(riješeno) Moguci spyware problem

[Vjeko]

Zadnjih nekoliko sati primjetio sam neke neobicne reklame po pcekspert forumu, i to one tipa "you are 999,999,999 visitor...bla bla.."
(slika kako to izleda 530kb)
Nisam to nikada prije vidio, a možda nisam ni obracao paznju.

EDIT: takve reklame nisu samo na PCE nego i na svakoj stranici na kojoj imaju AdSens google bannere. npr. net.hr, t-portal...

Uz to imam problem sa google stranicom koja se uspije otvoriti ali neće pretrazivati i također istodobno je i Live messenger odapeo, nemoze se ulogirati, i uz to ne javlja apsolutno nikakvu gresku.

Scanirao sam komp sa nod32 i sa adaware, sve najnoviji update i nisu pronasli ama baš nista. Ništa=0.

U msconfigu sam pogasio neke stvari koje su mi bile sumnjive, u procesima nevidim ništa neobicno...

eto, molim neki savjet kako da se toga rijesim, ili je to normalno i stvarno sam dobio neko brdo love na nagradnoj igri milijunti visitor

Hvala!


Evo log od Hijack this:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:35:01, on 31.8.2008
Platform: Windows XP SP3, v.3264 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0013)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\D-Tools\daemon.exe
C:\WINDOWS\system32\Rundll32.exe
C:\Program Files\ATI Multimedia\RemCtrl\ATIRW.exe
C:\Program Files\Internet Download Manager\IDMan.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Internet Download Manager\IEMonitor.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Adobe\Adobe Photoshop CS3\Photoshop.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
D:\Download's\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=74005
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [BMbb0fb567] Rundll32.exe "C:\WINDOWS\system32\mjcpehlb.dll",s
O4 - HKCU\..\Run: [ATI Remote Control] C:\Program Files\ATI Multimedia\RemCtrl\ATIRW.exe
O4 - HKCU\..\Run: [IDMan] C:\Program Files\Internet Download Manager\IDMan.exe /onboot
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: Download all links with IDM - C:\Program Files\Internet Download Manager\IEGetAll.htm
O8 - Extra context menu item: Download FLV video content with IDM - C:\Program Files\Internet Download Manager\IEGetVL.htm
O8 - Extra context menu item: Download with IDM - C:\Program Files\Internet Download Manager\IEExt.htm
O8 - Extra context menu item: I&zvoz u Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Istraživanje - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/ge...sh/swflash.cab
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: X10 Device Network Service (x10nets) - Unknown owner - C:\PROGRA~1\ATIMUL~1\RemCtrl\x10nets.exe (file missing)

[greenfly]

Izbriši si ovu stavku u HJT-u, i ručno taj "mjcpehlb.dll",s" file u system32 folderu.

O4 - HKLM\..\Run: [BMbb0fb567] Rundll32.exe "C:\WINDOWS\system32\mjcpehlb.dll",s

[Vjeko]

Evo ga, u kombinaciji sa spybot s&d i pomoći greenfly-a problem riješen.

Spybot je našao trojanac "Virtumond". Nakon 2 scaniranja, kaže da je riješio, a poslje toga su se na startu windowsa počele pojavljivati razne greške koje je savjet greenfly-a sanirao.

Nadam se da je to sad to, jerbo sve radi i nema više reklama!

[Joke]

Dosta ljudi skupi virtumond ap imaju problema..Vec je par puta bila takva tema s takvim problemom Ali dobro bitno da je rijeseno! http://forum.pcekspert.com/showthrea...79#post1122179

[Vjeko]

heh, evo, opet se sve vratilo...opet sam otvoren za savjete...znači, spyboot ga detektira, ali izgleda da nije učinkovit u brisanju istog.

jos sam u program filesu primjetio jedan folder "Bonjour" koji nemogu obrisati (unutra je jedna dll datoteka) i kad pogasim sve procese opet ga nemogu obrisati.

help!

[Joke]

Jesi provao s ovim programima i safe modea sta sam ti stavio link na temu?PS.O Bonjour serviceu http://www.ajuaonline.com/2007/10/02...njour-service/

[Vjeko]

idem sad probati pa javim.

EDIT: Pustio da odradi Combofix i SmitfraudFix. Izgleda da je sad opet ok, ali idem pustit opet spybot. on ga uvjek pronadje.

EDIT 2: Spybot završio, nije ništa pronašao
valjda je to sad to?

Hvala na pomoći!