Torpig virus help


  • frasi
  • New MyCity citizen
  • Joined: 14 Jul 2007
  • Posts: 13

file zipped: C:\WINDOWS\PREFETCH\ISARVICESE4.EXE-1F92C9C2.pf -> catchme.zip -> ISARVICESE4.EXE-1F92C9C2.pf ( 67954 byte
source file error: C:\WINDOWS\system32\isarvicese4.exe


This is the Notepad output from catchme. I don't know whether I should upload this first, from Notepad. When I paste in the script you wrote, it throws "script completed with error".

I found this a few days ago through Search / For Files and Folders. Now, when I type isarvicese4 into Search, it only finds the first one below, and that is what I typed into the catchme script.

ISARVICES4E.EXE-1F92C9C2.pf c:\windows\prefetch 67 kb pf file

isarvicese4 c:\windows\ system 32 43 kb application

Update: 20 Jul 2007 20:25

Logfile of HijackThis v1.99.1
Scan saved at 3:57:15 AM, on 21/07/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Common Files\ACD Systems\EN\DevDetect.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\LVCOMSX.EXE
C:\Program Files\Logitech\Video\LogiTray.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
C:\PROGRA~1\MESSEN~1\msmsgs.exe
C:\Program Files\Logitech\Video\FxSvr2.exe
C:\WINDOWS\system32\sistray.exe
C:\WINDOWS\slrundll.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\mario govedarica\Desktop\d\d1.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = paramountpc.com.au
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Device Detector] DevDetect.exe -autorun
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [SvcManager] isarvicese4.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
O4 - HKCU\..\Run: [LogitechSoftwareUpdate] "C:\Program Files\Logitech\Video\ManifestEngine.exe" boot
O4 - HKCU\..\Run: [MSMSGS] "C:\PROGRA~1\MESSEN~1\msmsgs.exe" /background
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Utility Tray.lnk = C:\WINDOWS\system32\sistray.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.paramountpc.com.au
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - us.chat1.yimg.com/us.yimg.com/i/chat/applet/v45/yacscom.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - chat.msn.com/controls/msnchat45.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{2DE7E8E3-6E03-4D26-9FBB-2F5D09970FF7}: NameServer = 203.194.27.57 203.194.56.150
O17 - HKLM\System\CS1\Services\Tcpip\..\{2DE7E8E3-6E03-4D26-9FBB-2F5D09970FF7}: NameServer = 203.194.27.57 203.194.56.150
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe

  • Joined: 04 Sep 2003
  • Posts: 24135
  • Location: Wien

Suicide...
What is killing me right now is that I can't tell whether the folder name above (c:\windows\ system 32) really contains a space before the word "system" and before the number "32", or whether that came from copying the text into the post.
Go and check whether the Windows folder contains both a System32 folder and a System 32 folder (with the space).

Download ComboFix
and post me the contents of the log, which will be saved as C:\ComboFix.txt

  • frasi
  • New MyCity citizen
  • Joined: 14 Jul 2007
  • Posts: 13

In Windows there is only one system32 folder, without a space, although there is also a folder named -system- with no numbers at all.

Here is the ComboFix log. I got the message "combofix needs to submit malware files for further analysis". I don't know whether to send it.

Also, my firewall reported that it is blocking some parts of MSN for protection. I don't know whether to press Keep Blocking or Unblock.

"mario govedarica" - 2007-07-21 19:56:14 - ComboFix 07-07-17.8 - Service Pack 2 NTFS


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\Program Files\Common Files\microsoft shared\web folders\ibm00001.dll
C:\WINDOWS\system32\4_exception.nls


((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))


-------\LEGACY_ASC3550U
-------\LEGACY_NTMLSVC
-------\asc3550u
-------\NtmlSvc


((((((((((((((((((((((((( Files Created from 2007-06-21 to 2007-07-21 )))))))))))))))))))))))))))))))


2007-07-21 19:54 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-07-17 22:56 <DIR> d-------- C:\Program Files\Lavasoft
2007-07-03 01:10 2,548 --a------ C:\DOCUME~1\MARIOG~1\ymkycq.exe
2007-07-01 23:33 65,422 --a------ C:\DOCUME~1\MARIOG~1\ndzkiq.exe
2007-07-01 23:17 61,042 --a------ C:\DOCUME~1\MARIOG~1\lniqwz.exe
2007-07-01 23:12 <DIR> d-------- C:\install


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-07-17 13:26:22 -------- d-----w C:\DOCUME~1\MARIOG~1\APPLIC~1\Lavasoft
2007-07-13 17:21:22 -------- d-----w C:\Program Files\Soulseek
2007-07-09 13:29:01 -------- d-----w C:\Program Files\mIRC
2007-05-30 10:28:33 -------- d-----w C:\Program Files\dvdSanta
2007-05-16 15:12:02 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll
2007-04-25 14:21:15 144,896 ----a-w C:\WINDOWS\system32\schannel.dll
2004-10-01 05:30:16 40,960 ----a-w C:\Program Files\Uninstall_CDS.exe
2001-12-11 15:12:08 15,089 ----a-w C:\Program Files\README.TXT
2001-12-11 13:10:44 548,864 ----a-w C:\Program Files\alleg40.dll


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{02478D38-C3F9-4EFB-9B51-7695ECA05670}]
2006-06-07 11:09 399352 --a------ C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]
2005-09-24 09:42 63136 --a------ C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}]
2005-05-31 00:04 853672 --------- C:\PROGRA~1\SPYBOT~1\SDHelper.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}]
2005-11-11 06:52 184423 --a------ C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{9030D464-4C02-4ABF-8ECC-5164760863C6}]
2006-07-07 12:29 324416 --a------ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE" [2004-12-01 17:24 C:\WINDOWS\SOUNDMAN.EXE]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-02-27 14:45]
"Device Detector"="DevDetect.exe" []
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2006-07-01 20:02]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-03-27 17:47]
"LogitechVideoRepair"="C:\Program Files\Logitech\Video\ISStart.exe" [2005-06-08 14:24]
"LogitechVideoTray"="C:\Program Files\Logitech\Video\LogiTray.exe" [2005-06-08 14:14]
"SvcManager"="isarvicese4.exe" []

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="C:\Program Files\MSN Messenger\msnmsgr.exe" [2006-07-29 19:34]
"PowerBar"="" []
"NBJ"="C:\Program Files\Ahead\Nero BackItUp\NBJ.exe" [2005-09-16 16:41]
"LDM"="C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe" [2006-12-11 17:09]
"LogitechSoftwareUpdate"="C:\Program Files\Logitech\Video\ManifestEngine.exe" [2005-06-08 13:44]
"MSMSGS"="C:\PROGRA~1\MESSEN~1\msmsgs.exe" [2004-10-14 01:54]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"RunNarrator"=Narrator.exe

C:\DOCUME~1\ALLUSE~1\STARTM~1\Programs\Startup
Logitech Desktop Messenger.lnk - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe [2006-12-11 17:09:08]
Utility Tray.lnk - C:\WINDOWS\system32\sistray.exe [2006-01-17 05:11:30]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\InCD]
C:\Program Files\Ahead\InCD\InCD.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"C:\Program Files\Messenger\msmsgs.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
"C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
"C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Spyware Doctor]
"C:\Program Files\Spyware Doctor\swdoctor.exe" /Q

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
C:\Program Files\Winamp\winampa.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
Usnsvc usnsvc


**************************************************************************

catchme 0.3.1040 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, gmer.net
Rootkit scan 2007-07-21 20:00:30
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-07-21 20:01:51 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-07-21 20:01

--- E O F ---

Update: 21 Jul 2007 15:07

I also have a cf-submit folder on the desktop, "to submit malware to bleeping computer for analysis", and a QooBox folder has appeared as a quarantine. Since I ran this ComboFix I can't open two sites at the same time, my passwords have been deleted, etc. I hope that is normal.

Update: 21 Jul 2007 15:27

This also appeared:

IEXPLORE.EXE - APPLICATION ERROR
The instruction at 0x011b5fbe referenced memory at 0x011b5fbe. The memory could not be read. Click OK to terminate the program.

  • Joined: 04 Sep 2003
  • Posts: 24135
  • Location: Wien

Pack the following into a single ZIP for me:

folder
c:\qoobox\

files:
C:\WINDOWS\system32\inetcomm.dll
C:\WINDOWS\system32\schannel.dll
C:\Documents and Settings\mario govedarica\ymkycq.exe
C:\Documents and Settings\mario govedarica\ndzkiq.exe
C:\Documents and Settings\mario govedarica\lniqwz.exe
C:\Program Files\alleg40.dll

Upload it to me through the following form:
http://www.mycity.rs/ambulanta-upload.php

Copy the contents of the following log into a post:
C:\ComboFix-quarantined-files.txt
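
The three .exe files the helper asks for above are the ones the ComboFix "Files Created" section shows dropped straight into the user's profile root. The following is an added example, not part of the thread and not ComboFix's own code: it parses that section in the format shown in the log above and lists executables created directly in a profile root or in a Windows system directory. The sample log is a trimmed copy of the one posted; the list of system directories, the extension list and the function names are my assumptions.

```python
r"""Triage the "Files Created" section of a ComboFix log.

Added example for this thread, not ComboFix's own code. It reads the section
the way it appears in the log posted above (a banner line of parentheses, then
one file per line: date, time, size or <DIR>, attribute string, path) and lists
the executables that were dropped straight into a user profile root or into a
Windows system directory. Directory set and extension list are assumptions.
"""
import re
from dataclasses import dataclass
from datetime import datetime
from typing import List, Optional

# Constructed sample: a trimmed copy of the ComboFix log posted in the thread.
SAMPLE_LOG = r"""
((((((((((((((((((((((((( Files Created from 2007-06-21 to 2007-07-21 )))))))))))))))))))))))))))))))

2007-07-21 19:54 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-07-17 22:56 <DIR> d-------- C:\Program Files\Lavasoft
2007-07-03 01:10 2,548 --a------ C:\DOCUME~1\MARIOG~1\ymkycq.exe
2007-07-01 23:33 65,422 --a------ C:\DOCUME~1\MARIOG~1\ndzkiq.exe
2007-07-01 23:17 61,042 --a------ C:\DOCUME~1\MARIOG~1\lniqwz.exe
2007-07-01 23:12 <DIR> d-------- C:\install

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-07-13 17:21:22 -------- d-----w C:\Program Files\Soulseek
"""

# One "Files Created" line: date, HH:MM, size with thousands separators or <DIR>,
# nine-character attribute string, then the path (which may contain spaces).
ENTRY_RE = re.compile(
    r'^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2})\s+'
    r'(?P<size><DIR>|[\d,]+)\s+(?P<attr>[-a-z]{9})\s+(?P<path>\S.*)$'
)
EXE_EXT = ('.exe', '.com', '.scr', '.dll', '.sys', '.pif')          # assumption
SYSTEM_DIRS = {r'C:\WINDOWS', r'C:\WINDOWS\SYSTEM32', r'C:\WINDOWS\TEMP'}  # assumption


@dataclass(frozen=True)
class CreatedFile:
    created: datetime
    size: Optional[int]   # None for <DIR> entries
    attrs: str
    path: str

    @property
    def parent(self) -> str:
        return self.path.rsplit('\\', 1)[0]


def section(log_text: str, title: str) -> List[str]:
    """Lines between the banner whose text contains `title` and the next banner."""
    out, inside = [], False
    for line in log_text.splitlines():
        if line.startswith('((('):
            inside = title in line
            continue
        if inside:
            out.append(line)
    return out


def parse_files_created(log_text: str) -> List[CreatedFile]:
    entries = []
    for line in section(log_text, 'Files Created'):
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue
        size = None if m['size'] == '<DIR>' else int(m['size'].replace(',', ''))
        created = datetime.strptime(f"{m['date']} {m['time']}", '%Y-%m-%d %H:%M')
        entries.append(CreatedFile(created, size, m['attr'], m['path']))
    return entries


def in_profile_root(path: str) -> bool:
    r"""True for C:\DOCUME~1\<user>\file, i.e. the profile root itself, not a subfolder."""
    parts = path.split('\\')
    return len(parts) == 4 and parts[1].upper() in ('DOCUME~1', 'DOCUMENTS AND SETTINGS')


def dropped_executables(entries: List[CreatedFile]) -> List[CreatedFile]:
    """Executables created directly in a profile root or a Windows system directory."""
    return [
        e for e in entries
        if e.size is not None
        and e.path.lower().endswith(EXE_EXT)
        and (in_profile_root(e.path) or e.parent.upper() in SYSTEM_DIRS)
    ]


if __name__ == '__main__':
    for f in dropped_executables(parse_files_created(SAMPLE_LOG)):
        print(f.created, f.size, f.path)
```

On the sample this returns the three profile-root executables plus C:\WINDOWS\nircmd.exe. The latter was created at 19:54, two minutes before the 19:56 run time in the ComboFix header, which points to the tool placing it there itself; the heuristic cannot know that, so the output is a candidate list for a person to check, not a verdict.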

  • frasi
  • New MyCity citizen
  • Joined: 14 Jul 2007
  • Posts: 13

Sorry, I don't know how to put that into a ZIP.

Here is that log:

2007-07-06 23:43      73605    --a------    C:\Qoobox\Quarantine\C\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00001.dll.vir
2007-07-06 23:44      0    --a------    C:\Qoobox\Quarantine\C\WINDOWS\system32\4_exception.nls.vir
2007-07-21 19:58      1026    --a------    C:\Qoobox\Quarantine\Registry_backups\LEGACY_NTMLSVC.reg.cf
2007-07-21 19:58      1044    --a------    C:\Qoobox\Quarantine\Registry_backups\LEGACY_ASC3550U.reg.cf
2007-07-21 19:58      3708    --a------    C:\Qoobox\Quarantine\Registry_backups\services_NtmlSvc.reg.cf
2007-07-21 19:58      850    --a------    C:\Qoobox\Quarantine\Registry_backups\services_asc3550u.reg.cf


Folder PATH listing
Volume serial number is F4DD-DD92
C:\QOOBOX
\---Quarantine
    +---C
    |   +---Program Files
    |   |   \---Common Files
    |   |       \---Microsoft Shared
    |   |           \---Web Folders
    |   |                   ibm00001.dll.vir
    |   |                   
    |   \---WINDOWS
    |       \---system32
    |               4_exception.nls.vir
    |               
    \---Registry_backups
            LEGACY_ASC3550U.reg.cf
            LEGACY_NTMLSVC.reg.cf
            services_asc3550u.reg.cf
            services_NtmlSvc.reg.cf
           

  • Joined: 04 Sep 2003
  • Posts: 24135
  • Location: Wien

If you are using Windows Explorer, right-click the QooBox folder; there you have the Send To option, and under it the sub-option Compressed (zipped) Folder. That packs the folder into a single ZIP file.

For the other files, the easiest way is to copy them all into one new folder and then repeat for that whole folder the procedure I described above for the QooBox folder.

Update: 21 Jul 2007 19:16

By the way, I forgot something that may be very important: I suspect a Banker trojan here. If you use online access to your bank account or anything similarly important, my recommendation and advice is to change your passwords/access codes, because a Banker trojan exists precisely to steal bank login credentials.

  • frasi
  • New MyCity citizen
  • Joined: 14 Jul 2007
  • Posts: 13

There, I have sent all of that. Today AVG reported that isarvicese4.exe as a virus and cleaned it. Spybot found nothing afterwards. I don't know whether there is anything more to clean.

  • Joined: 04 Sep 2003
  • Posts: 24135
  • Location: Wien

Look through the following folder and tell me what other files are in it:
C:\Program Files\Common Files\microsoft shared\web folders\

Give me a new HijackThis log as well.

  • frasi
  • New MyCity citizen
  • Joined: 14 Jul 2007
  • Posts: 13

This is what I found in C:\Program Files\Common Files\microsoft shared\web folders:

- msonsext.dll, Microsoft Office Name Space Extension, 548 KB
- msows409.dll, Microsoft Office Server Extension Localized Resources, 120 KB

AND THIS WAS A HIDDEN FILE:

Publace, hypertext template, 8 KB

Logfile of HijackThis v1.99.1
Scan saved at 5:38:49 PM, on 22/07/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Common Files\ACD Systems\EN\DevDetect.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Logitech\Video\LogiTray.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
C:\PROGRA~1\MESSEN~1\msmsgs.exe
C:\WINDOWS\system32\LVComsX.exe
C:\WINDOWS\system32\sistray.exe
C:\Program Files\Logitech\Video\FxSvr2.exe
C:\WINDOWS\slrundll.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\mario govedarica\Desktop\d\d1.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = paramountpc.com.au
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Device Detector] DevDetect.exe -autorun
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [SvcManager] isarvicese4.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
O4 - HKCU\..\Run: [LogitechSoftwareUpdate] "C:\Program Files\Logitech\Video\ManifestEngine.exe" boot
O4 - HKCU\..\Run: [MSMSGS] "C:\PROGRA~1\MESSEN~1\msmsgs.exe" /background
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Utility Tray.lnk = C:\WINDOWS\system32\sistray.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.paramountpc.com.au
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - us.chat1.yimg.com/us.yimg.com/i/chat/applet/v45/yacscom.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - chat.msn.com/controls/msnchat45.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{2DE7E8E3-6E03-4D26-9FBB-2F5D09970FF7}: NameServer = 203.194.27.57 203.194.56.150
O17 - HKLM\System\CS1\Services\Tcpip\..\{2DE7E8E3-6E03-4D26-9FBB-2F5D09970FF7}: NameServer = 203.194.27.57 203.194.56.150
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe

  • Joined: 04 Sep 2003
  • Posts: 24135
  • Location: Wien

Scan again with HijackThis and tick the box in front of the following line:
O4 - HKLM\..\Run: [SvcManager] isarvicese4.exe

After that, restart the computer.

After the restart, scan again with HijackThis. If the line has not come back, we can consider the case solved.
If it appears again, we will have to rack our brains some more.
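
The check the helper describes (fix the Run entry, reboot, rescan, see whether the line returns) can be done mechanically over the two HijackThis logs. The following is an added example, not part of the thread and not HijackThis's own code. It parses O4 Run-key lines, flags commands given as a bare file name with no drive or directory, which Windows resolves at logon through the system directories and PATH and which is why the log shows only "isarvicese4.exe" while the file itself sits in C:\WINDOWS\system32, and compares two scans so a removed entry that reappears stands out. The two sample scans are trimmed copies of the O4 lines posted above; the extension list and the function names are my assumptions.

```python
r"""Triage HijackThis O4 (Run key) lines and compare two scans.

Added example for this thread, not code from the posts or from HijackThis.
A Run value whose command is a bare file name (no drive, no directory) is
located by search order rather than by an explicit path; that is what
"[SvcManager] isarvicese4.exe" looks like in the logs above. Comparing the
scan before a fix with the scan after the reboot shows whether the entry came
back. Extension list and function names are assumptions.
"""
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed samples: a trimmed subset of the O4 lines from the two HijackThis
# logs posted above (scan of 21/07/2007 and scan of 22/07/2007).
SCAN_1 = r"""
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Device Detector] DevDetect.exe -autorun
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [SvcManager] isarvicese4.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Global Startup: Utility Tray.lnk = C:\WINDOWS\system32\sistray.exe
"""
SCAN_2 = r"""
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Device Detector] DevDetect.exe -autorun
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [SvcManager] isarvicese4.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
"""

# O4 lines for the HKLM/HKCU Run keys only; Global Startup .lnk lines are skipped.
O4_RE = re.compile(r'^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$')
EXE_EXT = ('.exe', '.com', '.scr', '.bat', '.cmd', '.pif')  # assumption


@dataclass(frozen=True)
class RunEntry:
    hive: str     # HKLM or HKCU
    name: str     # value name shown in brackets
    command: str  # command line as logged
    image: str    # executable part of the command, quotes stripped


def split_image(command: str) -> str:
    """Executable part of a Run command. A quoted path ends at the closing quote;
    an unquoted path with spaces is rebuilt token by token until a token ends in
    an executable extension, mirroring how CreateProcess tries longer prefixes."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    tokens = command.split()
    for i, tok in enumerate(tokens):
        if tok.lower().endswith(EXE_EXT):
            return ' '.join(tokens[:i + 1])
    return tokens[0] if tokens else ''


def parse_o4(log_text: str) -> List[RunEntry]:
    entries = []
    for line in log_text.splitlines():
        m = O4_RE.match(line.strip())
        if m:
            entries.append(RunEntry(m['hive'], m['name'], m['cmd'], split_image(m['cmd'])))
    return entries


def is_bare_image(image: str) -> bool:
    """No drive and no directory: the file is found by search order, not by path."""
    return bool(image) and '\\' not in image and ':' not in image


def flag_bare(entries: List[RunEntry]) -> List[str]:
    return [e.name for e in entries if is_bare_image(e.image)]


def compare_scans(before: List[RunEntry], after: List[RunEntry]) -> Dict[str, List[str]]:
    """Which Run entries disappeared, which are new, and which bare ones persisted."""
    def key(e: RunEntry):
        return (e.hive, e.name.lower(), e.image.lower())
    b = {key(e): e for e in before}
    a = {key(e): e for e in after}
    return {
        'removed': sorted(b[k].name for k in b.keys() - a.keys()),
        'added': sorted(a[k].name for k in a.keys() - b.keys()),
        'kept_bare': sorted(a[k].name for k in a.keys() & b.keys() if is_bare_image(a[k].image)),
    }


if __name__ == '__main__':
    print('bare in scan 1:', flag_bare(parse_o4(SCAN_1)))
    print(compare_scans(parse_o4(SCAN_1), parse_o4(SCAN_2)))
```

On the two scans this reports SiSUSBRG, NeroFilterCheck and LVCOMSX as gone between the logs and SvcManager as still present, alongside SoundMan and Device Detector, which are also bare but belong to known sound and ACD Systems software. The bare-name test therefore narrows the list rather than deciding it; the unknown value name, the unknown file and AVG's later detection are what settle isarvicese4.exe.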
