Problem sa trojancem

• 0Niko još nije pohvalio poruku.
  Registruj se da bi pohvalio/la poruku!

Do pre par 7 dana je sve bilo OK, a onda kad sam surfovao najednom Firefox mi se zablokirao odnosno kad ukucam adresu nekog sajta u URL
polje i pritisnem enter ne odvodi me na sajt vec daje celu belu stranicu.
Tek kad klikcem 10-12 x ko' lud na strelicu ispred URL polja jedvaa me
odvede na zeljeni sajt, ali se pogresno ucita (ne vide se slike sajta vec samo
tekst) i kad klikcem punooo puta kao sam pomenuo na neki link sajta jedino
tad me odvede na zeljeno mesto sto postaje izuzetno naporno!

U startu sam posumnjao na virus i skenirao obe particije NOD32 AVP-om
koji mi je po zavrsetku dao Threats found:0
Antivirus mi se redovno apdejtuje i to je otisao do poodmakle verzije,
konstantno se nadogradi na novu.
Onda sam resetovao racunar i logovao se na os kao Admin, pa pokrenuo
Spybot-Search&Destroy koji je nakon scana nasao 2 malwarea:

1vi: KUASIO.KA
za koga kad klikne more info kaze da je ovo TROJAN koji bi trebalo da je
navodno toolbar za Kaspersky AVP a ustvari je trojanac u vidu toolbara
koji se integrise u Firefox gde je nevidljiv golim okom i deluje tako sto
dok "mirno" surfujete internetom kad ukucate zeljeni sajt, odvodi vas na
sajtove pune malwarea i kroz backdoor koji napravi u os-u otvara
ulaz hakerima u vas racunar i ubacuje malware preko sebe samog tj.
malware toolbara!

2gi: Microsoft.Windows.Security.InternetExplorer
Molim vas ako znate da mi kazete sta je ovaj drugi obzirom da sam
obrisao IE iz Program Files foldera jer ga nikad ne koristim, vec samo Firefox!

2gi sam cekirao i kliknuo FIX u Spybotu koji mi je potom prijavio da je
uspesno uspeo da popravi problem u Registryu.

1vi KUASIO.KA se nisam usudio da diram jer sam se uplasio po samom
njegovom opisu da se radi o ozbiljnom trojancu koji zahteva profesionalni pristup.
Onda sam otisao na google.com ukucao kuasio.ka i dobio ogromnu listu
za isti.
Otisao sam na neki sajt gde jedan lik savetuje da iskopiram njegov
sheet sa izmenama u bazi Registry i pasteujem u notepad, sacuvam ga
kao .reg, dvokliknem na njega i on ce naravno naciniti izmene u registryu
i da ce se sve vratiti na staro!
Ne znam zasto ali nisam siguran da treba da mu verujem, a uzasno se plasim ishoda! Sajt je americki i zove se nekako CyberGeek ili slicno!

Drugari su mi rekli da prvo napravim u Norton Ghostu imidz celog hdda
sto sam i uradio i da ako nesto krene po zlu mogu da oporavim os na
tacku kakav je i bio kad sam zapatio kuasio.ka i onda ponovo krenem
novom pristupu resavanja problema u slucaju da taj sheet sa meni
nepoznatog sajta napravi jos vecu zbrku u mom Regystryu!

Takodje sam napravio i Ghost.exe disketu za DOS da u slucaju ako nakon
pomenutog dodje do havarije tipa da ne mogu uci u OS mogu da ga
oporavim imidzem!
Ja ovo ipak ne bih radio odmah ali mi je pomoc hitno potrebna jer sam
vec izgubio vreme i nerve, a imam meni bitne podatke na hddu koje ne
bih da izgubim, niti mi se ponovo instalira os jer je reinstalacija radjena
pre 6 meseci (nije navrsio ni godinu dana) a skidam i neke torrente od
kojih je jedan dosao do 80%, tezi 4GB, skidao sam ga 3nedelje pa ne
bih bas voleo da ga izgubim i radim jalov posao ispocetka!
Krenule su mi i obaveze, moram da ucim, a vec sam izgubio dosta vremena pa vas molim da mi pomognete sto ste pre u mogucnosti!

Imam HijackThis instaliran, pa me je drug uputio na vas rekavsi da imate
strucnjaka za ovu oblast i da vam mogu poslati log fajl iz njega u kome
mozete odrediti sta je od navedenog u listi malware, jer sam ja nov u
ovome i zaista ne mogu sam da procenim!

Molim vas i da mi kazete da li se uklanjanjem iz Registrya u kome mi je
KUASIO.KA nacinio 6 entries kao je Spybot ispisao otklanja problem
do kraja tj. da li ce mi se ponovo javiti ovaj trojanac ili ne, jer je jedan
covek rekao na sajtu da kad je on uradio FIX za kuasio.ka isti mu se
ugnezdio ponovo u racunar i to se desi svaki put kad ode na Internet!

Bitno mi je da se zastitim do max. dok sam na Internetu a opet zadrzim
funkcionalnost u downloadu.
Imam instaliran i Zone Alarm Free sa otvorenim portom za Torrent, da li
je moguce da mi je kroz njega usao isti!

Izvinite zbog poduzeg opisa problema,
ali zaista ne znam sta da radim, a zeleo bih da ga se oslobodim zauvek, da se nikad ne vrati u moj os i da mirno surfujem,
Saljem vam log iz HijackThisa!


Logfile of HijackThis v1.99.1
Scan saved at 2:10:18 AM, on 12/4/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Unable to get Internet Explorer version!

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Symantec\Norton Ghost 2003\GhostStartService.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Unlocker\UnlockerAssistant.exe
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\HDD Health\hddhealth.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe
C:\Program Files\WordWeb\wweb32.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\Program Files\TBird_porta1508\ThunderbirdPortable\ThunderbirdPortable.exe
C:\Program Files\TBird_porta1508\ThunderbirdPortable\App\Thunderbird\Thunderbird.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Igor\Desktop\HijackThis.exe

O2 - BHO: Flashget Catch Url Class - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - C:\PROGRA~1\FlashGet\jccatch.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: TBSB07235 - {7ACBC613-4EE3-417E-899E-185065A22907} - C:\PROGRA~1\QUICKN~1\MYSPAC~1.DLL (file missing)
O2 - BHO: gFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - C:\Program Files\FlashGet\getflash.dll
O3 - Toolbar: FlashGet - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\Program Files\FlashGet\fgiebar.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O3 - Toolbar: Untitled Toolbar - {6AE02E1C-8859-4F57-9097-5A55A56A4CAF} - C:\Program Files\Quicknation\MySpace-Download-Convert.dll (file missing)
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Program Files\Unlocker\UnlockerAssistant.exe"
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [HDDHealth] C:\Program Files\HDD Health\hddhealth.exe -wl
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: DSLMON.lnk = C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe
O4 - Global Startup: WordWeb.lnk = C:\Program Files\WordWeb\wweb32.exe
O8 - Extra context menu item: &Download All with FlashGet - C:\PROGRA~1\FlashGet\jc_all.htm
O8 - Extra context menu item: &Download with FlashGet - C:\PROGRA~1\FlashGet\jc_link.htm
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra 'Tools' menuitem: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{36205CFE-31E0-4264-8B91-FC3988D70B58}: NameServer = 194.247.192.1 194.247.192.33
O17 - HKLM\System\CS2\Services\Tcpip\..\{36205CFE-31E0-4264-8B91-FC3988D70B58}: NameServer = 194.247.192.1 194.247.192.33
O23 - Service: GhostStartService - Symantec Corporation - C:\Program Files\Symantec\Norton Ghost 2003\GhostStartService.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

Molim vas da mi odgovorite sto pre,
unapred zahvalan IgiGo! aaaaaaAAAAAA Trojan! Eto vec mi se ponovo dize kosa na glavi, oci su mi ko u civave od nesanice ,,,

• 0Niko još nije pohvalio poruku.
  Registruj se da bi pohvalio/la poruku!

Ovako..


Isprazni FireFox-ov cache (privremene int. file-ove). Ukoliko situacija sa otvaranjem stranica bude ista, proveri da li je firewall pravilno konfigurisan (možeš ga i nakratko isključiti pa onda proveri kako Firefox radi).


Treba da odradiš ponovno skeniranje ažuriranim SpyBot-om i ukloniš sve što on pronađe.
Restartuj kompjuter nakon toga i ponovi skeniranje još jednom i javi rezultate tog skeniranja.
Ukoliko se iste detekcije ponavljaju, potrebno je da sačuvaš logfile na kraju skeniranja i iskopiraš ga ovde kako bih mogao videti tačno o čemu se radi.


Potrebno je da privremeno isključiš SpyBot-ov TeaTimer:

Pokrenite Spybot S&D
Kliknite Mode stavku u meniju
Odaberite Advance Mode
Na traci levo kliknite na Tools
Kliknite na Resident
Destiklirajte Resident Tea-Timer
Zatvorite Spybot S&D
Restartujte kompjuter.
Nemojte zaboraviti da ponovo ukljucite ove opcije kada zavrsimo ciscenje.



Skini ComboFix sa jedne od sledecih adresa:
http://www.techsupportforum.com/sectools/sUBs/ComboFix.exe
http://download.bleepingcomputer.com/sUBs/ComboFix.exe

Startuj ga i ne diraj prozor programa dok skenira.
Sledi uputstva na ekranu. Kada zavrsi pojavice se log koji ces nam ovde iskopirati.

• 0Niko još nije pohvalio poruku.
  Registruj se da bi pohvalio/la poruku!

Hvala ti sto si imao strpljenja da procitas moj fajl i obratis se problemu
i izvini ako sam te namucio kao i sto ti ranije nisam poslao odgovor.
Zaboravio sam korisnicko ime pa mi server nije dao ulaz na vas forum,
dok se nisam setio istog-eto koliko sam rastrojen!

Prvo sam uradio FIX kuasio.ka u Spybotu, logovan na os kao Admin
gde mi je prijavio da je uspeo da popravi stvar.

Nakon toga, updateovao sam Spybot i nakon skeniranja XP-a istim,
daje mi Congratulations! No immediate threats found!
Za svaki slucaj zlu netrebalo, resetovao sam racunar kako si rekao i
nanovo skenirao Spybotom sistem.
Posto mi je i drugi put dao da je sve trenutno ok i cestitao, da li to znaci da sam se oslobodio trojanca kuasio.ka ili ne obzirom da me plasi cinjenica da se ovaj doticni vracao ponovo ljudima u racunar posto opet izadju na Internet posle njegovog otklona Spybotom i naravno da li postoji mogucnost da sam zapatio jos nekog ili neke trojance i dr.
malware koji Spybot nije u stanju da detektuje posto svaki antyspy program ima granicu detektivosti oko 60%, neki vise, neki manje!

Sta da uradim i kako se max. zastititi od svih malwera da ne dolaze ponovo u moj OS posto mi je to veoma bitno...

Takode, molio bih te da mi kazes da li da ti
saljem Spybotov log ili ne?

• 0Niko još nije pohvalio poruku.
  Registruj se da bi pohvalio/la poruku!

Zamolio bih te da ispratiš uputstvo za ComboFix.
Ostali logovi trenutno nisu potrebni.

• 0Niko još nije pohvalio poruku.
  Registruj se da bi pohvalio/la poruku!

Izvoli, saljem ti log, unapred hvala!



ComboFix 07-12-02.7 - Igor 2007-12-05 13:11:51.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.877 [GMT 1:00]
Running from: C:\Documents and Settings\Igor\Desktop\Combo\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\grouppolicy\machine\scripts\scripts.ini

.
((((((((((((((((((((((((( Files Created from 2007-11-05 to 2007-12-05 )))))))))))))))))))))))))))))))
.

2007-12-03 18:51 . 2007-12-03 18:51 37,748,736 --a------ C:\VIRTPART.DAT
2007-11-29 01:38 . 2007-12-05 13:14 24,756,256 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2007-11-29 01:38 . 2007-12-05 13:05 291,872 --ahs---- C:\WINDOWS\system32\drivers\fidbox.idx
2007-11-29 01:35 . 2007-09-06 16:14 75,248 --a------ C:\WINDOWS\zllsputility.exe
2007-11-27 17:01 . 2007-11-27 17:01 <DIR> d--h----- C:\WINDOWS\PIF
2007-11-27 13:21 . 2006-03-10 21:48 169,472 -r-hs---- C:\WINDOWS\system32\MatroskaDX.ax
2007-11-27 13:21 . 2006-05-03 10:06 163,328 -r-hs---- C:\WINDOWS\system32\flvDX.dll
2007-11-27 13:21 . 2005-11-25 20:46 161,792 -r-hs---- C:\WINDOWS\system32\RealMediaDX.ax
2007-11-27 13:21 . 2003-11-20 23:00 54,784 -r-hs---- C:\WINDOWS\system32\RLAPEDec.ax
2007-11-27 13:21 . 2004-04-26 23:00 37,888 -r-hs---- C:\WINDOWS\system32\RLMPCDec.ax
2007-11-27 13:21 . 2007-02-21 11:47 31,232 -r-hs---- C:\WINDOWS\system32\msfDX.dll
2007-11-27 13:20 . 2006-09-12 11:46 227,328 -r-hs---- C:\WINDOWS\system32\ac3DX.ax
2007-11-27 13:20 . 2006-01-12 23:23 123,904 -r-hs---- C:\WINDOWS\system32\AVCDX.ax
2007-11-27 13:20 . 2007-07-03 06:59 9,292 ---h----- C:\WINDOWS\super.chm
2007-11-27 13:17 . 2007-11-27 13:17 <DIR> d-------- C:\Program Files\eRightSoft
2007-11-27 12:33 . 2007-11-27 12:29 <DIR> d-------- C:\Program Files\AviSynth 2.5
2007-11-27 12:32 . 2006-08-16 14:53 175,104 -r-hs---- C:\WINDOWS\system32\CoreAAC.ax
2007-11-27 12:32 . 2005-02-22 16:55 81,920 -r-hs---- C:\WINDOWS\system32\aac_parser.ax
2007-11-24 00:15 . 2007-11-27 10:37 872 --a------ C:\WINDOWS\system32\drivers\fwdrv.err
2007-11-23 22:25 . 2007-12-04 00:01 <DIR> d-------- C:\Program Files\Safer Networking
2007-11-21 20:00 . 2005-09-25 20:11 2,494,464 --a------ C:\WINDOWS\system\advrcntr2.dll
2007-11-21 18:04 . 2005-09-25 20:11 2,494,464 --a------ C:\WINDOWS\system32\advrcntr2.dll
2007-11-21 17:45 . 2007-12-05 01:19 <DIR> d-------- C:\Documents and Settings\Gori\Application Data\OpenOffice.org2
2007-11-21 12:19 . 2007-11-21 12:19 <DIR> d-------- C:\Downloads
2007-11-21 10:41 . 2007-11-21 10:41 <DIR> d-------- C:\Documents and Settings\Gori\Application Data\Thunderbird
2007-11-20 17:37 . 2007-11-20 17:37 <DIR> d-------- C:\Documents and Settings\Gori\Application Data\CyberLink
2007-11-20 13:15 . 2007-11-20 13:15 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\MailFrontier
2007-11-20 12:14 . 2007-07-09 14:09 584,192 -----c--- C:\WINDOWS\system32\dllcache\rpcrt4.dll
2007-11-20 12:00 . 2007-11-20 12:00 <DIR> d-------- C:\Program Files\uTorrent
2007-11-20 11:56 . 2006-12-07 07:40 2,362,184 -----c--- C:\WINDOWS\system32\dllcache\wmvcore.dll
2007-11-20 11:46 . 2007-11-20 12:40 <DIR> d--h----- C:\WINDOWS\$hf_mig$
2007-11-20 11:46 . 2005-06-28 09:21 22,752 --a------ C:\WINDOWS\system32\spupdsvc.exe
2007-11-20 00:49 . 2007-12-05 13:00 <DIR> d-------- C:\Documents and Settings\Gori\Application Data\uTorrent
2007-11-19 22:33 . 2002-09-17 12:55 3,548 --a------ C:\WINDOWS\system32\drivers\WinFlash.sys
2007-11-19 21:54 . 2007-11-19 21:54 169 --a------ C:\WINDOWS\adidsl.ini
2007-11-19 21:54 . 2007-11-19 21:54 21 --a------ C:\WINDOWS\Fast800.ini
2007-11-19 21:53 . 2007-11-19 21:53 <DIR> d-------- C:\Program Files\SAGEM
2007-11-19 21:53 . 2007-11-19 21:53 <DIR> d-------- C:\Documents and Settings\Igor\Application Data\InstallShield
2007-11-19 01:26 . 2004-08-04 00:56 152,576 --a------ C:\WINDOWS\system32\irftp.exe
2007-11-17 01:10 . 2007-11-23 22:36 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-11-17 00:09 . 2007-11-29 01:35 <DIR> d-------- C:\WINDOWS\system32\ZoneLabs
2007-11-15 19:15 . 2007-12-05 13:14 <DIR> d-------- C:\Program Files\FlashGet
2007-11-15 15:52 . 2007-11-15 15:52 <DIR> d-------- C:\Documents and Settings\Igor\Application Data\Thunderbird
2007-11-15 13:25 . 1998-12-14 10:13 509,536 -ra------ C:\WINDOWS\system32\ltmodem.sys
2007-11-15 00:47 . 2007-11-15 00:47 <DIR> d-------- C:\Program Files\Larian Studios
2007-11-14 22:03 . 2001-09-13 05:10 664,577 -ra------ C:\WINDOWS\system32\drivers\ltmdmnt.sys
2007-11-14 22:03 . 2004-08-03 22:41 606,684 --a--c--- C:\WINDOWS\system32\dllcache\ltmdmnt.sys
2007-11-14 22:03 . 2001-08-17 13:57 16,128 --a------ C:\WINDOWS\system32\drivers\MODEMCSA.sys
2007-11-14 22:03 . 2001-08-17 13:57 16,128 --a--c--- C:\WINDOWS\system32\dllcache\modemcsa.sys
2007-11-11 20:48 . 2007-11-11 20:49 <DIR> d-------- C:\Program Files\TBird_porta1508
2007-11-10 00:39 . 2000-01-20 12:24 1,334,784 --a------ C:\WINDOWS\system32\nvoglnt.dll
2007-11-09 00:17 . 2007-11-10 00:31 <DIR> d-------- C:\WINDOWS\system32\NVSYS

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-31 17:21 96,256 ----a-w C:\WINDOWS\system32\drivers\scsiport.sys
2008-12-31 17:21 95,360 ----a-w C:\WINDOWS\system32\drivers\atapi.sys
2008-12-31 17:21 92,032 ----a-w C:\WINDOWS\system32\drivers\ksecdd.sys
2008-12-31 17:21 91,776 ----a-w C:\WINDOWS\system32\drivers\ndiswan.sys
2008-12-31 17:21 9,600 ----a-w C:\WINDOWS\system32\drivers\ndistapi.sys
2008-12-31 17:21 88,448 ----a-w C:\WINDOWS\system32\drivers\nwlnkipx.sys
2008-12-31 17:21 80,128 ----a-w C:\WINDOWS\system32\drivers\parport.sys
2008-12-31 17:21 8,832 ----a-w C:\WINDOWS\system32\drivers\rasacd.sys
2008-12-31 17:21 799,744 ----a-w C:\WINDOWS\system32\drivers\dmboot.sys
2008-12-31 17:21 79,744 ----a-w C:\WINDOWS\system32\drivers\videoprt.sys
2008-12-31 17:21 74,752 ----a-w C:\WINDOWS\system32\drivers\ipsec.sys
2008-12-31 17:21 73,472 ----a-w C:\WINDOWS\system32\drivers\sr.sys
2008-12-31 17:21 72,960 ----a-w C:\WINDOWS\system32\drivers\mqac.sys
2008-12-31 17:21 71,552 ----a-w C:\WINDOWS\system32\drivers\bridge.sys
2008-12-31 17:21 71,040 ----a-w C:\WINDOWS\system32\drivers\dxg.sys
2008-12-31 17:21 7,936 ----a-w C:\WINDOWS\system32\drivers\fs_rec.sys
2008-12-31 17:21 7,680 ----a-w C:\WINDOWS\system32\drivers\mcd.sys
2008-12-31 17:21 69,120 ----a-w C:\WINDOWS\system32\drivers\psched.sys
2008-12-31 17:21 68,224 ----a-w C:\WINDOWS\system32\drivers\pci.sys
2008-12-31 17:21 67,584 ----a-w C:\WINDOWS\system32\drivers\sdbus.sys
2008-12-31 17:21 66,176 ----a-w C:\WINDOWS\system32\drivers\udfs.sys
2008-12-31 17:21 646 ----a-w C:\WINDOWS\system32\drivers\gmreadme.txt
2008-12-31 17:21 64,896 ----a-w C:\WINDOWS\system32\drivers\serial.sys
2008-12-31 17:21 63,744 ----a-w C:\WINDOWS\system32\drivers\mf.sys
2008-12-31 17:21 63,744 ----a-w C:\WINDOWS\system32\drivers\cdfs.sys
2008-12-31 17:21 63,232 ----a-w C:\WINDOWS\system32\drivers\nwlnknb.sys
2008-12-31 17:21 61,824 ----a-w C:\WINDOWS\system32\drivers\nic1394.sys
2008-12-31 17:21 61,056 ----a-w C:\WINDOWS\system32\drivers\ohci1394.sys
2008-12-31 17:21 60,800 ----a-w C:\WINDOWS\system32\drivers\arp1394.sys
2008-12-31 17:21 6,784 ----a-w C:\WINDOWS\system32\drivers\parvdm.sys
2008-12-31 17:21 59,904 ----a-w C:\WINDOWS\system32\drivers\atmarpc.sys
2008-12-31 17:21 58,112 ----a-w C:\WINDOWS\system32\drivers\vdmindvd.sys
2008-12-31 17:21 57,600 ----a-w C:\WINDOWS\system32\drivers\usbhub.sys
2008-12-31 17:21 55,936 ----a-w C:\WINDOWS\system32\drivers\nwlnkspx.sys
2008-12-31 17:21 55,936 ----a-w C:\WINDOWS\system32\drivers\atmlane.sys
2008-12-31 17:21 53,248 ----a-w C:\WINDOWS\system32\drivers\1394bus.sys
2008-12-31 17:21 52,736 ----a-w C:\WINDOWS\system32\drivers\i8042prt.sys
2008-12-31 17:21 52,352 ----a-w C:\WINDOWS\system32\drivers\volsnap.sys
2008-12-31 17:21 51,712 ----a-w C:\WINDOWS\system32\drivers\tosdvd.sys
2008-12-31 17:21 51,328 ----a-w C:\WINDOWS\system32\drivers\rasl2tp.sys
2008-12-31 17:21 5,888 ----a-w C:\WINDOWS\system32\drivers\rootmdm.sys
2008-12-31 17:21 5,888 ----a-w C:\WINDOWS\system32\drivers\dmload.sys
2008-12-31 17:21 49,664 ----a-w C:\WINDOWS\system32\drivers\classpnp.sys
2008-12-31 17:21 49,536 ----a-w C:\WINDOWS\system32\drivers\cdrom.sys
2008-12-31 17:21 48,384 ----a-w C:\WINDOWS\system32\drivers\raspptp.sys
2008-12-31 17:21 42,496 ----a-w C:\WINDOWS\system32\drivers\p3.sys
2008-12-31 17:21 42,240 ----a-w C:\WINDOWS\system32\drivers\mountmgr.sys
2008-12-31 17:21 41,856 ----a-w C:\WINDOWS\system32\drivers\imapi.sys
2008-12-31 17:21 41,472 ----a-w C:\WINDOWS\system32\drivers\raspppoe.sys
2008-12-31 17:21 40,320 ----a-w C:\WINDOWS\system32\drivers\nmnt.sys
2008-12-31 17:21 4,736 ----a-w C:\WINDOWS\system32\drivers\usbd.sys
2008-12-31 17:21 4,352 ----a-w C:\WINDOWS\system32\drivers\wmilib.sys
2008-12-31 17:21 4,352 ----a-w C:\WINDOWS\system32\drivers\swenum.sys
2008-12-31 17:21 4,224 ----a-w C:\WINDOWS\system32\drivers\rdpcdd.sys
2008-12-31 17:21 4,224 ----a-w C:\WINDOWS\system32\drivers\mnmdd.sys
2008-12-31 17:21 4,224 ----a-w C:\WINDOWS\system32\drivers\beep.sys
2008-12-31 17:21 38,016 ----a-w C:\WINDOWS\system32\drivers\ndproxy.sys
2008-12-31 17:21 37,376 ----a-w C:\WINDOWS\system32\drivers\amdk7.sys
2008-12-31 17:21 36,992 ----a-w C:\WINDOWS\system32\drivers\amdk6.sys
2008-12-31 17:21 36,480 ----a-w C:\WINDOWS\system32\drivers\crusoe.sys
2008-12-31 17:21 36,352 ----a-w C:\WINDOWS\system32\drivers\disk.sys
2008-12-31 17:21 36,224 ----a-w C:\WINDOWS\system32\drivers\hidclass.sys
2008-12-31 17:21 36,096 ----a-w C:\WINDOWS\system32\drivers\intelppm.sys
2008-12-31 17:21 352,256 ----a-w C:\WINDOWS\system32\drivers\atmuni.sys
2008-12-31 17:21 35,840 ----a-w C:\WINDOWS\system32\drivers\isapnp.sys
2008-12-31 17:21 35,328 ----a-w C:\WINDOWS\system32\drivers\processr.sys
2008-12-31 17:21 35,072 ----a-w C:\WINDOWS\system32\drivers\msgpc.sys
2008-12-31 17:21 34,944 ----a-w C:\WINDOWS\system32\drivers\fips.sys
2008-12-31 17:21 34,560 ----a-w C:\WINDOWS\system32\drivers\wanarp.sys
2008-12-31 17:21 34,560 ----a-w C:\WINDOWS\system32\drivers\netbios.sys
2008-12-31 17:21 34,432 ----a-w C:\WINDOWS\system32\drivers\rawwan.sys
2008-12-31 17:21 32,896 ----a-w C:\WINDOWS\system32\drivers\ipfltdrv.sys
2008-12-31 17:21 32,512 ----a-w C:\WINDOWS\system32\drivers\nwlnkfwd.sys
2008-12-31 17:21 31,360 ----a-w C:\WINDOWS\system32\drivers\atmepvc.sys
2008-12-31 17:21 30,848 ----a-w C:\WINDOWS\system32\drivers\npfs.sys
2008-12-31 17:21 30,080 ----a-w C:\WINDOWS\system32\drivers\rndismp.sys
2008-12-31 17:21 30,080 ----a-w C:\WINDOWS\system32\drivers\modem.sys
2008-12-31 17:21 3,456 ----a-w C:\WINDOWS\system32\drivers\oprghdlr.sys
2008-12-31 17:21 3,440,660 ----a-w C:\WINDOWS\system32\drivers\gm.dls
2008-12-31 17:21 3,328 ----a-w C:\WINDOWS\system32\drivers\pciide.sys
2008-12-31 17:21 3,328 ----a-w C:\WINDOWS\system32\drivers\dxgthk.sys
2008-12-31 17:21 29,056 ----a-w C:\WINDOWS\system32\drivers\ip6fw.sys
2008-12-31 17:21 27,392 ----a-w C:\WINDOWS\system32\drivers\fdc.sys
2008-12-31 17:21 262,528 ----a-w C:\WINDOWS\system32\drivers\cinemst2.sys
2008-12-31 17:21 26,624 ----a-w C:\WINDOWS\system32\drivers\usbehci.sys
2008-12-31 17:21 25,472 ----a-w C:\WINDOWS\system32\drivers\sonydcam.sys
2008-12-31 17:21 25,088 ----a-w C:\WINDOWS\system32\drivers\pciidex.sys
2008-12-31 17:21 24,960 ----a-w C:\WINDOWS\system32\drivers\hidparse.sys
2008-12-31 17:21 24,576 ----a-w C:\WINDOWS\system32\drivers\kbdclass.sys
2008-12-31 17:21 23,936 ----a-w C:\WINDOWS\system32\drivers\usbcamd2.sys
2008-12-31 17:21 23,808 ----a-w C:\WINDOWS\system32\drivers\usbcamd.sys
2008-12-31 17:21 23,040 ----a-w C:\WINDOWS\system32\drivers\mouclass.sys
2008-12-31 17:21 21,896 ----a-w C:\WINDOWS\system32\drivers\tdtcp.sys
2008-12-31 17:21 21,376 ----a-w C:\WINDOWS\system32\drivers\tsbvcap.sys
2008-12-31 17:21 20,992 ----a-w C:\WINDOWS\system32\drivers\vga.sys
2008-12-31 17:21 20,992 ----a-w C:\WINDOWS\system32\drivers\ipinip.sys
2008-12-31 17:21 20,480 ----a-w C:\WINDOWS\system32\drivers\usbuhci.sys
2008-12-31 17:21 20,480 ----a-w C:\WINDOWS\system32\drivers\flpydisk.sys
2008-12-31 17:21 2,944 ----a-w C:\WINDOWS\system32\drivers\null.sys
2008-12-31 17:21 19,072 ----a-w C:\WINDOWS\system32\drivers\msfs.sys
2006-05-03 09:06 163,328 --sh--r C:\WINDOWS\system32\flvDX.dll
2007-02-21 10:47 31,232 --sh--r C:\WINDOWS\system32\msfDX.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7ACBC613-4EE3-417E-899E-185065A22907}]
C:\PROGRA~1\QUICKN~1\MYSPAC~1.DLL

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2008-12-31 18:21]
"HDDHealth"="C:\Program Files\HDD Health\hddhealth.exe" [2003-09-03 13:33]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE" [2003-05-14 06:20 C:\WINDOWS\SOUNDMAN.EXE]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-09-01 16:21]
"UnlockerAssistant"="C:\Program Files\Unlocker\UnlockerAssistant.exe" [2006-09-07 18:19]
"nod32kui"="C:\Program Files\Eset\nod32kui.exe" [2007-09-01 17:36]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 10:50]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2007-09-06 16:14]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2008-12-31 18:21]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
DSLMON.lnk - C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe [2007-11-19 21:53:52]
WordWeb.lnk - C:\Program Files\WordWeb\wweb32.exe [2007-09-01 13:47:45]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"HideShutdownScripts"= 0 (0x0)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{93994DE8-8239-4655-B1D1-5F4E91300429}"= C:\PROGRA~1\DVDIDL~1\DVDShell.dll [2004-10-09 14:18 49152]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\Machine]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\Machine\Extension-List]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\Machine\Extension-List\{00000000-0000-0000-0000-000000000000}]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\Machine\Extension-List\{c6dc5466-785a-11d2-84d0-00c04fb169f7}]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\Machine\GPLink-List]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\Machine\GPLink-List\0]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\Machine\GPO-List]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\Machine\GPO-List\0]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\Machine\Scripts]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\Machine\Scripts\Shutdown]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\Machine\Scripts\Shutdown\0]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\Machine\Scripts\Shutdown\0\0]
"Script"=C:\WINDOWS\system32\pref3final.bat
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\Machine\Scripts\Startup]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1644491937-1214440339-839522115-1003]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1644491937-1214440339-839522115-1003\Extension-List]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1644491937-1214440339-839522115-1003\Extension-List\{00000000-0000-0000-0000-000000000000}]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1644491937-1214440339-839522115-1003\Extension-List\{c6dc5466-785a-11d2-84d0-00c04fb169f7}]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1644491937-1214440339-839522115-1003\GPLink-List]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1644491937-1214440339-839522115-1003\GPLink-List\0]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1644491937-1214440339-839522115-1003\GPO-List]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1644491937-1214440339-839522115-1003\GPO-List\0]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1644491937-1214440339-839522115-1003\Loopback-GPLink-List]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1644491937-1214440339-839522115-1003\Loopback-GPO-List]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1644491937-1214440339-839522115-1004]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1644491937-1214440339-839522115-1004\Extension-List]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1644491937-1214440339-839522115-1004\Extension-List\{00000000-0000-0000-0000-000000000000}]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1644491937-1214440339-839522115-1004\Extension-List\{c6dc5466-785a-11d2-84d0-00c04fb169f7}]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1644491937-1214440339-839522115-1004\GPLink-List]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1644491937-1214440339-839522115-1004\GPLink-List\0]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1644491937-1214440339-839522115-1004\GPO-List]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1644491937-1214440339-839522115-1004\GPO-List\0]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1644491937-1214440339-839522115-1004\Loopback-GPLink-List]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1644491937-1214440339-839522115-1004\Loopback-GPO-List]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GhostStartTrayApp]
2003-05-28 18:11 94208 --a------ C:\Program Files\Symantec\Norton Ghost 2003\GhostStartTrayApp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2001-07-09 10:50 155648 --a------ C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
2004-11-02 19:24 32768 --a------ C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe

R1 GhPciScan;GhostPciScanner;\??\C:\Program Files\Symantec\Norton Ghost 2003\ghpciscan.sys
S2 ELOADER;General Purpose USB Driver (adildr.sys);C:\WINDOWS\system32\Drivers\adildr.sys
S3 Memctl;Memctl;\??\C:\Program Files\ABIT\FlashMenu\Memctl.sys

*Newly Created Service* - CATCHME
*Newly Created Service* - PROCEXP90
.
Contents of the 'Scheduled Tasks' folder
"2007-12-02 13:30:00 C:\WINDOWS\Tasks\Disk Cleanup.job"
"2007-12-02 14:00:00 C:\WINDOWS\Tasks\JkDefrag.job"
- D:\fCD\JKDEFRAG3.15 jul 2007\JkDefrag.exe
.
**************************************************************************

catchme 0.3.1318 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, gmer.net
Rootkit scan 2007-12-05 13:14:43
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-12-05 13:15:29
.
--- E O F ---

• 0Niko još nije pohvalio poruku.
  Registruj se da bi pohvalio/la poruku!

Ovde nema aktivnog malware-a. Samo ćemo malo da ''počistimo''.

Pokreni HijackThis, skeniraj i čekiraj sledeće linije:

O2 - BHO: TBSB07235 - {7ACBC613-4EE3-417E-899E-185065A22907} - C:\PROGRA~1\QUICKN~1\MYSPAC~1.DLL (file missing)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O3 - Toolbar: Untitled Toolbar - {6AE02E1C-8859-4F57-9097-5A55A56A4CAF} - C:\Program Files\Quicknation\MySpace-Download-Convert.dll (file missing)

Klikni Fix Checked.


Ono što je SpyBot uklonio su verovatno bili samo zaostali ključevi od neke ranije infekcije tako da mislim da više neće biti tih detekcija.

Kako se zaštititi?
Već koristiš firewall i antivirus, tako da je sa softverske strane urađeno što treba. Preostaje ti samo da ''pažljivo'' surfaš, ne instaliraš nepoznate/neproverene programe i sl.

Ovde smo gotovi...

• 0Niko još nije pohvalio poruku.
  Registruj se da bi pohvalio/la poruku!

Veliko hvala na ukazanoj pomoci i savetima,
puno pozdrava celoj Ambulanti Bye!...