Trojan and rootkit


offline
  • Joined: 06 May 2008
  • Posts: 12

I didn't manage to finish the scan with ComboFix because I got a blue screen again, like last night, and had to restart the computer.



offline
  • dr_Bora  Male
  • Anti Malware Fighter
    Rank 2
  • Joined: 24 Jul 2007
  • Posts: 12280
  • Location: Höganäs, SE

Upload the following file: C:\WINDOWS\system32\user32.dll

Upload link: [Link visible only to logged-in users]



-------------------------------------------------------------------------------------



Download the file gmer.zip from this link and save it to the Desktop.
Extract it into a folder.

Double-click gmer.exe to start: select the Rootkit/Malware tab at the top.
Click Scan.
When the scan is finished, click the Save ... button below and save that file somewhere.


Attach the saved file to your post (use the Attach file option).

Update: 08 May 2008 19:44

Question: do you have a Windows installation CD?



offline
  • Joined: 06 May 2008
  • Posts: 12

I'm downloading gmer, haven't finished yet, and I do have the CD.

Update: 08 May 2008 20:35

[Link visible only to logged-in users]

This is the saved scan from gmer.exe. I had to restart the computer again, but on the second try I managed to finish the scan.

offline
  • dr_Bora  Male
  • Anti Malware Fighter
    Rank 2
  • Joined: 24 Jul 2007
  • Posts: 12280
  • Location: Höganäs, SE

Judging by the uploaded file, it looks like ComboFix did manage to do what it needed to after all.


The logs show traces of an infection that spreads via USB flash drives, so you need to plug those in, if you have any, during the following procedure.


Download the program Flash_Disinfector.

The program is started by double-clicking Flash_Disinfector.exe.
When the notification message appears, plug in the infected USB flash drives (hold down the Shift key while doing so to avoid autoplay).
Click OK and wait for the process to finish.
When the Done !! message appears, click OK.



Download the following file to the Desktop:

[Link visible only to logged-in users]

Double-click it and, in the prompt that appears, click Yes.



-------------------------------------------------------------------------------------



We'll try the CF scan once more, but before that make the following setting change in avast!:

avast! settings... under Troubleshooting: check Disable avast! self-defense module.

Run ComboFix and post the log if the scan succeeds.



Question: is it a problem for you to download about ten MB? I'd like us to run a scan with one AV program.

offline
  • Joined: 06 May 2008
  • Posts: 12

If you're asking whether I have one of those USB devices for transferring data that plugs into the computer, I don't, so I don't know if I need to run that flash program, but I'll download whatever is needed.

offline
  • dr_Bora  Male
  • Anti Malware Fighter
    Rank 2
  • Joined: 24 Jul 2007
  • Posts: 12280
  • Location: Höganäs, SE

Yes, that's what I mean. Do the Flash_Disinfector part anyway (it's a very short procedure).

offline
  • Joined: 06 May 2008
  • Posts: 12

I did everything with Flash Disinfector. Should I revert the setting I changed in avast! or leave it? Here's the log file too.

ComboFix 08-05-01.3 - irina 2008-05-08 21:26:56.4 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1250.385.1033.18.84 [GMT 2:00]
Running from: C:\Downloads\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\drivers\windf.EXE
C:\WINDOWS\system32\drivers\windf.hlp
C:\WINDOWS\xmg.exe

.
((((((((((((((((((((((((( Files Created from 2008-04-08 to 2008-05-08 )))))))))))))))))))))))))))))))
.

2008-05-08 20:14 . 2008-05-08 20:20 250 --a------ C:\WINDOWS\gmer.ini
2008-05-07 22:57 . 2008-05-07 23:04 <DIR> d-------- C:\Documents and Settings\irina\Application Data\MiniDm
2008-05-06 23:36 . 2008-05-06 23:36 <DIR> d-------- C:\WINDOWS\system32\xircom
2008-05-06 23:36 . 2008-05-07 22:58 <DIR> d--hs---- C:\WINDOWS\system32\dllcache
2008-05-06 23:36 . 2008-05-06 23:36 <DIR> d-------- C:\Program Files\microsoft frontpage
2008-05-06 23:02 . 2008-05-06 23:02 1,024 --ah----- C:\WINDOWS\system32\config\systemprofile\ntuser.dat.LOG
2008-05-06 21:48 . 2008-05-06 22:19 <DIR> d-------- C:\Program Files\Panda Security
2008-05-06 18:49 . 2008-05-07 15:38 <DIR> d-------- C:\Documents and Settings\irina\Application Data\IEPro
2008-05-06 18:48 . 2008-05-06 18:49 <DIR> d-------- C:\Program Files\IEPro
2008-05-06 16:58 . 2008-05-06 16:58 <DIR> d-------- C:\Program Files\Trend Micro
2008-05-05 20:44 . 2008-05-05 20:44 <DIR> d-------- C:\Program Files\Common Files\Raxco
2008-05-05 20:15 . 2008-05-05 20:17 <DIR> d-------- C:\WINDOWS\BDOSCAN8
2008-05-05 19:49 . 2008-05-05 19:49 <DIR> d-------- C:\Documents and Settings\irina\.housecall6.6
2008-05-04 20:40 . 2008-05-04 20:40 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\GameHouse
2008-04-28 16:57 . 2008-04-28 16:57 <DIR> d-------- C:\WINDOWS\system32\config\systemprofile\Application Data\Yahoo!
2008-04-28 16:56 . 2008-04-29 12:03 <DIR> d-------- C:\WINDOWS\system32\config\systemprofile\Application Data\IE7Pro
2008-04-13 19:57 . 2005-11-01 09:52 8,704 --a------ C:\WINDOWS\system32\kbdjpn.dll
2008-04-13 19:57 . 2005-11-01 09:52 8,192 --a------ C:\WINDOWS\system32\kbdkor.dll
2008-04-13 19:57 . 2005-11-01 09:52 6,144 --a------ C:\WINDOWS\system32\kbd106.dll
2008-04-13 19:57 . 2005-11-01 09:52 6,144 --a------ C:\WINDOWS\system32\kbd101c.dll
2008-04-13 19:57 . 2005-11-01 09:52 6,144 --a------ C:\WINDOWS\system32\kbd101b.dll
2008-04-13 19:57 . 2005-11-01 09:52 5,632 --a------ C:\WINDOWS\system32\kbd103.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-08 19:25 --------- d-----w C:\Documents and Settings\irina\Application Data\OnlineArmor
2008-05-08 19:20 --------- d-----w C:\Program Files\FlashGet
2008-05-08 19:16 20,992 ----a-w C:\WINDOWS\system32\drivers\vga.sys
2008-05-06 18:18 --------- d-----w C:\Documents and Settings\All Users\Application Data\GoBit Games
2008-05-06 16:48 --------- d-----w C:\Program Files\IE7Pro
2008-05-05 18:44 --------- d-----w C:\Program Files\Raxco
2008-04-05 17:12 --------- d-----w C:\Documents and Settings\irina\Application Data\IE7Pro
2007-10-24 16:01 774,144 -c--a-w C:\Program Files\RngInterstitial.dll
.

------- Sigcheck -------

2005-11-01 10:55 502272 847c91b55752adee4cb76b8252ee5691 C:\WINDOWS\system32\winlogon.exe
.
((((((((((((((((((((((((((((( [Link mogu videti samo ulogovani korisnici] )))))))))))))))))))))))))))))))))))))))))
.
- 2008-05-06 21:20:06 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-05-08 19:23:51 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2007-04-25 13:08:36 2,233,944 ----a-w C:\WINDOWS\Downloaded Program Files\msi.1.0.0.8.dll
+ 2005-10-20 18:02:28 163,328 ----a-w C:\WINDOWS\erdnt\subs\ERDNT.EXE
+ 2008-05-08 18:14:34 819,200 ----a-w C:\WINDOWS\gmer.dll
+ 2008-03-03 18:29:06 761,856 ----a-w C:\WINDOWS\gmer.exe
+ 2005-11-01 08:52:56 1,852,928 ----a-w C:\WINDOWS\system32\dllcache\acgenral.dll
+ 2004-08-03 22:56:42 450,048 ----a-w C:\WINDOWS\system32\dllcache\aclayers.dll
+ 2004-08-03 22:56:42 244,736 ----a-w C:\WINDOWS\system32\dllcache\acspecfc.dll
+ 2004-08-03 22:56:42 116,224 ----a-w C:\WINDOWS\system32\dllcache\acxtrnal.dll
+ 2004-08-03 22:56:48 98,304 ----a-w C:\WINDOWS\system32\dllcache\ahui.exe
+ 2004-08-03 22:56:42 126,976 ----a-w C:\WINDOWS\system32\dllcache\apphelp.dll
+ 2008-05-08 18:14:34 86,097 ----a-w C:\WINDOWS\system32\drivers\gmer.sys
+ 2008-05-08 19:24:14 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_57c.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56 15360]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-11-26 23:10 68856]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [ ]
"igndlm.exe"="C:\Program Files\Download Manager\DLM.exe" [2007-03-05 23:57 1103480]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-10-24 14:30 185632]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2007-06-29 06:24 286720]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-09-07 16:55 267064]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [ ]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 20:51 39792]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 02:11 132496]
"SoundMan"="SOUNDMAN.EXE" [2005-11-01 10:56 90112 C:\WINDOWS\SOUNDMAN.EXE]
"MagUninstall"="C:\Program Files\Ashampoo\Ashampoo Magical UnInstall\MagicalUnInstall.exe" [ ]
"OnlineArmor GUI"="C:\Program Files\Tall Emu\Online Armor\oaui.exe" [2007-11-04 02:38 4803136]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 00:56 15360]
"msnmsgr"="C:\Program Files\Windows Live\Messenger\msnmsgr.exe" [2007-10-18 12:34 5724184]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"nlsf"="cmd.exe" [2004-08-04 00:56 388608 C:\WINDOWS\system32\cmd.exe]
"nlhr"="C:\WINDOWS\System32\AdvPack.Dll" [2004-08-04 00:56 99840]
"tscuninstall"="C:\WINDOWS\system32\tscupgrd.exe" [2004-08-03 22:59 44544]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"ForceClassicControlPanel"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{4F07DA45-8170-4859-9B5F-037EF2970034}"= C:\PROGRA~1\TALLEM~1\ONLINE~1\oaevent.dll [2007-11-04 02:38 633344]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\Internet Explorer\\iexplore.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"C:\\Program Files\\FlashGet\\flashget.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"C:\\Program Files\\IEPro\\MiniDM.exe"=

R1 aswSP;avast! Self Protection;C:\WINDOWS\system32\drivers\aswSP.sys [2008-03-29 19:31]
R1 NDISRD;NDISRD;C:\WINDOWS\system32\drivers\NDISRD.sys [2007-09-29 01:06]
R1 OADevice;OADriver;C:\WINDOWS\system32\drivers\OADriver.sys [2007-11-03 09:40]
R1 OAmon;OAmon;C:\WINDOWS\system32\drivers\OAmon.sys [2007-09-29 01:06]
R2 aswFsBlk;aswFsBlk;C:\WINDOWS\system32\DRIVERS\aswFsBlk.sys [2008-03-29 19:35]

.
Contents of the 'Scheduled Tasks' folder
"2008-01-23 02:30:01 C:\WINDOWS\Tasks\ErrorSmart Scheduled Scan.job"
- C:\Program Files\ErrorSmart\ErrorSmart.ex
- C:\Program Files\ErrorSmart
"2008-05-08 16:18:32 C:\WINDOWS\Tasks\User_Feed_Synchronization-{9504676A-6C34-4D3A-B2E5-9943296C7447}.job"
- C:\WINDOWS\system32\msfeedssync.exe
.
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [Link mogu videti samo ulogovani korisnici]
Rootkit scan 2008-05-08 21:29:24
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-05-08 21:31:36
ComboFix-quarantined-files.txt 2008-05-08 19:31:31
ComboFix2.txt 2008-05-07 19:40:58
ComboFix3.txt 2008-05-06 21:32:49

Pre-Run: 34,437,558,272 bytes free
Post-Run: 34,448,900,096 bytes free

139 --- E O F --- 2008-05-08 17:01:30
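As an added example (not code from the thread, from ComboFix or from its authors), a small Python triage helper that reads a ComboFix log like the one above: it splits the log on its "((( Section )))" banners, lists the paths under "Other Deletions" and the values under "Reg Loading Points", and flags autostart values that end in empty brackets. Reading "[ ]" as "ComboFix found no such file on disk" is this example's assumption about the log format, and the embedded log is a constructed excerpt modelled on the posted one.

```python
import re
from typing import Dict, List, NamedTuple

# Constructed excerpt modelled on the log posted in the thread; not a real run.
SAMPLE_LOG = r"""ComboFix 08-05-01.3 - irina 2008-05-08 21:26:56.4 - NTFSx86
((((((((((((( Other Deletions )))))))))))))

C:\WINDOWS\system32\drivers\windf.EXE
C:\WINDOWS\system32\drivers\windf.hlp
C:\WINDOWS\xmg.exe

((((((((((((( Reg Loading Points )))))))))))))

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56 15360]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [ ]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"nlsf"="cmd.exe" [2004-08-04 00:56 388608 C:\WINDOWS\system32\cmd.exe]
"""

# Section banners look like "(((( Name ))))"; entries look like "name"="value" [info].
SECTION_RE = re.compile(r"^\(+\s*(.*?)\s*\)+$")
ENTRY_RE = re.compile(r'^"(?P<name>[^"]+)"=\s*"?(?P<value>[^"\[]*?)"?\s*\[(?P<info>[^\]]*)\]\s*$')


class AutostartEntry(NamedTuple):
    key: str    # registry key the value lives under
    name: str   # value name
    value: str  # command or path stored in the registry
    info: str   # date/size ComboFix printed for the file; "" when it printed "[ ]"

    @property
    def file_missing(self) -> bool:
        # Assumption: empty brackets mean ComboFix found no such file on disk.
        return self.info == ""


def split_sections(log: str) -> Dict[str, List[str]]:
    """Group log lines under the banner that precedes them ('header' before the first)."""
    sections: Dict[str, List[str]] = {}
    current = "header"
    for line in log.splitlines():
        m = SECTION_RE.match(line.strip())
        if m:
            current = m.group(1)
        else:
            sections.setdefault(current, []).append(line.rstrip())
    return sections


def deleted_files(log: str) -> List[str]:
    # Paths under 'Other Deletions': what ComboFix reports having removed.
    lines = split_sections(log).get("Other Deletions", [])
    return [ln for ln in lines if re.match(r"^[A-Za-z]:\\", ln)]


def autostart_entries(log: str) -> List[AutostartEntry]:
    """Every value under 'Reg Loading Points', tagged with the key it belongs to."""
    entries: List[AutostartEntry] = []
    key = ""
    for line in split_sections(log).get("Reg Loading Points", []):
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]  # a "[HKEY_...]" key header
        elif (m := ENTRY_RE.match(line)):
            entries.append(AutostartEntry(key, m["name"], m["value"], m["info"].strip()))
    return entries


def triage(log: str) -> Dict[str, List[str]]:
    """What a helper reads first: removals, autostarts whose file is gone, RunOnce values."""
    entries = autostart_entries(log)
    return {
        "deleted": deleted_files(log),
        "autostart_missing_file": [f"{e.key}\\{e.name} -> {e.value}" for e in entries if e.file_missing],
        "runonce": [f"{e.key}\\{e.name} -> {e.value}" for e in entries if e.key.lower().endswith("runonce")],
    }
```

In the posted log the flagged entries point at software that is no longer installed, so the flag is a prompt to read the whole entry rather than a verdict on its own.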

offline
  • dr_Bora  Male
  • Anti Malware Fighter
    Rank 2
  • Joined: 24 Jul 2007
  • Posts: 12280
  • Location: Höganäs, SE

The last log looks fine...


Leave the avast! setting as it is for now.

Here's the plan... You'll run a scan with Dr.Web CureIt (now or tomorrow, as you prefer) and then tomorrow afternoon (or later, whenever you get to it) post the Dr.Web scan log and a new ComboFix log (the last one, I hope).



Download Dr.Web CureIt (~10 MB).
Temporarily disable your antivirus.

Double-click cureit.exe to run it, after which an introductory window will appear - click Start.

A notification about starting the initial scan will appear - click OK.

Wait a few minutes for Dr.Web CureIt to perform the Express Scan; if malware is found, allow the program to disinfect it by clicking the Yes to All button in the window that appears.

Click Options > Change settings F9; in the window that opens, uncheck the Heuristic Analysis option and then click OK.

In the main window select the Complete scan option, then click, and Dr.Web CureIt will start the scan.

If malware is found, allow the program to disinfect it by clicking the Yes to All button in the window that appears.

When the scan is finished, click the Select all button (if available), then click Cure and,
in the menu that opens, click Move incurable.


When the process is complete, click File > Save report list and save the log to the Desktop.


Copy the contents of the Dr.Web CureIt log into the forum thread (or attach it to your post).

offline
  • Joined: 06 May 2008
  • Posts: 12

[Link visible only to logged-in users]

This is the report list from the Dr.Web scan, and here is the ComboFix log file too. One question: which is a good antispyware program that can be downloaded from the net? I had Lavasoft, but it caused me problems, so I haven't had any antispyware program for quite a while.

ComboFix 08-05-01.3 - irina 2008-05-09 19:08:03.5 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1250.385.1033.18.85 [GMT 2:00]
Running from: C:\Downloads\ComboFix.exe
.

((((((((((((((((((((((((( Files Created from 2008-04-09 to 2008-05-09 )))))))))))))))))))))))))))))))
.

2008-05-09 16:18 . 2008-05-09 19:05 <DIR> d-------- C:\Documents and Settings\irina\DoctorWeb
2008-05-08 20:14 . 2008-05-08 20:20 250 --a------ C:\WINDOWS\gmer.ini
2008-05-07 22:57 . 2008-05-07 23:04 <DIR> d-------- C:\Documents and Settings\irina\Application Data\MiniDm
2008-05-06 23:36 . 2008-05-06 23:36 <DIR> d-------- C:\WINDOWS\system32\xircom
2008-05-06 23:36 . 2008-05-07 22:58 <DIR> d--hs---- C:\WINDOWS\system32\dllcache
2008-05-06 23:36 . 2008-05-06 23:36 <DIR> d-------- C:\Program Files\microsoft frontpage
2008-05-06 23:02 . 2008-05-06 23:02 1,024 --ah----- C:\WINDOWS\system32\config\systemprofile\ntuser.dat.LOG
2008-05-06 21:48 . 2008-05-06 22:19 <DIR> d-------- C:\Program Files\Panda Security
2008-05-06 18:49 . 2008-05-07 15:38 <DIR> d-------- C:\Documents and Settings\irina\Application Data\IEPro
2008-05-06 18:48 . 2008-05-06 18:49 <DIR> d-------- C:\Program Files\IEPro
2008-05-06 16:58 . 2008-05-06 16:58 <DIR> d-------- C:\Program Files\Trend Micro
2008-05-05 20:44 . 2008-05-05 20:44 <DIR> d-------- C:\Program Files\Common Files\Raxco
2008-05-05 20:15 . 2008-05-05 20:17 <DIR> d-------- C:\WINDOWS\BDOSCAN8
2008-05-05 19:49 . 2008-05-05 19:49 <DIR> d-------- C:\Documents and Settings\irina\.housecall6.6
2008-05-04 20:40 . 2008-05-04 20:40 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\GameHouse
2008-04-28 16:57 . 2008-04-28 16:57 <DIR> d-------- C:\WINDOWS\system32\config\systemprofile\Application Data\Yahoo!
2008-04-28 16:56 . 2008-04-29 12:03 <DIR> d-------- C:\WINDOWS\system32\config\systemprofile\Application Data\IE7Pro
2008-04-13 19:57 . 2005-11-01 09:52 8,704 --a------ C:\WINDOWS\system32\kbdjpn.dll
2008-04-13 19:57 . 2005-11-01 09:52 8,192 --a------ C:\WINDOWS\system32\kbdkor.dll
2008-04-13 19:57 . 2005-11-01 09:52 6,144 --a------ C:\WINDOWS\system32\kbd106.dll
2008-04-13 19:57 . 2005-11-01 09:52 6,144 --a------ C:\WINDOWS\system32\kbd101c.dll
2008-04-13 19:57 . 2005-11-01 09:52 6,144 --a------ C:\WINDOWS\system32\kbd101b.dll
2008-04-13 19:57 . 2005-11-01 09:52 5,632 --a------ C:\WINDOWS\system32\kbd103.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-09 17:06 --------- d-----w C:\Program Files\FlashGet
2008-05-09 11:59 --------- d-----w C:\Documents and Settings\irina\Application Data\OnlineArmor
2008-05-08 19:16 20,992 ----a-w C:\WINDOWS\system32\drivers\vga.sys
2008-05-06 18:18 --------- d-----w C:\Documents and Settings\All Users\Application Data\GoBit Games
2008-05-06 16:48 --------- d-----w C:\Program Files\IE7Pro
2008-05-05 18:44 --------- d-----w C:\Program Files\Raxco
2008-04-05 17:12 --------- d-----w C:\Documents and Settings\irina\Application Data\IE7Pro
2007-10-24 16:01 774,144 -c--a-w C:\Program Files\RngInterstitial.dll
.

------- Sigcheck -------

2005-11-01 10:55 502272 847c91b55752adee4cb76b8252ee5691 C:\WINDOWS\system32\winlogon.exe
.
((((((((((((((((((((((((((((( [Link mogu videti samo ulogovani korisnici] )))))))))))))))))))))))))))))))))))))))))
.
- 2008-05-06 21:20:06 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-05-09 11:51:41 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2007-04-25 13:08:36 2,233,944 ----a-w C:\WINDOWS\Downloaded Program Files\msi.1.0.0.8.dll
+ 2005-10-20 18:02:28 163,328 ----a-w C:\WINDOWS\erdnt\subs\ERDNT.EXE
+ 2008-05-08 18:14:34 819,200 ----a-w C:\WINDOWS\gmer.dll
+ 2008-03-03 18:29:06 761,856 ----a-w C:\WINDOWS\gmer.exe
+ 2005-11-01 08:52:56 1,852,928 ----a-w C:\WINDOWS\system32\dllcache\acgenral.dll
+ 2004-08-03 22:56:42 450,048 ----a-w C:\WINDOWS\system32\dllcache\aclayers.dll
+ 2004-08-03 22:56:42 244,736 ----a-w C:\WINDOWS\system32\dllcache\acspecfc.dll
+ 2004-08-03 22:56:42 116,224 ----a-w C:\WINDOWS\system32\dllcache\acxtrnal.dll
+ 2004-08-03 22:56:48 98,304 ----a-w C:\WINDOWS\system32\dllcache\ahui.exe
+ 2004-08-03 22:56:42 126,976 ----a-w C:\WINDOWS\system32\dllcache\apphelp.dll
+ 2008-05-08 18:14:34 86,097 ----a-w C:\WINDOWS\system32\drivers\gmer.sys
+ 2008-05-09 11:52:04 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_578.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56 15360]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-11-26 23:10 68856]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [ ]
"igndlm.exe"="C:\Program Files\Download Manager\DLM.exe" [2007-03-05 23:57 1103480]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-10-24 14:30 185632]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2007-06-29 06:24 286720]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-09-07 16:55 267064]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [ ]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 20:51 39792]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 02:11 132496]
"SoundMan"="SOUNDMAN.EXE" [2005-11-01 10:56 90112 C:\WINDOWS\SOUNDMAN.EXE]
"MagUninstall"="C:\Program Files\Ashampoo\Ashampoo Magical UnInstall\MagicalUnInstall.exe" [ ]
"OnlineArmor GUI"="C:\Program Files\Tall Emu\Online Armor\oaui.exe" [2007-11-04 02:38 4803136]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 00:56 15360]
"msnmsgr"="C:\Program Files\Windows Live\Messenger\msnmsgr.exe" [2007-10-18 12:34 5724184]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"nlsf"="cmd.exe" [2004-08-04 00:56 388608 C:\WINDOWS\system32\cmd.exe]
"nlhr"="C:\WINDOWS\System32\AdvPack.Dll" [2004-08-04 00:56 99840]
"tscuninstall"="C:\WINDOWS\system32\tscupgrd.exe" [2004-08-03 22:59 44544]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"ForceClassicControlPanel"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{4F07DA45-8170-4859-9B5F-037EF2970034}"= C:\PROGRA~1\TALLEM~1\ONLINE~1\oaevent.dll [2007-11-04 02:38 633344]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\Internet Explorer\\iexplore.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"C:\\Program Files\\FlashGet\\flashget.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"C:\\Program Files\\IEPro\\MiniDM.exe"=

R1 aswSP;avast! Self Protection;C:\WINDOWS\system32\drivers\aswSP.sys [2008-03-29 19:31]
R1 NDISRD;NDISRD;C:\WINDOWS\system32\drivers\NDISRD.sys [2007-09-29 01:06]
R1 OADevice;OADriver;C:\WINDOWS\system32\drivers\OADriver.sys [2007-11-03 09:40]
R1 OAmon;OAmon;C:\WINDOWS\system32\drivers\OAmon.sys [2007-09-29 01:06]
R2 aswFsBlk;aswFsBlk;C:\WINDOWS\system32\DRIVERS\aswFsBlk.sys [2008-03-29 19:35]

.
Contents of the 'Scheduled Tasks' folder
"2008-01-23 02:30:01 C:\WINDOWS\Tasks\ErrorSmart Scheduled Scan.job"
- C:\Program Files\ErrorSmart\ErrorSmart.ex
- C:\Program Files\ErrorSmart
"2008-05-08 16:18:32 C:\WINDOWS\Tasks\User_Feed_Synchronization-{9504676A-6C34-4D3A-B2E5-9943296C7447}.job"
- C:\WINDOWS\system32\msfeedssync.exe
.
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [Link mogu videti samo ulogovani korisnici]
Rootkit scan 2008-05-09 19:10:40
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-05-09 19:13:04
ComboFix-quarantined-files.txt 2008-05-09 17:12:46
ComboFix2.txt 2008-05-08 19:31:37
ComboFix3.txt 2008-05-07 19:40:58
ComboFix4.txt 2008-05-06 21:32:49

Pre-Run: 34,707,771,392 bytes free
Post-Run: 34,705,457,152 bytes free

135 --- E O F --- 2008-05-09 17:05:41

offline
  • dr_Bora  Male
  • Anti Malware Fighter
    Rank 2
  • Joined: 24 Jul 2007
  • Posts: 12280
  • Location: Höganäs, SE

Clean log...


Delete the folder: C:\Documents and Settings\irina\DoctorWeb



And how are things now? Is the AV detecting anything? Is the computer still restarting? Anything else you think you should mention?
