A small but annoying pest

  • srdjos  Male
  • Distinguished citizen
  • Joined: 27 Sep 2005
  • Posts: 678

namely, NOD keeps blocking some VBS code, or whatever it is, from getting into
the computer, but I just can't find out who is so kindly calling it onto my
computer, so I'm asking here for help:

here are the two logs and the picture alongside:

Logfile of HijackThis v1.99.1
Scan saved at 17:41:32, on 21.01.2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\PROGRA~1\MI6841~1\MSSQL\binn\sqlservr.exe
C:\WINDOWS\system32\oodag.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\vsnpstd.exe
C:\PROGRA~1\GENIUS~1\GNETMOUS.EXE
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\system32\cmd.exe
C:\Program Files\Winamp\winamp.exe
C:\Program Files\Miranda IM\miranda32.exe
C:\Documents and Settings\srdjos\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://klik.si/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = ftp=127.0.0.1:8888;socks=127.0.0.1:8888;
O2 - BHO: (no name) - {5A7949A2-ADB3-4790-80C5-6AE2EA267E41} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O4 - HKLM\..\Run: [NVMixerTray] "C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe"
O4 - HKLM\..\Run: [snpstd] C:\WINDOWS\vsnpstd.exe
O4 - HKLM\..\Run: [mouseElf] C:\PROGRA~1\GENIUS~1\GNETMOUS.EXE
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V.....6166671671
O17 - HKLM\System\CCS\Services\Tcpip\..\{94EBD337-F1FC-4C1D-A153-A3F73DED1943}: NameServer = 193.189.160.13 193.189.160.23
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Eset HTTP Server (EhttpSrv) - Unknown owner - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
O23 - Service: Microsoft register shield - Unknown owner - C:\WINDOWS\Mrshield.exe (file missing)
O23 - Service: O&O Defrag - O&O Software GmbH - C:\WINDOWS\system32\oodag.exe

---------------------------------------

ComboFix 08-01-20.1 - srdjos 2008-01-21 17:49:02.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1250.1.1033.18.200 [GMT 1:00]
Running from: C:\Documents and Settings\srdjos\Desktop\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((( Files Created from 2007-12-21 to 2008-01-21 )))))))))))))))))))))))))))))))
.

2008-01-21 17:37 . 2008-01-21 17:37 46,130 --a------ C:\vir.JPG
2008-01-21 00:33 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\NirCmd.exe
2008-01-19 17:31 . 2008-01-19 17:31 340,542 --a------ C:\Fin.rar
2008-01-19 17:19 . 2008-01-19 18:29 <DIR> d-------- C:\temp
2008-01-19 16:35 . 2000-07-07 12:20 81,920 --a------ C:\WINDOWS\system32\mdt2fw95.dll
2008-01-19 16:35 . 2000-08-06 01:50 36,939 --a------ C:\WINDOWS\system32\insrepim.exe
2008-01-19 16:34 . 2005-05-04 00:02 20,480 --a------ C:\WINDOWS\system32\dbmslpcn.dll
2008-01-19 15:45 . 2008-01-19 17:33 100 --a------ C:\WINDOWS\PRENOS.INI
2008-01-19 10:05 . 2005-07-23 11:57 843,776 --a------ C:\WINDOWS\system32\libeay32.dll
2008-01-19 10:05 . 2005-07-23 11:57 159,744 --a------ C:\WINDOWS\system32\ssleay32.dll
2008-01-19 09:25 . 2008-01-19 09:27 <DIR> d-------- C:\Documents and Settings\srdjos\Application Data\Miranda
2008-01-18 20:44 . 2008-01-19 14:32 <DIR> d-------- C:\Program Files\Miranda IM
2008-01-12 11:03 . 2008-01-12 11:03 2,558 --a------ C:\SkriptWoby2008PART1.sql
2008-01-12 11:02 . 2008-01-12 11:02 7,568 --a------ C:\SkriptWoby2008PART2.sql
2008-01-11 00:23 . 2008-01-11 00:23 774,749 --a------ C:\Kasa.7z
2008-01-10 23:03 . 2008-01-10 23:03 <DIR> d-------- C:\slike problema
2008-01-06 21:50 . 2008-01-06 21:52 540,814 --a------ C:\DSC00052.jpg
2008-01-06 21:50 . 2008-01-06 21:52 427,700 --a------ C:\DSC00036.JPG
2008-01-05 21:39 . 2008-01-05 21:39 <DIR> d-------- C:\WINDOWS\Sun
2008-01-05 21:38 . 2008-01-05 21:38 <DIR> d-------- C:\Program Files\Java
2008-01-05 21:38 . 2007-09-24 23:31 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-01-05 21:37 . 2008-01-05 21:37 <DIR> d-------- C:\Program Files\Common Files\Java
2008-01-03 23:28 . 2008-01-03 23:28 <DIR> d-------- C:\Program Files\BitPim
2008-01-01 18:57 . 2007-02-23 22:34 3,364,352 --------- C:\WINDOWS\system32\nvideataskm.exe
2008-01-01 18:57 . 2004-11-05 16:25 847,872 --a------ C:\WINDOWS\system32\notepadc.xcl
2008-01-01 18:57 . 2008-01-01 18:57 3,047 --a------ C:\WINDOWS\system32\avcodecttss.tmp
2008-01-01 18:56 . 2008-01-01 18:56 327 --a------ C:\WINDOWS\ocx.vbs
2008-01-01 18:55 . 2008-01-01 18:56 33 --a------ C:\WINDOWS\system32\webdown.vbs
2007-12-29 17:14 . 2008-01-21 16:58 68,958 --a------ C:\WINDOWS\system32\oodbs.lor
2007-12-29 11:38 . 2007-12-29 11:38 0 --a------ C:\WINDOWS\oodcnt.INI
2007-12-29 09:35 . 2007-12-29 10:18 <DIR> d-------- C:\WINDOWS\system32\oodag
2007-12-29 09:31 . 2007-12-29 09:31 <DIR> d-------- C:\Program Files\OO Software
2007-12-28 20:53 . 2007-12-28 21:07 <DIR> d-------- C:\Program Files\Brew Mobile Commander
2007-12-28 20:42 . 2007-12-28 20:42 <DIR> d-------- C:\Program Files\Siemens
2007-12-28 20:38 . 2007-12-28 20:38 <DIR> d-------- C:\Program Files\QPST
2007-12-27 21:21 . 2007-12-27 21:21 <DIR> d-------- C:\Program Files\Komunikator v.1.2
2007-12-27 07:14 . 2007-12-27 07:14 <DIR> d-------- C:\Documents and Settings\srdjos\Application Data\XCPCSync.OEM
2007-12-27 06:58 . 1998-06-18 01:00 89,360 --a------ C:\WINDOWS\system32\VB5DB.DLL
2007-12-27 06:57 . 2007-12-27 06:58 <DIR> d-------- C:\Program Files\Mobile Phone Manager
2007-12-27 06:57 . 2007-12-27 06:57 <DIR> d-------- C:\Program Files\Common Files\XCPCSync.OEM
2007-12-27 06:57 . 2005-09-12 16:40 27,008 --a------ C:\WINDOWS\system32\drivers\siusbmod.sys
2007-12-27 06:55 . 2007-12-27 06:55 <DIR> d-------- C:\Program Files\WMV9_VCM
2007-12-27 06:53 . 2004-08-03 23:08 31,616 --a------ C:\WINDOWS\system32\drivers\usbccgp.sys
2007-12-27 06:53 . 2004-08-03 23:08 31,616 --a--c--- C:\WINDOWS\system32\dllcache\usbccgp.sys
2007-12-21 14:06 . 2007-12-21 14:06 2,370 --a------ C:\as.sql

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-21 16:40 --------- d-----w C:\Documents and Settings\srdjos\Application Data\uTorrent
2008-01-21 16:17 --------- d-----w C:\Program Files\Mozilla Thunderbird
2008-01-20 23:33 --------- d-----w C:\Documents and Settings\srdjos\Application Data\Skype
2008-01-19 18:07 --------- d-----w C:\Program Files\eMule
2008-01-19 15:34 --------- d-----w C:\Program Files\Microsoft SQL Server
2007-12-28 19:38 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-12-17 20:05 --------- d-----w C:\Documents and Settings\srdjos\Application Data\The Bat!
2007-12-11 18:14 --------- d-----w C:\Program Files\The Bat!
2007-12-08 11:58 --------- d-----w C:\Program Files\Google
2007-12-06 19:14 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2007-12-05 22:55 --------- d-----w C:\Program Files\Microsoft Visual Studio 9.0
2007-12-05 22:55 --------- d-----w C:\Program Files\Microsoft Synchronization Services
2007-12-05 22:55 --------- d-----w C:\Program Files\Microsoft SQL Server Compact Edition
2007-12-05 22:55 --------- d-----w C:\Program Files\Microsoft Device Emulator
2007-12-05 22:55 --------- d-----w C:\Program Files\Business Objects
2007-12-05 22:49 --------- d-----w C:\Program Files\MSBuild
2007-12-05 22:46 --------- d-----w C:\Program Files\Microsoft SDKs
2007-12-05 22:45 --------- d-----w C:\Program Files\Microsoft Web Designer Tools
2007-12-05 19:26 --------- d-----w C:\Program Files\Windows Mobile 5.0 SDK R2
2007-12-05 19:12 --------- d-----w C:\Program Files\Reference Assemblies
2007-12-03 18:35 42,496 ----a-w C:\WINDOWS\system32\ftp.exe
2007-12-03 18:35 16,896 ----a-w C:\WINDOWS\system32\tftp.exe
2007-11-30 21:37 --------- d-----w C:\Program Files\FastReports
2007-11-30 20:55 --------- d-----w C:\Program Files\Notepad++
2007-11-24 18:02 --------- d-----w C:\Program Files\GExperts for Delphi 7
2007-11-24 17:55 --------- d-----w C:\Documents and Settings\srdjos\Application Data\DelphiSpeedUp
2007-11-24 17:42 --------- d-----w C:\Program Files\Common Files\Borland Shared
2007-11-24 17:38 --------- d-----w C:\Program Files\Borland
2007-11-24 09:18 --------- d-----w C:\Documents and Settings\srdjos\Application Data\Ahead
2007-11-24 08:05 --------- d-----w C:\Program Files\CE Remote Tools
2007-11-24 07:31 --------- d-----w C:\Program Files\Registry Medic 5
2007-11-24 07:30 --------- d-----w C:\Documents and Settings\All Users\Application Data\Iomatic
2007-11-18 13:55 1,419,232 ----a-w C:\WINDOWS\system32\wdfcoinstaller01005.dll
2007-11-08 07:19 129,024 ----a-w C:\WINDOWS\system32\msstdfmt.dll
2007-11-08 00:26 228,872 ----a-w C:\WINDOWS\system32\vsjitdebugger.exe
2007-11-07 09:26 721,920 ----a-w C:\WINDOWS\system32\lsasrv.dll
2007-10-29 22:43 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
2007-10-27 16:40 222,720 ----a-w C:\WINDOWS\system32\wmasf.dll
2007-10-24 00:47 96,760 ----a-w C:\WINDOWS\system32\dfshim.dll
2007-10-24 00:47 84,480 ----a-w C:\WINDOWS\system32\mscories.dll
2007-10-24 00:47 282,112 ----a-w C:\WINDOWS\system32\mscoree.dll
2007-10-24 00:47 158,720 ----a-w C:\WINDOWS\system32\mscorier.dll
2007-08-05 18:44 6,466 --sh--w C:\WINDOWS\system32\stutv.bak1
2007-08-08 19:45 741,725 --sh--w C:\WINDOWS\system32\stutv.bak2
.

((((((((((((((((((((((((((((( snapshot@2008-01-21_ 0.36.31.10 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-01-20 20:49:48 216,738 ----a-w C:\WINDOWS\system32\inetsrv\MetaBase.bin
+ 2008-01-21 16:00:31 216,738 ----a-w C:\WINDOWS\system32\inetsrv\MetaBase.bin
+ 2008-01-21 15:59:06 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_508.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5A7949A2-ADB3-4790-80C5-6AE2EA267E41}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 13:00 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NVMixerTray"="C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe" [2004-06-03 19:51 131072]
"snpstd"="C:\WINDOWS\vsnpstd.exe" [2004-06-10 12:48 286720]
"mouseElf"="C:\PROGRA~1\GENIUS~1\GNETMOUS.EXE" [2004-02-24 06:30 176128]
"egui"="C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" [2007-11-05 12:05 1410304]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Service Manager.lnk - C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe [2008-01-19 16:35:51 81920]

R0 si3112r;Silicon Image SiI 3112 SATARaid Controller;C:\WINDOWS\system32\drivers\si3112r.sys [2007-08-29 02:04]
R0 SiWinAcc;SiWinAcc;C:\WINDOWS\system32\drivers\SiWinAcc.sys [2007-08-29 02:04]
R1 epfwtdir;epfwtdir;C:\WINDOWS\system32\DRIVERS\epfwtdir.sys [2007-11-05 12:06]
R2 SMTPSVC;Simple Mail Transfer Protocol (SMTP);C:\WINDOWS\system32\inetsrv\inetinfo.exe [2004-08-04 13:00]
R3 genmcmnUSB;USB Scroll Mouse Driver;C:\WINDOWS\system32\DRIVERS\gflmouhid.sys [2003-08-07 08:42]
S2 Microsoft register shield;Microsoft register shield;"C:\WINDOWS\Mrshield.exe" []
S3 ggflt;SEMC USB Flash Driver Filter;C:\WINDOWS\system32\DRIVERS\ggflt.sys [2007-11-18 14:55]
S3 s115bus;Sony Ericsson Device 115 driver (WDM);C:\WINDOWS\system32\DRIVERS\s115bus.sys [2007-04-23 14:54]
S3 s115mdfl;Sony Ericsson Device 115 USB WMC Modem Filter;C:\WINDOWS\system32\DRIVERS\s115mdfl.sys [2007-04-23 14:54]
S3 s115mdm;Sony Ericsson Device 115 USB WMC Modem Driver;C:\WINDOWS\system32\DRIVERS\s115mdm.sys [2007-04-23 14:54]
S3 s115mgmt;Sony Ericsson Device 115 USB WMC Device Management Drivers (WDM);C:\WINDOWS\system32\DRIVERS\s115mgmt.sys [2007-04-23 14:54]
S3 s115obex;Sony Ericsson Device 115 USB WMC OBEX Interface;C:\WINDOWS\system32\DRIVERS\s115obex.sys [2007-04-23 14:54]
S3 usnjsvc;Messenger Sharing Folders USN Journal Reader service;"C:\Program Files\MSN Messenger\usnsvc.exe" [2007-01-19 11:54]
S4 msvsmon90;Visual Studio 2008 Remote Debugger;"C:\Program Files\Microsoft Visual Studio 9.0\Common7\IDE\Remote Debugger\x86\msvsmon.exe" [2007-11-07 08:58]

.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-21 17:49:53
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\explorer.exe [6.00.2900.3156]
-> C:\PROGRA~1\GENIUS~1\WhoRU.dll
.
Completion time: 2008-01-21 17:50:30
ComboFix-quarantined-files.txt 2008-01-21 16:50:15
ComboFix2.txt 2008-01-20 23:36:55
.
2007-11-14 15:57:51 --- E O F ---



  • helen1  Male
  • Anti Malware Fighter
    Rank 2
  • Master teacher
  • Joined: 27 Aug 2005
  • Posts: 8617
  • Location: Novi Beograd

I am a student of the MyCity AMF school and I am writing this with the permission and under the supervision of senior colleagues.

Download SDFix to the Desktop.

Double-clicking SDFix.exe will extract the program into the C:\SDFix folder, unless a different path was chosen during extraction.


Restart the computer into Safe Mode
Go into the folder where SDFix was extracted and start RunThis.bat
Press Y to start the scan
After the scan, a message will appear saying that the computer will be restarted
Press any key to restart the computer
After the restart, another scan will start automatically, and when it finishes a Finished message will appear
After the desktop icons load, the report will appear on screen. The report will also be saved as Report.txt in the folder where SDFix was extracted
Copy the report into a post on the forum, and also post a new HijackThis log

  • srdjos  Male
  • Distinguished citizen
  • Joined: 27 Sep 2005
  • Posts: 678

here is report.txt:


SDFix: Version 1.129

Run by srdjos on 21.01.2008 at 22:09

Microsoft Windows XP [Version 5.1.2600]

Running From: C:\DOCUME~1\srdjos\Desktop\SDFix

Safe Mode:
Checking Services:

Name:
Microsoft register shield

Path:
"C:\WINDOWS\Mrshield.exe"

Microsoft register shield - Deleted


C:\WINDOWS\system32\Microsoft\backup.ftp Found
C:\WINDOWS\system32\Microsoft\backup.tftp Found

Checking files:

Genuine:
C:\WINDOWS\system32\Microsoft\backup.ftp
C:\WINDOWS\system32\Microsoft\backup.tftp

Dummy:
C:\WINDOWS\system32\ftp.exe
C:\WINDOWS\system32\tftp.exe
C:\WINDOWS\system32\dllcache\ftp.exe
C:\WINDOWS\system32\dllcache\tftp.exe

Files copied to SDFix\Backups

Restoring files if backups are found

Final Check:

Genuine:
C:\WINDOWS\system32\Microsoft\backup.ftp
C:\WINDOWS\system32\Microsoft\backup.tftp
C:\WINDOWS\system32\ftp.exe
C:\WINDOWS\system32\tftp.exe
C:\WINDOWS\system32\dllcache\ftp.exe
C:\WINDOWS\system32\dllcache\tftp.exe




Restoring Windows Registry Values
Restoring Windows Default Hosts File

Rebooting...


Normal Mode:
Checking Files:

Trojan Files Found:

C:\WINDOWS\system32\Microsoft\backup.ftp - Deleted
C:\WINDOWS\system32\Microsoft\backup.tftp - Deleted





Removing Temp Files...

ADS Check:

C:\WINDOWS
No streams found.

C:\WINDOWS\system32
No streams found.

C:\WINDOWS\system32\svchost.exe
No streams found.

C:\WINDOWS\system32\ntoskrnl.exe
No streams found.



Final Check:

catchme 0.3.1344.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-21 22:46:36
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg]
"s1"=dword:2df9c43f
"s2"=dword:110480d0
"h0"=dword:00000002

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC]
"p0"="C:\Program Files\DAEMON Tools Pro\"
"h0"=dword:00000001
"hdf12"=hex:a6,79,9d,f0,ff,f0,d5,3d,a6,6e,bd,43,36,d8,19,9c,9c,32,88,d3,ad,..

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001]
"a0"=hex:20,01,00,00,f4,a0,ff,2f,9a,c7,ed,7a,14,af,7c,43,08,cc,46,39,9a,..
"hdf12"=hex:86,2f,ff,aa,dd,63,df,15,b6,91,77,a8,e3,b7,3d,b1,1c,04,99,d3,26,..

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0]
"hdf12"=hex:29,86,23,ea,69,b8,74,69,91,14,83,ac,93,9a,95,e0,e9,6e,f9,29,1e,..

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4]
"h0"=dword:00000000
"khjeh"=hex:36,ae,32,39,4a,2d,c7,be,5a,2f,70,f6,11,f0,0b,a2,f8,9a,bb,6f,36,..
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC]
"p0"="C:\Program Files\DAEMON Tools Pro\"
"h0"=dword:00000001
"hdf12"=hex:a6,79,9d,f0,ff,f0,d5,3d,a6,6e,bd,43,36,d8,19,9c,9c,32,88,d3,ad,..

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001]
"a0"=hex:20,01,00,00,f4,a0,ff,2f,9a,c7,ed,7a,14,af,7c,43,08,cc,46,39,9a,..
"hdf12"=hex:86,2f,ff,aa,dd,63,df,15,b6,91,77,a8,e3,b7,3d,b1,1c,04,99,d3,26,..

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0]
"hdf12"=hex:29,86,23,ea,69,b8,74,69,91,14,83,ac,93,9a,95,e0,e9,6e,f9,29,1e,..
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4]
"h0"=dword:00000000
"khjeh"=hex:36,ae,32,39,4a,2d,c7,be,5a,2f,70,f6,11,f0,0b,a2,f8,9a,bb,6f,36,..

scanning hidden registry entries ...

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\System]
"OODEFRAG10.00.00.01WORKSTATION"="3A2C600C2BBA106D52AFAC80C3195BB1773B9F4BC31B080791FC039B7E8D429F7B98FEBC9E127BECC74CFEBC9E127BECC74

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


Remaining Services:
------------------



Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"C:\\Program Files\\Skype\\Phone\\Skype.exe"="C:\\Program Files\\Skype\\Phone\\Skype.exe:*:Enabled:Skype"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]

Remaining Files:
---------------

File Backups: - C:\DOCUME~1\srdjos\Desktop\SDFix\backups\backups.zip

Files with Hidden Attributes:

Wed 13 Oct 2004 1,694,208 ..SH. --- "C:\Program Files\Messenger\msmsgs.exe"
Sun 5 Aug 2007 6,466 ..SH. --- "C:\WINDOWS\system32\stutv.bak1"
Wed 8 Aug 2007 741,725 ..SH. --- "C:\WINDOWS\system32\stutv.bak2"
Thu 16 Aug 2007 0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv01.tmp"

Finished!


here is the HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 23:03:04, on 21.01.2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\PROGRA~1\MI6841~1\MSSQL\binn\sqlservr.exe
C:\WINDOWS\system32\oodag.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\vsnpstd.exe
C:\PROGRA~1\GENIUS~1\GNETMOUS.EXE
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\srdjos\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://klik.nlb.si/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: (no name) - {5A7949A2-ADB3-4790-80C5-6AE2EA267E41} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O4 - HKLM\..\Run: [NVMixerTray] "C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe"
O4 - HKLM\..\Run: [snpstd] C:\WINDOWS\vsnpstd.exe
O4 - HKLM\..\Run: [mouseElf] C:\PROGRA~1\GENIUS~1\GNETMOUS.EXE
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V.....6166671671
O17 - HKLM\System\CCS\Services\Tcpip\..\{94EBD337-F1FC-4C1D-A153-A3F73DED1943}: NameServer = 193.189.160.13 193.189.160.23
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Eset HTTP Server (EhttpSrv) - Unknown owner - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
O23 - Service: O&O Defrag - O&O Software GmbH - C:\WINDOWS\system32\oodag.exe

Update: 21 Jan 2008 23:10

by the way, I see it found and removed some oddities
could you say a word about what that was, if it is known

thanks a lot for the help

srdjos

  • helen1  Male
  • Anti Malware Fighter
    Rank 2
  • Master teacher
  • Joined: 27 Aug 2005
  • Posts: 8617
  • Location: Novi Beograd

Upload the following files via this link:
http://www.mycity.rs/ambulanta-upload.php


C:\WINDOWS\system32\nvideataskm.exe
C:\WINDOWS\system32\notepadc.xcl
C:\WINDOWS\system32\avcodecttss.tmp
C:\WINDOWS\ocx.vbs
C:\WINDOWS\system32\webdown.vbs


First zip/rar them, then send them as an archive (all in one).

  • srdjos  Male
  • Distinguished citizen
  • Joined: 27 Sep 2005
  • Posts: 678

uploaded, the file is archived and is called fajlovi.rar

  • Joined: 04 Sep 2003
  • Posts: 24135
  • Location: Wien

Srdjos, I have reviewed the files you sent, and I have bad news: your computer has been hacked and someone is currently using it as an FTP server.

The assumption is that a bot got onto your computer (which helen1 has already dealt with) and that the bot's owner used that bot to install an FTP server on your computer (ProFTPD, renamed to C:\WINDOWS\system32\nvideataskm.exe in your case).
Your computer was used for piracy.

The infection happened on 01.01.2008.
I would ask you to look at which files on the computer were created that day; we are especially interested in files and folders inside C:\Windows and C:\Windows\System32

All the files you sent us are part of the infection, so I would advise you to delete them.
If they cannot be deleted, go into Safe Mode and delete them from there.

After deleting, restart the computer, and after the restart make a new ComboFix log and post it here.
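
As an added triage helper (not part of this thread or of ComboFix itself), the following Python parses the "Files Created" section of a ComboFix log in the layout posted above and lists what was created on a given day under C:\WINDOWS, which is the check the post above asks for; the sample lines are copied from the log posted earlier in the thread.

```python
import re

# ComboFix "Files Created" entry layout, as seen in the logs above:
#   <created date time> . <modified date time> <size or <DIR>> <attrs> <path>
ENTRY_RE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2}) \d{2}:\d{2} \. "
    r"(?P<modified>\d{4}-\d{2}-\d{2}) \d{2}:\d{2} "
    r"(?P<size>[\d,]+|<DIR>) (?P<attrs>[-\w]+) (?P<path>.+)$"
)

# Sample input: lines copied from the ComboFix log posted in this thread.
SAMPLE_LOG = r"""
((((((((((((((((((((((((( Files Created from 2007-12-21 to 2008-01-21 )))))))))))))))))))))))))))))))
.

2008-01-21 17:37 . 2008-01-21 17:37 46,130 --a------ C:\vir.JPG
2008-01-05 21:38 . 2008-01-05 21:38 <DIR> d-------- C:\Program Files\Java
2008-01-05 21:38 . 2007-09-24 23:31 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-01-01 18:57 . 2007-02-23 22:34 3,364,352 --------- C:\WINDOWS\system32\nvideataskm.exe
2008-01-01 18:57 . 2004-11-05 16:25 847,872 --a------ C:\WINDOWS\system32\notepadc.xcl
2008-01-01 18:57 . 2008-01-01 18:57 3,047 --a------ C:\WINDOWS\system32\avcodecttss.tmp
2008-01-01 18:56 . 2008-01-01 18:56 327 --a------ C:\WINDOWS\ocx.vbs
2008-01-01 18:55 . 2008-01-01 18:56 33 --a------ C:\WINDOWS\system32\webdown.vbs
2007-12-29 09:35 . 2007-12-29 10:18 <DIR> d-------- C:\WINDOWS\system32\oodag
"""


def parse_entries(text):
    """Return one dict per line that matches the entry layout; banners,
    blank lines and the other sections of the log (Find3M etc.) are ignored."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue
        size = m.group("size")
        entries.append({
            "created": m.group("created"),    # ISO dates compare correctly as strings
            "modified": m.group("modified"),
            "is_dir": size == "<DIR>",
            "size": None if size == "<DIR>" else int(size.replace(",", "")),
            "attrs": m.group("attrs"),
            "path": m.group("path"),
        })
    return entries


def _under(path, roots):
    """Case-insensitive check that path lies inside one of the root folders."""
    prefixes = tuple(r.lower().rstrip("\\") + "\\" for r in roots)
    return path.lower().startswith(prefixes)


def created_on(text, day, roots=("C:\\WINDOWS",)):
    """Paths created on `day` (YYYY-MM-DD) under any of `roots`; the default
    root covers both the Windows folder and system32 below it."""
    return sorted(e["path"] for e in parse_entries(text)
                  if e["created"] == day and _under(e["path"], roots))


def activity_by_day(text, roots=("C:\\WINDOWS",)):
    """Number of entries created per day under `roots`; a burst of unrelated
    files landing in system32 on one day is the kind of lead worth pulling on."""
    counts = {}
    for e in parse_entries(text):
        if _under(e["path"], roots):
            counts[e["created"]] = counts.get(e["created"], 0) + 1
    return counts


if __name__ == "__main__":
    for day, n in sorted(activity_by_day(SAMPLE_LOG).items()):
        print(day, n)
    for p in created_on(SAMPLE_LOG, "2008-01-01"):
        print("  ", p)
```

Run against the full log rather than the excerpt, the same call with the infection date returns exactly the five files helen1 asked to have uploaded.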

  • srdjos  Male
  • Distinguished citizen
  • Joined: 27 Sep 2005
  • Posts: 678

there were no problems with the deletion

only, I think it started back when I installed IIS,
that's when it started happening, when exactly, I have no idea,
but it was certainly before New Year, I just don't know how it
got past NOD

question, can you explain in a bit more detail what "used for piracy" means

second, what do you suggest, reinstalling the OS?

here is the log file and also pictures of the win and win32 folders
the dates are circled in red

----------------------------------------------
ComboFix 08-01-20.1 - srdjos 2008-01-22 21:57:02.5 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1250.1.1033.18.102 [GMT 1:00]
Running from: C:\Documents and Settings\srdjos\Desktop\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\WinTcpips.exe

.
((((((((((((((((((((((((( Files Created from 2007-12-22 to 2008-01-22 )))))))))))))))))))))))))))))))
.

2008-01-22 17:18 . 2008-01-22 21:46 276 --a------ C:\WINDOWS\system32\eq
2008-01-21 22:08 . 2008-01-21 22:09 <DIR> d-------- C:\WINDOWS\ERUNT
2008-01-21 17:37 . 2008-01-21 17:37 46,130 --a------ C:\vir.JPG
2008-01-21 00:33 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\NirCmd.exe
2008-01-19 17:31 . 2008-01-19 17:31 340,542 --a------ C:\Fin.rar
2008-01-19 17:19 . 2008-01-19 18:29 <DIR> d-------- C:\temp
2008-01-19 16:35 . 2000-07-07 12:20 81,920 --a------ C:\WINDOWS\system32\mdt2fw95.dll
2008-01-19 16:35 . 2000-08-06 01:50 36,939 --a------ C:\WINDOWS\system32\insrepim.exe
2008-01-19 16:34 . 2005-05-04 00:02 20,480 --a------ C:\WINDOWS\system32\dbmslpcn.dll
2008-01-19 15:45 . 2008-01-19 17:33 100 --a------ C:\WINDOWS\PRENOS.INI
2008-01-19 10:05 . 2005-07-23 11:57 843,776 --a------ C:\WINDOWS\system32\libeay32.dll
2008-01-19 10:05 . 2005-07-23 11:57 159,744 --a------ C:\WINDOWS\system32\ssleay32.dll
2008-01-19 09:25 . 2008-01-19 09:27 <DIR> d-------- C:\Documents and Settings\srdjos\Application Data\Miranda
2008-01-18 20:44 . 2008-01-19 14:32 <DIR> d-------- C:\Program Files\Miranda IM
2008-01-12 11:03 . 2008-01-12 11:03 2,558 --a------ C:\SkriptWoby2008PART1.sql
2008-01-12 11:02 . 2008-01-12 11:02 7,568 --a------ C:\SkriptWoby2008PART2.sql
2008-01-11 00:23 . 2008-01-11 00:23 774,749 --a------ C:\Kasa.7z
2008-01-10 23:03 . 2008-01-10 23:03 <DIR> d-------- C:\slike problema
2008-01-06 21:50 . 2008-01-06 21:52 540,814 --a------ C:\DSC00052.jpg
2008-01-06 21:50 . 2008-01-06 21:52 427,700 --a------ C:\DSC00036.JPG
2008-01-05 21:39 . 2008-01-05 21:39 <DIR> d-------- C:\WINDOWS\Sun
2008-01-05 21:38 . 2008-01-05 21:38 <DIR> d-------- C:\Program Files\Java
2008-01-05 21:38 . 2007-09-24 23:31 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-01-05 21:37 . 2008-01-05 21:37 <DIR> d-------- C:\Program Files\Common Files\Java
2008-01-03 23:28 . 2008-01-03 23:28 <DIR> d-------- C:\Program Files\BitPim
2007-12-29 17:14 . 2008-01-22 22:00 77,897 --a------ C:\WINDOWS\system32\oodbs.lor
2007-12-29 11:38 . 2007-12-29 11:38 0 --a------ C:\WINDOWS\oodcnt.INI
2007-12-29 09:35 . 2007-12-29 10:18 <DIR> d-------- C:\WINDOWS\system32\oodag
2007-12-29 09:31 . 2007-12-29 09:31 <DIR> d-------- C:\Program Files\OO Software
2007-12-28 20:53 . 2007-12-28 21:07 <DIR> d-------- C:\Program Files\Brew Mobile Commander
2007-12-28 20:42 . 2007-12-28 20:42 <DIR> d-------- C:\Program Files\Siemens
2007-12-28 20:38 . 2007-12-28 20:38 <DIR> d-------- C:\Program Files\QPST
2007-12-27 21:21 . 2007-12-27 21:21 <DIR> d-------- C:\Program Files\Komunikator v.1.2
2007-12-27 07:14 . 2007-12-27 07:14 <DIR> d-------- C:\Documents and Settings\srdjos\Application Data\XCPCSync.OEM
2007-12-27 06:58 . 1998-06-18 01:00 89,360 --a------ C:\WINDOWS\system32\VB5DB.DLL
2007-12-27 06:57 . 2007-12-27 06:58 <DIR> d-------- C:\Program Files\Mobile Phone Manager
2007-12-27 06:57 . 2007-12-27 06:57 <DIR> d-------- C:\Program Files\Common Files\XCPCSync.OEM
2007-12-27 06:57 . 2005-09-12 16:40 27,008 --a------ C:\WINDOWS\system32\drivers\siusbmod.sys
2007-12-27 06:55 . 2007-12-27 06:55 <DIR> d-------- C:\Program Files\WMV9_VCM
2007-12-27 06:53 . 2004-08-03 23:08 31,616 --a------ C:\WINDOWS\system32\drivers\usbccgp.sys
2007-12-27 06:53 . 2004-08-03 23:08 31,616 --a--c--- C:\WINDOWS\system32\dllcache\usbccgp.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-22 17:30 --------- d-----w C:\Program Files\eMule
2008-01-22 17:22 --------- d-----w C:\Program Files\Mozilla Thunderbird
2008-01-22 15:21 --------- d-----w C:\Documents and Settings\srdjos\Application Data\uTorrent
2008-01-21 23:22 --------- d-----w C:\Documents and Settings\srdjos\Application Data\Skype
2008-01-19 15:34 --------- d-----w C:\Program Files\Microsoft SQL Server
2007-12-28 19:38 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-12-17 20:05 --------- d-----w C:\Documents and Settings\srdjos\Application Data\The Bat!
2007-12-11 18:14 --------- d-----w C:\Program Files\The Bat!
2007-12-08 11:58 --------- d-----w C:\Program Files\Google
2007-12-06 19:14 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2007-12-05 22:55 --------- d-----w C:\Program Files\Microsoft Visual Studio 9.0
2007-12-05 22:55 --------- d-----w C:\Program Files\Microsoft Synchronization Services
2007-12-05 22:55 --------- d-----w C:\Program Files\Microsoft SQL Server Compact Edition
2007-12-05 22:55 --------- d-----w C:\Program Files\Microsoft Device Emulator
2007-12-05 22:55 --------- d-----w C:\Program Files\Business Objects
2007-12-05 22:49 --------- d-----w C:\Program Files\MSBuild
2007-12-05 22:46 --------- d-----w C:\Program Files\Microsoft SDKs
2007-12-05 22:45 --------- d-----w C:\Program Files\Microsoft Web Designer Tools
2007-12-05 19:26 --------- d-----w C:\Program Files\Windows Mobile 5.0 SDK R2
2007-12-05 19:12 --------- d-----w C:\Program Files\Reference Assemblies
2007-11-30 21:37 --------- d-----w C:\Program Files\FastReports
2007-11-30 20:55 --------- d-----w C:\Program Files\Notepad++
2007-11-24 18:02 --------- d-----w C:\Program Files\GExperts for Delphi 7
2007-11-24 17:55 --------- d-----w C:\Documents and Settings\srdjos\Application Data\DelphiSpeedUp
2007-11-24 17:42 --------- d-----w C:\Program Files\Common Files\Borland Shared
2007-11-24 17:38 --------- d-----w C:\Program Files\Borland
2007-11-24 09:18 --------- d-----w C:\Documents and Settings\srdjos\Application Data\Ahead
2007-11-24 08:05 --------- d-----w C:\Program Files\CE Remote Tools
2007-11-24 07:31 --------- d-----w C:\Program Files\Registry Medic 5
2007-11-24 07:30 --------- d-----w C:\Documents and Settings\All Users\Application Data\Iomatic
2007-08-05 18:44 6,466 --sh--w C:\WINDOWS\system32\stutv.bak1
2007-08-08 19:45 741,725 --sh--w C:\WINDOWS\system32\stutv.bak2
.

((((((((((((((((((((((((((((( snapshot@2008-01-21_ 0.36.31.10 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-01-19 06:25:21 163,328 ----a-w C:\WINDOWS\ERUNT\SDFIX\ERDNT.EXE
+ 2008-01-21 21:09:03 5,971,968 ----a-w C:\WINDOWS\ERUNT\SDFIX\Users\00000001\ntuser.dat
+ 2008-01-21 21:09:03 147,456 ----a-w C:\WINDOWS\ERUNT\SDFIX\Users\00000002\UsrClass.dat
+ 2008-01-19 06:25:21 163,328 ----a-w C:\WINDOWS\ERUNT\SDFIX_First_Run\ERDNT.EXE
+ 2008-01-21 21:09:01 5,971,968 ----a-w C:\WINDOWS\ERUNT\SDFIX_First_Run\Users\00000001\ntuser.dat
+ 2008-01-21 21:09:01 147,456 ----a-w C:\WINDOWS\ERUNT\SDFIX_First_Run\Users\00000002\UsrClass.dat
- 2007-12-03 18:35:38 42,496 -c--a-w C:\WINDOWS\system32\dllcache\ftp.exe
+ 2004-08-04 12:00:00 42,496 -c--a-w C:\WINDOWS\system32\dllcache\ftp.exe
- 2007-12-03 18:35:38 16,896 -c--a-w C:\WINDOWS\system32\dllcache\tftp.exe
+ 2004-08-04 12:00:00 16,896 -c--a-w C:\WINDOWS\system32\dllcache\tftp.exe
- 2007-12-03 18:35:38 42,496 ----a-w C:\WINDOWS\system32\ftp.exe
+ 2004-08-04 12:00:00 42,496 ----a-w C:\WINDOWS\system32\ftp.exe
- 2008-01-20 20:49:48 216,738 ----a-w C:\WINDOWS\system32\inetsrv\MetaBase.bin
+ 2008-01-22 21:01:13 216,737 ----a-w C:\WINDOWS\system32\inetsrv\MetaBase.bin
- 2007-12-03 18:35:38 16,896 ----a-w C:\WINDOWS\system32\tftp.exe
+ 2004-08-04 12:00:00 16,896 ----a-w C:\WINDOWS\system32\tftp.exe
+ 2008-01-22 21:01:01 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_3c8.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5A7949A2-ADB3-4790-80C5-6AE2EA267E41}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 13:00 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NVMixerTray"="C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe" [2004-06-03 19:51 131072]
"snpstd"="C:\WINDOWS\vsnpstd.exe" [2004-06-10 12:48 286720]
"mouseElf"="C:\PROGRA~1\GENIUS~1\GNETMOUS.EXE" [2004-02-24 06:30 176128]
"egui"="C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" [2007-11-05 12:05 1410304]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Service Manager.lnk - C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe [2008-01-19 16:35:51 81920]

R0 si3112r;Silicon Image SiI 3112 SATARaid Controller;C:\WINDOWS\system32\drivers\si3112r.sys [2007-08-29 02:04]
R0 SiWinAcc;SiWinAcc;C:\WINDOWS\system32\drivers\SiWinAcc.sys [2007-08-29 02:04]
R1 epfwtdir;epfwtdir;C:\WINDOWS\system32\DRIVERS\epfwtdir.sys [2007-11-05 12:06]
R2 SMTPSVC;Simple Mail Transfer Protocol (SMTP);C:\WINDOWS\system32\inetsrv\inetinfo.exe [2004-08-04 13:00]
R3 genmcmnUSB;USB Scroll Mouse Driver;C:\WINDOWS\system32\DRIVERS\gflmouhid.sys [2003-08-07 08:42]
S3 ggflt;SEMC USB Flash Driver Filter;C:\WINDOWS\system32\DRIVERS\ggflt.sys [2007-11-18 14:55]
S3 s115bus;Sony Ericsson Device 115 driver (WDM);C:\WINDOWS\system32\DRIVERS\s115bus.sys [2007-04-23 14:54]
S3 s115mdfl;Sony Ericsson Device 115 USB WMC Modem Filter;C:\WINDOWS\system32\DRIVERS\s115mdfl.sys [2007-04-23 14:54]
S3 s115mdm;Sony Ericsson Device 115 USB WMC Modem Driver;C:\WINDOWS\system32\DRIVERS\s115mdm.sys [2007-04-23 14:54]
S3 s115mgmt;Sony Ericsson Device 115 USB WMC Device Management Drivers (WDM);C:\WINDOWS\system32\DRIVERS\s115mgmt.sys [2007-04-23 14:54]
S3 s115obex;Sony Ericsson Device 115 USB WMC OBEX Interface;C:\WINDOWS\system32\DRIVERS\s115obex.sys [2007-04-23 14:54]
S3 usnjsvc;Messenger Sharing Folders USN Journal Reader service;"C:\Program Files\MSN Messenger\usnsvc.exe" [2007-01-19 11:54]
S4 msvsmon90;Visual Studio 2008 Remote Debugger;"C:\Program Files\Microsoft Visual Studio 9.0\Common7\IDE\Remote Debugger\x86\msvsmon.exe" [2007-11-07 08:58]

.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-22 22:01:03
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\Explorer.EXE [6.00.2900.3156]
-> C:\PROGRA~1\GENIUS~1\WhoRU.dll
.
Completion time: 2008-01-22 22:03:20 - machine was rebooted
ComboFix-quarantined-files.txt 2008-01-22 21:03:18
ComboFix2.txt 2008-01-20 23:36:55
.
2007-11-14 15:57:51 --- E O F ---
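
The two parts of the ComboFix log that the earlier post asks to be read by hand (files created in C:\Windows and System32 on a given day, and what changed since the previous run) can be pulled out mechanically. The Python below is an added example for this thread, not code from ComboFix or from anyone posting here. It assumes only the two line layouts visible in the log above: a "Files Created" entry with the on-disk creation stamp, a dot, the file's own modified stamp, size, attribute string and path; and a snapshot entry with a leading '-' (state at the previous run) or '+' (state now). The sample lines are excerpted verbatim from the log in this thread, with the section header and the lone '.' separator kept as they appear there. On this input it lists the five DLL/EXE files that landed in system32 on 2008-01-19 and shows that ftp.exe and tftp.exe went back from a 2007-12-03 stamp to the 2004-08-04 stamp the other stock system files in this log carry.

```python
import re
from datetime import datetime
from typing import Any, Dict, List, Optional, Tuple

# "Files Created" entry. The first stamp is when the file appeared on this disk,
# the second is the file's own last-modified time (an installer dropping a 2000
# DLL in 2008 is normal; a fresh EXE with both stamps on the day of the alert is not).
#   2008-01-19 16:35 . 2000-08-06 01:50 36,939 --a------ C:\WINDOWS\system32\insrepim.exe
CREATED_RE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2})\s+\.\s+"
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2})\s+"
    r"(?P<size><DIR>|[\d,]+)\s+(?P<attrs>[-a-z]{9})\s+(?P<path>.+?)\s*$"
)

# Snapshot diff entry: '-' is the state at the previous ComboFix run, '+' the state now.
#   - 2007-12-03 18:35:38 42,496 ----a-w C:\WINDOWS\system32\ftp.exe
SNAP_RE = re.compile(
    r"^(?P<sign>[-+])\s+(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+"
    r"(?P<size>[\d,]+)\s+(?P<attrs>[-a-z]{7})\s+(?P<path>.+?)\s*$"
)

Entry = Dict[str, Any]


def _stamp(text: str) -> datetime:
    fmt = "%Y-%m-%d %H:%M:%S" if text.count(":") == 2 else "%Y-%m-%d %H:%M"
    return datetime.strptime(text, fmt)


def _size(text: str) -> Optional[int]:
    return None if text == "<DIR>" else int(text.replace(",", ""))


def parse_created(lines: List[str]) -> List[Entry]:
    """Return every 'Files Created' entry in file order; headers and separators are skipped."""
    found: List[Entry] = []
    for line in lines:
        m = CREATED_RE.match(line.strip())
        if m:
            found.append({"created": _stamp(m["created"]), "modified": _stamp(m["modified"]),
                          "size": _size(m["size"]), "attrs": m["attrs"], "path": m["path"]})
    return found


def created_under(entries: List[Entry], root: str, day: str) -> List[str]:
    """Paths below `root` (compared case-insensitively, like NTFS) created on `day` (YYYY-MM-DD)."""
    prefix = root.lower().rstrip("\\") + "\\"
    return [e["path"] for e in entries
            if e["path"].lower().startswith(prefix) and e["created"].strftime("%Y-%m-%d") == day]


def parse_snapshot(lines: List[str]) -> Tuple[Dict[str, Tuple[Entry, Entry]], Dict[str, Entry]]:
    """Pair '-' and '+' lines by path. `changed` maps path -> (before, after);
    `added` holds paths that only have a '+' line, i.e. new since the previous run."""
    before: Dict[str, Entry] = {}
    after: Dict[str, Entry] = {}
    for line in lines:
        m = SNAP_RE.match(line.strip())
        if not m:
            continue
        rec = {"ts": _stamp(m["ts"]), "size": _size(m["size"]), "attrs": m["attrs"]}
        (before if m["sign"] == "-" else after)[m["path"]] = rec
    changed = {p: (before[p], after[p]) for p in before if p in after}
    added = {p: after[p] for p in after if p not in before}
    return changed, added


def rolled_back(changed: Dict[str, Tuple[Entry, Entry]]) -> List[str]:
    """Paths whose timestamp went backwards between the two runs: the copy present at the
    first run was replaced by an older-dated one (a stock binary put back over a newer file)."""
    return sorted(p for p, (old, new) in changed.items() if new["ts"] < old["ts"])


# Excerpted from the ComboFix log in this thread (section header and '.' separator included).
SAMPLE_CREATED = r"""
((((((((((((((((((((((((( Files Created from 2007-12-22 to 2008-01-22 )))))))))))))))))))))))))))))))
.
2008-01-22 17:18 . 2008-01-22 21:46 276 --a------ C:\WINDOWS\system32\eq
2008-01-21 22:08 . 2008-01-21 22:09 <DIR> d-------- C:\WINDOWS\ERUNT
2008-01-21 00:33 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\NirCmd.exe
2008-01-19 16:35 . 2000-07-07 12:20 81,920 --a------ C:\WINDOWS\system32\mdt2fw95.dll
2008-01-19 16:35 . 2000-08-06 01:50 36,939 --a------ C:\WINDOWS\system32\insrepim.exe
2008-01-19 16:34 . 2005-05-04 00:02 20,480 --a------ C:\WINDOWS\system32\dbmslpcn.dll
2008-01-19 15:45 . 2008-01-19 17:33 100 --a------ C:\WINDOWS\PRENOS.INI
2008-01-19 10:05 . 2005-07-23 11:57 843,776 --a------ C:\WINDOWS\system32\libeay32.dll
2008-01-19 10:05 . 2005-07-23 11:57 159,744 --a------ C:\WINDOWS\system32\ssleay32.dll
2008-01-12 11:03 . 2008-01-12 11:03 2,558 --a------ C:\SkriptWoby2008PART1.sql
""".splitlines()

SAMPLE_SNAPSHOT = r"""
+ 2008-01-19 06:25:21 163,328 ----a-w C:\WINDOWS\ERUNT\SDFIX\ERDNT.EXE
- 2007-12-03 18:35:38 42,496 ----a-w C:\WINDOWS\system32\ftp.exe
+ 2004-08-04 12:00:00 42,496 ----a-w C:\WINDOWS\system32\ftp.exe
- 2008-01-20 20:49:48 216,738 ----a-w C:\WINDOWS\system32\inetsrv\MetaBase.bin
+ 2008-01-22 21:01:13 216,737 ----a-w C:\WINDOWS\system32\inetsrv\MetaBase.bin
- 2007-12-03 18:35:38 16,896 ----a-w C:\WINDOWS\system32\tftp.exe
+ 2004-08-04 12:00:00 16,896 ----a-w C:\WINDOWS\system32\tftp.exe
+ 2008-01-22 21:01:01 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_3c8.dat
""".splitlines()

if __name__ == "__main__":
    entries = parse_created(SAMPLE_CREATED)
    for p in created_under(entries, r"C:\WINDOWS\system32", "2008-01-19"):
        print("created in system32 on 2008-01-19:", p)
    changed, added = parse_snapshot(SAMPLE_SNAPSHOT)
    for p in rolled_back(changed):
        old, new = changed[p]
        print(f"timestamp rolled back: {p}  {old['ts']} -> {new['ts']}")
    print("new since previous run:", sorted(added))
```

The distinction the two sections give you is the useful part: a "Files Created" hit tells you when something new landed and where, while a '-'/'+' pair in the snapshot for the same path tells you a file that was already there was swapped, which a creation-date listing alone never shows. Feed it a real log with `parse_created(open(path).read().splitlines())` and narrow `root`/`day` to the day of the NOD alert.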

  • Joined: 04 Sep 2003
  • Posts: 24135
  • Location: Wien

Regarding the piracy: these are strings from one of the files from your computer:
ReplyNoAnon=GO AWAY DUDE
ReplyNoCredit=Erst hochladen, dann kannst du auch was leechen! Immer diese Scheiss LEECHER
ReplySYST=This System is HaXXoreD by -AG-UNIT-
ReplyTooMany=Zu viele Benutzer angemeldet! Versuch es später noch einmal. Sorry.

I don't know how much German you understand, but the second line means something like "First upload, then you can leech something too. Always these shitty leechers."

Now this is what I find interesting: the last ComboFix log shows that you have been infected again with a new infection, i.e. a file you did not have before.
My problem is that I don't know whether there is still something on your computer that keeps pulling in infections, or whether your network is full of bots and worms and you have no firewall.

  • srdjos  Male
  • Distinguished citizen
  • Joined: 27 Sep 2005
  • Posts: 678

Well, look, it's like this:
no idea, there probably is.
When I came back to the flat (I had left the computer downloading
some film, a torrent), a message from NOD was waiting for me that it had
blocked some entry.

And maybe the network is full of all sorts of things, because I have another computer in
the other room, my flatmate's; we need to check that one too.

Yes, you're right, I don't have a firewall.

Update: 22 Jan 2008 22:53

Let's test it.
Which firewall do you recommend?

  • helen1  Male
  • Anti Malware Fighter
    Rank 2
  • Master teacher
  • Joined: 27 Aug 2005
  • Posts: 8617
  • Location: Novi Beograd

Let me jump in at the end (while we wait for your flatmate's log): you can try Comodo firewall.
There was a lot of discussion about it in this thread:
http://www.mycity.rs/Firewall-programi/Comodo-Personal-Firewall-freeware.html
