Win32/Adware.Virtumonde BQ application

  • Joined: 24 Mar 2004
  • Posts: 646

Hello everyone,
My computer has frozen up completely, Explorer barely opens and NOD is about to burst into tears. It can't clean this virus at all! It seems to be multiplying.
I have ADSL at 256.
I'm attaching the HijackThis log.
Thanks in advance.


Logfile of HijackThis v1.99.1
Scan saved at 23:34:12, on 16.4.2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb06.exe
C:\Program Files\Eset\nod32kui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\BitTorrent\bittorrent.exe
C:\Program Files\ISS\BlackICE\blackice.exe
C:\Program Files\ISS\BlackICE\blackd.exe
C:\Program Files\Executive Software\Diskeeper\DkService.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\CyberLink\Shared files\RichVideo.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Opera\Opera.exe
C:\WINDOWS\explorer.exe
D:\Programi\Programi\Antivirus\Ciscenje virusa\HijackThis\MM5.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {67C55A8D-E808-4caa-9EA7-F77102DE0BB6} - (no file)
O2 - BHO: (no name) - {68218620-3D65-43F6-AD47-D38D84B5412A} - C:\WINDOWS\system32\pmnnkif.dll
O2 - BHO: (no name) - {9B396081-19F9-4E88-BD1D-C023328DF5B2} - C:\WINDOWS\system32\vtsts.dll
O3 - Toolbar: &Save Flash - {4064EA35-578D-4073-A834-C96D82CBCF40} - C:\Program Files\Save Flash\SaveFlash.dll
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb06.exe
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [DiskeeperSystray] "C:\Program Files\Executive Software\Diskeeper\DkIcon.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BitTorrent] "C:\Program Files\BitTorrent\bittorrent.exe" --force_start_minimized
O4 - Global Startup: BlackICE PC Protection.lnk = C:\Program Files\ISS\BlackICE\blackice.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Flash - {43CF38F3-5AEC-45a3-AD31-04EB06E9C6CA} - C:\Program Files\Save Flash\Flash Saving Plugin\FlashSButton.dll (HKCU)
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5C.....8527328375
O20 - Winlogon Notify: pmnnkif - C:\WINDOWS\SYSTEM32\pmnnkif.dll
O20 - Winlogon Notify: vtsts - C:\WINDOWS\system32\vtsts.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: BlackICE - Internet Security Systems, Inc. - C:\Program Files\ISS\BlackICE\blackd.exe
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\Diskeeper\DkService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PC Tools Firewall Plus (PCToolsFirewallPlus) - Unknown owner - (no file)
O23 - Service: RapApp - Internet Security Systems, Inc. - C:\Program Files\ISS\BlackICE\rapapp.exe
O23 - Service: Rapfibntdnt - Unknown owner - (no file)
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared files\RichVideo.exe

  • Cigarette Smoking Man
  • Joined: 14 Feb 2005
  • Posts: 9113
  • Location: Beograd

Hi jessica, I'll go over the log now and get back to you..

Update: 17 Apr 2007 0:52

The computer is definitely infected.. Here's what we'll do:

Download VundoFix.

- Click VundoFix.exe
- When it opens, click Scan for Vundo
- When the scan finishes, click the Remove Vundo button
- It will ask whether you want to remove the files, click Yes
- When it's done, it will ask you to restart the computer, click OK

It is possible that VundoFix won't be able to remove some files right away.
In that case VundoFix will run at boot. Simply click Scan for Vundo as soon as VundoFix appears after the reboot.

After that, paste the contents of the file C:\vundofix.txt here and post a fresh HijackThis log so we can see what's going on..

  • Joined: 24 Mar 2004
  • Posts: 646

I downloaded VundoFix, but it can't scan to the end because it "crashes" and freezes (...not responding).
And here's what NOD reports before every scan:

application Win32/Adware.Virtumonde.BQ found in operating memory. The file can be deleted. It is strongly recommended that you back up any crucial data before you proceed. No action can be taken while the file is in memory. Click "Leave" to continue and subsequently run the cleaning of all local disks. System memory infection originated from file C:\WINDOWS\system32\pmnnkif.dll.

And the number of infected files is growing fast.
Here's what it looks like:

Update: 17 Apr 2007 7:31

I didn't sleep all night and I managed to "whack the bastard".
Rapha, thank you, you pointed me in the right direction.
I found a little removal program called VirtumundoBeGone.exe (94.7kb)

[04/17/2007, 7:05:57] - VirtumundoBeGone v1.5 ( "D:\Programi\Programi\Antivirus\Ciscenje virusa\VirtumundoBeGone.exe" )
[04/17/2007, 7:06:01] - Detected System Information:
[04/17/2007, 7:06:01] - Windows Version: 5.1.2600, Service Pack 2
[04/17/2007, 7:06:01] - Current Username: miguel (Admin)
[04/17/2007, 7:06:01] - Windows is in NORMAL mode.
[04/17/2007, 7:06:01] - Searching for Browser Helper Objects:
[04/17/2007, 7:06:01] - BHO 1: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (AcroIEHlprObj Class)
[04/17/2007, 7:06:01] - BHO 2: {0F87BAAC-7BDB-43CB-88D2-A92079AF9A9A} ()
[04/17/2007, 7:06:01] - WARNING: BHO has no default name. Checking for Winlogon reference.
[04/17/2007, 7:06:01] - Checking for HKLM\...\Winlogon\Notify\vtsts
[04/17/2007, 7:06:01] - Found: HKLM\...\Winlogon\Notify\vtsts - This is probably Virtumundo.
[04/17/2007, 7:06:01] - Assigning {0F87BAAC-7BDB-43CB-88D2-A92079AF9A9A} MSEvents Object
[04/17/2007, 7:06:01] - BHO list has been changed! Starting over...
[04/17/2007, 7:06:01] - BHO 1: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (AcroIEHlprObj Class)
[04/17/2007, 7:06:01] - BHO 2: {0F87BAAC-7BDB-43CB-88D2-A92079AF9A9A} (MSEvents Object)
[04/17/2007, 7:06:01] - ALERT: Found MSEvents Object!
[04/17/2007, 7:06:01] - BHO 3: {67C55A8D-E808-4caa-9EA7-F77102DE0BB6} ()
[04/17/2007, 7:06:01] - WARNING: BHO has no default name. Checking for Winlogon reference.
[04/17/2007, 7:06:01] - No filename found. Continuing.
[04/17/2007, 7:06:01] - BHO 4: {68218620-3D65-43F6-AD47-D38D84B5412A} (MSEvents Object)
[04/17/2007, 7:06:01] - ALERT: Found MSEvents Object!
[04/17/2007, 7:06:01] - Finished Searching Browser Helper Objects
[04/17/2007, 7:06:01] - *** Detected MSEvents Object
[04/17/2007, 7:06:01] - Trying to remove MSEvents Object...
[04/17/2007, 7:06:02] - Terminating Process: IEXPLORE.EXE
[04/17/2007, 7:06:03] - Terminating Process: RUNDLL32.EXE
[04/17/2007, 7:06:03] - Disabling Automatic Shell Restart
[04/17/2007, 7:06:03] - Terminating Process: EXPLORER.EXE
[04/17/2007, 7:06:03] - Suspending the NT Session Manager System Service
[04/17/2007, 7:06:03] - Terminating Windows NT Logon/Logoff Manager
[04/17/2007, 7:11:32] - Re-enabling Automatic Shell Restart
[04/17/2007, 7:11:32] - File to disable: C:\WINDOWS\system32\vtsts.dll
[04/17/2007, 7:11:32] - Renaming C:\WINDOWS\system32\vtsts.dll -> C:\WINDOWS\system32\vtsts.dll.vir
[04/17/2007, 7:11:32] - File successfully renamed!
[04/17/2007, 7:11:32] - Removing HKLM\...\Browser Helper Objects\{0F87BAAC-7BDB-43CB-88D2-A92079AF9A9A}
[04/17/2007, 7:11:32] - Removing HKCR\CLSID\{0F87BAAC-7BDB-43CB-88D2-A92079AF9A9A}
[04/17/2007, 7:11:32] - Adding Kill Bit for ActiveX for GUID: {0F87BAAC-7BDB-43CB-88D2-A92079AF9A9A}
[04/17/2007, 7:11:32] - Deleting ATLEvents/MSEvents Registry entries
[04/17/2007, 7:11:32] - Removing HKLM\...\Winlogon\Notify\vtsts
[04/17/2007, 7:11:32] - Searching for Browser Helper Objects:
[04/17/2007, 7:11:32] - BHO 1: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (AcroIEHlprObj Class)
[04/17/2007, 7:11:32] - BHO 2: {67C55A8D-E808-4caa-9EA7-F77102DE0BB6} ()
[04/17/2007, 7:11:32] - WARNING: BHO has no default name. Checking for Winlogon reference.
[04/17/2007, 7:11:32] - No filename found. Continuing.
[04/17/2007, 7:11:32] - BHO 3: {68218620-3D65-43F6-AD47-D38D84B5412A} (MSEvents Object)
[04/17/2007, 7:11:32] - ALERT: Found MSEvents Object!
[04/17/2007, 7:11:32] - Finished Searching Browser Helper Objects
[04/17/2007, 7:11:32] - *** Detected MSEvents Object
[04/17/2007, 7:11:32] - Trying to remove MSEvents Object...
[04/17/2007, 7:11:33] - Terminating Process: IEXPLORE.EXE
[04/17/2007, 7:11:33] - Terminating Process: RUNDLL32.EXE
[04/17/2007, 7:11:33] - Disabling Automatic Shell Restart
[04/17/2007, 7:11:33] - Terminating Process: EXPLORER.EXE
[04/17/2007, 7:11:33] - Suspending the NT Session Manager System Service
[04/17/2007, 7:11:33] - Terminating Windows NT Logon/Logoff Manager
[04/17/2007, 7:11:33] - Re-enabling Automatic Shell Restart
[04/17/2007, 7:11:33] - File to disable: C:\WINDOWS\system32\pmnnkif.dll
[04/17/2007, 7:11:33] - Renaming C:\WINDOWS\system32\pmnnkif.dll -> C:\WINDOWS\system32\pmnnkif.dll.vir
[04/17/2007, 7:11:33] - File successfully renamed!
[04/17/2007, 7:11:33] - Removing HKLM\...\Browser Helper Objects\{68218620-3D65-43F6-AD47-D38D84B5412A}
[04/17/2007, 7:11:33] - Removing HKCR\CLSID\{68218620-3D65-43F6-AD47-D38D84B5412A}
[04/17/2007, 7:11:33] - Adding Kill Bit for ActiveX for GUID: {68218620-3D65-43F6-AD47-D38D84B5412A}
[04/17/2007, 7:11:33] - Deleting ATLEvents/MSEvents Registry entries
[04/17/2007, 7:11:33] - Removing HKLM\...\Winlogon\Notify\pmnnkif
[04/17/2007, 7:11:33] - Searching for Browser Helper Objects:
[04/17/2007, 7:11:33] - BHO 1: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (AcroIEHlprObj Class)
[04/17/2007, 7:11:33] - BHO 2: {67C55A8D-E808-4caa-9EA7-F77102DE0BB6} ()
[04/17/2007, 7:11:33] - WARNING: BHO has no default name. Checking for Winlogon reference.
[04/17/2007, 7:11:33] - No filename found. Continuing.
[04/17/2007, 7:11:33] - Finished Searching Browser Helper Objects
[04/17/2007, 7:11:33] - Finishing up...
[04/17/2007, 7:11:33] - A restart is needed.
[04/17/2007, 7:13:59] - Attempting to Restart via STOP error (Blue Screen!)


And here's the HijackThis log after the "cleaning":

Logfile of HijackThis v1.99.1
Scan saved at 8:25:10, on 17.4.2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ISS\BlackICE\blackd.exe
C:\Program Files\Executive Software\Diskeeper\DkService.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\CyberLink\Shared files\RichVideo.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb06.exe
C:\Program Files\Eset\nod32kui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\BitTorrent\bittorrent.exe
C:\Program Files\ISS\BlackICE\blackice.exe
D:\Programi\Programi\Antivirus\Ciscenje virusa\HijackThis\MM5.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {67C55A8D-E808-4caa-9EA7-F77102DE0BB6} - (no file)
O3 - Toolbar: &Save Flash - {4064EA35-578D-4073-A834-C96D82CBCF40} - C:\Program Files\Save Flash\SaveFlash.dll
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb06.exe
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [DiskeeperSystray] "C:\Program Files\Executive Software\Diskeeper\DkIcon.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BitTorrent] "C:\Program Files\BitTorrent\bittorrent.exe" --force_start_minimized
O4 - Global Startup: BlackICE PC Protection.lnk = C:\Program Files\ISS\BlackICE\blackice.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Flash - {43CF38F3-5AEC-45a3-AD31-04EB06E9C6CA} - C:\Program Files\Save Flash\Flash Saving Plugin\FlashSButton.dll (HKCU)
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5C.....8527328375
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: BlackICE - Internet Security Systems, Inc. - C:\Program Files\ISS\BlackICE\blackd.exe
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\Diskeeper\DkService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PC Tools Firewall Plus (PCToolsFirewallPlus) - Unknown owner - (no file)
O23 - Service: RapApp - Internet Security Systems, Inc. - C:\Program Files\ISS\BlackICE\rapapp.exe
O23 - Service: Rapfibntdnt - Unknown owner - (no file)
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared files\RichVideo.exe


Cheers!
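The cross-check that VirtumundoBeGone logs above (an unnamed BHO whose DLL is also registered under Winlogon\Notify) can be applied to a HijackThis log directly. The following is an added example, not a tool from this thread; it assumes only the O2/O20 line formats shown in the logs, and the two embedded samples are constructed excerpts of the logs posted above:

```python
"""Flag the Vundo/Virtumonde pairing in a HijackThis log.

Mirrors the cross-check VirtumundoBeGone logs in this thread: an O2 BHO
with no default name whose DLL is also registered as an O20 Winlogon
Notify handler is the classic Vundo pattern, and an unnamed BHO that
points at "(no file)" is the registry leftover that gets fixed by hand.
"""
import re

O2_RE = re.compile(
    r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.*)$"
)
O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<key>\S+) - (?P<path>.*)$")

# Constructed samples: excerpts of the two HijackThis logs posted above.
BEFORE_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {67C55A8D-E808-4caa-9EA7-F77102DE0BB6} - (no file)
O2 - BHO: (no name) - {68218620-3D65-43F6-AD47-D38D84B5412A} - C:\WINDOWS\system32\pmnnkif.dll
O2 - BHO: (no name) - {9B396081-19F9-4E88-BD1D-C023328DF5B2} - C:\WINDOWS\system32\vtsts.dll
O20 - Winlogon Notify: pmnnkif - C:\WINDOWS\SYSTEM32\pmnnkif.dll
O20 - Winlogon Notify: vtsts - C:\WINDOWS\system32\vtsts.dll
"""
AFTER_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {67C55A8D-E808-4caa-9EA7-F77102DE0BB6} - (no file)
"""


def parse_hjt(log_text):
    """Return (bhos, notify): O2 entries as dicts, and O20 DLL path -> key."""
    bhos, notify = [], {}
    for line in log_text.splitlines():
        line = line.strip()
        m = O2_RE.match(line)
        if m:
            bhos.append({"name": m["name"], "clsid": m["clsid"], "path": m["path"]})
            continue
        m = O20_RE.match(line)
        if m:
            # Paths are compared case-insensitively (the log mixes SYSTEM32 and system32).
            notify[m["path"].lower()] = m["key"]
    return bhos, notify


def analyze(log_text):
    """Return (severity, clsid, reason) findings, highest severity first."""
    bhos, notify = parse_hjt(log_text)
    findings = []
    for bho in bhos:
        if bho["name"] != "(no name)":
            continue  # a named, vendor-identified BHO is outside this heuristic
        path = bho["path"].lower()
        if path == "(no file)":
            findings.append(("low", bho["clsid"],
                             "orphaned BHO entry, DLL already gone; fix the line in HijackThis"))
        elif path in notify:
            findings.append(("high", bho["clsid"],
                             f"unnamed BHO {bho['path']} is also Winlogon Notify "
                             f"handler '{notify[path]}' (Vundo pattern)"))
        elif "\\system32\\" in path:
            findings.append(("medium", bho["clsid"],
                             f"unnamed BHO loading from system32: {bho['path']}"))
    rank = {"high": 0, "medium": 1, "low": 2}
    findings.sort(key=lambda f: rank[f[0]])
    return findings


if __name__ == "__main__":
    for label, log in (("before cleanup", BEFORE_LOG), ("after cleanup", AFTER_LOG)):
        print(f"== {label} ==")
        for severity, clsid, reason in analyze(log):
            print(f"[{severity:6}] {clsid}  {reason}")
```

Run against the two samples, the first log yields the two Vundo pairings (pmnnkif.dll and vtsts.dll) plus the orphan, and the post-cleanup log yields only the orphaned {67C55A8D-...} entry that the helper later asks to be fixed.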

  • Cigarette Smoking Man
  • Joined: 14 Feb 2005
  • Posts: 9113
  • Location: Beograd

Sorry, I'm at work, I'll look over this new log in half an hour and get back to you..

Update: 17 Apr 2007 13:42

Nice, well done..

Some "leftovers" remain, but we'll get to that a bit later.
Since your computer was literally crawling with pests, it would be good to run a scan with Ewido Micro just in case. You do that as follows:

Download Ewido micro (8Mb):
http://downloads.ewido.net/ewido_micro.exe

How to work with Ewido micro:
- on the first screen select all partitions (tick the boxes in front of them)
- click the Start Scan button
- after the scan finishes click Save Report and save the log file somewhere safe
- click Remove Infections
- paste here the contents of the log file you just saved

After scanning with Ewido and posting the log file, also post a fresh HijackThis log.

  • Joined: 24 Mar 2004
  • Posts: 646

Thanks Rapha! I downloaded Ewido-micro and did everything as you wrote.
And there were more viruses...

Here are the scan results:
__________________________________________________
ewido anti-spyware online scanner
http://www.ewido.net
__________________________________________________


Name: Trojan.NSAnti.A
Path: C:\System Volume Information\_restore{7F44A825-E878-4036-ACB7-817E5AC0DCDC}\RP445\A0150454.scr
Risk: High

Name: Heuristic.Win32.Morphine-Crypted
Path: D:\Programi\IGRICE\3D SexVillaxxx\Razbijac.rar/Binaries\fc3DSexVilla.dll
Risk: Questionable

Name: Heuristic.Win32.Morphine-Crypted
Path: D:\Programi\IGRICE\3D SexVillaxxx\Razbijac.rar/Binaries\fc3DSexVillaRun.exe
Risk: Questionable

Name: Downloader.Agent.cd
Path: D:\Tekstovi\Knjizevnost\Knjige\Jedrenje oko Balkana\Jedrenje\cena.htm
Risk: High

Name: Downloader.Agent.cd
Path: D:\Tekstovi\Knjizevnost\Knjige\Jedrenje oko Balkana\Jedrenje\djavoli.htm
Risk: High

Name: Downloader.Agent.cd
Path: D:\Tekstovi\Knjizevnost\Knjige\Jedrenje oko Balkana\Jedrenje\jedandan.htm
Risk: High

Name: Downloader.Agent.cd
Path: D:\Tekstovi\Knjizevnost\Knjige\Jedrenje oko Balkana\Jedrenje\jedandan2.htm
Risk: High

Name: Downloader.Agent.cd
Path: D:\Tekstovi\Knjizevnost\Knjige\Jedrenje oko Balkana\Jedrenje\nocu.htm
Risk: High

Name: Downloader.Agent.cd
Path: D:\Tekstovi\Knjizevnost\Knjige\Jedrenje oko Balkana\Jedrenje\nocu2.htm
Risk: High

Name: Downloader.Agent.cd
Path: D:\Tekstovi\Knjizevnost\Knjige\Jedrenje oko Balkana\Jedrenje\podaci.htm
Risk: High

Name: Downloader.Agent.cd
Path: D:\Tekstovi\Knjizevnost\Knjige\Jedrenje oko Balkana\Jedrenje\podaci2.htm
Risk: High

Name: Downloader.Agent.cd
Path: D:\Tekstovi\Knjizevnost\Knjige\Jedrenje oko Balkana\Jedrenje\posada.htm
Risk: High

Name: Downloader.Agent.cd
Path: D:\Tekstovi\Knjizevnost\Knjige\Jedrenje oko Balkana\Jedrenje\priprema.htm
Risk: High

Name: Downloader.Agent.cd
Path: D:\Tekstovi\Knjizevnost\Knjige\Jedrenje oko Balkana\Jedrenje\priprema2.htm
Risk: High

Name: Downloader.Agent.cd
Path: D:\Tekstovi\Knjizevnost\Knjige\Jedrenje oko Balkana\Jedrenje\rezime.htm
Risk: High

Name: Downloader.Agent.cd
Path: D:\Tekstovi\Knjizevnost\Knjige\Jedrenje oko Balkana\princ.zip/cena.htm
Risk: High

Name: Downloader.Agent.cd
Path: D:\Tekstovi\Knjizevnost\Knjige\Jedrenje oko Balkana\princ.zip/djavoli.htm
Risk: High

Name: Downloader.Agent.cd
Path: D:\Tekstovi\Knjizevnost\Knjige\Jedrenje oko Balkana\princ.zip/jedandan.htm
Risk: High

Name: Downloader.Agent.cd
Path: D:\Tekstovi\Knjizevnost\Knjige\Jedrenje oko Balkana\princ.zip/jedandan2.htm
Risk: High

Name: Downloader.Agent.cd
Path: D:\Tekstovi\Knjizevnost\Knjige\Jedrenje oko Balkana\princ.zip/nocu.htm
Risk: High

Name: Downloader.Agent.cd
Path: D:\Tekstovi\Knjizevnost\Knjige\Jedrenje oko Balkana\princ.zip/nocu2.htm
Risk: High

Name: Downloader.Agent.cd
Path: D:\Tekstovi\Knjizevnost\Knjige\Jedrenje oko Balkana\princ.zip/podaci.htm
Risk: High

Name: Downloader.Agent.cd
Path: D:\Tekstovi\Knjizevnost\Knjige\Jedrenje oko Balkana\princ.zip/podaci2.htm
Risk: High

Name: Downloader.Agent.cd
Path: D:\Tekstovi\Knjizevnost\Knjige\Jedrenje oko Balkana\princ.zip/posada.htm
Risk: High

Name: Downloader.Agent.cd
Path: D:\Tekstovi\Knjizevnost\Knjige\Jedrenje oko Balkana\princ.zip/priprema.htm
Risk: High

Name: Downloader.Agent.cd
Path: D:\Tekstovi\Knjizevnost\Knjige\Jedrenje oko Balkana\princ.zip/priprema2.htm
Risk: High

Name: Downloader.Agent.cd
Path: D:\Tekstovi\Knjizevnost\Knjige\Jedrenje oko Balkana\princ.zip/rezime.htm
Risk: High

Name: Adware.BHO
Path: E:\GAMES\New Folder\iWin Games\iWinGamesHookIE.dll
Risk: Medium


Logfile of HijackThis v1.99.1
Scan saved at 4:11:33, on 18.4.2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb06.exe
C:\Program Files\Eset\nod32kui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\BitTorrent\bittorrent.exe
C:\Program Files\ISS\BlackICE\blackice.exe
C:\Program Files\ISS\BlackICE\blackd.exe
C:\Program Files\CyberLink\Shared files\RichVideo.exe
C:\Program Files\Opera\Opera.exe
D:\Programi\Programi\Antivirus\Ciscenje virusa\HijackThis\MM5.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {67C55A8D-E808-4caa-9EA7-F77102DE0BB6} - (no file)
O3 - Toolbar: &Save Flash - {4064EA35-578D-4073-A834-C96D82CBCF40} - C:\Program Files\Save Flash\SaveFlash.dll
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb06.exe
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BitTorrent] "C:\Program Files\BitTorrent\bittorrent.exe" --force_start_minimized
O4 - Global Startup: BlackICE PC Protection.lnk = C:\Program Files\ISS\BlackICE\blackice.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Flash - {43CF38F3-5AEC-45a3-AD31-04EB06E9C6CA} - C:\Program Files\Save Flash\Flash Saving Plugin\FlashSButton.dll (HKCU)
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5C.....8527328375
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: BlackICE - Internet Security Systems, Inc. - C:\Program Files\ISS\BlackICE\blackd.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: RapApp - Internet Security Systems, Inc. - C:\Program Files\ISS\BlackICE\rapapp.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared files\RichVideo.exe

  • Cigarette Smoking Man
  • Joined: 14 Feb 2005
  • Posts: 9113
  • Location: Beograd

As I suspected. Go into HijackThis again, tick the following line:
O2 - BHO: (no name) - {67C55A8D-E808-4caa-9EA7-F77102DE0BB6} - (no file)
and then click Fix Checked.

Post me a fresh HJT log. Tell me, how is the computer behaving now?

  • Joined: 24 Mar 2004
  • Posts: 646

I'm at work and can't send it to you now, but I'll be able to tonight around 22h.
Otherwise, compared to how it behaved the night before last, the computer is running great. Back then I couldn't open a single program, it had frozen completely.
And now it runs smoothly and fast. As if I had no virus at all.
A friend tells me it's best to format the computer, but I formatted it recently and can't be bothered to do it again. What do you think, is it necessary?
Off to work now. Will you be on the forum around 22h?

  • Cigarette Smoking Man
  • Joined: 14 Feb 2005
  • Posts: 9113
  • Location: Beograd

Unfortunately I won't be around tonight, but do what I wrote anyway and post a fresh log so I can take one more look when I get home.

As for formatting, for me that's always the last resort, when literally nothing else can be done. Especially in situations where everything can be sorted out nicely, but people apparently find it easiest to reinstall the OS rather than deal with the problems (in most cases those are people who don't know how to solve them anyway). It's like having a toothache and wanting to pull the tooth out right away..

  • Joined: 24 Mar 2004
  • Posts: 646

I agree with you about formatting.
Here's the latest HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 4:54:24, on 19.4.2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ISS\BlackICE\blackd.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb06.exe
C:\Program Files\Eset\nod32kui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\BitTorrent\bittorrent.exe
C:\Program Files\ISS\BlackICE\blackice.exe
D:\Programi\Programi\Antivirus\Ciscenje virusa\HijackThis\MM5.exe
C:\WINDOWS\system32\NOTEPAD.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O3 - Toolbar: &Save Flash - {4064EA35-578D-4073-A834-C96D82CBCF40} - C:\Program Files\Save Flash\SaveFlash.dll
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb06.exe
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BitTorrent] "C:\Program Files\BitTorrent\bittorrent.exe" --force_start_minimized
O4 - Global Startup: BlackICE PC Protection.lnk = C:\Program Files\ISS\BlackICE\blackice.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Flash - {43CF38F3-5AEC-45a3-AD31-04EB06E9C6CA} - C:\Program Files\Save Flash\Flash Saving Plugin\FlashSButton.dll (HKCU)
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5C.....8527328375
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: BlackICE - Internet Security Systems, Inc. - C:\Program Files\ISS\BlackICE\blackd.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: RapApp - Internet Security Systems, Inc. - C:\Program Files\ISS\BlackICE\rapapp.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared files\RichVideo.exe

  • Cigarette Smoking Man
  • Joined: 14 Feb 2005
  • Posts: 9113
  • Location: Beograd

The log is ok..
I'll leave the topic open for another two or three days just in case, and after that I'll move it to the Ambulanta Archive..
