Problems with PC operation [ koslaz ]

  • Joined: 19 Jan 2008
  • Posts: 42

The computer more or less starts up, but launching programs is very slow. When I look at the processes I can see the CPU is running at almost 100%. Then I try to kill some processes (taskgmon.exe), but it won't let me. When I connect to the internet everything runs faster. How do I get rid of this, and what is it? I have Comodo antivirus installed, but it hasn't detected anything.

  • dr_Bora  Male
  • Anti Malware Fighter
    Rank 2
  • Joined: 24 Jul 2007
  • Posts: 12280
  • Location: Höganäs, SE

Follow the instructions for posting a HijackThis log from the following link:

[Link visible only to logged-in users]

  • Joined: 19 Jan 2008
  • Posts: 42

Logfile of HijackThis v1.99.1
Scan saved at 21:17:20, on 19/01/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
D:\Program Files\Comodo\common\CAVASpy\cavasm.exe
D:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
D:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
D:\Program Files\Skype\Phone\Skype.exe
D:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
D:\Program Files\Comodo\Comodo AntiVirus\Cavaud.exe
D:\Documents and Settings\kole\Desktop\New Folder\aiaiaia.exe
D:\Program Files\Internet Explorer\iexplore.exe
D:\Program Files\Internet Explorer\iexplore.exe
D:\Program Files\Internet Explorer\iexplore.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - D:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - d:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - d:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [WinFaxAppPortStarter] wfxsnt40.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "D:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [cnfgCav] "D:\Program Files\Comodo\Comodo AntiVirus\CMain.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] D:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Skype] "D:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [swg] D:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - Global Startup: Controller.LNK = D:\Program Files\Symantec\WinFax\WFXCTL32.EXE
O8 - Extra context menu item: Iz&vezi u Microsoft Excel - [Link mogu videti samo ulogovani korisnici]\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - D:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Istraživanje - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: d:\windows\system32\cavemlsp.dll
O10 - Unknown file in Winsock LSP: d:\windows\system32\cavemlsp.dll
O10 - Unknown file in Winsock LSP: d:\windows\system32\cavemlsp.dll
O10 - Unknown file in Winsock LSP: d:\windows\system32\cavemlsp.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - D:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: bootrom8 - D:\WINDOWS\SYSTEM32\bootrom8.dll
O20 - Winlogon Notify: monln - D:\WINDOWS\SYSTEM32\monln.dll
O23 - Service: Comodo Anti-Virus and Anti-Spyware Service - Comodo Inc. - D:\Program Files\Comodo\common\CAVASpy\cavasm.exe
O23 - Service: Google Updater Service (gusvc) - Google - D:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: WinFax PRO (wfxsvc) - Symantec Corporation - D:\WINDOWS\system32\WFXSVC.EXE

Update: 19 Jan 2008 21:44

dr_Bora :: Follow the instructions for posting a HijackThis log from the following link:

[Link visible only to logged-in users]

Problem solved. I clicked repair and now it works OK (I know it's not really OK, but fine). I'd warn everyone that I picked up the problem (virus, worm, whatever it is) when Google returned about 200-300 hits and I then tried to log in to the link.

Is there any protection against that? I stress that I don't visit risky sites; this one was about real estate and seaside listings. So is there any kind of protection against that?
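Reading a HijackThis log by hand, as done in this thread, starts with the running-process list, the O4 autostart entries and the O20 Winlogon Notify entries. As an added example (not code from HijackThis, from this thread or from its helpers), here is a Python parser over a constructed sample in the same line format that extracts those three kinds of entry and applies two simple triage rules: anything running or autostarting from a user-writable directory, and every Winlogon Notify DLL, since those load into winlogon.exe at every logon.

```python
import re

# Constructed sample in the HijackThis v1.99 line format seen in this thread.
SAMPLE_LOG = r"""
Running processes:
D:\Program Files\Comodo\common\CAVASpy\cavasm.exe
D:\Documents and Settings\kole\Desktop\New Folder\aiaiaia.exe

O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKCU\..\Run: [Skype] "D:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O20 - Winlogon Notify: bootrom8 - D:\WINDOWS\SYSTEM32\bootrom8.dll
O23 - Service: WinFax PRO (wfxsvc) - Symantec Corporation - D:\WINDOWS\system32\WFXSVC.EXE
"""

ITEM = re.compile(r"^(?P<sec>O\d+) - [^:]+: (?P<rest>.*)$")
O4_ITEM = re.compile(r"^\[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# Directories a startup binary or Winlogon Notify DLL should not normally live in.
USER_WRITABLE = ("\\documents and settings\\", "\\desktop\\", "\\temp\\")

def _exe_path(cmd):
    """Keep only the executable from a command line: honour quotes, drop arguments."""
    if cmd.startswith('"'):
        return cmd[1:cmd.index('"', 1)]
    return cmd.split(" ", 1)[0]   # unquoted paths containing spaces are not handled

def parse_log(text):
    """Return (section, name, path) tuples for running processes, O4 and O20 lines."""
    entries, in_procs = [], False
    for line in (raw.strip() for raw in text.splitlines()):
        if line == "Running processes:":
            in_procs = True
        elif in_procs and line:
            entries.append(("PROC", line.rsplit("\\", 1)[-1], line))
        elif in_procs:
            in_procs = False                      # blank line closes the process list
        elif (m := ITEM.match(line)) and m.group("sec") == "O4":
            n = O4_ITEM.match(m.group("rest"))
            if n:
                entries.append(("O4", n.group("name"), _exe_path(n.group("cmd"))))
        elif m and m.group("sec") == "O20":
            name, _, path = m.group("rest").partition(" - ")
            entries.append(("O20", name, path))
    return entries

def triage(entries):
    """Two cheap review rules; returns [(reason, entry), ...] in log order."""
    flagged = []
    for entry in entries:
        if entry[0] == "O20":
            # Notify DLLs load into winlogon.exe at every logon, so each needs a known publisher.
            flagged.append(("winlogon notify DLL, verify publisher", entry))
        elif any(d in entry[2].lower() for d in USER_WRITABLE):
            flagged.append(("runs from user-writable path", entry))
    return flagged
```

The O23 service line is parsed by `ITEM` but deliberately ignored; extending the parser to services and BHOs (O2) follows the same pattern.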


  • dr_Bora  Male
  • Anti Malware Fighter
    Rank 2
  • Joined: 24 Jul 2007
  • Posts: 12280
  • Location: Höganäs, SE

I'm not quite sure everything is fine...

If you want us to continue with this and check what is going on, follow these instructions.

Upload this file for me: D:\WINDOWS\SYSTEM32\bootrom8.dll

via this link: [Link visible only to logged-in users]


Download HaxFix.

Run the program and choose option 2: Run auto fix.

When the process finishes, paste here the contents of the log that HaxFix creates (D:\haxfix.txt).


Download ComboFix from one of the following addresses to the Desktop:
[Link visible only to logged-in users]
[Link visible only to logged-in users]

Run it and do not touch the program window while it scans.
Follow the on-screen instructions. When it finishes, a log (D:\ComboFix.txt) will appear, which you will paste here for us.

  • Joined: 19 Jan 2008
  • Posts: 42

Posted: 19 Jan 2008 22:47 Subject:


QUOTE>"Upload this file for me: D:\WINDOWS\SYSTEM32\bootrom8.dll

via this link: [Link visible only to logged-in users]

It won't upload, it says>"The file is too large. The maximum allowed size is 10 MB."

Update: 19 Jan 2008 23:17

HAXFIX logfile - by Marckie

version 5.00.0
19/01/2008 23:15:02,25
running from D:\HaxFix

--- Checking for Haxdoor ---

checking for a3d files
a3d files not found

checking for matching notify keys
no matching notify keys found

checking for matching services
no matching services found

checking for matching safeboot services
no matching safeboot services found

--- Checking for Goldun ---

checking for SSODL keys
no ssodl keys found

checking for notify keys
no notify keys found

checking for services
no services found

checking iexplore.exe
iexplore.exe is not infected

--- Checking for other Goldun and Haxdoor files ---

--- Catchme logfile - thank you Gmer ---

catchme 0.3.1344.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [Link mogu videti samo ulogovani korisnici]
Rootkit scan 2008-01-19 23:15:27
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

scanning hidden registry entries ...

scanning hidden files ...

D:\Documents and Settings\kole\Local Settings\Temporary Internet Files\Content.IE5\45IBK9IJ\sqlreply1[1].htm 2496 bytes
D:\Documents and Settings\kole\Local Settings\Temporary Internet Files\Content.IE5\5FR93XZG\CA4PUR45.1200780605&ga_sid=1200780605&ga_hid=1349970910&flash=9&u_h=600&u_w=800&u_ah=570&u_aw=800&u_cd=32&u_tz=60&u_his=1&u_java=true
D:\Documents and Settings\kole\Local Settings\Temporary Internet Files\Content.IE5\7M8RZXC1\viewdeletevisitorz[1].htm 81205 bytes
D:\Documents and Settings\kole\Local Settings\Temporary Internet Files\Content.IE5\EXWNIHQ5\sqlreply1[1].htm 2497 bytes
D:\Documents and Settings\kole\Local Settings\Temporary Internet Files\Content.IE5\G5C5QB4P\CA4PGFOV.1200780605&ga_sid=1200780605&ga_hid=1349970910&flash=9&u_h=600&u_w=800&u_ah=570&u_aw=800&u_cd=32&u_tz=60&u_his=1&u_java=true
D:\Documents and Settings\kole\Local Settings\Temporary Internet Files\Content.IE5\NUZT1X3V\sqlreply1[1].htm 2497 bytes
D:\Documents and Settings\kole\Local Settings\Temporary Internet Files\Content.IE5\WHKBWNK7\CAA9OZID.1200780605&ga_sid=1200780605&ga_hid=1349970910&flash=9&u_h=600&u_w=800&u_ah=570&u_aw=800&u_cd=32&u_tz=60&u_his=1&u_java=true

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 7

--- Analysing Catchme logfile ---

no matching regkeys found


Update: 19 Jan 2008 23:27

After restarting, this came out:
HAXFIX logfile - by Marckie

version 5.00.0
19/01/2008 23:20:24,46

--- Auto Haxdoorfix ---

Haxdoorfix Part 1

no infections found

Haxdoorfix Part 2

searching for notifykeys
no notifykeys found

searching for services
no services found

searching for safeboot services
no safeboot services found

--- Goldunfix ---

searching for other goldun- and haxdoorfiles:

checking iexplore.exe
iexplore.exe is not infected

searching for SSODLkeys
no SSODLkeys found

searching for notifykeys
no notify keys found

searching for services
no services found

--- Registrysettings ---

not necessary

.....rebooting the computer.....

--- searching for ssodlkeys ---

not necessary

--- searching for notifykeys ---

not necessary

--- searching for services ---

not necessary

--- searching for safeboot services ---

not necessary

--- searching for files ---

D:\WINDOWS\system32\hrpdcf.bin found
deleting D:\WINDOWS\system32\hrpdcf.bin
D:\WINDOWS\system32\hrpdcf.bin has been deleted

D:\WINDOWS\system32\kl80.bin found
deleting D:\WINDOWS\system32\kl80.bin
D:\WINDOWS\system32\kl80.bin has been deleted

--- searching for other files in the system32 folder ---

no other files found in the system32 folder

--- searching for other files in windows folder ---

no other files found in the windows folder

--- searching for a3d files ---

no a3d files found

--- checking registry settings ---

not necessary

--- Catchme logfile ---

catchme 0.3.1344.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [Link mogu videti samo ulogovani korisnici]
Rootkit scan 2008-01-19 23:24:22
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


Update: 19 Jan 2008 23:29

I can't start ComboFix, it says> combofix is not a valid win32 application

  • dr_Bora  Male
  • Anti Malware Fighter
    Rank 2
  • Joined: 24 Jul 2007
  • Posts: 12280
  • Location: Höganäs, SE

The download may have been corrupted - download it again to the Desktop and disable the AV program before running ComboFix.

  • Joined: 19 Jan 2008
  • Posts: 42

ComboFix 08-01-20.1 - kole 2008-01-19 23:37:13.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.148 [GMT 1:00]
Running from: D:\Documents and Settings\kole\Desktop\ComboFix2.exe
* Created a new restore point


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

D:\Program Files\akl
D:\Program Files\akl\curlog.htm
D:\Program Files\akl\keylog.txt
D:\Program Files\akl\readme.txt
D:\Program Files\akl\unsetup.dat
D:\Program Files\amsys
D:\Program Files\amsys\awmsg.dat
D:\Program Files\amsys\guid.dat
D:\Program Files\amsys\unins000.dat
D:\Program Files\amsys\winam.dat

((((((((((((((((((((((((( Files Created from 2007-12-20 to 2008-01-20 )))))))))))))))))))))))))))))))

2008-01-19 23:36 . 2000-08-31 08:00 51,200 --a------ D:\WINDOWS\NirCmd.exe
2008-01-19 23:14 . 2008-01-19 23:12 449,326 --a------ D:\HaxFix.exe
2008-01-19 02:41 . 2008-01-19 21:48 7 --a------ D:\WINDOWS\system32\ngxt.bin
2008-01-15 22:29 . 2008-01-15 22:29 <DIR> d-------- D:\Program Files\TEXTware
2008-01-15 22:28 . 1995-05-09 14:20 53,492 --a------ D:\WINDOWS\system\IP769292.TTF
2008-01-15 22:27 . 2008-01-15 22:28 <DIR> d-------- D:\Program Files\Cambridge
2008-01-12 00:46 . 2008-01-14 01:51 6,656 --a------ D:\Documents and Settings\kole\admin.exe
2008-01-10 00:53 . 2008-01-20 23:37 <DIR> d-------- D:\Documents and Settings\kole\Application Data\skypePM
2008-01-10 00:53 . 2008-01-10 00:53 32 --a------ D:\Documents and Settings\All Users\Application Data\ezsid.dat
2008-01-10 00:50 . 2008-01-10 00:50 <DIR> d-------- D:\Program Files\Skype
2008-01-10 00:50 . 2008-01-12 20:25 <DIR> d-------- D:\Program Files\Google
2008-01-10 00:50 . 2008-01-10 00:50 <DIR> d-------- D:\Program Files\Common Files\Skype
2008-01-10 00:50 . 2008-01-19 23:24 <DIR> d-------- D:\Documents and Settings\kole\Application Data\Skype
2008-01-10 00:49 . 2008-01-10 00:50 <DIR> d-------- D:\Documents and Settings\All Users\Application Data\Skype
2008-01-08 10:19 . 2008-01-19 22:26 2,206 --a------ D:\WINDOWS\system32\wpa.dbl
2008-01-07 17:04 . 2008-01-07 18:32 21,760 --a------ D:\WINDOWS\Tyc36.sys
2008-01-07 17:00 . 2008-01-07 17:00 4,224 --a------ D:\WINDOWS\system32\drivers\kcp.sys
2008-01-07 16:59 . 2008-01-07 16:59 6,144 --a------ D:\Documents and Settings\kole\ie_updates3r.exe

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
2007-12-18 16:19 73,728 ----a-w D:\WINDOWS\system32\CavEmLSP.dll
2007-12-18 16:19 499,712 ----a-w D:\WINDOWS\system32\msvcp71.dll
2007-12-18 16:19 434,252 ----a-w D:\WINDOWS\system32\MSVCRTD.DLL
2007-12-18 16:19 348,160 ----a-w D:\WINDOWS\system32\msvcr71.dll
2007-12-18 16:19 216,576 ----a-w D:\WINDOWS\system32\monln.dll
2007-12-18 16:19 102,400 ----a-w D:\WINDOWS\system32\drivers\cavasm.sys
2007-12-18 16:19 1,060,864 ----a-w D:\WINDOWS\system32\MFC71.dll
2007-12-18 16:19 --------- d-----w D:\Program Files\Comodo
2007-12-18 16:19 --------- d-----w D:\Documents and Settings\All Users\Application Data\Comodo

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
*Note* empty entries & legit default entries are not shown

"CTFMON.EXE"="D:\WINDOWS\system32\ctfmon.exe" [2004-08-03 23:56 15360]
"Skype"="D:\Program Files\Skype\Phone\Skype.exe" [2007-12-07 15:08 21686568]
"swg"="D:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe" [2008-01-10 00:50 171448]

"WinFaxAppPortStarter"="wfxsnt40.exe" [1998-07-27 03:54 43008 D:\WINDOWS\system32\WFXSNT40.EXE]
"SoundMan"="SOUNDMAN.EXE" [2002-11-19 14:01 46592 D:\WINDOWS\SOUNDMAN.EXE]
"Adobe Reader Speed Launcher"="D:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 19:51 39792]
"cnfgCav"="D:\Program Files\Comodo\Comodo AntiVirus\CMain.exe" [2007-12-18 17:19 110592]

"CTFMON.EXE"="D:\WINDOWS\system32\CTFMON.EXE" [2004-08-03 23:56 15360]

"{A213B520-C6C2-11d0-AF9D-008029E1027E}"= D:\Program Files\Symantec\WinFax\WfxSeh32.Dll [1998-07-27 03:54 38400]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\monln]
monln.dll 2007-12-18 17:19 216576 D:\WINDOWS\system32\monln.dll

R2 wfxsvc;WinFax PRO;D:\WINDOWS\system32\WFXSVC.EXE [1998-07-27 03:54]

*Newly Created Service* - PROCEXP90

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [Link mogu videti samo ulogovani korisnici]
Rootkit scan 2008-01-20 23:38:50
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

Completion time: 2008-01-20 23:39:24
ComboFix-quarantined-files.txt 2008-01-20 22:39:09

  • dr_Bora  Male
  • Anti Malware Fighter
    Rank 2
  • Joined: 24 Jul 2007
  • Posts: 12280
  • Location: Höganäs, SE

A few rootkits fewer... We still have work to do.

Open Notepad and copy the following text into it:

D:\Documents and Settings\kole\admin.exe
D:\Documents and Settings\kole\ie_updates3r.exe

Save the file from Notepad to the Desktop as "CFScript".

Drag the saved script/text file onto the ComboFix icon as shown in the picture.

Post in your next message the log that is created at the end of the cleaning/scanning.


Also do the following:

Download the file from this link and save it to the Desktop.
Unpack it into a folder.

Double-click gmer.exe to start: select the Rootkit tab at the top.
Click Scan.
When the scan is finished, click the Copy button below - this saves the output to the Clipboard.
Use Paste in Notepad to put it into a text file. Save that text from Notepad as file1.txt.
Repeat the same with the Autostart tab. Save that text from Notepad as file2.txt.

Attach to your message the two files you have just saved (use the Attach file option).

  • Joined: 19 Jan 2008
  • Posts: 42

QUOTE "Save the file from Notepad to the Desktop as "CFScript""

Unfortunately, I deleted Notepad...

QUOTE>"Save the file from Notepad to the Desktop as "CFScript""

How do you save it as "CFScript" (where is CFS)?

The gmer thing is running now, so I'll send it when it finishes.

  • dr_Bora  Male
  • Anti Malware Fighter
    Rank 2
  • Joined: 24 Jul 2007
  • Posts: 12280
  • Location: Höganäs, SE

You deleted Notepad? OK...

We'll try another way. Download the zip file from [link] and unpack it - that will give you the required CFScript. Now follow the rest of the instructions above (the part about dragging the CFScript file onto the ComboFix icon).

24 Jan 2008 13:22 dr_Bora Topic locked. Reason: Solved