http://storageprotector.com/ - it really wore me out :)


  • Joined: 07 Jan 2006
  • Posts: 968
  • Location: Skopje



When you click on anything, it goes to this address and wants to download some program:

http://storageprotector.com/clean/?p=61&gai=s5rk_s6_4_p61&gli=mypc_mydocs_winillegal&gff=68660_a4f6fc16+E70ED4955DE44C2F9CD6E7E71E2A7738

DON'T CLICK ON IT NEEDLESSLY!

It screwed up Spybot for us, and the antivirus too!
It wouldn't let me reinstall it. I read around the forums (from another PC) and proceeded roughly like this:





Quote: Logfile of HijackThis v1.99.1
Scan saved at 13:25:18, on 07.02.2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\FSI\F-Prot\F-StopW.EXE
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\VIA\RAID\raid_tool.exe
C:\Program Files\FSI\F-Prot\F-StopW .EXE
C:\Program Files\ATI Technologies\ATI.ACE\cli .exe
C:\WINDOWS\system32\ctfmon .exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli .exe
C:\Program Files\ATI Technologies\ATI.ACE\cli .exe
C:\WINDOWS\system32\NOTEPAD.EXE
N:\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.balkan.enliveninternational.com/rep.asp
O4 - HKLM\..\Run: [F-StopW] C:\Program Files\FSI\F-Prot\F-StopW.EXE
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: BORGChat.lnk = C:\Program Files\BORGChat\BORGChat.exe
O4 - Global Startup: VIA RAID TOOL.lnk = C:\Program Files\VIA\RAID\raid_tool.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: CLP-300 Status Monitor Service (SM_clp300_FUService) - Unknown owner - C:\Program.exe (file missing)
O23 - Service: TuneUp Drive Defrag Service (TuneUp.Defrag) - TuneUp Software GmbH - C:\WINDOWS\System32\TuneUpDefragService.exe






Quote: ComboFix 08-02.05.3 - LEO 2 2008-02-07 13:30:37.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.735 [GMT 1:00]
Running from: N:\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\ddcyw.dll
C:\WINDOWS\system32\xxyvvtu.dll
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\FSI\F-Prot\F-Sched.exe
C:\Program Files\FSI\F-Prot\F-StopW.EXE
C:\WINDOWS\system32\alhqptfr.dll
C:\WINDOWS\system32\axxuejki.ini
C:\WINDOWS\system32\ayxcufut.ini
C:\WINDOWS\system32\bjdkjggm.ini
C:\WINDOWS\system32\ctfmon.exe.tmp
C:\WINDOWS\system32\ddcyw.dll
C:\WINDOWS\system32\ddcyw.exe
C:\WINDOWS\system32\ffwkujca.ini
C:\WINDOWS\system32\gehcptne.dll
C:\WINDOWS\system32\hcyxqhfn.dll
C:\WINDOWS\system32\ihulpodu.dll
C:\WINDOWS\system32\ikjeuxxa.dll
C:\WINDOWS\system32\jiaoyasr.ini
C:\WINDOWS\system32\jraprkrv.dll
C:\WINDOWS\system32\jyxumsbw.ini
C:\WINDOWS\system32\lbhtypox.dll
C:\WINDOWS\system32\lbhtypox.dll . . . . failed to delete
C:\WINDOWS\system32\lbhtypox.dllbox
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\miynwsjx.dll
C:\WINDOWS\system32\ownugidm.dll
C:\WINDOWS\system32\qkpqqvak.dll
C:\WINDOWS\system32\RCX13.tmp
C:\WINDOWS\system32\rprykxbf.dll
C:\WINDOWS\system32\rsayoaij.dll
C:\WINDOWS\system32\spool\drivers\w32x86\3\E_FATIAHE.EXE
C:\WINDOWS\system32\tgajddpy.dll
C:\WINDOWS\system32\tufucxya.dll
C:\WINDOWS\system32\vmywqwyl.dll
C:\WINDOWS\system32\wbsmuxyj.dll
C:\WINDOWS\system32\whhsvkxd.dll
C:\WINDOWS\system32\wiwkvnve.dll
C:\WINDOWS\system32\wycdd.ini
C:\WINDOWS\system32\wycdd.ini2
C:\WINDOWS\system32\xkhvdhtf.dll
C:\WINDOWS\system32\xmpufbon.dll
C:\WINDOWS\system32\xxxykbwm.ini
C:\WINDOWS\system32\xxyvvtu.dll
C:\WINDOWS\system32\ypddjagt.ini
C:\WINDOWS\system32\yqiiyybh.dllbox

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_DOMAINSERVICE


((((((((((((((((((((((((( Files Created from 2008-01-07 to 2008-02-07 )))))))))))))))))))))))))))))))
.

2008-02-07 11:24 . 2008-02-07 11:24 <DIR> d-------- C:\Program Files\Lavasoft
2008-02-07 11:23 . 2008-02-07 11:23 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-02-06 10:59 . 2008-02-06 10:59 90,688 --a------ C:\WINDOWS\system32\mwbkyxxx.dll
2008-02-05 10:59 . 2008-02-07 13:44 163,904 --a------ C:\WINDOWS\system32\lbhtypox.dll
2008-01-24 15:29 . 2008-01-24 15:29 306,432 --a------ C:\WINDOWS\system32\TuneUpDefragService.exe
2008-01-24 15:29 . 2007-12-20 10:41 29,440 --a------ C:\WINDOWS\system32\uxtuneup.dll
2008-01-24 15:28 . 2008-01-24 15:30 <DIR> d-------- C:\Program Files\TuneUp Utilities 2008
2008-01-24 15:28 . 2008-02-07 11:23 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-01-23 09:30 . 2008-01-23 09:30 <DIR> d-------- C:\Program Files\MyPlayCity.com
2008-01-18 14:08 . 2008-01-18 14:09 2,670,049 --a------ C:\Microsoft Word - LYONESS SR so pris 2..pdf
2008-01-17 16:59 . 2008-01-17 16:59 1,383,700 --a------ C:\LYONESS SR duola za PRINT..pdf
2008-01-17 13:58 . 2008-01-17 13:58 256,267 --a------ C:\Kupujuci za svoje potrebe u dosta trgovina,hotela,benzinski pumpi-ako kupuje koga Vi Uclanite ili ako kupuju oni koje su uclani.pdf
2008-01-17 11:48 . 2008-01-17 11:48 63,805 --a------ C:\WINDOWS\system32\TripPilot THE SECRET OF SHOPPING.pdf
2008-01-11 14:13 . 2008-01-11 14:13 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Messenger Plus!
2008-01-11 12:06 . 2008-01-11 12:06 <DIR> d-------- C:\Program Files\Windows Live
2008-01-11 12:06 . 2008-01-31 15:12 <DIR> d-------- C:\Program Files\Messenger Plus! Live
2008-01-11 11:10 . 2008-01-11 11:10 140,288 --a------ C:\WINDOWS\~GLC0001.TMP
2008-01-11 11:06 . 2008-01-11 11:10 <DIR> d-------- C:\Program Files\Sebran
2008-01-11 11:06 . 2008-01-11 11:06 140,288 --a------ C:\WINDOWS\~GLC0000.TMP
2008-01-11 11:06 . 2004-08-23 17:51 109,472 --a------ C:\WINDOWS\system32\Sebran3_.ttf
2008-01-11 11:06 . 2003-11-12 23:38 31,732 --a------ C:\WINDOWS\system32\SEBRS___.TTF
2008-01-10 16:06 . 2008-01-10 16:07 122 --a------ C:\WINDOWS\system32\noruns.reg
2008-01-10 08:58 . 2008-02-07 12:34 15,360 --a------ C:\WINDOWS\system32\ctfmon .exe
2008-01-09 16:49 . 2008-01-09 16:49 <DIR> d-------- C:\Program Files\Trend Micro
2008-01-09 16:34 . 2008-01-09 16:34 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\TuneUp Software
2008-01-09 16:29 . 2008-01-09 15:26 72,192 -rahs---- C:\WINDOWS\system32\sntsvc.exe
2008-01-09 16:29 . 2008-01-09 16:29 244 --ah----- C:\sqmnoopt00.sqm
2008-01-09 16:29 . 2008-01-09 16:29 232 --ah----- C:\sqmdata00.sqm

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-07 11:20 --------- d-----w C:\Program Files\NewSoft
2008-02-07 10:40 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-02-07 10:40 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-02-06 20:27 --------- d-----w C:\Program Files\Trillian
2008-02-04 14:06 --------- d-----w C:\Documents and Settings\LEO 2\Application Data\Skype
2008-01-31 14:12 --------- d-----w C:\Program Files\MSN Messenger
2008-01-30 14:40 --------- d-----w C:\Program Files\FastStone Screen Capture
2008-01-11 10:10 140,288 ----a-w C:\WINDOWS\~GLC0001.TMP
2008-01-11 10:06 140,288 ----a-w C:\WINDOWS\~GLC0000.TMP
2008-01-10 13:19 --------- d-----w C:\Documents and Settings\LEO 2\Application Data\U3
2008-01-10 08:04 --------- d-----w C:\Program Files\The Weather Channel FW
2008-01-08 09:25 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2007-12-27 09:25 --------- d-----w C:\Documents and Settings\All Users\Application Data\FLEXnet
2007-12-14 11:01 --------- d-----w C:\Program Files\Google
2007-12-13 15:18 --------- d-----w C:\Documents and Settings\All Users\Application Data\UDL
2007-12-13 15:15 --------- d-----w C:\Program Files\EPSON
2007-11-22 13:55 336 ----a-w C:\Program Files\temp995.bat
.
<pre>
----a-w            45,056 2008-02-07 11:34:44  C:\Program Files\ATI Technologies\ATI.ACE\cli .exe
----a-w           323,584 2008-02-04 16:09:15  C:\Program Files\FSI\F-Prot\F-Sched .exe
----a-w           290,816 2008-02-07 11:34:40  C:\Program Files\FSI\F-Prot\F-StopW .EXE
----a-w         1,460,560 2008-02-07 08:42:37  C:\Program Files\Spybot - Search & Destroy\TeaTimer .exe
----a-w            15,360 2008-02-07 11:34:47  C:\WINDOWS\system32\ctfmon .exe
----a-w            98,304 2008-01-24 07:48:09  C:\WINDOWS\system32\spool\drivers\w32x86\3\E_FATIAHE .EXE
</pre>



((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A95B2816-1D7E-4561-A202-68C0DE02353A}]
2008-02-07 13:44 163904 --a------ C:\WINDOWS\system32\lbhtypox.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 13:00 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"F-StopW"="C:\Program Files\FSI\F-Prot\F-StopW.EXE" [ ]
"ATICCC"="C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" [ ]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 13:00 15360]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
VIA RAID TOOL.lnk - C:\Program Files\VIA\RAID\raid_tool.exe [2006-12-19 14:41:18 565248]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\lbhtypox]
lbhtypox.dll 2008-02-07 13:44 163904 C:\WINDOWS\system32\lbhtypox.dll

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"Skype"="C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
"CTFMON.EXE"=C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"ATICCC"="C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
"Samsung PanelMgr"=C:\WINDOWS\Samsung\PanelMgr\ssmmgr.exe /autorun
"EPSON Stylus Photo R240 Series"=C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAHE.EXE /P30 "EPSON Stylus Photo R240 Series" /O6 "USB001" /M "Stylus Photo R240"

R0 FPA_RTP;FPA_RTP;C:\WINDOWS\system32\Drivers\FSTOPW.SYS [2003-09-29 13:16]
R0 viasraid;viasraid;C:\WINDOWS\system32\DRIVERS\viasraid.sys [2003-08-05 07:14]
R2 UxTuneUp;TuneUp Theme Extension;C:\WINDOWS\System32\svchost.exe [2004-08-04 13:00]
S3 SM_clp300_FUService;CLP-300 Status Monitor Service;"C:\Program Files\Samsung\Samsung CLP-300 Series\SPanel\ssmsrvc []
S3 TuneUp.Defrag;TuneUp Drive Defrag Service;C:\WINDOWS\System32\TuneUpDefragService.exe [2008-01-24 15:29]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{10c1699d-81ec-11db-bc15-806d6172696f}]
\Shell\AutoRun\command - E:\setup.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{74212c89-81ed-11db-a5f9-00104b957563}]
\Shell\AutoRun\command - I:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{842c296e-70b1-11dc-9eec-000d87a7d210}]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL antihost.exe

.
Contents of the 'Scheduled Tasks' folder
"2008-01-25 16:41:14 C:\WINDOWS\Tasks\1-Click Maintenance.job"
- C:\Program Files\TuneUp Utilities 2008\OneClick.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-07 13:49:31
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\lbhtypox.dll

PROCESS: C:\WINDOWS\Explorer.EXE [6.00.2900.3156]
-> C:\WINDOWS\system32\lbhtypox.dll
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\BORGChat\BORGChat.exe
.
**************************************************************************
.
Completion time: 2008-02-07 13:51:50 - machine was rebooted
ComboFix-quarantined-files.txt 2008-02-07 12:51:46
.
2008-01-10 08:05:02 --- E O F ---




And this too, at the end:







Did I get rid of it??

  • Joined: 07 Aug 2006
  • Posts: 1182
  • Location: Fili Davydkovo, Moscow, Russia

someone correct me if I'm wrong, but you should have run the HijackThis log after ComboFix... let me look at this a bit more and then I'll write to you....

  • Joined: 07 Jan 2006
  • Posts: 968
  • Location: Skopje

Quote: Logfile of HijackThis v1.99.1
Scan saved at 15:01:14, on 07.02.2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Softwin\BitDefender10\bdmcon.exe
C:\Program Files\Softwin\BitDefender10\bdagent.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\VIA\RAID\raid_tool.exe
C:\Program Files\BORGChat\BORGChat.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe
C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe
C:\Program Files\Softwin\BitDefender10\vsserv.exe
C:\Program Files\Softwin\BitDefender10\bdlite.exe
C:\Program Files\Microsoft Office\Office12\WINWORD.EXE
C:\Documents and Settings\LEO 2\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.balkan.enliveninternational.com/rep.asp
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [BDMCon] C:\PROGRA~1\Softwin\BITDEF~1\bdmcon.exe
O4 - HKLM\..\Run: [BDAgent] "C:\Program Files\Softwin\BitDefender10\bdagent.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: BORGChat.lnk = C:\Program Files\BORGChat\BORGChat.exe
O4 - Global Startup: VIA RAID TOOL.lnk = C:\Program Files\VIA\RAID\raid_tool.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: BitDefender Scan Server (bdss) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe" /service (file missing)
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: BitDefender Desktop Update Service (LIVESRV) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe" /service (file missing)
O23 - Service: CLP-300 Status Monitor Service (SM_clp300_FUService) - Unknown owner - C:\Program.exe (file missing)
O23 - Service: TuneUp Drive Defrag Service (TuneUp.Defrag) - TuneUp Software GmbH - C:\WINDOWS\System32\TuneUpDefragService.exe
O23 - Service: BitDefender Virus Shield (VSSERV) - Unknown owner - C:\Program Files\Softwin\BitDefender10\vsserv.exe" /service (file missing)
O23 - Service: BitDefender Communicator (XCOMM) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe" /service (file missing)




Here it is...


I installed BitDefender 10, it's not exactly ....

Update: 07 Feb 2008 15:47

Quote: It seems this storageprotector.com malware has been spreading for a month and there is not a cure yet. Still looking for instructions all over the world. Just wondering if I can reinstall the OS to get rid of it to avoid the pain.

Symptoms:

Many different fake system warnings, the one on the startup is this:
Important : Potential errors found in the system.
During a scan of files at system startup, potential errors in the system registry were found.
p-07-0100 irql: 1f SYSVER 0xff0024
NT_Kernel error 1256
KMODE_EXCEPTION_NOT_HANDLED


Icons on Desktop - If i delete them, they come back moments after.
Icon1 : "Windows Update" with target location of -> "http://storageprotector.com"
Icon2 : "Help and Support Center" with target of -> "http://storageprotector.com"

over 5000 files have spread in Drive C.... " .tmp " " .sqm " files extensions


http://forum.bitdefender.com/index.php?showtopic=3984





Yes, exactly right!!!!


And I was wondering where those files in Documents and Settings came from... there were hundreds of them.......

They got deleted after the above, I don't have a single one left to show you :)

luckily :D

Update: 07 Feb 2008 16:08

Quote: file zipped: C:\WINDOWS\system32\ddcyw.dll -> catchme.zip -> ddcyw.dll ( 336896 bytes )

PE file "C:\WINDOWS\system32\ddcyw.dll" killed successfully

file zipped: C:\WINDOWS\system32\lbhtypox.dll -> catchme.zip -> lbhtypox.dll ( 163904 bytes )

PE file "C:\WINDOWS\system32\lbhtypox.dll" killed successfully

file zipped: C:\WINDOWS\system32\xxyvvtu.dll -> catchme.zip -> xxyvvtu.dll ( 37888 bytes )

PE file "C:\WINDOWS\system32\xxyvvtu.dll" killed successfully





And BitDefender is still screaming about all sorts of things, when I turn on the printer, some program...

Where on earth did I pick this up, I'd like to know........

  • Joined: 07 Aug 2006
  • Posts: 1182
  • Location: Fili Davydkovo, Moscow, Russia

these lines confused me, where the files appear with a single blank:
C:\Program Files\FSI\F-Prot\F-StopW .EXE
C:\Program Files\ATI Technologies\ATI.ACE\cli .exe
C:\Program Files\ATI Technologies\ATI.ACE\cli .exe

where it says that all xxx .exe files are Vundo infections... and I see you've used it...

  • Joined: 07 Jan 2006
  • Posts: 968
  • Location: Skopje

Yes yes, but I have the same F-Secure on another PC, and that PC is completely clean.
ComboFix's quarantine file is 12 MB and full of viruses ....

I wanted to zip it and send it to you, but BitDefender deleted everything, even in the rar file :)


Here's what it looks like, should I delete them?



  • Joined: 07 Aug 2006
  • Posts: 1182
  • Location: Fili Davydkovo, Moscow, Russia

well, not for now, it shouldn't do any harm at the moment, I'll see whether it needs to be uploaded and what to do next...

  • Joined: 07 Jan 2006
  • Posts: 968
  • Location: Skopje

OK, thanks, I'm going home now...


REGARDS

  • Joined: 07 Aug 2006
  • Posts: 1182
  • Location: Fili Davydkovo, Moscow, Russia

post a new ComboFix log, it looks like we're not done, let's see the current state...

  • Joined: 07 Jan 2006
  • Posts: 968
  • Location: Skopje

I installed Avira, scanned, and it found 36 viruses.

Quite a few of them were named Vundo..

I'll post it on Monday, when I go to work.

Update: 11 Feb 2008 9:55

Quote: ComboFix 08-02.05.3 - LEO 2 2008-02-11 9:33:59.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.683 [GMT 1:00]
Running from: C:\Documents and Settings\LEO 2\Desktop\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
The following files were disabled during the run:
C:\WINDOWS\system32\sockspy.dll


((((((((((((((((((((((((( Files Created from 2008-01-11 to 2008-02-11 )))))))))))))))))))))))))))))))
.

2008-02-08 13:00 . 2007-11-27 22:51 35,216 --a------ C:\WINDOWS\system32\drivers\TMPassthru.sys
2008-02-08 12:47 . 2008-02-08 12:47 <DIR> d-------- C:\Program Files\Avira
2008-02-08 12:47 . 2008-02-08 12:47 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Avira
2008-02-08 12:22 . 2008-02-08 12:22 250 --a------ C:\WINDOWS\gmer.ini
2008-02-08 11:31 . 2008-02-08 11:31 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Office Genuine Advantage
2008-02-08 11:17 . 2007-04-10 10:31 332,672 --a------ C:\WINDOWS\system32\WgaTray1.exe
2008-02-08 11:17 . 2007-04-10 10:31 332,672 --a------ C:\WINDOWS\system32\wgatray.exe.bak
2008-02-08 11:17 . 2007-04-10 10:30 200,064 --a------ C:\WINDOWS\system32\WgaLogon1.dll
2008-02-08 11:17 . 2007-04-10 10:30 200,064 --a------ C:\WINDOWS\system32\wgalogon.dll.bak
2008-02-08 11:09 . 2008-02-08 11:09 22 --a------ C:\WINDOWS\system32\ati64hlp.stb
2008-02-08 11:00 . 2008-02-08 11:01 <DIR> d-------- C:\Program Files\CCleaner
2008-02-08 10:46 . 2004-03-03 12:00 516,096 --------- C:\WINDOWS\system32\ati2sgag.exe
2008-02-08 10:46 . 2004-03-03 06:09 290,816 -ra------ C:\WINDOWS\system32\atiiiexx.dll
2008-02-07 14:41 . 2008-02-11 09:36 81,984 --a------ C:\WINDOWS\system32\bdod.bin
2008-02-07 14:39 . 2008-02-07 14:39 <DIR> d-------- C:\Documents and Settings\LEO 2\Application Data\Bitdefender
2008-02-07 14:38 . 2008-02-07 14:38 <DIR> d-------- C:\Program Files\Softwin
2008-02-07 14:38 . 2008-02-07 14:39 <DIR> d-------- C:\Program Files\Common Files\Softwin
2008-02-07 14:38 . 2008-02-07 14:39 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\BitDefender
2008-02-07 13:56 . 2008-02-09 09:15 <DIR> d-------- C:\VundoFix Backups
2008-02-07 13:26 . 2004-08-04 13:00 388,608 --a------ C:\kmd.exe
2008-02-07 11:24 . 2008-02-07 11:24 <DIR> d-------- C:\Program Files\Lavasoft
2008-02-07 11:23 . 2008-02-07 11:23 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-01-24 15:29 . 2008-01-24 15:29 306,432 --a------ C:\WINDOWS\system32\TuneUpDefragService.exe
2008-01-24 15:29 . 2007-12-20 10:41 29,440 --a------ C:\WINDOWS\system32\uxtuneup.dll
2008-01-24 15:28 . 2008-01-24 15:30 <DIR> d-------- C:\Program Files\TuneUp Utilities 2008
2008-01-24 15:28 . 2008-02-07 11:23 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-01-23 09:30 . 2008-01-23 09:30 <DIR> d-------- C:\Program Files\MyPlayCity.com
2008-01-18 14:08 . 2008-01-18 14:09 2,670,049 --a------ C:\Microsoft Word - LYONESS SR so pris 2..pdf
2008-01-17 16:59 . 2008-01-17 16:59 1,383,700 --a------ C:\LYONESS SR duola za PRINT..pdf
2008-01-17 13:58 . 2008-01-17 13:58 256,267 --a------ C:\Kupujuci za svoje potreb koje su uclani.pdf
2008-01-11 14:13 . 2008-01-11 14:13 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Messenger Plus!
2008-01-11 12:06 . 2008-01-11 12:06 <DIR> d-------- C:\Program Files\Windows Live
2008-01-11 12:06 . 2008-01-31 15:12 <DIR> d-------- C:\Program Files\Messenger Plus! Live
2008-01-11 11:10 . 2008-01-11 11:10 140,288 --a------ C:\WINDOWS\~GLC0001.TMP
2008-01-11 11:06 . 2008-01-11 11:10 <DIR> d-------- C:\Program Files\Sebran
2008-01-11 11:06 . 2008-01-11 11:06 140,288 --a------ C:\WINDOWS\~GLC0000.TMP
2008-01-11 11:06 . 2004-08-23 17:51 109,472 --a------ C:\WINDOWS\system32\Sebran3_.ttf
2008-01-11 11:06 . 2003-11-12 23:38 31,732 --a------ C:\WINDOWS\system32\SEBRS___.TTF

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-08 18:22 --------- d-----w C:\Documents and Settings\LEO 2\Application Data\Skype
2008-02-08 12:00 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-02-08 12:00 --------- d-----w C:\Program Files\Trend Micro
2008-02-08 09:46 --------- d-----w C:\Program Files\ATI Technologies
2008-02-08 09:26 --------- d-----w C:\Documents and Settings\LEO 2\Application Data\ATI
2008-02-08 09:25 --------- d-----w C:\Program Files\Trillian
2008-02-08 08:48 --------- d-----w C:\Program Files\Opera
2008-02-07 13:36 --------- d-----w C:\Program Files\MSN Messenger
2008-02-07 13:35 --------- d-----w C:\Program Files\NewSoft
2008-02-07 11:34 15,360 ----a-w C:\WINDOWS\system32\ctfmon .exe
2008-02-07 10:40 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-02-07 10:40 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-01-30 14:40 --------- d-----w C:\Program Files\FastStone Screen Capture
2008-01-11 10:10 140,288 ----a-w C:\WINDOWS\~GLC0001.TMP
2008-01-11 10:06 140,288 ----a-w C:\WINDOWS\~GLC0000.TMP
2008-01-10 13:19 --------- d-----w C:\Documents and Settings\LEO 2\Application Data\U3
2008-01-10 08:04 --------- d-----w C:\Program Files\The Weather Channel FW
2008-01-09 15:34 --------- d-----w C:\Documents and Settings\Administrator\Application Data\TuneUp Software
2008-01-08 09:25 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2007-12-27 09:25 --------- d-----w C:\Documents and Settings\All Users\Application Data\FLEXnet
2007-12-14 11:01 --------- d-----w C:\Program Files\Google
2007-12-14 10:32 12,632 ----a-w C:\WINDOWS\system32\lsdelete.exe
2007-12-13 15:18 --------- d-----w C:\Documents and Settings\All Users\Application Data\UDL
2007-12-13 15:15 --------- d-----w C:\Program Files\EPSON
2007-11-22 13:55 336 ----a-w C:\Program Files\temp995.bat
2007-11-15 10:29 51,716 ----a-w C:\WINDOWS\system32\pdf995mon.dll
2007-11-15 10:29 249,856 ----a-w C:\WINDOWS\system32\pdfmona.dll
.
<pre>
----a-w           323,584 2008-02-04 16:09:15  C:\Program Files\FSI\F-Prot\F-Sched .exe
----a-w           290,816 2008-02-07 11:34:40  C:\Program Files\FSI\F-Prot\F-StopW .EXE
----a-w         1,460,560 2008-02-07 08:42:37  C:\Program Files\Spybot - Search & Destroy\TeaTimer .exe
----a-w            15,360 2008-02-07 11:34:47  C:\WINDOWS\system32\ctfmon .exe
----a-w            98,304 2008-01-24 07:48:09  C:\WINDOWS\system32\spool\drivers\w32x86\3\E_FATIAHE .EXE
</pre>



((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 13:00 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BDMCon"="C:\PROGRA~1\Softwin\BITDEF~1\bdmcon.exe" [2008-02-07 15:04 290816]
"BDAgent"="C:\Program Files\Softwin\BitDefender10\bdagent.exe" [2007-03-26 15:49 69632]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-03-03 12:00 335872]
"avgnt"="C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-02-08 12:50 249896]
"TMRUBottedTray"="C:\Program Files\Trend Micro\RUBotted\TMRUBottedTray.exe" [2007-12-19 00:18 288088]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 13:00 15360]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
VIA RAID TOOL.lnk - C:\Program Files\VIA\RAID\raid_tool.exe [2006-12-19 14:41:18 565248]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=sockspy.dll

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"Skype"="C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
"CTFMON.EXE"=C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
"Samsung PanelMgr"=C:\WINDOWS\Samsung\PanelMgr\ssmmgr.exe /autorun

R0 viasraid;viasraid;C:\WINDOWS\system32\DRIVERS\viasraid.sys [2003-08-05 07:14]
R2 RUBotted;Trend Micro RUBotted Service;"C:\Program Files\Trend Micro\RUBotted\TMRUBotted.exe" [2007-12-19 00:18]
R2 UxTuneUp;TuneUp Theme Extension;C:\WINDOWS\System32\svchost.exe [2004-08-04 13:00]
R3 TMPassthruMP;TMPassthruMP;C:\WINDOWS\system32\DRIVERS\TMPassthru.sys [2007-11-27 22:51]
S0 FPA_RTP;FPA_RTP;C:\WINDOWS\system32\Drivers\FSTOPW.SYS []
S3 SM_clp300_FUService;CLP-300 Status Monitor Service;"C:\Program Files\Samsung\Samsung CLP-300 Series\SPanel\ssmsrvc []
S3 TMPassthru;Trend Micro Passthru Ndis Service;C:\WINDOWS\system32\DRIVERS\TMPassthru.sys [2007-11-27 22:51]
S3 TuneUp.Defrag;TuneUp Drive Defrag Service;C:\WINDOWS\System32\TuneUpDefragService.exe [2008-01-24 15:29]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{10c1699d-81ec-11db-bc15-806d6172696f}]
\Shell\AutoRun\command - E:\setup.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{74212c89-81ed-11db-a5f9-00104b957563}]
\Shell\AutoRun\command - I:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{842c296e-70b1-11dc-9eec-000d87a7d210}]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL antihost.exe

.
Contents of the 'Scheduled Tasks' folder
"2008-02-08 16:58:31 C:\WINDOWS\Tasks\1-Click Maintenance.job"
- C:\Program Files\TuneUp Utilities 2008\OneClick.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-11 09:39:42
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-02-11 9:42:11
ComboFix-quarantined-files.txt 2008-02-11 08:42:01
ComboFix2.txt 2008-02-07 12:51:50
.
2008-01-10 08:05:02 --- E O F ---





Here you go, mate, I haven't even had time to look at everything.......

  • Joined: 07 Aug 2006
  • Posts: 1182
  • Location: Fili Davydkovo, Moscow, Russia

Open Notepad and copy the following text:

RenV::
C:\Program Files\FSI\F-Prot\F-Sched .exe
C:\Program Files\FSI\F-Prot\F-StopW .EXE
C:\Program Files\Spybot - Search & Destroy\TeaTimer .exe
C:\WINDOWS\system32\ctfmon .exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\E_FATIAHE .EXE

Registry::
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{842c296e-70b1-11dc-9eec-000d87a7d210}]


Save the file from Notepad to the Desktop as "CFScript"




Drag the saved script/text onto the ComboFix icon as in the picture.
Post in the next message the log that is produced at the end of the cleaning/scanning.
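An added example, not from the thread or from ComboFix, that turns the moderator's observation earlier in the thread (a single blank right before the extension marks a Vundo impostor) into a check: it scans constructed log lines for such names, pairs each with the legitimate name it imitates, and emits a RenV:: section in the CFScript format used in the post above. The sample log lines, the PATH_RE and SPACE_EXT_RE patterns and the function names are this example's own assumptions.

```python
import re
from typing import List, Optional

# Constructed sample lines in the style of a ComboFix / HijackThis log (not taken
# from the thread's machine). The legitimate ctfmon.exe and cli.exe appear next to
# impostors that differ only by a blank before the extension. "My Tool.exe" also
# contains a blank, but not right before the extension, so it must NOT be flagged.
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\ctfmon .exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli .exe
C:\Program Files\Example Vendor\Tool .EXE
C:\Program Files\Real App\My Tool.exe
----a-w            15,360 2008-02-07 11:34:47  C:\WINDOWS\system32\ctfmon .exe
"""

# A Windows path starts with a drive letter; everything to the end of the line is the path.
PATH_RE = re.compile(r"[A-Za-z]:\\.*$")
# Exactly one blank (preceded by a non-blank) before a dot and a 1-4 character extension.
SPACE_EXT_RE = re.compile(r"(?<=\S) (\.[A-Za-z0-9]{1,4})$")


def extract_path(line: str) -> Optional[str]:
    """Return the Windows path found in a log line, or None if the line has none."""
    m = PATH_RE.search(line)
    return m.group(0).rstrip() if m else None


def has_space_before_extension(path: str) -> bool:
    """True for names like 'cli .exe' or 'ctfmon .exe', False for 'My Tool.exe'."""
    return SPACE_EXT_RE.search(path) is not None


def legit_twin(path: str) -> str:
    """The name the impostor imitates: the same path with the blank removed."""
    return SPACE_EXT_RE.sub(r"\1", path)


def find_suspicious(log_text: str) -> List[str]:
    """Unique flagged paths, in order of first appearance in the log."""
    seen: List[str] = []
    for line in log_text.splitlines():
        path = extract_path(line)
        if path and has_space_before_extension(path) and path not in seen:
            seen.append(path)
    return seen


def build_renv_script(paths: List[str]) -> str:
    """Emit the RenV:: section of a ComboFix CFScript listing the flagged files."""
    return "RenV::\n" + "\n".join(paths) + "\n"


if __name__ == "__main__":
    flagged = find_suspicious(SAMPLE_LOG)
    for p in flagged:
        print(f"{p}  (imitates {legit_twin(p)})")
    print()
    print(build_renv_script(flagged))
```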
