MyCity » Zaštita od zlonamernih programa » Molim objasnjenje

Molim objasnjenje

Napisano na dan: 31.5.2005

Molim objasnjenje
Sledeća strana Pagination

Idi na vrh

Poslao: 31 Maj 2005 23:06
Idi na vrh
offline
  • Mare  Male
  • Elitni građanin
  • Pridružio: 20 Feb 2005
  • Poruke: 2342
  • Gde živiš: Beč / Svilajnac

Recite mi kako da se resim ove napasti bubba.wintools or adware win tools
Pojavljuje se u registri bazi, ali mi nije jasno sta ga vraca posle brisanja.
Jel potrebno jos informacija?
Hvala unapred



Registruj se da bi učestvovao u diskusiji. Registrovanim korisnicima se NE prikazuju reklame unutar poruka.
Poslao: 31 Maj 2005 23:47
Idi na vrh
offline
  • Pridružio: 26 Okt 2004
  • Poruke: 66

What is WinTools?
WinTools appears to be a variant of Huntbar. It is very persistent and extremely difficult to remove. It creates its own folder under Program Files/Common Files called WinTools. All of its files appear to be contained within this folder.

How do I Remove WinTools?

Although there are many different methods across the web to remove this parasite, here is the most reliable way of doing this.

1) While online, download the popular HiJackThis program for Spywareinfo.com. You may want to read through the HiJackThis tutorial as well.

2) Reboot your computer into Safe Mode, you may want to also Turn off System Restore in Windows XP/ME as well to remove any backups of the files you are about to delete.

3) Remove the Startup Entries in the Registry

Click on Start, Run, Type REGEDIT and Click OK

Click the pluses(+) next to the following items
HKEY_LOCAL_MACHINE
Software
Microsoft
Windows
CurrentVersion
Run

Right-Click on the file WinTools and click DELETE

Click the pluses(+) next to the following items
HKEY_LOCAL_MACHINE
Software
Microsoft
Windows
CurrentVersion
RunServices

Right-Click on the file WinTools and click DELETE

Close REGEDIT
3) Run HiJackThis (while in Safe Mode) and Delete any entries relating to WinTools including

O2 - BHO: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183}- C:\PROGRA~1\COMMON~1\WinTools\WToolsB.dll
O2 - BHO: (no name) - {63B78BC1-A711-4D46-AD2F-C581AC420D41} - C:\PROGRA~1\COMMON~1\WINTOOLS\BTIEIN.DLL

Although the following entries should have been deleted in Step 2, delete these entries if they still exist.

O4 - HKLM\..\Run: [WinTools] C:\Program Files\Common files\WinTools\WToolsA.exe
O4 - HKLM\..\RunServices: [WinTools] C:\Program Files\Common files\WinTools\WToolsA.exe
O4 - HKLM\..\Run: [WinTools] C:\Program Files\Common files\WinTools\WToolsS.exe
O4 - HKLM\..\RunServices: [WinTools] C:\Program Files\Common files\WinTools\WToolsS.exe
O4 - HKLM\..\Run: [WinTools] C:\Program Files\Common files\WinTools\WSup.exe
O4 - HKLM\..\RunServices: [WinTools] C:\Program Files\Common files\WinTools\WSup.exe

3) Delete the WinTools folder and all associated files

Open My Computer, Drive C, Program Files, Common Files
Right-click on the WinTools folder (if it exists) and Delete it
4) You should also delete or clean up your hosts file

Windows 95/98/Me c:\windows\hosts
Windows NT/2000/XP Pro c:\winnt\system32\drivers\etc\hosts
Windows XP Home c:\windows\system32\drivers\etc\hosts


5) Reboot the computer in Normal Mode and run HiJackThis again to test (Wintools should be gone)



Poslao: 31 Maj 2005 23:49
Idi na vrh
offline
  • m4rk0  Male
  • Administrator
  • Administrator tech foruma
  • Marko Vasić
  • Gladijator - Maximus Decimus Meridius
  • Pridružio: 14 Jan 2005
  • Poruke: 15766
  • Gde živiš: Majur (Colosseum)

Ili jednostavno pokreni latest verzije adaware i spybot, apdejtuj ih i skeniraj komp.

Poslao: 31 Maj 2005 23:52
Idi na vrh
offline
  • Mare  Male
  • Elitni građanin
  • Pridružio: 20 Feb 2005
  • Poruke: 2342
  • Gde živiš: Beč / Svilajnac

@m4rk0
To sam prvo uradio, ali buni me sto se napast vraca.
Probacu sa corttex-ovim objasnjenjem

Poslao: 31 Maj 2005 23:55
Idi na vrh
offline
  • Pridružio: 26 Okt 2004
  • Poruke: 66

Možda najjednostavnije da vratiš unazad sa System Restore (ako ti je uključen) na vrijeme prije pojavljivanja problema.

Poslao: 01 Jun 2005 11:17
Idi na vrh
offline
  • SINGI
  • Pridružio: 22 Avg 2003
  • Poruke: 787
  • Gde živiš: Beograd

Mare ::@m4rk0
To sam prvo uradio, ali buni me sto se napast vraca.
Probacu sa corttex-ovim objasnjenjem

Ako jos imas taj problem, probaj sledece:

1. Instaliraj KAV (imas besplatan trial od 30 dana) u SAFE MODE-u i rucno update-uj bazu koju mozes da skines sa www.kaspersky.com/avupdates
Izaberi *Complete update* (cumul.zip).
Cumul.zip kada skines narezi na CD, pa onda kopiraj u C:\Documents and Settings\All Users\Documents\Kaspersky Anti-Virus Personal Updates i unzipuj u tom folderu.
Zatim idi na C:\Documents and Settings\All Users\Application Data\Kaspersky Anti-Virus Personal\5.0\bases i obrisi sve sto nadjes unutra...nece uspeti da obrise samo jedan fajl ali to je OK.
Nakon toga otvori KAV pa settings tab,zatim configure updater, zatim update type i izaberi "from a local folder" klikni browse pa ga uputi na onaj folder gde si unzipovao i izadji odatle.
Vrati se na glavni KAV ekran i klikni Update Now

2. Otvori KAV Scanner ali ga NE POKRECI jos uvek

3. pritisni Ctrl + ALT+DEL i otvori task manager, udji processes tab i onda desni klik na explorer.exe pa izaberi "stop process"

Sada ce da ti se "isprazni" desktop i vise neces imati taskbar ni meni, ali ce ti ostati otvoreni task manager i KAV

4. U KAV-u pokreni "Scan My Computer"

5. kada pronadje i ocisti sve sto se namnozilo onda u Taskmanger pritisni file/newtask i otkucaj explorer kako bi dobio desktop i ostalo

6. Zatvori KAV i Taskmanager

7. Reboot i nazad u normal mode.

I komp ti je cist Smile

Dopuna: 01 Jun 2005 12:17

corttex ::Možda najjednostavnije da vratiš unazad sa System Restore (ako ti je uključen) na vrijeme prije pojavljivanja problema.


ovaj malware pokusava da onesposobi system restore, tako sto zarazi explorer.exe u %sysdir%\dllcache time spustajuci nivo bezbednosti celog sistema.

Inace, kada si se zarazio on povuce sa neta cak 100 drugih cuda kao sto su:

AdWare.ISearch.d
Trojan-Clicker.Win32.Agent.bn
Trojan.Win32.LowZones.ai
PornWare.Dialer.Salc

a tipicno sto mozes da nadjes u logu je:

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = »searchmiracle.com/sp.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = »searchmiracle.com/sp.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = »searchmiracle.com/sp.php
O2 - BHO: IE Update Class - {5B4AB8E2-6DC5-477A-B637-BF3C1A2E5993} - C:\WINDOWS\isrvs\sysupd.dll
O2 - BHO: (no name) - {B75F75B8-93F3-429D-FF34-660B206D897A} - C:\WINDOWS\System32\boln.dll
O2 - BHO: &EliteBar - {28CAEFF3-0F18-4036-B504-51D73BD81ABC} - C:\WINDOWS\EliteToolBar\EliteToolBar version 59.dll
O2 - BHO: (no name) - {2B5E7117-24E7-5914-3794-A3D089E4A773} - (no file)
O2 - BHO: (no name) - {57798B92-1E52-BB11-3BF1-51F50C193253} - (no file)
O2 - BHO: &EliteSideBar - {ED103D9F-3070-4580-AB1E-E5C179C1AE41} - C:\WINDOWS\EliteSideBar\EliteSideBar 08.dll
O3 - Toolbar: &EliteBar - {825CF5BD-8862-4430-B771-0C15C5CA8DEF} - C:\WINDOWS\EliteToolBar\EliteToolBar version 59.dll
O4 - HKLM\..\Run: [tibs5] C:\WINNT\system32\tibs5.exe
O4 - HKLM\..\Run: [12C.tmp] C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\12C.tmp.exe 0 10001
O4 - HKLM\..\Run: [Web Service] C:\WINNT\system32\sm.exe
O4 - HKLM\..\Run: [12C.tmp.exe] C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\12C.tmp.exe 0 10001
O4 - HKLM\..\Run: [version] C:\WINNT\system32\Mthnzl.exe
O4 - HKLM\..\Run: [secure] C:\WINNT\system32\Yfkadl.exe
O4 - HKLM\..\Run: [Desktop Search] C:\WINNT\isrvs\desktop.exe
O4 - HKLM\..\Run: [ffis] C:\WINNT\isrvs\ffisearch.exe
O4 - HKLM\..\Run: [15E.tmp] C:\WINNT\TEMP\15E.tmp.exe 3 10001
O4 - HKLM\..\Run: [15E.tmp.exe] C:\WINNT\TEMP\15E.tmp.exe 3 10001
O4 - HKLM\..\Run: [4.tmp] C:\WINNT\TEMP\4.tmp.exe 0 10001
O4 - HKLM\..\Run: [4.tmp.exe] C:\WINNT\TEMP\4.tmp.exe 0 10001
O4 - HKLM\..\Run: [rE4W37i] jdbtil.exe
O4 - HKLM\..\Run: [kalvsys] C:\windows\system32\kalvayb32.exe
O4 - HKLM\..\Run: [Security iGuard] C:\Program Files\Security iGuard\Security iGuard.exe
O15 - Trusted Zone: *.05p.com
O15 - Trusted Zone: *.addictivetechnologies.com
O15 - Trusted Zone: *.addictivetechnologies.net
O15 - Trusted Zone: *.admin2cash.biz
O15 - Trusted Zone: *.awmdabest.com
O15 - Trusted Zone: *.bettersearch.biz
O15 - Trusted Zone: *.blazefind.com
O15 - Trusted Zone: *.c4tdownload.com
O15 - Trusted Zone: *.clickspring.net
O15 - Trusted Zone: *.f1organizer.com
O15 - Trusted Zone: *.finefind.nettraffic2cash.biz
O15 - Trusted Zone: *.flingstone.com
O15 - Trusted Zone: *.iframe.biz
O15 - Trusted Zone: *.megapornix.com
O15 - Trusted Zone: *.mt-download.com
O15 - Trusted Zone: *.my-internet.info
O15 - Trusted Zone: *.newiframe.biz
O15 - Trusted Zone: *.overpro.com
O15 - Trusted Zone: *.pizdato.biz

O15 - Trusted Zone: *.private-dialer.biz
O15 - Trusted Zone: *.private-iframe.biz
O15 - Trusted Zone: *.scoobidoo.com
O15 - Trusted Zone: *.searchbarcash.com
O15 - Trusted Zone: *.searchmiracle.com
O15 - Trusted Zone: *.slotch.com
O15 - Trusted Zone: *.sp2admin.biz
O15 - Trusted Zone: *.sp2fucked.biz
O15 - Trusted Zone: *.vse-moe.biz
O15 - Trusted Zone: *.windupdates.com
O15 - Trusted Zone: *.xxxtoolbar.com
O15 - Trusted Zone: *.ysbweb.com
O18 - Filter: text/html - {950238FB-C706-4791-8674-4D429F85897E} - C:\WINDOWS\isrvs\mfiltis.dll
O18 - Filter: text/html - {B72F75B8-93F3-429D-B13E-660B206D897A} - C:\WINDOWS\System32\wnim.dll
O18 - Filter: text/plain - {B72F75B8-93F3-429D-B13E-660B206D897A} - C:\WINDOWS\System32\wnim.dll

Problem je da kada samo delimicno ocistis offline sistem, sve se vrati nazad cim odes opet na net...

Zato uradi onako kako sam ti opisao i neces vise imati muke Smile

Poslao: 01 Jun 2005 17:11
Idi na vrh
offline
  • Mare  Male
  • Elitni građanin
  • Pridružio: 20 Feb 2005
  • Poruke: 2342
  • Gde živiš: Beč / Svilajnac

Cini mi se da sam se resio napasti, ali videcemo. Da li se Nod32 i KAV kolju? Posto mi je predlozeno u gornjem postu da skinem trial verziju KAV-a, a trenutno koristim Nod32 i on mi se ne ukljanja sa PC-ja.
Evo i loga:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.at/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Local Spool support DLL - {20C9D850-244D-11E1-B3C9-10805E499D95} - (no file)
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Programme\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\programme\google\googletoolbar1.dll
O2 - BHO: TGTSoft Explorer Toolbar Changer - {C333CF63-767F-4831-94AC-E683D962C63C} - C:\Programme\TGTSoft\StyleXP\TGT_BHO.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\programme\google\googletoolbar1.dll
O4 - HKLM\..\Run: [nod32kui] C:\Programme\Eset\nod32kui.exe /WAITSERVICE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programme\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Zone Labs Client] C:\Programme\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Programme\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [rfagent] "C:\Programme\RFA\rfagent.exe"
O4 - HKCU\..\Run: [FreeRAM] C:\Programme\FreeRAM\FreeRAM.exe
O4 - Startup: SpywareGuard.lnk = C:\Programme\SpywareGuard\sgmain.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: eBay - Homepage - {EF79EAC5-3452-4E02-B8BD-BA4C89F1AC7A} - C:\Programme\IrfanView\Ebay\Ebay.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Programme\Executive Software\Diskeeper\DkService.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Unknown owner - C:\Programme\Eset\nod32krn.exe
O23 - Service: StyleXPService - Unknown owner - C:\Programme\TGTSoft\StyleXP\StyleXPService.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

Nadam se da nista nisam propustio da ocistim

Poslao: 01 Jun 2005 17:28
Idi na vrh
offline
  • Pridružio: 19 Mar 2005
  • Poruke: 146
  • Gde živiš: undernet.org

po ovome sto si past-ovao ovde izgleda da si clean Smile

MyCity » Zaštita od zlonamernih programa » Molim objasnjenje

Ko je trenutno na forumu
 

Ukupno su 826 korisnika na forumu :: 5 registrovanih, 1 sakriven i 820 gosta   ::   [ Administrator ] [ Supermoderator ] [ Moderator ] :: Detaljnije

Najviše korisnika na forumu ikad bilo je 3466 - dana 01 Jun 2021 17:07

Korisnici koji su trenutno na forumu:
Korisnici trenutno na forumu: Koridor, MilosKop, opt1, Sumadija34, zziko