winsys2?!

winsys2?!

offline
  • Pridružio: 06 Jun 2005
  • Poruke: 218
  • Gde živiš: Pirot

U startup procesima sam otkrio nove koje do sada nisam imao:
sw20
sw24
winsys2.
Za prva dva na ProcessLibrary.com je receno da nema opasnosti, dok za treci se kaze:"This process is most likely a virus or trojan.".
Sta mi je ciniti?
Unapred hvala na pomoci!
Evo log fajla od hijackthis-a:
Logfile of HijackThis v1.99.1
Scan saved at 13:29:08, on 5.8.2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe
C:\WINDOWS\System32\winsys2.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\MSI\PC Alert 4\PCAlert4.exe
C:\Program Files\Common Files\Teleca Shared\CapabilityManager.exe
C:\Program Files\Common Files\Teleca Shared\Generic.exe
C:\Program Files\Sony Ericsson\Mobile2\Mobile Phone Monitor\epmworker.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Documents and Settings\Djole\Desktop\New Folder\TR3.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\Program Files\Common Files\Microsoft Shared\Stationery\blank.htm
O2 - BHO: (no name) - AutorunsDisabled - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NVCLOCK] Rundll32 nvclock.dll,fnNvclock
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [Sony Ericsson PC Suite] "C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SW20] C:\WINDOWS\System32\sw20.exe
O4 - HKLM\..\Run: [SW24] C:\WINDOWS\System32\sw24.exe
O4 - HKLM\..\Run: [WinSys2] C:\WINDOWS\System32\winsys2.exe
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Startup: Calendarium.lnk = C:\Program Files\Calendarium\Calendarium.exe
O4 - Global Startup: PC Alert 4.lnk = C:\Program Files\MSI\PC Alert 4\PCAlert4.exe
O9 - Extra button: (no name) - AutorunsDisabled - (no file)
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Researcher - {9455301C-CF6B-11D3-A266-00C04F689C50} - C:\Program Files\Common Files\Microsoft Shared\Encarta Researcher\EROPROJ.DLL
O9 - Extra button: (no name) - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - C:\Program Files\Common Files\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Flash2X Flash Hunter - {77B563A5-2A35-4E6B-BFC8-F4B6BB65D5DF} - C:\Program Files\Flash2X\Flash Hunter\save.htm (HKCU)
O9 - Extra 'Tools' menuitem: &Launch Flash Hunter - {77B563A5-2A35-4E6B-BFC8-F4B6BB65D5DF} - C:\Program Files\Flash2X\Flash Hunter\save.htm (HKCU)
O15 - Trusted Zone: http://download.windowsupdate.com
O23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - c:\program files\a-squared free\a2service.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: InCD File System Service (InCDsrv) - AHEAD Software - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Unknown owner - C:\WINDOWS\System32\UAService7.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

offline
  • dr_Bora  Male
  • Anti Malware Fighter
    Rank 2
  • Pridružio: 24 Jul 2007
  • Poruke: 12280
  • Gde živiš: Höganäs, SE

Pozdrav mertek.

Za početak mi uploaduj file:
C:\WINDOWS\System32\winsys2.exe
preko sledeće forme: http://www.mycity.rs/ambulanta-upload.php

Startuj HijackThis, opet skeniraj, štikliraj sledeće linije:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\Program Files\Common Files\Microsoft Shared\Stationery\blank.htm
O2 - BHO: (no name) - AutorunsDisabled - (no file)
O9 - Extra button: (no name) - AutorunsDisabled - (no file)
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)

i klikni na Fix Checked.

Zatim preuzmi file gmer.zip sa ovog linka i sačuvaj na Desktop-u.
Raspakuj ga u neki folder.

Dupli klik na gmer.exe za početak: Izaberi Rootkit Tab na vrhu.
Klikni na Scan.
Kada je skeniranje završeno, klik na Copy dugme ispod - ovo će sačuvati to u Clipboard.
U polju za pisanje poruke na forumu klikni desno dugme miša i odaberi opciju Paste.


Uz gmer log, postavi i novi HijackThis log u idućem post-u.

offline
  • Pridružio: 06 Jun 2005
  • Poruke: 218
  • Gde živiš: Pirot

@ dr-Bora:
Nisam mogao da zavrsim skeniranje sa gmer-om.Evo slike:

offline
  • dr_Bora  Male
  • Anti Malware Fighter
    Rank 2
  • Pridružio: 24 Jul 2007
  • Poruke: 12280
  • Gde živiš: Höganäs, SE

Jesi li probao ponoviti skeniranje?

offline
  • Pridružio: 06 Jun 2005
  • Poruke: 218
  • Gde živiš: Pirot

@ dr-Bora:
Probao sam 3 puta i uvek isto.
Sve trazene operacije pre toga sam obavio.

Dopuna: 06 Avg 2007 22:19

Da li je pametno uncekirati ove procese iz startup liste i da li ce se opet pojaviti nakon restarta?

offline
  • dr_Bora  Male
  • Anti Malware Fighter
    Rank 2
  • Pridružio: 24 Jul 2007
  • Poruke: 12280
  • Gde živiš: Höganäs, SE

File koji ti je bio sumnjiv, winsys2.exe nije malware.
File-ovi koje si pomenuo kao nove su najverovatnije deo aplikacije za OC grafičke kartice i nisu maliciozni.
U svakom slučaju, na tvom kompjuteru nema malware-a.

Što se tiče procesa iz startup sekcije, nemoj ih dirati.

Pozdrav

offline
  • Pridružio: 06 Jun 2005
  • Poruke: 218
  • Gde živiš: Pirot

Drago mi je da je sve OK.
Hvala dr-Boro!
Nije mi samo jasno zasto je na ProcessLibrary.com taj fajl okarakterisan kao pretnja?
P.S.: Pre nekoliko dana sam ugradio novu graficku kartu MSI NX 7600 GS.

Ko je trenutno na forumu
 

Ukupno su 670 korisnika na forumu :: 32 registrovanih, 3 sakrivenih i 635 gosta   ::   [ Administrator ] [ Supermoderator ] [ Moderator ] :: Detaljnije

Najviše korisnika na forumu ikad bilo je 3466 - dana 01 Jun 2021 17:07

Korisnici koji su trenutno na forumu:
Korisnici trenutno na forumu: amstel2, Bane san, bojank, cenejac111, cikadeda, DARKMEN22, darkstar101, dragoljub11987, dragonserbia, dule10savic, gagac, Gagi193, Georgius, gile58, GreenMan, kybonacci, lovac12, m0nstrum_, mercedesamg, mushroom, Oluj2.1, panonski mornar, Simon simonović, spektorsky, Tenk, Tragač, Uciteljgoran, VJ, vlvl, voja64, vranjanac29, zixmix