Terribly slow

  • zevsrs
  • New MyCity citizen
  • Joined: 09 Mar 2008
  • Posts: 6

I've heard only the best about you. My problem is that my computer is far too slow and I wait a long time for anything to open. I'm going to replace NOD, and here is the log. Thanks. I'm new and hope to be a permanent member of yours.
Logfile of HijackThis v1.99.1
Scan saved at 20:10:53, on 9.3.2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\D-Link\AirPlus G\AirGCFG.exe
C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
C:\Program Files\Eset\nod32kui.exe
C:\WINDOWS\Mixer.exe
C:\Program Files\Winamp\winampa.exe
C:\WINDOWS\system32\qttask.exe
C:\WINDOWS\VM_STI.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Macrogaming\SweetIM\SweetIM.exe
C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\WINDOWS\system32\lnaccess.exe
C:\Documents and Settings\Zoran\Desktop\baja\przamyc.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = home.sweetim.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = home.sweetim.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR
R3 - URLSearchHook: SweetIM For Internet Explorer - {BC4FFE41-DE9F-46fa-B455-AAD49B9F9938} - C:\Program Files\Macrogaming\SweetIMBarForIE\toolbar.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SWEETIE - {1A0AADCD-3A72-4b5f-900F-E3BB5A838E2A} - C:\PROGRA~1\MACROG~1\SWEETI~1\toolbar.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: SweetIM For Internet Explorer - {BC4FFE41-DE9F-46fa-B455-AAD49B9F9938} - C:\Program Files\Macrogaming\SweetIMBarForIE\toolbar.dll
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [D-Link AirPlus G] C:\Program Files\D-Link\AirPlus G\AirGCFG.exe
O4 - HKLM\..\Run: [ANIWZCS2Service] C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\system32\qttask.exe" -atboottime
O4 - HKLM\..\Run: [BigDogPath] C:\WINDOWS\VM_STI.EXE INTEX USB PC Camera
O4 - HKLM\..\Run: [SweetIM] C:\Program Files\Macrogaming\SweetIM\SweetIM.exe
O4 - HKLM\..\Run: [MSN] lssas.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Instant Access] C:\WINDOWS\system32\lnaccess.exe /res
O4 - HKCU\..\Run: [MsnMsgr] ~"C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Uniblue RegistryBooster 2] C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe /S
O4 - HKCU\..\Run: [SweetIM] C:\Program Files\Macrogaming\SweetIM\SweetIM.exe
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{A8E0A1B0-1178-468A-9A87-A5731A619DAD}: NameServer = 87.250.98.250 87.250.97.250
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O23 - Service: ANIWZCSd Service (ANIWZCSdService) - Alpha Networks Inc. - C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: Power Manager (PowerManager) - Unknown owner - C:\WINDOWS\svchost.exe (file missing)

  • dr_Bora  Male
  • Anti Malware Fighter
    Rank 2
  • Joined: 24 Jul 2007
  • Posts: 12280
  • Location: Höganäs, SE

Hello...

Download Navilog1 from the following address:
http://pagesperso-orange.fr/il.mafioso/Navifix/Navilog1.exe

Temporarily disable the antivirus program (set the AMON module in NOD32 to Disabled).

Double-click to run the installer. After installation there will be a new Navilog1.bat icon on the Desktop.
Run Navilog1.bat and on the first screen choose the language (E for English).
On the next three screens just press any key to move on to the next screen.

When you reach the screen where you choose what Navilog1 should do, choose option 1 - Search.

When the scan finishes, Navilog1 will open Notepad, and the log shown in Notepad should be copied into a post on the forum.

  • zevsrs
  • New MyCity citizen
  • Joined: 09 Mar 2008
  • Posts: 6

Here's the log. Thanks for the support.
Search Navipromo version 3.5.0 began on pon 10.03.2008 at 17:39:06,61

!!! Warning, this report may include legitimate files/programs !!!
!!! Post this report on the forum you are being helped !!!
!!! Don't continue with removal unless instructed by an authorized helper !!!
Fix running from C:\Program Files\navilog1
Updated on 04.03.2008 at 17h00 by IL-MAFIOSO


Microsoft Windows XP [Version 5.1.2600]
Version Internet Explorer : 6.0.2900.2180
Filesystem type : NTFS

Done in normal mode

*** Searching for installed Software ***


Instant Access


*** Search folders in C:\WINDOWS ***



*** Search folders in C:\Program Files ***

C:\Program Files\Instant Access found !


*** Search folders in C:\DOCUME~1\ALLUSE~1\APPLIC~1 ***




*** Search folders in "C:\Documents and Settings\Zoran\applic~1" ***



*** Search folders in "C:\Documents and Settings\Zoran\locals~1\applic~1" ***



*** Search folders in "C:\Documents and Settings\Zoran\startm~1\programs" ***


*** Search folders in C:\DOCUME~1\ALLUSE~1\STARTM~1\Programs ***


*** Search with Catchme-rootkit/stealth malware detector by gmer ***
for more info : gmer.net

Hidden file(s) :

C:\WINDOWS\system32\lioxrpj.dat
C:\WINDOWS\system32\lioxrpj.exe
C:\WINDOWS\system32\lioxrpj_nav.dat
C:\WINDOWS\system32\lioxrpj_navps.dat



*** Search with GenericNaviSearch ***
!!! Possibility of legitimate files in the result !!!
!!! Must always be checked before manually deleting !!!

* Scan in C:\WINDOWS\system32 *

* Scan in "C:\Documents and Settings\Zoran\locals~1\applic~1" *



*** Search files ***


C:\WINDOWS\system32\nvs2.inf found !


*** Search specific Registry keys ***

HKEY_CURRENT_USER\Software\Lanconfig found !

*** Complementary Search ***
(Search specific files)

1)Search new Instant Access files :

C:\WINDOWS\system32\lnaccess.exe found !

2)Heuristic Search :

* In C:\WINDOWS\system32 :

lioxrpj.dat found !
lnaccess.exe found !

* In "C:\Documents and Settings\Zoran\locals~1\applic~1" :


3)Certificates Search :

Egroup certificate found !
Electronic-Group certificate found !
OOO-Favorit certificate found !

4)Search known files :



*** Search completed on pon 10.03.2008 at 17:44:38,74 ***

  • dr_Bora  Male
  • Anti Malware Fighter
    Rank 2
  • Joined: 24 Jul 2007
  • Posts: 12280
  • Location: Höganäs, SE

OK... Let's move on...

Run Navilog1.bat and on the first screen choose the language (E for English).
On the next three screens just press any key to move on to the next screen.

When you reach the screen where you choose what Navilog1 should do, choose option 2 - Automatic Cleaning.

During the scan a computer restart will be requested. Cleaning will continue after the restart.

When cleaning is finished, Navilog1 will create the log file C:\fixnavi.txt. Open that log in Notepad and copy its contents into a post on the forum.

-------------------------------------------------------------------------------------

Then download ComboFix from one of the following addresses to the Desktop:
http://www.techsupportforum.com/sectools/sUBs/ComboFix.exe
http://download.bleepingcomputer.com/sUBs/ComboFix.exe

Start it and do not touch the program window while it scans.
Follow the on-screen instructions. When it finishes, a log will appear (C:\ComboFix.txt), which you should copy here for us.

  • zevsrs
  • New MyCity citizen
  • Joined: 09 Mar 2008
  • Posts: 6

Here's the first log; as soon as I've done the ComboFix part I'll attach it....
Navipromo Removal version 3.5.0 started on pon 10.03.2008 at 18:00:35,28

Fix running from C:\Program Files\navilog1
Updated on 04.03.2008 at 17h00 by IL-MAFIOSO


Microsoft Windows XP [Version 5.1.2600]
Internet Explorer : 6.0.2900.2180
Filesystem type : NTFS

Automatic removal
with Catchme and GNS results


*** Creating backups for files found by Catchme

Copy to "C:\Program Files\navilog1\Backupnavi"

Copy C:\WINDOWS\system32\lioxrpj.dat done !
Copy C:\WINDOWS\system32\lioxrpj.exe done !
Copy C:\WINDOWS\system32\lioxrpj_nav.dat done !
Copy C:\WINDOWS\system32\lioxrpj_navps.dat done !

*** Deleting files found with Catchme ***

C:\WINDOWS\system32\lioxrpj.dat deleted !
C:\WINDOWS\system32\lioxrpj.exe deleted !
C:\WINDOWS\system32\lioxrpj_nav.dat deleted !
C:\WINDOWS\system32\lioxrpj_navps.dat deleted !

** Second pass with Catchme results **

* In C:\WINDOWS\system32 *


C:\WINDOWS\prefetch\lioxrpj*.pf found !
Copy C:\WINDOWS\prefetch\lioxrpj*.pf done !
C:\WINDOWS\prefetch\lioxrpj*.pf deleted !

* In "C:\Documents and Settings\Zoran\locals~1\applic~1" *


*** Deleting with Backups GenericNaviSearch results ***

* Deletion in C:\WINDOWS\System32 *


* Deletion in "C:\Documents and Settings\Zoran\locals~1\applic~1" *



*** Deleting folders in C:\WINDOWS ***


*** Deleting folders in C:\Program Files ***

C:\Program Files\Instant Access ...deleting...
C:\Program Files\Instant Access deleted !


*** Deleting folders in C:\DOCUME~1\ALLUSE~1\APPLIC~1 ***


*** Deleting folders in "C:\Documents and Settings\Zoran\applic~1" ***


*** Deleting folders in "C:\Documents and Settings\Zoran\locals~1\applic~1" ***


*** Deleting folders in "C:\Documents and Settings\Zoran\startm~1\programs" ***


*** Deleting folders in C:\DOCUME~1\ALLUSE~1\STARTM~1\Programs ***



*** Deleting files ***

C:\WINDOWS\system32\nvs2.inf deleted !

*** Deleting temporary files ***

Cleaning of C:\WINDOWS\Temp done !
Cleaning of C:\Documents and Settings\Zoran\locals~1\Temp done !

*** Complementary Search ***
(Search specific files)

1)Deletion with backups new Instant Access files:

C:\WINDOWS\system32\lnaccess.exe found !
Copy C:\WINDOWS\system32\lnaccess.exe done !
C:\WINDOWS\system32\lnaccess.exe deleted !

2)Heuristic search and deletion with backups :


* In C:\WINDOWS\system32 *


* In "C:\Documents and Settings\Zoran\locals~1\applic~1" *


*** Copy Registry to Backupnavi folder ***

Backing up Registry done !

*** Cleaning Registry ***

Registry cleaned


*** Certificates ***

Egroup Certificate deleted !
Electronic-Group Certificate deleted !
OOO-Favorit Certificate deleted !

*** Cleaning stage complete on pon 10.03.2008 at 18:05:25,79 ***

Update: 10 Mar 2008 18:37

It restarted once while ComboFix was scanning... here's the log
ComboFix 08-03-10.1 - Zoran 2008-03-10 18:20:08.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.45 [GMT 1:00]
Running from: C:\Documents and Settings\Zoran\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Desktop\crazy girls.lnk
C:\Documents and Settings\Zoran\Start Menu\crazy girls.lnk
C:\WINDOWS\dialerexe.ini
C:\WINDOWS\images.zip

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\LEGACY_POWERMANAGER
-------\PowerManager


((((((((((((((((((((((((( Files Created from 2008-02-10 to 2008-03-10 )))))))))))))))))))))))))))))))
.

2008-03-10 17:37 . 2008-03-10 18:05 <DIR> d-------- C:\Program Files\Navilog1
2008-02-29 17:48 . 2008-03-10 14:13 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-02-29 17:48 . 2008-02-29 17:48 1,409 --a------ C:\WINDOWS\QTFont.for
2008-02-23 14:08 . 2008-02-23 14:17 <DIR> d-------- C:\BMW M3 Challenge

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-08 20:52 --------- d-----w C:\Program Files\Mozilla Thunderbird
2008-02-08 20:21 --------- d-----w C:\Program Files\ESET
2008-01-30 12:14 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-01-30 11:59 --------- d-----w C:\Program Files\KONAMI
2008-01-22 13:52 --------- d-----w C:\Program Files\Codemasters
2008-01-20 19:50 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-01-18 17:43 --------- d-----w C:\Program Files\vanBasco's Karaoke Player
2008-01-12 19:33 45,568 --sh--r C:\WINDOWS\lssas.exe
2007-12-18 16:55 307,200 ----a-w C:\WINDOWS\vidcap32.Exe
2007-12-18 16:55 307,200 ----a-w C:\WINDOWS\IsUn041a.exe
2007-12-17 13:09 966,656 ----a-w C:\WINDOWS\UNNeroBackItUp.exe
2007-12-17 13:04 139,264 ----a-w C:\WINDOWS\cmuninst.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-03 23:56 15360]
"MsnMsgr"="~C:\Program Files\MSN Messenger\MsnMsgr.exe" [ ]
"Uniblue RegistryBooster 2"="C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe" [ ]
"SweetIM"="C:\Program Files\Macrogaming\SweetIM\SweetIM.exe" [2007-10-14 17:09 103712]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATICCC"="C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" [2006-01-02 15:41 45056]
"D-Link AirPlus G"="C:\Program Files\D-Link\AirPlus G\AirGCFG.exe" [2005-07-22 09:42 1519616]
"ANIWZCS2Service"="C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe" [2004-12-16 16:49 49152]
"nod32kui"="C:\Program Files\Eset\nod32kui.exe" [2007-10-04 21:55 950664]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 02:06 40048]
"C-Media Mixer"="Mixer.exe" [2003-03-20 13:21 1855488 C:\WINDOWS\mixer.exe]
"WinampAgent"="C:\Program Files\Winamp\winampa.exe" [2007-05-14 23:22 35328]
"NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [2007-12-17 14:02 155648]
"QuickTime Task"="C:\WINDOWS\system32\qttask.exe" [2007-10-04 23:09 98304]
"BigDogPath"="C:\WINDOWS\VM_STI.exe" [2004-12-15 18:01 40960]
"SweetIM"="C:\Program Files\Macrogaming\SweetIM\SweetIM.exe" [2007-10-14 17:09 103712]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-03 23:56 15360]
"DWQueuedReporting"="C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2005-04-25 13:45 36040]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
InterVideo WinCinema Manager.lnk - C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe [2007-10-04 23:17:52 212992]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\eMule\\emule.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\MSN Messenger\\livecall.exe"=

S3 usnjsvc;Messenger Sharing Folders USN Journal Reader service;"C:\Program Files\MSN Messenger\usnsvc.exe" [2007-01-19 11:54]

.
Contents of the 'Scheduled Tasks' folder
"2008-03-10 17:02:15 C:\WINDOWS\Tasks\Check Updates for Windows Live Toolbar.job"
- C:\Program Files\Windows Live Toolbar\MSNTBUP.EXE
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, gmer.net
Rootkit scan 2008-03-10 18:27:49
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\explorer.exe [6.00.2900.3156]
-> C:\Program Files\WinRAR\rarext.dll
-> C:\Program Files\Eset\nodshex.dll
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Mozilla Firefox\firefox.exe
.
**************************************************************************
.
Completion time: 2008-03-10 18:33:39 - machine was rebooted
ComboFix-quarantined-files.txt 2008-03-10 17:33:33
.
2008-03-10 17:11:00 --- E O F ---

  • dr_Bora  Male
  • Anti Malware Fighter
    Rank 2
  • Joined: 24 Jul 2007
  • Posts: 12280
  • Location: Höganäs, SE

Open Notepad and copy the following text into it:

File::
C:\WINDOWS\lssas.exe

Save the file from Notepad to the Desktop as "CFScript".

Drag the saved script/text onto the ComboFix icon as shown in the picture.
Post in your next message the log that is produced at the end of the cleaning/scan.
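
An added example, not code from this thread or from HijackThis, Navilog1 or ComboFix, that automates the triage dr_Bora did by eye on the first HijackThis log and on the ComboFix Find3M report: the `[MSN] lssas.exe` Run entry (one letter swap away from lsass.exe, and a bare file name with no path), the `PowerManager` service pointing at a svchost.exe outside system32 whose file is missing, the nameless BHO with "(no file)", and the `--sh--r` (system+hidden) attributes on C:\WINDOWS\lssas.exe. The sample lines are a constructed subset copied from the logs posted above; the process-to-folder table, the edit-distance threshold and the reason codes are the example's own assumptions.

```python
"""Triage of HijackThis and ComboFix log lines for the patterns acted on in this thread.

Added example (not from the forum, HijackThis, Navilog1 or ComboFix). Four checks:
  1. start-up image one edit (including an adjacent swap) from a core process name;
  2. core process name sitting outside the folder it ships in (assumed XP defaults);
  3. orphan entries "(no file)"/"(file missing)" and bare-name Run values (search-path lookup);
  4. ComboFix Find3M lines listing an .exe with the system+hidden attributes set.
"""
import re

SYSTEM32 = r"c:\windows\system32"
# Assumed expected folders for core processes on a default Windows XP install.
CORE_PROCESSES = {
    "smss.exe": SYSTEM32, "csrss.exe": SYSTEM32, "winlogon.exe": SYSTEM32,
    "services.exe": SYSTEM32, "lsass.exe": SYSTEM32, "svchost.exe": SYSTEM32,
    "spoolsv.exe": SYSTEM32, "explorer.exe": r"c:\windows",
}

O4_RE = re.compile(r"^O4 - HK\w+\\\.\.\\Run: \[[^\]]*\] (?P<cmd>.*)$")
O23_RE = re.compile(r"^O23 - Service: .*? - .*? - (?P<path>.*)$")
O2_RE = re.compile(r"^O2 - BHO: .*? - \{[0-9A-Fa-f-]+\} - (?P<path>.*)$")
# ComboFix Find3M line: "date time size attrs path"; size is dashes for folders.
FIND3M_RE = re.compile(
    r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}\s+(?:[\d,]+|-+)\s+(?P<attrs>[-a-z]{7})\s+(?P<path>.*)$")
PATH_RE = re.compile(r"^[A-Za-z]:\\.*\.exe$", re.IGNORECASE)  # "Running processes" lines
ORPHAN_RE = re.compile(r"\((?:no file|file missing)\)")


def osa_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: insert/delete/substitute plus adjacent swap."""
    d = [[i] + [0] * len(b) for i in range(len(a) + 1)]
    d[0] = list(range(len(b) + 1))
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def image_path(cmd: str) -> str:
    """Pull the executable out of a Run value (the thread's log shows a stray leading '~')."""
    cmd = cmd.lstrip("~").strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = re.match(r"(.*?\.exe)\b", cmd, re.IGNORECASE)
    return m.group(1) if m else cmd.split(" ", 1)[0]


def check_image(path: str, line: str, findings: list) -> None:
    """Apply the name and location heuristics to one executable path."""
    folder, _, name = path.replace("/", "\\").rpartition("\\")
    folder, name = folder.lower(), name.lower()
    if name in CORE_PROCESSES:
        if folder and folder != CORE_PROCESSES[name]:
            findings.append(("core-binary-outside-expected-folder", line))
    else:
        for core in CORE_PROCESSES:
            if osa_distance(name, core) == 1:
                findings.append((f"lookalike:{core}", line))
    if not folder:  # bare name: resolved through the search path, so easily hijacked
        findings.append(("bare-name", line))


def triage(lines):
    """Return (reason, line) pairs for every line that trips one of the heuristics."""
    findings = []
    for raw in lines:
        line = raw.strip()
        if m := O4_RE.match(line):
            check_image(image_path(m.group("cmd")), line, findings)
        elif (m := O23_RE.match(line)) or (m := O2_RE.match(line)):
            target = m.group("path")
            if ORPHAN_RE.search(target):
                findings.append(("orphan", line))
            target = ORPHAN_RE.sub("", target).strip()
            if target.lower().endswith(".exe"):
                check_image(target, line, findings)
        elif m := FIND3M_RE.match(line):
            attrs, path = m.group("attrs"), m.group("path")
            if path.lower().endswith(".exe"):
                if "s" in attrs and "h" in attrs:
                    findings.append(("hidden-system-exe", line))
                check_image(path, line, findings)
        elif PATH_RE.match(line):
            check_image(line, line, findings)
    return findings


# Constructed subset of lines copied from the logs posted in this thread.
SAMPLE_LOG = r"""
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\Explorer.EXE
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [MSN] lssas.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: Power Manager (PowerManager) - Unknown owner - C:\WINDOWS\svchost.exe (file missing)
2008-01-12 19:33 45,568 --sh--r C:\WINDOWS\lssas.exe
""".strip().splitlines()
```

Heuristics like these only raise candidates for a human to confirm: the legitimate `Mixer.exe` entry is flagged as a bare name, while `lnaccess.exe` from the same log trips none of the checks and was identified by the Navilog1 signature scan instead. The output is a reading aid for the helper, not a verdict.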

  • zevsrs
  • New MyCity citizen
  • Joined: 09 Mar 2008
  • Posts: 6

The first time I tried to do everything as instructed, after the scan finished and I had copied the log, all the icons disappeared from the Desktop; the mouse was active but there were no icons and no Start menu. I had to restart the computer manually, and this is the repeated log. I also can't manage to uninstall NOD32; some silly warning appears, similar to the ComboFix icon I have on the Desktop. The computer is already much, much faster.
ComboFix 08-03-10.1 - Zoran 2008-03-10 19:29:51.3 - NTFSx86
Running from: C:\Documents and Settings\Zoran\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Zoran\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\WINDOWS\lssas.exe
.

((((((((((((((((((((((((( Files Created from 2008-02-10 to 2008-03-10 )))))))))))))))))))))))))))))))
.

2008-03-10 18:59 . 2008-03-10 18:59 10 --a------ C:\WINDOWS\WININIT.INI
2008-03-10 17:37 . 2008-03-10 18:05 <DIR> d-------- C:\Program Files\Navilog1
2008-02-29 17:48 . 2008-03-10 14:13 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-02-29 17:48 . 2008-02-29 17:48 1,409 --a------ C:\WINDOWS\QTFont.for
2008-02-23 14:08 . 2008-02-23 14:17 <DIR> d-------- C:\BMW M3 Challenge

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-10 17:49 --------- d-----w C:\Documents and Settings\Zoran\Application Data\ATI
2008-03-10 17:39 --------- d-----w C:\Program Files\Macrogaming
2008-03-08 20:52 --------- d-----w C:\Program Files\Mozilla Thunderbird
2008-02-08 20:21 --------- d-----w C:\Program Files\ESET
2008-01-30 12:14 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-01-30 11:59 --------- d-----w C:\Program Files\KONAMI
2008-01-22 13:52 --------- d-----w C:\Program Files\Codemasters
2008-01-20 19:50 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-01-18 17:43 --------- d-----w C:\Program Files\vanBasco's Karaoke Player
2007-12-18 16:55 307,200 ----a-w C:\WINDOWS\vidcap32.Exe
2007-12-18 16:55 307,200 ----a-w C:\WINDOWS\IsUn041a.exe
2007-12-18 16:55 189,952 ----a-w C:\WINDOWS\system32\WISPTIS.EXE
2007-12-17 13:09 966,656 ----a-w C:\WINDOWS\UNNeroBackItUp.exe
2007-12-17 13:04 139,264 ----a-w C:\WINDOWS\cmuninst.exe
.

((((((((((((((((((((((((((((( snapshot@2008-03-10_18.32.57.65 )))))))))))))))))))))))))))))))))))))))))
.
- 2004-08-04 00:56:42 870,784 ----a-w C:\WINDOWS\system32\ati3d1ag.dll
+ 2004-08-03 23:56:42 870,784 ----a-w C:\WINDOWS\system32\ati3d1ag.dll
+ 2004-08-03 23:56:42 870,784 -c--a-w C:\WINDOWS\system32\dllcache\ati3d1ag.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-03 23:56 15360]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [2007-01-19 11:54 5674352]
"Uniblue RegistryBooster 2"="C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"D-Link AirPlus G"="C:\Program Files\D-Link\AirPlus G\AirGCFG.exe" [2005-07-22 09:42 1519616]
"ANIWZCS2Service"="C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe" [2004-12-16 16:49 49152]
"nod32kui"="C:\Program Files\Eset\nod32kui.exe" [2007-10-04 21:55 950664]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 02:06 40048]
"C-Media Mixer"="Mixer.exe" [2003-03-20 13:21 1855488 C:\WINDOWS\mixer.exe]
"WinampAgent"="C:\Program Files\Winamp\winampa.exe" [2007-05-14 23:22 35328]
"NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [2007-12-17 14:02 155648]
"QuickTime Task"="C:\WINDOWS\system32\qttask.exe" [2007-10-04 23:09 98304]
"BigDogPath"="C:\WINDOWS\VM_STI.exe" [2004-12-15 18:01 40960]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-03 23:56 15360]
"DWQueuedReporting"="C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2005-04-25 13:45 36040]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
InterVideo WinCinema Manager.lnk - C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe [2007-10-04 23:17:52 212992]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\eMule\\emule.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\MSN Messenger\\livecall.exe"=

S3 usnjsvc;Messenger Sharing Folders USN Journal Reader service;"C:\Program Files\MSN Messenger\usnsvc.exe" [2007-01-19 11:54]

.
Contents of the 'Scheduled Tasks' folder
"2008-03-10 17:02:15 C:\WINDOWS\Tasks\Check Updates for Windows Live Toolbar.job"
- C:\Program Files\Windows Live Toolbar\MSNTBUP.EXE
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, gmer.net
Rootkit scan 2008-03-10 19:34:09
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
MsnMsgr = "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background?g

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-03-10 19:36:52
ComboFix-quarantined-files.txt 2008-03-10 18:36:34
ComboFix2.txt 2008-03-10 18:19:51
ComboFix3.txt 2008-03-10 17:33:40
.
2008-03-10 17:11:00 --- E O F ---

Update: 10 Mar 2008 19:48

Sorry dr Bora, I can continue tomorrow because I have to go; I'll follow all the instructions you leave me.... Or maybe tonight...

  • dr_Bora  Male
  • Anti Malware Fighter
    Rank 2
  • Joined: 24 Jul 2007
  • Posts: 12280
  • Location: Höganäs, SE

This now looks OK, but we will carry out one more additional check...

Download the file gmer.zip from this link and save it to the Desktop.
Unpack it into a folder.

Double-click gmer.exe to start: select the Rootkit tab at the top.
Click Scan.
When the scan is finished, click the Save... button below it and save that logfile somewhere.
Attach the saved logfile to your next post (use the Attach file option).

  • zevsrs
  • New MyCity citizen
  • Joined: 09 Mar 2008
  • Posts: 6

Hello doctor Bora, I managed to scan last night and again just now; here are both logs. I still can't uninstall the programs I don't need: the one for the camera I no longer have, and NOD32, which I want to replace; and when I turn the computer on it acts as if I have a new device, reports a Video Controller device and asks for a CD... Otherwise the computer works normally now. Thanks.
Update: 11 Mar 2008 20:09

Here's the HijackThis log too
Logfile of HijackThis v1.99.1
Scan saved at 20:07:57, on 11.3.2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\D-Link\AirPlus G\AirGCFG.exe
C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
C:\Program Files\Eset\nod32kui.exe
C:\WINDOWS\Mixer.exe
C:\Program Files\Winamp\winampa.exe
C:\WINDOWS\system32\qttask.exe
C:\WINDOWS\VM_STI.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Zoran\Desktop\baja\przamyc.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = home.sweetim.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = home.sweetim.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O4 - HKLM\..\Run: [D-Link AirPlus G] C:\Program Files\D-Link\AirPlus G\AirGCFG.exe
O4 - HKLM\..\Run: [ANIWZCS2Service] C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\system32\qttask.exe" -atboottime
O4 - HKLM\..\Run: [BigDogPath] C:\WINDOWS\VM_STI.EXE INTEX USB PC Camera
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Uniblue RegistryBooster 2] C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe /S
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{A8E0A1B0-1178-468A-9A87-A5731A619DAD}: NameServer = 87.250.98.250 87.250.97.250
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\
O23 - Service: ANIWZCSd Service (ANIWZCSdService) - Alpha Networks Inc. - C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
