Worried

galedm

Beginner
Posts
1
Hey people, how do I get rid of the trojan win32-small-gen2? It blocks my work on the net and it irritates me. I have Avast antivirus and it recognizes it, but it can't delete it completely. I downloaded some trojan remover too, but it can't destroy it either. Does anyone have a suggestion? :cry:
 
Or like this:

Logfile of HijackThis v1.99.0
Scan saved at 2:37:55 PM, on 3/29/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\SYSTEM32\Ati2evxx.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\DAEMON Tools\daemon.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\WINDOWS\SYSTEM32\SRPSKEY.EXE
C:\Program Files\Winamp\winampa.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\NCLAUNCH.EXe
C:\WINDOWS\System32\ctfmon.exe
C:\Documents and Settings\Tadic\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://awebfind.biz/sp.htm
R1 - HKLM\Software\Microsoft\Internet Explorer,SearchURL = http://awebfind.biz/sp.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.krstarica.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://awebfind.biz/sp.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://ads.softwareoutfit.com/ggl_start.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - Default URLSearchHook is missing
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {14D1A72D-8705-11D8-B120-0040F46CB696} - (no file)
O2 - BHO: (no name) - {3EC8E271-FAB9-418a-8A8E-65AEB4029E64} - (no file)
O2 - BHO: (no name) - {45AD732C-2CE2-4666-B366-B2214AD57A49} - (no file)
O2 - BHO: SafeGuard Protect PCShield - {564FFB73-9EEF-4969-92FA-5FC4A92E2C2A} - C:\WINDOWS\System32\sfg_0a67.dll
O2 - BHO: (no name) - {77849D67-5672-4B68-93E2-CCEFF1E3949E} - (no file)
O2 - BHO: (no name) - {898827FA-0AE9-4F7A-ADD9-1E7CE37CF4B0} - (no file)
O2 - BHO: (no name) - {9B053E00-78D3-47AE-B763-60FF36FF2886} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [ALOT MoniCA Eye] C:\WINDOWS\eye.exe
O4 - HKLM\..\Run: [PCShield] regsvr32 /s "C:\WINDOWS\System32\sfg_0a67.dll"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [srpskey] C:\WINDOWS\SYSTEM32\SRPSKEY.EXE
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [ggcuyivy] C:\WINDOWS\System32\ggcuyivy.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [NCLaunch] C:\WINDOWS\NCLAUNCH.EXe
O4 - HKCU\..\Run: [PCShield] regsvr32 /s "C:\WINDOWS\System32\sfg_0a67.dll"
O4 - HKCU\..\Run: [NOMAD Detector] "E:\Creative\SBLive\PlayCenter2\CTNMRun.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\MICROS~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Subscribe in Desktop Sidebar - {09FE188B-6E85-479e-9411-51FB2220DF80} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Subscribe in Desktop Sidebar - {09FE188B-6E85-479e-9411-51FB2220DF80} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {093F9CF8-0DE1-491C-95D5-5EC257BD4CA3} - http://akamai.downloadv3.com/binaries/IA/dtc32_EN_XP.cab
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocache/funwebproducts/ei/SmileyCentralInitialSetup1.0.0.8.cab
O16 - DPF: {A02780C3-7F77-4E28-855B-28890F3CF37A} - http://akamai.downloadv3.com/binaries/DialHTML/EGCOMLIB_1034_pack_XP.cab
O16 - DPF: {CF5F84EB-D3FC-4F98-BE3B-F5B56B962CED} - http://akamai.downloadv3.com/binaries/DialHTML/EGCOMLIB_1035_XP.cab
O21 - SSODL: IEFilter - {57ED652D-B1B7-48E7-A5BB-7BBD348DDEB7} - (no file)
O23 - Service: avast! iAVS4 Control Service - Unknown - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: avast! Antivirus - Unknown - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: InstallDriver Table Manager - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LexBce Server - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
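The replies in this thread pick individual entries out of the log above by eye. As an added example (not code from the thread, from HijackThis or from any of the tools named later), the following Python script runs the same kind of checks an analyst applies to such a log: R1 search/start-page keys pointing at a third-party host, O4 Run entries that re-register a DLL with regsvr32 at every logon (cross-referenced against the O2 BHO list, because a DLL present in both will come back as long as either entry survives), autostarts in the Windows directory that are not on a known-good list, orphaned CLSIDs with "(no file)", and O16 ActiveX packages with the host they were fetched from. The sample lines are copied from the log above; the KNOWN_GOOD_WINDIR set is an assumption made for this example, and "review" findings are items to look up, not verdicts.

```python
"""Heuristic triage of a HijackThis log (added example; not from the thread or HijackThis)."""
import re
from collections import Counter
from urllib.parse import urlparse

# Entry lines copied from the log posted above, trimmed to the interesting ones.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://awebfind.biz/sp.htm
R1 - HKLM\Software\Microsoft\Internet Explorer,SearchURL = http://awebfind.biz/sp.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.krstarica.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://awebfind.biz/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://ads.softwareoutfit.com/ggl_start.php
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {14D1A72D-8705-11D8-B120-0040F46CB696} - (no file)
O2 - BHO: SafeGuard Protect PCShield - {564FFB73-9EEF-4969-92FA-5FC4A92E2C2A} - C:\WINDOWS\System32\sfg_0a67.dll
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [ALOT MoniCA Eye] C:\WINDOWS\eye.exe
O4 - HKLM\..\Run: [PCShield] regsvr32 /s "C:\WINDOWS\System32\sfg_0a67.dll"
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [ggcuyivy] C:\WINDOWS\System32\ggcuyivy.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [PCShield] regsvr32 /s "C:\WINDOWS\System32\sfg_0a67.dll"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O16 - DPF: {093F9CF8-0DE1-491C-95D5-5EC257BD4CA3} - http://akamai.downloadv3.com/binaries/IA/dtc32_EN_XP.cab
O21 - SSODL: IEFilter - {57ED652D-B1B7-48E7-A5BB-7BBD348DDEB7} - (no file)
"""

# ASSUMPTION: autostarts living in the Windows directory that are known-good on this box.
# A real analyst checks every name against a vetted startup database instead of a fixed set.
KNOWN_GOOD_WINDIR = {"agrsmmsg.exe", "soundman.exe", "nerocheck.exe", "ctfmon.exe"}

ENTRY_RE = re.compile(r"^(?P<kind>[RO]\d+) - (?P<body>.+)$")
RUN_RE = re.compile(r"^(HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
WINDIR_RE = re.compile(r"^c:\\windows(\\system32)?\\[^\\]+\.exe$", re.I)
REGSVR_RE = re.compile(r'regsvr32\b.*?"?(?P<dll>[A-Za-z]:\\[^"]+\.dll)"?', re.I)
HIJACK_KEYS = ("SearchURL", "CustomizeSearch", "Start Page_bak")


def parse_entries(text):
    """Return (kind, body) for every 'Rn - ...' / 'On - ...' line; process list and headers are skipped."""
    hits = (ENTRY_RE.match(line.strip()) for line in text.splitlines())
    return [(m.group("kind"), m.group("body")) for m in hits if m]


def exe_path(cmd):
    """Executable part of a Run-key command line: the quoted path, or the first token if unquoted."""
    cmd = cmd.strip()
    return cmd[1:cmd.index('"', 1)] if cmd.startswith('"') else cmd.split(" ", 1)[0]


def analyze(text):
    """Return findings as (severity, kind, note, entry) tuples."""
    entries = parse_entries(text)
    # DLLs loaded as Browser Helper Objects, so regsvr32 Run entries can be cross-referenced.
    bho_dlls = {b.rsplit(" - ", 1)[-1].lower() for k, b in entries if k == "O2" and not b.endswith("(no file)")}
    findings = []
    for kind, body in entries:
        if kind == "R1":
            key, _, value = body.partition(" = ")
            if value and any(h in key for h in HIJACK_KEYS):
                findings.append(("high", kind, f"search/start-page hijack to {urlparse(value).hostname}", body))
        elif kind in ("O2", "O21") and body.endswith("(no file)"):
            findings.append(("low", kind, "orphaned CLSID, no DLL on disk; cleanup only", body))
        elif kind == "O4" and (m := RUN_RE.match(body)):
            reg = REGSVR_RE.search(m.group("cmd"))
            if reg:
                note = "regsvr32 re-registers this DLL at every logon"
                if reg.group("dll").lower() in bho_dlls:
                    note += "; it is also a BHO, so fixing only the O2 line will not stick"
                findings.append(("high", kind, note, body))
                continue
            path = exe_path(m.group("cmd"))
            # A bare file name is resolved through the system search path, so treat it as Windows-dir too.
            in_windir = "\\" not in path or WINDIR_RE.match(path) is not None
            if in_windir and path.rsplit("\\", 1)[-1].lower() not in KNOWN_GOOD_WINDIR:
                findings.append(("review", kind, "unlisted autostart in the Windows directory", body))
        elif kind == "O16":
            host = urlparse(body.rsplit(" - ", 1)[-1]).hostname
            findings.append(("review", kind, f"ActiveX package installed from {host}; verify the publisher", body))
    return findings


def summary(findings):
    """Count findings per severity."""
    return dict(Counter(sev for sev, *_ in findings))


if __name__ == "__main__":
    for sev, kind, note, entry in analyze(SAMPLE_LOG):
        print(f"[{sev:6}] {kind}: {note}\n         {entry}")
    print(summary(analyze(SAMPLE_LOG)))
```

On the sample it reports six "high" items (the four awebfind.biz / softwareoutfit.com search keys and the two PCShield regsvr32 entries, both tied to the O2 BHO), three "review" items (eye.exe, ggcuyivy.exe, the downloadv3.com CAB) and two orphaned CLSIDs, while ctfmon.exe, the avast! tray program, DAEMON Tools and the Adobe BHO pass untouched.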
 
Nclaunch.exe is used by the SWF Studio application when building a self-installing screensaver and should not be a problem. On the other hand, ggcuyivy.exe is almost certainly some virus that has settled in, especially considering the name and the location (system32) where it sits.
 
bojan p:
Nclaunch.exe is used by the SWF Studio application when building a self-installing screensaver and should not be a problem. On the other hand, ggcuyivy.exe is almost certainly some virus that has settled in, especially considering the name and the location (system32) where it sits.
Aha. So that's it. It looked a bit odd to me because of this .EXe, the lowercase e at the end. :|
 
bojan p:
Nclaunch.exe is used by the SWF Studio application when building a self-installing screensaver and should not be a problem. On the other hand, ggcuyivy.exe is almost certainly some virus that has settled in, especially considering the name and the location (system32) where it sits.

Yes, that's probably it, since I have some program for making screensavers,
and this ggcuyivy.exe I'll delete, and then we'll see.
 
Mr X:
I deleted what was suspicious, but no luck.

And what is svchost.exe? There's an error in it, since it says "svchost.exe - application error".
Is that ggcuyivy.exe process still in the process list when you start the computer, and is the file still in c:\system32, given that you deleted it in safe mode and restarted?

Where does it say svchost.exe - application error?
 
I deleted it with this HijackThis, not in safe mode; I only turned off System Restore.
And "svchost.exe - application error" is in the dialog box that pops up every few minutes:

The instruction at "0x77c43dbd" referenced memory at "0x41414141". the memory could not be written.

Click on OK to terminate the program

Click on CANCEL to debug the program
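The dialog quoted above reports a faulting address of 0x41414141. Read as four little-endian bytes that is "AAAA": a repeated-byte pattern is the classic sign of a pointer that has been overwritten by input data (an overflow or a corrupted structure in the process), not of failing hardware. As an added example (not code from the thread or from any tool named in it), this Python helper parses that dialog text and classifies the faulting address the way a crash analyst does at first glance. The 2 GB user/kernel split it assumes is the default for 32-bit Windows XP; the near-null threshold is the 64 KB no-access region at the bottom of the user address space.

```python
"""Classify the faulting address from a Windows "application error" dialog (added example)."""
import re

# Dialog text exactly as quoted in the thread.
DIALOG = ('The instruction at "0x77c43dbd" referenced memory at "0x41414141". '
          'the memory could not be written.')

ERR_RE = re.compile(
    r'instruction at "0x([0-9a-f]{8})" referenced memory at "0x([0-9a-f]{8})"\.'
    r'\s*the memory could not be (read|written)', re.I)

USER_KERNEL_SPLIT = 0x80000000  # ASSUMPTION: default 2 GB split, no /3GB switch
NULL_PAGE_LIMIT = 0x10000       # first 64 KB is never mapped for user code


def parse_dialog(text):
    """Extract EIP, faulting address and access type from the dialog text."""
    m = ERR_RE.search(text)
    if not m:
        raise ValueError("not a recognised application-error message")
    return {"eip": int(m.group(1), 16), "fault": int(m.group(2), 16), "op": m.group(3).lower()}


def classify_fault(addr):
    """First-glance reading of a 32-bit faulting address."""
    b = addr.to_bytes(4, "little")
    if addr < NULL_PAGE_LIMIT:
        return "near-null: a NULL or uninitialised pointer plus a small offset"
    if addr >= USER_KERNEL_SPLIT:
        return "kernel range: user-mode code dereferenced a bogus high address"
    if len(set(b)) == 1 and 0x20 <= b[0] < 0x7F:
        # All four bytes identical and printable: the pointer holds filler from the input stream.
        return f"fill pattern {b.decode('ascii')!r}: pointer overwritten by repeated input bytes"
    if all(0x20 <= x < 0x7F for x in b):
        return f"ASCII {b.decode('ascii')!r}: pointer overwritten by text-like data"
    return "ordinary user-mode address: identify the module at EIP and look at its state"


def triage(text):
    """Parse the dialog and attach a verdict for the faulting address."""
    info = parse_dialog(text)
    info["verdict"] = classify_fault(info["fault"])
    return info


if __name__ == "__main__":
    for key, value in triage(DIALOG).items():
        print(f"{key:8}: {value:#x}" if isinstance(value, int) else f"{key:8}: {value}")
```

For the thread's dialog the verdict is the fill-pattern case; a "could not be written" fault through such a pointer means the process is storing data via a corrupted pointer, which is why the advice that follows treats it as a software infestation to be cleaned rather than a hardware fault.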
 
Mr X:
I deleted it with this HijackThis, not in safe mode; I only turned off System Restore.
And "svchost.exe - application error" is in the dialog box that pops up every few minutes:

The instruction at "0x77c43dbd" referenced memory at "0x41414141". the memory could not be written.

Click on OK to terminate the program

Click on CANCEL to debug the program
It's probably not a hardware problem; rather, you still have some strangers hanging around in there. Boot the computer in safe mode and then scan with the antivirus program you have (update the virus signature database first), and then check whether you also have some spyware using Ad-Aware or Spybot. After that, restart into safe mode again and post the HijackThis report.
 
Mr X, fix these items with HijackThis, preferably in safe mode:

O2 - BHO: SafeGuard Protect PCShield - {564FFB73-9EEF-4969-92FA-5FC4A92E2C2A} - C:\WINDOWS\System32\sfg_0a67.dll
O4 - HKLM\..\Run: [ALOT MoniCA Eye] C:\WINDOWS\eye.exe
O4 - HKLM\..\Run: [PCShield] regsvr32 /s "C:\WINDOWS\System32\sfg_0a67.dll"
O4 - HKLM\..\Run: [ggcuyivy] C:\WINDOWS\System32\ggcuyivy.exe
O4 - HKCU\..\Run: [PCShield] regsvr32 /s "C:\WINDOWS\System32\sfg_0a67.dll"

"SafeGuard Protect PCShield": you're not the first to catch this; it is classified everywhere in the world as spyware.

And then comes the quote:
Description: eye.exe is located in a subfolder of "C:\Program Files". Known file sizes on Windows XP are 496640 bytes (66% of all occurrence), 495104 bytes.
File eye.exe is not a Windows core file. The program is not visible. The program listens for or sends data on open ports to LAN or Internet. eye.exe is able to record inputs, manipulate other programs. Therefore the technical security rating is 41% dangerous.
Important: Some malware camouflage themselves as eye.exe, particularly if they are located in c:\windows or c:\windows\system32 folder. Thus check the eye.exe process on your pc whether it is pest. We recommend Security Task Manager for verifying your computer's security. It is one of the Top Download Picks of 2005 of The Washington Post and PC World.
from: http://www.file.net/process/eye.exe.html

Go into safe mode and fix these entries with HijackThis, install the following items, grab the updates for them, and do all of that in safe mode as well:
SpywareBlaster 3.4 http://majorgeeks.com/download2859.html
AdAware SE 1.06 http://www.majorgeeks.com/download506.html - * NEW *
SpyBot V1.4 http://www.majorgeeks.com/download2471.html
MS AntiSpy - http://download.microsoft.com/ (XP and W2K only)
After that, scan again with HijackThis and post the log here again.

PS Sorry, but I have a lot of obligations these last few days, so I rarely grab a little time for the forum, but it will get better.
 
snejks:
Mr X, fix these items with HijackThis, preferably in safe mode:

O2 - BHO: SafeGuard Protect PCShield - {564FFB73-9EEF-4969-92FA-5FC4A92E2C2A} - C:\WINDOWS\System32\sfg_0a67.dll
O4 - HKLM\..\Run: [ALOT MoniCA Eye] C:\WINDOWS\eye.exe
O4 - HKLM\..\Run: [PCShield] regsvr32 /s "C:\WINDOWS\System32\sfg_0a67.dll"
O4 - HKLM\..\Run: [ggcuyivy] C:\WINDOWS\System32\ggcuyivy.exe
O4 - HKCU\..\Run: [PCShield] regsvr32 /s "C:\WINDOWS\System32\sfg_0a67.dll"

"SafeGuard Protect PCShield": you're not the first to catch this; it is classified everywhere in the world as spyware.

And then comes the quote:
Description: eye.exe is located in a subfolder of "C:\Program Files". Known file sizes on Windows XP are 496640 bytes (66% of all occurrence), 495104 bytes.
File eye.exe is not a Windows core file. The program is not visible. The program listens for or sends data on open ports to LAN or Internet. eye.exe is able to record inputs, manipulate other programs. Therefore the technical security rating is 41% dangerous.
Important: Some malware camouflage themselves as eye.exe, particularly if they are located in c:\windows or c:\windows\system32 folder. Thus check the eye.exe process on your pc whether it is pest. We recommend Security Task Manager for verifying your computer's security. It is one of the Top Download Picks of 2005 of The Washington Post and PC World.
from: http://www.file.net/process/eye.exe.html

Go into safe mode and fix these entries with HijackThis, install the following items, grab the updates for them, and do all of that in safe mode as well:
SpywareBlaster 3.4 http://majorgeeks.com/download2859.html
AdAware SE 1.06 http://www.majorgeeks.com/download506.html - * NEW *
SpyBot V1.4 http://www.majorgeeks.com/download2471.html
MS AntiSpy - http://download.microsoft.com/ (XP and W2K only)
After that, scan again with HijackThis and post the log here again.

PS Sorry, but I have a lot of obligations these last few days, so I rarely grab a little time for the forum, but it will get better.

I did everything you wrote; I just couldn't find MS AntiSpy.
It's unbelievable how many trojans and other "junk" I deleted.
Now my net connection no longer drops, but the same error still appears, only when I open Internet Explorer. And when I click OK or CANCEL, Explorer closes, and when I open it again it can't find any site.
So I ignore the error window (move it aside); only that way does my net connection work normally.
 
