Logfile for review


nirre (Male, Super Citizen, Joined: 26 Mar 2005, Posts: 1489, Location: Podgorica)

Guys, I have the following problem: when I connect to the internet (only then), my computer sometimes freezes (not every time) and stays stuck for a good 5-10 minutes, during which I can't open anything; after 5-10 minutes everything returns to normal. I scanned the computer with NOD32 and it found nothing (also in Safe Mode). I also scanned with some spyware programs, but nothing.

I also have a problem with slow system startup, because that NOD32 icon sits there for a minute or two before the other icons appear.


I should also mention that I used Kerio firewall earlier and removed it now that I have ESS, but I still see Kerio in Services, so how do I remove it, or should I just set it to disabled?



HijackThis log



Logfile of HijackThis v1.99.1
Scan saved at 16:39:53, on 1/5/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\Program Files\ESET\ESET Smart Security\ekrn.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\ESET\ESET Smart Security\egui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
D:\Documents and Settings\erin\My Documents\Erin\Windows\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET Smart Security\egui.exe" /hide /waitservice
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: Add to AMV Convert Tool... - C:\Program Files\MP3 Player Utilities 4.00\AMVConverter\grab.html
O8 - Extra context menu item: Add to Media Manager... - C:\Program Files\MP3 Player Utilities 4.00\MediaManager\grab.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.mail.live.com/mail/w1/resources/MSNPUpld.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: Eset HTTP Server (EhttpSrv) - Unknown owner - C:\Program Files\ESET\ESET Smart Security\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET Smart Security\ekrn.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

dr_Bora (Male, Anti Malware Fighter Rank 2, Joined: 24 Jul 2007, Posts: 12280, Location: Höganäs, SE)

Hello...


This log shows no active infections. We'll check something else...



Download ComboFix from one of the following addresses:
http://www.techsupportforum.com/sectools/sUBs/ComboFix.exe
http://download.bleepingcomputer.com/sUBs/ComboFix.exe

Run it and don't touch the program window while it scans.
Follow the on-screen instructions. When it finishes, a log will appear; copy it here for us.

nirre (Male, Super Citizen, Joined: 26 Mar 2005, Posts: 1489, Location: Podgorica)

ComboFix 08-01-04.1 - erin 2008-01-06 16:39:46.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.61 [GMT 1:00]
Running from: D:\Documents and Settings\erin\My Documents\Download\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\_000004_.tmp.dll
C:\WINDOWS\system32\_000006_.tmp.dll
C:\WINDOWS\system32\_000008_.tmp.dll
C:\WINDOWS\system32\_000009_.tmp.dll
C:\WINDOWS\system32\_000013_.tmp.dll
C:\WINDOWS\system32\_000016_.tmp.dll
C:\WINDOWS\system32\_000017_.tmp.dll
C:\WINDOWS\system32\_000018_.tmp.dll
C:\WINDOWS\system32\_000024_.tmp.dll
C:\WINDOWS\system32\_000111_.tmp.dll

.
((((((((((((((((((((((((( Files Created from 2007-12-06 to 2008-01-06 )))))))))))))))))))))))))))))))
.

2008-01-06 16:39 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\NirCmd.exe
2008-01-06 16:32 . 2008-01-06 16:32 <DIR> d-------- C:\Program Files\Kerio
2008-01-05 16:31 . 2008-01-05 16:31 <DIR> d-------- C:\Program Files\Opera 9
2008-01-05 16:10 . 2008-01-05 16:10 250 --a------ C:\WINDOWS\gmer.ini
2008-01-02 23:08 . 2008-01-04 15:46 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-01-02 23:08 . 2008-01-02 23:08 1,409 --a------ C:\WINDOWS\QTFont.for
2008-01-02 15:05 . 2008-01-02 15:05 <DIR> d-------- C:\Program Files\Microsoft ActiveSync
2008-01-02 15:04 . 2008-01-02 15:05 <DIR> d-------- C:\WINDOWS\SHELLNEW
2008-01-01 16:16 . 2008-01-01 16:16 <DIR> d-------- C:\Documents and Settings\erin\Application Data\ESET
2008-01-01 16:14 . 2008-01-01 16:14 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\ESET
2007-12-31 15:10 . 2002-04-15 12:28 102,912 --------- C:\WINDOWS\system32\drivers\FWDRV.SYS
2007-12-31 14:19 . 2007-12-31 14:21 <DIR> d-------- C:\Program Files\MSECache
2007-12-31 13:58 . 2008-01-02 13:52 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Microsoft Help
2007-12-31 13:23 . 2007-12-31 13:23 <DIR> d-------- C:\Program Files\uTorrent
2007-12-31 13:23 . 2008-01-01 18:56 <DIR> d-------- C:\Documents and Settings\erin\Application Data\uTorrent
2007-12-11 20:23 . 2004-08-04 00:56 17,408 --a------ C:\WINDOWS\system32\msyuv.dll
2007-12-11 20:23 . 2004-08-04 00:56 17,408 --a--c--- C:\WINDOWS\system32\dllcache\msyuv.dll
2007-12-11 20:23 . 2001-08-17 22:36 8,192 --a------ C:\WINDOWS\system32\tsbyuv.dll
2007-12-11 20:23 . 2001-08-17 22:36 8,192 --a--c--- C:\WINDOWS\system32\dllcache\tsbyuv.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-31 14:10 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-12-05 20:46 --------- d-----w C:\Documents and Settings\erin\Application Data\Skype
2007-12-04 18:44 --------- d-----w C:\Program Files\MSN Messenger
2007-11-18 22:37 45,056 ----a-w C:\WINDOWS\NCUNINST.EXE
2007-11-18 18:25 --------- d-----w C:\Documents and Settings\All Users\Application Data\Advanced Chemistry Development
2007-11-17 13:20 --------- d-----w C:\Program Files\Aardvark Digital
2007-11-14 14:06 30,728 ----a-w C:\WINDOWS\system32\drivers\epfwtdir.sys
2007-11-14 14:04 27,656 ----a-w C:\WINDOWS\system32\drivers\easdrv.sys
2007-11-14 14:03 33,800 ----a-w C:\WINDOWS\system32\drivers\eamon.sys
2007-11-13 10:25 20,480 ----a-w C:\WINDOWS\system32\drivers\secdrv.sys
2007-10-29 22:35 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
2007-10-27 16:40 222,720 ----a-w C:\WINDOWS\system32\wmasf.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-03 23:56 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"egui"="C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" [2007-11-14 15:05 1410304]

R1 epfwtdir;epfwtdir;C:\WINDOWS\system32\DRIVERS\epfwtdir.sys [2007-11-14 15:06]
R1 fwdrv;Kerio Personal Firewall Driver;C:\WINDOWS\system32\Drivers\fwdrv.sys [2002-04-15 12:28]
R3 SNPHV71;PC Camera (602a VGA);C:\WINDOWS\system32\DRIVERS\snphv71.sys [2002-11-08 16:24]
S3 FET5X86V;VIA Rhine-Family Fast-Ethernet Adapter Driver Service;C:\WINDOWS\system32\DRIVERS\fetnd5bv.sys [2004-12-16 12:36]

*Newly Created Service* - PROCEXP90
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-06 16:41:47
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-01-06 16:42:47
ComboFix-quarantined-files.txt 2008-01-06 15:42:21
.
2007-12-13 00:02:06 --- E O F ---

dr_Bora (Male, Anti Malware Fighter Rank 2, Joined: 24 Jul 2007, Posts: 12280, Location: Höganäs, SE)

Run HijackThis, scan, and check the following line:

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

Click Fix Checked.


-------------------------------------------------------------------------------------

There is no (more) malware here.

The Kerio FW driver is still active, and it is quite possible that it is conflicting with Eset's FW.

You can set Kerio Personal Firewall Driver to Disabled and then restart the PC.

nirre wrote: I also have a problem with slow system startup, because that NOD32 icon sits there for a minute or two before the other icons appear.
This is not unusual; the AV is simply performing a startup scan, and that takes a certain amount of time.



Then...

Disabling System Restore

On the Desktop, right-click My Computer.
Select Properties.
Select the System Restore tab.
Tick Turn off System Restore.
Click the Apply button.
Click the OK button.



Restart the PC.


Enabling System Restore

On the Desktop, right-click My Computer.
Select Properties.
Select the System Restore tab.
Untick Turn off System Restore.
Click the Apply button.
Click the OK button.



-------------------------------------------------------------------------------------

That's all...
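The triage dr_Bora performs on the HijackThis log above (orphaned O2/O9 entries with no file on disk, the O6 Internet Explorer restriction policy he has the user fix, O23 services with no recognised vendor) follows a small set of mechanical rules. The script below is an added example written for this page; it is not code from the forum, from HijackThis or from ComboFix. The function names (classify, triage), the rule set and the sample log text are assumptions made here: the sample lines copy the line format of HijackThis v1.99 but are constructed test input.

```python
import re

# Constructed sample in HijackThis v1.99 line format. The entry types mirror
# the ones discussed in the thread (O2, O4, O6, O9, O23), but this text is
# assembled here as test input, not copied from anyone's machine.
SAMPLE_LOG = r"""
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET Smart Security\egui.exe" /hide /waitservice
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET Smart Security\ekrn.exe
"""

# An entry line is "<section> - <body>", where section is R0-R3 or O1-O24.
LINE_RE = re.compile(r"^(R[0-3]|O\d{1,2}) - (.*)$")


def classify(line):
    """Return (section, verdict, body) for a log line that one of the rules
    flags, or None for non-entry lines and entries nothing stands out about.

    The verdicts are the ones applied in the thread: orphaned entries are safe
    to fix, a restriction policy is removed unless the user set it deliberately,
    and a service with no recognised vendor gets its binary checked on disk.
    """
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    section, body = m.group(1), m.group(2)
    if section == "O2" and body.endswith("(no file)"):
        return (section, "orphaned BHO registration (no file on disk): safe to fix", body)
    if section in ("O4", "O9") and body.endswith("(file missing)"):
        return (section, "orphaned autostart/button entry (file missing): safe to fix", body)
    if section == "O6":
        return (section, "IE restriction policy present: remove unless you set it yourself", body)
    if section == "O23" and " - Unknown owner - " in body:
        return (section, "service without a recognised vendor: verify the binary's path and signature", body)
    return None


def triage(log_text):
    """Collect every flagged entry from a whole log, in log order."""
    return [hit for hit in (classify(l) for l in log_text.splitlines()) if hit]


if __name__ == "__main__":
    for section, verdict, body in triage(SAMPLE_LOG):
        print(f"{section}: {verdict}\n    {body}")
```

Running it over the sample flags the nameless O2 BHO, the O6 policy, the missing xpnetdiag.exe button and the Ati service, and leaves the Spybot BHO, the ESET Run entry and the ESET service alone. The rules are deliberately conservative: an "Unknown owner" service is a prompt to look at the file, not a verdict of malware, which is the same distinction dr_Bora draws when he calls the log clean while still having one entry fixed.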
