infection detected

offline
  • Joined: 27 Feb 2008
  • Posts: 30
  • Location: Modriča

Stealth MBR rootkit detector by Gmer, gmer.net

device: opend sucessfully
user: MBR read sucessfully
kernel: MBR read sucessfully
user & kernel MBR OK
INT 0x13 hook detected !

dr.web cureit:

Master Boot Record HDD1 BackDoor.MaosBoot Cured.
What's Wrong.swf C:\Documents and Settings\All Users\Documents\Daniel\Sajebansija Joke.Scream Incurable.Moved.
kl.exe.vir C:\QooBox\Quarantine\C Trojan.Packed.370 Deleted.
WLCtrl32.dll.vir C:\QooBox\Quarantine\C\WINDOWS\system32 Trojan.DownLoader.50037 Deleted.
WLCtrl32.dl_.vir C:\QooBox\Quarantine\C\WINDOWS\system32 Trojan.DownLoader.50037 Deleted.
A0011241.exe C:\System Volume Information\_restore{15EDF095-679B-4EBA-AC81-AD25DF5CB5B9}\RP22 Trojan.Packed.370 Deleted.
A0011271.exe C:\System Volume Information\_restore{15EDF095-679B-4EBA-AC81-AD25DF5CB5B9}\RP22 Trojan.Sklog Deleted.
A0011283.dll C:\System Volume Information\_restore{15EDF095-679B-4EBA-AC81-AD25DF5CB5B9}\RP23 Trojan.DownLoader.50037 Deleted.
A0011293.sys C:\System Volume Information\_restore{15EDF095-679B-4EBA-AC81-AD25DF5CB5B9}\RP23 BackDoor.Bulknet.157 Deleted.
A0011307.exe C:\System Volume Information\_restore{15EDF095-679B-4EBA-AC81-AD25DF5CB5B9}\RP24 Trojan.Packed.370 Deleted.
A0011402.dll C:\System Volume Information\_restore{15EDF095-679B-4EBA-AC81-AD25DF5CB5B9}\RP24 Trojan.DownLoader.50037 Deleted.
A0011409.sys C:\System Volume Information\_restore{15EDF095-679B-4EBA-AC81-AD25DF5CB5B9}\RP24 BackDoor.Bulknet.157 Deleted.
A0011425.dll C:\System Volume Information\_restore{15EDF095-679B-4EBA-AC81-AD25DF5CB5B9}\RP25 Trojan.DownLoader.50037 Deleted.
A0013446.exe C:\System Volume Information\_restore{15EDF095-679B-4EBA-AC81-AD25DF5CB5B9}\RP25 Trojan.DownLoader.49999 Deleted.
MFEX-1.DAT C:\System Volume Information\_restore{15EDF095-679B-4EBA-AC81-AD25DF5CB5B9}\RP25\snapshot Trojan.DownLoader.50037 Deleted.
wfpdisable.exe C:\WINDOWS\Super Turbo Tango Patcher\Tools Tool.WFPDisable Incurable.Moved.
tavla.exe D:\igre za instalaciju Win32.KME.based Incurable.Moved.
RADMIN 2.1.EXE D:\programi za instalaciju\Radmin\Radmin 2.1 + (zabranjeno) Program.RemoteAdmin Incurable.Moved.
A0013447.exe D:\System Volume Information\_restore{15EDF095-679B-4EBA-AC81-AD25DF5CB5B9}\RP25 Win32.KME.based Incurable.Moved.


Finally

offline
  • dr_Bora  Male
  • Anti Malware Fighter
    Rank 2
  • Joined: 24 Jul 2007
  • Posts: 12280
  • Location: Höganäs, SE

I'd ask you to repeat the Gmer scan and attach the log, and also to post a fresh ComboFix log.

offline
  • Joined: 27 Feb 2008
  • Posts: 30
  • Location: Modriča

ComboFix 08-03-14.2 - Petar 2008-03-15 22:18:24.7 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1250.1.1033.18.553 [GMT 1:00]
Running from: C:\Documents and Settings\Petar\Desktop\ComboFix_2.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((( Files Created from 2008-02-15 to 2008-03-15 )))))))))))))))))))))))))))))))
.

2008-03-15 19:30 . 2008-03-15 19:30 <DIR> d-------- C:\Documents and Settings\Petar\DoctorWeb
2008-03-15 10:44 . 2008-03-15 10:44 2,250,821 --a------ C:\QooBox.rar
2008-03-13 14:13 . 2008-03-15 18:55 <DIR> d-------- C:\Program Files\AIMP2
2008-03-12 21:53 . 2008-03-12 21:53 253,360 --a------ C:\WINDOWS\ProgDVB Uninstaller.exe
2008-03-12 21:18 . 2008-03-12 22:12 <DIR> d-------- C:\Program Files\SkyView
2008-03-11 12:06 . 2008-03-13 11:35 <DIR> d-------- C:\Program Files\David J Taylor
2008-03-10 18:54 . 2008-03-13 14:41 <DIR> d-------- C:\Program Files\ProgDVB
2008-03-10 17:15 . 2008-03-15 21:47 <DIR> d-------- C:\Program Files\DVB-S PowerInstall
2008-03-10 17:09 . 2008-03-10 17:21 <DIR> d-------- C:\Program Files\vPlug Files Center
2008-03-10 16:45 . 2008-03-10 16:45 <DIR> d-------- C:\Program Files\WinPcap
2008-03-10 16:44 . 2008-03-10 16:45 <DIR> d-------- C:\Program Files\SkyGrabber
2008-03-10 11:59 . 2008-03-10 12:12 <DIR> d-------- C:\Program Files\DVBViewerTE
2008-03-10 11:58 . 2008-03-10 11:59 <DIR> d-------- C:\Program Files\TechniSat DVB
2008-03-10 11:58 . 2008-03-10 11:58 <DIR> d-------- C:\Program Files\Common Files\Sonic Shared
2008-03-10 11:57 . 2008-03-10 11:57 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-03-10 11:57 . 2008-03-10 11:57 1,409 --a------ C:\WINDOWS\QTFont.for
2008-03-09 21:37 . 2008-03-09 21:37 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Mixesoft
2008-03-09 21:04 . 2008-03-12 22:14 34 --a------ C:\ProgDVB.ini
2008-03-09 20:57 . 2006-03-14 02:22 349,184 -ra------ C:\WINDOWS\system32\drivers\SkyNET.sys
2008-03-09 20:49 . 2008-03-09 20:49 <DIR> d-------- C:\Program Files\VIA
2008-03-04 16:53 . 2002-12-11 18:09 217,600 --a--c--- C:\WINDOWS\system32\dllcache\npdrmv2.dll
2008-03-04 16:53 . 2002-12-11 17:34 9,728 --a--c--- C:\WINDOWS\system32\dllcache\npwmsdrm.dll
2008-03-04 11:25 . 2008-03-04 11:25 0 --a------ C:\WINDOWS\system32\BSPRINT.INI
2008-03-03 01:17 . 2008-03-03 01:17 5,863 --a------ C:\WINDOWS\system32\ubuntu tema.Theme
2008-03-02 21:51 . 2008-03-02 22:17 <DIR> d-------- C:\Documents and Settings\Petar\Application Data\VoipBuster
2008-03-02 21:48 . 2008-03-02 21:48 <DIR> d-------- C:\Program Files\VoipBuster.com
2008-03-01 02:30 . 2008-03-01 02:30 <DIR> d-------- C:\Program Files\Windows Sidebar
2008-03-01 02:30 . 2008-03-01 02:34 <DIR> d-------- C:\Program Files\Common Files\Nero
2008-03-01 02:08 . 2002-12-27 04:41 26,880 --a------ C:\WINDOWS\system32\drivers\VIAAGP1.SYS
2008-03-01 01:35 . 2008-03-01 01:35 <DIR> d-------- C:\Documents and Settings\Petar\Application Data\Uniblue
2008-03-01 00:01 . 2008-03-01 00:01 <DIR> d-------- C:\Program Files\Shock Utility
2008-03-01 00:01 . 2008-03-01 00:01 65,536 --a------ C:\WINDOWS\IFinst27.exe
2008-02-28 19:45 . 2008-02-28 19:45 <DIR> d-------- C:\Program Files\Vasilios Applications
2008-02-28 19:29 . 2008-03-13 11:36 <DIR> d-------- C:\Program Files\Zortam Mp3 Media Studio
2008-02-28 19:20 . 2008-02-28 19:20 <DIR> d-------- C:\Program Files\NCH Swift Sound
2008-02-28 19:18 . 2008-02-28 19:18 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\DivX
2008-02-28 19:13 . 2008-02-28 19:44 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\NCH Software
2008-02-28 18:31 . 2002-11-22 14:46 554,776 --a------ C:\WINDOWS\system32\olelib.tlb
2008-02-28 18:17 . 2008-03-03 01:19 <DIR> d-------- C:\WINDOWS\Super Turbo Tango Patcher
2008-02-28 17:40 . 2005-03-24 13:24 153,718 --a------ C:\WINDOWS\boot.bmp
2008-02-28 17:35 . 2008-02-28 19:50 <DIR> d-------- C:\Program Files\Slimm Boot-Logo
2008-02-27 11:14 . 2008-03-15 21:58 250 --a------ C:\WINDOWS\gmer.ini
2008-02-27 10:11 . 2008-03-01 02:53 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-02-27 10:11 . 2008-03-01 02:53 <DIR> d-------- C:\Documents and Settings\Petar\Application Data\SUPERAntiSpyware.com
2008-02-27 10:11 . 2008-02-27 10:11 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-02-27 09:52 . 2008-02-27 09:56 <DIR> d-------- C:\fixwareout
2008-02-26 23:52 . 2008-03-15 21:49 <DIR> d-------- C:\WINDOWS\system32\CatRoot2
2008-02-26 22:58 . 2008-02-26 22:58 <DIR> d-------- C:\Documents and Settings\Petar\Application Data\Lavasoft
2008-02-26 22:31 . 2008-02-26 22:31 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-02-26 19:59 . 2008-02-26 20:10 8,192 --a------ C:\WINDOWS\Rpoint.exe
2008-02-26 19:58 . 2008-02-26 22:25 <DIR> d-------- C:\spywarebegone
2008-02-26 19:58 . 2008-02-26 19:58 170 --a------ C:\WINDOWS\spywarebegone-fullversion-installed.html
2008-02-26 15:27 . 2008-02-26 15:27 2,560 --a------ C:\WINDOWS\_MSRSTRT.EXE
2008-02-26 15:00 . 2002-11-22 01:00 221,184 --a------ C:\WINDOWS\system32\DartSock.dll
2008-02-26 15:00 . 2002-11-25 01:00 118,784 --a------ C:\WINDOWS\system32\DartWeb.dll
2008-02-26 15:00 . 2000-10-10 01:00 49,152 --a------ C:\WINDOWS\system32\DartObjects.dll
2008-02-26 14:56 . 2008-02-26 14:56 <DIR> d-------- C:\Program Files\Stardock
2008-02-26 14:56 . 2003-02-26 22:27 36,864 --------- C:\WINDOWS\system32\wbsys.dll
2008-02-25 15:55 . 2008-02-12 00:54 309,916 --a------ C:\WINDOWS\wall8_2.jpg
2008-02-25 15:50 . 2008-02-25 15:50 <DIR> d-------- C:\Program Files\TGTSoft
2008-02-25 15:22 . 2008-02-25 15:22 <DIR> d-------- C:\Program Files\VirtuallTek
2008-02-25 08:01 . 2008-03-01 03:51 <DIR> d-------- C:\Program Files\nLite
2008-02-16 00:55 . 2008-02-16 00:55 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Nokia
2008-02-16 00:54 . 2008-02-16 00:54 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Installations
2008-02-16 00:49 . 2008-02-26 21:14 <DIR> d-------- C:\Program Files\NSS
2008-02-16 00:49 . 2006-08-29 15:56 32,377 --a------ C:\WINDOWS\system32\drivers\prodigy.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-15 18:27 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-03-13 13:30 294,929 ---h--w C:\Documents and Settings\Petar\Application Data\TurboLaunch_IconCache.dat
2008-03-11 11:09 678,746 ----a-w C:\WINDOWS\unins000.exe
2008-03-11 07:33 --------- d-----w C:\Documents and Settings\Petar\Application Data\Azureus
2008-03-11 07:00 --------- d-----w C:\Program Files\Azureus
2008-03-10 10:58 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-03-09 20:20 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-03-04 09:25 --------- d-----w C:\Program Files\SpeedFan
2008-03-02 21:38 --------- d-----w C:\Documents and Settings\Petar\Application Data\Skype
2008-03-01 01:53 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-03-01 01:30 --------- d-----w C:\Documents and Settings\All Users\Application Data\Nero
2008-02-28 19:05 --------- d-----w C:\Program Files\RocketReader KidsV3
2008-02-28 19:05 --------- d-----r C:\Program Files\TypingMaster
2008-02-28 17:21 --------- d-----w C:\Program Files\Winamp
2008-02-28 17:19 2,320,384 ----a-w C:\WINDOWS\system32\ntoskrnl.exe
2008-02-28 17:19 2,187,264 ----a-w C:\WINDOWS\system32\ntkrnlpa.exe
2008-02-27 12:58 --------- d-----w C:\Program Files\PowerISO
2008-02-27 10:03 --------- d-----w C:\Program Files\Nokia
2008-02-27 10:03 --------- d-----w C:\Program Files\Common Files\Nokia
2008-02-26 20:41 --------- d-----w C:\Program Files\Bonjour
2008-02-26 20:23 --------- d-----w C:\Program Files\NeuroTran
2008-02-26 20:16 --------- d-----w C:\Program Files\TP
2008-02-26 20:08 --------- d-----w C:\Program Files\Common Files\Ahead
2008-02-26 20:06 --------- d-----w C:\Program Files\Morgan
2008-02-26 20:05 --------- d-----w C:\Program Files\mIRC
2008-02-26 20:02 --------- d-----w C:\Program Files\Hunting Unlimited 2
2008-02-26 19:53 --------- d-----w C:\Program Files\Free Audio Pack
2008-02-26 19:53 --------- d-----w C:\Program Files\eMule
2008-02-26 19:52 --------- d-----w C:\Program Files\DivX
2008-02-26 19:45 --------- d-----w C:\Documents and Settings\Petar\Application Data\BSplayer
2008-02-26 19:38 --------- d-----w C:\Program Files\Common Files\Adobe
2008-02-26 18:58 724,992 ----a-w C:\WINDOWS\iun6002.exe
2008-02-14 19:50 --------- d-----w C:\Documents and Settings\Petar\Application Data\Metacafe
2008-02-11 23:31 --------- d-----w C:\Program Files\ASUS
2008-02-11 17:56 163,644 ----a-w C:\WINDOWS\system32\drivers\secdrv.sys
2008-02-11 17:42 --------- d-----w C:\Program Files\Activision
2008-02-10 23:12 --------- d-----w C:\Program Files\Common Files\SWF Studio
2008-02-08 10:13 --------- d-----w C:\Program Files\VirtualDJ
2008-02-08 10:13 --------- d-----w C:\Program Files\Folder Marker
2008-02-08 10:13 --------- d-----w C:\Program Files\Cheatbook Database 2006
2008-02-08 10:12 --------- d-----w C:\Program Files\Solways Task Scheduler
2008-01-28 21:35 --------- d-----w C:\Program Files\SourceTec
2008-01-28 21:35 --------- d-----w C:\Program Files\Common Files\SourceTec
2008-01-17 21:33 --------- d-----w C:\Documents and Settings\All Users\Application Data\MicroSoftOcx
2008-01-15 13:55 --------- d-----w C:\Program Files\D-Tools
2008-01-08 21:58 47,360 ----a-w C:\Documents and Settings\Petar\Application Data\pcouffin.sys
2006-05-24 15:38 233,472 ----a-w C:\Program Files\mozilla firefox\plugins\CrazyTalk4Native.dll
2006-05-18 16:00 204,895 ----a-w C:\Program Files\mozilla firefox\plugins\ctdomemhelper.dll
2005-09-29 13:41 77,824 ----a-w C:\Program Files\mozilla firefox\plugins\ctframeplayerobject.dll
2006-05-18 15:59 426,081 ----a-w C:\Program Files\mozilla firefox\plugins\ctplayerobject.dll
2005-02-02 11:19 458,752 ----a-w C:\Program Files\mozilla firefox\plugins\imagickrt.dll
2006-04-10 17:35 139,264 ----a-w C:\Program Files\mozilla firefox\plugins\rlcontentclass.dll
2005-11-09 10:10 204,800 ----a-w C:\Program Files\mozilla firefox\plugins\RLMusicPacker.dll
2005-11-09 10:42 106,496 ----a-w C:\Program Files\mozilla firefox\plugins\RLMusicUnpacker.dll
2006-01-04 10:22 212,992 ----a-w C:\Program Files\mozilla firefox\plugins\RLVoicePacker.dll
2006-01-04 10:21 167,936 ----a-w C:\Program Files\mozilla firefox\plugins\RLVoiceUnpacker.dll
2004-08-03 22:56 93,184 --sha-w C:\WINDOWS\Super Turbo Tango Patcher\Backup\iexplore.exe
.

------- Sigcheck -------

2007-03-08 16:36 577536 b409909f6e2e8a7067076ed748abf1e7 C:\WINDOWS\SoftwareDistribution\Download\4d9d678c0d8af22c04a4a7fc7f1ff86c\sp2gdr\user32.dll
2007-03-08 16:48 578048 7aa4f6c00405dfc4b70ed4214e7d687b C:\WINDOWS\SoftwareDistribution\Download\4d9d678c0d8af22c04a4a7fc7f1ff86c\sp2qfe\user32.dll
2004-08-03 23:56 577024 c72661f8552ace7c5c85e16a3cf505c4 C:\WINDOWS\SoftwareDistribution\Download\972f9ceb5c3be430fe6cdcb43653d74d\backup\sp2gdr\user32.dll
2004-08-03 23:56 577024 c72661f8552ace7c5c85e16a3cf505c4 C:\WINDOWS\SoftwareDistribution\Download\972f9ceb5c3be430fe6cdcb43653d74d\backup\sp2qfe\user32.dll
2005-03-02 19:09 577024 de2db164bbb35db061af0997e4499054 C:\WINDOWS\SoftwareDistribution\Download\dc3b8fb011c281dea1cb7a45f880da78\sp2gdr\user32.dll
2005-03-02 19:19 577024 1800f293bccc8ede8a70e12b88d80036 C:\WINDOWS\SoftwareDistribution\Download\dc3b8fb011c281dea1cb7a45f880da78\sp2qfe\user32.dll
2005-03-02 19:09 577024 de2db164bbb35db061af0997e4499054 C:\WINDOWS\SoftwareDistribution\Download\dc3fa7fed4facc29618f4c01f9c9f686\sp2gdr\user32.dll
2005-03-02 19:19 577024 1800f293bccc8ede8a70e12b88d80036 C:\WINDOWS\SoftwareDistribution\Download\dc3fa7fed4facc29618f4c01f9c9f686\sp2qfe\user32.dll
2004-08-03 23:56 577024 c72661f8552ace7c5c85e16a3cf505c4 C:\WINDOWS\Super Turbo Tango Patcher\Backup\user32.dll
2004-08-03 23:56 540672 348a1fb4d6ff3ba12c55da1f8bdbc0d9 C:\WINDOWS\system32\user32.dll
2004-08-03 23:56 540672 348a1fb4d6ff3ba12c55da1f8bdbc0d9 C:\WINDOWS\system32\dllcache\user32.dll

2007-02-28 10:15 2059392 4d3dbdccbf97f5ba1e74f322b155c3ba C:\WINDOWS\$hf_mig$\KB931784\SP2QFE\ntkrnlpa.exe
2007-02-28 09:38 2057600 515d30e2c90a3665a2739309334c9283 C:\WINDOWS\Driver Cache\i386\ntkrnlpa.exe
2007-02-28 09:38 2057600 515d30e2c90a3665a2739309334c9283 C:\WINDOWS\SoftwareDistribution\Download\10e16e65c532d077de7c89a212bd8df8\sp2gdr\ntkrnlpa.exe
2005-03-02 01:36 2056832 d8aba3eab509627e707a3b14f00fbb6b C:\WINDOWS\SoftwareDistribution\Download\dc3b8fb011c281dea1cb7a45f880da78\sp2qfe\ntkrnlpa.exe
2004-08-03 22:59 2056832 947fb1d86d14afcffdb54bf837ec25d0 C:\WINDOWS\SoftwareDistribution\Download\dc3fa7fed4facc29618f4c01f9c9f686\backup\sp2gdr\ntkrnlpa.exe
2005-03-02 01:36 2056832 d8aba3eab509627e707a3b14f00fbb6b C:\WINDOWS\SoftwareDistribution\Download\dc3fa7fed4facc29618f4c01f9c9f686\sp2qfe\ntkrnlpa.exe
2004-08-04 00:05 2015232 fb142b7007ca2eea76966c6c5cc12150 C:\WINDOWS\Super Turbo Tango Patcher\Backup\ntkrnlpa.exe
2008-02-28 18:19 2187264 adb6cf9a8a0bbaf5f18c22179e93c380 C:\WINDOWS\system32\ntkrnlpa.exe
2004-08-04 00:05 2187264 83a784e2516c022a4e27736605818339 C:\WINDOWS\system32\dllcache\ntkrnlpa.exe

2007-02-28 10:55 2182144 19d249958ca4b26ec0e2b472a54286af C:\WINDOWS\$hf_mig$\KB931784\SP2QFE\ntoskrnl.exe
2007-02-28 10:10 2180352 582a8dbaa58c3b1f176eb2817daee77c C:\WINDOWS\Driver Cache\i386\ntoskrnl.exe
2007-02-28 10:10 2180352 582a8dbaa58c3b1f176eb2817daee77c C:\WINDOWS\SoftwareDistribution\Download\10e16e65c532d077de7c89a212bd8df8\sp2gdr\ntoskrnl.exe
2007-02-28 10:55 2182144 5a5c8db4aa962c714c8371fbdf189fc9 C:\WINDOWS\SoftwareDistribution\Download\10e16e65c532d077de7c89a212bd8df8\sp2qfe\ntoskrnl.exe
2005-03-02 02:04 2179456 28187802b7c368c0d3aef7d4c382aabb C:\WINDOWS\SoftwareDistribution\Download\dc3b8fb011c281dea1cb7a45f880da78\sp2qfe\ntoskrnl.exe
2004-08-03 23:20 2180992 ce218bc7088681faa06633e218596ca7 C:\WINDOWS\SoftwareDistribution\Download\dc3fa7fed4facc29618f4c01f9c9f686\backup\sp2gdr\ntoskrnl.exe
2005-03-02 02:04 2179456 28187802b7c368c0d3aef7d4c382aabb C:\WINDOWS\SoftwareDistribution\Download\dc3fa7fed4facc29618f4c01f9c9f686\sp2qfe\ntoskrnl.exe
2004-08-03 22:18 2148352 626309040459c3915997ef98ec1c8d40 C:\WINDOWS\Super Turbo Tango Patcher\Backup\ntoskrnl.exe
2008-02-28 18:19 2320384 66b5883ab972da755ee6ca4663fa3bb0 C:\WINDOWS\system32\ntoskrnl.exe
2004-08-03 22:18 2320384 e82797f423fa850f04d042df08227b4e C:\WINDOWS\system32\dllcache\ntoskrnl.exe

2007-06-13 11:23 980992 02a351f886df3dd2f0a90057c40be755 C:\WINDOWS\explorer.exe
2007-06-13 12:26 1033216 7712df0cdde3a5ac89843e61cd5b3658 C:\WINDOWS\$hf_mig$\KB938828\SP2QFE\explorer.exe
2004-08-03 23:56 1032192 a0732187050030ae399b241436565e64 C:\WINDOWS\$NtUninstallKB938828$\explorer.exe
2007-06-13 11:23 1033216 97bd6515465659ff8f3b7be375b2ea87 C:\WINDOWS\Super Turbo Tango Patcher\Backup\explorer.exe
2007-06-13 11:23 980992 02a351f886df3dd2f0a90057c40be755 C:\WINDOWS\system32\dllcache\explorer.exe
.
((((((((((((((((((((((((((((( snapshot@2008-03-14_21.18.33.71 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-02-27 10:14:22 819,200 ----a-w C:\WINDOWS\gmer.dll
+ 2008-03-15 09:46:31 819,200 ----a-w C:\WINDOWS\gmer.dll
- 2008-01-18 19:31:10 757,760 ----a-w C:\WINDOWS\gmer.exe
+ 2008-03-03 19:29:06 761,856 ----a-w C:\WINDOWS\gmer.exe
- 2008-03-14 19:45:31 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
+ 2008-03-15 09:02:24 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
- 2008-03-14 19:45:31 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2008-03-15 09:07:51 131,072 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2008-03-14 19:47:45 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008031420080315\index.dat
+ 2008-03-14 22:10:05 65,536 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008031420080315\index.dat
+ 2008-03-15 09:07:44 49,152 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008031520080316\index.dat
- 2008-03-14 19:51:16 65,536 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2008-03-15 09:09:20 327,680 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
- 2008-02-27 10:14:22 85,713 ----a-w C:\WINDOWS\system32\drivers\gmer.sys
+ 2008-03-15 09:46:32 86,097 ----a-w C:\WINDOWS\system32\drivers\gmer.sys
+ 2008-03-15 20:47:55 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_214.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-03 23:56 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-12-04 14:00 79224]
"SoundMax"="C:\Program Files\Analog Devices\SoundMAX\smax4.exe" [2005-09-07 14:35 716800]
"SoundMAXPnP"="C:\Program Files\Analog Devices\Core\smax4pnp.exe" [2005-05-20 10:11 925696]
"snpstd3"="C:\WINDOWS\vsnpstd3.exe" [2005-09-05 14:55 339968]
"NeroFilterCheck"="C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe" [2007-03-01 15:57 153136]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-03 23:56 15360]

C:\Documents and Settings\Petar\Start Menu\Programs\Startup\
PowerInstall Key Updater.lnk - C:\Program Files\DVB-S PowerInstall\PSU.EXE [2008-02-06 21:05:40 52094]
Sonic CinePlayer Quick Launch.lnk - C:\Program Files\Common Files\Sonic Shared\cinetray.exe [2002-09-18 14:16:30 98304]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Super Turbo Tango Patcher Reloader.lnk - C:\WINDOWS\Super Turbo Tango Patcher\Reloader.exe [2007-05-21 03:37:38 108398]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
LMIinit.dll 2007-10-18 19:47 75064 C:\WINDOWS\system32\LMIinit.dll

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"msnmsgr"="C:\Program Files\MSN Messenger\msnmsgr.exe" /background
"Web Video Downloader"="C:\Program Files\SourceTec\Sothink Web Video Downloader Stand-alone\VideoDownloader.exe"
"Slawdog Smart Shutdown"=C:\Program Files\Slawdog\Smart Shutdown\Smart Shutdown.exe startup

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"HP Software Update"="C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe"
"DAEMON Tools-1033"="C:\Program Files\D-Tools\daemon.exe" -lang 1033
"snpstd3"=C:\WINDOWS\vsnpstd3.exe
"DownloadAccelerator"="C:\Program Files\DAP\DAP.EXE" /STARTUP
"KernelFaultCheck"=%systemroot%\system32\dumprep 0 -k

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
"UACDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\Program Files\\MSI\\MyGuard Live\\MyGuard Live.exe"=
"C:\\WINDOWS\\system32\\sessmgr.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\MSN Messenger\\livecall.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\SIERRA\\Half-Life\\hl.exe"=
"C:\\SIERRA\\Half-Life\\hlds.exe"=
"C:\\Program Files\\DAP\\DAP.exe"=
"C:\\Program Files\\SpeedBit Video Accelerator\\VideoAccelerator.exe"=
"C:\\Program Files\\SpeedBit Video Accelerator\\VideoAcceleratorEngine.exe"=
"C:\\Program Files\\My Drivers\\MyDrivers.exe"=
"C:\\Program Files\\VoipBuster.com\\VoipBuster\\VoipBuster.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=
"C:\\Program Files\\Azureus\\Azureus.exe"=
"C:\\Program Files\\ProgDVB\\ProgDvbNet.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"86:TCP"= 86:TCP:BroadCam Web Server

R0 hotcore;hotcore;C:\WINDOWS\system32\drivers\hotcore.sys [2005-07-22 12:07]
R1 Cinemsup;Cinemsup;C:\WINDOWS\system32\drivers\Cinemsup.sys [2002-07-19 08:10]
R2 LMIRfsDriver;LogMeIn Remote File System Driver;C:\WINDOWS\system32\drivers\LMIRfsDriver.sys [2007-09-12 09:20]
R2 sbbotdi;sbbotdi;C:\PROGRA~1\SPEEDB~1\sbbotdi.sys [2007-09-23 20:21]
R2 UxTuneUp;TuneUp Design Expansion;C:\WINDOWS\System32\svchost.exe [2004-08-03 23:56]
R3 SKYNET;TechniSat DVB-PC TV Star PCI;C:\WINDOWS\system32\DRIVERS\SkyNET.SYS [2006-03-14 02:22]
S1 StarPortLite;StarPort Storage Controller (Lite);C:\WINDOWS\system32\DRIVERS\StarPortLite.sys []
S2 LMIInfo;LogMeIn Kernel Information Provider;C:\Program Files\LogMeIn\x86\RaInfo.sys []
S3 ASPI;Advanced SCSI Programming Interface Driver;C:\WINDOWS\System32\DRIVERS\ASPI32.sys [2002-07-17 08:05]
S3 Asushwio;Asushwio;C:\WINDOWS\system32\drivers\Asushwio.sys [2004-04-26 16:26]
S3 mbr;mbr;C:\DOCUME~1\Petar\LOCALS~1\Temp\mbr.sys []
S3 PavSRK.sys;PavSRK.sys;C:\WINDOWS\system32\PavSRK.sys []
S3 usnjsvc;Messenger Sharing Folders USN Journal Reader service;"C:\Program Files\MSN Messenger\usnsvc.exe" [2007-01-19 11:54]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{cb01b14d-60ce-11dc-ab2e-806d6172696f}]
\Shell\AutoRun\command - E:\bootcd\wintools\autorun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f7c9c5aa-8a05-11dc-b161-0017319b95e3}]
\Shell\AutoRun\command - H:\.\Start.exe

.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, gmer.net
Rootkit scan 2008-03-15 22:19:37
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\explorer.exe [6.00.2900.3156]
-> C:\WINDOWS\system32\BsLangInDepRes.dll
.
Completion time: 2008-03-15 22:20:36
ComboFix-quarantined-files.txt 2008-03-15 21:20:27
ComboFix2.txt 2008-03-15 09:21:27
ComboFix3.txt 2008-03-14 20:18:52
.
2007-09-13 08:16:44 --- E O F ---


offline
  • dr_Bora  Male
  • Anti Malware Fighter
    Rank 2
  • Joined: 24 Jul 2007
  • Posts: 12280
  • Location: Höganäs, SE

Did you run the dr.Web CureIt scan in Safe Mode, i.e. was the computer restarted between the dr.Web CureIt scan and the Gmer scan?

If not, please restart the PC and repeat the Gmer/rootkit scan (this is important).

offline
  • Joined: 27 Feb 2008
  • Posts: 30
  • Location: Modriča

dr.Web CureIt scanned in normal mode, then I restarted the computer because of "stuttering", and then ran Gmer. If dr.Web CureIt was supposed to run in Safe Mode, I didn't understand that. So yes, there was a restart between the scans.

offline
  • dr_Bora  Male
  • Anti Malware Fighter
    Rank 2
  • Joined: 24 Jul 2007
  • Posts: 12280
  • Location: Höganäs, SE

Here's the thing... This is a new kind of infection (a type of rootkit), which is why I'm bothering you a bit more...

Let's try to resolve this...

Copy the file mbr.exe to the C: drive (so its location should be C:\mbr.exe).

Click Start > Run and type:

mbr -f

When the process finishes, paste the contents of the log C:\mbr.log here.

offline
  • Joined: 27 Feb 2008
  • Posts: 30
  • Location: Modriča

It doesn't work, mate. Everything as instructed, but it can't find it.

Update: 16 Mar 2008 0:31

Now I typed C:\mbr -f in Run and it ran.
I don't know whether that's worth anything, but here's the log just in case

Stealth MBR rootkit detector by Gmer, gmer.net

device: opend sucessfully
user: MBR read sucessfully
kernel: MBR read sucessfully
user & kernel MBR OK
INT 0x13 hook detected !

offline
  • Joined: 04 Sep 2003
  • Posts: 24135
  • Location: Wien

@petar1975

dr_Bora seems to have gone to bed.
From the files you sent us we managed to identify the server you picked up the infection from.
I collected from that server every malware sample I could find and sent them to AV labs for analysis.
I sincerely hope that by tomorrow we'll already have some results that will help us resolve your case.

You did this last step correctly, but unfortunately it seems it didn't help.

Do you know how to use the Recovery Console from the Windows installation CD?

offline
  • Joined: 27 Feb 2008
  • Posts: 30
  • Location: Modriča

No, because I don't understand the procedure (that's the one with some commands, right?)
I'm self-taught at this, with no knowledge of programming languages, just some English. Unless there's some reasonable guide.

offline
  • Joined: 04 Sep 2003
  • Posts: 24135
  • Location: Wien

http://www.mycity.rs/Windows/Recovery-konzola-i-Re.....jenja.html

Have a look at that thread. First comes the procedure for a system Repair, then there is the procedure for entering the Recovery Console. We only need the second one.

Enter the Recovery Console and type the following command:
fixmbr

After that, restart the computer without the Windows installation CD in the drive, then repeat the above with C:\mbr -f and post the log here.
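As an added example, not part of this thread and not code from Gmer or Microsoft, the following Python script models the two things the helpers' instructions rely on: the comparison of an MBR read through the normal path with one that bypasses filter drivers (the kind of check behind the "user: MBR read" / "kernel: MBR read" / "user & kernel MBR OK" lines in the mbr.exe output above), and the bootstrap-only rewrite that a fixmbr-style repair performs, which is why it can be proposed without losing the partition table. Everything on "disk" here is constructed: the partition layout and the clean and infected boot-code bytes are placeholders, not real Windows or bootkit code. The INT 0x13 hook that mbr.exe reported is a separate real-mode check and is not modelled.

```python
"""Added example: MBR integrity checks of the kind an MBR rootkit detector
performs, plus the bootstrap-only rewrite that a fixmbr-style repair does.
All sector contents below are constructed placeholders, not real disk data."""
import hashlib
import struct

MBR_SIZE = 512
BOOTCODE_SIZE = 446           # bytes 0..445: bootstrap code, the part a bootkit replaces
PART_TABLE_OFFSET = 446       # four 16-byte partition entries follow the boot code
PART_ENTRY_SIZE = 16
SIGNATURE = b"\x55\xAA"       # bytes 510..511


def parse_mbr(mbr: bytes) -> dict:
    """Split one 512-byte sector into a boot-code hash, partition entries and a signature flag."""
    if len(mbr) != MBR_SIZE:
        raise ValueError(f"MBR must be {MBR_SIZE} bytes, got {len(mbr)}")
    partitions = []
    for i in range(4):
        off = PART_TABLE_OFFSET + i * PART_ENTRY_SIZE
        # entry layout: status(1) CHS-start(3) type(1) CHS-end(3) LBA-start(4) sectors(4)
        status, ptype, lba_start, sectors = struct.unpack_from("<B3xB3xII", mbr, off)
        partitions.append({"bootable": status == 0x80, "type": ptype,
                           "lba_start": lba_start, "sectors": sectors})
    return {
        "bootcode_sha256": hashlib.sha256(mbr[:BOOTCODE_SIZE]).hexdigest(),
        "partitions": partitions,
        "signature_ok": mbr[510:512] == SIGNATURE,
    }


def compare_reads(user_read: bytes, kernel_read: bytes) -> list:
    """The 'user vs kernel MBR' check: a stealth bootkit that filters sector reads
    hands a clean-looking MBR to ordinary callers, so a read that bypasses the
    filter (here: kernel_read) disagrees with one that goes through it."""
    findings = []
    u, k = parse_mbr(user_read), parse_mbr(kernel_read)
    if not (u["signature_ok"] and k["signature_ok"]):
        findings.append("missing 0x55AA boot signature")
    if u["bootcode_sha256"] != k["bootcode_sha256"]:
        findings.append("user/kernel boot code differ: sector reads are being filtered")
    if u["partitions"] != k["partitions"]:
        findings.append("user/kernel partition tables differ")
    return findings


def baseline_check(mbr: bytes, known_good_sha256: str) -> bool:
    """Two read paths agreeing proves nothing if both return an infected sector
    (e.g. the filter driver is not loaded), so also compare against a known-good hash."""
    return hashlib.sha256(mbr[:BOOTCODE_SIZE]).hexdigest() == known_good_sha256


def rewrite_bootcode(mbr: bytes, clean_bootcode: bytes) -> bytes:
    """What a fixmbr-style repair does: replace only the 446 bootstrap bytes and keep
    the partition table and signature, so the disk layout survives while the
    bootkit's loader is overwritten."""
    if len(clean_bootcode) != BOOTCODE_SIZE:
        raise ValueError("boot code must be exactly 446 bytes")
    return clean_bootcode + mbr[BOOTCODE_SIZE:]


# --- constructed sample sectors (not taken from any real disk) ---
def _entry(status: int, ptype: int, lba_start: int, sectors: int) -> bytes:
    return struct.pack("<B3sB3sII", status, b"\x01\x01\x00", ptype, b"\xfe\xff\xff",
                       lba_start, sectors)


PART_TABLE = (_entry(0x80, 0x07, 63, 20_000_000)            # active NTFS system partition
              + _entry(0x00, 0x07, 20_000_063, 30_000_000)  # second NTFS partition
              + bytes(2 * PART_ENTRY_SIZE))                 # two unused entries
CLEAN_BOOTCODE = b"\xFA\x33\xC0" + b"\x90" * (BOOTCODE_SIZE - 3)      # placeholder, not Windows' code
INFECTED_BOOTCODE = b"\xE9\x00\x00" + b"\xCC" * (BOOTCODE_SIZE - 3)   # placeholder bootkit loader
CLEAN_MBR = CLEAN_BOOTCODE + PART_TABLE + SIGNATURE
INFECTED_MBR = INFECTED_BOOTCODE + PART_TABLE + SIGNATURE
CLEAN_HASH = hashlib.sha256(CLEAN_BOOTCODE).hexdigest()


def demo() -> dict:
    """Three situations a responder meets, plus the repair."""
    return {
        # bootkit active and hiding: the filtered read looks clean, the direct read does not
        "hidden": compare_reads(CLEAN_MBR, INFECTED_MBR),
        # both paths agree ('user & kernel MBR OK') yet the sector is still infected
        "agree_but_infected": (compare_reads(INFECTED_MBR, INFECTED_MBR),
                               baseline_check(INFECTED_MBR, CLEAN_HASH)),
        # after the bootstrap-only rewrite the partition table is untouched
        "repaired": rewrite_bootcode(INFECTED_MBR, CLEAN_BOOTCODE) == CLEAN_MBR,
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

Run as a script it prints the three scenarios. The "agree_but_infected" case is the one to keep in mind when reading the logs in this thread: a clean "user & kernel MBR OK" line only says the two read paths agree, so a known-good baseline (or, as the helpers do here, rewriting the bootstrap code outright) is still needed before the MBR can be called clean.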
