MyCity » Ambulanta -> Arhiva Ambulante » [bobby]Sporo dizanje sistema

[bobby]Sporo dizanje sistema

Napisano na dan: 8.10.2008
1

[bobby]Sporo dizanje sistema
Sledeća strana Pagination

Idi na vrh

Poslao: 08 Okt 2008 00:24
Idi na vrh
offline
  • rakac5 
  • Novi MyCity građanin
  • Pridružio: 06 Okt 2008
  • Poruke: 13

Ewo uradio sam sta treba i ostavljam ovo iz notepada:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 0:16:03, on 8.10.2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\slserv.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
D:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
D:\Program Files\Mozilla Firefox 3 Beta 5\firefox.exe
C:\Documents and Settings\x\Desktop\New Folder (3)\HiJackThis.exe
C:\Documents and Settings\x\Desktop\New Folder (3)\HiJackThis2.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = isoshu.com/count/PagePV.php?id=-1&bookname=help
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\PROGRA~1\ALWILS~1\Avast4\ashMaiSv.exe
O23 - Service: SmartLinkService (SLService) - Smart Link - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - D:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe

--
End of file - 4355 bytes

Dopuna: 08 Okt 2008 0:24

Sistem mi se dize oko dva minuta i najvise baguje kad se ucitava kod slike gde pise windows... nakon 5 minuta moze da se radi na kompu.
config:
Intel Celeron 2.53GHz
768 MB RAM
Ati 9600 pro 256MB
maxtor 160GB

Poslao: 08 Okt 2008 20:16
Idi na vrh
offline
  • Pridružio: 04 Sep 2003
  • Poruke: 24135
  • Gde živiš: Wien

Skini ComboFix sa jedne od sledecih adresa na Desktop:
http://download.bleepingcomputer.com/sUBs/ComboFix.exe
http://www.forospyware.com/sUBs/ComboFix.exe
http://subs.geekstogo.com/ComboFix.exe

Startuj ga i ne diraj prozor programa dok skenira.
Sledi uputstva na ekranu. Kada zavrsi pojavice se log (C:\ComboFix.txt) koji ces nam ovde iskopirati.

Poslao: 08 Okt 2008 22:52
Idi na vrh
offline
  • rakac5 
  • Novi MyCity građanin
  • Pridružio: 06 Okt 2008
  • Poruke: 13

ComboFix 08-10-08.01 - x 2008-10-08 22:21:23.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.44.1033.18.553 [GMT 2:00]
Running from: C:\Documents and Settings\x\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\Fonts\a.zip

.
((((((((((((((((((((((((( Files Created from 2008-09-08 to 2008-10-08 )))))))))))))))))))))))))))))))
.

2008-10-07 18:45 . 2008-10-07 18:45 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Yahoo! Companion
2008-10-07 16:22 . 2008-10-07 16:22 <DIR> d-------- C:\Documents and Settings\x\Application Data\Malwarebytes
2008-10-07 16:22 . 2008-10-07 16:22 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-10-07 16:22 . 2008-09-10 00:07 38,528 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-10-07 16:22 . 2008-09-10 00:07 17,200 --a------ C:\WINDOWS\system32\drivers\mbam.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-10-07 16:44 --------- d-----w C:\Documents and Settings\x\Application Data\LimeWire
2008-08-21 04:52 3,299,840 ----a-w C:\WINDOWS\system32\drivers\ati2mtag.sys
2008-08-21 02:19 425,984 ----a-w C:\WINDOWS\system32\ATIDEMGX.dll
2008-08-21 02:18 314,880 ----a-w C:\WINDOWS\system32\ati2dvag.dll
2008-08-21 02:08 184,320 ----a-w C:\WINDOWS\system32\atipdlxx.dll
2008-08-21 02:08 143,360 ----a-w C:\WINDOWS\system32\Oemdspif.dll
2008-08-21 02:07 43,520 ----a-w C:\WINDOWS\system32\ati2edxx.dll
2008-08-21 02:07 26,112 ----a-w C:\WINDOWS\system32\Ati2mdxx.exe
2008-08-21 02:07 143,360 ----a-w C:\WINDOWS\system32\ati2evxx.dll
2008-08-21 02:05 573,440 ----a-w C:\WINDOWS\system32\ati2evxx.exe
2008-08-21 02:04 53,248 ----a-w C:\WINDOWS\system32\ATIDDC.DLL
2008-08-21 02:01 10,084,352 ----a-w C:\WINDOWS\system32\atioglxx.dll
2008-08-21 01:55 4,094,560 ----a-w C:\WINDOWS\system32\ati3duag.dll
2008-08-21 01:50 307,200 ----a-w C:\WINDOWS\system32\atiiiexx.dll
2008-08-21 01:38 2,377,856 ----a-w C:\WINDOWS\system32\ativvaxx.dll
2008-08-21 01:23 48,640 ----a-w C:\WINDOWS\system32\amdpcom32.dll
2008-08-21 01:19 380,928 ----a-w C:\WINDOWS\system32\atikvmag.dll
2008-08-21 01:18 37,376 ----a-w C:\WINDOWS\system32\atiadlxx.dll
2008-08-21 01:18 17,408 ----a-w C:\WINDOWS\system32\atitvo32.dll
2008-08-21 01:17 53,248 ----a-w C:\WINDOWS\system32\drivers\ati2erec.dll
2008-08-21 01:17 253,952 ----a-w C:\WINDOWS\system32\atiok3x2.dll
2008-08-21 01:11 561,152 ----a-w C:\WINDOWS\system32\ati2cqag.dll
2008-08-20 20:05 593,920 ------w C:\WINDOWS\system32\ati2sgag.exe
2008-08-05 21:14 90,112 ----a-w C:\WINDOWS\system32\ATIBRTMON.EXE
2008-07-18 21:10 94,920 ----a-w C:\WINDOWS\system32\cdm.dll
2008-07-18 21:10 53,448 ----a-w C:\WINDOWS\system32\wuauclt.exe
2008-07-18 21:10 45,768 ----a-w C:\WINDOWS\system32\wups2.dll
2008-07-18 21:10 36,552 ----a-w C:\WINDOWS\system32\wups.dll
2008-07-18 21:09 563,912 ----a-w C:\WINDOWS\system32\wuapi.dll
2008-07-18 21:09 325,832 ----a-w C:\WINDOWS\system32\wucltui.dll
2008-07-18 21:09 205,000 ----a-w C:\WINDOWS\system32\wuweb.dll
2008-07-18 21:09 1,811,656 ----a-w C:\WINDOWS\system32\wuaueng.dll
2003-01-20 19:43 68 ----a-w C:\Documents and Settings\x\z.bat
2003-01-20 19:43 46,080 ----a-w C:\Documents and Settings\x\index.exe
2003-01-03 10:46 32 ----a-w C:\Documents and Settings\All Users\Application Data\ezsid.dat
2003-01-02 23:12 27,136 ----a-w C:\Documents and Settings\x\x3.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="C:\Program Files\Windows Live\Messenger\msnmsgr.exe" [2007-11-07 3739672]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2008-04-02 185896]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 144784]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-05-03 344064]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.yv12"= yv12vfw.dll
"msacm.l3fhg"= mp3fhg.acm
"msacm.divxa32"= divxa32.acm

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
C:\WINDOWS\system32\dumprep 0 -k [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
--a------ 2005-12-16 12:57 94208 C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2001-07-09 10:50 155648 C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
-ra------ 2008-02-01 18:22 21898024 C:\Program Files\Skype\Phone\Skype.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a------ 2008-04-02 12:13 185896 C:\Program Files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"D:\\Program Files\\Counter-Strike 1.6\\hl.exe"=
"d:\\Program Files\\BitTorrent\\bittorrent.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"D:\\Program Files\\Counter-Strike 1.6\\hlds.exe"=
"D:\\Program Files\\Mozilla Firefox 3 Beta 5\\firefox.exe"=
"C:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"D:\\Programi\\Nova fascikla (2)\\mIRC\\mirc.exe"=
"D:\\midtown madness 2\\Midtown Madness 2\\Midtown2.exe"=
"D:\\Program Files\\LimeWire\\LimeWire.exe"=
"D:\\Program Files\\TrackMania Nations ESWC\\TmNationsESWC.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=

R3 ALI5261;ALi Based Ethernet NT Driver;C:\WINDOWS\system32\DRIVERS\ALI5261.SYS [2001-08-17 27678]
S3 ddsxeiservice;ddsxeiservice2;D:\Program Files\sXe Injected\ddsxei.sys [2008-04-04 41344]
S3 teamviewervpn;TeamViewer VPN Adapter;C:\WINDOWS\system32\DRIVERS\teamviewervpn.sys [2008-01-25 25088]
S3 usnjsvc;Messenger Sharing Folders USN Journal Reader service;C:\Program Files\Windows Live\Messenger\usnsvc.exe [2007-11-07 98840]

*Newly Created Service* - PROCEXP90
.
- - - - ORPHANS REMOVED - - - -

MSConfigStartUp-BitTorrent DNA - C:\Program Files\DNA\btdna.exe
MSConfigStartUp-Counter - D:\Program Files\Alex Buturuga\Counter 2\Counter.exe


.
------- Supplementary Scan -------
.
FireFox -: Profile - C:\Documents and Settings\x\Application Data\Mozilla\Firefox\Profiles\ohm2d0l6.default\
FF -: plugin - C:\Program Files\Yahoo!\Common\npyaxmpb.dll
FF -: plugin - D:\Program Files\Adobe\Reader 8.0\Reader\browser\nppdf32.dll
FF -: plugin - D:\Program Files\Mozilla Firefox 3 Beta 5\plugins\npnul32.dll
FF -: plugin - D:\Program Files\Mozilla Firefox 3 Beta 5\plugins\nppdf32.dll
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, gmer.net
Rootkit scan 2008-10-08 22:23:22
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-10-08 22:24:49
ComboFix-quarantined-files.txt 2008-10-08 20:24:42

Pre-Run: 40.100.880.384 bytes free
Post-Run: 40,431,345,664 bytes free

133 --- E O F --- 2008-05-05 09:08:28

Poslao: 09 Okt 2008 20:15
Idi na vrh
offline
  • Pridružio: 04 Sep 2003
  • Poruke: 24135
  • Gde živiš: Wien

Daj mi sledeca tri fajla na analizu:

C:\Documents and Settings\x\z.bat
C:\Documents and Settings\x\index.exe
C:\Documents and Settings\x\x3.exe

Upload uradi preko sledece forme:
http://www.mycity.rs/ambulanta-upload.php

Nakon toga promeni ime programa HiJackThis.exe u recimo VGR4.exe pa napravi novi log koji ces mi postaviti ovde.

Poslao: 10 Okt 2008 19:47
Idi na vrh
offline
  • rakac5 
  • Novi MyCity građanin
  • Pridružio: 06 Okt 2008
  • Poruke: 13

Uploadovao sam i evo novog loga:

ComboFix 08-10-08.01 - x 2008-10-10 19:41:02.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.44.1033.18.557 [GMT 2:00]
Running from: C:\Documents and Settings\x\Desktop\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((( Files Created from 2008-09-10 to 2008-10-10 )))))))))))))))))))))))))))))))
.

2008-10-07 18:45 . 2008-10-07 18:45 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Yahoo! Companion
2008-10-07 16:22 . 2008-10-07 16:22 <DIR> d-------- C:\Documents and Settings\x\Application Data\Malwarebytes
2008-10-07 16:22 . 2008-10-07 16:22 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-10-07 16:22 . 2008-09-10 00:07 38,528 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-10-07 16:22 . 2008-09-10 00:07 17,200 --a------ C:\WINDOWS\system32\drivers\mbam.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-10-07 16:44 --------- d-----w C:\Documents and Settings\x\Application Data\LimeWire
2008-08-21 04:52 3,299,840 ----a-w C:\WINDOWS\system32\drivers\ati2mtag.sys
2008-08-21 02:19 425,984 ----a-w C:\WINDOWS\system32\ATIDEMGX.dll
2008-08-21 02:18 314,880 ----a-w C:\WINDOWS\system32\ati2dvag.dll
2008-08-21 02:08 184,320 ----a-w C:\WINDOWS\system32\atipdlxx.dll
2008-08-21 02:08 143,360 ----a-w C:\WINDOWS\system32\Oemdspif.dll
2008-08-21 02:07 43,520 ----a-w C:\WINDOWS\system32\ati2edxx.dll
2008-08-21 02:07 26,112 ----a-w C:\WINDOWS\system32\Ati2mdxx.exe
2008-08-21 02:07 143,360 ----a-w C:\WINDOWS\system32\ati2evxx.dll
2008-08-21 02:05 573,440 ----a-w C:\WINDOWS\system32\ati2evxx.exe
2008-08-21 02:04 53,248 ----a-w C:\WINDOWS\system32\ATIDDC.DLL
2008-08-21 02:01 10,084,352 ----a-w C:\WINDOWS\system32\atioglxx.dll
2008-08-21 01:55 4,094,560 ----a-w C:\WINDOWS\system32\ati3duag.dll
2008-08-21 01:50 307,200 ----a-w C:\WINDOWS\system32\atiiiexx.dll
2008-08-21 01:38 2,377,856 ----a-w C:\WINDOWS\system32\ativvaxx.dll
2008-08-21 01:23 48,640 ----a-w C:\WINDOWS\system32\amdpcom32.dll
2008-08-21 01:19 380,928 ----a-w C:\WINDOWS\system32\atikvmag.dll
2008-08-21 01:18 37,376 ----a-w C:\WINDOWS\system32\atiadlxx.dll
2008-08-21 01:18 17,408 ----a-w C:\WINDOWS\system32\atitvo32.dll
2008-08-21 01:17 53,248 ----a-w C:\WINDOWS\system32\drivers\ati2erec.dll
2008-08-21 01:17 253,952 ----a-w C:\WINDOWS\system32\atiok3x2.dll
2008-08-21 01:11 561,152 ----a-w C:\WINDOWS\system32\ati2cqag.dll
2008-08-20 20:05 593,920 ------w C:\WINDOWS\system32\ati2sgag.exe
2008-08-05 21:14 90,112 ----a-w C:\WINDOWS\system32\ATIBRTMON.EXE
2008-07-18 21:10 94,920 ----a-w C:\WINDOWS\system32\cdm.dll
2008-07-18 21:10 53,448 ----a-w C:\WINDOWS\system32\wuauclt.exe
2008-07-18 21:10 45,768 ----a-w C:\WINDOWS\system32\wups2.dll
2008-07-18 21:10 36,552 ----a-w C:\WINDOWS\system32\wups.dll
2008-07-18 21:09 563,912 ----a-w C:\WINDOWS\system32\wuapi.dll
2008-07-18 21:09 325,832 ----a-w C:\WINDOWS\system32\wucltui.dll
2008-07-18 21:09 205,000 ----a-w C:\WINDOWS\system32\wuweb.dll
2008-07-18 21:09 1,811,656 ----a-w C:\WINDOWS\system32\wuaueng.dll
2003-01-20 19:43 68 ----a-w C:\Documents and Settings\x\z.bat
2003-01-20 19:43 46,080 ----a-w C:\Documents and Settings\x\index.exe
2003-01-03 10:46 32 ----a-w C:\Documents and Settings\All Users\Application Data\ezsid.dat
2003-01-02 23:12 27,136 ----a-w C:\Documents and Settings\x\x3.exe
.

((((((((((((((((((((((((((((( snapshot@2008-10-08_22.24.09.14 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-10-08 14:22:46 79,272 ----a-w C:\WINDOWS\system32\perfc009.dat
+ 2008-10-10 17:10:21 80,416 ----a-w C:\WINDOWS\system32\perfc009.dat
- 2008-10-08 14:22:46 431,254 ----a-w C:\WINDOWS\system32\perfh009.dat
+ 2008-10-10 17:10:21 433,418 ----a-w C:\WINDOWS\system32\perfh009.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="C:\Program Files\Windows Live\Messenger\msnmsgr.exe" [2007-11-07 3739672]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2008-04-02 185896]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 144784]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-05-03 344064]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.yv12"= yv12vfw.dll
"msacm.l3fhg"= mp3fhg.acm
"msacm.divxa32"= divxa32.acm

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
C:\WINDOWS\system32\dumprep 0 -k [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
--a------ 2005-12-16 12:57 94208 C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2001-07-09 10:50 155648 C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
-ra------ 2008-02-01 18:22 21898024 C:\Program Files\Skype\Phone\Skype.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a------ 2008-04-02 12:13 185896 C:\Program Files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"D:\\Program Files\\Counter-Strike 1.6\\hl.exe"=
"d:\\Program Files\\BitTorrent\\bittorrent.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"D:\\Program Files\\Counter-Strike 1.6\\hlds.exe"=
"D:\\Program Files\\Mozilla Firefox 3 Beta 5\\firefox.exe"=
"C:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"D:\\Programi\\Nova fascikla (2)\\mIRC\\mirc.exe"=
"D:\\midtown madness 2\\Midtown Madness 2\\Midtown2.exe"=
"D:\\Program Files\\LimeWire\\LimeWire.exe"=
"D:\\Program Files\\TrackMania Nations ESWC\\TmNationsESWC.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=

R3 ALI5261;ALi Based Ethernet NT Driver;C:\WINDOWS\system32\DRIVERS\ALI5261.SYS [2001-08-17 27678]
S3 ddsxeiservice;ddsxeiservice2;D:\Program Files\sXe Injected\ddsxei.sys [2008-04-04 41344]
S3 teamviewervpn;TeamViewer VPN Adapter;C:\WINDOWS\system32\DRIVERS\teamviewervpn.sys [2008-01-25 25088]
S3 usnjsvc;Messenger Sharing Folders USN Journal Reader service;C:\Program Files\Windows Live\Messenger\usnsvc.exe [2007-11-07 98840]
.
.
------- Supplementary Scan -------
.
FireFox -: Profile - C:\Documents and Settings\x\Application Data\Mozilla\Firefox\Profiles\ohm2d0l6.default\
FF -: plugin - C:\Program Files\Yahoo!\Common\npyaxmpb.dll
FF -: plugin - D:\Program Files\Adobe\Reader 8.0\Reader\browser\nppdf32.dll
FF -: plugin - D:\Program Files\Mozilla Firefox 3 Beta 5\plugins\npnul32.dll
FF -: plugin - D:\Program Files\Mozilla Firefox 3 Beta 5\plugins\nppdf32.dll
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, gmer.net
Rootkit scan 2008-10-10 19:42:40
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-10-10 19:43:52
ComboFix-quarantined-files.txt 2008-10-10 17:43:48
ComboFix2.txt 2008-10-08 20:24:51

Pre-Run: 44.077.985.792 bytes free
Post-Run: 44,067,766,272 bytes free

132 --- E O F --- 2008-05-05 09:08:28

Poslao: 10 Okt 2008 21:40
Idi na vrh
offline
  • Pridružio: 04 Sep 2003
  • Poruke: 24135
  • Gde živiš: Wien

Otvoriti Notepad i iskopirati sledeci tekst:

File::
C:\Documents and Settings\x\z.bat
C:\Documents and Settings\x\index.exe
C:\Documents and Settings\x\x3.exe


Snimiti na Desktop fajl iz Notepada kao "CFScript"




Prevuci snimljeni skript/tekst na ComboFix ikonicu kao na slici.
Postaviti u sledecoj poruci log koji bude bio napravljen na kraju ciscenja/skeniranja.


===========================

Preuzmi gmer.zip sa ovog linka i sačuvaj na Desktopu.
Raspakuj ga u neki folder.

Dupli klik na gmer.exe za početak: Izaberi Rootkit/Malware Tab na vrhu.
Klikni na Scan.
Kada je skeniranje završeno, klik na Copy dugme ispod - ovo će sačuvati rezultate skeniranja u Clipboard.
Iskoristi opciju Paste u Notepad-u da bi to prebacio u tekst. Snimi taj tekst iz Notepada kao file1.txt.
Ponovi ovo isto sa Autostart Tab-om. Snimi taj tekst iz Notepada kao file2.txt.

Iskoristi opciju Prikači fajl ispod polja za pisanje poruke na forumu, i prikači nam ovde ta dva fajla koja smo malopre snimili

Poslao: 11 Okt 2008 00:35
Idi na vrh
offline
  • rakac5 
  • Novi MyCity građanin
  • Pridružio: 06 Okt 2008
  • Poruke: 13

ComboFix 08-10-08.01 - x 2008-10-11 0:16:56.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.44.1033.18.566 [GMT 2:00]
Running from: C:\Documents and Settings\x\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\x\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\Documents and Settings\x\index.exe
C:\Documents and Settings\x\x3.exe
C:\Documents and Settings\x\z.bat
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\x\index.exe
C:\Documents and Settings\x\x3.exe
C:\Documents and Settings\x\z.bat

.
((((((((((((((((((((((((( Files Created from 2008-09-10 to 2008-10-10 )))))))))))))))))))))))))))))))
.

2008-10-07 18:45 . 2008-10-07 18:45 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Yahoo! Companion
2008-10-07 16:22 . 2008-10-07 16:22 <DIR> d-------- C:\Documents and Settings\x\Application Data\Malwarebytes
2008-10-07 16:22 . 2008-10-07 16:22 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-10-07 16:22 . 2008-09-10 00:07 38,528 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-10-07 16:22 . 2008-09-10 00:07 17,200 --a------ C:\WINDOWS\system32\drivers\mbam.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-10-07 16:44 --------- d-----w C:\Documents and Settings\x\Application Data\LimeWire
2008-08-21 04:52 3,299,840 ----a-w C:\WINDOWS\system32\drivers\ati2mtag.sys
2008-08-21 02:19 425,984 ----a-w C:\WINDOWS\system32\ATIDEMGX.dll
2008-08-21 02:18 314,880 ----a-w C:\WINDOWS\system32\ati2dvag.dll
2008-08-21 02:08 184,320 ----a-w C:\WINDOWS\system32\atipdlxx.dll
2008-08-21 02:08 143,360 ----a-w C:\WINDOWS\system32\Oemdspif.dll
2008-08-21 02:07 43,520 ----a-w C:\WINDOWS\system32\ati2edxx.dll
2008-08-21 02:07 26,112 ----a-w C:\WINDOWS\system32\Ati2mdxx.exe
2008-08-21 02:07 143,360 ----a-w C:\WINDOWS\system32\ati2evxx.dll
2008-08-21 02:05 573,440 ----a-w C:\WINDOWS\system32\ati2evxx.exe
2008-08-21 02:04 53,248 ----a-w C:\WINDOWS\system32\ATIDDC.DLL
2008-08-21 02:01 10,084,352 ----a-w C:\WINDOWS\system32\atioglxx.dll
2008-08-21 01:55 4,094,560 ----a-w C:\WINDOWS\system32\ati3duag.dll
2008-08-21 01:50 307,200 ----a-w C:\WINDOWS\system32\atiiiexx.dll
2008-08-21 01:38 2,377,856 ----a-w C:\WINDOWS\system32\ativvaxx.dll
2008-08-21 01:23 48,640 ----a-w C:\WINDOWS\system32\amdpcom32.dll
2008-08-21 01:19 380,928 ----a-w C:\WINDOWS\system32\atikvmag.dll
2008-08-21 01:18 37,376 ----a-w C:\WINDOWS\system32\atiadlxx.dll
2008-08-21 01:18 17,408 ----a-w C:\WINDOWS\system32\atitvo32.dll
2008-08-21 01:17 53,248 ----a-w C:\WINDOWS\system32\drivers\ati2erec.dll
2008-08-21 01:17 253,952 ----a-w C:\WINDOWS\system32\atiok3x2.dll
2008-08-21 01:11 561,152 ----a-w C:\WINDOWS\system32\ati2cqag.dll
2008-08-20 20:05 593,920 ------w C:\WINDOWS\system32\ati2sgag.exe
2008-08-05 21:14 90,112 ----a-w C:\WINDOWS\system32\ATIBRTMON.EXE
2008-07-18 21:10 94,920 ----a-w C:\WINDOWS\system32\cdm.dll
2008-07-18 21:10 53,448 ----a-w C:\WINDOWS\system32\wuauclt.exe
2008-07-18 21:10 45,768 ----a-w C:\WINDOWS\system32\wups2.dll
2008-07-18 21:10 36,552 ----a-w C:\WINDOWS\system32\wups.dll
2008-07-18 21:09 563,912 ----a-w C:\WINDOWS\system32\wuapi.dll
2008-07-18 21:09 325,832 ----a-w C:\WINDOWS\system32\wucltui.dll
2008-07-18 21:09 205,000 ----a-w C:\WINDOWS\system32\wuweb.dll
2008-07-18 21:09 1,811,656 ----a-w C:\WINDOWS\system32\wuaueng.dll
2003-01-03 10:46 32 ----a-w C:\Documents and Settings\All Users\Application Data\ezsid.dat
.

((((((((((((((((((((((((((((( snapshot@2008-10-08_22.24.09.14 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-10-08 14:22:46 79,272 ----a-w C:\WINDOWS\system32\perfc009.dat
+ 2008-10-10 22:06:33 80,988 ----a-w C:\WINDOWS\system32\perfc009.dat
- 2008-10-08 14:22:46 431,254 ----a-w C:\WINDOWS\system32\perfh009.dat
+ 2008-10-10 22:06:33 434,500 ----a-w C:\WINDOWS\system32\perfh009.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="C:\Program Files\Windows Live\Messenger\msnmsgr.exe" [2007-11-07 3739672]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2008-04-02 185896]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 144784]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-05-03 344064]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.yv12"= yv12vfw.dll
"msacm.l3fhg"= mp3fhg.acm
"msacm.divxa32"= divxa32.acm

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
C:\WINDOWS\system32\dumprep 0 -k [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
--a------ 2005-12-16 12:57 94208 C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2001-07-09 10:50 155648 C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
-ra------ 2008-02-01 18:22 21898024 C:\Program Files\Skype\Phone\Skype.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a------ 2008-04-02 12:13 185896 C:\Program Files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"D:\\Program Files\\Counter-Strike 1.6\\hl.exe"=
"d:\\Program Files\\BitTorrent\\bittorrent.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"D:\\Program Files\\Counter-Strike 1.6\\hlds.exe"=
"D:\\Program Files\\Mozilla Firefox 3 Beta 5\\firefox.exe"=
"C:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"D:\\Programi\\Nova fascikla (2)\\mIRC\\mirc.exe"=
"D:\\midtown madness 2\\Midtown Madness 2\\Midtown2.exe"=
"D:\\Program Files\\LimeWire\\LimeWire.exe"=
"D:\\Program Files\\TrackMania Nations ESWC\\TmNationsESWC.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=

R3 ALI5261;ALi Based Ethernet NT Driver;C:\WINDOWS\system32\DRIVERS\ALI5261.SYS [2001-08-17 27678]
S3 ddsxeiservice;ddsxeiservice2;D:\Program Files\sXe Injected\ddsxei.sys [2008-04-04 41344]
S3 teamviewervpn;TeamViewer VPN Adapter;C:\WINDOWS\system32\DRIVERS\teamviewervpn.sys [2008-01-25 25088]
S3 usnjsvc;Messenger Sharing Folders USN Journal Reader service;C:\Program Files\Windows Live\Messenger\usnsvc.exe [2007-11-07 98840]
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, gmer.net
Rootkit scan 2008-10-11 00:18:32
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-10-11 0:19:38
ComboFix-quarantined-files.txt 2008-10-10 22:19:35
ComboFix2.txt 2008-10-10 17:43:53
ComboFix3.txt 2008-10-08 20:24:51

Pre-Run: 44.088.832.000 bytes free
Post-Run: 44,077,576,192 bytes free

133 --- E O F --- 2008-05-05 09:08:28

Dopuna: 11 Okt 2008 0:35

mycity.rs/must-login.png

mycity.rs/must-login.png

Poslao: 11 Okt 2008 09:54
Idi na vrh
offline
  • Pridružio: 04 Sep 2003
  • Poruke: 24135
  • Gde živiš: Wien

Logovi su sada cisti.
Ima li jos kakvih simptoma?

Poslao: 12 Okt 2008 20:55
Idi na vrh
offline
  • rakac5 
  • Novi MyCity građanin
  • Pridružio: 06 Okt 2008
  • Poruke: 13

2,5 min do WELCOME prozora, i jos 1 minut da se stabilizuje da moze nesto da se radi...
otprilike je malo brzi ali jako malo...
meni se cini da je hard disk ostecen...
Ja sam nabavio jedan stari od 30GB pa cu na njemu da dignem windows i javicu ti za rezultate vec do sutra:)

Dopuna: 12 Okt 2008 20:55

dada u hardu je problem...ima neki problem moracu da uzmem novi...
Nista bobby hvala na ciscenju:)

Poslao: 12 Okt 2008 23:10
Idi na vrh
offline
  • rakac5 
  • Novi MyCity građanin
  • Pridružio: 06 Okt 2008
  • Poruke: 13

Uleteli su mi neki trojanci i komp je odmah bio restartovan. Posle je imao crven desktop background. Evo pogledajte...

MyCity » Ambulanta -> Arhiva Ambulante » [bobby]Sporo dizanje sistema

Ko je trenutno na forumu
 

Ukupno su 960 korisnika na forumu :: 15 registrovanih, 2 sakrivenih i 943 gosta   ::   [ Administrator ] [ Supermoderator ] [ Moderator ] :: Detaljnije

Najviše korisnika na forumu ikad bilo je 3466 - dana 01 Jun 2021 17:07

Korisnici koji su trenutno na forumu:
Korisnici trenutno na forumu: Bubimir, hyla, ILGromovnik, Istman, jukeboxer, koom0001, ladro, Mi lao shu, panzerwaffe, procesor, SlaKoj, suton, Tvrtko I, vathra, voja64