Problem with SmitFraud, WhenU and many others


  • potex
  • New MyCity citizen
  • Joined: 10 Sep 2006
  • Posts: 23
  • Location: Belgrade

1) I found C:\WINDOWS\SYSTEM32\winwly32.dll and sent it for analysis.

And this one: R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = multimedia-search.com/, if that refers to the home page, I set it myself. The others are nowhere to be found...

2) I didn't have Daemon even before the cleanup. I did install it once, and when I saw it was cr*p I removed it via Control Panel / Add or Remove Programs and deleted the folder in Program Files.

3) I don't know what you mean. Do you mean did I go to Search and search for them, or...?

4) I don't know which one shows up and which doesn't. This 888toolbar installs itself into Internet Explorer and has an Uninstall button; I go to Add/Remove and delete it, but before that I have to close all Internet Explorer windows.

ismini and ishost showed up (as a tree) in Process Explorer; ismini was a child of ishost, and when I killed one they would swap, so ishost became a child of ismini. They also showed up in Task Manager.

The one in Common Files shows up in Windows Task Manager as Update.exe.

Until recently, when I started Internet Explorer, my home page (www.multimedia-search.com) would change to ieupdate.com and I would get a message that my computer was infected with the most dangerous virus on the net and that I should download System Doctor from a link that appeared together with the warning, below the Google Toolbar.

I deleted Morpheus.
For the repeat procedure, do I go into Safe Mode and follow the instructions???

Update: 05 Dec 2006 16:32

Since I followed your instructions yesterday, the 888Toolbar is gone.

Update: 05 Dec 2006 16:35

And there is some cidaemon.exe in Task Manager, located at C:\WINDOWS\SYSTEM32\cidaemon.exe... it looks a bit suspicious to me because it only recently started appearing in Task Manager.

  • DEMIAN
  • Legendary citizen
  • IT Manager
  • Joined: 25 Mar 2005
  • Posts: 3706
  • Location: The darkest place on earth..

OK, I see we're cooperating on this .. ;)

Here are your answers.

1. Winwly32.dll is Trojan.Win32.Agent.vg

OK for the Home Page if you set it yourself - don't touch the normal R0 line.

2. Then delete the keys related to Daemon Tools if you no longer have it and don't use it. I have information that some installers of this software contain adware and make installing the program conditional on installing it as well. It's possible that's where your WhenU came from. Sort that out too - I listed the lines for you above as well.

3. Yes. That's what I mean. Look for them visually or via the Search option in Windows. See the picture for configuring that option.
http://i13.tinypic.com/4060hs7.png
I told you to enable showing hidden files and extensions so you could find it more easily by eye.
When you go through Search you have to enable the options I screenshotted in the search. Naturally, search in "All Files and Folders" ;)

Here, in case you don't know, I'll explain it quickly:

My Computer -> choose the Tools menu and click Folder Options.
Select the View tab.
Find Hidden files and folders and check the option Show hidden files and folders.
Uncheck the option Hide file extensions for known types.

4. 888Toolbar was apparently contained in those two files you sent us for analysis earlier, though the disappearance of the file 888Bar.dll is a bit of a mystery. We suspect it renamed itself to system.dll.. Search for it (888Bar.dll) too, just in case.

When did ismini and ishost disappear? Did they disappear when you did Fix Checked in HJT, or earlier? Check that again just in case. OK?

C:\WINDOWS\SYSTEM32\cidaemon.exe - a legitimate process at the path you gave.

Info about the process:
http://infinite.on.neobee.net/tasklistlett/c.htm
http://www.liutilities.com/products/wintaskspro/processlibrary/cidaemon/

Once you've checked this, post a log and answer those questions - then we'll move on.

  • potex
  • New MyCity citizen
  • Joined: 10 Sep 2006
  • Posts: 23
  • Location: Belgrade

Do I do all of that in Safe Mode?

Update: 05 Dec 2006 20:37

SmitFraudFix v2.128

Scan done at 20:16:08.21, Tue 12/05/2006
Run from C:\Documents and Settings\Nemanja\My Documents\My Completed Downloads\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in safe mode

»»»»»»»»»»»»»»»»»»»»»»»» Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» Killing process


»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

GenericRenosFix by S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files


»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""


»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

Registry Cleaning done.

»»»»»»»»»»»»»»»»»»»»»»»» After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» End


HJ log:

Logfile of HijackThis v1.99.1
Scan saved at 20:37:47, on 5.12.2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Eset\nod32kui.exe
C:\WINDOWS\AGRSMMSG.exe
C:\PROGRA~1\Lavasoft\AD-AWA~1\Ad-Watch.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Common Files\{38A5D4BA-0647-2074-0216-06031401017d}\Update.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\Nemanja\Desktop\Hijack This\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = multimedia-search.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [D_V_T] C:\\dvt.exe /S \C:\\d_v_t.reg\
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [AWMON] "C:\PROGRA~1\Lavasoft\AD-AWA~1\Ad-Watch.exe"
O4 - HKLM\..\Run: [DownloadAccelerator] "C:\Program Files\DAP\DAP.EXE" /STARTUP
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [NapsterShell] C:\Program Files\Napster\napster.exe /systray
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [DaemonTools_WhenUSave_Installer] C:\Program Files\DaemonTools_WhenUSave_Installer\DaemonTools_WhenUSave_Installer.exe
O4 - HKLM\..\Run: [WhenUSearch] "C:\Program Files\WhenUSearch\Search.exe"
O4 - HKLM\..\Run: [WhenUSearchWHSE] "C:\Program Files\WhenUSearch\whse.exe"
O4 - HKLM\..\Run: [Device Detector] DevDetect.exe -autorun
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.0.720.3640\GoogleToolbarNotifier.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Morpheus.lnk = C:\Program Files\Morpheus\Morpheus.exe
O8 - Extra context menu item: &Clean Traces - C:\Program Files\DAP\Privacy Package\dapcleanerie.htm
O8 - Extra context menu item: &Download with &DAP - C:\Program Files\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - C:\Program Files\DAP\dapextie2.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Trace - {04849C74-016E-4a43-8AA5-1F01DE57F4A1} - C:\Program Files\VisualRoute\vrie.dll
O9 - Extra 'Tools' menuitem: VisualRoute Trace - {04849C74-016E-4a43-8AA5-1F01DE57F4A1} - C:\Program Files\VisualRoute\vrie.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra button: YU-MP3.COM Account Login - {ECC5777A-6E88-BFCE-13CE-81F134789E7B} - D:\Programmen Files\Authorization\YuMp3ComLogin.exe
O9 - Extra 'Tools' menuitem: &YU-MP3.COM User Login - {ECC5777A-6E88-BFCE-13CE-81F134789E7B} - D:\Programmen Files\Authorization\YuMp3ComLogin.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0D41B8C5-2599-4893-8183-00195EC8D5F9} (asusTek_sysctrl Class) - support.asus.com/common/asusTek_sys_ctrl.cab
O20 - Winlogon Notify: winwly32 - C:\WINDOWS\SYSTEM32\winwly32.dll
O23 - Service: Forceware Web Interface (ForcewareWebInterface) - Unknown owner - C:\NVIDIA\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe" -k runservice (file missing)
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: ForceWare IP service (nSvcIp) - Unknown owner - C:\NVIDIA\NetworkAccessManager\bin\nSvcIp.exe (file missing)
O23 - Service: ForceWare user log service (nSvcLog) - Unknown owner - C:\NVIDIA\NetworkAccessManager\bin\nSvcLog.exe (file missing)
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

Update: 05 Dec 2006 21:30

1) Daemon asked me to install some toolbar of its own, and when it installed, a NOD32 window popped up with an infection warning. I clicked Terminate but obviously it didn't help...

2) I only have system.drv, I don't have system.dll; 888 was probably bundled with that ismini or ishost

3) ismini and ishost disappeared when I did Fix Checked

4) I enabled this cidaemon.exe myself, when I turned on the Indexing Service for the C and D partitions

Should I delete winwly32.dll, and from Safe Mode or Normal???

Update: 05 Dec 2006 21:33

No idea where Morpheus came from:
"O4 - Global Startup: Morpheus.lnk = C:\Program Files\Morpheus\Morpheus.exe"

  • DEMIAN
  • Legendary citizen
  • IT Manager
  • Joined: 25 Mar 2005
  • Posts: 3706
  • Location: The darkest place on earth..

I don't know either where that Morpheus P2P came from again.. It's a real mystery. We'll see what to do next once I consult with bobby..

Can I ask you something, but you answer me honestly?

Second log with SF

Quote: Scan done at 20:16:08.21, Tue 12/05/2006
Run from C:\Documents and Settings\Nemanja\My Documents\My Completed Downloads\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in safe mode


First log with SF

Quote: Scan done at 23:18:59,43, pon 04.12.2006
Run from C:\Documents and Settings\Nemanja\My Documents\My Completed Downloads\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in safe mode


Did you edit the logs when you posted them here?

  • potex
  • New MyCity citizen
  • Joined: 10 Sep 2006
  • Posts: 23
  • Location: Belgrade

I don't see any difference except the date format; I didn't edit anything. When it gives me the log I select all, then Copy, then Paste here.

  • DEMIAN
  • Legendary citizen
  • IT Manager
  • Joined: 25 Mar 2005
  • Posts: 3706
  • Location: The darkest place on earth..

It seems we misunderstood each other, and I'd ask you to read me carefully, because we could have solved this earlier if you had listened to me and disabled all unnecessary programs and their "real time" protection.

AdWatch didn't let us edit the registry. Here are instructions on how to disable it.

AdWatch

Start AdAware SE.
Click AdWatch.
Click Tools and Preferences.
Uncheck Active and Automatic.


You'll turn these options back on when we finish the cleanup.

Now let's go nice and slow and stay in step. OK?

(I assume that now, before cleaning, you've enabled the options for viewing hidden files and extensions as I described above..)

1.) You've disabled AdWatch

2.) Find all the HijackThis lines I've listed here so far, check them and press "Fix Checked"
(I already explained how to use the program above)

3.) Restart the computer and now enter Safe Mode.

4.) Find and delete this file if HijackThis didn't delete it.

C:\WINDOWS\SYSTEM32\winwly32.dll

You might also need the KillBox program for that if it can't be deleted any other way.
Download it from here to delete "C:\WINDOWS\SYSTEM32\winwly32.dll"

You need to select the option Delete on reboot and enter the full path to the file in the "Full Path of File to Delete" field.

5.) Look for these files too and delete them if you find them:

C:\WINDOWS\system32\ishost.exe
C:\WINDOWS\system32\ismini.exe
C:\Program Files\Common Files\{38A5D4BA-0647-2074-0216-06031401017d}\ (i.e. the whole folder)


6.) Reboot the computer and boot the system normally.

Close all unnecessary programs and make a new HijackThis log (with the program's name changed) and then post the log here for us to continue.

  • potex
  • New MyCity citizen
  • Joined: 10 Sep 2006
  • Posts: 23
  • Location: Belgrade

Here's the HJ log, I think we've finally gotten rid of them (knock on wood, don't want to jinx it). I didn't delete the keys, hehe... then I scanned and deleted them with CCleaner, and that's it, here's the log now:

Logfile of HijackThis v1.99.1
Scan saved at 21:49:17, on 6.12.2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Eset\nod32kui.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Nemanja\Desktop\Skeniranje\skeniranje.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = multimedia-search.com/
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [D_V_T] C:\\dvt.exe /S \C:\\d_v_t.reg\
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [DownloadAccelerator] "C:\Program Files\DAP\DAP.EXE" /STARTUP
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &Clean Traces - C:\Program Files\DAP\Privacy Package\dapcleanerie.htm
O8 - Extra context menu item: &Download with &DAP - C:\Program Files\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - C:\Program Files\DAP\dapextie2.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Trace - {04849C74-016E-4a43-8AA5-1F01DE57F4A1} - C:\Program Files\VisualRoute\vrie.dll
O9 - Extra 'Tools' menuitem: VisualRoute Trace - {04849C74-016E-4a43-8AA5-1F01DE57F4A1} - C:\Program Files\VisualRoute\vrie.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra button: YU-MP3.COM Account Login - {ECC5777A-6E88-BFCE-13CE-81F134789E7B} - D:\Programmen Files\Authorization\YuMp3ComLogin.exe
O9 - Extra 'Tools' menuitem: &YU-MP3.COM User Login - {ECC5777A-6E88-BFCE-13CE-81F134789E7B} - D:\Programmen Files\Authorization\YuMp3ComLogin.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0D41B8C5-2599-4893-8183-00195EC8D5F9} (asusTek_sysctrl Class) - support.asus.com/common/asusTek_sys_ctrl.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{1DCB6E5E-FEDD-43E9-BDB1-1FC4110DDC08}: NameServer = 194.247.192.33 194.247.192.1
O17 - HKLM\System\CS4\Services\Tcpip\..\{1DCB6E5E-FEDD-43E9-BDB1-1FC4110DDC08}: NameServer = 194.247.192.33 194.247.192.1
O20 - Winlogon Notify: winwly32 - winwly32.dll (file missing)
O23 - Service: Forceware Web Interface (ForcewareWebInterface) - Unknown owner - C:\NVIDIA\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe" -k runservice (file missing)
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: ForceWare IP service (nSvcIp) - Unknown owner - C:\NVIDIA\NetworkAccessManager\bin\nSvcIp.exe (file missing)
O23 - Service: ForceWare user log service (nSvcLog) - Unknown owner - C:\NVIDIA\NetworkAccessManager\bin\nSvcLog.exe (file missing)
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
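As an added example that is not part of this thread: a small Python script that parses a HijackThis 1.99 log, flags the kinds of lines the helpers called out above (the O20 Winlogon Notify DLL, the WhenU Run keys, the Update.exe process living in a GUID-named Common Files folder, services whose binary is missing) and diffs the 5 Dec and 6 Dec logs to show what the cleanup removed and what appeared since. The sample logs are abridged copies of the logs posted in the thread; the "suspect" rules are this example's own heuristics, modelled on the advice given here, not HijackThis's own detection logic.

```python
# Added example, not from the thread: triage a HijackThis 1.99 log and diff two
# logs. The rules are this example's own heuristics, not HijackThis's logic.
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass(frozen=True)
class Entry:
    section: str  # "R0", "O4", "O20", "O23", ...
    body: str     # everything after "Oxx - "

ENTRY_RE = re.compile(r"^(?P<sec>R\d|F\d|O\d{1,2}) - (?P<body>.+)$")
# matches e.g. ...\Common Files\{38A5D4BA-0647-2074-0216-06031401017d}\Update.exe
GUID_DIR_RE = re.compile(r"\\common files\\\{[0-9a-f-]{36}\}\\", re.I)
ADWARE_MARKERS = ("whenu", "888bar", "888toolbar")  # families named in the thread

def parse_hjt(text: str) -> Tuple[List[str], List[Entry]]:
    """Return (running_processes, entries) from a HijackThis 1.99 log."""
    processes, entries = [], []
    in_procs = False
    for raw in text.splitlines():
        line = raw.strip()
        if line == "Running processes:":
            in_procs = True
            continue
        m = ENTRY_RE.match(line)
        if m:
            in_procs = False
            entries.append(Entry(m["sec"], m["body"]))
        elif in_procs and re.match(r"^[A-Za-z]:\\", line):
            processes.append(line)
    return processes, entries

def triage_process(path: str) -> Optional[str]:
    """Reason a running process deserves a look, or None."""
    if GUID_DIR_RE.search(path):
        return "running from a GUID-named Common Files folder"
    return None

def triage_entry(e: Entry) -> Optional[str]:
    """Reason a log entry deserves a look, or None."""
    low = e.body.lower()
    if e.section == "O20" and low.startswith("winlogon notify:"):
        if "(file missing)" in low:
            return "orphaned Winlogon Notify key: DLL gone, fix the registry entry"
        return "Winlogon Notify DLL loads into winlogon.exe at logon: verify it"
    if e.section == "O4":
        if any(marker in low for marker in ADWARE_MARKERS):
            return "Run key for adware named in the thread (WhenU/888)"
        if GUID_DIR_RE.search(e.body):
            return "Run key pointing into a GUID-named Common Files folder"
    if e.section == "O23" and "(file missing)" in low:
        return "service registered but its binary is missing"
    if e.section in ("R0", "R1") and "start page" in low:
        return "home page setting: confirm the user chose it"
    return None

def triage(text: str) -> List[Tuple[str, str]]:
    """(item, reason) pairs for everything worth a second look, in log order."""
    processes, entries = parse_hjt(text)
    found = []
    for p in processes:
        reason = triage_process(p)
        if reason:
            found.append((p, reason))
    for e in entries:
        reason = triage_entry(e)
        if reason:
            found.append((f"{e.section} - {e.body}", reason))
    return found

def diff_entries(before: str, after: str) -> Tuple[List[str], List[str]]:
    """Entries the cleanup removed, and entries that appeared since."""
    old = {f"{e.section} - {e.body}" for e in parse_hjt(before)[1]}
    new = {f"{e.section} - {e.body}" for e in parse_hjt(after)[1]}
    return sorted(old - new), sorted(new - old)

# Abridged copies of the 5 Dec and 6 Dec logs posted in this thread.
BEFORE_LOG = r"""Running processes:
C:\WINDOWS\system32\winlogon.exe
C:\Program Files\Common Files\{38A5D4BA-0647-2074-0216-06031401017d}\Update.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = multimedia-search.com/
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [DaemonTools_WhenUSave_Installer] C:\Program Files\DaemonTools_WhenUSave_Installer\DaemonTools_WhenUSave_Installer.exe
O4 - HKLM\..\Run: [WhenUSearch] "C:\Program Files\WhenUSearch\Search.exe"
O20 - Winlogon Notify: winwly32 - C:\WINDOWS\SYSTEM32\winwly32.dll
O23 - Service: Forceware Web Interface (ForcewareWebInterface) - Unknown owner - C:\NVIDIA\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe" -k runservice (file missing)
"""
AFTER_LOG = r"""Running processes:
C:\WINDOWS\system32\winlogon.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = multimedia-search.com/
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O20 - Winlogon Notify: winwly32 - winwly32.dll (file missing)
O23 - Service: Forceware Web Interface (ForcewareWebInterface) - Unknown owner - C:\NVIDIA\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe" -k runservice (file missing)
"""

if __name__ == "__main__":
    for item, reason in triage(BEFORE_LOG):
        print(f"{reason}\n    {item}")
    print(diff_entries(BEFORE_LOG, AFTER_LOG))
```

Run it as a script to print the findings. Note two design choices that match the advice in the thread: the home-page R0 line is reported only for confirmation, not as malware, since the user set it himself; and an O20 entry marked "(file missing)" is still flagged, because the DLL being gone leaves an orphaned Winlogon Notify registry key behind, which is exactly the leftover line the 6 Dec log shows and the next reply asks to fix.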

  • Joined: 04 Sep 2003
  • Posts: 24130
  • Location: Wien

Scan again with HJT and check the following line:
O20 - Winlogon Notify: winwly32 - winwly32.dll (file missing)

After that click Fix Checked.

btw. What happened to your nVidia drivers? Did you uninstall them?

  • potex
  • New MyCity citizen
  • Joined: 10 Sep 2006
  • Posts: 23
  • Location: Belgrade

I haven't touched the drivers, everything works OK, and I installed this Steam, here's the HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 22:23:55, on 7.12.2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Eset\nod32kui.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Nemanja\Desktop\Skeniranje\skeniranje.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = multimedia-search.com/
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [D_V_T] C:\\dvt.exe /S \C:\\d_v_t.reg\
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [DownloadAccelerator] "C:\Program Files\DAP\DAP.EXE" /STARTUP
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Steam] "C:\Program Files\Steam\Steam.exe" -silent
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &Clean Traces - C:\Program Files\DAP\Privacy Package\dapcleanerie.htm
O8 - Extra context menu item: &Download with &DAP - C:\Program Files\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - C:\Program Files\DAP\dapextie2.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Trace - {04849C74-016E-4a43-8AA5-1F01DE57F4A1} - C:\Program Files\VisualRoute\vrie.dll
O9 - Extra 'Tools' menuitem: VisualRoute Trace - {04849C74-016E-4a43-8AA5-1F01DE57F4A1} - C:\Program Files\VisualRoute\vrie.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra button: YU-MP3.COM Account Login - {ECC5777A-6E88-BFCE-13CE-81F134789E7B} - D:\Programmen Files\Authorization\YuMp3ComLogin.exe
O9 - Extra 'Tools' menuitem: &YU-MP3.COM User Login - {ECC5777A-6E88-BFCE-13CE-81F134789E7B} - D:\Programmen Files\Authorization\YuMp3ComLogin.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0D41B8C5-2599-4893-8183-00195EC8D5F9} (asusTek_sysctrl Class) - support.asus.com/common/asusTek_sys_ctrl.cab
O23 - Service: Forceware Web Interface (ForcewareWebInterface) - Unknown owner - C:\NVIDIA\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe" -k runservice (file missing)
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: ForceWare IP service (nSvcIp) - Unknown owner - C:\NVIDIA\NetworkAccessManager\bin\nSvcIp.exe (file missing)
O23 - Service: ForceWare user log service (nSvcLog) - Unknown owner - C:\NVIDIA\NetworkAccessManager\bin\nSvcLog.exe (file missing)
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

  • Joined: 04 Sep 2003
  • Posts: 24130
  • Location: Wien

I'd say everything is OK, except that cr*ck for NOD32 (D_V_T) is an eyesore :)
