http://storageprotector.com/ - it really wore me out :)


offline
  • Joined: 07 Jan 2006
  • Posts: 968
  • Location: Skopje



Whenever you click on anything, it goes to this address and wants to download some program:

http://storageprotector.com/clean/?p=61&gai=s5rk_s6_4_p61&gli=mypc_mydocs_winillegal&gff=68660_a4f6fc16+E70ED4955DE44C2F9CD6E7E71E2A7738

DON'T CLICK ON IT FOR NO REASON!

It f#cked up my Spybot, and the antivirus too!
It wouldn't let me reinstall it. I read around the forums (from another PC) and proceeded something like this:





Quote:Logfile of HijackThis v1.99.1
Scan saved at 13:25:18, on 07.02.2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\FSI\F-Prot\F-StopW.EXE
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\VIA\RAID\raid_tool.exe
C:\Program Files\FSI\F-Prot\F-StopW .EXE
C:\Program Files\ATI Technologies\ATI.ACE\cli .exe
C:\WINDOWS\system32\ctfmon .exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli .exe
C:\Program Files\ATI Technologies\ATI.ACE\cli .exe
C:\WINDOWS\system32\NOTEPAD.EXE
N:\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.balkan.enliveninternational.com/rep.asp
O4 - HKLM\..\Run: [F-StopW] C:\Program Files\FSI\F-Prot\F-StopW.EXE
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: BORGChat.lnk = C:\Program Files\BORGChat\BORGChat.exe
O4 - Global Startup: VIA RAID TOOL.lnk = C:\Program Files\VIA\RAID\raid_tool.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: CLP-300 Status Monitor Service (SM_clp300_FUService) - Unknown owner - C:\Program.exe (file missing)
O23 - Service: TuneUp Drive Defrag Service (TuneUp.Defrag) - TuneUp Software GmbH - C:\WINDOWS\System32\TuneUpDefragService.exe






Quote:ComboFix 08-02.05.3 - LEO 2 2008-02-07 13:30:37.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.735 [GMT 1:00]
Running from: N:\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\ddcyw.dll
C:\WINDOWS\system32\xxyvvtu.dll
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\FSI\F-Prot\F-Sched.exe
C:\Program Files\FSI\F-Prot\F-StopW.EXE
C:\WINDOWS\system32\alhqptfr.dll
C:\WINDOWS\system32\axxuejki.ini
C:\WINDOWS\system32\ayxcufut.ini
C:\WINDOWS\system32\bjdkjggm.ini
C:\WINDOWS\system32\ctfmon.exe.tmp
C:\WINDOWS\system32\ddcyw.dll
C:\WINDOWS\system32\ddcyw.exe
C:\WINDOWS\system32\ffwkujca.ini
C:\WINDOWS\system32\gehcptne.dll
C:\WINDOWS\system32\hcyxqhfn.dll
C:\WINDOWS\system32\ihulpodu.dll
C:\WINDOWS\system32\ikjeuxxa.dll
C:\WINDOWS\system32\jiaoyasr.ini
C:\WINDOWS\system32\jraprkrv.dll
C:\WINDOWS\system32\jyxumsbw.ini
C:\WINDOWS\system32\lbhtypox.dll
C:\WINDOWS\system32\lbhtypox.dll . . . . failed to delete
C:\WINDOWS\system32\lbhtypox.dllbox
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\miynwsjx.dll
C:\WINDOWS\system32\ownugidm.dll
C:\WINDOWS\system32\qkpqqvak.dll
C:\WINDOWS\system32\RCX13.tmp
C:\WINDOWS\system32\rprykxbf.dll
C:\WINDOWS\system32\rsayoaij.dll
C:\WINDOWS\system32\spool\drivers\w32x86\3\E_FATIAHE.EXE
C:\WINDOWS\system32\tgajddpy.dll
C:\WINDOWS\system32\tufucxya.dll
C:\WINDOWS\system32\vmywqwyl.dll
C:\WINDOWS\system32\wbsmuxyj.dll
C:\WINDOWS\system32\whhsvkxd.dll
C:\WINDOWS\system32\wiwkvnve.dll
C:\WINDOWS\system32\wycdd.ini
C:\WINDOWS\system32\wycdd.ini2
C:\WINDOWS\system32\xkhvdhtf.dll
C:\WINDOWS\system32\xmpufbon.dll
C:\WINDOWS\system32\xxxykbwm.ini
C:\WINDOWS\system32\xxyvvtu.dll
C:\WINDOWS\system32\ypddjagt.ini
C:\WINDOWS\system32\yqiiyybh.dllbox

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_DOMAINSERVICE


((((((((((((((((((((((((( Files Created from 2008-01-07 to 2008-02-07 )))))))))))))))))))))))))))))))
.

2008-02-07 11:24 . 2008-02-07 11:24 <DIR> d-------- C:\Program Files\Lavasoft
2008-02-07 11:23 . 2008-02-07 11:23 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-02-06 10:59 . 2008-02-06 10:59 90,688 --a------ C:\WINDOWS\system32\mwbkyxxx.dll
2008-02-05 10:59 . 2008-02-07 13:44 163,904 --a------ C:\WINDOWS\system32\lbhtypox.dll
2008-01-24 15:29 . 2008-01-24 15:29 306,432 --a------ C:\WINDOWS\system32\TuneUpDefragService.exe
2008-01-24 15:29 . 2007-12-20 10:41 29,440 --a------ C:\WINDOWS\system32\uxtuneup.dll
2008-01-24 15:28 . 2008-01-24 15:30 <DIR> d-------- C:\Program Files\TuneUp Utilities 2008
2008-01-24 15:28 . 2008-02-07 11:23 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-01-23 09:30 . 2008-01-23 09:30 <DIR> d-------- C:\Program Files\MyPlayCity.com
2008-01-18 14:08 . 2008-01-18 14:09 2,670,049 --a------ C:\Microsoft Word - LYONESS SR so pris 2..pdf
2008-01-17 16:59 . 2008-01-17 16:59 1,383,700 --a------ C:\LYONESS SR duola za PRINT..pdf
2008-01-17 13:58 . 2008-01-17 13:58 256,267 --a------ C:\Kupujuci za svoje potrebe u dosta trgovina,hotela,benzinski pumpi-ako kupuje koga Vi Uclanite ili ako kupuju oni koje su uclani.pdf
2008-01-17 11:48 . 2008-01-17 11:48 63,805 --a------ C:\WINDOWS\system32\TripPilot THE SECRET OF SHOPPING.pdf
2008-01-11 14:13 . 2008-01-11 14:13 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Messenger Plus!
2008-01-11 12:06 . 2008-01-11 12:06 <DIR> d-------- C:\Program Files\Windows Live
2008-01-11 12:06 . 2008-01-31 15:12 <DIR> d-------- C:\Program Files\Messenger Plus! Live
2008-01-11 11:10 . 2008-01-11 11:10 140,288 --a------ C:\WINDOWS\~GLC0001.TMP
2008-01-11 11:06 . 2008-01-11 11:10 <DIR> d-------- C:\Program Files\Sebran
2008-01-11 11:06 . 2008-01-11 11:06 140,288 --a------ C:\WINDOWS\~GLC0000.TMP
2008-01-11 11:06 . 2004-08-23 17:51 109,472 --a------ C:\WINDOWS\system32\Sebran3_.ttf
2008-01-11 11:06 . 2003-11-12 23:38 31,732 --a------ C:\WINDOWS\system32\SEBRS___.TTF
2008-01-10 16:06 . 2008-01-10 16:07 122 --a------ C:\WINDOWS\system32\noruns.reg
2008-01-10 08:58 . 2008-02-07 12:34 15,360 --a------ C:\WINDOWS\system32\ctfmon .exe
2008-01-09 16:49 . 2008-01-09 16:49 <DIR> d-------- C:\Program Files\Trend Micro
2008-01-09 16:34 . 2008-01-09 16:34 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\TuneUp Software
2008-01-09 16:29 . 2008-01-09 15:26 72,192 -rahs---- C:\WINDOWS\system32\sntsvc.exe
2008-01-09 16:29 . 2008-01-09 16:29 244 --ah----- C:\sqmnoopt00.sqm
2008-01-09 16:29 . 2008-01-09 16:29 232 --ah----- C:\sqmdata00.sqm

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-07 11:20 --------- d-----w C:\Program Files\NewSoft
2008-02-07 10:40 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-02-07 10:40 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-02-06 20:27 --------- d-----w C:\Program Files\Trillian
2008-02-04 14:06 --------- d-----w C:\Documents and Settings\LEO 2\Application Data\Skype
2008-01-31 14:12 --------- d-----w C:\Program Files\MSN Messenger
2008-01-30 14:40 --------- d-----w C:\Program Files\FastStone Screen Capture
2008-01-11 10:10 140,288 ----a-w C:\WINDOWS\~GLC0001.TMP
2008-01-11 10:06 140,288 ----a-w C:\WINDOWS\~GLC0000.TMP
2008-01-10 13:19 --------- d-----w C:\Documents and Settings\LEO 2\Application Data\U3
2008-01-10 08:04 --------- d-----w C:\Program Files\The Weather Channel FW
2008-01-08 09:25 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2007-12-27 09:25 --------- d-----w C:\Documents and Settings\All Users\Application Data\FLEXnet
2007-12-14 11:01 --------- d-----w C:\Program Files\Google
2007-12-13 15:18 --------- d-----w C:\Documents and Settings\All Users\Application Data\UDL
2007-12-13 15:15 --------- d-----w C:\Program Files\EPSON
2007-11-22 13:55 336 ----a-w C:\Program Files\temp995.bat
.
<pre>
----a-w            45,056 2008-02-07 11:34:44  C:\Program Files\ATI Technologies\ATI.ACE\cli .exe
----a-w           323,584 2008-02-04 16:09:15  C:\Program Files\FSI\F-Prot\F-Sched .exe
----a-w           290,816 2008-02-07 11:34:40  C:\Program Files\FSI\F-Prot\F-StopW .EXE
----a-w         1,460,560 2008-02-07 08:42:37  C:\Program Files\Spybot - Search & Destroy\TeaTimer .exe
----a-w            15,360 2008-02-07 11:34:47  C:\WINDOWS\system32\ctfmon .exe
----a-w            98,304 2008-01-24 07:48:09  C:\WINDOWS\system32\spool\drivers\w32x86\3\E_FATIAHE .EXE
</pre>



((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A95B2816-1D7E-4561-A202-68C0DE02353A}]
2008-02-07 13:44 163904 --a------ C:\WINDOWS\system32\lbhtypox.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 13:00 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"F-StopW"="C:\Program Files\FSI\F-Prot\F-StopW.EXE" [ ]
"ATICCC"="C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" [ ]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 13:00 15360]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
VIA RAID TOOL.lnk - C:\Program Files\VIA\RAID\raid_tool.exe [2006-12-19 14:41:18 565248]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\lbhtypox]
lbhtypox.dll 2008-02-07 13:44 163904 C:\WINDOWS\system32\lbhtypox.dll

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"Skype"="C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
"CTFMON.EXE"=C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"ATICCC"="C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
"Samsung PanelMgr"=C:\WINDOWS\Samsung\PanelMgr\ssmmgr.exe /autorun
"EPSON Stylus Photo R240 Series"=C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAHE.EXE /P30 "EPSON Stylus Photo R240 Series" /O6 "USB001" /M "Stylus Photo R240"

R0 FPA_RTP;FPA_RTP;C:\WINDOWS\system32\Drivers\FSTOPW.SYS [2003-09-29 13:16]
R0 viasraid;viasraid;C:\WINDOWS\system32\DRIVERS\viasraid.sys [2003-08-05 07:14]
R2 UxTuneUp;TuneUp Theme Extension;C:\WINDOWS\System32\svchost.exe [2004-08-04 13:00]
S3 SM_clp300_FUService;CLP-300 Status Monitor Service;"C:\Program Files\Samsung\Samsung CLP-300 Series\SPanel\ssmsrvc []
S3 TuneUp.Defrag;TuneUp Drive Defrag Service;C:\WINDOWS\System32\TuneUpDefragService.exe [2008-01-24 15:29]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{10c1699d-81ec-11db-bc15-806d6172696f}]
\Shell\AutoRun\command - E:\setup.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{74212c89-81ed-11db-a5f9-00104b957563}]
\Shell\AutoRun\command - I:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{842c296e-70b1-11dc-9eec-000d87a7d210}]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL antihost.exe

.
Contents of the 'Scheduled Tasks' folder
"2008-01-25 16:41:14 C:\WINDOWS\Tasks\1-Click Maintenance.job"
- C:\Program Files\TuneUp Utilities 2008\OneClick.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-07 13:49:31
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\lbhtypox.dll

PROCESS: C:\WINDOWS\Explorer.EXE [6.00.2900.3156]
-> C:\WINDOWS\system32\lbhtypox.dll
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\BORGChat\BORGChat.exe
.
**************************************************************************
.
Completion time: 2008-02-07 13:51:50 - machine was rebooted
ComboFix-quarantined-files.txt 2008-02-07 12:51:46
.
2008-01-10 08:05:02 --- E O F ---




And this at the end too:







Did I get rid of it??

offline
  • Joined: 07 Aug 2006
  • Posts: 1182
  • Location: Fili Davydkovo, Moscow, Russia

someone correct me if I'm wrong, but you should have run the HijackThis log after ComboFix... let me look at this a bit more and then I'll write back to you....

offline
  • Joined: 07 Jan 2006
  • Posts: 968
  • Location: Skopje

Quote:Logfile of HijackThis v1.99.1
Scan saved at 15:01:14, on 07.02.2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Softwin\BitDefender10\bdmcon.exe
C:\Program Files\Softwin\BitDefender10\bdagent.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\VIA\RAID\raid_tool.exe
C:\Program Files\BORGChat\BORGChat.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe
C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe
C:\Program Files\Softwin\BitDefender10\vsserv.exe
C:\Program Files\Softwin\BitDefender10\bdlite.exe
C:\Program Files\Microsoft Office\Office12\WINWORD.EXE
C:\Documents and Settings\LEO 2\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.balkan.enliveninternational.com/rep.asp
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [BDMCon] C:\PROGRA~1\Softwin\BITDEF~1\bdmcon.exe
O4 - HKLM\..\Run: [BDAgent] "C:\Program Files\Softwin\BitDefender10\bdagent.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: BORGChat.lnk = C:\Program Files\BORGChat\BORGChat.exe
O4 - Global Startup: VIA RAID TOOL.lnk = C:\Program Files\VIA\RAID\raid_tool.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: BitDefender Scan Server (bdss) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe" /service (file missing)
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: BitDefender Desktop Update Service (LIVESRV) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe" /service (file missing)
O23 - Service: CLP-300 Status Monitor Service (SM_clp300_FUService) - Unknown owner - C:\Program.exe (file missing)
O23 - Service: TuneUp Drive Defrag Service (TuneUp.Defrag) - TuneUp Software GmbH - C:\WINDOWS\System32\TuneUpDefragService.exe
O23 - Service: BitDefender Virus Shield (VSSERV) - Unknown owner - C:\Program Files\Softwin\BitDefender10\vsserv.exe" /service (file missing)
O23 - Service: BitDefender Communicator (XCOMM) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe" /service (file missing)




Here it is...


I installed BitDefender 10, it's not really ....

Update: 07 Feb 2008 15:47

Quote:It seems this storageprotector.com malware has been spreading for a month and there is not a cure yet. Still looking for instructions all over the world. Just wondering if I can reinstall the OS to get rid of it to avoid the pain.

Symptoms:

Many different fake system warnings, the one on the startup is this:
Important : Potential errors found in the system.
During a scan of files at system startup, potential errors in the system registry were found.
p-07-0100 irql: 1f SYSVER 0xff0024
NT_Kernel error 1256
KMODE_EXCEPTION_NOT_HANDLED


Icons on Desktop - If i delete them, they come back moments after.
Icon1 : "Windows Update" with target location of -> "http://storageprotector.com"
Icon2 : "Help and Support Center" with target of -> "http://storageprotector.com"

over 5000 files have spread in Drive C.... " .tmp " " .sqm " files extensions


http://forum.bitdefender.com/index.php?showtopic=3984





Yes, exactly right!!!!


And I was wondering where those files in Documents and Settings came from.. there were hundreds of them.......

They got deleted after the above, I don't have a single one left to show you :)

luckily :D :D :D

Update: 07 Feb 2008 16:08

Quote:file zipped: C:\WINDOWS\system32\ddcyw.dll -> catchme.zip -> ddcyw.dll ( 336896 bytes )

PE file "C:\WINDOWS\system32\ddcyw.dll" killed successfully

file zipped: C:\WINDOWS\system32\lbhtypox.dll -> catchme.zip -> lbhtypox.dll ( 163904 bytes )

PE file "C:\WINDOWS\system32\lbhtypox.dll" killed successfully

file zipped: C:\WINDOWS\system32\xxyvvtu.dll -> catchme.zip -> xxyvvtu.dll ( 37888 bytes )

PE file "C:\WINDOWS\system32\xxyvvtu.dll" killed successfully





And BitDefender still screams about all sorts of things: I turn on the printer, some program...

Where on earth did I pick this up, I'd like to know........ :?

offline
  • Joined: 07 Aug 2006
  • Posts: 1182
  • Location: Fili Davydkovo, Moscow, Russia

these lines confused me, where the files appear with a single blank in the name:
C:\Program Files\FSI\F-Prot\F-StopW .EXE
C:\Program Files\ATI Technologies\ATI.ACE\cli .exe
C:\Program Files\ATI Technologies\ATI.ACE\cli .exe

where it says that all "xxx .exe" files are Vundo infections... and I see you used it...

offline
  • Joined: 07 Jan 2006
  • Posts: 968
  • Location: Skopje

Yes yes, but I have the same F-Secure on another PC, and that PC is completely clean.
ComboFix's quarantine file is 12 MB and full of viruses ....

I wanted to zip it and send it to you, but BitDefender deleted everything, even the rar file :)


Here's what it looks like, should I delete them?



offline
  • Joined: 07 Aug 2006
  • Posts: 1182
  • Location: Fili Davydkovo, Moscow, Russia

well, not for now, it shouldn't do any harm at the moment, I'll see whether it needs to be uploaded and what to do next...

offline
  • Joined: 07 Jan 2006
  • Posts: 968
  • Location: Skopje

OK, thanks, I'm going home now...


CHEERS

offline
  • Joined: 07 Aug 2006
  • Posts: 1182
  • Location: Fili Davydkovo, Moscow, Russia

post a new ComboFix log, it looks like we're not done yet, let's see the current state...

offline
  • Joined: 07 Jan 2006
  • Posts: 968
  • Location: Skopje

I installed Avira and scanned; it found 36 viruses.

Quite a few of them were named Vundo..

I'll post it on Monday, when I'm back at work.

Update: 11 Feb 2008 9:55

Quote:ComboFix 08-02.05.3 - LEO 2 2008-02-11 9:33:59.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.683 [GMT 1:00]
Running from: C:\Documents and Settings\LEO 2\Desktop\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
The following files were disabled during the run:
C:\WINDOWS\system32\sockspy.dll


((((((((((((((((((((((((( Files Created from 2008-01-11 to 2008-02-11 )))))))))))))))))))))))))))))))
.

2008-02-08 13:00 . 2007-11-27 22:51 35,216 --a------ C:\WINDOWS\system32\drivers\TMPassthru.sys
2008-02-08 12:47 . 2008-02-08 12:47 <DIR> d-------- C:\Program Files\Avira
2008-02-08 12:47 . 2008-02-08 12:47 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Avira
2008-02-08 12:22 . 2008-02-08 12:22 250 --a------ C:\WINDOWS\gmer.ini
2008-02-08 11:31 . 2008-02-08 11:31 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Office Genuine Advantage
2008-02-08 11:17 . 2007-04-10 10:31 332,672 --a------ C:\WINDOWS\system32\WgaTray1.exe
2008-02-08 11:17 . 2007-04-10 10:31 332,672 --a------ C:\WINDOWS\system32\wgatray.exe.bak
2008-02-08 11:17 . 2007-04-10 10:30 200,064 --a------ C:\WINDOWS\system32\WgaLogon1.dll
2008-02-08 11:17 . 2007-04-10 10:30 200,064 --a------ C:\WINDOWS\system32\wgalogon.dll.bak
2008-02-08 11:09 . 2008-02-08 11:09 22 --a------ C:\WINDOWS\system32\ati64hlp.stb
2008-02-08 11:00 . 2008-02-08 11:01 <DIR> d-------- C:\Program Files\CCleaner
2008-02-08 10:46 . 2004-03-03 12:00 516,096 --------- C:\WINDOWS\system32\ati2sgag.exe
2008-02-08 10:46 . 2004-03-03 06:09 290,816 -ra------ C:\WINDOWS\system32\atiiiexx.dll
2008-02-07 14:41 . 2008-02-11 09:36 81,984 --a------ C:\WINDOWS\system32\bdod.bin
2008-02-07 14:39 . 2008-02-07 14:39 <DIR> d-------- C:\Documents and Settings\LEO 2\Application Data\Bitdefender
2008-02-07 14:38 . 2008-02-07 14:38 <DIR> d-------- C:\Program Files\Softwin
2008-02-07 14:38 . 2008-02-07 14:39 <DIR> d-------- C:\Program Files\Common Files\Softwin
2008-02-07 14:38 . 2008-02-07 14:39 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\BitDefender
2008-02-07 13:56 . 2008-02-09 09:15 <DIR> d-------- C:\VundoFix Backups
2008-02-07 13:26 . 2004-08-04 13:00 388,608 --a------ C:\kmd.exe
2008-02-07 11:24 . 2008-02-07 11:24 <DIR> d-------- C:\Program Files\Lavasoft
2008-02-07 11:23 . 2008-02-07 11:23 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-01-24 15:29 . 2008-01-24 15:29 306,432 --a------ C:\WINDOWS\system32\TuneUpDefragService.exe
2008-01-24 15:29 . 2007-12-20 10:41 29,440 --a------ C:\WINDOWS\system32\uxtuneup.dll
2008-01-24 15:28 . 2008-01-24 15:30 <DIR> d-------- C:\Program Files\TuneUp Utilities 2008
2008-01-24 15:28 . 2008-02-07 11:23 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-01-23 09:30 . 2008-01-23 09:30 <DIR> d-------- C:\Program Files\MyPlayCity.com
2008-01-18 14:08 . 2008-01-18 14:09 2,670,049 --a------ C:\Microsoft Word - LYONESS SR so pris 2..pdf
2008-01-17 16:59 . 2008-01-17 16:59 1,383,700 --a------ C:\LYONESS SR duola za PRINT..pdf
2008-01-17 13:58 . 2008-01-17 13:58 256,267 --a------ C:\Kupujuci za svoje potreb koje su uclani.pdf
2008-01-11 14:13 . 2008-01-11 14:13 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Messenger Plus!
2008-01-11 12:06 . 2008-01-11 12:06 <DIR> d-------- C:\Program Files\Windows Live
2008-01-11 12:06 . 2008-01-31 15:12 <DIR> d-------- C:\Program Files\Messenger Plus! Live
2008-01-11 11:10 . 2008-01-11 11:10 140,288 --a------ C:\WINDOWS\~GLC0001.TMP
2008-01-11 11:06 . 2008-01-11 11:10 <DIR> d-------- C:\Program Files\Sebran
2008-01-11 11:06 . 2008-01-11 11:06 140,288 --a------ C:\WINDOWS\~GLC0000.TMP
2008-01-11 11:06 . 2004-08-23 17:51 109,472 --a------ C:\WINDOWS\system32\Sebran3_.ttf
2008-01-11 11:06 . 2003-11-12 23:38 31,732 --a------ C:\WINDOWS\system32\SEBRS___.TTF

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-08 18:22 --------- d-----w C:\Documents and Settings\LEO 2\Application Data\Skype
2008-02-08 12:00 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-02-08 12:00 --------- d-----w C:\Program Files\Trend Micro
2008-02-08 09:46 --------- d-----w C:\Program Files\ATI Technologies
2008-02-08 09:26 --------- d-----w C:\Documents and Settings\LEO 2\Application Data\ATI
2008-02-08 09:25 --------- d-----w C:\Program Files\Trillian
2008-02-08 08:48 --------- d-----w C:\Program Files\Opera
2008-02-07 13:36 --------- d-----w C:\Program Files\MSN Messenger
2008-02-07 13:35 --------- d-----w C:\Program Files\NewSoft
2008-02-07 11:34 15,360 ----a-w C:\WINDOWS\system32\ctfmon .exe
2008-02-07 10:40 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-02-07 10:40 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-01-30 14:40 --------- d-----w C:\Program Files\FastStone Screen Capture
2008-01-11 10:10 140,288 ----a-w C:\WINDOWS\~GLC0001.TMP
2008-01-11 10:06 140,288 ----a-w C:\WINDOWS\~GLC0000.TMP
2008-01-10 13:19 --------- d-----w C:\Documents and Settings\LEO 2\Application Data\U3
2008-01-10 08:04 --------- d-----w C:\Program Files\The Weather Channel FW
2008-01-09 15:34 --------- d-----w C:\Documents and Settings\Administrator\Application Data\TuneUp Software
2008-01-08 09:25 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2007-12-27 09:25 --------- d-----w C:\Documents and Settings\All Users\Application Data\FLEXnet
2007-12-14 11:01 --------- d-----w C:\Program Files\Google
2007-12-14 10:32 12,632 ----a-w C:\WINDOWS\system32\lsdelete.exe
2007-12-13 15:18 --------- d-----w C:\Documents and Settings\All Users\Application Data\UDL
2007-12-13 15:15 --------- d-----w C:\Program Files\EPSON
2007-11-22 13:55 336 ----a-w C:\Program Files\temp995.bat
2007-11-15 10:29 51,716 ----a-w C:\WINDOWS\system32\pdf995mon.dll
2007-11-15 10:29 249,856 ----a-w C:\WINDOWS\system32\pdfmona.dll
.
<pre>
----a-w           323,584 2008-02-04 16:09:15  C:\Program Files\FSI\F-Prot\F-Sched .exe
----a-w           290,816 2008-02-07 11:34:40  C:\Program Files\FSI\F-Prot\F-StopW .EXE
----a-w         1,460,560 2008-02-07 08:42:37  C:\Program Files\Spybot - Search & Destroy\TeaTimer .exe
----a-w            15,360 2008-02-07 11:34:47  C:\WINDOWS\system32\ctfmon .exe
----a-w            98,304 2008-01-24 07:48:09  C:\WINDOWS\system32\spool\drivers\w32x86\3\E_FATIAHE .EXE
</pre>



((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 13:00 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BDMCon"="C:\PROGRA~1\Softwin\BITDEF~1\bdmcon.exe" [2008-02-07 15:04 290816]
"BDAgent"="C:\Program Files\Softwin\BitDefender10\bdagent.exe" [2007-03-26 15:49 69632]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-03-03 12:00 335872]
"avgnt"="C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-02-08 12:50 249896]
"TMRUBottedTray"="C:\Program Files\Trend Micro\RUBotted\TMRUBottedTray.exe" [2007-12-19 00:18 288088]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 13:00 15360]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
VIA RAID TOOL.lnk - C:\Program Files\VIA\RAID\raid_tool.exe [2006-12-19 14:41:18 565248]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=sockspy.dll

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"Skype"="C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
"CTFMON.EXE"=C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
"Samsung PanelMgr"=C:\WINDOWS\Samsung\PanelMgr\ssmmgr.exe /autorun

R0 viasraid;viasraid;C:\WINDOWS\system32\DRIVERS\viasraid.sys [2003-08-05 07:14]
R2 RUBotted;Trend Micro RUBotted Service;"C:\Program Files\Trend Micro\RUBotted\TMRUBotted.exe" [2007-12-19 00:18]
R2 UxTuneUp;TuneUp Theme Extension;C:\WINDOWS\System32\svchost.exe [2004-08-04 13:00]
R3 TMPassthruMP;TMPassthruMP;C:\WINDOWS\system32\DRIVERS\TMPassthru.sys [2007-11-27 22:51]
S0 FPA_RTP;FPA_RTP;C:\WINDOWS\system32\Drivers\FSTOPW.SYS []
S3 SM_clp300_FUService;CLP-300 Status Monitor Service;"C:\Program Files\Samsung\Samsung CLP-300 Series\SPanel\ssmsrvc []
S3 TMPassthru;Trend Micro Passthru Ndis Service;C:\WINDOWS\system32\DRIVERS\TMPassthru.sys [2007-11-27 22:51]
S3 TuneUp.Defrag;TuneUp Drive Defrag Service;C:\WINDOWS\System32\TuneUpDefragService.exe [2008-01-24 15:29]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{10c1699d-81ec-11db-bc15-806d6172696f}]
\Shell\AutoRun\command - E:\setup.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{74212c89-81ed-11db-a5f9-00104b957563}]
\Shell\AutoRun\command - I:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{842c296e-70b1-11dc-9eec-000d87a7d210}]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL antihost.exe

.
Contents of the 'Scheduled Tasks' folder
"2008-02-08 16:58:31 C:\WINDOWS\Tasks\1-Click Maintenance.job"
- C:\Program Files\TuneUp Utilities 2008\OneClick.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-11 09:39:42
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-02-11 9:42:11
ComboFix-quarantined-files.txt 2008-02-11 08:42:01
ComboFix2.txt 2008-02-07 12:51:50
.
2008-01-10 08:05:02 --- E O F ---





Here you go mate, I haven't even had time to look through it all.......

offline
  • Joined: 07 Aug 2006
  • Posts: 1182
  • Location: Fili Davydkovo, Moscow, Russia

Open Notepad and copy the following text into it:

RenV::
C:\Program Files\FSI\F-Prot\F-Sched .exe
C:\Program Files\FSI\F-Prot\F-StopW .EXE
C:\Program Files\Spybot - Search & Destroy\TeaTimer .exe
C:\WINDOWS\system32\ctfmon .exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\E_FATIAHE .EXE

Registry::
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{842c296e-70b1-11dc-9eec-000d87a7d210}]


Save the file from Notepad to the Desktop as "CFScript"




Drag the saved script/text onto the ComboFix icon as shown in the picture.
Post in your next message the log that is created at the end of the cleaning/scan.
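
As an added example (not code from this thread), here is a small Python parser that applies the two checks the thread turns on: it pulls out of a ComboFix log the file names with a blank before the extension that the moderator flags above, lists the Winlogon Notify, AppInit_DLLs and MountPoints2 AutoRun load points, and lays the results out in the RenV::/Registry:: layout of the CFScript in the last post. The log lines it runs on are a constructed sample modelled on the entries quoted earlier in the thread, not a real log file.

```python
import re

# Constructed sample: a handful of lines modelled on the ComboFix log quoted
# earlier in this thread (the <pre> block of renamed files plus three registry
# load points). Not a real log file.
SAMPLE_LOG = r"""
<pre>
----a-w            45,056 2008-02-07 11:34:44  C:\Program Files\ATI Technologies\ATI.ACE\cli .exe
----a-w            15,360 2008-02-07 11:34:47  C:\WINDOWS\system32\ctfmon .exe
----a-w           565,248 2006-12-19 14:41:18  C:\Program Files\VIA\RAID\raid_tool.exe
</pre>

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\lbhtypox]
lbhtypox.dll 2008-02-07 13:44 163904 C:\WINDOWS\system32\lbhtypox.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=sockspy.dll

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{842c296e-70b1-11dc-9eec-000d87a7d210}]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL antihost.exe
"""

# A Windows path anywhere on the line, from the drive letter to the end.
WIN_PATH = re.compile(r'([A-Za-z]:\\.*)$')
# File name whose extension is separated from the base name by one blank ("cli .exe").
SPACED_NAME = re.compile(r'\S \.[A-Za-z0-9]{1,4}$')


def find_spaced_extensions(log_text):
    """Return every full path in the log whose file name has a blank before
    the extension, the pattern the moderator points out as a Vundo sign."""
    hits = []
    for line in log_text.splitlines():
        m = WIN_PATH.search(line)
        if not m:
            continue
        path = m.group(1).strip()
        name = path.rsplit('\\', 1)[-1]
        if SPACED_NAME.search(name):
            hits.append(path)
    return hits


def find_persistence(log_text):
    """Return (registry key, value line) pairs for the load points this
    infection used: Winlogon Notify packages, AppInit_DLLs and AutoRun
    commands under MountPoints2. Keys are the [...] headers of the
    'Reg Loading Points' section; the lines that follow a header belong to it."""
    findings = []
    key = None
    for raw in log_text.splitlines():
        line = raw.strip()
        if line.startswith('[') and line.endswith(']'):
            key = line[1:-1]
            continue
        if not key or not line:
            continue
        k = key.lower()
        if (r'winlogon\notify' in k
                or 'appinit_dlls' in line.lower()
                or ('mountpoints2' in k and 'autorun' in line.lower())):
            findings.append((key, line))
    return findings


def build_cfscript(renv_paths, keys_to_delete):
    """Lay out a CFScript the way the moderator's post does: the spaced-name
    files under RenV:: and, under Registry::, each key to delete prefixed
    with '-' (REGEDIT4 deletion syntax)."""
    parts = []
    if renv_paths:
        parts.append('RenV::\n' + '\n'.join(renv_paths))
    if keys_to_delete:
        parts.append('Registry::\n' + '\n'.join(f'[-{k}]' for k in keys_to_delete))
    return '\n\n'.join(parts) + '\n'


if __name__ == '__main__':
    renamed = find_spaced_extensions(SAMPLE_LOG)
    persistence = find_persistence(SAMPLE_LOG)
    for key, value in persistence:
        print(f'load point: [{key}]\n    {value}')
    # Only the AutoRun key goes into the script; the DLL load points are
    # listed for the analyst to review, as the thread's moderator did.
    autorun_keys = [k for k, _ in persistence if 'mountpoints2' in k.lower()]
    print(build_cfscript(renamed, autorun_keys))
```

Run it against a saved ComboFix log by reading the file into `SAMPLE_LOG`'s place; the DLL load points are printed for review rather than written into the script, matching what the moderator did in the thread.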

Korisnici trenutno na forumu: 357magnum, Areal84, Asparagus, babaroga, bojank, bokisha253, Brana01, Centauro, Chainsaw, darkangel, Dimitrise93, draganca, FOX, Goran 0000, hologram, ikan, ILGromovnik, janbo, Još malo pa deda, Karla, kihot, Krvava Devetka, kybonacci, Luka Blažević, Mlav, nenad81, oldtimer, radoznao, repac, S2M, simazr, Singidunumac, Stanlio, stegonosa, vathra, vladaa012, vladulns, yufighter, Yugol33, |_MeD_|, šumar bk2