Infected computer + it occasionally "freezes"


  • Joined: 20 Mar 2007
  • Posts: 97

On startup NOD sometimes reports "threat found - win32/mebroot trojan" in operating memory, and when I try the clean operation it says it cannot do it.
Also, occasionally everything freezes and I have to restart it.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:24:55, on 14/03/2009
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\acs.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\TP-LINK\TWCU\TWCU.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Rainlendar\Rainlendar.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\Firebird\bin\fbguard.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\svchost.exe
C:\Firebird\bin\fbserver.exe
C:\Program Files\Winamp\Winamp.exe
C:\WINDOWS\System32\msiexec.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Korisnik\Desktop\coumna\coumna.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = searchbar.findthewebsiteyouneed.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = searchbar.findthewebsiteyouneed.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = searchbar.findthewebsiteyouneed.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = lord-rs.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = searchbar.findthewebsiteyouneed.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = searchbar.findthewebsiteyouneed.com
R3 - URLSearchHook: DeskbarBHO - {A8B28872-3324-4CD2-8AA3-7D555C872D96} - C:\Program Files\Deskbar\deskbar.dll (file missing)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1107E93D-0D9E-4504-BF69-40F93F873764} - C:\WINDOWS\System32\gebyw.dll (file missing)
O2 - BHO: (no name) - {3B5C9610-80B2-4ADB-869C-93B9992A5661} - C:\Program Files\MSN\horemo.dll (file missing)
O2 - BHO: DeskbarBHO - {A8B28872-3324-4CD2-8AA3-7D555C872D96} - C:\Program Files\Deskbar\deskbar.dll (file missing)
O2 - BHO: (no name) - {C2A1C5CB-C0EF-4689-9436-F62CCA1C5383} - C:\Program Files\NetProject\sbmdl.dll (file missing)
O2 - BHO: (no name) - {E2F8F7C7-954D-4336-BA99-27BFBEB73DAF} - C:\WINDOWS\system32\gebxwwt.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [TWCU] "C:\Program Files\TP-LINK\TWCU\TWCU.exe" -nogui
O4 - HKLM\..\Run: [SBI] C:\Documents and Settings\Korisnik\Local Settings\Temporary Internet Files\Content.IE5\SUJC2FJ7\install_sbd_en[1].exe
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [IncrediMail] C:\Program Files\IncrediMail\bin\IncMail.exe /c
O4 - HKLM\..\Policies\Explorer\Run: [some] C:\Program Files\NetProject\scit.exe
O4 - Startup: Rainlendar.lnk = C:\Program Files\Rainlendar\Rainlendar.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {9034A523-D068-4BE8-A284-9DF278BE776E} - browsergate.com/redirect.php (file missing)
O9 - Extra 'Tools' menuitem: IE Anti-Spyware - {9034A523-D068-4BE8-A284-9DF278BE776E} - browsergate.com/redirect.php (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - us.dl1.yimg.com/download.yahoo.com/dl/installs/yinst20040510.cab
O16 - DPF: {33331111-1111-1111-1111-615111193427} -
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - myffi.webex.com/client/T26L/nbr/ieatgpc.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{38F7D43D-3EE3-4079-B6B7-3155ECCECE88}: NameServer = 87.250.97.250,87.250.98.250
O17 - HKLM\System\CCS\Services\Tcpip\..\{A33E26F7-0F58-4B25-BE4E-695D784B58BC}: NameServer = 87.250.98.250,87.250.97.250
O17 - HKLM\System\CS1\Services\Tcpip\..\{38F7D43D-3EE3-4079-B6B7-3155ECCECE88}: NameServer = 87.250.97.250,87.250.98.250
O17 - HKLM\System\CS2\Services\Tcpip\..\{38F7D43D-3EE3-4079-B6B7-3155ECCECE88}: NameServer = 87.250.97.250,87.250.98.250
O20 - Winlogon Notify: gebxwwt - C:\WINDOWS\
O23 - Service: TP-LINK Configuration Service (ACS) - Unknown owner - C:\WINDOWS\System32\acs.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
O23 - Service: Firebird Guardian - DefaultInstance (FirebirdGuardianDefaultInstance) - The Firebird Project - C:\Firebird\bin\fbguard.exe
O23 - Service: Firebird Server - DefaultInstance (FirebirdServerDefaultInstance) - The Firebird Project - C:\Firebird\bin\fbserver.exe
O23 - Service: Net Monitor for Employees Agent (NMEmployeesAgent) - Unknown owner - C:\Program Files\Network LookOut\Net Monitor for Employees Professional\bin\NLSAgentSvc.exe (file missing)
O24 - Desktop Component 0: (no name) - img.photobucket.com/albums/v364/Kresimira/tarot/IMG_0115.jpg
O24 - Desktop Component 1: (no name) - image.guardian.co.uk/sys-images/Travel/Pix/.....mn_300.jpg
O24 - Desktop Component 2: (no name) - livada.pondi.hr/travar/zivotinje/ptice/ptice32.jpg

--
End of file - 6626 bytes
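What a helper reads out of a log like this, turned into a script. This is an added example, not part of the forum post and not HijackThis code: the sample lines are copied from the log above, and the rules (a registered hook whose file is missing, a Run entry launched from the IE cache or from a Policies\Explorer\Run key, a Winlogon Notify package that names a directory instead of a DLL, NameServer values not on a trusted list) are the reviewer's own triage heuristics, not HijackThis classifications.

```python
"""Triage a HijackThis v2 log for the indicators a removal helper checks first.

Added example, not part of the forum post or of HijackThis; the sample lines
are copied from the log quoted above, the rules are the reviewer's heuristics.
"""
import re

# Sample input: a handful of lines excerpted from the HijackThis log above.
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1107E93D-0D9E-4504-BF69-40F93F873764} - C:\WINDOWS\System32\gebyw.dll (file missing)
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [SBI] C:\Documents and Settings\Korisnik\Local Settings\Temporary Internet Files\Content.IE5\SUJC2FJ7\install_sbd_en[1].exe
O4 - HKLM\..\Policies\Explorer\Run: [some] C:\Program Files\NetProject\scit.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{38F7D43D-3EE3-4079-B6B7-3155ECCECE88}: NameServer = 87.250.97.250,87.250.98.250
O20 - Winlogon Notify: gebxwwt - C:\WINDOWS\
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
"""

HJT_LINE = re.compile(r"^([ORFN]\d+)\s+-\s+(.*)$")
FILE_MISSING = re.compile(r"\(file missing\)\s*$")
# Directories an installer never uses for a program that is meant to stay.
CACHE_DIRS = ("\\temporary internet files\\", "\\temp\\")


def triage(log_text, trusted_dns=()):
    """Return (section, tag, line) triples for every line worth a second look."""
    findings = []
    for line in log_text.splitlines():
        m = HJT_LINE.match(line.strip())
        if not m:
            continue
        section, body = m.groups()
        low = body.lower()
        if section in ("O2", "O3", "O9", "O23", "R3") and FILE_MISSING.search(body):
            # A registered hook whose file is gone: a leftover of removed
            # malware, or a stub that a dropper will fill in again.
            findings.append((section, "file-missing", line))
        elif section == "O4":
            if any(d in low for d in CACHE_DIRS):
                findings.append((section, "run-from-cache", line))
            if "\\policies\\explorer\\run" in low:
                # An autostart location ordinary installers do not use.
                findings.append((section, "policy-run", line))
        elif section == "O17":
            servers = [s.strip() for s in body.split("=", 1)[1].split(",")]
            rogue = [s for s in servers if s not in trusted_dns]
            if rogue:
                # Resolvers the ISP did not hand out can redirect every lookup.
                findings.append((section, "dns-override:" + ",".join(rogue), line))
        elif section == "O20":
            target = body.split(" - ", 1)[1].strip() if " - " in body else ""
            if not target.lower().endswith(".dll"):
                # A Winlogon Notify package must name a DLL; a bare directory
                # means the DLL was removed but the registration was not.
                findings.append((section, "notify-without-dll", line))
    return findings


if __name__ == "__main__":
    for section, tag, line in triage(SAMPLE_LOG):
        print(f"{section:4} {tag:32} {line}")
```

Pass the resolvers your ISP actually assigns as `trusted_dns`; with an empty list every O17 line is reported, which is the right default when the machine's history is unknown, as it is for a hand-me-down box like this one.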

  • dr_Bora
  • Anti Malware Fighter
    Rank 2
  • Joined: 24 Jul 2007
  • Posts: 12280
  • Location: Höganäs, SE

Hello...


Why don't you have Service Pack 3 installed?



Download gmer.zip from this link and save it to the Desktop.
Unpack it into a folder.

Double-click gmer.exe to start: select the Rootkit/Malware tab at the top.
Click Scan.
When the scan is finished, click the Copy button below - this will save the scan results to the Clipboard.
Use Paste in Notepad to turn that into text. Save that text from Notepad as file1.txt.
Repeat the same with the Autostart tab. Save that text from Notepad as file2.txt.


Use the Attach file option below the message box on the forum and attach here the two files we just saved.

  • Joined: 20 Mar 2007
  • Posts: 97

Well, this is some old computer of mine; it was at a friend's company and he gave it back to me. It'll do in a pinch.
Only in the log did I notice it was SP1, and in the meantime I installed SP2 (I had it on a CD).

Here are the Gmer results. The first scan (full scan) took an hour and at the end the COPY button disappeared on me. So I took 2 screenshots of what it listed. So I'm sending you the first scan as 2 pictures. The second one is ok.
And I'll also send you this shorter result of the first scan, maybe that alone is enough for you.

  • dr_Bora
  • Anti Malware Fighter
    Rank 2
  • Joined: 24 Jul 2007
  • Posts: 12280
  • Location: Höganäs, SE

Download the following file to the root (base folder) of the C drive:

http://www2.gmer.net/mbr/mbr.exe

Click Start, Run and copy/paste the following:

C:\mbr.exe -f


After all that, restart the PC and post a fresh Gmer Rootkit/Malware log.
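The check behind that instruction, as an added example that is not part of the thread and is not mbr.exe's code. The MBR bootkit family that NOD32 named in the first post lives in the bootstrap area of sector 0 and leaves the partition table alone, so a known-good copy of that sector (saved before the infection, or taken from an identical clean install) is enough to tell a rewritten bootstrap from a merely different disk. Both sectors below are constructed in code, with placeholder bootstrap bytes rather than real Windows boot code, and nothing is read from a physical disk.

```python
"""Compare an MBR sector's bootstrap code against a known-good copy.

Added example, not part of the thread and not mbr.exe's code.  Both sectors
are constructed here; the "clean" bootstrap is a placeholder byte pattern.
"""
import hashlib
import struct

BOOTCODE_LEN = 440       # bytes 0..439: bootstrap code; 440..445 hold the
                         # per-disk signature and padding, so they are not hashed
PART_TABLE_OFF = 446     # four 16-byte partition entries follow
SIGNATURE = b"\x55\xAA"  # bytes 510..511


def parse_mbr(sector: bytes) -> dict:
    """Split a 512-byte sector into a bootstrap-code hash and its partition entries."""
    if len(sector) != 512:
        raise ValueError("an MBR is exactly 512 bytes")
    if sector[510:512] != SIGNATURE:
        raise ValueError("missing 0x55AA boot signature")
    partitions = []
    for i in range(4):
        off = PART_TABLE_OFF + 16 * i
        status, ptype = sector[off], sector[off + 4]
        lba, count = struct.unpack_from("<II", sector, off + 8)
        if ptype != 0:  # type 0 marks an unused slot
            partitions.append({"bootable": status == 0x80, "type": ptype,
                               "lba": lba, "sectors": count})
    return {"bootcode_sha256": hashlib.sha256(sector[:BOOTCODE_LEN]).hexdigest(),
            "partitions": partitions}


def compare_mbr(suspect: bytes, known_good: bytes) -> dict:
    """A bootkit shows up as bootcode changed while the partition table is unchanged."""
    a, b = parse_mbr(suspect), parse_mbr(known_good)
    return {"bootcode_modified": a["bootcode_sha256"] != b["bootcode_sha256"],
            "partition_table_modified": a["partitions"] != b["partitions"]}


def build_mbr(bootcode: bytes, partitions) -> bytes:
    """Assemble a sector from bootstrap bytes and (status, type, lba, count) tuples."""
    sector = bytearray(512)
    sector[:len(bootcode)] = bootcode
    for i, (status, ptype, lba, count) in enumerate(partitions):
        off = PART_TABLE_OFF + 16 * i
        sector[off], sector[off + 4] = status, ptype
        struct.pack_into("<II", sector, off + 8, lba, count)
    sector[510:512] = SIGNATURE
    return bytes(sector)


# Constructed samples: one bootable NTFS partition, placeholder boot code,
# and an "infected" variant that differs only by a patched jump at offset 0.
PARTITIONS = [(0x80, 0x07, 63, 20_000_000)]
CLEAN_BOOTCODE = bytes(range(256)) + bytes(184)          # 440 placeholder bytes
INFECTED_BOOTCODE = b"\xEB\x3A" + CLEAN_BOOTCODE[2:]     # same length, first bytes swapped
CLEAN_MBR = build_mbr(CLEAN_BOOTCODE, PARTITIONS)
INFECTED_MBR = build_mbr(INFECTED_BOOTCODE, PARTITIONS)

if __name__ == "__main__":
    print(compare_mbr(INFECTED_MBR, CLEAN_MBR))
```

On a live Windows machine, run as administrator, the suspect sector is `open(r"\\.\PhysicalDrive0", "rb").read(512)`. Keep the reference copy from before the infection or from a clean install of the same Windows version; the disk signature at bytes 440 to 443 differs per disk and is deliberately left out of the hash, otherwise every comparison across machines would report a change.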

  • Joined: 20 Mar 2007
  • Posts: 97

Sorry for the delay, I wasn't around over the weekend.

  • dr_Bora
  • Anti Malware Fighter
    Rank 2
  • Joined: 24 Jul 2007
  • Posts: 12280
  • Location: Höganäs, SE

Start ESET Smart Security/ESET NOD32 in the following way:
Start>All Programs>ESET>ESET Smart Security, or ESET NOD32 Antivirus (if you are using only the Antivirus product).

* When the program's main window opens, click the Setup option on the left side of the window;
* Choose the Antivirus and antispyware option and click Temporarily disable Antivirus and antispyware protection.
* Click Yes at the next prompt.




Download ComboFix from one of the following addresses to the Desktop:
http://download.bleepingcomputer.com/sUBs/ComboFix.exe
http://www.forospyware.com/sUBs/ComboFix.exe
http://subs.geekstogo.com/ComboFix.exe

Start it and don't touch the program window while it scans.
Follow the on-screen instructions. When it finishes, a log (C:\ComboFix.txt) will appear, which you will copy here.

  • Joined: 20 Mar 2007
  • Posts: 97

So here's what happened ... I shut NOD down completely, in Task Manager, and ran Combo.
Combo did its job and restarted the computer. But the system could not boot back up. That has happened to me before as well. The computer beeps a few times and won't start. I had to turn it off by hand and turn it back on. Anyway, when it came up, there was no C:\ComboFix.txt log. I have a ComboFix folder on C: and ComboFix.txt inside it, but it contains only this:

ComboFix 09-03-15.01 - Korisnik 2009-03-16 13:00:20.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.511.133 [GMT 1:00]
Running from: C:\Documents and Settings\Korisnik\Desktop\ComboFix.exe
AV: ESET NOD32 Antivirus 3.0 *On-access scanning enabled* (Updated)
* Created a new restore point
* Resident AV is active


WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

Update: 16 Mar 2009 13:58

And I don't understand why it now says "* Resident AV is active", if NOD was shut down.

  • dr_Bora
  • Anti Malware Fighter
    Rank 2
  • Joined: 24 Jul 2007
  • Posts: 12280
  • Location: Höganäs, SE

Try again...

  • Joined: 20 Mar 2007
  • Posts: 97

ComboFix 09-03-15.01 - Korisnik 2009-03-17 10:14:22.2 - NTFSx86
Running from: c:\documents and settings\Korisnik\Desktop\ComboFix.exe
AV: ESET NOD32 Antivirus 3.0 *On-access scanning disabled* (Updated)

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\kr_done1
.
---- Previous Run -------
.
C:\installer4.exe
c:\program files\AntiSpyKit 5.3
c:\program files\AntiSpyKit 5.3\Logs\scan_log_03132008-143606.html
c:\program files\AntiSpyKit 5.3\Logs\scan_log_03132008-150230.html
c:\program files\AntiSpyKit 5.3\Logs\scan_log_03132008-150341.html
c:\program files\AntiSpyKit 5.3\Logs\scan_log_03132008-161458.html
c:\program files\AntiSpyKit 5.3\Logs\scan_log_03142008-075930.html
c:\program files\AntiSpyKit 5.3\Logs\scan_log_03142008-185047.html
c:\program files\AntiSpyKit 5.3\Logs\scan_log_03152008-080410.html
c:\program files\AntiSpyKit 5.3\Logs\scan_log_03172008-075527.html
c:\program files\AntiSpyKit 5.3\Logs\scan_log_03172008-082338.html
c:\program files\AntiSpyKit 5.3\Logs\scan_log_03172008-102808.html
c:\program files\AntiSpyKit 5.3\Logs\scan_log_03172008-123334.html
c:\program files\AntiSpyKit 5.3\Logs\scan_log_03172008-141625.html
c:\program files\AntiSpyKit 5.3\Logs\scan_log_03182008-075209.html
c:\program files\AntiSpyKit 5.3\Logs\scan_log_03192008-080429.html
c:\program files\AntiSpyKit 5.3\Logs\scan_log_03192008-230531.html
c:\program files\AntiSpyKit 5.3\Logs\scan_log_03202008-030544.html
c:\program files\AntiSpyKit 5.3\Logs\scan_log_03202008-054442.html
c:\program files\AntiSpyKit 5.3\Logs\scan_log_03202008-225310.html
c:\program files\AntiSpyKit 5.3\Logs\scan_log_03212008-004532.html
c:\program files\AntiSpyKit 5.3\Logs\scan_log_03222008-081030.html
c:\program files\AntiSpyKit 5.3\Logs\scan_log_03222008-164431.html
c:\program files\AntiSpyKit 5.3\Logs\scan_log_03242008-075611.html
c:\program files\AntiSpyKit 5.3\Logs\scan_log_03252008-080306.html
c:\program files\AntiSpyKit 5.3\Logs\scan_log_03252008-082300.html
c:\program files\AntiSpyKit 5.3\Logs\scan_log_03252008-152246.html
c:\program files\AntiSpyKit 5.3\Logs\scan_log_03252008-154557.html
c:\program files\AntiSpyKit 5.3\Logs\scan_log_03262008-082258.html
c:\program files\AntiSpyKit 5.3\Logs\scan_log_03262008-095934.html
c:\program files\AntiSpyKit 5.3\Logs\scan_log_03262008-100327.html
c:\program files\AntiSpyKit 5.3\Logs\scan_log_03262008-100732.html
c:\program files\AntiSpyKit 5.3\Logs\scan_log_03262008-101121.html
c:\program files\AntiSpywareShield
c:\program files\AntiSpywareShield\AntiSpywareShield.lic
c:\program files\AntiSpywareShield\AntiSpywareShield1.ad
c:\program files\AntiSpywareShield\Uninstall.exe
c:\program files\deskbar
c:\program files\deskbar\about.html
c:\program files\deskbar\basis.xml
c:\program files\deskbar\deskbar.crc
c:\program files\deskbar\deskbar.inf
c:\program files\deskbar\icons.bmp
c:\program files\deskbar\inst.bat
c:\program files\deskbar\mbback.bmp
c:\program files\deskbar\mbbigopen.bmp
c:\program files\deskbar\mbclose.bmp
c:\program files\deskbar\mbfwd.bmp
c:\program files\deskbar\mblogo.bmp
c:\program files\deskbar\mbsep.bmp
c:\program files\deskbar\options.html
c:\program files\deskbar\softomate.gif
c:\program files\deskbar\version.txt
c:\program files\Helper
c:\program files\NetProject
c:\windows\BM8f757957.txt
c:\windows\BM8f757957.xml
c:\windows\IE4 Error Log.txt
c:\windows\pskt.ini
c:\windows\system32\bedlikug.ini
c:\windows\system32\bhngxvub.ini
c:\windows\system32\ijkkksyk.ini
c:\windows\system32\jfuiuivd.ini
c:\windows\system32\qudrjmcn.ini
c:\windows\system32\sjnsednv.ini
c:\windows\system32\tfuikipq.ini
c:\windows\system32\wdnfacks.ini
c:\windows\system32\wubjhqhg.ini
c:\windows\system32\wybeg.ini
c:\windows\system32\wybeg.ini2

.
((((((((((((((((((((((((( Files Created from 2009-02-17 to 2009-03-17 )))))))))))))))))))))))))))))))
.

2009-03-16 16:01 . 2009-03-16 16:01 <DIR> d-------- c:\program files\MSXML 4.0
2009-03-16 13:15 . 2009-03-16 13:16 3,084,099 --a------ C:\ComboFix.rar
2009-03-16 09:21 . 2009-03-16 09:20 66,048 --a------ C:\mbr.exe
2009-03-16 08:37 . 2009-03-16 08:37 <DIR> d-------- c:\windows\system32\LogFiles
2009-03-16 08:08 . 2008-12-12 18:33 3,060,224 -----c--- c:\windows\system32\dllcache\mshtml.dll
2009-03-16 08:08 . 2008-08-14 11:00 2,180,352 -----c--- c:\windows\system32\dllcache\ntoskrnl.exe
2009-03-16 08:08 . 2008-08-14 10:58 2,136,064 -----c--- c:\windows\system32\dllcache\ntkrnlmp.exe
2009-03-16 08:08 . 2008-08-14 10:22 2,057,728 -----c--- c:\windows\system32\dllcache\ntkrnlpa.exe
2009-03-16 08:08 . 2008-08-14 10:22 2,015,744 -----c--- c:\windows\system32\dllcache\ntkrpamp.exe
2009-03-16 08:04 . 2008-05-01 15:30 331,776 -----c--- c:\windows\system32\dllcache\msadce.dll
2009-03-16 08:03 . 2008-04-11 19:50 683,520 -----c--- c:\windows\system32\dllcache\inetcomm.dll
2009-03-16 08:03 . 2008-10-03 11:15 247,326 -----c--- c:\windows\system32\dllcache\strmdll.dll
2009-03-14 15:26 . 2006-10-26 19:56 32,592 --a------ c:\windows\system32\msonpmon.dll
2009-03-14 15:23 . 2009-03-14 15:23 <DIR> d-------- c:\program files\MSBuild
2009-03-14 15:23 . 2009-03-14 15:23 <DIR> d-------- c:\program files\Microsoft Works
2009-03-14 15:22 . 2009-03-14 15:22 <DIR> d-------- c:\program files\Microsoft.NET
2009-03-14 15:11 . 2003-02-28 18:26 139,536 --a------ c:\windows\system32\javaee.dll
2009-03-14 15:09 . 2009-03-14 15:09 <DIR> d-------- c:\program files\Microsoft Visual Studio 8
2009-03-14 15:07 . 2009-03-14 15:32 <DIR> d-------- c:\documents and settings\All Users\Application Data\Microsoft Help
2009-03-14 15:05 . 2009-03-14 15:05 <DIR> dr-h----- C:\MSOCache
2009-03-14 15:04 . 2009-03-14 15:04 316,640 --a------ c:\windows\WMSysPr9.prx
2009-03-14 14:47 . 2004-08-04 00:56 239,616 --------- c:\windows\system32\wstrenderer.ax
2009-03-14 14:47 . 2004-08-04 00:56 164,352 --------- c:\windows\system32\wstpager.ax
2009-03-14 14:47 . 2004-08-04 00:56 96,768 -----c--- c:\windows\system32\dllcache\dpcdll.dll
2009-03-14 14:47 . 2004-08-04 00:56 53,248 --------- c:\windows\system32\vbicodec.ax
2009-03-14 14:47 . 2004-08-03 23:08 40,832 --------- c:\windows\system32\drivers\irbus.sys
2009-03-14 14:47 . 2004-08-03 22:59 9,728 --------- c:\windows\system32\comsdupd.exe
2009-03-14 14:43 . 2009-03-14 14:43 <DIR> d-------- c:\windows\ServicePackFiles
2009-03-14 14:37 . 2004-07-17 11:40 19,528 --a------ c:\windows\002520_.tmp
2009-03-14 14:34 . 2009-03-14 14:34 <DIR> d-------- c:\windows\EHome
2009-03-14 13:35 . 2006-08-25 16:45 617,472 -----c--- c:\windows\system32\dllcache\comctl32.dll
2009-03-14 13:35 . 2008-06-20 11:45 360,320 --a--c--- c:\windows\system32\dllcache\tcpip.sys
2009-03-14 13:31 . 2006-07-14 16:25 546,304 -----c--- c:\windows\system32\dllcache\hhctrl.ocx
2009-03-14 13:31 . 2008-10-15 17:57 332,800 -----c--- c:\windows\system32\dllcache\netapi32.dll
2009-03-14 13:31 . 2008-06-20 10:52 225,920 --a--c--- c:\windows\system32\dllcache\tcpip6.sys
2009-03-14 13:31 . 2006-08-16 12:58 100,352 -----c--- c:\windows\system32\dllcache\6to4svc.dll
2009-03-14 13:30 . 2006-06-22 11:47 181,248 -----c--- c:\windows\system32\dllcache\rasmans.dll
2009-03-14 13:26 . 2006-05-19 13:59 111,616 -----c--- c:\windows\system32\dllcache\dhcpcsvc.dll
2009-03-14 13:26 . 2006-05-19 13:59 94,720 -----c--- c:\windows\system32\dllcache\iphlpapi.dll
2009-03-14 13:18 . 2009-03-14 13:18 <DIR> d-------- c:\windows\system32\bits
2009-03-14 13:17 . 2006-03-17 01:38 28,672 --------- c:\windows\system32\verclsid.exe
2009-03-14 13:17 . 2009-03-16 16:05 1,374 --a------ c:\windows\imsins.BAK
2009-03-14 13:16 . 2009-03-14 13:16 <DIR> d-------- c:\windows\system32\bfubackups
2009-03-14 12:41 . 2004-08-04 00:56 2,897,920 --------- c:\windows\system32\xpsp2res.dll
2009-03-14 12:41 . 2004-08-04 00:56 713,216 --a------ c:\windows\system32\sxs.dll
2009-03-14 12:41 . 2004-08-04 00:56 87,552 --a------ c:\windows\system32\fldrclnr.dll
2009-03-14 12:36 . 2009-03-16 16:05 <DIR> d--h----- c:\windows\$hf_mig$
2009-03-14 12:36 . 2005-02-25 04:35 22,752 --a------ c:\windows\system32\spupdsvc.exe
2009-03-14 12:35 . 2008-06-20 18:41 148,992 --a--c--- c:\windows\system32\dllcache\dnsapi.dll
2009-03-14 12:35 . 2006-06-26 18:37 8,192 -----c--- c:\windows\system32\dllcache\rasadhlp.dll
2009-03-14 12:30 . 2009-03-14 12:31 <DIR> d-------- c:\program files\Unlocker
2009-03-14 12:30 . 2008-10-16 14:09 31,768 --a------ c:\windows\system32\wucltui.dll.mui
2009-03-14 12:30 . 2008-10-16 14:07 23,576 --a------ c:\windows\system32\wuaucpl.cpl.mui
2009-03-14 12:30 . 2008-10-16 14:07 23,576 --a------ c:\windows\system32\wuapi.dll.mui
2009-03-14 12:30 . 2008-10-16 14:07 18,456 --a------ c:\windows\system32\wuaueng.dll.mui
2009-03-14 12:19 . 2009-03-14 12:19 <DIR> d-------- c:\program files\TuneUp Utilities 2007
2009-03-14 12:19 . 2009-03-14 12:19 <DIR> d-------- c:\documents and settings\Korisnik\Application Data\TuneUp Software
2009-03-14 12:19 . 2006-12-19 16:53 24,072 --a------ c:\windows\system32\uxtuneup.dll
2009-03-14 12:18 . 2009-03-14 12:18 <DIR> d-------- c:\program files\Common Files\Wise Installation Wizard
2009-03-14 12:18 . 2009-03-14 12:18 <DIR> d-------- c:\documents and settings\All Users\Application Data\TuneUp Software
2009-03-13 10:32 . 2009-03-13 10:32 <DIR> d-------- c:\windows\ePlusMenuCAD
2009-03-13 10:32 . 2009-03-13 10:36 <DIR> d-------- c:\program files\ePlusMenuCAD
2009-03-11 14:30 . 2009-03-14 12:43 <DIR> d-------- c:\program files\Google
2009-03-10 09:12 . 2009-03-14 12:51 <DIR> d-------- C:\Ulysse
2009-03-10 09:12 . 2009-03-13 13:44 2,229 --a------ c:\windows\ulysse.ini
2009-03-10 09:10 . 2009-03-10 09:10 <DIR> d-------- c:\documents and settings\Korisnik\WINDOWS
2009-03-09 09:54 . 2009-03-17 09:02 <DIR> d-------- c:\program files\ABBYY FineReader 7.0 Professional Edition
2009-03-09 08:36 . 2009-03-09 08:36 <DIR> d-------- c:\documents and settings\Korisnik\Application Data\ABBYY
2009-03-09 08:35 . 2009-03-09 08:35 <DIR> d-------- c:\documents and settings\All Users\Application Data\ABBYY
2009-03-06 08:50 . 2009-03-06 08:50 <DIR> d-------- c:\windows\system32\Adobe
2009-03-06 08:50 . 2009-03-06 08:50 <DIR> d-------- c:\windows\Profiles
2009-03-06 08:50 . 2009-03-06 08:50 <DIR> d-------- c:\documents and settings\Korisnik\Application Data\InterTrust
2009-03-06 08:50 . 1998-10-29 14:45 306,688 --a------ c:\windows\IsUninst.exe
2009-03-03 13:30 . 2009-03-03 13:30 0 --a------ c:\windows\nsreg.dat

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-03-17 07:13 --------- d-----w c:\program files\Rainlendar
2009-03-14 11:51 --------- d-----w c:\program files\totalcmd
2009-03-07 11:25 2,568 --sha-w c:\windows\system32\KGyGaAvL.sys
2009-03-06 07:50 --------- d-----w c:\program files\Common Files\Adobe
2009-03-03 11:55 --------- d-----w c:\program files\WinSpyKiller
2009-02-09 10:19 1,846,272 ----a-w c:\windows\system32\win32k.sys
2009-01-27 12:59 --------- d-----w c:\program files\GlobalMapper10
2008-03-13 22:34 2,568,840 ----a-w c:\program files\ask_install.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TWCU"="c:\program files\TP-LINK\TWCU\TWCU.exe" [2009-03-17 20112]
"egui"="c:\program files\ESET\ESET NOD32 Antivirus\egui.exe" [2009-03-17 20112]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2009-03-17 20112]

c:\documents and settings\Korisnik\Start Menu\Programs\Startup\
Rainlendar.lnk - c:\program files\Rainlendar\Rainlendar.exe [2006-01-21 20112]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^AutoCAD Startup Accelerator.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\AutoCAD Startup Accelerator.lnk
backup=c:\windows\pss\AutoCAD Startup Accelerator.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
c:\windows\system32\dumprep 0 -k [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2004-08-04 00:56 15360 c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\FineReader7NewsReaderPro]
--a------ 2009-03-17 08:10 20112 c:\program files\ABBYY FineReader 7.0 Professional Edition\AbbyyNewsReader.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
--a------ 2005-08-12 01:30 249856 c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
--a------ 2005-08-12 01:30 81920 c:\program files\Common Files\InstallShield\UpdateService\issch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2001-07-09 18:50 155648 c:\windows\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
--a------ 2004-11-03 04:24 32768 c:\program files\CyberLink\PowerDVD\PDVDServ.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]
-ra------ 2006-03-31 00:45 313472 c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
--a------ 2004-12-20 19:41 33792 c:\program files\Winamp\winampa.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
-ra------ 2005-07-12 08:55 81920 c:\windows\SOUNDMAN.EXE

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=

R1 epfwtdir;epfwtdir;c:\windows\system32\drivers\epfwtdir.sys [2008-07-01 34312]
R2 ekrn;Eset Service;c:\program files\ESET\ESET NOD32 Antivirus\ekrn.exe [2008-07-01 468224]
R2 FirebirdGuardianDefaultInstance;Firebird Guardian - DefaultInstance;c:\firebird\bin\fbguard.exe -s --> c:\firebird\bin\fbguard.exe -s [?]
R3 FirebirdServerDefaultInstance;Firebird Server - DefaultInstance;c:\firebird\bin\fbserver.exe -s --> c:\firebird\bin\fbserver.exe -s [?]
R3 WB6692;%WB6692.DeviceDesc%;c:\windows\system32\drivers\WB692pci.sys [2006-09-30 135122]
S2 NMEmployeesAgent;Net Monitor for Employees Agent;c:\program files\Network LookOut\Net Monitor for Employees Professional\bin\NLSAgentSvc.exe --> c:\program files\Network LookOut\Net Monitor for Employees Professional\bin\NLSAgentSvc.exe [?]
S3 {DEF85C80-216A-43ab-AF70-1665EDBE2780};{DEF85C80-216A-43ab-AF70-1665EDBE2780};\??\c:\windows\TEMP\1FD.tmp --> c:\windows\TEMP\1FD.tmp [?]
S3 K320bus;Sony Ericsson K320 driver (WDM);c:\windows\system32\drivers\K320bus.sys [2007-07-13 61504]
S3 K320mdfl;Sony Ericsson K320 USB WMC Modem Filter;c:\windows\system32\drivers\K320mdfl.sys [2007-07-13 9328]
S3 K320mdm;Sony Ericsson K320 USB WMC Modem Driver;c:\windows\system32\drivers\K320mdm.sys [2007-07-13 97056]
S3 K320mgmt;Sony Ericsson K320 USB WMC Device Management Drivers (WDM);c:\windows\system32\drivers\K320mgmt.sys [2007-07-13 88560]
S3 K320obex;Sony Ericsson K320 USB WMC OBEX Interface;c:\windows\system32\drivers\K320obex.sys [2007-07-13 86368]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp
.
Contents of the 'Scheduled Tasks' folder

2009-03-14 c:\windows\Tasks\1-Click Maintenance.job
- c:\program files\TuneUp Utilities 2007\SystemOptimizer.exe [2006-12-19 16:53]
.
- - - - ORPHANS REMOVED - - - -

BHO-{1107E93D-0D9E-4504-BF69-40F93F873764} - (no file)
BHO-{3B5C9610-80B2-4ADB-869C-93B9992A5661} - (no file)
Notify-gebxwwt - (no file)


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.lord-rs.com/
uDefault_Search_URL = hxxp://searchbar.findthewebsiteyouneed.com
uInternet Connection Wizard,ShellNext = iexplore
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
TCP: {38F7D43D-3EE3-4079-B6B7-3155ECCECE88} = 87.250.97.250,87.250.98.250
TCP: {A33E26F7-0F58-4B25-BE4E-695D784B58BC} = 87.250.98.250,87.250.97.250
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
DPF: {33331111-1111-1111-1111-615111193427}
FF - ProfilePath - c:\documents and settings\Korisnik\Application Data\Mozilla\Firefox\Profiles\jbi84gfc.default\
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, gmer.net
Rootkit scan 2009-03-17 10:16:20
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

? [2624]
? [6984]
? [7044]

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\{DEF85C80-216A-43ab-AF70-1665EDBE2780}]
"ImagePath"="\??\c:\windows\TEMP\1FD.tmp"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(576)
c:\windows\system32\Ati2evxx.dll
.
Completion time: 2009-03-17 10:18:16
ComboFix-quarantined-files.txt 2009-03-17 09:17:57

Pre-Run: 17,992,667,136 bytes free
Post-Run: 17,979,518,976 bytes free

277 --- E O F --- 2009-03-16 15:05:29

Update: 17 Mar 2009 12:24

Ouch. The computer is now 10 times slower. I restarted it, the system took a long time to boot, and now I don't have NOD. When I try to start it manually from START/PROGRAMS, it tells me "missing shortcut" ...
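Picking the one entry in that ComboFix log that matters, as an added example that is not part of the thread and not ComboFix code. The four sample lines are copied from the services section of the log above; the rules (image path under a temp directory, a .tmp image, a service whose only name is a GUID, and ComboFix's "[?]" in place of the file date and size, which in this log coincides with HijackThis's "file missing" for the same service) are the reviewer's heuristics. The entry they single out is the driver the helper's CFScript removes in the next post.

```python
"""Flag driver/service entries in a ComboFix log whose image sits where no
legitimate driver lives.

Added example, not part of the thread or of ComboFix; the sample lines are
copied from the ComboFix log above, the rules are the reviewer's heuristics.
"""
import re

# Sample input: service lines excerpted from the ComboFix log above.
SAMPLE = r"""
R1 epfwtdir;epfwtdir;c:\windows\system32\drivers\epfwtdir.sys [2008-07-01 34312]
S2 NMEmployeesAgent;Net Monitor for Employees Agent;c:\program files\Network LookOut\Net Monitor for Employees Professional\bin\NLSAgentSvc.exe --> c:\program files\Network LookOut\Net Monitor for Employees Professional\bin\NLSAgentSvc.exe [?]
S3 {DEF85C80-216A-43ab-AF70-1665EDBE2780};{DEF85C80-216A-43ab-AF70-1665EDBE2780};\??\c:\windows\TEMP\1FD.tmp --> c:\windows\TEMP\1FD.tmp [?]
S3 K320bus;Sony Ericsson K320 driver (WDM);c:\windows\system32\drivers\K320bus.sys [2007-07-13 61504]
"""

# Line shape in this section: "<start> <name>;<display>;<image> [<date size> | ?]"
SERVICE_LINE = re.compile(r"^([RS]\d)\s+([^;]+);([^;]*);(.+?)\s+\[([^\]]*)\]\s*$")
GUID_NAME = re.compile(r"^\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$")
TEMP_DIRS = ("\\temp\\", "\\tmp\\", "\\temporary internet files\\")


def triage_services(text):
    """Return one dict per suspicious service: name, start type, image, reasons."""
    findings = []
    for line in text.splitlines():
        m = SERVICE_LINE.match(line.strip())
        if not m:
            continue
        start, name, _display, image, meta = m.groups()
        # ComboFix prints "registry value --> resolved path"; judge the resolved path.
        image = image.split("-->")[-1].strip()
        low = image.lower()
        reasons = []
        if any(d in low for d in TEMP_DIRS):
            reasons.append("image under a temp directory")
        if low.endswith(".tmp"):
            reasons.append("image has .tmp extension")
        if GUID_NAME.match(name.strip()):
            reasons.append("service named by bare GUID")
        if meta.strip() == "?":
            reasons.append("file not found by ComboFix ([?])")
        if reasons:
            findings.append({"name": name.strip(), "start": start,
                             "image": image, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in triage_services(SAMPLE):
        print(f"{f['start']} {f['name']}: {f['image']}")
        for r in f["reasons"]:
            print("    -", r)
```

The leftover NMEmployeesAgent service is reported only because its file is gone; the GUID-named S3 driver loading from C:\WINDOWS\TEMP trips every rule at once, which is the difference between stale cruft and an active loader worth a Driver:: line in a CFScript.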

  • dr_Bora
  • Anti Malware Fighter
    Rank 2
  • Joined: 24 Jul 2007
  • Posts: 12280
  • Location: Höganäs, SE

Open Notepad and copy the following text:


Folder::
c:\program files\WinSpyKiller

Driver::
{DEF85C80-216A-43ab-AF70-1665EDBE2780}



Save the file from Notepad to the Desktop as "CFScript"




Drag the saved script/text onto the ComboFix icon as in the picture.
Post the log produced at the end of the cleaning/scan in your next message.
