Trojan


offline
  • Dom 
  • New MyCity citizen
  • Joined: 29 Jan 2007
  • Posts: 17

I have F-Secure installed, and every hour it reports that I have a virus, namely trojan-downloader.swizzor.dv. The message appears exactly at 8:00, 9:00, ... and so on. If I set the computer's clock to, e.g., 7:59, a minute later it reports that the virus I mentioned has appeared. Then it suggests that I delete it, and it does so successfully, but an hour later the same thing happens. It also gives me the path where the file is located, which is some temp folder, but that does not mean much because I don't know where it is generated from. If I choose disinfection, when the antivirus accesses that file it changes its name, that is, its extension. It becomes some oxe file, whereas before it was exe. If I delete that extension and restore the old one, I again get the message that a virus was found. Since I can use the clock to know exactly when it will appear, I watched Task Manager and saw that at the moment this "virus file" is created, iexplorer.exe is running. Also, when there is no internet connection, there is no message about the virus either.

offline
  • Cigarette Smoking Man
  • Joined: 14 Feb 2005
  • Posts: 9113
  • Location: Beograd

Hello, read this topic: http://www.mycity.rs/Ambulanta/Procitati-pre-otvaranja-teme.html and post a HijackThis log for us...

offline
  • Dom 
  • New MyCity citizen
  • Joined: 29 Jan 2007
  • Posts: 17

Logfile of HijackThis v1.99.1
Scan saved at 5:00:10 PM, on 1/29/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\Program Files\Power Manager\PM.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Common Files\PCSuite\DataLayer\DataLayer.exe
C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe
C:\Program Files\F-Secure\Common\FSM32.EXE
C:\PROGRA~1\COMMON~1\PCSuite\Services\SERVIC~1.EXE
C:\Program Files\Apoint2K\Apntex.exe
C:\PROGRA~1\F-Secure\BackWeb\7681197\Program\SERVIC~1.EXE
C:\Program Files\F-Secure\Anti-Virus\fsgk32st.exe
C:\Program Files\F-Secure\BackWeb\7681197\program\fsbwsys.exe
C:\Program Files\F-Secure\Anti-Virus\FSGK32.EXE
C:\Program Files\F-Secure\Common\FSMA32.EXE
C:\Program Files\F-Secure\Anti-Virus\fssm32.exe
C:\Program Files\InterBase Corp\InterBase\bin\ibguard.exe
C:\Program Files\F-Secure\Common\FSMB32.EXE
C:\WINDOWS\system32\r_server.exe
C:\Program Files\F-Secure\Common\FCH32.EXE
C:\WINDOWS\system32\flcss.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\F-Secure\BackWeb\7681197\Program\F-Secure Automatic Update.exe
C:\Program Files\F-Secure\Common\FAMEH32.EXE
C:\Program Files\F-Secure\Anti-Virus\fsqh.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\F-Secure\Anti-Virus\fsrw.exe
C:\PROGRA~1\INCRED~1\bin\IMApp.exe
C:\Program Files\InterBase Corp\InterBase\bin\ibserver.exe
C:\Program Files\F-Secure\Common\FNRB32.EXE
C:\Program Files\F-Secure\FWES\Program\fsdfwd.exe
C:\Program Files\F-Secure\Common\FIH32.EXE
C:\Program Files\F-Secure\Anti-Virus\fsav32.exe
C:\WINDOWS\system32\wscntfy.exe
C:\PROGRA~1\F-Secure\ANTI-S~1\fsaw.exe
C:\Program Files\F-Secure\FSGUI\fsguidll.exe
C:\WINDOWS\system32\ntvdm.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Vlado\Desktop\New Folder\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [PowerManager] C:\Program Files\Power Manager\PM.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [DataLayer] C:\Program Files\Common Files\PCSuite\DataLayer\DataLayer.exe
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -onlytray
O4 - HKLM\..\Run: [SIZE DEBUG BALM BOLD] C:\Documents and Settings\All Users\Application Data\Hecksendsizedebug\Showowns.exe
O4 - HKLM\..\Run: [F-Secure Manager] "C:\Program Files\F-Secure\Common\FSM32.EXE" /splash
O4 - HKLM\..\Run: [F-Secure TNB] "C:\Program Files\F-Secure\TNB\TNBUtil.exe" /CHECKALL /WAITFORSW
O4 - HKLM\..\Run: [F-Secure Anti-FunLove] C:\WINDOWS\system32\flcss.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Close chic] C:\DOCUME~1\Vlado\APPLIC~1\JUGSFO~1\iso thunk.exe
O4 - HKCU\..\Run: [IncrediMail] C:\PROGRA~1\INCRED~1\bin\IncMail.exe /c
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: F-Secure Automatic Update.lnk = C:\Program Files\F-Secure\BackWeb\7681197\program\F-Secure Automatic Update.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &Block this popup - C:\Program Files\F-Secure\Anti-Spyware\blockpopups.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: IE Shield - {300DB664-75B5-47c0-8B45-A44ACCF73C00} - C:\Program Files\F-Secure\Anti-Spyware\ieshield.dll
O9 - Extra 'Tools' menuitem: IE Shield... - {300DB664-75B5-47c0-8B45-A44ACCF73C00} - C:\Program Files\F-Secure\Anti-Spyware\ieshield.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\program files\f-secure\fsps\program\fslsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\f-secure\fsps\program\fslsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\f-secure\fsps\program\fslsp.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{05993644-1748-4F70-9071-7C71D4BACC2E}: NameServer = 172.16.1.5,172.16.1.15
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: F-Secure Automatic Update (BackWeb Plug-in - 7681197) - F-Secure Automatic Update - C:\PROGRA~1\F-Secure\BackWeb\7681197\Program\SERVIC~1.EXE
O23 - Service: FSGKHS (F-Secure Gatekeeper Handler Starter) - F-Secure Corp. - C:\Program Files\F-Secure\Anti-Virus\fsgk32st.exe
O23 - Service: F-Secure Network Request Broker - F-Secure Corporation - C:\Program Files\F-Secure\Common\FNRB32.EXE
O23 - Service: fsbwsys - F-Secure Corp. - C:\Program Files\F-Secure\BackWeb\7681197\program\fsbwsys.exe
O23 - Service: F-Secure Anti-Virus Firewall Daemon (FSDFWD) - F-Secure Corporation - C:\Program Files\F-Secure\FWES\Program\fsdfwd.exe
O23 - Service: F-Secure Management Agent (FSMA) - F-Secure Corporation - C:\Program Files\F-Secure\Common\FSMA32.EXE
O23 - Service: InterBase Guardian (InterBaseGuardian) - InterBase Software Corp. - C:\Program Files\InterBase Corp\InterBase\bin\ibguard.exe
O23 - Service: InterBase Server (InterBaseServer) - InterBase Software Corp. - C:\Program Files\InterBase Corp\InterBase\bin\ibserver.exe
O23 - Service: Remote Administrator Service (r_server) - Unknown owner - C:\WINDOWS\system32\r_server.exe" /service (file missing)

Addendum: 29 Jan 2007 14:55

This is after the virus message appears. I apologize for not reading the instructions right away.

offline
  • Joined: 04 Sep 2003
  • Posts: 24135
  • Location: Wien

Until rapha shows up with further instructions, I would ask you to pack the following files into one ZIP and upload them for analysis.
Upload link:
http://www.mycity.rs/ambulanta-upload.php

Files that look suspicious to us:

C:\WINDOWS\system32\r_server.exe
C:\Documents and Settings\All Users\Application Data\Hecksendsizedebug\Showowns.exe
C:\DOCUME~1\Vlado\APPLIC~1\JUGSFO~1\iso thunk.exe

For the last one, the folder names are given in short form, while in Explorer you will see the names in long form. I hope it won't be hard for you to find the "long names" of those folders.
Example:
DOCUME~1 is actually Documents and Settings
APPLIC~1 is Application Data
I can't guess the last abbreviation offhand, but I think you will easily recognize the folder name from the few letters visible here (JUGSFO~1).

offline
  • Dom 
  • New MyCity citizen
  • Joined: 29 Jan 2007
  • Posts: 17

I uploaded 2 of the 3 files you asked for. I could not find the second one,
C:\Documents and Settings\All Users\Application Data\Hecksendsizedebug\Showowns.exe.
The folder Hecksendsizedebug exists, but not the file Showowns.exe, not even when I have the virus message.

Addendum: 30 Jan 2007 9:23

Oh, and thanks in advance for the effort, even if you don't solve the problem.

offline
  • Joined: 04 Sep 2003
  • Posts: 24135
  • Location: Wien

Is there any file at all in the Hecksendsizedebug folder?

offline
  • Dom 
  • New MyCity citizen
  • Joined: 29 Jan 2007
  • Posts: 17

No, not a single one.

offline
  • Joined: 04 Sep 2003
  • Posts: 24135
  • Location: Wien

Download the program NoLop:
http://www.thespykiller.co.uk/forum/index.php?action=tpmod;dl=item16
(you need to scroll down a little, since HJT comes first, then an ad, then NoLop)


Close all other programs that are running in the "background"
Double-click NoLop.exe
Click Search and Destroy
When the scan is finished, if you are infected, it will ask you to restart the computer
Click REBOOT
A NoLop pop-up message should appear; if not, double-click NoLop.exe again so that the cleanup is completed
After that, post the contents of C:\NoLop.log and a fresh HijackThis log


Note: If an error appears saying that mscomctl.ocx or some of the files are not registered correctly, download this file to your system32 folder and then run the program:

http://www.boletrice.com/downloads/mscomctl.ocx

Now the following folders need to be deleted completely:

C:\Documents and Settings\All Users\Application Data\Hecksendsizedebug\
C:\DOCUME~1\Vlado\APPLIC~1\JUGSFO~1\

Open Task Manager, Processes tab, and kill the process r_server.exe
After that, delete the file C:\WINDOWS\system32\r_server.exe from the disk

This last file is a Remote Administrator tool that gives another person control over your computer as if they were sitting in front of it. If you installed that program yourself so that someone could assist you with some work, then do not delete the file C:\WINDOWS\system32\r_server.exe.

offline
  • Dom 
  • New MyCity citizen
  • Joined: 29 Jan 2007
  • Posts: 17

The problem is solved. Thanks a lot. Here are the logs.

NoLop! Log by Skate_Punk_21

Fix running from: C:\Documents and Settings\Vlado\Desktop
[1/30/2007]
[2:52:55 PM]

---Infection Files Found/Removed---
C:\WINDOWS\tasks\AA5C33C99163A569.job

Beginning Removal...
Rebooting...
Removing Lop's Leftover Files/Folders...
Editing Registry...
**Fix Complete!**

---Listing AppData sub directories---

C:\Documents and Settings\All Users\Application Data\Adobe
C:\Documents and Settings\All Users\Application Data\Ahead
C:\Documents and Settings\All Users\Application Data\Avg7
C:\Documents and Settings\All Users\Application Data\F-secure
C:\Documents and Settings\All Users\Application Data\Google
C:\Documents and Settings\All Users\Application Data\Microsoft
C:\Documents and Settings\All Users\Application Data\Sbsi
C:\Documents and Settings\All Users\Application Data\Winzip -- EMPTY Directory
C:\Documents and Settings\Default User\Application Data\Identities
C:\Documents and Settings\Default User\Application Data\Microsoft
C:\Documents and Settings\Gordana\Application Data\Datalayer
C:\Documents and Settings\Gordana\Application Data\Identities
C:\Documents and Settings\Gordana\Application Data\Microsoft
C:\Documents and Settings\Gordana\Application Data\Nokia
C:\Documents and Settings\Gordana\Application Data\Nokia Multimedia Player
C:\Documents and Settings\Gordana\Application Data\Pc Suite
C:\Documents and Settings\Localservice\Application Data\Avg7 -- EMPTY Directory
C:\Documents and Settings\Localservice\Application Data\Microsoft
C:\Documents and Settings\Mila\Application Data\Adobe
C:\Documents and Settings\Mila\Application Data\Adobeum -- EMPTY Directory
C:\Documents and Settings\Mila\Application Data\Identities
C:\Documents and Settings\Mila\Application Data\Microsoft
C:\Documents and Settings\Mila\Application Data\Pc Suite
C:\Documents and Settings\Mila\Application Data\Template
C:\Documents and Settings\Networkservice\Application Data\Microsoft
C:\Documents and Settings\Sveto\Application Data\Adobe
C:\Documents and Settings\Sveto\Application Data\Identities
C:\Documents and Settings\Sveto\Application Data\Intervideo
C:\Documents and Settings\Sveto\Application Data\Macromedia
C:\Documents and Settings\Sveto\Application Data\Microsoft
C:\Documents and Settings\Sveto\Application Data\Pc Suite
C:\Documents and Settings\Vlado\Application Data\Adobe
C:\Documents and Settings\Vlado\Application Data\Adobeum -- EMPTY Directory
C:\Documents and Settings\Vlado\Application Data\Avg7
C:\Documents and Settings\Vlado\Application Data\F-secure
C:\Documents and Settings\Vlado\Application Data\Google
C:\Documents and Settings\Vlado\Application Data\Help -- EMPTY Directory
C:\Documents and Settings\Vlado\Application Data\Identities
C:\Documents and Settings\Vlado\Application Data\Idmcomp
C:\Documents and Settings\Vlado\Application Data\Macromedia
C:\Documents and Settings\Vlado\Application Data\Microsoft
C:\Documents and Settings\Vlado\Application Data\Microsoft Web Folders -- EMPTY Directory
C:\Documents and Settings\Vlado\Application Data\Nokia Multimedia Player
C:\Documents and Settings\Vlado\Application Data\Pc Suite
C:\Documents and Settings\Vlado\Application Data\Publish Providers -- EMPTY Directory
C:\Documents and Settings\Vlado\Application Data\Sony




Logfile of HijackThis v1.99.1
Scan saved at 3:15:38 PM, on 1/30/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\Program Files\Power Manager\PM.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Common Files\PCSuite\DataLayer\DataLayer.exe
C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe
C:\Program Files\F-Secure\Common\FSM32.EXE
C:\WINDOWS\system32\flcss.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\PROGRA~1\COMMON~1\PCSuite\Services\SERVIC~1.EXE
C:\PROGRA~1\INCRED~1\bin\IMApp.exe
C:\PROGRA~1\F-Secure\BackWeb\7681197\Program\SERVIC~1.EXE
C:\Program Files\F-Secure\Anti-Virus\fsgk32st.exe
C:\Program Files\F-Secure\BackWeb\7681197\program\fsbwsys.exe
C:\Program Files\F-Secure\Anti-Virus\FSGK32.EXE
C:\Program Files\F-Secure\Common\FSMA32.EXE
C:\Program Files\F-Secure\Anti-Virus\fssm32.exe
C:\Program Files\InterBase Corp\InterBase\bin\ibguard.exe
C:\Program Files\F-Secure\Common\FSMB32.EXE
C:\WINDOWS\system32\r_server.exe
C:\Program Files\F-Secure\Common\FCH32.EXE
C:\Program Files\F-Secure\BackWeb\7681197\Program\F-Secure Automatic Update.exe
C:\Program Files\F-Secure\Common\FAMEH32.EXE
C:\Program Files\F-Secure\Anti-Virus\fsqh.exe
C:\Program Files\F-Secure\Anti-Virus\fsrw.exe
C:\Program Files\InterBase Corp\InterBase\bin\ibserver.exe
C:\Program Files\F-Secure\Common\FNRB32.EXE
C:\Program Files\F-Secure\FWES\Program\fsdfwd.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\F-Secure\Common\FIH32.EXE
C:\Program Files\F-Secure\Anti-Virus\fsav32.exe
C:\PROGRA~1\F-Secure\ANTI-S~1\fsaw.exe
C:\Program Files\F-Secure\FSGUI\fsguidll.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Vlado\Desktop\New Folder\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [PowerManager] C:\Program Files\Power Manager\PM.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [DataLayer] C:\Program Files\Common Files\PCSuite\DataLayer\DataLayer.exe
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -onlytray
O4 - HKLM\..\Run: [SIZE DEBUG BALM BOLD] C:\Documents and Settings\All Users\Application Data\Hecksendsizedebug\Showowns.exe
O4 - HKLM\..\Run: [F-Secure Manager] "C:\Program Files\F-Secure\Common\FSM32.EXE" /splash
O4 - HKLM\..\Run: [F-Secure TNB] "C:\Program Files\F-Secure\TNB\TNBUtil.exe" /CHECKALL /WAITFORSW
O4 - HKLM\..\Run: [F-Secure Anti-FunLove] C:\WINDOWS\system32\flcss.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Close chic] C:\DOCUME~1\Vlado\APPLIC~1\JUGSFO~1\iso thunk.exe
O4 - HKCU\..\Run: [IncrediMail] C:\PROGRA~1\INCRED~1\bin\IncMail.exe /c
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: F-Secure Automatic Update.lnk = C:\Program Files\F-Secure\BackWeb\7681197\program\F-Secure Automatic Update.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: NoLop.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &Block this popup - C:\Program Files\F-Secure\Anti-Spyware\blockpopups.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: IE Shield - {300DB664-75B5-47c0-8B45-A44ACCF73C00} - C:\Program Files\F-Secure\Anti-Spyware\ieshield.dll
O9 - Extra 'Tools' menuitem: IE Shield... - {300DB664-75B5-47c0-8B45-A44ACCF73C00} - C:\Program Files\F-Secure\Anti-Spyware\ieshield.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\program files\f-secure\fsps\program\fslsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\f-secure\fsps\program\fslsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\f-secure\fsps\program\fslsp.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{05993644-1748-4F70-9071-7C71D4BACC2E}: NameServer = 172.16.1.5,172.16.1.15
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: F-Secure Automatic Update (BackWeb Plug-in - 7681197) - F-Secure Automatic Update - C:\PROGRA~1\F-Secure\BackWeb\7681197\Program\SERVIC~1.EXE
O23 - Service: FSGKHS (F-Secure Gatekeeper Handler Starter) - F-Secure Corp. - C:\Program Files\F-Secure\Anti-Virus\fsgk32st.exe
O23 - Service: F-Secure Network Request Broker - F-Secure Corporation - C:\Program Files\F-Secure\Common\FNRB32.EXE
O23 - Service: fsbwsys - F-Secure Corp. - C:\Program Files\F-Secure\BackWeb\7681197\program\fsbwsys.exe
O23 - Service: F-Secure Anti-Virus Firewall Daemon (FSDFWD) - F-Secure Corporation - C:\Program Files\F-Secure\FWES\Program\fsdfwd.exe
O23 - Service: F-Secure Management Agent (FSMA) - F-Secure Corporation - C:\Program Files\F-Secure\Common\FSMA32.EXE
O23 - Service: InterBase Guardian (InterBaseGuardian) - InterBase Software Corp. - C:\Program Files\InterBase Corp\InterBase\bin\ibguard.exe
O23 - Service: InterBase Server (InterBaseServer) - InterBase Software Corp. - C:\Program Files\InterBase Corp\InterBase\bin\ibserver.exe
O23 - Service: Remote Administrator Service (r_server) - Unknown owner - C:\WINDOWS\system32\r_server.exe" /service (file missing)

offline
  • Joined: 04 Sep 2003
  • Posts: 24135
  • Location: Wien

The HJT log shows that those folders are still present.
I mean the folders I told you to delete.
The same goes for the file r_server.exe - it was not killed from Task Manager and is still active.

If you are sure you deleted them, then restart the computer and post a new HJT log.

03 Feb 2007 16:00 bobby Topic locked. Reason: Contact us by PM if the topic needs to be unlocked
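
The comparison made by eye in the last reply (are the flagged folders and r_server.exe still listed in the new log?) can be scripted. The Python below is an added example, not part of the original thread; the function names are hypothetical, and the sample text is an excerpt of the second HijackThis log posted above.

```python
import re

# Excerpt of the second HijackThis log posted in this thread (after the NoLop run).
SECOND_LOG = r"""Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\r_server.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE

O4 - HKLM\..\Run: [SIZE DEBUG BALM BOLD] C:\Documents and Settings\All Users\Application Data\Hecksendsizedebug\Showowns.exe
O4 - HKLM\..\Run: [F-Secure Manager] "C:\Program Files\F-Secure\Common\FSM32.EXE" /splash
O4 - HKCU\..\Run: [Close chic] C:\DOCUME~1\Vlado\APPLIC~1\JUGSFO~1\iso thunk.exe
O4 - HKCU\..\Run: [IncrediMail] C:\PROGRA~1\INCRED~1\bin\IncMail.exe /c
"""

# Folders and file the helper asked to remove, written the way the log writes them
# (8.3 short names are compared literally, not expanded).
FLAGGED = [
    r"C:\Documents and Settings\All Users\Application Data\Hecksendsizedebug",
    r"C:\DOCUME~1\Vlado\APPLIC~1\JUGSFO~1",
    r"C:\WINDOWS\system32\r_server.exe",
]

RUN_RE = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\Run: \[(.+?)\] (.+)$")


def norm(path):
    """Lower-case a path and drop surrounding quotes and a trailing backslash."""
    return path.strip().strip('"').rstrip("\\").lower()


def under(path, key):
    """True if path is key itself or lies below it (key is already normalised)."""
    p = norm(path)
    return p.startswith(key) and p[len(key):len(key) + 1] in ("", "\\", " ", '"')


def parse_hjt(text):
    """Return (running processes, [(hive, value name, command)]) from a log."""
    processes, autoruns, in_procs = [], [], False
    for line in text.splitlines():
        line = line.strip()
        if line == "Running processes:":
            in_procs = True
        elif in_procs and not line:
            in_procs = False  # a blank line ends the process list
        elif in_procs:
            processes.append(line)
        elif (m := RUN_RE.match(line)):
            autoruns.append(m.groups())
    return processes, autoruns


def still_present(text, flagged):
    """List (flagged item, where it was seen, log text) for every remaining hit."""
    processes, autoruns = parse_hjt(text)
    findings = []
    for item in flagged:
        key = norm(item)
        findings += [(item, "running process", p) for p in processes if under(p, key)]
        findings += [(item, f"{hive} Run [{name}]", cmd)
                     for hive, name, cmd in autoruns if under(cmd, key)]
    return findings


if __name__ == "__main__":
    for item, where, text in still_present(SECOND_LOG, FLAGGED):
        print(f"STILL PRESENT: {item}\n    {where}: {text}")
```

A hit under a Run key means the startup entry is still listed in the log; a hit under running processes means the executable was active when the scan was saved.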