[ mancic82 @ 26.10.2005. 15:30 ] @
So, a few days ago I was searching for something on the net and a warning popped up:
"C:\Documents and Settings\Mancic\Local Settings\Temp\tsinstall_4_0_3_8_b17.exe Infected:
Trojan-Downloader.Win32.TSUpdate.l ..."! So now, I "go" there, since the antivirus wouldn't delete it, and I delete everything from there, but it still keeps reporting that virus or whatever it is! After a long time spent scanning the computer and deleting the virus, it no longer reports that it's there, but every ten minutes or so my browser starts up by itself and opens addresses like:
http://www.ad-w-a-r-e.com/cgi-...ormal&mSkip=1&rnd=7025

http://www.ad-w-a-r-e.com/cgi-...ormal&mSkip=1&rnd=2627

and sends me to some addresses with ads and some "girls for correspondence"!
I scanned the computer with both Ad-Aware and Spybot and deleted what was found, but it still sends me to those addresses!!! What else should I scan it with???
If anyone can help, please do, so that I don't have to wipe the system, because it's terribly annoying!
Thanks in advance!
[ Ozzy @ 26.10.2005. 18:31 ] @
Well, which antivirus program do you use? Have you tried Kaspersky? Check whether that exe file is "running" in Task Manager.
If you can't delete something, download the program Copy lock.
[ IcyImpact @ 26.10.2005. 19:18 ] @
Download the program HijackThis and paste what it found for us, and we'll see what's hiding there.
[ mancic82 @ 27.10.2005. 07:27 ] @
I use Avast! v.4.6-691, and the only "suspicious process" in Task Manager is "wdfmgr.exe", because it's the only one I can't turn off and I don't know what it's for either!
Here's what HijackThis says:

Logfile of HijackThis v1.99.1
Scan saved at 8:16:41, on 27.10.2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Lavasoft\Ad-Aware SE Enterprise 2005 Client\aaclient.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\WINDOWS\System32\rundll32.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\ICQLite\ICQLite.exe
C:\Program Files\MessengerPlus! 3\MsgPlus.exe
C:\WINDOWS\System32\ctfmon.exe
C:\PROGRA~1\INCRED~1\bin\IMApp.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Opera\Opera.exe
C:\Documents and Settings\Mancic\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://google.icq.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - URLSearchHook: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\Program Files\ICQToolbar\toolbaru.dll
O3 - Toolbar: MSN Search Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar Suite\TB\02.05.0001.1119\en-us\msntb.dll
O3 - Toolbar: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\Program Files\ICQToolbar\toolbaru.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [ICQ Lite] C:\Program Files\ICQLite\ICQLite.exe -minimize
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\MessengerPlus! 3\MsgPlus.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [IncrediMail] C:\Program Files\IncrediMail\bin\IncMail.exe /c
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Windows Desktop Search.lnk = C:\Program Files\MSN Toolbar Suite\DS\02.05.0001.1119\en-us\bin\WindowsSearch.exe
O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\PROGRA~1\INCRED~1\bin\resources\WebMenuImg.htm
O8 - Extra context menu item: &ICQ Toolbar Search - res://C:\Program Files\ICQToolbar\toolbaru.dll/SEARCH.HTML
O8 - Extra context menu item: &MSN Search - res://C:\Program Files\MSN Toolbar Suite\TB\02.05.0001.1119\en-us\msntb.dll/search.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Open in new background tab - res://C:\Program Files\MSN Toolbar Suite\TAB\02.05.0001.1119\en-us\msntabres.dll/229?50af88e4d2f944b3b5add29a1f81268e
O8 - Extra context menu item: Open in new foreground tab - res://C:\Program Files\MSN Toolbar Suite\TAB\02.05.0001.1119\en-us\msntabres.dll/230?50af88e4d2f944b3b5add29a1f81268e
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Internet Download Accelerator - {9819CC0E-9669-4D01-9CD7-2C66DA43AC6C} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra 'Tools' menuitem: &Internet Download Accelerator - {9819CC0E-9669-4D01-9CD7-2C66DA43AC6C} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{7DABBEA1-000A-4F98-A19B-B7F0476D4D08}: NameServer = 82.117.214.2,82.117.214.3
O17 - HKLM\System\CS1\Services\Tcpip\..\{7DABBEA1-000A-4F98-A19B-B7F0476D4D08}: NameServer = 82.117.214.2,82.117.214.3
O17 - HKLM\System\CS2\Services\Tcpip\..\{7DABBEA1-000A-4F98-A19B-B7F0476D4D08}: NameServer = 82.117.214.2,82.117.214.3
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: Reinstall - C:\WINDOWS\system32\e6jm0g11e6.dll
O23 - Service: Ad-Axis Client - Unknown owner - C:\Program Files\Lavasoft\Ad-Aware SE Enterprise 2005 Client\aaclient.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

[ IcyImpact @ 27.10.2005. 20:47 ] @
The only thing I found that could be the cause of your problem is: e6jm0g11e6.dll

Did you have the latest definitions when you ran the scans with Spybot S&D and Ad-Aware?
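
Added example, not part of the original thread and not HijackThis's own code: a small Python triage pass over HijackThis-format lines that surfaces the kind of entry singled out in the reply above (the O20 Winlogon Notify DLL). The sample lines are copied from the log in this thread; the function names and the "three or more letter/digit switches" name heuristic are assumptions made for illustration.

```python
import re

# Sample input: four entries copied from the HijackThis log posted in this thread.
SAMPLE = r"""
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: Reinstall - C:\WINDOWS\system32\e6jm0g11e6.dll
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
"""

# "<section code> - <detail>", e.g. "O20 - Winlogon Notify: ..."
ENTRY = re.compile(r"^(R[0-3]|O\d{1,2}) - (.+)$")
# File stem of any .dll/.exe/.ocx mentioned in the detail part.
FILE = re.compile(r'([^\\/"\s:]+)\.(?:dll|exe|ocx)\b', re.IGNORECASE)


def switches(stem):
    """Count letter<->digit alternations in a file stem (hypothetical heuristic).

    Vendor names such as 'nvsvc32' or 'npjpi150_04' switch once;
    generated names such as 'e6jm0g11e6' switch many times.
    """
    return sum(1 for a, b in zip(stem, stem[1:])
               if a.isalnum() and b.isalnum() and a.isdigit() != b.isdigit())


def triage(log_text):
    """Return [(section_code, [reasons])] for entries that deserve a manual look."""
    findings = []
    for line in log_text.splitlines():
        m = ENTRY.match(line.strip())
        if not m:
            continue  # header, blank line, or running-process path
        code, detail = m.groups()
        reasons = []
        if "(file missing)" in detail:
            reasons.append("file missing")
        if code == "O20":  # AppInit_DLLs / Winlogon Notify section
            reasons.append("loaded by winlogon at logon")
        for stem in FILE.findall(detail):
            if switches(stem) >= 3:  # assumed threshold
                reasons.append("random-looking name: " + stem)
        if reasons:
            findings.append((code, reasons))
    return findings


if __name__ == "__main__":
    for code, reasons in triage(SAMPLE):
        print(code, "->", "; ".join(reasons))
```

A flagged line is only a pointer for manual review: the "file missing" hit on the msnim protocol handler is a leftover from an uninstalled program, while the O20 entry is the one the thread goes on to remove.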

[ AleksandarNS @ 27.10.2005. 21:59 ] @
Set avast! to scan your hard disk before Windows boots.
[ mancic82 @ 28.10.2005. 12:17 ] @
I had the latest definitions when I scanned with Spybot S&D and Ad-Aware, I even went into safe mode to scan it, I also did a boot-scan with Avast and deleted the virus it found, and now I've also deleted e6jm0g11e6.dll, and from the registry I deleted tsl2 and some "Alexa", but it still sends me to those addresses, and on top of that it removes "quick launch" from my taskbar every time I restart the computer, which I don't know whether it's related but it's terribly annoying!!! There's nothing suspicious in Task Manager, except that wdfmgr.exe which I heard has something to do with Media Player 10, and I really don't know where it could have hidden it?!?!?!
It looks like a format is unavoidable :(
[ AleksandarNS @ 28.10.2005. 14:52 ] @
Is your System Restore turned on?
[ mancic82 @ 28.10.2005. 18:11 ] @
My System Restore is turned on, should I turn it off?
[ Shadowed @ 28.10.2005. 18:19 ] @
You don't have to, but take ownership of the System Volume Information folders and scan what's in them.
[ mancic82 @ 29.10.2005. 12:52 ] @
I deleted the contents of:
C:\Documents and Settings\Mancic\Local Settings\Temporary Internet Files\Content.IE5\...
and my problem is solved! Now, the thing is that I had deleted the contents of that folder even before I posted the question here, but it always came back, whereas now it doesn't come back!
P.S. One more little question that has nothing to do with this, but so that I don't open a new topic: I don't have the System Restore tab in Control Panel/System, so how do I turn it off if I want to?
Thanks to everyone who put in the effort to help me!
Regards!!!

[This message was edited by mancic82 on 29.10.2005. at 14:15 GMT+1]
[ AleksandarNS @ 29.10.2005. 14:10 ] @
Question:
I had a virus and found instructions to disable system restore in order to rid the virus from my system. After disabling system restore, then running my virus scan, the system restore tab has disappeared from the system properties window. How do I get this back?

Solution:
In order to restore your system restore tab, you will need to edit the registry. Be sure that you make a backup copy of the registry prior to making any changes.

Go to Start>> Run. Type in: regedit [Enter]

Navigate to the following registry key;

HKLM\Software\Policies\Microsoft\Windows NT\SystemRestore

Single click once on the entry; "SystemRestore" to empty its contents into the right pane.

Find the entry "DisableSR", right click on it and delete it.

Taken from http://www.5starsupport.com
[ mancic82 @ 29.10.2005. 15:52 ] @
Thanks, but the registry key:
HKLM\Software\Policies\Microsoft\Windows NT\SystemRestore
did not exist in my registry, so I found the solution for that at
http://www.webuser.co.uk/forum...t.php?Number=126392&page=0

Maybe someone else will run into the same problem, so here's the solution for that too!
P.S. If this post doesn't belong here, move it, since I think it's useful!
Regards and thanks once again!!!