Terribly slow internet



offline
  • Joined: 15 Dec 2008
  • Posts: 166
  • Location: Beograd


offline
  • Joined: 04 Sep 2003
  • Posts: 24135
  • Location: Wien

Manually delete that restore.sys you sent me. It is malicious. It is part of some infection that you had already somehow gotten rid of earlier.

Tell me, how is the computer behaving now?
Are there any other symptoms?


To finish up, give me one more fresh ComboFix log, so I can check that the infection hasn't come back by any chance.

offline
  • Joined: 15 Dec 2008
  • Posts: 166
  • Location: Beograd

restore.sys deleted, browsing is better, though I can't exactly boast about it; the speed depends on the particular pages and the browser: in Chrome and Opera it is faster, in Firefox it is considerably slower, it struggles until it loads the cookies and caches.
What the devil was that?

Again there are fresh files in quarantine from WINDOWS, TEMP, BN1.tmp and BN3.tmp, this morning even BN35.tmp. Is that of any significance?



ComboFix log before deleting restore.sys:


ComboFix 09-03-10.03 - RR 2009-03-11 18:10:08.14 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1918.1461 [GMT 1:00]
Running from: c:\documents and settings\RR\Desktop\lecenje\ComboFix.exe
AV: AVG *On-access scanning disabled* (Outdated)
AV: ESET NOD32 Antivirus 3.0 *On-access scanning disabled* (Updated)
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\drivers\ntndis.sys
.
---- Previous Run -------
.
c:\windows\system32\drivers\ntndis.sys

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_restore


((((((((((((((((((((((((( Files Created from 2009-02-11 to 2009-03-11 )))))))))))))))))))))))))))))))
.

2009-03-11 18:04 . 2009-03-11 18:04 6,656 --a------ c:\windows\system32\drivers\restore.sys
2009-03-10 04:59 . 2009-03-10 04:59 <DIR> d-------- c:\documents and settings\RRR\Application Data\NesterSoft
2009-03-10 04:54 . 2009-03-10 04:56 <DIR> d-------- c:\documents and settings\RRR\Application Data\Winamp
2009-03-10 04:54 . 2009-03-10 04:54 <DIR> d-------- c:\documents and settings\RRR\Application Data\Skype
2009-03-10 04:50 . 2009-03-10 04:50 <DIR> d-------- c:\documents and settings\RRR\Application Data\ACD Systems
2009-03-10 04:10 . 2009-03-10 04:11 <DIR> d-------- C:\USBNoRisk
2009-03-08 16:51 . 2009-03-09 18:35 <DIR> d-------- c:\program files\SpeedBit Video Accelerator
2009-03-08 14:57 . 2009-03-08 14:57 <DIR> d-------- c:\documents and settings\RRR
2009-03-07 22:19 . 2009-03-07 22:19 <DIR> d-------- c:\program files\Software Informer
2009-03-07 04:43 . 2005-10-31 19:17 135,168 -r------- c:\windows\system32\RtlCPAPI.dll
2009-03-07 04:42 . 2005-05-03 19:43 69,632 -r------- c:\windows\Alcmtr.exe
2009-03-05 18:38 . 2009-03-05 18:38 <DIR> d-------- c:\windows\system32\config\systemprofile\Application Data\Yahoo!
2009-03-03 16:20 . 2009-03-03 16:20 <DIR> d-------- c:\documents and settings\RR\Application Data\Thinstall
2009-03-03 16:16 . 2009-03-08 00:40 <DIR> d--hs---- c:\documents and settings\All Users\Application Data\{55A29068-F2CE-456C-9148-C869879E2357}
2009-03-03 16:15 . 2009-03-07 04:33 <DIR> d-------- c:\program files\CBS Software
2009-03-03 16:14 . 2009-03-03 16:14 <DIR> d-------- c:\program files\TuneUp Utilities 2009 8.0.2000.35
2009-03-02 17:46 . 2009-03-02 17:46 <DIR> d-------- c:\program files\Reference Assemblies
2009-02-28 19:51 . 2009-02-28 19:51 <DIR> d-------- c:\documents and settings\RR\Application Data\URSoft
2009-02-28 03:25 . 2009-03-06 12:59 <DIR> d-------- c:\program files\Breakaway
2009-02-28 02:00 . 2009-02-28 06:03 <DIR> d-------- c:\program files\Magic Video Converter
2009-02-28 02:00 . 2003-03-19 11:03 544,768 --a------ c:\windows\system32\msvcr71d.dll
2009-02-25 03:18 . 2009-01-09 20:19 1,089,593 -----c--- c:\windows\system32\dllcache\ntprint.cat
2009-02-25 02:51 . 2009-02-26 03:17 <DIR> d-------- c:\program files\Total Video Converter
2009-02-25 02:50 . 2009-02-28 05:51 <DIR> d-------- c:\program files\Codec Pack - All In 1
2009-02-25 02:50 . 2009-02-28 05:51 737,280 --a------ c:\windows\iun6002.exe
2009-02-25 02:39 . 2009-03-02 01:30 <DIR> d-------- c:\program files\Amadis Software
2009-02-24 17:04 . 2009-02-24 17:04 <DIR> d-------- C:\ZCVideoConverter
2009-02-24 16:59 . 2009-02-24 17:00 <DIR> d-------- c:\program files\ZC Video Converter
2009-02-24 16:42 . 2009-02-24 16:42 <DIR> d-------- c:\program files\XviD
2009-02-24 16:39 . 2001-08-23 17:00 1,700,352 --a------ c:\windows\system32\gdiplus.dll
2009-02-24 02:44 . 2009-02-24 02:44 <DIR> d-------- c:\program files\XP Codec Pack
2009-02-24 02:44 . 2008-07-09 09:05 421,888 --a------ c:\windows\system32\ac3filter.acm
2009-02-22 16:42 . 2009-02-22 16:43 <DIR> d-------- c:\program files\Any Video Converter
2009-02-22 16:42 . 2009-02-26 03:17 <DIR> d-------- c:\documents and settings\RR\Application Data\Any Video Converter
2009-02-22 16:14 . 2009-02-22 16:39 <DIR> d-------- c:\program files\Any Video Converter Professional
2009-02-22 16:14 . 2009-02-26 03:17 <DIR> d-------- c:\documents and settings\RR\Application Data\Any Video Converter Professional
2009-02-22 15:38 . 2009-02-22 15:39 <DIR> d-------- c:\program files\Media Convert Master
2009-02-22 15:38 . 2009-02-22 15:39 <DIR> d-------- c:\documents and settings\RR\Application Data\Vso
2009-02-22 15:38 . 2009-02-22 15:38 81,920 --a------ c:\documents and settings\RR\Application Data\ezpinst.exe
2009-02-22 15:38 . 2009-02-22 15:38 47,360 --a------ c:\windows\system32\drivers\pcouffin.sys
2009-02-22 15:38 . 2009-02-22 15:38 47,360 --a------ c:\documents and settings\RR\Application Data\pcouffin.sys
2009-02-22 15:20 . 2007-02-07 20:05 269,824 --a------ c:\windows\system32\baksm.dll
2009-02-22 14:14 . 2009-02-22 14:14 <DIR> d-------- c:\program files\AviSynth 2.5
2009-02-22 14:14 . 2004-05-26 21:37 719,872 --a------ c:\windows\system32\devil.dll
2009-02-22 14:14 . 2006-09-16 19:44 314,368 --a------ c:\windows\system32\avisynth.dll
2009-02-22 14:14 . 2005-02-13 00:00 186,880 -r-hs---- c:\windows\system32\RLOgg.ax
2009-02-22 14:14 . 2005-02-06 00:00 92,672 -r-hs---- c:\windows\system32\RLVorbisDec.ax
2009-02-22 14:14 . 2004-01-25 00:00 70,656 --a------ c:\windows\system32\i420vfw.dll
2009-02-22 14:14 . 2005-02-13 00:00 67,584 -r-hs---- c:\windows\system32\RLTheoraDec.ax
2009-02-22 14:14 . 2005-02-13 00:00 51,712 -r-hs---- c:\windows\system32\RLSpeexDec.ax
2009-02-22 14:13 . 2005-01-18 00:26 179,200 -r-hs---- c:\windows\system32\DiracSplitter.ax
2009-02-22 14:13 . 2005-02-22 17:55 81,920 -r-hs---- c:\windows\system32\aac_parser.ax
2009-02-22 03:39 . 2009-02-22 03:39 <DIR> d-------- C:\ConverterOutput
2009-02-22 03:31 . 2009-02-22 03:31 <DIR> d-------- c:\program files\Common Files\Download Manager
2009-02-20 20:39 . 2008-03-03 14:25 5,702 --ah----- c:\windows\nod32restoretemdono.reg
2009-02-20 20:39 . 2008-03-03 18:21 568 --ah----- c:\windows\nod32fixtemdono.reg
2009-02-20 20:33 . 2009-02-20 20:33 <DIR> d-------- c:\documents and settings\All Users\Application Data\ESET
2009-02-11 17:56 . 2009-02-11 17:56 <DIR> d-------- c:\program files\BillP Studios
2009-02-11 17:56 . 2009-02-12 02:23 <DIR> d-------- c:\documents and settings\RR\Application Data\WinPatrol
2009-02-11 17:45 . 2009-02-14 08:15 <DIR> d----c--- c:\documents and settings\All Users\Application Data\{83C91755-2546-441D-AC40-9A6B4B860800}

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-03-11 17:19 --------- d-----w c:\documents and settings\RR\Application Data\Skype
2009-03-11 17:04 --------- d-----w c:\documents and settings\RR\Application Data\skypePM
2009-03-11 16:49 --------- d-----w c:\program files\Everything
2009-03-11 07:58 --------- d-----w c:\program files\TimeLeft3
2009-03-11 04:03 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2009-03-10 16:35 --------- d-----w c:\documents and settings\RR\Application Data\uTorrent
2009-03-09 07:41 --------- d-----w c:\documents and settings\RR\Application Data\FrostWire
2009-03-08 15:51 --------- d-----w c:\documents and settings\All Users\Application Data\SpeedBit
2009-03-08 15:49 --------- d-----w c:\program files\DAP
2009-03-08 15:08 --------- d-----w c:\documents and settings\RR\Application Data\Software Informer
2009-03-07 21:57 --------- d-----w c:\program files\Windows Live
2009-03-07 03:42 --------- d-----w c:\program files\Realtek
2009-03-07 03:23 --------- d-----w c:\program files\Foxit Software
2009-03-06 14:08 --------- d-----w c:\program files\Opera
2009-03-05 17:38 --------- d-----w c:\documents and settings\All Users\Application Data\Yahoo! Companion
2009-03-05 13:39 136,128 ----a-w c:\windows\system32\drivers\aec.sys
2009-03-05 13:36 182,656 -c--a-w c:\windows\system32\drivers\ndis.sys
2009-03-03 15:17 --------- d-----w c:\documents and settings\RR\Application Data\TuneUp Software
2009-03-03 15:16 --------- d-----w c:\documents and settings\All Users\Application Data\TuneUp Software
2009-03-01 16:06 --------- d-----w c:\program files\Glary Utilities
2009-02-27 21:31 --------- d-----w c:\program files\Total Video Player
2009-02-26 02:21 --------- d-----w c:\program files\IObit
2009-02-26 02:21 --------- d-----w c:\documents and settings\RR\Application Data\IObit
2009-02-25 02:25 --------- d-----w c:\documents and settings\RR\Application Data\LimeWire
2009-02-24 02:28 --------- d-----w c:\program files\Mv2Player
2009-02-20 19:36 --------- d-----w c:\program files\ESET
2009-02-20 12:19 --------- d-----w c:\documents and settings\All Users\Application Data\Lavasoft
2009-02-15 01:30 --------- d-----w c:\program files\SpeedFan
2009-02-12 02:02 --------- d-----w c:\program files\Google
2009-02-09 01:01 --------- d-----w c:\program files\Common Files\Ahead
2009-02-09 01:01 --------- d-----w c:\program files\Ahead
2009-02-09 00:54 --------- d-----w c:\documents and settings\All Users\Application Data\Nero
2009-02-08 15:14 --------- d-----w c:\program files\DivX
2009-02-08 13:39 --------- d-----w c:\documents and settings\RR\Application Data\Ahead
2009-02-08 13:17 --------- d-----w c:\documents and settings\All Users\Application Data\Ahead
2009-02-08 13:03 --------- d-----w c:\program files\Common Files\Nero
2009-02-07 23:41 --------- d-----w c:\documents and settings\RR\Application Data\Nero
2009-02-07 12:11 --------- d-----w c:\program files\FrostWire
2009-02-04 12:17 --------- d-----w c:\program files\Wise Registry Cleaner 3
2009-02-04 12:15 --------- d-----w c:\program files\Wise Disk Cleaner
2009-02-04 11:39 --------- d-----w c:\documents and settings\All Users\Application Data\3A3E
2009-02-04 11:08 --------- d-----w c:\program files\Common Files\Skype
2009-02-04 11:08 --------- d-----w c:\documents and settings\All Users\Application Data\Skype
2009-02-04 11:08 --------- d-----r c:\program files\Skype
2009-02-02 10:41 --------- d-----w c:\documents and settings\All Users\Application Data\23CB
2009-01-31 16:45 --------- d-----w c:\documents and settings\All Users\Application Data\F138
2009-01-31 01:17 --------- d-----w c:\documents and settings\All Users\Application Data\2835B
2009-01-28 01:03 --------- d-----w c:\documents and settings\All Users\Application Data\3034B
2009-01-27 11:49 --------- d-----w c:\program files\Recuva
2009-01-25 01:40 17,920 -c--a-w c:\windows\WebFerretUninstall.exe
2009-01-25 01:40 --------- d-----w c:\program files\WebFerret
2009-01-23 23:48 --------- d-----w c:\documents and settings\All Users\Application Data\3A138
2009-01-23 23:02 --------- d-----w c:\documents and settings\All Users\Application Data\131F
2009-01-23 22:58 --------- d-----w c:\documents and settings\All Users\Application Data\1B1F
2009-01-11 19:37 --------- d-----w c:\documents and settings\All Users\Application Data\172E
2009-01-11 13:59 --------- d-----w c:\program files\Dictionary
2008-10-27 13:33 69,232 -c--a-w c:\documents and settings\RR\Application Data\GDIPFONTCACHEV1.DAT
2007-12-22 13:50 32 -c--a-w c:\documents and settings\All Users\Application Data\ezsid.dat
.

------- Sigcheck -------

2008-04-13 20:20 182656 1df7f42665c94b825322fae71721130d c:\windows\ServicePackFiles\i386\ndis.sys
2009-03-05 14:36 213120 1df7f42665c94b825322fae71721130d c:\windows\system32\dllcache\ndis.sys
2009-03-05 14:36 213120 1df7f42665c94b825322fae71721130d c:\windows\system32\drivers\ndis.sys
.
((((((((((((((((((((((((((((( SnapShot@2009-03-09_16.23.18.60 )))))))))))))))))))))))))))))))))))))))))
.
+ 2005-10-20 19:02:28 163,328 ----a-w c:\windows\ERDNT\subs\ERDNT.EXE
- 2009-02-04 11:08:22 364,726 ----a-r c:\windows\Installer\{24D753CA-6AE9-4E30-8F5F-EFC93E08BF3D}\SkypeIcon.exe
+ 2009-03-10 03:53:40 364,726 ----a-r c:\windows\Installer\{24D753CA-6AE9-4E30-8F5F-EFC93E08BF3D}\SkypeIcon.exe
- 2009-03-09 07:12:06 32,768 --sha-w c:\windows\system32\config\systemprofile\Application Data\Microsoft\Internet Explorer\UserData\index.dat
+ 2009-03-09 19:08:02 32,768 --sha-w c:\windows\system32\config\systemprofile\Application Data\Microsoft\Internet Explorer\UserData\index.dat
- 2009-03-09 15:21:10 32,768 -c--a-w c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2009-03-11 17:19:44 32,768 -c--a-w c:\windows\system32\config\systemprofile\Cookies\index.dat
- 2009-03-09 15:21:10 65,536 -c--a-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2009-03-11 17:19:44 98,304 -c--a-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2009-03-09 15:21:11 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012009030920090310\index.dat
+ 2009-03-09 19:08:02 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012009030920090310\index.dat
+ 2009-03-10 15:28:18 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012009031020090311\index.dat
+ 2009-03-11 17:19:45 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012009031120090312\index.dat
- 2009-03-09 15:21:11 49,152 --sha-w c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2009-03-11 17:19:44 65,536 --sha-w c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
- 2008-10-05 03:24:02 3,695,008 ----a-w c:\windows\system32\Macromed\Flash\NPSWF32.dll
+ 2009-02-03 02:15:28 3,771,296 ----a-w c:\windows\system32\Macromed\Flash\NPSWF32.dll
- 2008-10-05 03:24:04 235,936 -c--a-w c:\windows\system32\Macromed\Flash\NPSWF32_FlashUtil.exe
+ 2009-02-03 02:15:30 240,544 ----a-w c:\windows\system32\Macromed\Flash\NPSWF32_FlashUtil.exe
- 2008-12-29 14:03:34 84,661 -c--a-w c:\windows\system32\Macromed\Flash\uninstall_plugin.exe
+ 2009-03-10 16:55:17 84,661 ----a-w c:\windows\system32\Macromed\Flash\uninstall_plugin.exe
+ 2009-03-11 17:19:07 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_714.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2009-01-29 23975720]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"egui"="c:\program files\ESET\ESET NOD32 Antivirus\egui.exe" [2008-02-20 1443072]
"RTHDCPL"="RTHDCPL.EXE" [2006-01-11 c:\windows\RTHDCPL.exe]

c:\documents and settings\RRR\Start Menu\Programs\Startup\
Yahoo! Widgets.lnk - c:\program files\Yahoo!\Widgets\YahooWidgets.exe [2008-03-19 4742184]

c:\documents and settings\RR\Start Menu\Programs\Startup\
TimeLeft.lnk - c:\program files\TimeLeft3\TimeLeft.exe [2007-12-22 1981112]
Yahoo! Widgets.lnk - c:\program files\Yahoo!\Widgets\YahooWidgets.exe [2008-03-19 4742184]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.I420"= i420vfw.dll
"VIDC.XVID"= xvid.dll
"msacm.ac3filter"= ac3filter.acm

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]

[HKLM\~\startupfolder\C:^Documents and Settings^RR^Start Menu^Programs^Startup^FrostWire On Startup.lnk]
backup=c:\windows\pss\FrostWire On Startup.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^RR^Start Menu^Programs^Startup^ppcb_32.lnk]
backup=c:\windows\pss\ppcb_32.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2008-04-14 01:12 15360 c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
--a----t- 2008-09-03 12:13 133104 c:\documents and settings\RR\Local Settings\Application Data\Google\Update\GoogleUpdate.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"ctfmon.exe"=c:\windows\system32\ctfmon.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\K-Lite Codec Pack\\Media Player Classic\\mplayerc.exe"=
"c:\\Program Files\\WebFerret\\WebFerret.exe"=
"c:\\Program Files\\FrostWire\\FrostWire.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\Program Files\\DAP\\DAP.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

R1 epfwtdir;epfwtdir;c:\windows\system32\drivers\epfwtdir.sys [2008-02-20 33800]
R2 ekrn;Eset Service;c:\program files\ESET\ESET NOD32 Antivirus\ekrn.exe [2008-02-20 472320]
S2 NOD32FiXTemDono;Eset Nod32 Boot;c:\windows\system32\regedt32.exe [2001-08-23 3584]
S3 EuMusDesignVirtualAudioCableWdm_lcs;Breakaway Pipeline (WDM);c:\windows\system32\DRIVERS\vaclcskd.sys --> c:\windows\system32\DRIVERS\vaclcskd.sys [?]
S3 PsSdk41;PsSdk41;c:\windows\system32\drivers\pssdk41.sys [2008-10-19 36928]
S3 w89c940;Winbond W89C940 PCI Ethernet Adapter Driver;c:\windows\system32\drivers\w940nd.sys [2007-12-21 16925]
.
Contents of the 'Scheduled Tasks' folder

2009-03-11 c:\windows\Tasks\AWC Update.job
- c:\program files\IObit\Advanced SystemCare 3\IObitUpdate.exe [2009-02-23 17:38]

2009-03-11 c:\windows\Tasks\AWC Update.job
- c:\program files\IObit\Advanced SystemCare 3\ [2009-03-11 09:28]

2009-03-11 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-436374069-527237240-725345543-1003.job
- c:\documents and settings\RR\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-09-03 12:13]

2009-03-02 c:\windows\Tasks\SmartDefrag.job
- c:\program files\IObit\IObit SmartDefrag\IObit SmartDefrag.exe [2009-02-13 18:15]

2009-03-02 c:\windows\Tasks\SmartDefrag.job
- c:\program files\IObit\IObit SmartDefrag\ [2009-02-26 03:21]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
mStart Page = hxxp://www.krstarica.com
uInternet Connection Wizard,ShellNext = iexplore
uSearchURL,(Default) = hxxp://www.google.com/search/?q=%s
IE: &Clean Traces - c:\program files\DAP\Privacy Package\dapcleanerie.htm
IE: &Download with &DAP - c:\program files\DAP\dapextie.htm
IE: &Search - ?p=ZCfox000
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: Download &all with DAP - c:\program files\DAP\dapextie2.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\RR\Application Data\Mozilla\Firefox\Profiles\qq1l57ie.default\
FF - prefs.js: browser.startup.homepage - yahoo.com
FF - component: c:\program files\DAP\DAPFireFox\components\DAPFireFox.dll
FF - plugin: c:\documents and settings\RR\Local Settings\Application Data\Google\Update\1.2.141.5\npGoogleOneClick7.dll
FF - plugin: c:\program files\Google\Picasa3\npPicasa2.dll
FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll
FF - plugin: c:\program files\Opera\program\plugins\npFoxitReaderPlugin.dll
FF - plugin: c:\program files\Opera\program\plugins\nppl3260.dll
FF - plugin: c:\program files\Opera\program\plugins\nprpjplug.dll

---- FIREFOX POLICIES ----
FF - user.js: network.http.max-persistent-connections-per-server - 3
FF - user.js: nglayout.initialpaint.delay - 750
FF - user.js: content.notify.interval - 750000
FF - user.js: content.max.tokenizing.time - 2250000
FF - user.js: content.switch.threshold - 750000
FF - user.js: network.http.max-connections-per-server - 6
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, gmer.net
Rootkit scan 2009-03-11 18:19:56
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(768-)
c:\windows\system32\Ati2evxx.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\windows\system32\ati2evxx.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\snmp.exe
c:\program files\Internet Explorer\iexplore.exe
c:\program files\Internet Explorer\iexplore.exe
.
**************************************************************************
.
Completion time: 2009-03-11 18:23:10 - machine was rebooted [RR]
ComboFix-quarantined-files.txt 2009-03-11 17:23:07
ComboFix2.txt 2009-03-10 02:22:22
ComboFix3.txt 2009-03-09 15:25:00

Pre-Run: 19,861,860,352 bytes free
Post-Run: 19,801,325,568 bytes free


offline
  • Joined: 04 Sep 2003
  • Posts: 24135
  • Location: Wien

Grrr... it's coming back again.

Double-click gmer.exe to start: select the Rootkit/Malware tab at the top.
Right-click in the middle of the program window. A menu will appear; go to Options and tick the option Only non MS files.
Click Scan.
When the scan is finished, click the Copy button below; this will save the scan results to the clipboard.
Use Paste in Notepad to turn it into text. Save that text from Notepad as the file file3.txt


Use the Attach file option below the message box on the forum, and attach here the file we just saved.

Addendum: 11 Mar 2009 19:21

Send me the following files for review:
c:\windows\ServicePackFiles\i386\ndis.sys
c:\windows\system32\dllcache\ndis.sys
c:\windows\system32\drivers\ndis.sys

Do the upload via the following form:
http://www.mycity.rs/ambulanta-upload.php
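As an added illustration (my own code, not from this thread or from ComboFix), a small Python checker over the kind of lines found in the log quoted above: it flags a driver created minutes before the scan ran (the restore.sys that keeps returning) and Sigcheck rows for one file name whose sizes differ while the reported MD5 is identical, which is the reason the three ndis.sys copies deserve a closer look. The sample lines are copied from the log above; the function names and the one-hour window are my own assumptions.

```python
"""Sanity checks over a ComboFix log: drivers dropped just before the scan,
and Sigcheck rows whose size and hash contradict each other."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: a handful of lines copied from the ComboFix log quoted
# in this thread (run header, "Files Created" rows, Sigcheck rows).
SAMPLE_LOG = r"""
ComboFix 09-03-10.03 - RR 2009-03-11 18:10:08.14 - NTFSx86
.
((((((((((((((((((((((((( Files Created from 2009-02-11 to 2009-03-11 )))))))))))))))))))))))))))))))
.

2009-03-11 18:04 . 2009-03-11 18:04 6,656 --a------ c:\windows\system32\drivers\restore.sys
2009-03-10 04:10 . 2009-03-10 04:11 <DIR> d-------- C:\USBNoRisk
2009-02-22 15:38 . 2009-02-22 15:38 47,360 --a------ c:\windows\system32\drivers\pcouffin.sys
.
------- Sigcheck -------

2008-04-13 20:20 182656 1df7f42665c94b825322fae71721130d c:\windows\ServicePackFiles\i386\ndis.sys
2009-03-05 14:36 213120 1df7f42665c94b825322fae71721130d c:\windows\system32\dllcache\ndis.sys
2009-03-05 14:36 213120 1df7f42665c94b825322fae71721130d c:\windows\system32\drivers\ndis.sys
.
"""

# "ComboFix <version> - <user> <YYYY-MM-DD HH:MM:SS>.<frac> - <fs>"
HEADER_RE = re.compile(r"^ComboFix \S+ - .*?(\d{4}-\d\d-\d\d \d\d:\d\d):\d\d")
# "<created> . <modified> <size|<DIR>> <9 attribute chars> <path>"
CREATED_RE = re.compile(
    r"^(\d{4}-\d\d-\d\d \d\d:\d\d) \. \S+ \S+ (<DIR>|[\d,]+) (\S{9}) (.+)$")
# "<timestamp> <size> <md5> <path>"
SIGCHECK_RE = re.compile(
    r"^(\d{4}-\d\d-\d\d \d\d:\d\d) (\d+) ([0-9a-fA-F]{32}) (.+)$")


def parse_combofix(text):
    """Return the scan time plus the 'Files Created' and Sigcheck rows."""
    run_time, created, sigcheck = None, [], []
    for raw in text.splitlines():
        line = raw.strip()
        if run_time is None and (m := HEADER_RE.match(line)):
            run_time = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M")
        elif m := CREATED_RE.match(line):
            is_dir = m.group(2) == "<DIR>"
            created.append({
                "created": datetime.strptime(m.group(1), "%Y-%m-%d %H:%M"),
                "is_dir": is_dir,
                "size": None if is_dir else int(m.group(2).replace(",", "")),
                "attrs": m.group(3),
                "path": m.group(4),
            })
        elif m := SIGCHECK_RE.match(line):
            sigcheck.append({"size": int(m.group(2)),
                             "md5": m.group(3).lower(), "path": m.group(4)})
    return {"run_time": run_time, "created": created, "sigcheck": sigcheck}


def fresh_drivers(report, window=timedelta(hours=1)):
    """.sys files under system32/drivers created within `window` before the
    scan: a dropper that re-creates itself (restore.sys here) shows up as
    (path, minutes before scan)."""
    hits = []
    for f in report["created"]:
        p = f["path"].lower()
        if f["is_dir"] or not p.endswith(".sys") or "\\system32\\drivers\\" not in p:
            continue
        age = report["run_time"] - f["created"]
        if timedelta(0) <= age <= window:
            hits.append((f["path"], int(age.total_seconds() // 60)))
    return hits


def sigcheck_inconsistencies(report):
    """Group Sigcheck rows by file name and flag contradictions: one MD5 for
    two different sizes cannot be a correct digest of what is on disk, and
    different MD5s under one name mean the copies are not the same file."""
    groups = defaultdict(list)
    for row in report["sigcheck"]:
        groups[row["path"].rsplit("\\", 1)[-1].lower()].append(row)
    findings = []
    for name, rows in groups.items():
        sizes = sorted({r["size"] for r in rows})
        hashes = sorted({r["md5"] for r in rows})
        if len(hashes) == 1 and len(sizes) > 1:
            findings.append((name, "same MD5 reported for different sizes", sizes))
        elif len(hashes) > 1:
            findings.append((name, "copies differ", hashes))
    return findings


if __name__ == "__main__":
    rep = parse_combofix(SAMPLE_LOG)
    for path, minutes in fresh_drivers(rep):
        print(f"driver created {minutes} min before the scan: {path}")
    for name, why, detail in sigcheck_inconsistencies(rep):
        print(f"sigcheck {name}: {why} {detail}")
```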

offline
  • Joined: 15 Dec 2008
  • Posts: 166
  • Location: Beograd

I'm struggling a bit with attaching c:\windows\system32\drivers\ndis.sys, as if it won't attach. Otherwise, there are two identical such files, the second is called ndis (2), and c:\windows\system32\dllcache\ndis.sys seems not to exist at all, I don't see it.



Addendum: 12 Mar 2009 12:58

this is ndis (2) from drivers

Addendum: 12 Mar 2009 13:08

in ServicePackFiles\i386, as well as in system32\npp, there is ndisnpp.dll, but dllcache\ndis.sys is nowhere to be found

offline
  • Joined: 04 Sep 2003
  • Posts: 24135
  • Location: Wien

Open Notepad and copy the following text:

Driver::
ntndis
restore


Save the file from Notepad to the Desktop as "CFScript"




Drag the saved script/text onto the ComboFix icon as in the picture.
Post in the next message the log that is produced at the end of the cleaning/scanning.

offline
  • Joined: 15 Dec 2008
  • Posts: 166
  • Location: Beograd

ComboFix 09-03-10.03 - RR 2009-03-12 14:45:52.16 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1918.1405 [GMT 1:00]
Running from: c:\documents and settings\RR\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\RR\Desktop\CFScript.txt
AV: AVG *On-access scanning disabled* (Outdated)
AV: ESET NOD32 Antivirus 3.0 *On-access scanning disabled* (Updated)
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\drivers\ntndis.sys
.
---- Previous Run -------
.
c:\windows\system32\drivers\ntndis.sys

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_restore


((((((((((((((((((((((((( Files Created from 2009-02-12 to 2009-03-12 )))))))))))))))))))))))))))))))
.

2009-03-12 14:39 . 2009-03-12 14:39 6,656 --a------ c:\windows\system32\drivers\restore.sys
2009-03-10 04:59 . 2009-03-10 04:59 <DIR> d-------- c:\documents and settings\RRR\Application Data\NesterSoft
2009-03-10 04:54 . 2009-03-10 04:56 <DIR> d-------- c:\documents and settings\RRR\Application Data\Winamp
2009-03-10 04:54 . 2009-03-10 04:54 <DIR> d-------- c:\documents and settings\RRR\Application Data\Skype
2009-03-10 04:50 . 2009-03-10 04:50 <DIR> d-------- c:\documents and settings\RRR\Application Data\ACD Systems
2009-03-10 04:10 . 2009-03-10 04:11 <DIR> d-------- C:\USBNoRisk
2009-03-08 16:51 . 2009-03-09 18:35 <DIR> d-------- c:\program files\SpeedBit Video Accelerator
2009-03-08 14:57 . 2009-03-08 14:57 <DIR> d-------- c:\documents and settings\RRR
2009-03-07 22:19 . 2009-03-07 22:19 <DIR> d-------- c:\program files\Software Informer
2009-03-07 04:43 . 2005-10-31 19:17 135,168 -r------- c:\windows\system32\RtlCPAPI.dll
2009-03-07 04:42 . 2005-05-03 19:43 69,632 -r------- c:\windows\Alcmtr.exe
2009-03-05 18:38 . 2009-03-05 18:38 <DIR> d-------- c:\windows\system32\config\systemprofile\Application Data\Yahoo!
2009-03-03 16:20 . 2009-03-03 16:20 <DIR> d-------- c:\documents and settings\RR\Application Data\Thinstall
2009-03-03 16:16 . 2009-03-08 00:40 <DIR> d--hs---- c:\documents and settings\All Users\Application Data\{55A29068-F2CE-456C-9148-C869879E2357}
2009-03-03 16:15 . 2009-03-07 04:33 <DIR> d-------- c:\program files\CBS Software
2009-03-03 16:14 . 2009-03-03 16:14 <DIR> d-------- c:\program files\TuneUp Utilities 2009 8.0.2000.35
2009-03-02 17:46 . 2009-03-02 17:46 <DIR> d-------- c:\program files\Reference Assemblies
2009-02-28 19:51 . 2009-02-28 19:51 <DIR> d-------- c:\documents and settings\RR\Application Data\URSoft
2009-02-28 03:25 . 2009-03-06 12:59 <DIR> d-------- c:\program files\Breakaway
2009-02-28 02:00 . 2009-02-28 06:03 <DIR> d-------- c:\program files\Magic Video Converter
2009-02-28 02:00 . 2003-03-19 11:03 544,768 --a------ c:\windows\system32\msvcr71d.dll
2009-02-25 03:18 . 2009-01-09 20:19 1,089,593 -----c--- c:\windows\system32\dllcache\ntprint.cat
2009-02-25 02:51 . 2009-02-26 03:17 <DIR> d-------- c:\program files\Total Video Converter
2009-02-25 02:50 . 2009-02-28 05:51 <DIR> d-------- c:\program files\Codec Pack - All In 1
2009-02-25 02:50 . 2009-02-28 05:51 737,280 --a------ c:\windows\iun6002.exe
2009-02-25 02:39 . 2009-03-02 01:30 <DIR> d-------- c:\program files\Amadis Software
2009-02-24 17:04 . 2009-02-24 17:04 <DIR> d-------- C:\ZCVideoConverter
2009-02-24 16:59 . 2009-02-24 17:00 <DIR> d-------- c:\program files\ZC Video Converter
2009-02-24 16:42 . 2009-02-24 16:42 <DIR> d-------- c:\program files\XviD
2009-02-24 16:39 . 2001-08-23 17:00 1,700,352 --a------ c:\windows\system32\gdiplus.dll
2009-02-24 02:44 . 2009-02-24 02:44 <DIR> d-------- c:\program files\XP Codec Pack
2009-02-24 02:44 . 2008-07-09 09:05 421,888 --a------ c:\windows\system32\ac3filter.acm
2009-02-22 16:42 . 2009-02-22 16:43 <DIR> d-------- c:\program files\Any Video Converter
2009-02-22 16:42 . 2009-02-26 03:17 <DIR> d-------- c:\documents and settings\RR\Application Data\Any Video Converter
2009-02-22 16:14 . 2009-02-22 16:39 <DIR> d-------- c:\program files\Any Video Converter Professional
2009-02-22 16:14 . 2009-02-26 03:17 <DIR> d-------- c:\documents and settings\RR\Application Data\Any Video Converter Professional
2009-02-22 15:38 . 2009-02-22 15:39 <DIR> d-------- c:\program files\Media Convert Master
2009-02-22 15:38 . 2009-02-22 15:39 <DIR> d-------- c:\documents and settings\RR\Application Data\Vso
2009-02-22 15:38 . 2009-02-22 15:38 81,920 --a------ c:\documents and settings\RR\Application Data\ezpinst.exe
2009-02-22 15:38 . 2009-02-22 15:38 47,360 --a------ c:\windows\system32\drivers\pcouffin.sys
2009-02-22 15:38 . 2009-02-22 15:38 47,360 --a------ c:\documents and settings\RR\Application Data\pcouffin.sys
2009-02-22 15:20 . 2007-02-07 20:05 269,824 --a------ c:\windows\system32\baksm.dll
2009-02-22 14:14 . 2009-02-22 14:14 <DIR> d-------- c:\program files\AviSynth 2.5
2009-02-22 14:14 . 2004-05-26 21:37 719,872 --a------ c:\windows\system32\devil.dll
2009-02-22 14:14 . 2006-09-16 19:44 314,368 --a------ c:\windows\system32\avisynth.dll
2009-02-22 14:14 . 2005-02-13 00:00 186,880 -r-hs---- c:\windows\system32\RLOgg.ax
2009-02-22 14:14 . 2005-02-06 00:00 92,672 -r-hs---- c:\windows\system32\RLVorbisDec.ax
2009-02-22 14:14 . 2004-01-25 00:00 70,656 --a------ c:\windows\system32\i420vfw.dll
2009-02-22 14:14 . 2005-02-13 00:00 67,584 -r-hs---- c:\windows\system32\RLTheoraDec.ax
2009-02-22 14:14 . 2005-02-13 00:00 51,712 -r-hs---- c:\windows\system32\RLSpeexDec.ax
2009-02-22 14:13 . 2005-01-18 00:26 179,200 -r-hs---- c:\windows\system32\DiracSplitter.ax
2009-02-22 14:13 . 2005-02-22 17:55 81,920 -r-hs---- c:\windows\system32\aac_parser.ax
2009-02-22 03:39 . 2009-02-22 03:39 <DIR> d-------- C:\ConverterOutput
2009-02-22 03:31 . 2009-02-22 03:31 <DIR> d-------- c:\program files\Common Files\Download Manager
2009-02-20 20:39 . 2008-03-03 14:25 5,702 --ah----- c:\windows\nod32restoretemdono.reg
2009-02-20 20:39 . 2008-03-03 18:21 568 --ah----- c:\windows\nod32fixtemdono.reg
2009-02-20 20:33 . 2009-02-20 20:33 <DIR> d-------- c:\documents and settings\All Users\Application Data\ESET

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-03-12 13:54 --------- d-----w c:\documents and settings\RR\Application Data\Skype
2009-03-12 11:45 --------- d-----w c:\program files\Everything
2009-03-12 03:08 --------- d-----w c:\documents and settings\RR\Application Data\skypePM
2009-03-11 07:58 --------- d-----w c:\program files\TimeLeft3
2009-03-11 04:03 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2009-03-10 16:35 --------- d-----w c:\documents and settings\RR\Application Data\uTorrent
2009-03-09 07:41 --------- d-----w c:\documents and settings\RR\Application Data\FrostWire
2009-03-08 15:51 --------- d-----w c:\documents and settings\All Users\Application Data\SpeedBit
2009-03-08 15:49 --------- d-----w c:\program files\DAP
2009-03-08 15:08 --------- d-----w c:\documents and settings\RR\Application Data\Software Informer
2009-03-07 21:57 --------- d-----w c:\program files\Windows Live
2009-03-07 03:42 --------- d-----w c:\program files\Realtek
2009-03-07 03:23 --------- d-----w c:\program files\Foxit Software
2009-03-06 14:08 --------- d-----w c:\program files\Opera
2009-03-05 17:38 --------- d-----w c:\documents and settings\All Users\Application Data\Yahoo! Companion
2009-03-05 13:39 136,128 ----a-w c:\windows\system32\drivers\aec.sys
2009-03-05 13:36 182,656 -c--a-w c:\windows\system32\drivers\ndis.sys
2009-03-03 15:17 --------- d-----w c:\documents and settings\RR\Application Data\TuneUp Software
2009-03-03 15:16 --------- d-----w c:\documents and settings\All Users\Application Data\TuneUp Software
2009-03-01 16:06 --------- d-----w c:\program files\Glary Utilities
2009-02-27 21:31 --------- d-----w c:\program files\Total Video Player
2009-02-26 02:21 --------- d-----w c:\program files\IObit
2009-02-26 02:21 --------- d-----w c:\documents and settings\RR\Application Data\IObit
2009-02-25 02:25 --------- d-----w c:\documents and settings\RR\Application Data\LimeWire
2009-02-24 02:28 --------- d-----w c:\program files\Mv2Player
2009-02-20 19:36 --------- d-----w c:\program files\ESET
2009-02-20 12:19 --------- d-----w c:\documents and settings\All Users\Application Data\Lavasoft
2009-02-15 01:30 --------- d-----w c:\program files\SpeedFan
2009-02-14 07:15 --------- dc----w c:\documents and settings\All Users\Application Data\{83C91755-2546-441D-AC40-9A6B4B860800}
2009-02-12 02:02 --------- d-----w c:\program files\Google
2009-02-12 01:23 --------- d-----w c:\documents and settings\RR\Application Data\WinPatrol
2009-02-11 16:56 --------- d-----w c:\program files\BillP Studios
2009-02-09 01:01 --------- d-----w c:\program files\Common Files\Ahead
2009-02-09 01:01 --------- d-----w c:\program files\Ahead
2009-02-09 00:54 --------- d-----w c:\documents and settings\All Users\Application Data\Nero
2009-02-08 15:14 --------- d-----w c:\program files\DivX
2009-02-08 13:39 --------- d-----w c:\documents and settings\RR\Application Data\Ahead
2009-02-08 13:17 --------- d-----w c:\documents and settings\All Users\Application Data\Ahead
2009-02-08 13:03 --------- d-----w c:\program files\Common Files\Nero
2009-02-07 23:41 --------- d-----w c:\documents and settings\RR\Application Data\Nero
2009-02-07 12:11 --------- d-----w c:\program files\FrostWire
2009-02-04 12:17 --------- d-----w c:\program files\Wise Registry Cleaner 3
2009-02-04 12:15 --------- d-----w c:\program files\Wise Disk Cleaner
2009-02-04 11:39 --------- d-----w c:\documents and settings\All Users\Application Data\3A3E
2009-02-04 11:08 --------- d-----w c:\program files\Common Files\Skype
2009-02-04 11:08 --------- d-----w c:\documents and settings\All Users\Application Data\Skype
2009-02-04 11:08 --------- d-----r c:\program files\Skype
2009-02-02 10:41 --------- d-----w c:\documents and settings\All Users\Application Data\23CB
2009-01-31 16:45 --------- d-----w c:\documents and settings\All Users\Application Data\F138
2009-01-31 01:17 --------- d-----w c:\documents and settings\All Users\Application Data\2835B
2009-01-28 01:03 --------- d-----w c:\documents and settings\All Users\Application Data\3034B
2009-01-27 11:49 --------- d-----w c:\program files\Recuva
2009-01-25 01:40 17,920 -c--a-w c:\windows\WebFerretUninstall.exe
2009-01-25 01:40 --------- d-----w c:\program files\WebFerret
2009-01-23 23:48 --------- d-----w c:\documents and settings\All Users\Application Data\3A138
2009-01-23 23:02 --------- d-----w c:\documents and settings\All Users\Application Data\131F
2009-01-23 22:58 --------- d-----w c:\documents and settings\All Users\Application Data\1B1F
2008-10-27 13:33 69,232 -c--a-w c:\documents and settings\RR\Application Data\GDIPFONTCACHEV1.DAT
2007-12-22 13:50 32 -c--a-w c:\documents and settings\All Users\Application Data\ezsid.dat
.

------- Sigcheck -------

2008-04-13 20:20 182656 1df7f42665c94b825322fae71721130d c:\windows\ServicePackFiles\i386\ndis.sys
2009-03-05 14:36 213120 1df7f42665c94b825322fae71721130d c:\windows\system32\dllcache\ndis.sys
2009-03-05 14:36 213120 1df7f42665c94b825322fae71721130d c:\windows\system32\drivers\ndis.sys
.
((((((((((((((((((((((((((((( SnapShot@2009-03-09_16.23.18.60 )))))))))))))))))))))))))))))))))))))))))
.
+ 2005-10-20 19:02:28 163,328 ----a-w c:\windows\ERDNT\subs\ERDNT.EXE
- 2009-02-04 11:08:22 364,726 ----a-r c:\windows\Installer\{24D753CA-6AE9-4E30-8F5F-EFC93E08BF3D}\SkypeIcon.exe
+ 2009-03-10 03:53:40 364,726 ----a-r c:\windows\Installer\{24D753CA-6AE9-4E30-8F5F-EFC93E08BF3D}\SkypeIcon.exe
- 2009-03-09 07:12:06 32,768 --sha-w c:\windows\system32\config\systemprofile\Application Data\Microsoft\Internet Explorer\UserData\index.dat
+ 2009-03-09 19:08:02 32,768 --sha-w c:\windows\system32\config\systemprofile\Application Data\Microsoft\Internet Explorer\UserData\index.dat
- 2009-03-09 15:21:10 32,768 -c--a-w c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2009-03-12 13:55:22 32,768 -c--a-w c:\windows\system32\config\systemprofile\Cookies\index.dat
- 2009-03-09 15:21:10 65,536 -c--a-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2009-03-12 13:55:22 98,304 -c--a-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2009-03-09 15:21:11 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012009030920090310\index.dat
+ 2009-03-09 19:08:02 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012009030920090310\index.dat
+ 2009-03-10 15:28:18 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012009031020090311\index.dat
+ 2009-03-11 18:17:17 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012009031120090312\index.dat
+ 2009-03-12 13:45:24 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012009031220090313\index.dat
- 2009-03-09 15:21:11 49,152 --sha-w c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2009-03-12 13:55:22 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2008-12-05 06:54:55 144,896 -c----w c:\windows\system32\dllcache\schannel.dll
- 2008-09-15 12:12:56 1,846,400 -c----w c:\windows\system32\dllcache\win32k.sys
+ 2009-02-09 11:13:27 1,846,784 -c----w c:\windows\system32\dllcache\win32k.sys
- 2007-06-11 21:51:12 10,834,944 -c--a-w c:\windows\system32\dllcache\wmp.dll
+ 2008-11-11 17:34:42 10,838,016 -c--a-w c:\windows\system32\dllcache\wmp.dll
- 2008-10-24 23:12:54 268,600 -c--a-w c:\windows\system32\FNTCACHE.DAT
+ 2009-03-11 18:09:39 268,600 -c--a-w c:\windows\system32\FNTCACHE.DAT
- 2008-10-05 03:24:02 3,695,008 ----a-w c:\windows\system32\Macromed\Flash\NPSWF32.dll
+ 2009-02-03 02:15:28 3,771,296 ----a-w c:\windows\system32\Macromed\Flash\NPSWF32.dll
- 2008-10-05 03:24:04 235,936 -c--a-w c:\windows\system32\Macromed\Flash\NPSWF32_FlashUtil.exe
+ 2009-02-03 02:15:30 240,544 ----a-w c:\windows\system32\Macromed\Flash\NPSWF32_FlashUtil.exe
- 2008-12-29 14:03:34 84,661 -c--a-w c:\windows\system32\Macromed\Flash\uninstall_plugin.exe
+ 2009-03-10 16:55:17 84,661 ----a-w c:\windows\system32\Macromed\Flash\uninstall_plugin.exe
- 2008-04-14 00:12:05 144,384 ----a-w c:\windows\system32\schannel.dll
+ 2008-12-05 06:54:55 144,896 ----a-w c:\windows\system32\schannel.dll
- 2007-11-30 11:18:51 26,488 -c--a-w c:\windows\system32\spupdsvc.exe
+ 2007-07-27 08:41:38 26,488 ----a-w c:\windows\system32\spupdsvc.exe
- 2008-09-15 12:12:56 1,846,400 ----a-w c:\windows\system32\win32k.sys
+ 2009-02-09 11:13:27 1,846,784 ----a-w c:\windows\system32\win32k.sys
- 2007-06-11 21:51:12 10,834,944 ----a-w c:\windows\system32\wmp.dll
+ 2008-11-11 17:34:42 10,838,016 ----a-w c:\windows\system32\wmp.dll
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2009-01-29 23975720]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"egui"="c:\program files\ESET\ESET NOD32 Antivirus\egui.exe" [2008-02-20 1443072]
"RTHDCPL"="RTHDCPL.EXE" [2006-01-11 c:\windows\RTHDCPL.exe]

c:\documents and settings\RRR\Start Menu\Programs\Startup\
Yahoo! Widgets.lnk - c:\program files\Yahoo!\Widgets\YahooWidgets.exe [2008-03-19 4742184]

c:\documents and settings\RR\Start Menu\Programs\Startup\
TimeLeft.lnk - c:\program files\TimeLeft3\TimeLeft.exe [2007-12-22 1981112]
Yahoo! Widgets.lnk - c:\program files\Yahoo!\Widgets\YahooWidgets.exe [2008-03-19 4742184]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.I420"= i420vfw.dll
"VIDC.XVID"= xvid.dll
"msacm.ac3filter"= ac3filter.acm

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]

[HKLM\~\startupfolder\C:^Documents and Settings^RR^Start Menu^Programs^Startup^FrostWire On Startup.lnk]
backup=c:\windows\pss\FrostWire On Startup.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^RR^Start Menu^Programs^Startup^ppcb_32.lnk]
backup=c:\windows\pss\ppcb_32.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2008-04-14 01:12 15360 c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
--a----t- 2008-09-03 12:13 133104 c:\documents and settings\RR\Local Settings\Application Data\Google\Update\GoogleUpdate.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"ctfmon.exe"=c:\windows\system32\ctfmon.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\K-Lite Codec Pack\\Media Player Classic\\mplayerc.exe"=
"c:\\Program Files\\WebFerret\\WebFerret.exe"=
"c:\\Program Files\\FrostWire\\FrostWire.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\Program Files\\DAP\\DAP.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

R1 epfwtdir;epfwtdir;c:\windows\system32\drivers\epfwtdir.sys [2008-02-20 33800]
R2 ekrn;Eset Service;c:\program files\ESET\ESET NOD32 Antivirus\ekrn.exe [2008-02-20 472320]
S2 NOD32FiXTemDono;Eset Nod32 Boot;c:\windows\system32\regedt32.exe [2001-08-23 3584]
S3 EuMusDesignVirtualAudioCableWdm_lcs;Breakaway Pipeline (WDM);c:\windows\system32\DRIVERS\vaclcskd.sys --> c:\windows\system32\DRIVERS\vaclcskd.sys [?]
S3 PsSdk41;PsSdk41;c:\windows\system32\drivers\pssdk41.sys [2008-10-19 36928]
S3 w89c940;Winbond W89C940 PCI Ethernet Adapter Driver;c:\windows\system32\drivers\w940nd.sys [2007-12-21 16925]
.
Contents of the 'Scheduled Tasks' folder

2009-03-12 c:\windows\Tasks\AWC Update.job
- c:\program files\IObit\Advanced SystemCare 3\IObitUpdate.exe [2009-02-23 17:38]

2009-03-12 c:\windows\Tasks\AWC Update.job
- c:\program files\IObit\Advanced SystemCare 3\ [2009-03-12 14:22]

2009-03-12 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-436374069-527237240-725345543-1003.job
- c:\documents and settings\RR\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-09-03 12:13]

2009-03-02 c:\windows\Tasks\SmartDefrag.job
- c:\program files\IObit\IObit SmartDefrag\IObit SmartDefrag.exe [2009-02-13 18:15]

2009-03-02 c:\windows\Tasks\SmartDefrag.job
- c:\program files\IObit\IObit SmartDefrag\ [2009-02-26 03:21]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
mStart Page = hxxp://www.krstarica.com
uInternet Connection Wizard,ShellNext = iexplore
uSearchURL,(Default) = hxxp://www.google.com/search/?q=%s
IE: &Clean Traces - c:\program files\DAP\Privacy Package\dapcleanerie.htm
IE: &Download with &DAP - c:\program files\DAP\dapextie.htm
IE: &Search - ?p=ZCfox000
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: Download &all with DAP - c:\program files\DAP\dapextie2.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\RR\Application Data\Mozilla\Firefox\Profiles\qq1l57ie.default\
FF - prefs.js: browser.startup.homepage - yahoo.com
FF - component: c:\program files\DAP\DAPFireFox\components\DAPFireFox.dll
FF - plugin: c:\documents and settings\RR\Local Settings\Application Data\Google\Update\1.2.141.5\npGoogleOneClick7.dll
FF - plugin: c:\program files\Google\Picasa3\npPicasa2.dll
FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll
FF - plugin: c:\program files\Opera\program\plugins\npFoxitReaderPlugin.dll
FF - plugin: c:\program files\Opera\program\plugins\nppl3260.dll
FF - plugin: c:\program files\Opera\program\plugins\nprpjplug.dll

---- FIREFOX POLICIES ----
FF - user.js: network.http.max-persistent-connections-per-server - 3
FF - user.js: nglayout.initialpaint.delay - 750
FF - user.js: content.notify.interval - 750000
FF - user.js: content.max.tokenizing.time - 2250000
FF - user.js: content.switch.threshold - 750000
FF - user.js: network.http.max-connections-per-server - 6
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, gmer.net
Rootkit scan 2009-03-12 14:55:05
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(760)
c:\windows\system32\Ati2evxx.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\windows\system32\ati2evxx.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\snmp.exe
c:\program files\Internet Explorer\iexplore.exe
.
**************************************************************************
.
Completion time: 2009-03-12 14:58:21 - machine was rebooted [RR]
ComboFix-quarantined-files.txt 2009-03-12 13:58:18
ComboFix2.txt 2009-03-11 17:23:12
ComboFix3.txt 2009-03-10 02:22:22
ComboFix4.txt 2009-03-09 15:25:00

Pre-Run: 18,982,588,416 bytes free
Post-Run: 18,968,694,784 bytes free

308 --- E O F --- 2009-03-11 17:48:35

offline
  • Joined: 04 Sep 2003
  • Posts: 24135
  • Location: Wien

rradovan, I had to ask the author of the Gmer program for help.
We have established what is wrong, i.e. where the problem is.

Since I can't tell from the log, tell me: did you install the Recovery Console back when ComboFix offered it to you?

offline
  • Joined: 15 Dec 2008
  • Posts: 166
  • Location: Beograd

Yes, it installed itself back in the winter, when I first used ComboFix for similar slowdown problems. Now on every boot, for two seconds, a black screen offers me the choice of booting W-XP or Recovery Console, but I don't know how it can be used, i.e. whether it is OK.

Recently, when the computer was resetting itself five times on power-up, I tried choosing Recovery, but the process then (if I remember correctly) asked for some DOS command, so I didn't know how to continue.
These past days ComboFix hasn't changed anything, nor asked about the Console.

Help me, masters, for God's sake.

offline
  • Joined: 04 Sep 2003
  • Posts: 24135
  • Location: Wien

Sorry, I'm just leaving the flat (I have to go to the doctor).
Tonight I first have to try the procedure on my own machine, and then I'll write out in detail what to do and how.
I don't know the capabilities of the Recovery Console by heart either, which is why I have to try it on my own machine first.

I don't expect to have a solution before 9 tonight.

Update: 12 Mar 2009 20:05

Download the following ZIP:
http://amf.mycity.rs/temp/rradovan.zip
Unpack it to C:, into the root of the hard disk itself.

Then restart the computer into the Recovery Console.
If it asks for the admin password and one is set, enter it.
If you have not set an admin password, just hit Enter.

When the prompt appears, type the following commands:
c:
cd \
start.bat

When that finishes, restart the computer again, this time into normal Windows.
You will have a log at the following location:
c:\log1.txt
Open it and copy it to me here.
After that, run ComboFix again and post the log here when it finishes.

Update: 12 Mar 2009 20:07

I forgot to mention earlier.
It can happen that after this repair Windows will no longer boot. The risk exists.

Korisnici trenutno na forumu: _Rade, aboris, Apok, aramis s, arzak, Ben Roj, bigfoot, bojcistv, BSD, Bubimir, ccoogg123, croato, darionis, Dejan84, Djokislav, Don, dule10savic, FOX, Georgius, goxin, jovanjov90, laurusri, ljuba, manda87, Marko Marković, mercedesamg, Milan A. Nikolic, milimoj, Miskohd, nebojsag, nedeljkovici, nenad_l, niksa517, opt1, pein, Qwertyuio, rikirubio, RobinHood12, Rocker, saxone, Skakac7, slonic_tonic, Smiljke, solic, SOVO515, Srle993, Steeeefan, Tas011, teodorica, TheDictator, tmanda323, Toni, Username1000, Van, vathra, virked, ween, YU-UKI, zdrebac, zhuki8, zixmix, Zmaj001, znaisha, zxstole