WIN32 Trojandownloader small nrs - POMOC

vec nekoliko dana se mucim sa ovim problemom (win32 trojandownloader small nrs). na desktop-u su mi se pojavile dvije ikonice: Help and support center i Windows update koje nikako ne mogu da obrisem jer se posle brisanja ponovo pojave. ne znam sta da radim. uzgred, pojavilo mi se nekih 4000 nepoznatih fajlova u my documents-u i my computer\system C, a cesto ne mogu da udjem u iste ili bilo koji drugi folder! kad upalim komp pojavljuju mi se 2 prozora u kojima pise:...kerner error 1256...; potential problem has been detected and windows has been shutdown buggy application...
ima li rjesenja za ovako nesto???
hvala unaprijed

Skeniraj racunar sa Combofix-om i okaci log ovde. Za vreme rada combofix-a nemoj nista da radis na racunaru.

---

Kako ti sada radi komp? Combofix je pobrisao neke stvari, mada mi ostaju sumnjive vrednosti:
2008-02-19 15:46 . 2008-02-19 15:46 294 --ahs---- C:\WINDOWS\system32\vhkswkwk.ini i
2008-02-08 21:16 . 2008-02-08 21:31 88 -rahs---- C:\WINDOWS\system32\1A9DF87FCB.sys, i mislim da bi trebao izbrisati i te fajlove. Takodje, proveri da li u root folderu, te u My Documents imas mnogo .tmp fajlova. Ako ih ima mozes ih sve obrisati.

---

racunar mi radi mnogo bolje i hvala ti puno ali samo mi reci kako da obrisem te fajlove koje si naveo i gdje se nalazi taj root folder (u my doc nema .tmp fajlova)?

Windows root folder ili %systemroot% a takodje je bitan i %systemroot%\system32 (upisi ovo u "Start > Run"). My documents temp fajlove brises pomocu programa kao sto su CCleaner i sl. Takodje Combofix nije obrisao sve registry kljuceve koji pripadaju trojancima...

Skini HiJackThis! proskeniraj racunar i okachi log. Takodje ponovo uradi Combofix scan i okachi log.

Odgovor ti je dao Binary Mind, ja nisam stigao. Pre nego sto skeniras sa HijackThis-om mozes skenirati racunar i sa VundoFix-om, procedura je slicna kao i kod Combofix-a. Onda odradi HijackThis i Combofix ponovo pa cemo da vidimo dalje.

---

Jel maticna ploca MSI?

nemam pojma!
kako da to provjerim?

Sta pise na User Manual-u od ploce? Mora da si dobio kad si kupio racunar.

asus

Skini program Everest pa odi na motherboard pa nam javi. Ako nije MSI onda ima par fajlova koji bi mogli biti malware. Takodje da li znas sta je Modecor, sumnjivi su mi ti Modecor fajlovi, ali ne mogu da nadjem nikakve informacije u vezi istih. I da li koristis Incredimail? Free verzija sadrzi adware, tako da bih ti preporucio neki drugi mail klijen tipa Thunderbird ili nesto slicno.

E da, i da li mozda imas MSI graficku?

_{[Ovu poruku je menjao krmard84 dana 22.02.2008. u 14:56 GMT+1]}

---

modecor je software koji mi je dosao uz Olivetti stampac.
izbrisacu incredimail.
u my computer mi se promijenila ikonica system C-a - crveni X, sta to znaci?

modecor je software koji mi je dosao uz Olivetti stampac.
izbrisacu incredimail.
u my computer mi se promijenila ikonica system C-a - crveni X, sta to znaci?

hmmmmm i meni je nesto sumnjivo kod mene molim odgovor nekog "doktora"!!!!!!!!!!
evo ga hijack this moj log!!!!!
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:50:17 PM, on 2/22/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.20733)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
C:\Program Files\Raxco\PerfectDisk2008\PD91Agent.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\CyberLink\Shared files\RichVideo.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
C:\Program Files\Cyberlink\Shared Files\brs.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Internet Download Manager\IEMonitor.exe
C:\Program Files\uTorrent\uTorrent.exe
C:\Program Files\Winamp\winamp.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Frza\Desktop\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: IDM Helper - {0055C089-8582-441B-A0BF-17B458C2A3A8} - C:\Program Files\Internet Download Manager\IDMIECC.dll
O2 - BHO: (no name) - {1CB20BF0-BBAE-40A7-93F4-6435FF3D0411} - C:\PROGRA~1\Crawler\ctbr.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O3 - Toolbar: &Crawler Toolbar - {4B3803EA-5230-4DC3-A7FC-33638F3D3542} - C:\PROGRA~1\Crawler\ctbr.dll
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe"
O4 - HKLM\..\Run: [SpywareTerminator] "C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe"
O4 - HKLM\..\Run: [BDRegion] C:\Program Files\Cyberlink\Shared Files\brs.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD\Language\Language.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-19\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'Default user')
O8 - Extra context menu item: Add to Anti-Banner - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\ie_banner_deny.htm
O8 - Extra context menu item: Crawler Search - tbr:iemenu
O8 - Extra context menu item: Download all links with IDM - C:\Program Files\Internet Download Manager\IEGetAll.htm
O8 - Extra context menu item: Download FLV video content with IDM - C:\Program Files\Internet Download Manager\IEGetVL.htm
O8 - Extra context menu item: Download with IDM - C:\Program Files\Internet Download Manager\IEExt.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\SCIEPlgn.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~1\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~1\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~1\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O18 - Protocol: tbr - {4D25FB7A-8902-4291-960E-9ADA051CFBBF} - C:\PROGRA~1\Crawler\ctbr.dll
O20 - AppInit_DLLs: C:\PROGRA~1\KASPER~1\KASPER~1.0\adialhk.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Kaspersky Internet Security 7.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
O23 - Service: PD91Agent - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk2008\PD91Agent.exe
O23 - Service: PD91Engine - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk2008\PD91Engine.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared files\RichVideo.exe
O23 - Service: Spyware Terminator Realtime Shield Service (sp_rssrv) - Crawler.com - C:\Program Files\Spyware Terminator\sp_rsser.exe

--
End of file - 6590 bytes

Da li ti je za desni klik na C: drajv zatamnjena, tj. default opcija Open? Ako jeste idi start>run>upisi regedit Kada ti se otvori regedit idi na HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer i izbrisi folder DriveIcons
To bi trebalo vratiti ikonicu.

@WuTang
Ne znam sta ti je konkretno sumnjivo, trebao bi otvoriti novi post pa tacno objasniti u cemu je problem. Koliko ovako na brzinu vidim imas Crawler toolbar koji bi mozda trebao maknuti, a i imas nLite verziju Windowsa i to isto moze biti uzrok problema, mada kao sto rekoh nisi naveo koji problem imas.

---

hvala na pomoci, uspjelo je

@clapton

Pitao sam za plocu zbog winsys2.exe koji moze biti i trojanac. Ocigledno da se ne radi o trojancu...

@Wu Tang

Koristis neku nlite Windows XP verziju i Crawler bar je adware. Kod dobro odradjene nlite Windows XP verzije nema vidljivih registry kjluceva pod HiJackThis-om... I ja koristim nlite verziju Windows-a koju sam sam napravio ali HiJackThis! nista nece reci o tome kao kod tebe i jos nekih ovde...

Binary da koristim nlite verziju windows xp-a koju sam sam NAPPRAVIO i dodao i izbacio ono samo sto meni treba .....
Sto se tice Crawler nije spyware njega sam instalirao sa spyware terminatorom koji ti se integrise u web browser i pokazuje ti bezbednodst sajtova koje trenutno posecujes
tako da mi je to ok ovo drugo me zanima...

Dobro. Onda okachi Combofix log, posto je HJT! cist ako Crawler nije adver. Ako uradis pretragu ovde na "zastiti" naci ces dosta linkova gde mozes skinuti Combofix... Dok Combofix skenira ne radi nista na kompu...