Serious adware problem

#1
21 January 2008, 20:16
Member

I have a serious problem. I've got some kind of adware on my computer. When I'm surfing, or just have my browser open, a popup will pop up every 2-3 minutes. I've tried using AVG Anti-Virus, AVG Anti-Spyware, CounterSpy and Bazooka Scanner.

They all found tons of stuff, I got rid of all of it, scanned again and everything was gone. Except a lot of tracking cookies, but that shouldn't contribute to the adware problem. These are supposed to be the best programs.

Any suggestions for what I need to use and what I should do?
#2
21 January 2008, 20:34
Moderator

Let's take a closer look.
Download and rename HijackThis (HJT)
  • Double-click on HJTInstall.
  • Click on the Install button.
  • It will automatically place HJT in C:\Program Files\TrendMicro\HijackThis\HijackThis.exe.
  • After installing, HijackThis should open for you.
    • Close HijackThis and rename it.
    • Go to C:\Program Files\Trend Micro\HijackThis.exe
    • Right-click on HijackThis.exe and select Rename.
    • Type sniper.exe and press Enter.
    • Right-click on sniper.exe and select Send To > Desktop (create shortcut)
  • Open HijackThis from the desktop.
  • If you are using Windows Vista, make sure to Run as administrator
  • Click on the Do a system scan and save a logfile button
  • HijackThis will scan, and then the log will open in Notepad.
  • Copy and paste the log into your post.
    • Do not have HijackThis fix anything yet. Most of what it finds is harmless or even required.
Although we renamed HijackThis to sniper, we will still refer to it as HijackThis or HJT.

#3
21 January 2008, 20:50
Member

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:50:07, on 1/21/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\TRENDnet\TRENDnet TEW-423PI-421PC_TEW\WlanCU.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\sniper.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/.../www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/...ch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/.../www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll (file missing)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [CloneCDTray] "C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe" /s
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /StartUp
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [LXCFCATS] rundll32 C:\WINDOWS\System32\spool\drivers\W32X86\3\LXCFtime.dll,_RunDLLEntry@16
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RunOnce (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RunOnce (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RunOnce (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RunOnce (User 'Default user')
O4 - Global Startup: Wireless Configuration Utility HW.15.lnk = C:\Program Files\TRENDnet\TRENDnet TEW-423PI-421PC_TEW\WlanCU.exe
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: ShopperReports - Compare product prices - {C5428486-50A0-4a02-9D20-520B59A9F9B2} - C:\Program Files\ShoppingReport\Bin\2.0.26\ShoppingReport.dll (file missing)
O9 - Extra button: ShopperReports - Compare travel prices - {C5428486-50A0-4a02-9D20-520B59A9F9B3} - C:\Program Files\ShoppingReport\Bin\2.0.26\ShoppingReport.dll (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11D2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11D2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} (StagingUI Object) - http://zone.msn.com/binFrameWork/v10...I.cab55579.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} - http://www.fileplanet.com/fpdlmgr/ca..._2.3.6.108.cab
O16 - DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} (MSN Games - Buddy Invite) - http://zone.msn.com/BinFrameWork/v10...y.cab55579.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1005.cab
O16 - DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} (ZonePAChat Object) - http://zone.msn.com/binframework/v10...t.cab55579.cab
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.systemrequirementslab.com/sysreqlab2.cab
O16 - DPF: {9BDF4724-10AA-43D5-BD15-AEA0D2287303} (MSN Games - Texas Holdem Poker) - http://zone.msn.com/bingame/zpagames...e.cab60231.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramewor...o.cab56649.cab
O16 - DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} (MSN Games - Game Communicator) - http://zone.msn.com/binframework/v10...y.cab55579.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: lxcf_device -   - C:\WINDOWS\system32\lxcfcoms.exe

--
End of file - 7993 bytes
#4
21 January 2008, 20:59
Moderator

That doesn't reveal much; some more complete scans will be needed.

Let's fix a few empty entries with HJT real quick.

Open HijackThis and select Do a system scan only.

Place a checkmark next to the following entries:

O9 - Extra button: ShopperReports - Compare product prices - {C5428486-50A0-4a02-9D20-520B59A9F9B2} - C:\Program Files\ShoppingReport\Bin\2.0.26\ShoppingReport.dll (file missing)
O9 - Extra button: ShopperReports - Compare travel prices - {C5428486-50A0-4a02-9D20-520B59A9F9B3} - C:\Program Files\ShoppingReport\Bin\2.0.26\ShoppingReport.dll (file missing)


Close all windows except HijackThis and click Fix checked.

Exit HijackThis.

---------
Download CCleaner

It is suggested that you download CCleaner - Slim - No Toolbar, which is the version without the Yahoo! Toolbar.
  • Double-click on the ccsetup.exe file to start the program installation.
  • Select your language and click OK, then Next.
  • Read the license agreement and click I Agree.
  • Click Next to use the default installation.
  • Under Install Options, choose all the default settings
  • Click Install, then Finish to complete the installation.
  • Double-click the CCleaner shortcut on the desktop to start the program.
  • On the "Windows" tab, under "Internet Explorer", uncheck "Cookies" if you do not want them deleted. (If deleted, you will likely need to re-enter your passwords at all sites that use a "cookie" to recognize you when you visit).
  • If you are using either Firefox or Mozilla browsers, uncheck the box for "Cookies" located on the Applications tab, under Firefox/Mozilla.
  • Click on the "Options" icon on the left side of the window, then click on "Advanced".
    deselect "Only delete files and folders in Windows Temp older than 48 hours."
  • Click on the "Cleaner" icon on the left side of the window, then click Run Cleaner to run the program.
  • Caution: Only use the "Registry" option if you are very familiar with the registry, as it has been known to find entries that are legitimate.
  • Always back up your registry before making any changes.
  • After CCleaner has finished the process, click on Exit.
----------
Download SUPERAntiSpyware Free Edition (SAS)
  • Double-click the icon on your desktop to run the installer.
  • When asked to Update the program definitions, click Yes
  • Click the Preferences button next.
  • Click the Scanning Control tab.
  • Under Scanner Options make sure only the following are checked:
    • Close browsers before scanning
    • Scan for tracking cookies
    • Terminate memory threats before quarantining
    • Please leave the others unchecked.
    • Click the Close button to leave the control center screen.
  • Click the Close button to leave the control center screen.
  • On the main screen click Scan your computer
  • On the left check C:\Fixed Drive
  • On the right choose Perform Complete Scan
  • Click Next to start the scan. Please be patient while it scans your computer.
  • After the scan is complete a summary box will appear. Click OK
  • Make sure everything in the white box has a check next to it, then click Next
  • It will quarantine what it found and if it asks whether you want to reboot, click Yes
  • To retrieve the removal information please do the following:
    • After reboot, double-click the SUPERAntiSpyware icon on your desktop.
    • Click Preferences. Click the Statistics/Logs tab.
    • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    • It will open in your default text editor (such as Notepad/WordPad).
    • Save the notepad file to your desktop by clicking (in Notepad) File > Save As...
  • Save the log somewhere you can easily find it. (normally the desktop)
  • Click Close and again Close to exit the program.
  • Please copy and paste the log into your post.
----------

In your next post please add:
SuperAntiSpyware log
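
Post #4 picks the two O9 ShopperReports entries out of the HijackThis log because their target DLL is reported as "(file missing)". The script below is an added illustration, not part of the thread and not code from HijackThis or Trend Micro: it parses HJT-style log lines into records and applies two defender-side triage rules, flagging registrations whose target file no longer exists (orphaned entries, exactly the ones the moderator had fixed) and O23 service entries with no publisher, which a reviewer would want to verify before deciding. The sample lines are constructed from the log posted above; the rule names, data structures and function names are my own.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: a few lines copied from the HijackThis log posted earlier in this
# thread (the CLSIDs and paths are the ones that appear in that log).
SAMPLE_HJT_LOG = """\
Logfile of Trend Micro HijackThis v2.0.2
Running processes:
C:\\WINDOWS\\System32\\smss.exe
R0 - HKCU\\Software\\Microsoft\\Internet Explorer\\Main,Start Page = http://www.yahoo.com/
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\\Program Files\\Java\\jre1.6.0_03\\bin\\ssv.dll (file missing)
O4 - HKLM\\..\\Run: [AVG7_CC] C:\\PROGRA~1\\Grisoft\\AVG7\\avgcc.exe /StartUp
O9 - Extra button: ShopperReports - Compare product prices - {C5428486-50A0-4a02-9D20-520B59A9F9B2} - C:\\Program Files\\ShoppingReport\\Bin\\2.0.26\\ShoppingReport.dll (file missing)
O9 - Extra button: ShopperReports - Compare travel prices - {C5428486-50A0-4a02-9D20-520B59A9F9B3} - C:\\Program Files\\ShoppingReport\\Bin\\2.0.26\\ShoppingReport.dll (file missing)
O23 - Service: ATI Smart - Unknown owner - C:\\WINDOWS\\system32\\ati2sgag.exe
O23 - Service: lxcf_device -   - C:\\WINDOWS\\system32\\lxcfcoms.exe
End of file - 7993 bytes
"""

ENTRY_RE = re.compile(r"^(?P<section>[RFO]\d{1,2}) - (?P<body>.+)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
PATH_RE = re.compile(r"[A-Za-z]:\\[^\"\[\]]*?\.(?:exe|dll|sys|ocx|cpl)\b", re.IGNORECASE)

REASON_MISSING = "orphaned registration: target file missing"
REASON_NO_OWNER = "service without a verifiable publisher"


@dataclass
class HjtEntry:
    section: str            # "R0", "O2", "O4", "O9", "O23", ...
    raw: str                # the full log line as posted
    clsid: Optional[str]    # first {GUID} on the line, if any
    path: Optional[str]     # first Windows file path on the line, if any
    file_missing: bool      # HJT appended "(file missing)"
    owner: Optional[str]    # publisher column of O23 service lines, else None


@dataclass
class Finding:
    section: str
    reason: str
    raw: str


def parse_hjt_log(text: str) -> List[HjtEntry]:
    """Turn the R*/F*/O* lines of a HijackThis log into records; header and process list are skipped."""
    entries: List[HjtEntry] = []
    for raw in text.splitlines():
        raw = raw.strip()
        m = ENTRY_RE.match(raw)
        if not m:
            continue
        section, body = m.group("section"), m.group("body")
        owner = None
        if section == "O23":
            # O23 lines read "Service: <name> - <owner> - <path>"; an empty owner
            # column is rendered by HJT as " -   - ".
            parts = body.split(" - ")
            owner = parts[1].strip() if len(parts) >= 3 else ""
        clsid = CLSID_RE.search(body)
        path = PATH_RE.search(body)
        entries.append(HjtEntry(
            section=section,
            raw=raw,
            clsid=clsid.group(0) if clsid else None,
            path=path.group(0) if path else None,
            file_missing=body.endswith("(file missing)"),
            owner=owner,
        ))
    return entries


def triage(entries: List[HjtEntry]) -> List[Finding]:
    """Defender-side rules: orphaned registrations are safe to remove; services with no
    publisher need the binary looked at before anything is decided."""
    findings: List[Finding] = []
    for e in entries:
        if e.file_missing:
            findings.append(Finding(e.section, REASON_MISSING, e.raw))
        elif e.section == "O23" and e.owner in ("", "Unknown owner"):
            findings.append(Finding(e.section, REASON_NO_OWNER, e.raw))
    return findings


def lines_to_fix(entries: List[HjtEntry]) -> List[str]:
    """The lines one would tick under 'Fix checked': registrations whose file is gone."""
    return [f.raw for f in triage(entries) if f.reason == REASON_MISSING]


if __name__ == "__main__":
    for f in triage(parse_hjt_log(SAMPLE_HJT_LOG)):
        print(f"{f.section:4} {f.reason:45} {f.raw[:70]}")
```

On the sample the orphaned-registration rule returns the Java SSVHelper BHO and the two ShopperReports buttons, and the no-publisher rule returns the ATI Smart and lxcf_device services; the second group is a prompt to check the file, not a verdict, which matches the moderator's advice not to let HJT fix anything unprompted.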

#5
21 January 2008, 22:20
Member

OK, I finally got the Internet working, but.... the popups are still here. Anyways, here's the log:

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 01/22/2008 at 00:10

Application Version: 3.9.1008

Core Rules Database Version: 3385
Trace Rules Database Version: 1379

Scan type: Complete Scan
Total Scan Time: 00:48:33

Memory items scanned: 556
Memory threats detected: 0
Registry items scanned: 4213
Registry threats detected: 0
File items scanned: 39567
File threats detected: 8

Adware.Tracking Cookie
C:\Documents and Settings\Richard\Cookies\richard@login.revenueloop[2].txt
C:\Documents and Settings\Richard\Cookies\richard@publishers.clickbooth[2].txt
C:\Documents and Settings\Richard\Cookies\richard@doubleclick[1].txt
C:\Documents and Settings\Richard\Cookies\richard@ads.pointroll[1].txt
C:\Documents and Settings\Richard\Cookies\richard@bluestreak[1].txt
C:\Documents and Settings\Richard\Cookies\richard@tribalfusion[2].txt
C:\Documents and Settings\Richard\Cookies\richard@atdmt[2].txt

RootKit.TnCore/Trace
C:\Windows\System32\Drivers\core.cache.dsk
#6
21 January 2008, 22:23
Moderator

This will take about 5 to 10 minutes.

Please download ComboFix by sUBs from one of the links below.
(Try all three if necessary.) IMPORTANT - Combofix.exe MUST be saved to your Desktop.
  • Close any open web browsers. (Firefox, Internet Explorer, etc.)
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with ComboFix. <- IMPORTANT
    • Click on this link to see a list of programs that should be disabled. If yours is not on the list and you do not know how to disable it, please ask.
  • Double-click combofix.exe and follow the prompts.
    • From the keyboard select 1 and press Enter
  • When finished, it will produce a log for you.
  • Post that log in your next reply.
Do not mouseclick ComboFix's window while it is running.
The scan will temporarily disable your desktop.
If interrupted, it may leave your computer frozen.
If that happens, please restart to restore the desktop.


Next post
ComboFix log

#7
21 January 2008, 22:48
Member

ok, done. but I've still got popups :-( here's the log:

ComboFix 08-01-21.3 - Richard 2008-01-22 0:30:28.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.628 [GMT -5:00]
Running from: C:\Documents and Settings\Richard\Desktop\ComboFix.exe
* Created a new restore point
WARNING - this machine does not have the Recovery Console installed!
.
((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Temp\tn3
C:\Windows\System32\Drivers\core.cache.dsk . . . . failed to delete
.
((((((((((((((((((((((((( Files Created from 2007-12-22 to 2008-01-22 )))))))))))))))))))))))))))))))
.
2008-01-22 00:36 . 2008-01-22 00:36 167,545 --------- C:\Windows\System32\Drivers\core.cache.dsk
2008-01-22 00:34 . 2008-01-22 00:34 <DIR> d-------- C:\Temp\tn3
2008-01-22 00:29 . 2000-08-31 08:00 51,200 -a------ C:\WINDOWS\Nircmd.exe
2008-01-21 23:10 . 2008-01-21 23:10 <DIR> d-------- C:\Program Files\CCleaner
2008-01-21 22:47 . 2008-01-21 22:47 <DIR> d-------- C:\Program Files\Trend Micro
2008-01-21 22:21 . 2008-01-22 00:16 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-01-21 02:10 . 2008-01-21 02:10 <DIR> d-------- C:\Program Files\Lavasoft
2008-01-21 02:09 . 2008-01-21 22:20 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-01-20 22:04 . 2008-01-20 22:04 <DIR> d-------- C:\Program Files\Bazooka Scanner
2008-01-20 17:41 . 2007-05-30 07:10 10,872 -a------ C:\Windows\System32\Drivers\AvgAsCln.sys
2008-01-20 16:39 . 2008-01-20 16:39 86,144 -a------ C:\Windows\System32\Drivers\ALCXWDMM.sys
2008-01-12 16:25 . 2008-01-12 16:25 <DIR> d-------- C:\Program Files\Electronic Arts
2008-01-12 15:11 . 2005-06-24 16:24 438,272 -ra------ C:\WINDOWS\system32\vp6vfw.dll
2008-01-12 15:11 . 2004-12-10 09:06 327,680 -a------ C:\WINDOWS\system32\vp6dec.ax
2008-01-12 15:06 . 2008-01-12 15:20 <DIR> d--h----- C:\WINDOWS\msdownld.tmp
2008-01-10 19:21 . 2008-01-10 19:21 <DIR> d-------- C:\Program Files\uTorrent
2008-01-10 19:01 . 2008-01-10 19:21 <DIR> d-------- C:\Program Files\megamaps
2008-01-08 22:43 . 2008-01-10 19:30 <DIR> d-------- C:\Program Files\Guitar Pro 5
2008-01-06 05:19 . 2008-01-06 05:19 <DIR> d-------- C:\Program Files\Power Tab Software
2008-01-03 22:31 . 2008-01-03 22:31 <DIR> d-------- C:\AeriaGames
2008-01-03 21:30 . 2008-01-12 21:55 <DIR> d-------- C:\UnrealTournament
2007-12-25 14:25 . 2007-12-28 16:53 90 -a------ C:\WINDOWS\RCAMPEG4VC.ini
2007-12-25 14:18 . 2006-09-13 14:52 561,152 -a------ C:\WINDOWS\system32\xvidcore.dll
2007-12-25 14:18 . 2006-09-13 15:01 237,568 -a------ C:\WINDOWS\system32\xvidvfw.dll
2007-12-25 14:18 . 2005-12-30 15:34 2,864 -a------ C:\WINDOWS\system32\xvid.inf
2007-12-25 14:17 . 2007-12-25 14:17 <DIR> d-------- C:\Program Files\RCA
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-20 20:59 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-01-17 00:48 --------- d-----w C:\Program Files\Yahoo!
2008-01-16 01:15 --------- d-----w C:\Program Files\Lx_cats
2008-01-11 00:21 --------- d-----w C:\Program Files\Xfire
2008-01-11 00:21 --------- d-----w C:\Program Files\LimeWire
2007-12-22 10:47 --------- d-----w C:\Program Files\DriftCity
2007-12-20 07:35 --------- d-----w C:\Program Files\Sierra On-Line
2007-12-18 08:02 --------- d-----w C:\Program Files\NHN USA
2007-12-17 21:17 --------- d-----w C:\Program Files\Bethesda Softworks
2007-12-05 04:14 --------- d-----w C:\Program Files\SlySoft
2007-12-03 03:06 --------- d-----w C:\Program Files\TGTSoft
2007-11-25 18:18 --------- d-----w C:\Program Files\Common Files\Sonic Shared
2007-11-22 05:03 --------- d-----w C:\Program Files\Cliprex DVD Player Professional
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 07:00 15360]
"DAEMON Tools"="C:\Program Files\DAEMON Tools\daemon.exe" [2007-08-29 10:09 171464]
"Yahoo Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [2007-08-30 17:43 4670704]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-06-21 14:06 1318912]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE" [2006-11-16 16:42 577536 C:\WINDOWS\SOUNDMAN.EXE]
"ATICCC"="C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" [2005-08-12 13:43 45056]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11 132496]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-09-26 13:42 267064]
"CloneCDTray"="C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe" [2006-09-28 14:21 57344]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2008-01-20 17:18 579072]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 04:25 6731312]
"LXCFCATS"="C:\WINDOWS\System32\spool\drivers\W32X86\3\LXCFtime.dll" [2005-07-20 12:47 73728]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2008-01-20 17:18 219136]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Wireless Configuration Utility HW.15.lnk - C:\Program Files\TRENDnet\TRENDnet TEW-423PI-421PC_TEW\WlanCU.exe [2007-01-30 13:57:42 577536]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableRegistryTools"= 0 (0x0)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"UIHost"="LogonUI.EXE"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Sonic CinePlayer Quick Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Sonic CinePlayer Quick Launch.lnk
backup=C:\WINDOWS\pss\Sonic CinePlayer Quick Launch.lnkCommon Startup

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\igndlm.exe]
C:\Program Files\Download Manager\DLM.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\MSMSGS]
--------- 2004-10-13 11:24 1694208 C:\Program Files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\QuickTime Task]
-a------ 2007-06-29 05:24 286720 C:\Program Files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\SBCSTray]
C:\Program Files\Sunbelt Software\CounterSpy\SBCSTray.exe

R0 videX32;videX32;C:\Windows\System32\Drivers\videX32.sys [2006-10-17 07:22]
R0 xfilt;VIA IDE SATA Hot-plug Driver;C:\Windows\System32\Drivers\xfilt.sys [2006-10-18 04:39]
R1 ALCXWDMM;ALCXWDMM;C:\Windows\System32\Drivers\ALCXWDMM.sys [2008-01-20 16:39]
R1 Cinemsup;Cinemsup;C:\Windows\System32\Drivers\cinemsup.sys [2002-07-19 09:10]
R3 odysseyIM3;Odyssey Network Services Miniport;C:\Windows\System32\Drivers\odysseyIM3.sys [2007-08-17 20:35]
S3 rtl8180;Realtek RTL8180 Wireless LAN (Mini) PCI NIC Driver NT;C:\Windows\System32\Drivers\RTL8180.SYS [2003-12-30 12:20]
S3 SetupNTGLM7X;SetupNTGLM7X;D:\NTGLM7X.sys []

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{5ed3c7c1-4bdf-11dc-8daa-806d6172696f}]
\Shell\AutoRun\command - D:\Autorun.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{2352721C-2267-DB51-0008-030706070804}]
C:\WINDOWS\system32\vsc32.exe
.
**************************************************************************
catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-22 00:37:48
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2008-01-22 0:42:14 - machine was rebooted
ComboFix-quarantined-files.txt 2008-01-22 05:42:10
.
2008-01-11 00:38:07 --- EOF ---
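
The ComboFix log above is worth reading for its timestamps: the run started at 0:30:28, yet core.cache.dsk in the Drivers folder carries a creation time of 00:36, and the "Other Deletions" block reports it "failed to delete". A file that reappears while the cleanup tool is running means something still active is writing it back, which is why the moderator next turns to a boot-time deletion with The Avenger. The script below is an added example, not part of the thread and not code from ComboFix: it parses the header line, the "Other Deletions" block and the "Files Created" rows, and cross-checks which failed deletions were (re)created after the scan began. The sample lines are constructed from the log in this post with tabs replaced by spaces; the function and class names are my own.

```python
import re
from dataclasses import dataclass
from datetime import datetime
from typing import List, Optional

# Constructed sample: the header line, the "Other Deletions" block and a few "Files
# Created" rows from the ComboFix log posted in this thread (tabs replaced by spaces).
SAMPLE_HEADER = "ComboFix 08-01-21.3 - Richard 2008-01-22 0:30:28.1 - NTFSx86"
SAMPLE_DELETIONS = """\
C:\\Temp\\tn3
C:\\Windows\\System32\\Drivers\\core.cache.dsk . . . . failed to delete
"""
SAMPLE_CREATED = """\
2008-01-22 00:36 . 2008-01-22 00:36 167,545 --------- C:\\Windows\\System32\\Drivers\\core.cache.dsk
2008-01-22 00:34 . 2008-01-22 00:34 <DIR> d-------- C:\\Temp\\tn3
2008-01-22 00:29 . 2000-08-31 08:00 51,200 -a------ C:\\WINDOWS\\Nircmd.exe
2008-01-21 23:10 . 2008-01-21 23:10 <DIR> d-------- C:\\Program Files\\CCleaner
2008-01-20 17:41 . 2007-05-30 07:10 10,872 -a------ C:\\Windows\\System32\\Drivers\\AvgAsCln.sys
"""

HEADER_RE = re.compile(r"^ComboFix \S+ - .+? (?P<start>\d{4}-\d{2}-\d{2} \d{1,2}:\d{2}:\d{2})")
ROW_RE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2})\s*\.\s*"
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2})\s+"
    r"(?P<size><DIR>|[\d,]+)\s+(?P<attrs>\S+)\s+(?P<path>[A-Za-z]:\\.*\S)\s*$"
)
FAILED_RE = re.compile(r"^(?P<path>[A-Za-z]:\\.*?)\s*(?:\.\s*)+failed to delete$")


@dataclass
class CreatedEntry:
    created: datetime
    modified: datetime
    size: Optional[int]     # None for directories
    attrs: str
    path: str

    @property
    def is_dir(self) -> bool:
        return self.size is None

    @property
    def in_drivers(self) -> bool:
        return "\\drivers\\" in self.path.lower()


def scan_start_from_header(header: str) -> datetime:
    """ComboFix's first line carries the run's start time; the trailing '.1' is dropped."""
    m = HEADER_RE.match(header.strip())
    if not m:
        raise ValueError("not a ComboFix header line")
    return datetime.strptime(m.group("start"), "%Y-%m-%d %H:%M:%S")


def parse_created(text: str) -> List[CreatedEntry]:
    """Rows of the 'Files Created' section; anything that does not fit the row shape is skipped."""
    rows: List[CreatedEntry] = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue
        size = None if m.group("size") == "<DIR>" else int(m.group("size").replace(",", ""))
        rows.append(CreatedEntry(
            created=datetime.strptime(m.group("created"), "%Y-%m-%d %H:%M"),
            modified=datetime.strptime(m.group("modified"), "%Y-%m-%d %H:%M"),
            size=size,
            attrs=m.group("attrs"),
            path=m.group("path"),
        ))
    return rows


def failed_deletions(text: str) -> List[str]:
    """Lower-cased paths that ComboFix reported it could not delete."""
    return [m.group("path").lower()
            for m in (FAILED_RE.match(l.strip()) for l in text.splitlines()) if m]


def created_during_scan(rows, scan_start: datetime) -> List[CreatedEntry]:
    """Entries created at or after the run started. The listing only has minute
    resolution, so this under-reports by up to 59 seconds rather than over-reporting."""
    return [r for r in rows if r.created >= scan_start]


def reappeared_during_scan(rows, scan_start, failed_paths) -> List[CreatedEntry]:
    """Files ComboFix failed to delete that also carry a creation time inside the run:
    something still active wrote them back, so a boot-time deletion is the next step."""
    failed = set(failed_paths)
    return [r for r in created_during_scan(rows, scan_start) if r.path.lower() in failed]


if __name__ == "__main__":
    start = scan_start_from_header(SAMPLE_HEADER)
    for r in reappeared_during_scan(parse_created(SAMPLE_CREATED), start,
                                    failed_deletions(SAMPLE_DELETIONS)):
        print(f"recreated during scan: {r.path} ({r.size} bytes, drivers dir={r.in_drivers})")
```

On the sample, two entries post-date the scan start (the tn3 folder and core.cache.dsk), and only core.cache.dsk is both newly created and in the failed-deletion list, which is the file the Avenger script in post #8 removes at boot.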
#8
21 January 2008, 22:57
Moderator

Now download The Avenger by Swandog46 and save it to your Desktop.
  • Extract avenger.exe from the Zip file and save it to your desktop
  • Run avenger.exe by double-clicking on it.
  • Check the Input script manually box.
  • Click the magnifying glass icon, which will open a new window titled View/edit script
  • Copy everything in the Code box below and paste it into the window that opens:
Code:
Folders to delete:
C:\Temp\tn3

Files to delete:
C:\Windows\System32\Drivers\core.cache.dsk

Registry keys to delete:
HKEY_LOCAL_MACHINE\Software\Microsoft\Active Setup\Installed Components\{2352721C-2267-DB51-0008-030706070804}

Note: the above script was made specifically for this user. If you are not this user, do not follow these directions, as they could damage the workings of your system
  • Now click the "Done" button.
  • Click on the Green Light and OK the prompt.
  • You will be asked to reboot; click OK on the prompt and it should reboot your computer; if not, reboot it yourself.
  • A log file from The Avenger will be produced at C:\avenger.txt
The Avenger will automatically do the following:
  • It will restart your computer. (In cases where the code to execute contains "Drivers to unload", The Avenger will actually restart your system twice.)
  • On reboot, it will briefly open a black command window on your desktop; this is normal.
  • After the restart, it creates a log file that should open with the results of The Avenger's actions.
  • This log file will be located at C:\avenger.txt
  • The Avenger will also have backed up all the files, etc., that it was asked to delete, and will have zipped them and moved them to the zip archive C:\avenger\backup.zip.
  • Please attach that C:\avenger.txt in your next post.
----------

Next post
Avenger log

#9
21 January 2008, 23:09
Member

alright, here goes. still popups btw.

Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\hptxmheu

*******************

Script file located at: wqwsrviw
Could not open script file! Error
Could not open script file! Status: 0xc000003b Abort!
#10
21 January 2008, 23:16
Member

Whoops, my bad. I redid it, cuz the log didn't look right, and apparently it didn't do something right the first time. Here's the new log. oh, and there are still popups.

Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\mkawvjax

*******************

Script file located at: \??\C:\WINDOWS\system32\ygueewld.txt
Script file opened successfully.
Script file read successfully
Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Folder C:\Temp\tn3 deleted successfully.
File C:\Windows\System32\Drivers\core.cache.dsk deleted successfully.
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Active Setup\Installed Components\{2352721C-2267-DB51-0008-030706070804} deleted successfully.

Completed script processing.

*******************

Finished! Terminate.

Copyright © 2006 - 2009 Computer soka.