How to get rid of the adware.virtumonde application

  • Joined: 05 Feb 2008
  • Posts: 6

Here is the log

Logfile of HijackThis v1.99.1
Scan saved at 12:59:30 AM, on 2/5/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Eset\nod32kui.exe
C:\WINDOWS\system32\RunDll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Mindjet\MindManager 6\MMReminderService.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Tracker Software\PDF-XChange 3\pdfSaver\pdfSaver3.exe
F:\Programi Instalacije\hub\ApexDC.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Bucko\Desktop\ewido_micro.exe
F:\Programi Instalacije\hub\Downloads\HijackThis.exe

O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAudPropShortcut.exe
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [MMReminderService] C:\Program Files\Mindjet\MindManager 6\MMReminderService.exe
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -startup
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [System Terminal Server] smtsvc.exe
O4 - HKLM\..\Run: [34d4c569] rundll32.exe "C:\WINDOWS\system32\lvdgmrkh.dll",b
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [pdfSaver3] "C:\Program Files\Tracker Software\PDF-XChange 3\pdfSaver\pdfSaver3.exe"
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.1_01\bin\npjpi141_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.1_01\bin\npjpi141_01.dll
O9 - Extra button: Send to Mindjet MindManager - {531B9DC0-D8EE-4c76-A6EE-6C1E50569655} - C:\Program Files\Mindjet\MindManager 6\Mm6InternetExplorer.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - upload.facebook.com/controls/FacebookPhotoUploader.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe



Update: 05 Feb 2008 1:29

Then I went over it with VirtumundoBeGone and the log looks like this

[02/05/2008, 0:45:17] - VirtumundoBeGone v1.5 ( "C:\Documents and Settings\Bucko\Desktop\VirtumundoBeGone.exe" )
[02/05/2008, 0:45:19] - Detected System Information:
[02/05/2008, 0:45:19] - Windows Version: 5.1.2600, Service Pack 2
[02/05/2008, 0:45:19] - Current Username: Bucko (Admin)
[02/05/2008, 0:45:19] - Windows is in NORMAL mode.
[02/05/2008, 0:45:19] - Searching for Browser Helper Objects:
[02/05/2008, 0:45:19] - BHO 1: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (AcroIEHlprObj Class)
[02/05/2008, 0:45:19] - BHO 2: {65D805BF-A059-4CD5-8C6A-CA425440E0D9} ()
[02/05/2008, 0:45:19] - WARNING: BHO has no default name. Checking for Winlogon reference.
[02/05/2008, 0:45:19] - Checking for HKLM\...\Winlogon\Notify\awvvw
[02/05/2008, 0:45:19] - Key not found: HKLM\...\Winlogon\Notify\awvvw, continuing.
[02/05/2008, 0:45:19] - BHO 3: {7E853D72-626A-48EC-A868-BA8D5E23E045} ()
[02/05/2008, 0:45:19] - WARNING: BHO has no default name. Checking for Winlogon reference.
[02/05/2008, 0:45:19] - No filename found. Continuing.
[02/05/2008, 0:45:19] - BHO 4: {a05dd66e-a1f4-4b8f-92e4-e8144fbe50cb} ()
[02/05/2008, 0:45:19] - WARNING: BHO has no default name. Checking for Winlogon reference.
[02/05/2008, 0:45:19] - Checking for HKLM\...\Winlogon\Notify\qhlibwev
[02/05/2008, 0:45:19] - Key not found: HKLM\...\Winlogon\Notify\qhlibwev, continuing.
[02/05/2008, 0:45:19] - BHO 5: {AC41D38F-B56D-40AD-94E0-B493D130C959} (CmjBrowserHelperObject Object)
[02/05/2008, 0:45:19] - Finished Searching Browser Helper Objects
[02/05/2008, 0:45:19] - Finishing up...
[02/05/2008, 0:45:19] - Nothing found! Exiting...

  • DEMIAN (Male)
  • Legendary citizen
  • IT Manager
  • Joined: 25 Mar 2005
  • Posts: 3706
  • Location: The darkest place on earth..

Download VundoFix from this link and follow the instructions below..
http://www.atribune.org/ccount/click.php?id=4

* Double-click the VundoFix.exe file to start it.
* Select the Scan for Vundo option.
* After the scan finishes and the message Done Searching for files appears, click OK.
* Now that the scan is complete, click the Remove Vundo option.
* When asked whether to remove the Vundo files, click Yes.
* Running this option will temporarily blank the Desktop in order to prepare the system for removing Vundo.
* When it finishes, a notice about shutting down the computer will appear; click OK.
* Turn the computer on and boot the system again.
* Copy the contents of the log at C:\vundofix.txt and a new HijackThis log into a post on the forum.

  • Joined: 05 Feb 2008
  • Posts: 6

Then, following one of your earlier recommendations >
Download Ewido micro (8Mb) :
downloads.ewido.net/ewido_micro.exe

How to work with Ewido micro:
- on the first screen select all partitions (tick the boxes in front of them)
- click the Start Scan button
- after the scan finishes click Save Report and save the log file somewhere safe
- click Remove Infections
- paste the contents of the log file you just saved here for us

And the contents look like this>
__________________________________________________
ewido anti-spyware online scanner
http://www.ewido.net
__________________________________________________


Name: TrackingCookie.Yieldmanager
Path: C:\Documents and Settings\Bucko\Cookies\bucko@ad.yieldmanager[2].txt
Risk: Medium

Name: TrackingCookie.Adbrite
Path: C:\Documents and Settings\Bucko\Cookies\bucko@adbrite[2].txt
Risk: Medium

Name: TrackingCookie.Euroclick
Path: C:\Documents and Settings\Bucko\Cookies\bucko@adopt.euroclick[1].txt
Risk: Medium

Name: TrackingCookie.Bridgetrack
Path: C:\Documents and Settings\Bucko\Cookies\bucko@ads.bridgetrack[1].txt
Risk: Medium

Name: TrackingCookie.Advertising
Path: C:\Documents and Settings\Bucko\Cookies\bucko@advertising[2].txt
Risk: Medium

Name: TrackingCookie.Atdmt
Path: C:\Documents and Settings\Bucko\Cookies\bucko@atdmt[1].txt
Risk: Medium

Name: TrackingCookie.Msn
Path: C:\Documents and Settings\Bucko\Cookies\bucko@auto.search.msn[2].txt
Risk: Medium

Name: TrackingCookie.Clickbank
Path: C:\Documents and Settings\Bucko\Cookies\bucko@clickbank[1].txt
Risk: Medium

Name: TrackingCookie.Hitbox
Path: C:\Documents and Settings\Bucko\Cookies\bucko@ehg-accuweather.hitbox[1].txt
Risk: Medium

Name: TrackingCookie.Liveperson
Path: C:\Documents and Settings\Bucko\Cookies\bucko@equs.liveperson[2].txt
Risk: Medium

Name: TrackingCookie.Gemius
Path: C:\Documents and Settings\Bucko\Cookies\bucko@hit.gemius[1].txt
Risk: Medium

Name: TrackingCookie.Hitbox
Path: C:\Documents and Settings\Bucko\Cookies\bucko@hitbox[2].txt
Risk: Medium

Name: TrackingCookie.Tracking101
Path: C:\Documents and Settings\Bucko\Cookies\bucko@login.tracking101[2].txt
Risk: Medium

Name: TrackingCookie.Webtrends
Path: C:\Documents and Settings\Bucko\Cookies\bucko@m.webtrends[2].txt
Risk: Medium

Name: TrackingCookie.Adrevolver
Path: C:\Documents and Settings\Bucko\Cookies\bucko@media.adrevolver[1].txt
Risk: Medium

Name: TrackingCookie.Mediaplex
Path: C:\Documents and Settings\Bucko\Cookies\bucko@mediaplex[1].txt
Risk: Medium

Name: TrackingCookie.Revsci
Path: C:\Documents and Settings\Bucko\Cookies\bucko@revsci[2].txt
Risk: Medium

Name: TrackingCookie.Webtrendslive
Path: C:\Documents and Settings\Bucko\Cookies\bucko@statse.webtrendslive[2].txt
Risk: Medium

Name: TrackingCookie.Tacoda
Path: C:\Documents and Settings\Bucko\Cookies\bucko@tacoda[2].txt
Risk: Medium

Name: TrackingCookie.Tradedoubler
Path: C:\Documents and Settings\Bucko\Cookies\bucko@tradedoubler[1].txt
Risk: Medium

Name: Adware.SaveNow
Path: HKLM\SOFTWARE\WhenU
Risk: Medium

Name: TrackingCookie.Msn
Path: C:\Documents and Settings\Milance\Cookies\milance@auto.search.msn[2].txt
Risk: Medium

Name: Trojan.Inject.kq
Path: C:\WINDOWS\system32\fcccdaa.dll
Risk: High

Name: Trojan.Inject.kq
Path: C:\WINDOWS\system32\qomnlmj.dll
Risk: High

Name: Downloader.Small.gpz
Path: C:\WINDOWS\system32\vtusssr.dll
Risk: High

Name: Not-A-Virus.PSWTool.Win32.Brutus
Path: F:\My Documents\iznenadj\cr\brutus-aet2.zip/BrutusA2.exe
Risk: Low

Name: Not-A-Virus.PSWTool.Win32.MailPassView.130
Path: F:\My Documents\iznenadj\cr\mailpv.exe
Risk: Low

Name: Not-A-Virus.PSWTool.Win32.MailPassView.130
Path: F:\My Documents\iznenadj\cr\mailpv.zip/mailpv.exe
Risk: Low

Name: Not-A-Virus.PSWTool.Win32.Messen.110
Path: F:\My Documents\iznenadj\cr\mspass.exe
Risk: Low

Name: Not-A-Virus.PSWTool.Win32.Messen.110
Path: F:\My Documents\iznenadj\cr\mspass.zip/mspass.exe
Risk: Low

Name: Adware.PurityScan
Path: F:\Programi Instalacije\MIX RALE\AVI to VCD\Cucusoft_AVI_to_VCD_DVD_v3[1].55.zip/pscan.exe
Risk: Medium

Name: Backdoor.Theef.111
Path: F:\Programi Instalacije\MIX RALE\Microangelo\TNT-MicroAngelo5.0_CRK.zip/TNT-MicroAngelo5.0 CRK.exe
Risk: High

Name: Not-A-Virus.Flooder.IRC.Extreme.821
Path: F:\Programi Instalacije\MIX RALE\mirc\xtreme.zip/sys/dialog1.ini
Risk: Low

Name: Backdoor.Ircflood.s
Path: F:\Programi Instalacije\MIX RALE\mirc\xtreme.zip/sys/dlls/aircdll.dll
Risk: High

Name: Adware.TimeSink
Path: F:\Programi Instalacije\MIX RALE\MrCoolV2\TSUninstaller.exe
Risk: Medium

  • DEMIAN (Male)
  • Legendary citizen
  • IT Manager
  • Joined: 25 Mar 2005
  • Posts: 3706
  • Location: The darkest place on earth..

Wait.. I didn't fully understand. Did you use VundoFix first and then additionally scan the system with Ewido (on your own), or did you clean the computer only with Ewido?

I don't need the Ewido logs. I didn't ask you for that. My first post says which logs I'm interested in and where they are. Copy those to the forum.

  • Joined: 05 Feb 2008
  • Posts: 6

First I scanned with Ewido (on my own), then with VundoFix, and the log looks like this>

VundoFix V6.7.7

Checking Java version...

Scan started at 2:00:40 AM 2/5/2008

Listing files found while scanning....

C:\windows\system32\awvvw.dll
C:\WINDOWS\system32\bmahfqkt.dll
C:\WINDOWS\system32\caxsmfaq.dll
C:\windows\system32\wvvwa.bak1
C:\windows\system32\wvvwa.bak2
C:\windows\system32\wvvwa.ini
C:\windows\system32\wvvwa.ini2

Beginning removal...

Attempting to delete C:\windows\system32\awvvw.dll
C:\windows\system32\awvvw.dll Could not be deleted.

Attempting to delete C:\WINDOWS\system32\bmahfqkt.dll
C:\WINDOWS\system32\bmahfqkt.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\caxsmfaq.dll
C:\WINDOWS\system32\caxsmfaq.dll Has been deleted!

Attempting to delete C:\windows\system32\wvvwa.bak1
C:\windows\system32\wvvwa.bak1 Has been deleted!

Attempting to delete C:\windows\system32\wvvwa.bak2
C:\windows\system32\wvvwa.bak2 Has been deleted!

Attempting to delete C:\windows\system32\wvvwa.ini
C:\windows\system32\wvvwa.ini Has been deleted!

Attempting to delete C:\windows\system32\wvvwa.ini2
C:\windows\system32\wvvwa.ini2 Has been deleted!

Performing Repairs to the registry.
Done!

Beginning removal...

Attempting to delete C:\windows\system32\awvvw.dll
C:\windows\system32\awvvw.dll Has been deleted!

Attempting to delete C:\windows\system32\wvvwa.ini
C:\windows\system32\wvvwa.ini Has been deleted!

Performing Repairs to the registry.
Done!

Update: 05 Feb 2008 2:38

After that the HijackThis log looks like this>

Logfile of HijackThis v1.99.1
Scan saved at 2:31:06 AM, on 2/5/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Eset\nod32kui.exe
C:\WINDOWS\system32\RunDll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Mindjet\MindManager 6\MMReminderService.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Tracker Software\PDF-XChange 3\pdfSaver\pdfSaver3.exe
F:\Programi Instalacije\hub\ApexDC.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Skeniranje\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {3A813E36-538E-4C52-86D7-2FF8EB419D34} - C:\WINDOWS\system32\awvvw.dll (file missing)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: {bc05ebf4-418e-4e29-f8b4-4f1ae66dd50a} - {a05dd66e-a1f4-4b8f-92e4-e8144fbe50cb} - C:\WINDOWS\system32\qhlibwev.dll
O2 - BHO: CmjBrowserHelperObject Object - {AC41D38F-B56D-40AD-94E0-B493D130C959} - C:\Program Files\Mindjet\MindManager 6\Mm6InternetExplorer.dll
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAudPropShortcut.exe
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [MMReminderService] C:\Program Files\Mindjet\MindManager 6\MMReminderService.exe
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -startup
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [System Terminal Server] smtsvc.exe
O4 - HKLM\..\Run: [34d4c569] rundll32.exe "C:\WINDOWS\system32\lvdgmrkh.dll",b
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [pdfSaver3] "C:\Program Files\Tracker Software\PDF-XChange 3\pdfSaver\pdfSaver3.exe"
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.1_01\bin\npjpi141_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.1_01\bin\npjpi141_01.dll
O9 - Extra button: Send to Mindjet MindManager - {531B9DC0-D8EE-4c76-A6EE-6C1E50569655} - C:\Program Files\Mindjet\MindManager 6\Mm6InternetExplorer.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - upload.facebook.com/controls/FacebookPhotoUploader.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

Update: 05 Feb 2008 2:50

What should I do next??

  • DEMIAN (Male)
  • Legendary citizen
  • IT Manager
  • Joined: 25 Mar 2005
  • Posts: 3706
  • Location: The darkest place on earth..

Run HijackThis and go to the "Do a system scan only" option. Find and check (in the box next to it) each of the lines listed below and press "Fix checked".

O2 - BHO: (no name) - {3A813E36-538E-4C52-86D7-2FF8EB419D34} - C:\WINDOWS\system32\awvvw.dll (file missing)

O2 - BHO: {bc05ebf4-418e-4e29-f8b4-4f1ae66dd50a} - {a05dd66e-a1f4-4b8f-92e4-e8144fbe50cb} - C:\WINDOWS\system32\qhlibwev.dll

O4 - HKLM\..\Run: [System Terminal Server] smtsvc.exe

O4 - HKLM\..\Run: [34d4c569] rundll32.exe "C:\WINDOWS\system32\lvdgmrkh.dll",b

Close HijackThis.

---------------------

Step 2:

---------------------

Run VundoFix again, right-click inside the (white) program window and choose the "Add more files?" option. When the next window opens, copy/paste the following file paths - each one into a separate box.

C:\WINDOWS\system32\qhlibwev.dll
C:\WINDOWS\system32\smtsvc.exe
C:\WINDOWS\system32\lvdgmrkh.dll

Click "Add File(s)", "Close Window", "Remove Vundo".

This is the rest of the procedure that follows after this step of adding the files.
Quote:* Running this option will temporarily blank the Desktop in order to prepare the system for removing Vundo.
* When it finishes, a notice about shutting down the computer will appear; click OK.
* Turn the computer on and boot the system again.


When you have finished everything, post a new HJT log and the VundoFix log so we can see how it is progressing.
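A small triage script for the HijackThis O2/O4 lines that DEMIAN singles out above, added here as an example (it is not part of HijackThis, VundoFix or this thread); the suspicion heuristics are assumptions, and the sample lines are copied from the thread's second HijackThis log. It flags the mechanical signs (nameless or CLSID-named BHOs, missing files, hex-blob Run value names, rundll32 loading a vowel-less system32 DLL) but cannot replace a known-good reference for entries like the bare smtsvc.exe.

```python
"""Triage of HijackThis O2 (BHO) and O4 (Run) lines for Vundo-style entries.

Added example for this thread. The heuristics below are assumptions about
what the helper looked for, not rules from HijackThis itself.
"""
import re
from dataclasses import dataclass

# Constructed sample: O2/O4 lines copied from the second HijackThis log in the thread.
SAMPLE_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {3A813E36-538E-4C52-86D7-2FF8EB419D34} - C:\WINDOWS\system32\awvvw.dll (file missing)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: {bc05ebf4-418e-4e29-f8b4-4f1ae66dd50a} - {a05dd66e-a1f4-4b8f-92e4-e8144fbe50cb} - C:\WINDOWS\system32\qhlibwev.dll
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [System Terminal Server] smtsvc.exe
O4 - HKLM\..\Run: [34d4c569] rundll32.exe "C:\WINDOWS\system32\lvdgmrkh.dll",b
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
"""


@dataclass
class Finding:
    section: str  # "O2" or "O4"
    reason: str
    line: str


O2_RE = re.compile(r'^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[^}]+\}) - (?P<target>.*)$')
O4_RE = re.compile(r'^O4 - (?P<hive>HK\w+)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$')
CLSID_RE = re.compile(r'^\{[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\}$', re.I)
HEX_RE = re.compile(r'^[0-9a-f]{6,}$')
RUNDLL_RE = re.compile(r'^rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+\.dll)', re.I)
VOWELS = set("aeiouy")


def looks_generated(stem: str) -> bool:
    """Crude heuristic (assumption): 5+ all-lowercase letters with no vowel, e.g. lvdgmrkh."""
    return len(stem) >= 5 and stem.isalpha() and stem.islower() and not (set(stem) & VOWELS)


def triage_line(line: str) -> list:
    """Return the findings for one HijackThis line (empty list when nothing is suspicious)."""
    out = []
    m = O2_RE.match(line)
    if m:
        name, target = m["name"], m["target"]
        if name == "(no name)":
            out.append(Finding("O2", "BHO registered without a name", line))
        elif CLSID_RE.match(name):
            out.append(Finding("O2", "BHO name is itself a CLSID", line))
        if target.endswith("(file missing)") or target == "(no file)":
            out.append(Finding("O2", "BHO points to a file that no longer exists", line))
        return out
    m = O4_RE.match(line)
    if m:
        name, cmd = m["name"], m["cmd"]
        if HEX_RE.match(name):
            out.append(Finding("O4", "Run value name is a bare hex string", line))
        r = RUNDLL_RE.match(cmd)
        if r:
            # Strip directory and the ".dll" suffix, keep the bare file stem.
            stem = r["dll"].replace("/", "\\").rsplit("\\", 1)[-1][:-4]
            if looks_generated(stem):
                out.append(Finding("O4", "rundll32 loads a DLL with a generated-looking name", line))
    return out


def triage(log_text: str) -> list:
    """Run triage_line over every line of a HijackThis log and collect the findings."""
    return [f for ln in log_text.splitlines() for f in triage_line(ln.strip())]


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.section}] {f.reason}: {f.line}")
```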

  • Joined: 05 Feb 2008
  • Posts: 6

VundoFix log>

Beginning removal...

Attempting to delete C:\WINDOWS\system32\lvdgmrkh.dll
C:\WINDOWS\system32\lvdgmrkh.dll Could not be deleted.

Attempting to delete C:\WINDOWS\system32\qhlibwev.dll
C:\WINDOWS\system32\qhlibwev.dll Has been deleted!

Performing Repairs to the registry.
Done!

Beginning removal...

Attempting to delete C:\WINDOWS\system32\lvdgmrkh.dll
C:\WINDOWS\system32\lvdgmrkh.dll Has been deleted!

Performing Repairs to the registry.
Done!

Update: 05 Feb 2008 11:19

Logfile of HijackThis v1.99.1
Scan saved at 11:17:12 AM, on 2/5/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Eset\nod32kui.exe
C:\WINDOWS\system32\RunDll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Mindjet\MindManager 6\MMReminderService.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Tracker Software\PDF-XChange 3\pdfSaver\pdfSaver3.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
F:\Programi Instalacije\hub\ApexDC.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Skeniranje\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: CmjBrowserHelperObject Object - {AC41D38F-B56D-40AD-94E0-B493D130C959} - C:\Program Files\Mindjet\MindManager 6\Mm6InternetExplorer.dll
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAudPropShortcut.exe
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [MMReminderService] C:\Program Files\Mindjet\MindManager 6\MMReminderService.exe
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -startup
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [pdfSaver3] "C:\Program Files\Tracker Software\PDF-XChange 3\pdfSaver\pdfSaver3.exe"
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.1_01\bin\npjpi141_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.1_01\bin\npjpi141_01.dll
O9 - Extra button: Send to Mindjet MindManager - {531B9DC0-D8EE-4c76-A6EE-6C1E50569655} - C:\Program Files\Mindjet\MindManager 6\Mm6InternetExplorer.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - upload.facebook.com/controls/FacebookPhotoUploader.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

Update: 05 Feb 2008 11:26

Waiting for further instructions

  • DEMIAN (Male)
  • Legendary citizen
  • IT Manager
  • Joined: 25 Mar 2005
  • Posts: 3706
  • Location: The darkest place on earth..

The log is clean, i.e. it does not show any other active malware on the system. If any other specific problem comes up, let us know.

btw. I would recommend that you uninstall that old version of Java you have and install the new one from the link > http://www.java.com/en/download/manual.jsp That way you will be better protected against Vundo.

  • Joined: 05 Feb 2008
  • Posts: 6

Thanks for the help
