Infected PC + it occasionally "freezes"


offline
  • Joined: 20 Mar 2007
  • Posts: 97

ComboFix 09-03-15.01 - Korisnik 2009-03-17 14:53:15.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.511.101 [GMT 1:00]
Running from: c:\documents and settings\Korisnik\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Korisnik\Desktop\CFScript.txt
AV: ESET NOD32 Antivirus 3.0 *On-access scanning enabled* (Updated)
* Created a new restore point
* Resident AV is active


WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\WinSpyKiller
c:\program files\WinSpyKiller\WinSpyKiller.lic
c:\program files\WinSpyKiller\WinSpyKiller1.wk

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_{DEF85C80-216A-43AB-AF70-1665EDBE2780}
-------\Service_{DEF85C80-216A-43ab-AF70-1665EDBE2780}


((((((((((((((((((((((((( Files Created from 2009-02-17 to 2009-03-17 )))))))))))))))))))))))))))))))
.

2009-03-17 10:43 . 2009-03-17 11:00 <DIR> d-------- c:\windows\system32\CatRoot_bak
2009-03-16 16:01 . 2009-03-16 16:01 <DIR> d-------- c:\program files\MSXML 4.0
2009-03-16 13:15 . 2009-03-16 13:16 3,084,099 --a------ C:\ComboFix.rar
2009-03-16 09:21 . 2009-03-16 09:20 66,048 --a------ C:\mbr.exe
2009-03-16 08:37 . 2009-03-16 08:37 <DIR> d-------- c:\windows\system32\LogFiles
2009-03-16 08:08 . 2008-12-12 18:33 3,060,224 -----c--- c:\windows\system32\dllcache\mshtml.dll
2009-03-16 08:08 . 2008-08-14 11:00 2,180,352 -----c--- c:\windows\system32\dllcache\ntoskrnl.exe
2009-03-16 08:08 . 2008-08-14 10:58 2,136,064 -----c--- c:\windows\system32\dllcache\ntkrnlmp.exe
2009-03-16 08:08 . 2008-08-14 10:22 2,057,728 -----c--- c:\windows\system32\dllcache\ntkrnlpa.exe
2009-03-16 08:08 . 2008-08-14 10:22 2,015,744 -----c--- c:\windows\system32\dllcache\ntkrpamp.exe
2009-03-16 08:04 . 2008-05-01 15:30 331,776 -----c--- c:\windows\system32\dllcache\msadce.dll
2009-03-16 08:03 . 2008-04-11 19:50 683,520 -----c--- c:\windows\system32\dllcache\inetcomm.dll
2009-03-16 08:03 . 2008-10-03 11:15 247,326 -----c--- c:\windows\system32\dllcache\strmdll.dll
2009-03-14 15:26 . 2006-10-26 19:56 32,592 --a------ c:\windows\system32\msonpmon.dll
2009-03-14 15:23 . 2009-03-14 15:23 <DIR> d-------- c:\program files\MSBuild
2009-03-14 15:23 . 2009-03-14 15:23 <DIR> d-------- c:\program files\Microsoft Works
2009-03-14 15:22 . 2009-03-14 15:22 <DIR> d-------- c:\program files\Microsoft.NET
2009-03-14 15:11 . 2003-02-28 18:26 139,536 --a------ c:\windows\system32\javaee.dll
2009-03-14 15:09 . 2009-03-14 15:09 <DIR> d-------- c:\program files\Microsoft Visual Studio 8
2009-03-14 15:07 . 2009-03-14 15:32 <DIR> d-------- c:\documents and settings\All Users\Application Data\Microsoft Help
2009-03-14 15:05 . 2009-03-14 15:05 <DIR> dr-h----- C:\MSOCache
2009-03-14 15:04 . 2009-03-14 15:04 316,640 --a------ c:\windows\WMSysPr9.prx
2009-03-14 14:47 . 2004-08-04 00:56 239,616 --------- c:\windows\system32\wstrenderer.ax
2009-03-14 14:47 . 2004-08-04 00:56 164,352 --------- c:\windows\system32\wstpager.ax
2009-03-14 14:47 . 2004-08-04 00:56 96,768 -----c--- c:\windows\system32\dllcache\dpcdll.dll
2009-03-14 14:47 . 2004-08-04 00:56 53,248 --------- c:\windows\system32\vbicodec.ax
2009-03-14 14:47 . 2004-08-03 23:08 40,832 --------- c:\windows\system32\drivers\irbus.sys
2009-03-14 14:47 . 2004-08-03 22:59 9,728 --------- c:\windows\system32\comsdupd.exe
2009-03-14 14:43 . 2009-03-14 14:43 <DIR> d-------- c:\windows\ServicePackFiles
2009-03-14 14:37 . 2004-07-17 11:40 19,528 --a------ c:\windows\002520_.tmp
2009-03-14 14:34 . 2009-03-14 14:34 <DIR> d-------- c:\windows\EHome
2009-03-14 13:35 . 2006-08-25 16:45 617,472 -----c--- c:\windows\system32\dllcache\comctl32.dll
2009-03-14 13:35 . 2008-06-20 11:45 360,320 --a--c--- c:\windows\system32\dllcache\tcpip.sys
2009-03-14 13:31 . 2006-07-14 16:25 546,304 -----c--- c:\windows\system32\dllcache\hhctrl.ocx
2009-03-14 13:31 . 2008-10-15 17:57 332,800 -----c--- c:\windows\system32\dllcache\netapi32.dll
2009-03-14 13:31 . 2008-06-20 10:52 225,920 --a--c--- c:\windows\system32\dllcache\tcpip6.sys
2009-03-14 13:31 . 2006-08-16 12:58 100,352 -----c--- c:\windows\system32\dllcache\6to4svc.dll
2009-03-14 13:30 . 2006-06-22 11:47 181,248 -----c--- c:\windows\system32\dllcache\rasmans.dll
2009-03-14 13:26 . 2006-05-19 13:59 111,616 -----c--- c:\windows\system32\dllcache\dhcpcsvc.dll
2009-03-14 13:26 . 2006-05-19 13:59 94,720 -----c--- c:\windows\system32\dllcache\iphlpapi.dll
2009-03-14 13:18 . 2009-03-14 13:18 <DIR> d-------- c:\windows\system32\bits
2009-03-14 13:17 . 2006-03-17 01:38 28,672 --------- c:\windows\system32\verclsid.exe
2009-03-14 13:17 . 2009-03-16 16:05 1,374 --a------ c:\windows\imsins.BAK
2009-03-14 13:16 . 2009-03-14 13:16 <DIR> d-------- c:\windows\system32\bfubackups
2009-03-14 12:41 . 2004-08-04 00:56 2,897,920 --------- c:\windows\system32\xpsp2res.dll
2009-03-14 12:41 . 2004-08-04 00:56 713,216 --a------ c:\windows\system32\sxs.dll
2009-03-14 12:41 . 2004-08-04 00:56 87,552 --a------ c:\windows\system32\fldrclnr.dll
2009-03-14 12:36 . 2009-03-16 16:05 <DIR> d--h----- c:\windows\$hf_mig$
2009-03-14 12:36 . 2005-02-25 04:35 22,752 --a------ c:\windows\system32\spupdsvc.exe
2009-03-14 12:35 . 2008-06-20 18:41 148,992 --a--c--- c:\windows\system32\dllcache\dnsapi.dll
2009-03-14 12:35 . 2006-06-26 18:37 8,192 -----c--- c:\windows\system32\dllcache\rasadhlp.dll
2009-03-14 12:30 . 2009-03-14 12:31 <DIR> d-------- c:\program files\Unlocker
2009-03-14 12:30 . 2008-10-16 14:09 31,768 --a------ c:\windows\system32\wucltui.dll.mui
2009-03-14 12:30 . 2008-10-16 14:07 23,576 --a------ c:\windows\system32\wuaucpl.cpl.mui
2009-03-14 12:30 . 2008-10-16 14:07 23,576 --a------ c:\windows\system32\wuapi.dll.mui
2009-03-14 12:30 . 2008-10-16 14:07 18,456 --a------ c:\windows\system32\wuaueng.dll.mui
2009-03-14 12:19 . 2009-03-14 12:19 <DIR> d-------- c:\program files\TuneUp Utilities 2007
2009-03-14 12:19 . 2009-03-14 12:19 <DIR> d-------- c:\documents and settings\Korisnik\Application Data\TuneUp Software
2009-03-14 12:19 . 2006-12-19 16:53 24,072 --a------ c:\windows\system32\uxtuneup.dll
2009-03-14 12:18 . 2009-03-14 12:18 <DIR> d-------- c:\program files\Common Files\Wise Installation Wizard
2009-03-14 12:18 . 2009-03-14 12:18 <DIR> d-------- c:\documents and settings\All Users\Application Data\TuneUp Software
2009-03-13 10:32 . 2009-03-13 10:32 <DIR> d-------- c:\windows\ePlusMenuCAD
2009-03-13 10:32 . 2009-03-13 10:36 <DIR> d-------- c:\program files\ePlusMenuCAD
2009-03-11 14:30 . 2009-03-14 12:43 <DIR> d-------- c:\program files\Google
2009-03-10 09:12 . 2009-03-14 12:51 <DIR> d-------- C:\Ulysse
2009-03-10 09:12 . 2009-03-13 13:44 2,229 --a------ c:\windows\ulysse.ini
2009-03-10 09:10 . 2009-03-10 09:10 <DIR> d-------- c:\documents and settings\Korisnik\WINDOWS
2009-03-09 09:54 . 2009-03-17 09:02 <DIR> d-------- c:\program files\ABBYY FineReader 7.0 Professional Edition
2009-03-09 08:36 . 2009-03-09 08:36 <DIR> d-------- c:\documents and settings\Korisnik\Application Data\ABBYY
2009-03-09 08:35 . 2009-03-09 08:35 <DIR> d-------- c:\documents and settings\All Users\Application Data\ABBYY
2009-03-06 08:50 . 2009-03-06 08:50 <DIR> d-------- c:\windows\system32\Adobe
2009-03-06 08:50 . 2009-03-06 08:50 <DIR> d-------- c:\windows\Profiles
2009-03-06 08:50 . 2009-03-06 08:50 <DIR> d-------- c:\documents and settings\Korisnik\Application Data\InterTrust
2009-03-06 08:50 . 1998-10-29 14:45 306,688 --a------ c:\windows\IsUninst.exe
2009-03-03 13:30 . 2009-03-03 13:30 0 --a------ c:\windows\nsreg.dat

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-03-17 11:13 --------- d-----w c:\program files\Rainlendar
2009-03-14 11:51 --------- d-----w c:\program files\totalcmd
2009-03-06 07:50 --------- d-----w c:\program files\Common Files\Adobe
2009-01-27 12:59 --------- d-----w c:\program files\GlobalMapper10
2008-03-13 22:34 2,568,840 ----a-w c:\program files\ask_install.exe
.

((((((((((((((((((((((((((((( [Link visible only to logged-in users] )))))))))))))))))))))))))))))))))))))))))
.
+ 2004-08-03 23:56:52 93,184 -c--a-w c:\windows\system32\dllcache\iexplore.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]

c:\documents and settings\Korisnik\Start Menu\Programs\Startup\
Rainlendar.lnk - c:\program files\Rainlendar\Rainlendar.exe [2006-01-21 118784]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^AutoCAD Startup Accelerator.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\AutoCAD Startup Accelerator.lnk
backup=c:\windows\pss\AutoCAD Startup Accelerator.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
c:\windows\system32\dumprep 0 -k [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2004-08-04 00:56 15360 c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\FineReader7NewsReaderPro]
--a------ 2009-03-17 08:10 20112 c:\program files\ABBYY FineReader 7.0 Professional Edition\AbbyyNewsReader.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
--a------ 2005-08-12 01:30 249856 c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
--a------ 2005-08-12 01:30 81920 c:\program files\Common Files\InstallShield\UpdateService\issch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2001-07-09 18:50 155648 c:\windows\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
--a------ 2004-11-03 04:24 32768 c:\program files\CyberLink\PowerDVD\PDVDServ.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]
-ra------ 2006-03-31 00:45 313472 c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
--a------ 2004-12-20 19:41 33792 c:\program files\Winamp\winampa.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
-ra------ 2005-07-12 08:55 81920 c:\windows\SOUNDMAN.EXE

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=

R1 epfwtdir;epfwtdir;c:\windows\system32\drivers\epfwtdir.sys [2008-07-01 34312]
R2 ekrn;Eset Service;c:\program files\ESET\ESET NOD32 Antivirus\ekrn.exe [2008-07-01 468224]
R2 FirebirdGuardianDefaultInstance;Firebird Guardian - DefaultInstance;c:\firebird\bin\fbguard.exe -s --> c:\firebird\bin\fbguard.exe -s [?]
R3 FirebirdServerDefaultInstance;Firebird Server - DefaultInstance;c:\firebird\bin\fbserver.exe -s --> c:\firebird\bin\fbserver.exe -s [?]
R3 WB6692;%WB6692.DeviceDesc%;c:\windows\system32\drivers\WB692pci.sys [2006-09-30 135122]
S2 fips32cup;fips32cup;\??\c:\windows\system32\drivers\fips32cup.sys --> c:\windows\system32\drivers\fips32cup.sys [?]
S2 NMEmployeesAgent;Net Monitor for Employees Agent;c:\program files\Network LookOut\Net Monitor for Employees Professional\bin\NLSAgentSvc.exe --> c:\program files\Network LookOut\Net Monitor for Employees Professional\bin\NLSAgentSvc.exe [?]
S2 systemntmi;systemntmi;\??\c:\windows\system32\drivers\systemntmi.sys --> c:\windows\system32\drivers\systemntmi.sys [?]
S3 K320bus;Sony Ericsson K320 driver (WDM);c:\windows\system32\drivers\K320bus.sys [2007-07-13 61504]
S3 K320mdfl;Sony Ericsson K320 USB WMC Modem Filter;c:\windows\system32\drivers\K320mdfl.sys [2007-07-13 9328]
S3 K320mdm;Sony Ericsson K320 USB WMC Modem Driver;c:\windows\system32\drivers\K320mdm.sys [2007-07-13 97056]
S3 K320mgmt;Sony Ericsson K320 USB WMC Device Management Drivers (WDM);c:\windows\system32\drivers\K320mgmt.sys [2007-07-13 88560]
S3 K320obex;Sony Ericsson K320 USB WMC OBEX Interface;c:\windows\system32\drivers\K320obex.sys [2007-07-13 86368]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp
.
Contents of the 'Scheduled Tasks' folder

2009-03-14 c:\windows\Tasks\1-Click Maintenance.job
- c:\program files\TuneUp Utilities 2007\SystemOptimizer.exe [2006-12-19 16:53]
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-TWCU - c:\program files\TP-LINK\TWCU\TWCU.exe
HKLM-Run-egui - c:\program files\ESET\ESET NOD32 Antivirus\egui.exe
HKLM-Run-GrooveMonitor - c:\program files\Microsoft Office\Office12\GrooveMonitor.exe


.
------- Supplementary Scan -------
.
uStart Page = [Link visible only to logged-in users]
uDefault_Search_URL = [Link visible only to logged-in users]
uInternet Connection Wizard,ShellNext = iexplore
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
TCP: {38F7D43D-3EE3-4079-B6B7-3155ECCECE88} = 87.250.97.250,87.250.98.250
TCP: {A33E26F7-0F58-4B25-BE4E-695D784B58BC} = 87.250.98.250,87.250.97.250
DPF: DirectAnimation Java Classes - [Link visible only to logged-in users]\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - [Link visible only to logged-in users]\windows\Java\classes\xmldso.cab
DPF: {33331111-1111-1111-1111-615111193427}
FF - ProfilePath - c:\documents and settings\Korisnik\Application Data\Mozilla\Firefox\Profiles\jbi84gfc.default\
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [Link visible only to logged-in users]
Rootkit scan 2009-03-17 14:57:02
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(580)
c:\windows\system32\Ati2evxx.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\windows\system32\ati2evxx.exe
c:\windows\system32\acs.exe
c:\firebird\bin\fbguard.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\firebird\bin\fbserver.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2009-03-17 15:00:31 - machine was rebooted
ComboFix-quarantined-files.txt 2009-03-17 14:00:28
ComboFix2.txt 2009-03-17 09:18:17

Pre-Run: 17,275,207,680 bytes free
Post-Run: 17,228,808,192 bytes free

221 --- E O F --- 2009-03-16 15:05:29

Addendum: 17 Mar 2009 16:19

I don't know whether you read the bottom of my previous post, where I wrote that my computer has now slowed down even more. NOD is gone, and everything opens slowly. In Task Manager some processes named "1", "1066" and "1786" appeared, and they were using 100% of the CPU. I closed them all. One more is still left, so I'm sending you a screenshot. I have never seen processes like these before.



offline
  • dr_Bora  Male
  • Anti Malware Fighter
    Rank 2
  • Joined: 24 Jul 2007
  • Posts: 12280
  • Location: Höganäs, SE

Open Notepad and copy in the following text:


Driver::
fips32cup
systemntmi



Save the file from Notepad to the Desktop as "CFScript".




Drag the saved script/text file onto the ComboFix icon, as shown in the picture.
In your next post, include the log that is produced at the end of the cleaning/scan.



offline
  • Joined: 20 Mar 2007
  • Posts: 97

In the meantime I installed NOD, and it deleted some 4 trojans. And a moment before I was about to post the log for you, the computer froze.
I had to restart.


ComboFix 09-03-15.01 - Korisnik 2009-03-17 17:02:23.4 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.511.193 [GMT 1:00]
Running from: c:\documents and settings\Korisnik\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Korisnik\Desktop\CFScript.txt
AV: ESET NOD32 Antivirus 3.0 *On-access scanning enabled* (Updated)
* Created a new restore point
* Resident AV is active


WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_SYSTEMNTMI
-------\Service_fips32cup
-------\Service_systemntmi


((((((((((((((((((((((((( Files Created from 2009-02-17 to 2009-03-17 )))))))))))))))))))))))))))))))
.

2009-03-17 10:43 . 2009-03-17 17:08 <DIR> d-------- c:\windows\system32\CatRoot_bak
2009-03-16 16:01 . 2009-03-16 16:01 <DIR> d-------- c:\program files\MSXML 4.0
2009-03-16 13:15 . 2009-03-16 13:16 3,084,099 --a------ C:\ComboFix.rar
2009-03-16 09:21 . 2009-03-16 09:20 66,048 --a------ C:\mbr.exe
2009-03-16 08:37 . 2009-03-16 08:37 <DIR> d-------- c:\windows\system32\LogFiles
2009-03-16 08:08 . 2008-12-12 18:33 3,060,224 -----c--- c:\windows\system32\dllcache\mshtml.dll
2009-03-16 08:08 . 2008-08-14 11:00 2,180,352 -----c--- c:\windows\system32\dllcache\ntoskrnl.exe
2009-03-16 08:08 . 2008-08-14 10:58 2,136,064 -----c--- c:\windows\system32\dllcache\ntkrnlmp.exe
2009-03-16 08:08 . 2008-08-14 10:22 2,057,728 -----c--- c:\windows\system32\dllcache\ntkrnlpa.exe
2009-03-16 08:08 . 2008-08-14 10:22 2,015,744 -----c--- c:\windows\system32\dllcache\ntkrpamp.exe
2009-03-16 08:04 . 2008-05-01 15:30 331,776 -----c--- c:\windows\system32\dllcache\msadce.dll
2009-03-16 08:03 . 2008-04-11 19:50 683,520 -----c--- c:\windows\system32\dllcache\inetcomm.dll
2009-03-16 08:03 . 2008-10-03 11:15 247,326 -----c--- c:\windows\system32\dllcache\strmdll.dll
2009-03-14 15:26 . 2006-10-26 19:56 32,592 --a------ c:\windows\system32\msonpmon.dll
2009-03-14 15:23 . 2009-03-14 15:23 <DIR> d-------- c:\program files\MSBuild
2009-03-14 15:23 . 2009-03-14 15:23 <DIR> d-------- c:\program files\Microsoft Works
2009-03-14 15:22 . 2009-03-14 15:22 <DIR> d-------- c:\program files\Microsoft.NET
2009-03-14 15:11 . 2003-02-28 18:26 139,536 --a------ c:\windows\system32\javaee.dll
2009-03-14 15:09 . 2009-03-14 15:09 <DIR> d-------- c:\program files\Microsoft Visual Studio 8
2009-03-14 15:07 . 2009-03-14 15:32 <DIR> d-------- c:\documents and settings\All Users\Application Data\Microsoft Help
2009-03-14 15:05 . 2009-03-14 15:05 <DIR> dr-h----- C:\MSOCache
2009-03-14 15:04 . 2009-03-14 15:04 316,640 --a------ c:\windows\WMSysPr9.prx
2009-03-14 14:47 . 2004-08-04 00:56 239,616 --------- c:\windows\system32\wstrenderer.ax
2009-03-14 14:47 . 2004-08-04 00:56 164,352 --------- c:\windows\system32\wstpager.ax
2009-03-14 14:47 . 2004-08-04 00:56 96,768 -----c--- c:\windows\system32\dllcache\dpcdll.dll
2009-03-14 14:47 . 2004-08-04 00:56 53,248 --------- c:\windows\system32\vbicodec.ax
2009-03-14 14:47 . 2004-08-03 23:08 40,832 --------- c:\windows\system32\drivers\irbus.sys
2009-03-14 14:47 . 2004-08-03 22:59 9,728 --------- c:\windows\system32\comsdupd.exe
2009-03-14 14:43 . 2009-03-14 14:43 <DIR> d-------- c:\windows\ServicePackFiles
2009-03-14 14:37 . 2004-07-17 11:40 19,528 --a------ c:\windows\002520_.tmp
2009-03-14 14:34 . 2009-03-14 14:34 <DIR> d-------- c:\windows\EHome
2009-03-14 13:35 . 2006-08-25 16:45 617,472 -----c--- c:\windows\system32\dllcache\comctl32.dll
2009-03-14 13:35 . 2008-06-20 11:45 360,320 --a--c--- c:\windows\system32\dllcache\tcpip.sys
2009-03-14 13:31 . 2006-07-14 16:25 546,304 -----c--- c:\windows\system32\dllcache\hhctrl.ocx
2009-03-14 13:31 . 2008-10-15 17:57 332,800 -----c--- c:\windows\system32\dllcache\netapi32.dll
2009-03-14 13:31 . 2008-06-20 10:52 225,920 --a--c--- c:\windows\system32\dllcache\tcpip6.sys
2009-03-14 13:31 . 2006-08-16 12:58 100,352 -----c--- c:\windows\system32\dllcache\6to4svc.dll
2009-03-14 13:30 . 2006-06-22 11:47 181,248 -----c--- c:\windows\system32\dllcache\rasmans.dll
2009-03-14 13:26 . 2006-05-19 13:59 111,616 -----c--- c:\windows\system32\dllcache\dhcpcsvc.dll
2009-03-14 13:26 . 2006-05-19 13:59 94,720 -----c--- c:\windows\system32\dllcache\iphlpapi.dll
2009-03-14 13:18 . 2009-03-14 13:18 <DIR> d-------- c:\windows\system32\bits
2009-03-14 13:17 . 2006-03-17 01:38 28,672 --------- c:\windows\system32\verclsid.exe
2009-03-14 13:17 . 2009-03-16 16:05 1,374 --a------ c:\windows\imsins.BAK
2009-03-14 13:16 . 2009-03-14 13:16 <DIR> d-------- c:\windows\system32\bfubackups
2009-03-14 12:41 . 2004-08-04 00:56 2,897,920 --------- c:\windows\system32\xpsp2res.dll
2009-03-14 12:41 . 2004-08-04 00:56 713,216 --a------ c:\windows\system32\sxs.dll
2009-03-14 12:41 . 2004-08-04 00:56 87,552 --a------ c:\windows\system32\fldrclnr.dll
2009-03-14 12:36 . 2009-03-16 16:05 <DIR> d--h----- c:\windows\$hf_mig$
2009-03-14 12:36 . 2005-02-25 04:35 22,752 --a------ c:\windows\system32\spupdsvc.exe
2009-03-14 12:35 . 2008-06-20 18:41 148,992 --a--c--- c:\windows\system32\dllcache\dnsapi.dll
2009-03-14 12:35 . 2006-06-26 18:37 8,192 -----c--- c:\windows\system32\dllcache\rasadhlp.dll
2009-03-14 12:30 . 2009-03-14 12:31 <DIR> d-------- c:\program files\Unlocker
2009-03-14 12:30 . 2008-10-16 14:09 31,768 --a------ c:\windows\system32\wucltui.dll.mui
2009-03-14 12:30 . 2008-10-16 14:07 23,576 --a------ c:\windows\system32\wuaucpl.cpl.mui
2009-03-14 12:30 . 2008-10-16 14:07 23,576 --a------ c:\windows\system32\wuapi.dll.mui
2009-03-14 12:30 . 2008-10-16 14:07 18,456 --a------ c:\windows\system32\wuaueng.dll.mui
2009-03-14 12:19 . 2009-03-14 12:19 <DIR> d-------- c:\program files\TuneUp Utilities 2007
2009-03-14 12:19 . 2009-03-14 12:19 <DIR> d-------- c:\documents and settings\Korisnik\Application Data\TuneUp Software
2009-03-14 12:19 . 2006-12-19 16:53 24,072 --a------ c:\windows\system32\uxtuneup.dll
2009-03-14 12:18 . 2009-03-14 12:18 <DIR> d-------- c:\program files\Common Files\Wise Installation Wizard
2009-03-14 12:18 . 2009-03-14 12:18 <DIR> d-------- c:\documents and settings\All Users\Application Data\TuneUp Software
2009-03-13 10:32 . 2009-03-13 10:32 <DIR> d-------- c:\windows\ePlusMenuCAD
2009-03-13 10:32 . 2009-03-13 10:36 <DIR> d-------- c:\program files\ePlusMenuCAD
2009-03-11 14:30 . 2009-03-14 12:43 <DIR> d-------- c:\program files\Google
2009-03-10 09:12 . 2009-03-14 12:51 <DIR> d-------- C:\Ulysse
2009-03-10 09:12 . 2009-03-13 13:44 2,229 --a------ c:\windows\ulysse.ini
2009-03-10 09:10 . 2009-03-10 09:10 <DIR> d-------- c:\documents and settings\Korisnik\WINDOWS
2009-03-09 09:54 . 2009-03-17 09:02 <DIR> d-------- c:\program files\ABBYY FineReader 7.0 Professional Edition
2009-03-09 08:36 . 2009-03-09 08:36 <DIR> d-------- c:\documents and settings\Korisnik\Application Data\ABBYY
2009-03-09 08:35 . 2009-03-09 08:35 <DIR> d-------- c:\documents and settings\All Users\Application Data\ABBYY
2009-03-06 08:50 . 2009-03-06 08:50 <DIR> d-------- c:\windows\system32\Adobe
2009-03-06 08:50 . 2009-03-06 08:50 <DIR> d-------- c:\windows\Profiles
2009-03-06 08:50 . 2009-03-06 08:50 <DIR> d-------- c:\documents and settings\Korisnik\Application Data\InterTrust
2009-03-06 08:50 . 1998-10-29 14:45 306,688 --a------ c:\windows\IsUninst.exe
2009-03-03 13:30 . 2009-03-03 13:30 0 --a------ c:\windows\nsreg.dat

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-03-17 15:19 --------- d-----w c:\program files\Rainlendar
2009-03-14 11:51 --------- d-----w c:\program files\totalcmd
2009-03-06 07:50 --------- d-----w c:\program files\Common Files\Adobe
2009-01-27 12:59 --------- d-----w c:\program files\GlobalMapper10
2008-03-13 22:34 2,568,840 ----a-w c:\program files\ask_install.exe
.

((((((((((((((((((((((((((((( [Link visible only to logged-in users] )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-03-17 15:31:30 10,134 ----a-r c:\windows\Installer\{57ECFB4D-FE11-491A-9AA0-0AF7C3ABC51D}\callmsi.exe
+ 2009-03-17 15:31:30 136,448 ----a-r c:\windows\Installer\{57ECFB4D-FE11-491A-9AA0-0AF7C3ABC51D}\egui.exe
- 2008-06-26 16:49:08 25,214 ----a-r c:\windows\Installer\{AC76BA86-7AD7-1033-7B44-A71000000002}\SC_Reader.exe
+ 2009-03-17 15:49:41 25,214 ----a-r c:\windows\Installer\{AC76BA86-7AD7-1033-7B44-A71000000002}\SC_Reader.exe
+ 2004-08-03 23:56:52 93,184 -c--a-w c:\windows\system32\dllcache\iexplore.exe
- 2008-07-01 07:56:22 39,944 ----a-w c:\windows\system32\drivers\eamon.sys
+ 2007-12-21 07:19:54 39,944 ----a-w c:\windows\system32\drivers\eamon.sys
- 2008-07-01 07:57:14 53,256 ----a-w c:\windows\system32\drivers\easdrv.sys
+ 2007-12-21 07:20:14 30,216 ----a-w c:\windows\system32\drivers\easdrv.sys
- 2008-07-01 08:04:40 34,312 ----a-w c:\windows\system32\drivers\epfwtdir.sys
+ 2007-12-21 07:21:56 33,800 ----a-w c:\windows\system32\drivers\epfwtdir.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"egui"="c:\program files\ESET\ESET NOD32 Antivirus\egui.exe" [2007-12-21 1443072]

c:\documents and settings\Korisnik\Start Menu\Programs\Startup\
Rainlendar.lnk - c:\program files\Rainlendar\Rainlendar.exe [2006-01-21 118784]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-04-23 29696]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^AutoCAD Startup Accelerator.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\AutoCAD Startup Accelerator.lnk
backup=c:\windows\pss\AutoCAD Startup Accelerator.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
c:\windows\system32\dumprep 0 -k [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\FineReader7NewsReaderPro]
--a------ 2009-03-17 08:10 20112 c:\program files\ABBYY FineReader 7.0 Professional Edition\AbbyyNewsReader.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
--a------ 2005-08-12 01:30 249856 c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
--a------ 2005-08-12 01:30 81920 c:\program files\Common Files\InstallShield\UpdateService\issch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2001-07-09 18:50 155648 c:\windows\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
--a------ 2004-11-03 04:24 32768 c:\program files\CyberLink\PowerDVD\PDVDServ.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]
-ra------ 2006-03-31 00:45 313472 c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
--a------ 2004-12-20 19:41 33792 c:\program files\Winamp\winampa.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
-ra------ 2005-07-12 08:55 81920 c:\windows\SOUNDMAN.EXE

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=

R1 epfwtdir;epfwtdir;c:\windows\system32\drivers\epfwtdir.sys [2007-12-21 33800]
R2 ekrn;Eset Service;c:\program files\ESET\ESET NOD32 Antivirus\ekrn.exe [2007-12-21 468224]
R2 FirebirdGuardianDefaultInstance;Firebird Guardian - DefaultInstance;c:\firebird\bin\fbguard.exe -s --> c:\firebird\bin\fbguard.exe -s [?]
R3 FirebirdServerDefaultInstance;Firebird Server - DefaultInstance;c:\firebird\bin\fbserver.exe -s --> c:\firebird\bin\fbserver.exe -s [?]
R3 WB6692;%WB6692.DeviceDesc%;c:\windows\system32\drivers\WB692pci.sys [2006-09-30 135122]
S2 netsik;netsik;\??\c:\windows\system32\drivers\netsik.sys --> c:\windows\system32\drivers\netsik.sys [?]
S2 NMEmployeesAgent;Net Monitor for Employees Agent;c:\program files\Network LookOut\Net Monitor for Employees Professional\bin\NLSAgentSvc.exe --> c:\program files\Network LookOut\Net Monitor for Employees Professional\bin\NLSAgentSvc.exe [?]
S3 K320bus;Sony Ericsson K320 driver (WDM);c:\windows\system32\drivers\K320bus.sys [2007-07-13 61504]
S3 K320mdfl;Sony Ericsson K320 USB WMC Modem Filter;c:\windows\system32\drivers\K320mdfl.sys [2007-07-13 9328]
S3 K320mdm;Sony Ericsson K320 USB WMC Modem Driver;c:\windows\system32\drivers\K320mdm.sys [2007-07-13 97056]
S3 K320mgmt;Sony Ericsson K320 USB WMC Device Management Drivers (WDM);c:\windows\system32\drivers\K320mgmt.sys [2007-07-13 88560]
S3 K320obex;Sony Ericsson K320 USB WMC OBEX Interface;c:\windows\system32\drivers\K320obex.sys [2007-07-13 86368]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp
.
Contents of the 'Scheduled Tasks' folder

2009-03-14 c:\windows\Tasks\1-Click Maintenance.job
- c:\program files\TuneUp Utilities 2007\SystemOptimizer.exe [2006-12-19 16:53]
.
.
------- Supplementary Scan -------
.
uStart Page = [Link visible only to logged-in users]
uDefault_Search_URL = [Link visible only to logged-in users]
uInternet Connection Wizard,ShellNext = iexplore
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
TCP: {38F7D43D-3EE3-4079-B6B7-3155ECCECE88} = 87.250.97.250,87.250.98.250
TCP: {A33E26F7-0F58-4B25-BE4E-695D784B58BC} = 87.250.98.250,87.250.97.250
DPF: DirectAnimation Java Classes - [Link visible only to logged-in users]\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - [Link visible only to logged-in users]\windows\Java\classes\xmldso.cab
DPF: {33331111-1111-1111-1111-615111193427}
FF - ProfilePath - c:\documents and settings\Korisnik\Application Data\Mozilla\Firefox\Profiles\jbi84gfc.default\
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [Link visible only to logged-in users]
Rootkit scan 2009-03-17 17:09:38
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(576)
c:\windows\system32\Ati2evxx.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\windows\system32\ati2evxx.exe
c:\windows\system32\acs.exe
c:\firebird\bin\fbguard.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\firebird\bin\fbserver.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2009-03-17 17:13:24 - machine was rebooted
ComboFix-quarantined-files.txt 2009-03-17 16:13:22
ComboFix2.txt 2009-03-17 14:00:32
ComboFix3.txt 2009-03-17 09:18:17

Pre-Run: 17,294,442,496 bytes free
Post-Run: 17,315,581,952 bytes free

227 --- E O F --- 2009-03-16 15:05:29

Addendum: 17 Mar 2009 17:29

And once again my computer froze, right after posting this log. After the restart it found 2 more viruses, these 2 at the top:




Addendum: 17 Mar 2009 17:39

And again I have some "numeric" process:

offline
  • dr_Bora  Male
  • Anti Malware Fighter
    Rank 2
  • Joined: 24 Jul 2007
  • Posts: 12280
  • Location: Höganäs, SE

Hmm... New infections keep appearing from one log to the next.

Post fresh Gmer logs.

offline
  • Joined: 20 Mar 2007
  • Posts: 97

In the meantime something "ate" my Mozilla, so I can't start it. It says missing shortcut. Luckily Explorer works.


[Links are visible only to logged-in users]

[Links are visible only to logged-in users]

offline
  • dr_Bora  Male
  • Anti Malware Fighter
    Rank 2
  • Joined: 24 Jul 2007
  • Posts: 12280
  • Location: Höganäs, SE

Open Notepad and copy the following text:


Driver::
netsik

Rootkit::
c:\windows\system32\drivers\netsik.sys



Save the file from Notepad to the Desktop as "CFScript"




Drag the saved script/text onto the ComboFix icon as shown in the picture.
In your next post, post the log that is created at the end of the cleaning/scanning.

offline
  • Joined: 20 Mar 2007
  • Posts: 97

ComboFix 09-03-15.01 - Korisnik 2009-03-18 11:33:54.5 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.511.111 [GMT 1:00]
Running from: c:\documents and settings\Korisnik\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Korisnik\Desktop\CFScript.txt
AV: ESET NOD32 Antivirus 3.0 *On-access scanning enabled* (Updated)
* Created a new restore point
* Resident AV is active


WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_NETSIK
-------\Service_netsik


((((((((((((((((((((((((( Files Created from 2009-02-18 to 2009-03-18 )))))))))))))))))))))))))))))))
.

2009-03-18 08:04 . 2009-03-18 08:21 <DIR> d-------- c:\documents and settings\Korisnik\Contacts
2009-03-18 08:01 . 2009-03-18 08:01 <DIR> d-------- c:\program files\MSN Messenger
2009-03-17 19:33 . 2009-03-17 19:33 <DIR> d-------- c:\program files\Network LookOut
2009-03-17 18:59 . 2009-03-17 19:06 25,171,704 --a------ c:\documents and settings\All Users\Application Data\nmemplpro.exe
2009-03-17 18:47 . 2009-03-17 18:47 45,056 --a------ c:\windows\system32\UTSCSI.EXE
2009-03-17 17:33 . 2009-03-17 17:33 <DIR> d-------- c:\program files\MathType
2009-03-17 10:43 . 2009-03-17 17:08 <DIR> d-------- c:\windows\system32\CatRoot_bak
2009-03-16 16:01 . 2009-03-16 16:01 <DIR> d-------- c:\program files\MSXML 4.0
2009-03-16 13:15 . 2009-03-16 13:16 3,084,099 --a------ C:\ComboFix.rar
2009-03-16 09:21 . 2009-03-16 09:20 66,048 --a------ C:\mbr.exe
2009-03-16 08:37 . 2009-03-16 08:37 <DIR> d-------- c:\windows\system32\LogFiles
2009-03-16 08:08 . 2008-12-12 18:33 3,060,224 -----c--- c:\windows\system32\dllcache\mshtml.dll
2009-03-16 08:08 . 2008-08-14 11:00 2,180,352 -----c--- c:\windows\system32\dllcache\ntoskrnl.exe
2009-03-16 08:08 . 2008-08-14 10:58 2,136,064 -----c--- c:\windows\system32\dllcache\ntkrnlmp.exe
2009-03-16 08:08 . 2008-08-14 10:22 2,057,728 -----c--- c:\windows\system32\dllcache\ntkrnlpa.exe
2009-03-16 08:08 . 2008-08-14 10:22 2,015,744 -----c--- c:\windows\system32\dllcache\ntkrpamp.exe
2009-03-16 08:04 . 2008-05-01 15:30 331,776 -----c--- c:\windows\system32\dllcache\msadce.dll
2009-03-16 08:03 . 2008-04-11 19:50 683,520 -----c--- c:\windows\system32\dllcache\inetcomm.dll
2009-03-16 08:03 . 2008-10-03 11:15 247,326 -----c--- c:\windows\system32\dllcache\strmdll.dll
2009-03-14 15:26 . 2006-10-26 19:56 32,592 --a------ c:\windows\system32\msonpmon.dll
2009-03-14 15:23 . 2009-03-14 15:23 <DIR> d-------- c:\program files\MSBuild
2009-03-14 15:23 . 2009-03-14 15:23 <DIR> d-------- c:\program files\Microsoft Works
2009-03-14 15:22 . 2009-03-14 15:22 <DIR> d-------- c:\program files\Microsoft.NET
2009-03-14 15:11 . 2003-02-28 18:26 139,536 --a------ c:\windows\system32\javaee.dll
2009-03-14 15:09 . 2009-03-14 15:09 <DIR> d-------- c:\program files\Microsoft Visual Studio 8
2009-03-14 15:07 . 2009-03-14 15:32 <DIR> d-------- c:\documents and settings\All Users\Application Data\Microsoft Help
2009-03-14 15:05 . 2009-03-14 15:05 <DIR> dr-h----- C:\MSOCache
2009-03-14 15:04 . 2009-03-14 15:04 316,640 --a------ c:\windows\WMSysPr9.prx
2009-03-14 14:47 . 2004-08-04 00:56 239,616 --------- c:\windows\system32\wstrenderer.ax
2009-03-14 14:47 . 2004-08-04 00:56 164,352 --------- c:\windows\system32\wstpager.ax
2009-03-14 14:47 . 2004-08-04 00:56 96,768 -----c--- c:\windows\system32\dllcache\dpcdll.dll
2009-03-14 14:47 . 2004-08-04 00:56 53,248 --------- c:\windows\system32\vbicodec.ax
2009-03-14 14:47 . 2004-08-03 23:08 40,832 --------- c:\windows\system32\drivers\irbus.sys
2009-03-14 14:47 . 2004-08-03 22:59 9,728 --------- c:\windows\system32\comsdupd.exe
2009-03-14 14:43 . 2009-03-14 14:43 <DIR> d-------- c:\windows\ServicePackFiles
2009-03-14 14:37 . 2004-07-17 11:40 19,528 --a------ c:\windows\002520_.tmp
2009-03-14 14:34 . 2009-03-14 14:34 <DIR> d-------- c:\windows\EHome
2009-03-14 13:35 . 2006-08-25 16:45 617,472 -----c--- c:\windows\system32\dllcache\comctl32.dll
2009-03-14 13:35 . 2008-06-20 11:45 360,320 --a--c--- c:\windows\system32\dllcache\tcpip.sys
2009-03-14 13:31 . 2006-07-14 16:25 546,304 -----c--- c:\windows\system32\dllcache\hhctrl.ocx
2009-03-14 13:31 . 2008-10-15 17:57 332,800 -----c--- c:\windows\system32\dllcache\netapi32.dll
2009-03-14 13:31 . 2008-06-20 10:52 225,920 --a--c--- c:\windows\system32\dllcache\tcpip6.sys
2009-03-14 13:31 . 2006-08-16 12:58 100,352 -----c--- c:\windows\system32\dllcache\6to4svc.dll
2009-03-14 13:30 . 2006-06-22 11:47 181,248 -----c--- c:\windows\system32\dllcache\rasmans.dll
2009-03-14 13:26 . 2006-05-19 13:59 111,616 -----c--- c:\windows\system32\dllcache\dhcpcsvc.dll
2009-03-14 13:26 . 2006-05-19 13:59 94,720 -----c--- c:\windows\system32\dllcache\iphlpapi.dll
2009-03-14 13:18 . 2009-03-14 13:18 <DIR> d-------- c:\windows\system32\bits
2009-03-14 13:17 . 2006-03-17 01:38 28,672 --------- c:\windows\system32\verclsid.exe
2009-03-14 13:17 . 2009-03-16 16:05 1,374 --a------ c:\windows\imsins.BAK
2009-03-14 13:16 . 2009-03-14 13:16 <DIR> d-------- c:\windows\system32\bfubackups
2009-03-14 12:41 . 2004-08-04 00:56 2,897,920 --------- c:\windows\system32\xpsp2res.dll
2009-03-14 12:41 . 2004-08-04 00:56 713,216 --a------ c:\windows\system32\sxs.dll
2009-03-14 12:41 . 2004-08-04 00:56 87,552 --a------ c:\windows\system32\fldrclnr.dll
2009-03-14 12:36 . 2009-03-16 16:05 <DIR> d--h----- c:\windows\$hf_mig$
2009-03-14 12:36 . 2005-02-25 04:35 22,752 --a------ c:\windows\system32\spupdsvc.exe
2009-03-14 12:35 . 2008-06-20 18:41 148,992 --a--c--- c:\windows\system32\dllcache\dnsapi.dll
2009-03-14 12:35 . 2006-06-26 18:37 8,192 -----c--- c:\windows\system32\dllcache\rasadhlp.dll
2009-03-14 12:30 . 2009-03-14 12:31 <DIR> d-------- c:\program files\Unlocker
2009-03-14 12:30 . 2008-10-16 14:09 31,768 --a------ c:\windows\system32\wucltui.dll.mui
2009-03-14 12:30 . 2008-10-16 14:07 23,576 --a------ c:\windows\system32\wuaucpl.cpl.mui
2009-03-14 12:30 . 2008-10-16 14:07 23,576 --a------ c:\windows\system32\wuapi.dll.mui
2009-03-14 12:30 . 2008-10-16 14:07 18,456 --a------ c:\windows\system32\wuaueng.dll.mui
2009-03-14 12:19 . 2009-03-14 12:19 <DIR> d-------- c:\program files\TuneUp Utilities 2007
2009-03-14 12:19 . 2009-03-14 12:19 <DIR> d-------- c:\documents and settings\Korisnik\Application Data\TuneUp Software
2009-03-14 12:19 . 2006-12-19 16:53 24,072 --a------ c:\windows\system32\uxtuneup.dll
2009-03-14 12:18 . 2009-03-14 12:18 <DIR> d-------- c:\program files\Common Files\Wise Installation Wizard
2009-03-14 12:18 . 2009-03-14 12:18 <DIR> d-------- c:\documents and settings\All Users\Application Data\TuneUp Software
2009-03-13 10:32 . 2009-03-13 10:32 <DIR> d-------- c:\windows\ePlusMenuCAD
2009-03-13 10:32 . 2009-03-13 10:36 <DIR> d-------- c:\program files\ePlusMenuCAD
2009-03-11 14:30 . 2009-03-14 12:43 <DIR> d-------- c:\program files\Google
2009-03-10 09:12 . 2009-03-14 12:51 <DIR> d-------- C:\Ulysse
2009-03-10 09:12 . 2009-03-13 13:44 2,229 --a------ c:\windows\ulysse.ini
2009-03-10 09:10 . 2009-03-10 09:10 <DIR> d-------- c:\documents and settings\Korisnik\WINDOWS
2009-03-09 09:54 . 2009-03-18 11:35 <DIR> d-------- c:\program files\ABBYY FineReader 7.0 Professional Edition
2009-03-09 08:36 . 2009-03-09 08:36 <DIR> d-------- c:\documents and settings\Korisnik\Application Data\ABBYY
2009-03-09 08:35 . 2009-03-09 08:35 <DIR> d-------- c:\documents and settings\All Users\Application Data\ABBYY
2009-03-06 08:50 . 2009-03-06 08:50 <DIR> d-------- c:\windows\system32\Adobe
2009-03-06 08:50 . 2009-03-06 08:50 <DIR> d-------- c:\windows\Profiles
2009-03-06 08:50 . 2009-03-06 08:50 <DIR> d-------- c:\documents and settings\Korisnik\Application Data\InterTrust
2009-03-06 08:50 . 1998-10-29 14:45 306,688 --a------ c:\windows\IsUninst.exe
2009-03-03 13:30 . 2009-03-03 13:30 0 --a------ c:\windows\nsreg.dat

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-03-17 17:17 --------- d-----w c:\program files\Rainlendar
2009-03-14 11:51 --------- d-----w c:\program files\totalcmd
2009-03-06 07:50 --------- d-----w c:\program files\Common Files\Adobe
2009-01-27 12:59 --------- d-----w c:\program files\GlobalMapper10
2008-03-13 22:34 2,568,840 ----a-w c:\program files\ask_install.exe
.

((((((((((((((((((((((((((((( [Link mogu videti samo ulogovani korisnici] )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-03-18 07:02:13 29,926 ----a-r c:\windows\Installer\{571700F0-DB9D-4B3A-B03D-35A14BB5939F}\MsblIco.Exe
+ 2009-03-17 15:31:30 10,134 ----a-r c:\windows\Installer\{57ECFB4D-FE11-491A-9AA0-0AF7C3ABC51D}\callmsi.exe
+ 2009-03-17 15:31:30 136,448 ----a-r c:\windows\Installer\{57ECFB4D-FE11-491A-9AA0-0AF7C3ABC51D}\egui.exe
- 2008-06-26 16:49:08 25,214 ----a-r c:\windows\Installer\{AC76BA86-7AD7-1033-7B44-A71000000002}\SC_Reader.exe
+ 2009-03-17 15:49:41 25,214 ----a-r c:\windows\Installer\{AC76BA86-7AD7-1033-7B44-A71000000002}\SC_Reader.exe
+ 2004-08-03 23:56:52 93,184 -c--a-w c:\windows\system32\dllcache\iexplore.exe
- 2008-07-01 07:56:22 39,944 ----a-w c:\windows\system32\drivers\eamon.sys
+ 2007-12-21 07:19:54 39,944 ----a-w c:\windows\system32\drivers\eamon.sys
- 2008-07-01 07:57:14 53,256 ----a-w c:\windows\system32\drivers\easdrv.sys
+ 2007-12-21 07:20:14 30,216 ----a-w c:\windows\system32\drivers\easdrv.sys
- 2008-07-01 08:04:40 34,312 ----a-w c:\windows\system32\drivers\epfwtdir.sys
+ 2007-12-21 07:21:56 33,800 ----a-w c:\windows\system32\drivers\epfwtdir.sys
- 2009-03-17 06:51:55 583,016 ----a-w c:\windows\system32\FNTCACHE.DAT
+ 2009-03-17 17:16:56 596,552 ----a-w c:\windows\system32\FNTCACHE.DAT
+ 2007-01-19 11:53:04 51,056 ----a-w c:\windows\system32\sirenacm.dll
+ 2006-06-05 13:14:28 479,232 ----a-w c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.163_x-ww_681e29fb\msvcm80.dll
+ 2006-06-05 13:14:28 548,864 ----a-w c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.163_x-ww_681e29fb\msvcp80.dll
+ 2006-06-05 13:14:28 626,688 ----a-w c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.163_x-ww_681e29fb\msvcr80.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"MsnMsgr"="c:\program files\MSN Messenger\MsnMsgr.Exe" [2007-01-19 5674352]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"egui"="c:\program files\ESET\ESET NOD32 Antivirus\egui.exe" [2007-12-21 1443072]

c:\documents and settings\Korisnik\Start Menu\Programs\Startup\
Rainlendar.lnk - c:\program files\Rainlendar\Rainlendar.exe [2006-01-21 118784]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-04-23 29696]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^AutoCAD Startup Accelerator.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\AutoCAD Startup Accelerator.lnk
backup=c:\windows\pss\AutoCAD Startup Accelerator.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
c:\windows\system32\dumprep 0 -k [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
--a------ 2005-08-12 01:30 249856 c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
--a------ 2005-08-12 01:30 81920 c:\program files\Common Files\InstallShield\UpdateService\issch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2001-07-09 18:50 155648 c:\windows\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
--a------ 2004-11-03 04:24 32768 c:\program files\CyberLink\PowerDVD\PDVDServ.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]
-ra------ 2006-03-31 00:45 313472 c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
--a------ 2004-12-20 19:41 33792 c:\program files\Winamp\winampa.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
-ra------ 2005-07-12 08:55 81920 c:\windows\SOUNDMAN.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"400:TCP"= 400:TCP:Net Monitor for Employees Configuration

R1 epfwtdir;epfwtdir;c:\windows\system32\drivers\epfwtdir.sys [2007-12-21 33800]
R2 ekrn;Eset Service;c:\program files\ESET\ESET NOD32 Antivirus\ekrn.exe [2007-12-21 468224]
R2 FirebirdGuardianDefaultInstance;Firebird Guardian - DefaultInstance;c:\firebird\bin\fbguard.exe -s --> c:\firebird\bin\fbguard.exe -s [?]
R2 NMEmployeesAgent;Net Monitor for Employees Agent;c:\program files\Network LookOut\mpNet Monitor for Employees Professional\bin\NLSAgentSvc.exe [2009-03-17 1136640]
R3 FirebirdServerDefaultInstance;Firebird Server - DefaultInstance;c:\firebird\bin\fbserver.exe -s --> c:\firebird\bin\fbserver.exe -s [?]
R3 WB6692;%WB6692.DeviceDesc%;c:\windows\system32\drivers\WB692pci.sys [2006-09-30 135122]
S2 nicsk32;nicsk32;\??\c:\windows\system32\drivers\nicsk32.sys --> c:\windows\system32\drivers\nicsk32.sys [?]
S2 ws2_32sik;ws2_32sik;\??\c:\windows\system32\drivers\ws2_32sik.sys --> c:\windows\system32\drivers\ws2_32sik.sys [?]
S3 K320bus;Sony Ericsson K320 driver (WDM);c:\windows\system32\drivers\K320bus.sys [2007-07-13 61504]
S3 K320mdfl;Sony Ericsson K320 USB WMC Modem Filter;c:\windows\system32\drivers\K320mdfl.sys [2007-07-13 9328]
S3 K320mdm;Sony Ericsson K320 USB WMC Modem Driver;c:\windows\system32\drivers\K320mdm.sys [2007-07-13 97056]
S3 K320mgmt;Sony Ericsson K320 USB WMC Device Management Drivers (WDM);c:\windows\system32\drivers\K320mgmt.sys [2007-07-13 88560]
S3 K320obex;Sony Ericsson K320 USB WMC OBEX Interface;c:\windows\system32\drivers\K320obex.sys [2007-07-13 86368]
S3 usnjsvc;Messenger Sharing Folders USN Journal Reader service;c:\program files\MSN Messenger\usnsvc.exe [2007-01-19 97136]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F]
\Shell\AutoRun\command - F:\VoIPFlashDisk.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a206cff6-131b-11de-a43e-000021fec628}]
\Shell\AutoRun\command - F:\VoIPFlashDisk.exe
.
Contents of the 'Scheduled Tasks' folder

2009-03-14 c:\windows\Tasks\1-Click Maintenance.job
- c:\program files\TuneUp Utilities 2007\SystemOptimizer.exe [2006-12-19 16:53]
.
- - - - ORPHANS REMOVED - - - -

MSConfigStartUp-FineReader7NewsReaderPro - c:\program files\ABBYY FineReader 7.0 Professional Edition\AbbyyNewsReader.exe


.
------- Supplementary Scan -------
.
uStart Page = [Link mogu videti samo ulogovani korisnici]
uDefault_Search_URL = [Link mogu videti samo ulogovani korisnici]
uInternet Connection Wizard,ShellNext = iexplore
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
TCP: {38F7D43D-3EE3-4079-B6B7-3155ECCECE88} = 87.250.97.250,87.250.98.250
TCP: {A33E26F7-0F58-4B25-BE4E-695D784B58BC} = 87.250.98.250,87.250.97.250
DPF: DirectAnimation Java Classes - [Link mogu videti samo ulogovani korisnici]\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - [Link mogu videti samo ulogovani korisnici]\windows\Java\classes\xmldso.cab
DPF: {33331111-1111-1111-1111-615111193427}
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [Link mogu videti samo ulogovani korisnici]
Rootkit scan 2009-03-18 11:39:39
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(576)
c:\windows\system32\Ati2evxx.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\windows\system32\ati2evxx.exe
c:\windows\system32\acs.exe
c:\firebird\bin\fbguard.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\windows\system32\UTSCSI.EXE
c:\firebird\bin\fbserver.exe
c:\windows\system32\wscntfy.exe
c:\program files\Network LookOut\mpNet Monitor for Employees Professional\bin\NLSAgent.exe
.
**************************************************************************
.
Completion time: 2009-03-18 11:43:03 - machine was rebooted
ComboFix-quarantined-files.txt 2009-03-18 10:43:00
ComboFix2.txt 2009-03-17 16:13:26
ComboFix3.txt 2009-03-17 14:00:32
ComboFix4.txt 2009-03-17 09:18:17

Pre-Run: 17,322,369,024 bytes free
Post-Run: 17,435,873,280 bytes free

255 --- E O F --- 2009-03-16 15:05:29

offline
  • dr_Bora  Male
  • Anti Malware Fighter
    Rank 2
  • Joined: 24 Jul 2007
  • Posts: 12280
  • Location: Höganäs, SE

Let's do an AV scan...


Download Dr.Web CureIt (~12 MB).
Restart the computer in Safe Mode (Safe Mode instructions)

Double-click launch.exe to run it, after which an introductory window will appear - click Start

A notice about the start of the initial scan will appear - click OK

Wait a few minutes for Dr.Web CureIt to perform the Express Scan; if malware is found, click the Yes to All button in the window that appears to allow the program to disinfect

Click Options > Change settings F9; in the window that opens, uncheck the Heuristic Analysis option and then click OK

In the main window select the Complete scan option and then click, and Dr.Web CureIt will start scanning

If malware is found, click the Yes to All button in the window that appears to allow the program to disinfect

When the scan is finished, click the Select all button (if available), then click Cure and,
in the menu that opens, click Move incurable:


When the process finishes, click File > Save report list and save the log to the Desktop


Copy the contents of the Dr.Web CureIt log into the forum thread.


After that, post a fresh ComboFix log as well.

offline
  • Joined: 20 Mar 2007
  • Posts: 97

Please excuse the delay, I've been swamped these days.
So, here's the thing: what I'm sending you is the result of the third scan in a row with DrWeb. The first 2 did not run to completion. I left the computer scanning and both times someone turned it off on me.
The first time it found some file during that initial scan and I chose "Move incurable" for it. The second time, during the complete scan, it found some file and offered the options "yes" and "no"; I chose "yes", but that scan did not finish either. I'm telling you this because I deleted those 2 files (or whatever the program did with them) and you can't see which ones they were, so I don't know how important that is to you.
Anyway, it found these 2 files on the third attempt:
psexec.cfexe      C:\ComboFix     Program.PsExec.171      Incurable.Moved.
NLSAgent.exe      C:\Program Files\Network LookOut\mpNet Monitor for Employees Professional\bin    Program.Netlookout     Incurable.Moved.

offline
  • dr_Bora  Male
  • Anti Malware Fighter
    Rank 2
  • Joined: 24 Jul 2007
  • Posts: 12280
  • Location: Höganäs, SE

Download the new ComboFix (from the links given above), run it and post the log you get.
