTTTA.exe
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - D:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: (no name) - {2BF731FB-2013-4745-93E1-EBB0832B0B29} - D:\WINDOWS\system32\clusap.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - d:\program files\google\googletoolbar1.dll
O2 - BHO: (no name) - {EB95B62B-9729-4880-A351-01AF1899D78F} - D:\WINDOWS\system32\clusap.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - d:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [WinFaxAppPortStarter] wfxsnt40.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "D:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [nod32kui] "D:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKCU\..\Run: [CTFMON.EXE] D:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Controller.LNK = D:\Program Files\Symantec\WinFax\WFXCTL32.EXE
O8 - Extra context menu item: Iz&vezi u Microsoft Excel - res://D:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - D:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Istraživanje - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: d:\windows\system32\cavemlsp.dll
O10 - Unknown file in Winsock LSP: d:\windows\system32\cavemlsp.dll
O10 - Unknown file in Winsock LSP: d:\windows\system32\cavemlsp.dll
O10 - Unknown file in Winsock LSP: d:\windows\system32\cavemlsp.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - D:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Google Updater Service (gusvc) - Google - D:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - D:\Program Files\Eset\nod32krn.exe
O23 - Service: WinFax PRO (wfxsvc) - Symantec Corporation - D:\WINDOWS\system32\WFXSVC.EXE
Posted: 11 May 2008 18:15
- dr_Bora
- Anti Malware Fighter
Rank 2
- Joined: 24 Jul 2007
- Posts: 12280
- Location: Höganäs, SE
Download OTMoveIt2 to the Desktop.
Double-click OTMoveIt2.exe to run it.
Into the (left) pane of the program (under Paste List of Files/Folders to Move), copy everything inside the Code box:
D:\WINDOWS\system32\clusap.dll
Click MoveIt!
When the process finishes, the right pane (under Results) will contain text that needs to be copied into a post on the forum.
If this prompt appears:
Confirm ::The system requires a reboot to finish removing files.
Do you want to reboot now?
click Yes so that the computer restarts and the process completes.
After the system restarts, the logfile will open automatically in Notepad.
Copy the contents of that log into a post on the forum.
Also post a fresh HijackThis logfile.
Posted: 11 May 2008 18:45
- Joined: 19 Jan 2008
- Posts: 42
Here is what MoveIt says:
D:\WINDOWS\system32\clusap.dll unregistered successfully.
D:\WINDOWS\system32\clusap.dll moved successfully.
OTMoveIt2 by OldTimer - Version 1.0.4.1 log created on 05112008_184305
And here is what HijackThis says:
Logfile of HijackThis v1.99.1
Scan saved at 18:44, on 2008-05-11
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\Explorer.EXE
D:\WINDOWS\system32\spoolsv.exe
D:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
D:\Program Files\Eset\nod32krn.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\system32\WFXSVC.EXE
D:\Program Files\Symantec\WinFax\WFXMOD32.EXE
D:\WINDOWS\system32\wscntfy.exe
D:\Program Files\internet explorer\iexplore.exe
D:\Program Files\Skype\Phone\Skype.exe
D:\Program Files\Skype\Plugin Manager\skypePM.exe
D:\WINDOWS\system32\wuauclt.exe
D:\Documents and Settings\kole\Local Settings\Temporary Internet Files\Content.IE5\DFZFLPKE\OTMoveIt2[1].exe
D:\Documents and Settings\kole\Desktop\New Folder\TTTTA.exe
O2 - BHO: (no name) - {1775A22D-08B2-4624-8C04-5E0E5F4274CB} - D:\WINDOWS\system32\clusap.dll (file missing)
O10 - Unknown file in Winsock LSP: d:\windows\system32\cavemlsp.dll
O10 - Unknown file in Winsock LSP: d:\windows\system32\cavemlsp.dll
O10 - Unknown file in Winsock LSP: d:\windows\system32\cavemlsp.dll
O10 - Unknown file in Winsock LSP: d:\windows\system32\cavemlsp.dll
O23 - Service: Google Updater Service (gusvc) - Google - D:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - D:\Program Files\Eset\nod32krn.exe
O23 - Service: WinFax PRO (wfxsvc) - Symantec Corporation - D:\WINDOWS\system32\WFXSVC.EXE
Posted: 11 May 2008 18:58
- dr_Bora
- Anti Malware Fighter
Rank 2
- Joined: 24 Jul 2007
- Posts: 12280
- Location: Höganäs, SE
Is that really the complete HijackThis log?
Run HijackThis, scan, and tick the following line:
O2 - BHO: (no name) - {1775A22D-08B2-4624-8C04-5E0E5F4274CB} - D:\WINDOWS\system32\clusap.dll (file missing)
Click Fix checked.
Restart the computer, post a new HT log and tell me what the situation is now.
Posted: 11 May 2008 20:46
- Joined: 19 Jan 2008
- Posts: 42
I can't find the line you asked for anywhere. I ran HijackThis again and here is the result now:
Logfile of HijackThis v1.99.1
Scan saved at 20:44, on 2008-05-11
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\Explorer.EXE
D:\WINDOWS\system32\spoolsv.exe
D:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
D:\Program Files\Eset\nod32krn.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\system32\WFXSVC.EXE
D:\Program Files\Symantec\WinFax\WFXMOD32.EXE
D:\WINDOWS\system32\wscntfy.exe
D:\Program Files\internet explorer\iexplore.exe
D:\Program Files\Skype\Phone\Skype.exe
D:\Program Files\Skype\Plugin Manager\skypePM.exe
D:\Program Files\ESET\nod32kui.exe
D:\Documents and Settings\kole\Desktop\New Folder\TTTTA.exe
O10 - Unknown file in Winsock LSP: d:\windows\system32\cavemlsp.dll
O10 - Unknown file in Winsock LSP: d:\windows\system32\cavemlsp.dll
O10 - Unknown file in Winsock LSP: d:\windows\system32\cavemlsp.dll
O10 - Unknown file in Winsock LSP: d:\windows\system32\cavemlsp.dll
O23 - Service: Google Updater Service (gusvc) - Google - D:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - D:\Program Files\Eset\nod32krn.exe
O23 - Service: WinFax PRO (wfxsvc) - Symantec Corporation - D:\WINDOWS\system32\WFXSVC.EXE
Posted: 11 May 2008 20:58
- dr_Bora
- Anti Malware Fighter
Rank 2
- Joined: 24 Jul 2007
- Posts: 12280
- Location: Höganäs, SE
This log is still extremely strange.
Did you perhaps do something with HijackThis other than what the instructions said?
Quote: Every time I start IE, some site keeps popping up suggesting that I download an antivirus.
Is this still happening?
Posted: 12 May 2008 01:26
- Joined: 19 Jan 2008
- Posts: 42
It doesn't happen any more; IE works normally now, nothing pops up.
Why do you think the log is "strange", what is strange about it?
Update: 12 May 2008 1:26
Wait, the only thing I did with HijackThis was tick all the boxes where it says Fix checked. Here is what it shows now:
Logfile of HijackThis v1.99.1
Scan saved at 01:24, on 2008-05-12
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\Explorer.EXE
D:\WINDOWS\system32\spoolsv.exe
D:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
D:\Program Files\Eset\nod32krn.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\system32\WFXSVC.EXE
D:\Program Files\Symantec\WinFax\WFXMOD32.EXE
D:\WINDOWS\system32\ctfmon.exe
D:\WINDOWS\system32\wscntfy.exe
D:\Program Files\internet explorer\iexplore.exe
D:\Documents and Settings\kole\Desktop\New Folder\TTTTA.exe
O4 - HKCU\..\Run: [ctfmon.exe] D:\WINDOWS\system32\ctfmon.exe
O10 - Unknown file in Winsock LSP: d:\windows\system32\cavemlsp.dll
O10 - Unknown file in Winsock LSP: d:\windows\system32\cavemlsp.dll
O10 - Unknown file in Winsock LSP: d:\windows\system32\cavemlsp.dll
O10 - Unknown file in Winsock LSP: d:\windows\system32\cavemlsp.dll
O23 - Service: Google Updater Service (gusvc) - Google - D:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - D:\Program Files\Eset\nod32krn.exe
O23 - Service: WinFax PRO (wfxsvc) - Symantec Corporation - D:\WINDOWS\system32\WFXSVC.EXE
Posted: 12 May 2008 16:50
- dr_Bora
- Anti Malware Fighter
Rank 2
- Joined: 24 Jul 2007
- Posts: 12280
- Location: Höganäs, SE
The log is missing legitimate lines.
The instruction read:
Quote: Run HijackThis, scan, and tick the following line:
O2 - BHO: (no name) - {1775A22D-08B2-4624-8C04-5E0E5F4274CB} - D:\WINDOWS\system32\clusap.dll (file missing)
Click Fix checked.
So only one line was supposed to be ticked and removed.
Run HijackThis and click View the list of backups.
Maximize that window and then take a screenshot.
If you need instructions for taking a screenshot:
http://www.mycity.rs/Windows/Pravljenje-screenshota.html
Post that screenshot in your next reply.
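Added example, not a tool used in the thread and not dr_Bora's procedure: a small Python script that does what a helper does by eye when a follow-up log looks "too short". It parses two HijackThis logs, lists the O-entries that disappeared between the earlier and the later one, and reports which of those were not the single line the helper asked to have fixed. It also shows the review heuristics a triager applies before touching anything (unnamed BHOs, entries pointing at a missing file, and HijackThis's own "Unknown file in Winsock LSP" label, collapsed to one report per DLL because one LSP DLL legitimately occupies several protocol slots). The sample logs are trimmed excerpts of the logs posted above; the parsing rules and heuristics are this example's assumptions, not HijackThis's.

```python
"""Compare two HijackThis (HJT) logs and flag entries removed without being requested.

Assumptions (this example's own, not HijackThis's): an O-entry is any line
starting with "O<digits> - "; the "Running processes:" header is followed by
one process path per line until the first O-entry.
"""
import re
from typing import Dict, List, Set

# "O2 - BHO: ...", "O4 - HKLM\..\Run: ...", "O23 - Service: ..."
ENTRY_RE = re.compile(r"^O\d+ - ")

# Trimmed excerpt of the first HJT log posted in the thread (constructed sample).
LOG_BEFORE = r"""Logfile of HijackThis v1.99.1
Running processes:
D:\WINDOWS\System32\smss.exe
D:\Program Files\Eset\nod32krn.exe
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {2BF731FB-2013-4745-93E1-EBB0832B0B29} - D:\WINDOWS\system32\clusap.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - d:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [nod32kui] "D:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O10 - Unknown file in Winsock LSP: d:\windows\system32\cavemlsp.dll
O10 - Unknown file in Winsock LSP: d:\windows\system32\cavemlsp.dll
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - D:\Program Files\Eset\nod32krn.exe
"""

# Trimmed excerpt of the last HJT log posted in the thread (constructed sample).
LOG_AFTER = r"""Logfile of HijackThis v1.99.1
Running processes:
D:\WINDOWS\System32\smss.exe
D:\Program Files\Eset\nod32krn.exe
O4 - HKCU\..\Run: [ctfmon.exe] D:\WINDOWS\system32\ctfmon.exe
O10 - Unknown file in Winsock LSP: d:\windows\system32\cavemlsp.dll
O10 - Unknown file in Winsock LSP: d:\windows\system32\cavemlsp.dll
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - D:\Program Files\Eset\nod32krn.exe
"""

# The one line the helper actually asked to have fixed.
INTENDED: Set[str] = {
    "O2 - BHO: (no name) - {2BF731FB-2013-4745-93E1-EBB0832B0B29} - D:\\WINDOWS\\system32\\clusap.dll",
}


def parse_hjt(log: str) -> Dict[str, List[str]]:
    """Split an HJT log into its running-process list and its O-entries.

    Duplicate O-entries are kept on purpose: identical O10 lines are one LSP
    DLL registered in several Winsock slots, not several findings.
    """
    processes: List[str] = []
    entries: List[str] = []
    in_processes = False
    for raw in log.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.lower().startswith("running processes:"):
            in_processes = True
            continue
        if ENTRY_RE.match(line):
            in_processes = False  # the first O-entry ends the process list
            entries.append(line)
        elif in_processes:
            processes.append(line)
    return {"processes": processes, "entries": entries}


def removed_entries(before: str, after: str) -> List[str]:
    """O-entries present in the earlier log and absent from the later one."""
    later = set(parse_hjt(after)["entries"])
    return [e for e in parse_hjt(before)["entries"] if e not in later]


def unexpected_removals(before: str, after: str, intended: Set[str]) -> List[str]:
    """Removed entries nobody asked for: the 'missing legitimate lines' check."""
    return [e for e in removed_entries(before, after) if e not in intended]


def review_flags(log: str) -> List[str]:
    """Entries a triager identifies first; flagged for a look-up, not for removal."""
    flagged: List[str] = []
    seen_lsp: Set[str] = set()
    for e in parse_hjt(log)["entries"]:
        if e.startswith("O2 - BHO: (no name)") or "(file missing)" in e:
            flagged.append(e)
        elif e.startswith("O10 - Unknown file in Winsock LSP:") and e not in seen_lsp:
            seen_lsp.add(e)  # report each LSP DLL once, however many slots it holds
            flagged.append(e)
    return flagged


if __name__ == "__main__":
    for e in unexpected_removals(LOG_BEFORE, LOG_AFTER, INTENDED):
        print("removed but not requested:", e)
    for e in review_flags(LOG_BEFORE):
        print("review:", e)
```

Run against the two excerpts, the script reports the Adobe BHO, the Google toolbar and the NOD32 run key as removed without being requested, which is exactly the gap dr_Bora noticed by comparing the logs by hand; the HijackThis backup list is where those lines can be restored from.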