For dr Bora !!! Virus: malware Win32: Zlober [Drp]

  #1  Beginner (joined 06.09.2007, 43 posts)

    Greetings to dr Bora,
    I have a problem with a virus named: malware Win32: Zlober [Drp], type: cuckoo's egg, which only activates when I connect to the internet. It keeps cloning itself and causing problems. It is always detected by the Avast AV program I use, and I put it in the Chest.
    I read your instructions for removing malware problems on your own.
    I used:
    AV Avast 4.7 home version,
    Spybot-Search & Destroy (scanned from Safe Mode),
    Ad-Aware SE Personal,
    Spyware Terminator.

    The result is NEGATIVE. The virus cannot be removed.
    I use a dial-up connection to access the internet.

    Following your instructions I used the HijackThis program, and after running the procedure the following log file came out:

    Logfile of HijackThis v1.99.1
    Scan saved at 12:42:58, on 25.11.2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    C:\Program Files\Alwil Software\Avast4\ashServ.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\VTTimer.exe
    C:\WINDOWS\system32\VTtrayp.exe
    C:\WINDOWS\sm56hlpr.exe
    C:\WINDOWS\SOUNDMAN.EXE
    C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
    C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
    C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    C:\Program Files\Hewlett-Packard\OrderReminder\OrderReminder.exe
    C:\Program Files\Common Files\InterVideo\SchSvr\SchSvr.exe
    C:\Program Files\InterVideo\WinDVR3\WinRemote.exe
    C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
    C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\IDA\ida.exe
    C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
    C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe
    C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\Program Files\Multimedia Protector Premium\1.3\checkupdmp.exe
    C:\Program Files\Spyware Terminator\sp_rsser.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
    C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqSTE08.exe
    C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\totalcmd\TOTALCMD.EXE
    D:\Install\Pomoc na FORUM-u\Pomoc preko FORUM-a.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.crawler.com/search/dispatcher.aspx?tp=aus&qkw=%s&tbid=60327
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.crawler.com/search/ie.aspx?tb_id=60327
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = http://dnl.crawler.com/support/sa_customize.aspx?TbId=60327
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.crawler.com/search/ie.aspx?tb_id=60327
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://dnl.crawler.com/support/sa_customize.aspx?TbId=60327
    R3 - URLSearchHook: (no name) - {1CB20BF0-BBAE-40A7-93F4-6435FF3D0411} - C:\PROGRA~1\Crawler\Toolbar\ctbr.dll
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {1CB20BF0-BBAE-40A7-93F4-6435FF3D0411} - C:\PROGRA~1\Crawler\Toolbar\ctbr.dll
    O2 - BHO: Solid Converter PDF - {259F616C-A300-44F5-B04A-ED001A26C85C} - C:\Program Files\SolidDocuments\SolidConverterPDF\SCPDF\ExploreExtPDF.dll
    O2 - BHO: IE 4.x-6.x BHO for Internet Download Accelerator - {2A646672-9C3A-4C28-9A7A-1FB0F63F28B6} - C:\PROGRA~1\IDA\idaiehlp.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O3 - Toolbar: Solid Converter PDF - {259F616C-A300-44F5-B04A-ED001A26C85C} - C:\Program Files\SolidDocuments\SolidConverterPDF\SCPDF\ExploreExtPDF.dll
    O3 - Toolbar: &Crawler Toolbar - {4B3803EA-5230-4DC3-A7FC-33638F3D3542} - C:\PROGRA~1\Crawler\Toolbar\ctbr.dll
    O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
    O4 - HKLM\..\Run: [VTTrayp] VTtrayp.exe
    O4 - HKLM\..\Run: [SMSERIAL] sm56hlpr.exe
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb07.exe
    O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
    O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    O4 - HKLM\..\Run: [OrderReminder] C:\Program Files\Hewlett-Packard\OrderReminder\OrderReminder.exe
    O4 - HKLM\..\Run: [WinDVR SchSvr] "C:\Program Files\Common Files\InterVideo\SchSvr\SchSvr.exe"
    O4 - HKLM\..\Run: [WinRemote] "C:\Program Files\InterVideo\WinDVR3\WinRemote.exe"
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
    O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
    O4 - HKLM\..\Run: [SpywareTerminator] "C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe"
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
    O4 - HKCU\..\Run: [Internet Download Accelerator] C:\Program Files\IDA\ida.exe -autorun
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe
    O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
    O8 - Extra context menu item: Crawler Search - tbr:iemenu
    O8 - Extra context menu item: Download ALL with IDA - C:\Program Files\IDA\idaieall.htm
    O8 - Extra context menu item: Download with IDA - C:\Program Files\IDA\idaie.htm
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Internet Download Accelerator - {9819CC0E-9669-4D01-9CD7-2C66DA43AC6C} - C:\Program Files\IDA\ida.exe
    O9 - Extra 'Tools' menuitem: &Internet Download Accelerator - {9819CC0E-9669-4D01-9CD7-2C66DA43AC6C} - C:\Program Files\IDA\ida.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra button: (no name) - SolidConverterPDF - (no file) (HKCU)
    O18 - Protocol: tbr - {4D25FB7A-8902-4291-960E-9ADA051CFBBF} - C:\PROGRA~1\Crawler\Toolbar\ctbr.dll
    O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
    O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
    O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
    O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
    O23 - Service: Mirage Computer Systems: Multimedia Protector update permissions manager. 14007. - Unknown owner - C:\Program Files\Multimedia Protector Premium\1.3\checkupdmp.exe
    O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
    O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
    O23 - Service: Spyware Terminator Realtime Shield Service (sp_rssrv) - Crawler.com - C:\Program Files\Spyware Terminator\sp_rsser.exe

    Greetings from a worried student.
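The HijackThis log format above (one "section - body" finding per line after the process list) is simple enough to triage with a script before reading it by hand. The following is an added example, not code from the thread or from HijackThis itself; it parses the log and flags the entry types a reviewer checks first: services marked "(file missing)", browser hooks and BHOs with "(no name)", services with "Unknown owner", autostarts given as a bare file name (resolved through the search path) and autostarts under user-writable directories such as Temp. The sample log is constructed from lines of the first post; the "[example]" Run entry pointing into the Temp folder is invented to exercise that check and appears in no posted log. A flag is a reason to look at the file, not a verdict.

```python
import re

# Constructed sample in the HijackThis v1.99 format from the thread. Most lines
# are copied from the first log posted above; the "[example]" Run entry under
# the Temp folder is made up to exercise the user-writable-path check and does
# NOT appear in any posted log.
SAMPLE_HJT_LOG = r"""Logfile of HijackThis v1.99.1
Scan saved at 12:42:58, on 25.11.2007
Platform: Windows XP SP2 (WinNT 5.01.2600)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.crawler.com/search/dispatcher.aspx?tp=aus&qkw=%s&tbid=60327
R3 - URLSearchHook: (no name) - {1CB20BF0-BBAE-40A7-93F4-6435FF3D0411} - C:\PROGRA~1\Crawler\Toolbar\ctbr.dll
O2 - BHO: (no name) - {1CB20BF0-BBAE-40A7-93F4-6435FF3D0411} - C:\PROGRA~1\Crawler\Toolbar\ctbr.dll
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [Internet Download Accelerator] C:\Program Files\IDA\ida.exe -autorun
O4 - HKCU\..\Run: [example] C:\DOCUME~1\User\LOCALS~1\Temp\example.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
"""

# Every HijackThis finding is "<section> - <body>", section = R0..R3, F0..F3, O1..O24.
ENTRY_RE = re.compile(r"^([RFO]\d{1,2}) - (.*)$")
# First file reference in an autostart command line, with or without quotes.
EXE_RE = re.compile(r'^"?(?P<path>.*?\.(?:exe|scr|com|bat|cmd|vbs|dll))', re.I)
# Directories an unprivileged user can write to on XP (8.3 and long forms).
USER_WRITABLE = ("\\temp\\", "\\documents and settings\\", "\\docume~1\\", "\\application data\\")


def parse_hjt(text):
    """Split a log into the 'Running processes' list and the lettered
    findings. Returns (processes, entries); entries are (section, body)
    tuples in log order."""
    processes, entries = [], []
    in_procs = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            in_procs = False          # a blank line closes the process list
            continue
        if line == "Running processes:":
            in_procs = True
            continue
        if in_procs:
            processes.append(line)
            continue
        m = ENTRY_RE.match(line)
        if m:
            entries.append((m.group(1), m.group(2)))
    return processes, entries


def autostart_target(body):
    """File launched by an O4 body such as 'HKLM\\..\\Run: [name] C:\\x.exe -flag'
    or 'Global Startup: x.lnk = C:\\x.exe'; '' if none is found."""
    cmd = body.split("] ", 1)[1] if "] " in body else body.split(" = ", 1)[-1]
    m = EXE_RE.match(cmd.strip())
    return m.group("path") if m else ""


def flag_entries(entries):
    """Return (section, body, reason) for the entries a log reader checks
    first. These are triage heuristics, not verdicts: every hit still needs a
    look at the file itself (publisher, hash, what it actually is)."""
    flags = []
    for section, body in entries:
        low = body.lower()
        if "(file missing)" in low:
            flags.append((section, body, "registered file is not on disk"))
        elif section in ("R3", "O2", "O3") and "(no name)" in low:
            flags.append((section, body, "browser hook or BHO without a display name"))
        elif section == "O23" and "unknown owner" in low:
            flags.append((section, body, "service binary carries no recognised publisher"))
        elif section == "O4":
            target = autostart_target(body)
            if target and "\\" not in target:
                flags.append((section, body, "bare file name, located via the search path"))
            elif any(d in target.lower() for d in USER_WRITABLE):
                flags.append((section, body, "autostart from a user-writable location"))
    return flags


if __name__ == "__main__":
    procs, ents = parse_hjt(SAMPLE_HJT_LOG)
    print("%d processes, %d entries" % (len(procs), len(ents)))
    for section, body, reason in flag_entries(ents):
        print("%-4s %-45s %s" % (section, reason, body[:70]))
```

Run against the full log from the first post, this flags the two avast scanner services marked "(file missing)", the nameless Crawler toolbar hooks, the "Unknown owner" services and the bare-name Run entries (VTTimer, VTtrayp, sm56hlpr, SOUNDMAN); all of those turn out to be legitimate on this machine, which is the point of the "look, then decide" approach.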



  #2  dr_Bora, Active member (joined 27.12.2004, 1,248 posts)

    Do you use Multimedia Protector Premium (and what is it for)?

    Write down exactly in which file the AV detects the malware.
    Last edited by dr_Bora: 25.11.2007 at 14:16

  #3  Beginner (joined 06.09.2007, 43 posts)

    I use the Multimedia Protector Premium program; it is for protecting CDs against copying.
    Anyway, the virus problem dates from before I installed that program.
    Avast! 4.7 AV locates it and places it in a temporary file:
    C:\DOCUME~1\User\LOCALS~1\Temp

  #4  dr_Bora, Active member (joined 27.12.2004, 1,248 posts)

    Download ComboFix from one of the following links and save it to the Desktop:
    download link 1, download link 2
    • Temporarily disable the AV program so it does not interfere with the cleaning process
    • Double-click ComboFix.exe and follow the instructions
    • Do not click the mouse in the ComboFix window while it is running!
    • When the process is finished, the logfile C:\ComboFix.txt will open in Notepad
    • Copy the contents of that logfile into the forum thread

  #5  Beginner (joined 06.09.2007, 43 posts)

    After running ComboFix the following logfile was obtained:

    ComboFix 07-11-19.3 - User 2007-11-25 15:06:03.1 - NTFSx86
    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.67 [GMT 1:00]
    Running from: C:\Documents and Settings\User\Desktop\ComboFix.exe
    * Created a new restore point
    .
    ADS - svchost.exe: deleted 68 bytes in 1 streams.
    ADS - ntoskrnl.exe: deleted 36 bytes in 1 streams.

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    C:\Documents and Settings\User\ravmonlog

    .
    ((((((((((((((((((((((((( Files Created from 2007-10-25 to 2007-11-25 )))))))))))))))))))))))))))))))
    .

    2007-11-25 11:51 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Lavasoft
    2007-11-25 11:44 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Spyware Terminator
    2007-11-23 21:01 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spyware Terminator
    2007-11-23 21:00 <DIR> d-------- C:\Program Files\Common Files\HP
    2007-11-23 21:00 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Tehnicki fakultet u Boru
    2007-11-23 21:00 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\HP
    2007-11-23 20:59 <DIR> d-------- C:\WINDOWS\Sun
    2007-11-23 20:59 <DIR> d-------- C:\Program Files\RichVideoCodec
    2007-11-23 20:59 <DIR> d-------- C:\Documents and Settings\User\Application Data\WtmCDProtect
    2007-11-23 18:53 138,752 --a------ C:\WINDOWS\system32\drivers\sp_rsdrv2.sys
    2007-11-23 18:31 <DIR> d-------- C:\Program Files\Crawler
    2007-11-23 18:30 <DIR> d-------- C:\Program Files\Spyware Terminator
    2007-11-23 18:30 <DIR> d-------- C:\Documents and Settings\User\Application Data\Spyware Terminator
    2007-11-18 12:59 <DIR> d-------- C:\Program Files\Multimedia Protector Premium
    2007-11-16 18:19 <DIR> d---s---- C:\Documents and Settings\User\UserData
    2007-11-16 17:36 <DIR> d-------- C:\Documents and Settings\User\Application Data\Image Zone Express
    2007-11-16 15:01 <DIR> d-------- C:\Documents and Settings\User\Application Data\HP
    2007-11-16 14:55 77,824 -ra------ C:\WINDOWS\system32\HPZIDS01.dll
    2007-11-16 14:55 49,664 -ra------ C:\WINDOWS\system32\drivers\HPZid412.sys
    2007-11-16 14:55 48,128 --a------ C:\WINDOWS\system32\hpzll054.dll
    2007-11-16 14:55 16,496 -ra------ C:\WINDOWS\system32\drivers\HPZipr12.sys
    2007-11-16 14:53 282,680 --a------ C:\WINDOWS\system32\HPZidr12.dll
    2007-11-16 14:53 204,800 --a------ C:\WINDOWS\system32\HPZipr12.dll
    2007-11-16 14:53 94,208 --a------ C:\WINDOWS\system32\HPZipt12.dll
    2007-11-16 14:53 69,632 --a------ C:\WINDOWS\system32\HPZipm12.exe
    2007-11-16 14:53 65,536 --a------ C:\WINDOWS\system32\HPZinw12.exe
    2007-11-16 14:53 57,344 --a------ C:\WINDOWS\system32\HPZisn12.dll
    2007-11-16 14:52 <DIR> d-------- C:\Program Files\HP
    2007-11-16 14:49 31,744 --a------ C:\WINDOWS\system32\drivers\usbccgp.sys
    2007-11-16 14:49 31,744 --a--c--- C:\WINDOWS\system32\dllcache\usbccgp.sys
    2007-11-16 14:47 117,699 --a------ C:\WINDOWS\hpoins11.dat
    2007-11-16 10:41 204,800 -ra------ C:\WINDOWS\nMconfig.exe
    2007-11-16 10:41 62,824 -ra------ C:\WINDOWS\system32\drivers\nMUSB.sys
    2007-11-16 10:41 45,056 -ra------ C:\WINDOWS\system32\nMenum.dll
    2007-11-16 10:41 25,600 --a------ C:\WINDOWS\system32\drivers\usbser.sys
    2007-11-16 10:41 25,600 --a--c--- C:\WINDOWS\system32\dllcache\usbser.sys
    2007-11-11 11:55 <DIR> d-------- C:\Program Files\Alcohol Soft
    2007-11-05 17:34 <DIR> d-------- C:\Program Files\Wtm CD Protect
    2007-10-29 20:26 <DIR> d-------- C:\Program Files\Common Files\SolidDocuments
    2007-10-29 20:26 20,569 --a------ C:\WINDOWS\system32\pxc25pm.dll
    2007-10-29 20:23 <DIR> d-------- C:\Documents and Settings\User\Application Data\SolidDocuments
    2007-10-29 19:09 <DIR> d-------- C:\Program Files\SolidDocuments

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2007-11-23 20:01 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
    2007-11-23 20:00 --------- d-----w C:\Program Files\Hewlett-Packard
    2007-11-23 19:59 --------- d-----w C:\Program Files\SmartDraw 2008
    2007-11-23 19:58 --------- d-----w C:\Program Files\Common Files\Ahead
    2007-11-23 19:58 --------- d-----w C:\Documents and Settings\All Users\Application Data\Nero
    2007-11-23 13:21 --------- d-----w C:\Documents and Settings\User\Application Data\AdobeUM
    2007-11-23 12:59 --------- d-----w C:\Program Files\QMwin32
    2007-11-04 18:58 --------- d-----w C:\Program Files\PDFCreator
    2007-10-25 17:05 94,416 ----a-w C:\WINDOWS\system32\drivers\aswmon2.sys
    2007-10-25 17:05 93,264 ----a-w C:\WINDOWS\system32\drivers\aswmon.sys
    2007-10-25 17:03 23,152 ----a-w C:\WINDOWS\system32\drivers\aswRdr.sys
    2007-10-25 17:01 42,912 ----a-w C:\WINDOWS\system32\drivers\aswTdi.sys
    2007-10-25 16:58 26,624 ----a-w C:\WINDOWS\system32\drivers\aavmker4.sys
    2007-10-25 16:24 815,480 ----a-w C:\WINDOWS\system32\aswBoot.exe
    2007-10-25 16:14 95,608 ----a-w C:\WINDOWS\system32\AVASTSS.scr
    2007-09-30 15:31 --------- d-----w C:\Program Files\Google
    2007-09-28 14:23 --------- d--h--w C:\Program Files\InstallShield Installation Information
    2007-09-28 14:23 --------- d-----w C:\Program Files\ROUTE66
    2007-09-28 07:46 --------- d-----w C:\Documents and Settings\User\Application Data\Ahead
    2007-09-28 07:41 --------- d-----w C:\Documents and Settings\All Users\Application Data\Ahead
    2007-09-25 11:57 --------- d-----w C:\Program Files\Ahead
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-03 23:56]
    "BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2007-06-27 18:03]
    "Internet Download Accelerator"="C:\Program Files\IDA\ida.exe" [2006-12-15 16:38]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "VTTimer"="VTTimer.exe" [2005-03-08 03:33 C:\WINDOWS\system32\VTTimer.exe]
    "VTTrayp"="VTtrayp.exe" [2005-11-01 04:15 C:\WINDOWS\system32\VTTrayp.exe]
    "SMSERIAL"="sm56hlpr.exe" [2004-12-29 06:01 C:\WINDOWS\sm56hlpr.exe]
    "SoundMan"="SOUNDMAN.EXE" [2006-06-20 14:42 C:\WINDOWS\soundman.exe]
    "HPDJ Taskbar Utility"="C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb07.exe" [2002-11-04 20:29]
    "Share-to-Web Namespace Daemon"="C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe" [2002-04-17 10:42]
    "SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe" [2005-06-03 03:52]
    "avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-10-25 17:20]
    "OrderReminder"="C:\Program Files\Hewlett-Packard\OrderReminder\OrderReminder.exe" [2006-01-30 17:00]
    "WinDVR SchSvr"="C:\Program Files\Common Files\InterVideo\SchSvr\SchSvr.exe" [2006-07-18 15:24]
    "WinRemote"="C:\Program Files\InterVideo\WinDVR3\WinRemote.exe" [2006-07-18 15:23]
    "NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [2007-03-01 14:57]
    "HP Software Update"="C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe" [2006-02-19 02:41]
    "SpywareTerminator"="C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe" [2007-11-23 18:53]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-03 23:56]

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
    Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2007-02-08 16:45:42]
    Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 22:05:26]
    HP Digital Imaging Monitor.lnk - C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe [2006-02-19 04:21:22]
    InterVideo WinCinema Manager.lnk - C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe [2007-07-16 19:51:55]

    R1 sp_rsdrv2;Spyware Terminator Driver 2;\??\C:\WINDOWS\system32\drivers\sp_rsdrv2.sys
    R2 Mirage Computer Systems: Multimedia Protector update permissions manager. 14007.;Mirage Computer Systems: Multimedia Protector update permissions manager. 14007.;C:\Program Files\Multimedia Protector Premium\1.3\checkupdmp.exe -PermissionManagerRun
    R3 EKBfltr;ENE Keyboard Controller;C:\WINDOWS\system32\DRIVERS\EKBfltr.sys
    S3 netModUSBService;Service for netMod USB CAPI Driver;C:\WINDOWS\system32\drivers\nMUSB.sys
    S3 TridVid;Trident Analog Video;C:\WINDOWS\system32\DRIVERS\TridVid.sys
    S4 Csdssfacxnt;Csdssfacxnt;C:\WINDOWS\system32\drivers\http.sys

    *Newly Created Service* - CATCHME
    .
    Contents of the 'Scheduled Tasks' folder
    "2007-11-18 12:00:12 C:\WINDOWS\Tasks\Automatic Updates Checking for Multimedia Protector.job"
    - C:\Program Files\Multimedia Protector Premium\1.3\checkupdmp.exe
    .
    ************************************************************************

    catchme 0.3.1262 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2007-11-25 15:07:56
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    ************************************************************************
    "ServiceDll"="%SystemRoot%\System32\msgsvc.dll"

    [HKEY_LOCAL_MACHINE\system\ControlSet001\Services\Mirage Computer Systems: Multimedia Protector update permissions manager. 14007.]
    .
    Completion time: 2007-11-25 15:08:27
    .
    --- E O F ---
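The service records in the ComboFix log above ("R1 sp_rsdrv2;Spyware Terminator Driver 2;..." and the lines that follow) use a compact "name;display;image" form that can be checked mechanically. The following is an added example, not code from the thread or from ComboFix; it parses those lines (the leading letter is the state, R running or S stopped, and the digit is the Windows start type, 0 boot through 4 disabled) and applies two review heuristics: a display name that merely repeats the service name while the image file is called something else, and a kernel driver loaded from outside system32\drivers. The sample is the posted block copied verbatim. A hit is an entry to examine by hand, nothing more.

```python
import re

# Constructed sample: the service records from the ComboFix log posted above,
# copied verbatim. ComboFix prints them as "<R|S><n> name;display;image":
# R = running, S = stopped, n = Windows start type
# (0 boot, 1 system, 2 auto, 3 manual, 4 disabled).
SAMPLE_SERVICES = r"""R1 sp_rsdrv2;Spyware Terminator Driver 2;\??\C:\WINDOWS\system32\drivers\sp_rsdrv2.sys
R2 Mirage Computer Systems: Multimedia Protector update permissions manager. 14007.;Mirage Computer Systems: Multimedia Protector update permissions manager. 14007.;C:\Program Files\Multimedia Protector Premium\1.3\checkupdmp.exe -PermissionManagerRun
R3 EKBfltr;ENE Keyboard Controller;C:\WINDOWS\system32\DRIVERS\EKBfltr.sys
S3 netModUSBService;Service for netMod USB CAPI Driver;C:\WINDOWS\system32\drivers\nMUSB.sys
S3 TridVid;Trident Analog Video;C:\WINDOWS\system32\DRIVERS\TridVid.sys
S4 Csdssfacxnt;Csdssfacxnt;C:\WINDOWS\system32\drivers\http.sys
"""

START_TYPES = {0: "boot", 1: "system", 2: "auto", 3: "manual", 4: "disabled"}
LINE_RE = re.compile(r"^([RS])([0-4]) ([^;]+);([^;]*);(.*)$")
# Image path, minus an optional NT "\??\" prefix or leading quote, up to the extension.
IMAGE_RE = re.compile(r'^"?(?:\\\?\?\\)?(?P<path>.*?\.(?:sys|exe|dll))', re.I)


def parse_services(text):
    """One dict per service line: running flag, numeric start type, service
    name, display name and the image path stripped of arguments."""
    out = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        state, start, name, display, image = m.groups()
        im = IMAGE_RE.match(image.strip())
        out.append({
            "running": state == "R",
            "start": int(start),
            "name": name,
            "display": display,
            "image": im.group("path") if im else image.strip(),
        })
    return out


def stem(path):
    """File name without directory and extension: '...\\http.sys' -> 'http'."""
    return path.rsplit("\\", 1)[-1].rsplit(".", 1)[0]


def review_services(services):
    """Heuristic hits as (service name, reason). A hit means 'look at this
    one by hand', not 'this is malware'."""
    hits = []
    for s in services:
        name, display, image = s["name"].lower(), s["display"].lower(), s["image"].lower()
        if name == display and stem(image) != name:
            hits.append((s["name"], "display name only repeats the service name and the image is a differently named file: " + s["image"]))
        if image.endswith(".sys") and "\\system32\\drivers\\" not in image:
            hits.append((s["name"], "kernel driver loaded from outside system32\\drivers"))
    return hits


if __name__ == "__main__":
    svcs = parse_services(SAMPLE_SERVICES)
    for s in svcs:
        print("%-8s %-8s %-20s %s" % ("running" if s["running"] else "stopped",
                                        START_TYPES[s["start"]], s["name"][:20], s["image"]))
    for name, reason in review_services(svcs):
        print("REVIEW:", name, "->", reason)
```

On the posted block this returns two entries for a closer look: the Multimedia Protector service (which dr_Bora already asked about) and the disabled Csdssfacxnt entry whose image is http.sys. Neither result says what the entry is; the next step is to check the binary itself and the service's registry key.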

  #6  dr_Bora, Active member (joined 27.12.2004, 1,248 posts)

    Disable the AV before the next step.

    Download SmitfraudFix.

    • Restart the computer in Safe Mode (keep pressing F8 while the computer boots and choose Safe Mode from the menu)
    • Double-click SmitfraudFix.exe
    • Choose option #2 - Clean by typing 2 and Enter
    • Wait for the cleaning and Disk Cleanup to finish
    • You will be asked: "Registry cleaning - Do you want to clean the registry ?" answer "Yes" by typing Y and Enter
    • The program will also check whether wininet.dll is infected. If it is, you will be asked about replacing wininet.dll. Answer "Yes" to the question "Replace infected file ?" by typing Y and Enter

    A restart may be needed to finish the cleaning process; if the computer does not restart automatically, do it yourself.
    This program will create the logfile C:\rapport.txt, which needs to be copied into the forum thread.

    After all that, post a new HT log as well.

  #7  Beginner (joined 06.09.2007, 43 posts)

    After the cleaning, the log file is:

    SmitFraudFix v2.254

    Scan done at 17:47:20,53, ??? 25.11.2007
    Run from C:\Documents and Settings\User\Desktop\SmitfraudFix
    OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
    The filesystem type is NTFS
    Fix run in safe mode

    »»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler Before SmitFraudFix
    !!!Attention, following keys are not inevitably infected!!!

    SrchSTS.exe by S!Ri
    Search SharedTaskScheduler's .dll

    »»»»»»»»»»»»»»»»»»»»»»»» Killing process


    »»»»»»»»»»»»»»»»»»»»»»»» hosts


    127.0.0.1 localhost

    »»»»»»»»»»»»»»»»»»»»»»»» Winsock2 Fix

    S!Ri's WS2Fix: LSP not Found.


    »»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

    GenericRenosFix by S!Ri


    »»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files

    C:\Program Files\RichVideoCodec\ Deleted

    »»»»»»»»»»»»»»»»»»»»»»»» DNS



    »»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files


    »»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
    !!!Attention, following keys are not inevitably infected!!!

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
    "System"=""


    »»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

    Registry Cleaning done.

    »»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler After SmitFraudFix
    !!!Attention, following keys are not inevitably infected!!!

    SrchSTS.exe by S!Ri
    Search SharedTaskScheduler's .dll


    »»»»»»»»»»»»»»»»»»»»»»»» End



    The new HT log file is:

    Logfile of HijackThis v1.99.1
    Scan saved at 17:53:51, on 25.11.2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    C:\Program Files\Alwil Software\Avast4\ashServ.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\VTTimer.exe
    C:\WINDOWS\system32\VTtrayp.exe
    C:\WINDOWS\sm56hlpr.exe
    C:\WINDOWS\SOUNDMAN.EXE
    C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
    C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
    C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    C:\Program Files\Hewlett-Packard\OrderReminder\OrderReminder.exe
    C:\Program Files\Common Files\InterVideo\SchSvr\SchSvr.exe
    C:\Program Files\InterVideo\WinDVR3\WinRemote.exe
    C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
    C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
    C:\Program Files\IDA\ida.exe
    C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe
    C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
    C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\Program Files\Multimedia Protector Premium\1.3\checkupdmp.exe
    C:\Program Files\Spyware Terminator\sp_rsser.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
    C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqSTE08.exe
    C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
    C:\WINDOWS\system32\wuauclt.exe
    D:\Install\Pomoc na FORUM-u\Pomoc preko FORUM-a.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.crawler.com/search/ie.aspx?tb_id=60327
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = http://dnl.crawler.com/support/sa_customize.aspx?TbId=60327
    R3 - URLSearchHook: (no name) - {1CB20BF0-BBAE-40A7-93F4-6435FF3D0411} - C:\PROGRA~1\Crawler\Toolbar\ctbr.dll
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {1CB20BF0-BBAE-40A7-93F4-6435FF3D0411} - C:\PROGRA~1\Crawler\Toolbar\ctbr.dll
    O2 - BHO: Solid Converter PDF - {259F616C-A300-44F5-B04A-ED001A26C85C} - C:\Program Files\SolidDocuments\SolidConverterPDF\SCPDF\ExploreExtPDF.dll
    O2 - BHO: IE 4.x-6.x BHO for Internet Download Accelerator - {2A646672-9C3A-4C28-9A7A-1FB0F63F28B6} - C:\PROGRA~1\IDA\idaiehlp.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O3 - Toolbar: Solid Converter PDF - {259F616C-A300-44F5-B04A-ED001A26C85C} - C:\Program Files\SolidDocuments\SolidConverterPDF\SCPDF\ExploreExtPDF.dll
    O3 - Toolbar: &Crawler Toolbar - {4B3803EA-5230-4DC3-A7FC-33638F3D3542} - C:\PROGRA~1\Crawler\Toolbar\ctbr.dll
    O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
    O4 - HKLM\..\Run: [VTTrayp] VTtrayp.exe
    O4 - HKLM\..\Run: [SMSERIAL] sm56hlpr.exe
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb07.exe
    O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
    O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    O4 - HKLM\..\Run: [OrderReminder] C:\Program Files\Hewlett-Packard\OrderReminder\OrderReminder.exe
    O4 - HKLM\..\Run: [WinDVR SchSvr] "C:\Program Files\Common Files\InterVideo\SchSvr\SchSvr.exe"
    O4 - HKLM\..\Run: [WinRemote] "C:\Program Files\InterVideo\WinDVR3\WinRemote.exe"
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
    O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
    O4 - HKLM\..\Run: [SpywareTerminator] "C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe"
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
    O4 - HKCU\..\Run: [Internet Download Accelerator] C:\Program Files\IDA\ida.exe -autorun
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe
    O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
    O8 - Extra context menu item: Crawler Search - tbr:iemenu
    O8 - Extra context menu item: Download ALL with IDA - C:\Program Files\IDA\idaieall.htm
    O8 - Extra context menu item: Download with IDA - C:\Program Files\IDA\idaie.htm
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Internet Download Accelerator - {9819CC0E-9669-4D01-9CD7-2C66DA43AC6C} - C:\Program Files\IDA\ida.exe
    O9 - Extra 'Tools' menuitem: &Internet Download Accelerator - {9819CC0E-9669-4D01-9CD7-2C66DA43AC6C} - C:\Program Files\IDA\ida.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra button: (no name) - SolidConverterPDF - (no file) (HKCU)
    O18 - Protocol: tbr - {4D25FB7A-8902-4291-960E-9ADA051CFBBF} - C:\PROGRA~1\Crawler\Toolbar\ctbr.dll
    O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
    O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
    O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
    O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
    O23 - Service: Mirage Computer Systems: Multimedia Protector update permissions manager. 14007. - Unknown owner - C:\Program Files\Multimedia Protector Premium\1.3\checkupdmp.exe
    O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
    O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
    O23 - Service: Spyware Terminator Realtime Shield Service (sp_rssrv) - Crawler.com - C:\Program Files\Spyware Terminator\sp_rsser.exe

  8. #8 dr_Bora (Active member, joined 27.12.2004, male, 1,248 posts, reputation 60)

    Is the same problem still occurring?

    Are you using the program Wtm CD Protect?

  9. #9 Beginner (joined 06.09.2007, male, 43 posts, reputation 0)

    I think the malware appeared once more in the meantime.
    I'm sure of it, because at this very moment, while writing this message, it was detected again by Avast! 4.7 and I moved it to the chest.

    Otherwise, I originally wanted to install Wtm CD Protect, but it didn't work correctly. I want to get rid of it for good. I don't want to see a trace of it any more. Maybe that's where this problem came from.
    Please give me your opinion on that, and tell me how to remove all the files related to Wtm CD Protect.

    Gratefully, Ivan from Pirot.

  10. #10 dr_Bora (Active member, joined 27.12.2004, male, 1,248 posts, reputation 60)

    OK... These logs are consistently more or less clean.
    I need the exact name of the file that avast detects.
    That is, not just the path (Temp folder) but the complete name.

  11. #11 Beginner (joined 06.09.2007, male, 43 posts, reputation 0)

    How do I do that?

  12. #12 Beginner (joined 06.09.2007, male, 43 posts, reputation 0)

    Please look at what I found on the internet.
    I'm not entirely sure, because of my limited knowledge of English, but they also suggest a similar procedure for removing the virus.

    Colby:
    I keep getting this virus thing

    File name: c:docume~1\user\LOCAS~1\temp\BIT89F.tpm
    Malware name: Win32:Zlober [Drp]
    Type: Dropper
    VPS Version 000780-2 10/11/2007

    I have tried deleting, moving/renaming, moving it to the chest, and taking no action, and it KEEPS coming back. GRRRRR

    Tech:
    If a virus is replicant (coming back again and again), you can follow the general cleaning procedure:

    1. Disable System Restore on Windows ME or Windows XP. System Restore cannot be disabled on Windows 9x and it's not available in Windows 2k. After the reboot you can enable System Restore again, after step 3.

    2. Clean your temporary files. You can use CleanUp or the Windows Advanced Care features for that.

    3. Schedule a boot-time scan with avast. Start avast! > right-click the skin > Schedule a boot-time scanning. Select scanning of archives. Boot. The other option is scanning in Safe Mode (repeatedly press F8 while booting).

    4. It would be good to download, install, update and run AVG Antispyware. Some users recommend SUPERAntiSpyware, Spyware Terminator and/or a-squared (take care about false positives).
    If any infection is detected, it is better and safer to send the file to Quarantine than to simply delete it.

    5. If you still detect any strange behavior, or even if you're sure you're not clean, it may be good to test your machine with anti-rootkit applications. I suggest AVG or Panda.

    6. Also, if you still detect strange behavior or you want to be sure you're clean, making a HijackThis log to post here and, especially, scanning and submitting the RunScanner log for on-line analysis may help to identify the problem and the solution.

    7. After you're clean, use the immunization of SpywareBlaster or, which is better, the Windows Advanced Care features for spyware/adware cleaning and removal.

    8. Finally, when you're clean, check for insecure applications with Secunia Software Inspector to update insecure applications and avoid reinfection.

    Colby:
    So far it's working. Thanks

    DavidR:
    What would be helpful to others is what tools you tried and what results were found.
    What was the malware name, the infected file/s name and where was it located, e.g. (C:\windows\system32\infected-file-name.***)?

    If malware is found, then if possible you should send samples to avast so that detections can be improved.

    Send the sample to virus@avast.com zipped and password protected, with the password in the email body and "false positive/undetected malware" in the subject.

    Or you can also add the file to the User Files (File, Add) section of the avast chest, where it can do no harm, and send it from there (select the file, right-click, email to Alwil Software). No need to zip and PW protect when the sample is sent from the chest. A copy of the file/s will remain in the original location, so any further action you take can remove that.

    Welcome to the forums.

    GrahamE:
    Quote from: Tech on October 11, 2007, 11:15:09 PM

    7. After you're clean, use the immunization of SpywareBlaster or, which is better, the Windows Advanced Care features for spyware/adware cleaning and removal.

    Ok, I'm sorry that I'm going off at a slight tangent here, but after your recommendation I downloaded and installed this 'Windows Advanced Care' program.
    It tells me that I have no infections, but that I should immunise about 34,000 items. Why? If so far my security has held up okay, why do I need to immunise 34,000 (YES!! 34 THOUSAND!!) items??

    Most importantly, I feel, why, in regard to Startup items, is it telling me to remove startup entries for:

    AVAST4/ASHDISP.EXE
    ZoneAlarm
    SpywareTerminator
    ATI Graphics card

    This is one weird program for you to be recommending!??!

  13. #13 dr_Bora (Active member, joined 27.12.2004, male, 1,248 posts, reputation 60)

    Well, when Avast detects something, it will certainly print the location/name of the file.
    It's also possible that you can see it in the "chest" itself.

    As for that guide... You can run a boot-time scan if you want (although, if the file keeps coming back, that won't help).

    In principle, I would very much like to see a copy of what avast detects. Go and check whether it's possible to copy files out of the chest.

  14. #14 Beginner (joined 06.09.2007, male, 43 posts, reputation 0)

    Everything that was detected so far has been deleted.
    Tonight I'll run all the antivirus and anti-spyware programs again, and tomorrow morning I'll send you everything that was found.

    Many thanks to you. You're a true friend.
    We'll get in touch in the morning.
    Ivan, Pirot

  15. #15 Beginner (joined 06.09.2007, male, 43 posts, reputation 0)

    First I uninstalled and deleted all the programs I considered suspicious.

    During a thorough scan with Avast! no viruses were found. The only things it gave in the report were files it couldn't scan because they were locked and it couldn't get at them. A few files also showed up there which it declared to be time bombs, and it didn't scan those.

    I also scanned the computer with these programs: Ad-Aware SE Personal, Spybot S&D, Spyware Terminator. None of them found a serious problem. Some cookies were found, which were fixed or deleted.

    The problem with the malware Win32:Zlober [Drp] virus is still there. It appears when I connect to the internet. Avast detects it and immediately suggests moving it to the chest. But it's some temporary file (path: the Temp folder).

    What should I do? What's your advice?
    Should I run Avast (give it the command to scan) from DOS while the system boots?

  16. #16 dr_Bora (Active member, joined 27.12.2004, male, 1,248 posts, reputation 60)

    OK... I'm not quite sure how avast works, so I can't tell you precisely.

    Check in the "chest" whether there's an option to copy the files you moved there somewhere else. If there is, do that.

    If there's no such option, then do the following: the next time the AV reports malware, "tell" it to leave it where it is, i.e. not to delete it.
    After that, in Windows Explorer, Tools menu: Folder Options: on the View tab:
    - check Show hidden files and folders
    - uncheck Hide protected operating system files (Recommended).

    Now find the detected file in this folder:

    C:\Documents and settings\User\Local settings\Temp\

    copy it somewhere else, zip it and attach it to your post.

    I want to see this file so that, for a start, I can check whether it's malicious at all, and if it is, so that I have a better view of what's causing the problems here.

    Btw, is your Avast up to date?
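The collection step dr_Bora describes (leave the file in place, find it in the user's Temp folder, copy it out, zip it) can be scripted so that the sample is preserved together with its hash before the on-access scanner removes it again. This is an added example, not code from the thread or from avast: the Temp path and the `BIT*.tmp` name pattern are taken from the posts above, while the snapshot-and-poll approach, the output folder `C:\samples` and the 300-second default are assumptions made for the example.

```python
import hashlib
import shutil
import stat as statmod
import time
import zipfile
from pathlib import Path
from typing import Dict, List, Set, Tuple

# Defaults taken from the thread: the XP profile Temp folder dr_Bora points
# at and the name pattern of the file avast kept reporting. On Windows,
# Path.glob matches case-insensitively, so "Bit2E.tmp" is covered too.
DEFAULT_TEMP = Path(r"C:\Documents and Settings\User\Local Settings\Temp")
DEFAULT_PATTERN = "BIT*.tmp"

Meta = Tuple[int, float]          # (size, mtime)
Record = Tuple[str, str, int]     # (original path, sha256, size)


def snapshot(temp_dir: Path, pattern: str = DEFAULT_PATTERN) -> Dict[str, Meta]:
    """Record (size, mtime) of every regular file matching `pattern`."""
    result: Dict[str, Meta] = {}
    for p in temp_dir.glob(pattern):
        try:
            st = p.stat()
        except FileNotFoundError:
            continue              # vanished between listing and stat
        if statmod.S_ISREG(st.st_mode):
            result[str(p)] = (st.st_size, st.st_mtime)
    return result


def sha256_of(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def new_or_changed(before: Dict[str, Meta], after: Dict[str, Meta]) -> List[str]:
    """Paths in `after` that are absent from `before` or whose size/mtime changed."""
    return sorted(p for p, meta in after.items() if before.get(p) != meta)


def preserve(paths: List[str], out_dir: Path) -> List[Record]:
    """Copy each file out of Temp first, then hash the copy.

    The copy comes first because the on-access scanner may delete the original
    at any moment; hashing the copy guarantees the manifest matches the zip.
    """
    out_dir.mkdir(parents=True, exist_ok=True)
    manifest: List[Record] = []
    for src in paths:
        dst = out_dir / Path(src).name
        try:
            shutil.copy2(src, dst)
        except FileNotFoundError:
            continue              # already removed; nothing left to preserve
        manifest.append((src, sha256_of(dst), dst.stat().st_size))
    return manifest


def package(out_dir: Path, manifest: List[Record], zip_path: Path) -> Path:
    """Zip the copies together with a manifest of original paths and hashes."""
    with zipfile.ZipFile(zip_path, "w", zipfile.ZIP_DEFLATED) as zf:
        for src, _digest, _size in manifest:
            zf.write(out_dir / Path(src).name, arcname=Path(src).name)
        zf.writestr("manifest.txt", "".join(
            f"{digest}  {size}  {src}\n" for src, digest, size in manifest))
    return zip_path


def watch_and_collect(temp_dir: Path, out_dir: Path, zip_path: Path,
                      seconds: float = 300, interval: float = 1.0,
                      pattern: str = DEFAULT_PATTERN) -> List[Record]:
    """Poll temp_dir for `seconds`; copy out every matching file that appears."""
    before = snapshot(temp_dir, pattern)
    seen: Set[str] = set()
    collected: List[Record] = []
    deadline = time.monotonic() + seconds
    while time.monotonic() < deadline:
        after = snapshot(temp_dir, pattern)
        fresh = [p for p in new_or_changed(before, after) if p not in seen]
        if fresh:
            collected.extend(preserve(fresh, out_dir))
            seen.update(fresh)
            before = after
        time.sleep(interval)
    if collected:
        package(out_dir, collected, zip_path)
    return collected


if __name__ == "__main__":
    # Start this before dialling up, then connect: the file in the thread
    # only shows up once the machine is online.
    for src, digest, size in watch_and_collect(
            DEFAULT_TEMP, Path(r"C:\samples"), Path(r"C:\samples\temp_sample.zip")):
        print(f"{digest}  {size:>8}  {src}")
```

The `BIT<hex>.tmp` naming is what the Background Intelligent Transfer Service uses for in-progress downloads in the user's Temp folder, so the hash and the preserved content are what let an analyst tell a legitimate BITS job (an updater fetching something as soon as the dial-up comes up) from a dropper; the thread itself never establishes which of the two this was, which is exactly why the copy matters. The zip produced here is not password-protected; if it is going to be mailed rather than attached from the chest, wrap it as DavidR describes.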

  17. #17 Beginner (joined 06.09.2007, male, 43 posts, reputation 0)

    Avast's resident scanner detected a virus attack. I let it, without deleting, lodge itself in the Temp(orary) file. I did everything according to the instructions. I zipped the complete Temp folder (there aren't many files, because it had been cleaned earlier). Pay attention to the file named:

    temp\Bit2E.tmp

    that's where it shows up!!!
    Attached files
    Last edited by Ivan-Pirot: 26.11.2007 at 17:54

  18. #18 dr_Bora (Active member, joined 27.12.2004, male, 1,248 posts, reputation 60)

    We'll use SmitFraudFix again. Delete the one you currently have and download a new one (it has been updated in the meantime). Disable Avast before downloading.

    Download SmitfraudFix.

    • Restart the computer in Safe Mode (press F8 repeatedly while the computer boots and choose Safe Mode from the menu)
    • Double-click SmitfraudFix.exe to run it
    • Choose option #2 - Clean by typing 2 and Enter
    • Wait for the cleaning and Disk Cleanup to finish
    • You'll be asked: "Registry cleaning - Do you want to clean the registry ?" Answer "Yes" by typing Y and Enter
    • The program will also check whether wininet.dll is infected. If it is, you'll be asked about replacing wininet.dll. Answer "Yes" to the question "Replace infected file ?" by typing Y and Enter


    A restart may be needed to complete the cleaning process; if the computer doesn't restart automatically, do it yourself.
    This program will create a logfile C:\rapport.txt, which you need to copy into the forum thread.


    After that, post a new HT log as well.

  19. #19 Beginner (joined 06.09.2007, male, 43 posts, reputation 0)

    The new log after running SmitfraudFix is:

    SmitFraudFix v2.255

    Scan done at 19:39:01,68, ??? 26.11.2007
    Run from C:\Documents and Settings\User\Desktop\SmitfraudFix
    OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
    The filesystem type is NTFS
    Fix run in normal mode

    »»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler Before SmitFraudFix
    !!!Attention, following keys are not inevitably infected!!!

    SrchSTS.exe by S!Ri
    Search SharedTaskScheduler's .dll

    »»»»»»»»»»»»»»»»»»»»»»»» Killing process


    »»»»»»»»»»»»»»»»»»»»»»»» hosts


    127.0.0.1 localhost

    »»»»»»»»»»»»»»»»»»»»»»»» Winsock2 Fix

    S!Ri's WS2Fix: LSP not Found.


    »»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

    GenericRenosFix by S!Ri


    »»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files


    »»»»»»»»»»»»»»»»»»»»»»»» DNS



    »»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files


    »»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
    !!!Attention, following keys are not inevitably infected!!!

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
    "System"=""


    »»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

    Registry Cleaning done.

    »»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler After SmitFraudFix
    !!!Attention, following keys are not inevitably infected!!!

    SrchSTS.exe by S!Ri
    Search SharedTaskScheduler's .dll


    »»»»»»»»»»»»»»»»»»»»»»»» End



    The new HT log is:

    Logfile of HijackThis v1.99.1
    Scan saved at 19:49:45, on 26.11.2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    C:\Program Files\Alwil Software\Avast4\ashServ.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\VTTimer.exe
    C:\WINDOWS\system32\VTtrayp.exe
    C:\WINDOWS\sm56hlpr.exe
    C:\WINDOWS\SOUNDMAN.EXE
    C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
    C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
    C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    C:\Program Files\Hewlett-Packard\OrderReminder\OrderReminder.exe
    C:\Program Files\Common Files\InterVideo\SchSvr\SchSvr.exe
    C:\Program Files\InterVideo\WinDVR3\WinRemote.exe
    C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
    C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
    C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
    C:\Program Files\IDA\ida.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe
    C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\Program Files\Multimedia Protector Premium\1.3\checkupdmp.exe
    C:\Program Files\Spyware Terminator\sp_rsser.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqSTE08.exe
    C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
    C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
    C:\Program Files\totalcmd\TOTALCMD.EXE
    D:\Install\Pomoc na FORUM-u\1-HijeckThis\Pomoc preko FORUM-a.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.crawler.com/search/ie.aspx?tb_id=60327
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = http://dnl.crawler.com/support/sa_customize.aspx?TbId=60327
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: Solid Converter PDF - {259F616C-A300-44F5-B04A-ED001A26C85C} - C:\Program Files\SolidDocuments\SolidConverterPDF\SCPDF\ExploreExtPDF.dll
    O2 - BHO: IE 4.x-6.x BHO for Internet Download Accelerator - {2A646672-9C3A-4C28-9A7A-1FB0F63F28B6} - C:\PROGRA~1\IDA\idaiehlp.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O3 - Toolbar: Solid Converter PDF - {259F616C-A300-44F5-B04A-ED001A26C85C} - C:\Program Files\SolidDocuments\SolidConverterPDF\SCPDF\ExploreExtPDF.dll
    O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
    O4 - HKLM\..\Run: [VTTrayp] VTtrayp.exe
    O4 - HKLM\..\Run: [SMSERIAL] sm56hlpr.exe
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb07.exe
    O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
    O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    O4 - HKLM\..\Run: [OrderReminder] C:\Program Files\Hewlett-Packard\OrderReminder\OrderReminder.exe
    O4 - HKLM\..\Run: [WinDVR SchSvr] "C:\Program Files\Common Files\InterVideo\SchSvr\SchSvr.exe"
    O4 - HKLM\..\Run: [WinRemote] "C:\Program Files\InterVideo\WinDVR3\WinRemote.exe"
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
    O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
    O4 - HKLM\..\Run: [SpywareTerminator] "C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe"
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
    O4 - HKCU\..\Run: [Internet Download Accelerator] C:\Program Files\IDA\ida.exe -autorun
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe
    O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
    O8 - Extra context menu item: Download ALL with IDA - C:\Program Files\IDA\idaieall.htm
    O8 - Extra context menu item: Download with IDA - C:\Program Files\IDA\idaie.htm
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Internet Download Accelerator - {9819CC0E-9669-4D01-9CD7-2C66DA43AC6C} - C:\Program Files\IDA\ida.exe
    O9 - Extra 'Tools' menuitem: &Internet Download Accelerator - {9819CC0E-9669-4D01-9CD7-2C66DA43AC6C} - C:\Program Files\IDA\ida.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra button: (no name) - SolidConverterPDF - (no file) (HKCU)
    O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
    O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
    O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
    O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
    O23 - Service: Mirage Computer Systems: Multimedia Protector update permissions manager. 14007. - Unknown owner - C:\Program Files\Multimedia Protector Premium\1.3\checkupdmp.exe
    O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
    O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
    O23 - Service: Spyware Terminator Realtime Shield Service (sp_rssrv) - Crawler.com - C:\Program Files\Spyware Terminator\sp_rsser.exe
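dr_Bora reads this log by hand and calls it clean. The same review can be written as a small parser over HijackThis 1.99.1 output, which pays off when the same log is posted three times in one thread. This is an added example, not part of the thread and not HijackThis code; the sample is a subset of the log above (copied, not constructed), and the four checks are the reviewer's own heuristics: a service reported "(file missing)" whose binary nonetheless appears in the running-process list, an "Unknown owner" service, an R1 search setting pointing outside Microsoft's hosts, and an O20 Winlogon notify DLL not on a short known list. The allowlists DEFAULT_SEARCH_HOSTS and KNOWN_WINLOGON_NOTIFY are the reviewer's assumptions, not something HijackThis ships.

```python
import re
from dataclasses import dataclass
from typing import List, Set, Tuple
from urllib.parse import urlparse

# Subset of the HijackThis 1.99.1 log posted above (copied, not constructed),
# trimmed to the lines the checks below look at.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.1
Scan saved at 19:49:45, on 26.11.2007

Running processes:
C:\WINDOWS\System32\smss.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Spyware Terminator\sp_rsser.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.crawler.com/search/ie.aspx?tb_id=60327
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Spyware Terminator Realtime Shield Service (sp_rssrv) - Crawler.com - C:\Program Files\Spyware Terminator\sp_rsser.exe
"""

# Hosts that IE's stock search settings point at; anything else gets a look.
# Reviewer's assumption, not an allowlist HijackThis knows about.
DEFAULT_SEARCH_HOSTS = {"microsoft.com", "msn.com", "live.com"}
# Winlogon notify packages known to be Microsoft's own (WGA Notifications).
KNOWN_WINLOGON_NOTIFY = {"wgalogon"}

ENTRY_RE = re.compile(r"^(?P<kind>[RO]\d+) - (?P<body>.+)$")
SERVICE_RE = re.compile(r"^Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+)$")
EXE_RE = re.compile(r"([^\\\"]+\.(?:exe|dll|sys))", re.IGNORECASE)


@dataclass
class Finding:
    severity: str   # "review" (needs a human) or "note" (explained)
    entry: str      # the log line that triggered it
    reason: str


def split_log(text: str) -> Tuple[Set[str], List[str]]:
    """Return (lower-case running-process basenames, R/O entry lines)."""
    procs: Set[str] = set()
    entries: List[str] = []
    in_procs = False
    for raw in text.splitlines():
        line = raw.strip()
        if line == "Running processes:":
            in_procs = True
            continue
        if in_procs:
            if not line:
                in_procs = False      # blank line ends the process list
            else:
                procs.add(line.rsplit("\\", 1)[-1].lower())
            continue
        if ENTRY_RE.match(line):
            entries.append(line)
    return procs, entries


def last_binary(path_field: str) -> str:
    """Base name of the last exe/dll/sys mentioned in an HJT path field."""
    names = EXE_RE.findall(path_field)
    return names[-1].rsplit("\\", 1)[-1].lower() if names else ""


def triage(text: str) -> List[Finding]:
    procs, entries = split_log(text)
    findings: List[Finding] = []
    for line in entries:
        kind, body = ENTRY_RE.match(line).groups()
        if kind == "O23":
            m = SERVICE_RE.match(body)
            if not m:
                continue
            owner, path = m.group("owner"), m.group("path")
            exe = last_binary(path)
            if path.endswith("(file missing)"):
                if exe in procs:
                    # HJT 1.99.1 mis-parses a quoted ImagePath that carries
                    # arguments; the binary is demonstrably running.
                    findings.append(Finding("note", line,
                        f"'file missing' but {exe} is in the running-process list (parser artifact)"))
                else:
                    findings.append(Finding("review", line, "service binary reported missing"))
            elif owner == "Unknown owner":
                findings.append(Finding("review", line, "service without owner information"))
        elif kind == "R1" and "=" in body:
            host = urlparse(body.split("=", 1)[1].strip()).hostname or ""
            if not any(host == h or host.endswith("." + h) for h in DEFAULT_SEARCH_HOSTS):
                findings.append(Finding("review", line, f"IE search setting points at {host}"))
        elif kind == "O20":
            name = body.split(":", 1)[1].split(" - ")[0].strip().lower()
            if name not in KNOWN_WINLOGON_NOTIFY:
                findings.append(Finding("review", line, "unrecognised Winlogon notify package"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity}] {f.reason}\n    {f.entry}")
```

On this log the parser reproduces dr_Bora's verdict: the two "(file missing)" avast services are an HJT 1.99.1 parsing artifact (the ImagePath is quoted and carries `/service`, and both binaries are in the running-process list), the crawler.com search setting goes with the Crawler toolbar listed as O18 in the earlier log and with Spyware Terminator, which the O23 line itself attributes to Crawler.com, and the Adobe LM Service entry only lacks owner information. None of this explains a file that reappears in Temp, which is why the thread moves on to a rootkit scan rather than more HJT logs.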

  20. #20 dr_Bora (Active member, joined 27.12.2004, male, 1,248 posts, reputation 60)

    All clean... I don't see what's creating these files.

    Tell me, which Avast module is reporting this (Web Shield or...)?
    Could you make a screenshot when it shows the detection?

    Also do this:

    Download Gmer.
    • Unpack the archive into a folder
    • Double-click gmer.exe to run it
    • On the Rootkit tab, click the Scan button
    • When the scan finishes, click the Save ... button and save the log as file1.txt
    • Click the >>> button to enable access to the other tabs
    • On the AutoStart tab, click the Scan button
    • When the scan finishes, click the Copy button (this copies the log to the Clipboard)
    • Open Notepad, paste the copied log and save it as file2.txt
    • Attach file1.txt and file2.txt to your next post

  21. #21 Beginner (joined 06.09.2007, male, 43 posts, reputation 0)

    Here are the results, attached.
    I'll make a screenshot when it appears. Unfortunately, the detected virus didn't show up during the last two internet connections.
    Attached files

  22. #22 dr_Bora (Active member, joined 27.12.2004, male, 1,248 posts, reputation 60)

    Logs clean...

    Zip and attach to your post:

    C:\WINDOWS\system32\drivers\http.sys

    Do you have a TV card?

    Run ComboFix again and post the log it creates here.
    Last edited by dr_Bora: 27.11.2007 at 11:28

  23. #23 Beginner (joined 06.09.2007, male, 43 posts, reputation 0)

    Dear dr Bora,
    I was away today, which is why I didn't get in touch.

    I zipped the file you mentioned, but it can't fit in the attachment because it's too large; it exceeds the allowed limit.

  24. #24 Beginner (joined 06.09.2007, male, 43 posts, reputation 0)

    The new log is:

    ComboFix 07-11-19.4 - User 2007-11-27 23:07:26.3 - NTFSx86
    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.134 [GMT 1:00]
    Running from: C:\Documents and Settings\User\Desktop\ComboFix.exe
    * Created a new restore point
    .

    ((((((((((((((((((((((((( Files Created from 2007-10-27 to 2007-11-27 )))))))))))))))))))))))))))))))
    .

    2007-11-26 17:27 <DIR> d-------- C:\unzipped
    2007-11-25 17:47 2,982 --a------ C:\WINDOWS\system32\tmp.reg
    2007-11-25 17:21 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Share-to-Web Upload Folder
    2007-11-25 11:51 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Lavasoft
    2007-11-25 11:44 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Spyware Terminator
    2007-11-23 21:01 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spyware Terminator
    2007-11-23 21:00 <DIR> d-------- C:\Program Files\Common Files\HP
    2007-11-23 21:00 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Tehnicki fakultet u Boru
    2007-11-23 21:00 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\HP
    2007-11-23 20:59 <DIR> d-------- C:\WINDOWS\Sun
    2007-11-23 20:59 <DIR> d-------- C:\Documents and Settings\User\Application Data\WtmCDProtect
    2007-11-23 18:53 138,752 --a------ C:\WINDOWS\system32\drivers\sp_rsdrv2.sys
    2007-11-23 18:30 <DIR> d-------- C:\Program Files\Spyware Terminator
    2007-11-23 18:30 <DIR> d-------- C:\Documents and Settings\User\Application Data\Spyware Terminator
    2007-11-18 12:59 <DIR> d-------- C:\Program Files\Multimedia Protector Premium
    2007-11-16 18:19 <DIR> d---s---- C:\Documents and Settings\User\UserData
    2007-11-16 17:36 <DIR> d-------- C:\Documents and Settings\User\Application Data\Image Zone Express
    2007-11-16 15:01 <DIR> d-------- C:\Documents and Settings\User\Application Data\HP
    2007-11-16 14:55 77,824 -ra------ C:\WINDOWS\system32\HPZIDS01.dll
    2007-11-16 14:55 49,664 -ra------ C:\WINDOWS\system32\drivers\HPZid412.sys
    2007-11-16 14:55 48,128 --a------ C:\WINDOWS\system32\hpzll054.dll
    2007-11-16 14:55 16,496 -ra------ C:\WINDOWS\system32\drivers\HPZipr12.sys
    2007-11-16 14:53 282,680 --a------ C:\WINDOWS\system32\HPZidr12.dll
    2007-11-16 14:53 204,800 --a------ C:\WINDOWS\system32\HPZipr12.dll
    2007-11-16 14:53 94,208 --a------ C:\WINDOWS\system32\HPZipt12.dll
    2007-11-16 14:53 69,632 --a------ C:\WINDOWS\system32\HPZipm12.exe
    2007-11-16 14:53 65,536 --a------ C:\WINDOWS\system32\HPZinw12.exe
    2007-11-16 14:53 57,344 --a------ C:\WINDOWS\system32\HPZisn12.dll
    2007-11-16 14:52 <DIR> d-------- C:\Program Files\HP
    2007-11-16 14:49 31,744 --a------ C:\WINDOWS\system32\drivers\usbccgp.sys
    2007-11-16 14:49 31,744 --a--c--- C:\WINDOWS\system32\dllcache\usbccgp.sys
    2007-11-16 14:47 117,699 --a------ C:\WINDOWS\hpoins11.dat
    2007-11-16 10:41 204,800 -ra------ C:\WINDOWS\nMconfig.exe
    2007-11-16 10:41 62,824 -ra------ C:\WINDOWS\system32\drivers\nMUSB.sys
    2007-11-16 10:41 45,056 -ra------ C:\WINDOWS\system32\nMenum.dll
    2007-11-16 10:41 25,600 --a------ C:\WINDOWS\system32\drivers\usbser.sys
    2007-11-16 10:41 25,600 --a--c--- C:\WINDOWS\system32\dllcache\usbser.sys
    2007-11-11 11:55 <DIR> d-------- C:\Program Files\Alcohol Soft
    2007-11-05 17:34 <DIR> d-------- C:\Program Files\Wtm CD Protect
    2007-10-29 20:26 <DIR> d-------- C:\Program Files\Common Files\SolidDocuments
    2007-10-29 20:26 20,569 --a------ C:\WINDOWS\system32\pxc25pm.dll
    2007-10-29 20:23 <DIR> d-------- C:\Documents and Settings\User\Application Data\SolidDocuments
    2007-10-29 19:09 <DIR> d-------- C:\Program Files\SolidDocuments

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2007-11-23 20:01 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
    2007-11-23 20:00 --------- d-----w C:\Program Files\Hewlett-Packard
    2007-11-23 19:59 --------- d-----w C:\Program Files\SmartDraw 2008
    2007-11-23 19:58 --------- d-----w C:\Program Files\Common Files\Ahead
    2007-11-23 19:58 --------- d-----w C:\Documents and Settings\All Users\Application Data\Nero
    2007-11-23 13:21 --------- d-----w C:\Documents and Settings\User\Application Data\AdobeUM
    2007-11-23 12:59 --------- d-----w C:\Program Files\QMwin32
    2007-11-04 18:58 --------- d-----w C:\Program Files\PDFCreator
    2007-10-25 17:05 94,416 ----a-w C:\WINDOWS\system32\drivers\aswmon2.sys
    2007-10-25 17:05 93,264 ----a-w C:\WINDOWS\system32\drivers\aswmon.sys
    2007-10-25 17:03 23,152 ----a-w C:\WINDOWS\system32\drivers\aswRdr.sys
    2007-10-25 17:01 42,912 ----a-w C:\WINDOWS\system32\drivers\aswTdi.sys
    2007-10-25 16:58 26,624 ----a-w C:\WINDOWS\system32\drivers\aavmker4.sys
    2007-10-25 16:24 815,480 ----a-w C:\WINDOWS\system32\aswBoot.exe
    2007-10-25 16:14 95,608 ----a-w C:\WINDOWS\system32\AVASTSS.scr
    2007-09-30 15:31 --------- d-----w C:\Program Files\Google
    2007-09-28 14:23 --------- d--h--w C:\Program Files\InstallShield Installation Information
    2007-09-28 14:23 --------- d-----w C:\Program Files\ROUTE66
    2007-09-28 07:46 --------- d-----w C:\Documents and Settings\User\Application Data\Ahead
    2007-09-28 07:41 --------- d-----w C:\Documents and Settings\All Users\Application Data\Ahead
    .

    ((((((((((((((((((((((((((((( snapshot@2007-11-25_15.07.58,43 )))))))))))))))))))))))))))))))))))))))))
    .
    + 2007-11-26 19:49:52 585,791 ----a-w C:\WINDOWS\gmer.dll
    + 2007-06-29 08:38:18 581,632 ----a-w C:\WINDOWS\gmer.exe
    + 2007-11-26 19:49:52 70,001 ----a-w C:\WINDOWS\system32\drivers\gmer.sys
    + 2007-11-26 16:02:43 16,384 ----atw C:\WINDOWS\TEMP\Perflib_Perfdata_5b4.dat
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-03 23:56]
    "BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2007-06-27 18:03]
    "Internet Download Accelerator"="C:\Program Files\IDA\ida.exe" [2006-12-15 16:38]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "VTTimer"="VTTimer.exe" [2005-03-08 03:33 C:\WINDOWS\system32\VTTimer.exe]
    "VTTrayp"="VTtrayp.exe" [2005-11-01 04:15 C:\WINDOWS\system32\VTTrayp.exe]
    "SMSERIAL"="sm56hlpr.exe" [2004-12-29 06:01 C:\WINDOWS\sm56hlpr.exe]
    "SoundMan"="SOUNDMAN.EXE" [2006-06-20 14:42 C:\WINDOWS\soundman.exe]
    "HPDJ Taskbar Utility"="C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb07.exe" [2002-11-04 20:29]
    "Share-to-Web Namespace Daemon"="C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe" [2002-04-17 10:42]
    "SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe" [2005-06-03 03:52]
    "avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-10-25 17:20]
    "OrderReminder"="C:\Program Files\Hewlett-Packard\OrderReminder\OrderReminder.exe" [2006-01-30 17:00]
    "WinDVR SchSvr"="C:\Program Files\Common Files\InterVideo\SchSvr\SchSvr.exe" [2006-07-18 15:24]
    "WinRemote"="C:\Program Files\InterVideo\WinDVR3\WinRemote.exe" [2006-07-18 15:23]
    "NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [2007-03-01 14:57]
    "HP Software Update"="C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe" [2006-02-19 02:41]
    "SpywareTerminator"="C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe" [2007-11-23 18:53]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-03 23:56]

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
    Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2007-02-08 16:45:42]
    Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 22:05:26]
    HP Digital Imaging Monitor.lnk - C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe [2006-02-19 04:21:22]
    InterVideo WinCinema Manager.lnk - C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe [2007-07-16 19:51:55]

    R1 sp_rsdrv2;Spyware Terminator Driver 2;\??\C:\WINDOWS\system32\drivers\sp_rsdrv2.sys
    R2 Mirage Computer Systems: Multimedia Protector update permissions manager. 14007.;Mirage Computer Systems: Multimedia Protector update permissions manager. 14007.;C:\Program Files\Multimedia Protector Premium\1.3\checkupdmp.exe -PermissionManagerRun
    R3 EKBfltr;ENE Keyboard Controller;C:\WINDOWS\system32\DRIVERS\EKBfltr.sys
    S3 netModUSBService;Service for netMod USB CAPI Driver;C:\WINDOWS\system32\drivers\nMUSB.sys
    S3 TridVid;Trident Analog Video;C:\WINDOWS\system32\DRIVERS\TridVid.sys
    S4 Csdssfacxnt;Csdssfacxnt;C:\WINDOWS\system32\drivers\http.sys

    .
    Contents of the 'Scheduled Tasks' folder
    "2007-11-18 12:00:12 C:\WINDOWS\Tasks\Automatic Updates Checking for Multimedia Protector.job"
    - C:\Program Files\Multimedia Protector Premium\1.3\checkupdmp.exe
    .
    ************************************************************************

    catchme 0.3.1262 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2007-11-27 23:09:08
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    ************************************************************************
    "ServiceDll"="%SystemRoot%\System32\msgsvc.dll"

    [HKEY_LOCAL_MACHINE\system\ControlSet001\Services\Mirage Computer Systems: Multimedia Protector update permissions manager. 14007.]
    .
    Completion time: 2007-11-27 23:09:49
    .
    --- E O F ---
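A small triage helper for the service section of a log like the one above. This is example code added to this thread; it is not from the original post and is not part of ComboFix, HijackThis or any other tool named here. It parses the `R`/`S` service lines as ComboFix prints them (R running, S stopped, digit = start type, 4 = disabled), strips the `\??\` prefix and any command-line arguments from the image path, and flags three things a reviewer would want pulled out: a file named like a core Windows driver that is registered under a service name other than the one Windows uses for it (the table of expected names is an assumption of this example and covers only a handful of XP drivers), a `.sys` loaded from outside `system32\drivers`, and a service whose display name is just its own service name. The sample input is the service block of the log above with the forum's line-wrap spaces removed.

```python
"""Triage of ComboFix-style service entries (R/S lines).

Example code added to this thread; it is not from the original post and is not
part of ComboFix or any other tool named in it.
"""
import re
from dataclasses import dataclass, field

# Assumption of this example: service names Windows XP registers for a few core
# drivers. A file with one of these names under a different service name is
# worth a closer look; it is not a verdict on its own.
KNOWN_DRIVERS = {
    "http.sys": "HTTP",
    "tcpip.sys": "Tcpip",
    "afd.sys": "AFD",
    "ndis.sys": "NDIS",
    "ntfs.sys": "Ntfs",
}

# ComboFix prefix: R = running, S = stopped; the digit is the start type.
START_TYPES = {"0": "boot", "1": "system", "2": "auto", "3": "demand", "4": "disabled"}

# The service section of the log above, with the forum's line-wrap spaces removed.
SAMPLE_LOG = r"""
R1 sp_rsdrv2;Spyware Terminator Driver 2;\??\C:\WINDOWS\system32\drivers\sp_rsdrv2.sys
R2 Mirage Computer Systems: Multimedia Protector update permissions manager. 14007.;Mirage Computer Systems: Multimedia Protector update permissions manager. 14007.;C:\Program Files\Multimedia Protector Premium\1.3\checkupdmp.exe -PermissionManagerRun
R3 EKBfltr;ENE Keyboard Controller;C:\WINDOWS\system32\DRIVERS\EKBfltr.sys
S3 netModUSBService;Service for netMod USB CAPI Driver;C:\WINDOWS\system32\drivers\nMUSB.sys
S3 TridVid;Trident Analog Video;C:\WINDOWS\system32\DRIVERS\TridVid.sys
S4 Csdssfacxnt;Csdssfacxnt;C:\WINDOWS\system32\drivers\http.sys
"""

LINE_RE = re.compile(r"^([RS])([0-4])\s+([^;]+);([^;]*);(.*)$")
# Image path: optional \??\ NT prefix, then everything up to the binary name;
# any command-line arguments after the binary are dropped.
IMAGE_RE = re.compile(r"^(?:\\\?\?\\)?(.*?\.(?:sys|exe|dll))(?:\s|$)", re.I)


@dataclass
class ServiceEntry:
    running: bool
    start_type: str
    name: str
    display: str
    image: str
    findings: list = field(default_factory=list)


def parse_service_line(line):
    """Return a ServiceEntry for one 'R1 name;display;path' line, or None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    state, start, name, display, rest = m.groups()
    im = IMAGE_RE.match(rest.strip())
    image = im.group(1) if im else rest.strip()
    return ServiceEntry(state == "R", START_TYPES[start], name.strip(), display.strip(), image)


def triage(entry):
    """Attach review findings to an entry; returns the list of findings."""
    fname = entry.image.rsplit("\\", 1)[-1].lower()
    expected = KNOWN_DRIVERS.get(fname)
    if expected and entry.name.lower() != expected.lower():
        entry.findings.append(
            f"{fname} is normally registered as service '{expected}', not '{entry.name}'")
    if fname.endswith(".sys") and "\\system32\\drivers\\" not in entry.image.lower():
        entry.findings.append("kernel driver loaded from outside system32\\drivers")
    if entry.display == entry.name:
        entry.findings.append("display name is just the service name")
    return entry.findings


def triage_log(text):
    """Parse every service line in a log and triage each; returns the entries."""
    entries = [e for e in (parse_service_line(l) for l in text.splitlines()) if e]
    for e in entries:
        triage(e)
    return entries


if __name__ == "__main__":
    for e in triage_log(SAMPLE_LOG):
        state = ("running" if e.running else "stopped") + "/" + e.start_type
        flag = " <-- " + "; ".join(e.findings) if e.findings else ""
        print(f"{state:17} {e.name[:30]:30} {e.image}{flag}")
```

Run against the sample, two of the six entries come back with findings: the disabled `Csdssfacxnt` service (a file named `http.sys` under a service name other than `HTTP`, and a display name equal to its service name) and the Mirage entry (display name equal to its service name only). The output is a list of things to look at by hand, not a detection; the same check works on any ComboFix log pasted into `SAMPLE_LOG`.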

  25. #25
    Beginner
    Joined
    06.09.2007.
    Sex
    male
    Posts
    43
    Reputation power
    0

    Re: For Dr. Bora !!! Virus: malware Win32: Zlober [Drp]

    Have a look at what is in the attachment.
    Attached files
