Topic: Virus, Trojan.... What is it?  (Read 2473 times)
24 Oct 2005, 02:35:07
Everyday passer-by
Virus, Trojan.... What is it?
c:\DOCUME~1\kompjuter\LOCALS~1\TEMP\se.dll
How do I get rid of this monstrosity that appears every time the computer starts??? :)

[Edit by Zoran Karavla: Topics with titles like Urgent, Help, Problem, Is it, and similar should be avoided as much as possible! The topic title must correspond to its content and at least partially describe it. Consult the Burek Forum Rules]
« Last edit: 24 Oct 2005, 17:32:43 by Zoran Karavla »
Removed from the forum
Forum superstar
first, change those capital letters

and second .. you presumably have some antivirus or anti-spy or something like that, so remove it with that :) :)
Forum veteran
Well-known personality
Se.dll is an IE Browser Helper Object of adware SCBar/SearchExe variant. It adds a toolbar to Internet Explorer and generates popup ads while online.

And this :)

Does this look familiar??

res://C:\DOCUME~1\<username>\LOCALS~1\Temp\se.dll/sp.html

rundll32 C:\DOCUME~1\<username>\LOCALS~1\Temp\se.dll,DllInstall

or

res://C:\WINDOWS\TEMP\se.dll/sp.html

rundll32 C:\WINDOWS\TEMP\se.dll,DllInstall

This virus is quite similar to the Home Search virus seen in February

It took me 3 hours to kill this thing off. It is infuriating.  I was editing the registry to get rid of the bad stuff and as soon as I exited the registry editor, IT WAS ALREADY CHANGED BACK TO THE BAD STUFF!   You will also find that many of the bad files, executables, and dlls CANNOT BE DELETED in the normal mode of operation - only in Safe Mode.

    * 1.  What does this thing do?
          o a) It installs a local service which monitors its own health.
                + The service is installed in your registry at the following key:
                  HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
                + You will find something like the following:
                  sp   rundll32 C:\DOCUME~1\Owner\LOCALS~1\Temp\se.dll,DllInstall
                  sp   rundll32 C:\WINDOWS\TEMP\se.dll,DllInstall
                + This service reinstalls registry entries which YOU try to change.
                + It also starts the service every time you reboot your machine.
                + Hence this entry must be removed from the registry.
          o b) For Windows ME
                + It puts dlls into the C:\Windows\system\ directory.
                + It puts dlls into the C:\Windows\temp\ directory.
          o c) For Windows XP
                + It puts dlls into the C:\Windows\system32\ directory.
                + It puts dlls into the following directory:
                  C:\Documents and settings\<username>\Local settings\temp\
          o d) It registers protocol filter classes to get permission to change IE displays.
                + key location = HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/html
                + key location = HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/plain
          o e) It registers Browser Helper Objects (BHOs) in the class id area.
                + key location = HKEY_CLASSES_ROOT\CLSID\{bunch of letters and numbers}
                + These classes contain links to dlls which have random names.
                + These dlls can be found in your C:\Windows\system32\ directory or in C:\Windows\system\ for Windows ME.
          o f) The bad IE entries point to the dlls.
          o g) The dlls display the search crap.
    * 2.  Outline of how to get rid of it.
          o Turn off "system restore" (if it is on) using #4 below.
          o (critical) Stop the local service as given in #3.a below.
          o You may want to disconnect your internet cable so no replacement files can be downloaded without your knowledge or permission. (*new*)
          o Use explorer to find all copies of the "se.dll" file.
                + Write down the full paths (because you can't delete them).
                + You only need to search c:\documents and settings\ for Win XP or
                  c:\windows\temp\ for Win ME.
          o Use #3.b or #3.c below to find the other dlls - and write them down.
          o Use #6 below to find all the bad class ids in the registry (write them down).
          o Delete as many of the BAD executables and dlls as you can.
          o You will need to reboot in "Safe mode" to delete those files, executables, and dlls which you could not delete in normal mode.
          o You can rename them even if you can't delete them. Use something like xxxse.dll so that you can still find it easily when you want to delete it. (*new*)
          o When in "safe mode" navigate to each directory and delete the files which you could not delete in normal mode.
          o Next you will need to clean up your registry. Follow #5 below.
          o Finally you need to run Internet Explorer again to see if it is gone.
          o If it is gone, you can turn "system restore" back on.
    * 3.  How do I find the bad guys?
          o a) Finding (and stopping) the local service.
                + Hit <cntrl><alt><del> to open the Task Manager window.
                + Click the top of the left column to sort the entries alphabetically.
                + Scan down the list to find "rundll32".
                + Rundll32 is a system service and should NOT run constantly.
                + Click "End Process".
          o b) (Win ME) Finding the bad executables in the C:\Windows\ directory.
                + Use explorer to navigate to the C:\Windows\system\ directory.
                + Click at the top of the "date modified" column to sort the list by date.
                + Click again to bring the most recent dates to the top.
                + Scan all dlls or executables which have dates in the last month.
                + Write down the names of any which are suspicious.
                + Move the cursor over each name in your list.
                + If you wait a few seconds a "Tooltip" message will appear.
                + Good programs will have a real message telling who they are (like Microsoft or McAfee or Norton).
                + Bad programs will have no such info.
          o c) (Win XP) Finding the bad dlls in the C:\Windows\system32\ directory.
                + Use explorer to navigate to the C:\Windows\system32\ directory.
                + Click at the top of the "date modified" column to sort the list by date.
                + Click again to bring the most recent dates to the top.
                + Scan all dlls which have dates in the last month.
                + Write down the names of any which are suspicious.
                + Move the cursor over each name in your list.
                + If you wait a few seconds a "Tooltip" message will appear.
                + Good programs will have a real message telling who they are (like Microsoft or McAfee or Norton).
                + Bad programs will have no such info.
    * 4.  Turning off "system restore"
          o click "start" (bottom left of your screen)
          o select "control panel"
          o select "system"
          o right click & open
          o select "system restore" tab
          o check "turn off system restore on all drives"
          o click "apply"
          o click "ok"
          o close "control panel"
    * 5.  Cleaning up your registry.
          o To open your registry do the following:
                + click "start" (bottom left of your screen)
                + select "Run"
                + type "regedit"
                + ok
          o You need to fix the following four things:
                + You need to remove all references to all files, executables, and dlls in the lists you made in step #3 and step #6.
                + You need to fix all Internet Explorer links which contain "\temp\se.dll". Simply modify them to http://www.google.com/ or whatever you want. Just search for "\temp\se.dll".
                + You need to remove all copies of all the BAD class ids you found in step #6 (and the dlls they point to).
                + You need to make sure the service is removed from the key HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ - i.e. sp = rundll32 C:\DOCUME~1\Owner\LOCALS~1\Temp\se.dll,DllInstall
          o To remove any name do the following:
                + Drag the scroll bar to the top.
                + Click on "my computer" - this points you to the top.
                + Edit & Find the name you want to delete.
                + Delete or fix the entry.
                + Press F3 to find the next occurrence of the same name.
                + Repeat until no further occurrences are found.
    * 6.  Finding the bad class IDs and dll names in your registry
          o Open your registry as follows:
                + click "start" (bottom left of your screen)
                + select "Run"
                + type "regedit"
                + ok
          o Navigate to HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/html
          o Click the "+" to open and see the class ids inside.
          o Repeat the following for each class id.
                + Copy the name = bunch of letters and numbers.
                + Scroll to the top of the registry.
                + Find the class id (use only the letters and numbers).
                + Open it by clicking on the "+".
                + You should see "InProcServer32" or similar.
                + Select it to open it.
                + In the right panel you will see a full path name.
                + If it is C:\windows\system32\xxxxx.dll it is bad.
                + You can also check if it's on your previous bad list.
                + If bad, write it down because you will need to remove it later.
          o Navigate to HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/plain
          o Click the "+" to open and see the class ids inside.
          o Repeat the following for each class id.
                + Same as above list.
    * 7.  Useful downloads
          o CWShredder will help prevent these in the future. (it's FREE)
          o Download and install it.
          o Download and install and run about:buster. (it's FREE)
    * 8.  Who is doing this to us?
          o Here are the URLs and IP addresses which I have found.
                + looking-for.cc              195.225.176.27
                + lookingfor.cc               195.225.176.3
                + netcasthost.com             195.225.176.0 - 195.225.179.255
                + coolwebsearch.com           66.250.74.150
                + cogent communications       66.250.0.0 - 66.250.255.255
                + onlythebest.com             209.55.83.12
                + shoppingwizard.com          208.254.3.160
                + easy-search.biz             69.50.170.18
                + standard shells             69.50.170.0 - 69.50.170.255
          o Go into your FIREWALL and BLOCK all the above IP addresses.
    * 9.  IP tools to help you find these guys.
          o Karen's URL discombobulator will accept a URL and give you the IP address. (it's a FREE download) (* NEW *)
          o Download this EXCELLENT tool to convert IP addresses to geographic locations and find out their REAL names. (it's FREE)
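The guide above is a hand search: the Run key for the `sp = rundll32 ...\Temp\se.dll,DllInstall` autostart, then the class ids under HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/html and text/plain, each resolved through its CLSID\{...}\InProcServer32 path. The script below is an added example, not code from the post or from any tool it names, that performs the same triage offline over a registry export (`.reg`) so the findings can be reviewed before anything is deleted. The export text, the two GUIDs and the DLL names in it are constructed placeholders. One caveat on the post's "if it is C:\windows\system32\xxxxx.dll it is bad" rule: legitimate MIME filters are also served from system32, so this example resolves every filter's path and flags a class only when it is hooked on text/html or text/plain, when its DLL sits in a Temp directory, or when the DLL is on the suspect list you compiled by hand in step #3.

```python
"""Offline triage of a Windows registry export for the se.dll-style persistence the
post describes. Added example, not from the forum post or any tool it names. The
sample .reg text, its GUIDs and its DLL names are constructed placeholders."""
import re

# Constructed sample export, in the format regedit "Export" / `reg export` writes.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="C:\\Program Files\\Java\\bin\\jusched.exe"
"sp"="rundll32 C:\\DOCUME~1\\Owner\\LOCALS~1\\Temp\\se.dll,DllInstall"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\deflate]
"CLSID"="{BBBB0000-0000-0000-0000-000000000002}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/html]
"CLSID"="{AAAA0000-0000-0000-0000-000000000001}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/plain]
"CLSID"="{AAAA0000-0000-0000-0000-000000000001}"

[HKEY_CLASSES_ROOT\CLSID\{AAAA0000-0000-0000-0000-000000000001}\InProcServer32]
@="C:\\WINDOWS\\system32\\kqnbw.dll"
"ThreadingModel"="Apartment"

[HKEY_CLASSES_ROOT\CLSID\{BBBB0000-0000-0000-0000-000000000002}\InProcServer32]
@="C:\\WINDOWS\\system32\\urlmon.dll"
"ThreadingModel"="Apartment"
'''

KEY_RE = re.compile(r'^\[(?P<key>[^\]]+)\]$')
VALUE_RE = re.compile(r'^(?:@|"(?P<name>(?:[^"\\]|\\.)*)")=(?P<data>.*)$')
GUID_RE = re.compile(r'\{[0-9A-F]{8}(?:-[0-9A-F]{4}){3}-[0-9A-F]{12}\}', re.I)
TEMP_RE = re.compile(r'\\temp\\', re.I)                          # ...\Temp\... in any case
RUNDLL_DLL_RE = re.compile(r'\brundll32(?:\.exe)?\b.*\.dll,', re.I)  # rundll32 <dll>,<export>

RUN_KEY = r'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run'
FILTER_PREFIX = 'HKEY_CLASSES_ROOT\\PROTOCOLS\\Filter\\'
MIME_HOOKS = {'text/html', 'text/plain'}   # the filters the post names as the adware's hook


def _unescape(s):
    """Undo .reg string escaping (a doubled backslash, an escaped quote)."""
    return re.sub(r'\\(.)', r'\1', s)


def parse_reg(text):
    """Return {lower-cased key path: {'path': original path, 'values': {name: data}}}.
    Only quoted REG_SZ data is decoded; other types keep the raw text after '='."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(';') or line.startswith('Windows Registry Editor'):
            continue
        m = KEY_RE.match(line)
        if m:
            current = keys.setdefault(m.group('key').lower(),
                                      {'path': m.group('key'), 'values': {}})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            name = '@' if m.group('name') is None else _unescape(m.group('name'))
            data = m.group('data')
            if len(data) >= 2 and data[0] == '"' and data[-1] == '"':
                data = _unescape(data[1:-1])
            current['values'][name] = data
    return keys


def suspicious_run_entries(keys):
    """Autostart commands matching the post's indicators: rundll32 loading a DLL
    export at logon, and/or a binary launched from a Temp directory."""
    run = keys.get(RUN_KEY.lower(), {'values': {}})
    findings = []
    for name, cmd in run['values'].items():
        reasons = []
        if TEMP_RE.search(cmd):
            reasons.append('launches from a Temp directory')
        if RUNDLL_DLL_RE.search(cmd):
            reasons.append('rundll32 loading a DLL export at logon')
        if reasons:
            findings.append({'name': name, 'command': cmd, 'reasons': reasons})
    return findings


def filter_classes(keys):
    """Every PROTOCOLS\\Filter entry with its class id(s) and the InProcServer32 DLL
    each one resolves to (None when the CLSID key is absent from the export)."""
    rows = []
    for lk, entry in keys.items():
        if not lk.startswith(FILTER_PREFIX.lower()):
            continue
        filter_name = entry['path'][len(FILTER_PREFIX):]
        # The class id may be the CLSID value of the filter key or a sub-key named after it.
        guids = set(GUID_RE.findall(filter_name))
        for data in entry['values'].values():
            guids.update(GUID_RE.findall(data))
        for guid in sorted(guids):
            server = keys.get(('HKEY_CLASSES_ROOT\\CLSID\\%s\\InProcServer32' % guid).lower())
            dll = server['values'].get('@') if server else None
            rows.append({'filter': filter_name, 'clsid': guid.upper(), 'dll': dll})
    return rows


def suspicious_filter_classes(keys, suspect_dlls=()):
    """Flag filters hooked on text/html or text/plain, or whose server DLL is in a
    Temp directory or on the hand-made suspect list (the post's step #3)."""
    suspects = {s.lower() for s in suspect_dlls}
    findings = []
    for row in filter_classes(keys):
        reasons = []
        if row['filter'].split('\\')[0].lower() in MIME_HOOKS:
            reasons.append('filter registered for a MIME type the adware hooks')
        dll = row['dll'] or ''
        if TEMP_RE.search(dll):
            reasons.append('server DLL lives in a Temp directory')
        if dll.rsplit('\\', 1)[-1].lower() in suspects:
            reasons.append('server DLL is on the suspect list')
        if reasons:
            findings.append(dict(row, reasons=reasons))
    return findings


def triage(reg_text, suspect_dlls=()):
    keys = parse_reg(reg_text)
    return {'run': suspicious_run_entries(keys),
            'filters': suspicious_filter_classes(keys, suspect_dlls)}


if __name__ == '__main__':
    report = triage(SAMPLE_REG, suspect_dlls=['kqnbw.dll'])
    for f in report['run']:
        print('Run    %-20s %s  <- %s' % (f['name'], f['command'], '; '.join(f['reasons'])))
    for f in report['filters']:
        print('Filter %-10s %s %s  <- %s' % (f['filter'], f['clsid'], f['dll'], '; '.join(f['reasons'])))
```

To run it against a real machine, export HKLM\Software\Microsoft\Windows\CurrentVersion\Run and HKEY_CLASSES_ROOT\PROTOCOLS\Filter plus HKEY_CLASSES_ROOT\CLSID from regedit, read the files with `open(path, encoding='utf-16')` (regedit writes UTF-16), concatenate them and pass the text to `triage()` together with the DLL names you wrote down in step #3. The output is a review list, not a deletion list: every flagged item still needs the manual confirmation the post describes before it is removed.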
Removed from the forum
Forum superstar
ouch, some nasty virus .. :)
Friend of the forum
Jet set burekdzija
That's right, Adaware or WinTasks 5 Pro or some other one, the choice is yours
Everyday passer-by
huh... the method listed above is too complicated... I found it on the net too... where does one find that WinTasks Pro...? :)
Friend of the forum
Jet set burekdzija
http://www.lidownloads.com/products/wintaskspro.exe, you have Google, everything's there; if you want to patch that WinTasks, feel free to get in touch
« Last edit: 24 Oct 2005, 16:47:57 by lazacar »
All content on this website is property of "Burek.com" and, as such, they may not be used on other websites without written permission.

Copyright © 2002- "Burek.com", all rights reserved. Powered by: SMF. © 2005, Simple Machines LLC.