[ rkoms @ 02.02.2008. 21:42 ] @
When I boot the machine it throws -> error loading c:/winows/system32/gebcbxu.dll
and it keeps turning the START menu on and off, or turns it off completely, and every ROOT I open... same thing!
It also messed up both Nod and Zone... and I can't even reinstall them.
Does anyone know anything about this?

[This message was edited by rkoms on 02.02.2008. at 22:56 GMT+1]
[ Binary Mind @ 02.02.2008. 22:20 ] @
Post a HiJackThis! log. Your computer is infected. Search for "HiJackThis!" here in "Zastita". There's a "search" button at the top; type "HiJackThis!" in the field next to it... you'll figure it out
[ laki_srt @ 02.02.2008. 22:20 ] @
post a HijackThis log
[ rkoms @ 02.02.2008. 22:48 ] @
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:46:31 PM, on 2/2/2008
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16386)
Boot mode: Normal

Running processes:
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\windows\system32\taskeng.exe
C:\windows\system32\Dwm.exe
C:\windows\Explorer.EXE
C:\Program Files\Logitech\QuickCam10\QuickCam10.exe
C:\windows\mixer.exe
C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe
C:\Users\5eul\Desktop\sleepy\sleepy.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\DVD X Studios\DVD X Utilities 2.1\DVDGhost\DVDGhost.EXE
C:\windows\system32\wbem\unsecapp.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Video Wonder Pro II V2\HDTV.EXE
C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe
C:\windows\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.co.uk/0SEENWW/SAOS01?FORM=TOOLBR
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://g.msn.co.uk/0SEENWW/SAOS01?FORM=TOOLBR
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://runonce.msn.com/?v=msgrv75
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.co.uk/0SEENWW/SAOS01?FORM=TOOLBR
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
F3 - REG:win.ini: run=
F2 - REG:system.ini: UserInit=C:\windows\system32\userinit.exe,C:\windows\system32\secpol.exe,
O1 - Hosts: ::1 localhost
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {7C2A4E8A-092D-44F9-B183-4BD963D7F1EB} - C:\windows\system32\jkhfg.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O2 - BHO: (no name) - {BED7C2B4-3DA5-4F4F-84F7-07CAB3418E5F} - C:\windows\system32\gebcbxu.dll (file missing)
O2 - BHO: (no name) - {CC3727AD-B5B7-4303-807F-B10F56CD1A7F} - C:\windows\system32\jkhfg.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O4 - HKLM\..\Run: [LogitechQuickCamRibbon] "C:\Program Files\Logitech\QuickCam10\QuickCam10.exe" /hide
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [LogitechCommunicationsManager] "C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe"
O4 - HKLM\..\Run: [Sleepy] C:\Users\5eul\Desktop\sleepy\sleepy.exe
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [MSServer] rundll32.exe C:\windows\system32\gebcbxu.dll,#1
O4 - HKCU\..\Run: [RocketDock] "C:\Program Files\RocketDock\RocketDock.exe"
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [StartCCC] C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe
O4 - HKCU\..\Run: [FreeRAM XP] "G:\PROGRAMI\Free RAM Xp Pro\FreeRAM Xp Pro\FreeRAM XP Pro 1.40.exe" -win
O4 - HKCU\..\Run: [DVDXGhost] C:\Program Files\DVD X Studios\DVD X Utilities 2.1\DVDGhost\DVDGhost.EXE
O4 - HKCU\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -startup
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O13 - Gopher Prefix:
O17 - HKLM\System\CCS\Services\Tcpip\..\{D00284B3-41B8-4ADE-B551-35F1165746A6}: NameServer = 212.200.191.166 212.200.190.166
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati External Event Utility - Unknown owner - C:\windows\system32\Ati2evxx.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\windows\system32\Ati2evxx.exe
O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: LVCOMSer - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\SrvLnch\SrvLnch.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Unknown owner - C:\Program Files\Eset\nod32krn.exe (file missing)
O23 - Service: Private Folder Service (prfldsvc) - Unknown owner - C:\Program Files\Microsoft Private Folder 1.0\PrfldSvc.exe

--
End of file - 6622 bytes
[ Binary Mind @ 03.02.2008. 09:52 ] @
Let's try not to touch those cobbled-together toolbars at the top. Tick the following and delete them (press Fix checked):

Code:

F3 - REG:win.ini: run=
F2 - REG:system.ini: UserInit=C:\windows\system32\userinit.exe,C:\windows\system32\secpol.exe,
O1 - Hosts: ::1 localhost
O2 - BHO: (no name) - {7C2A4E8A-092D-44F9-B183-4BD963D7F1EB} - C:\windows\system32\jkhfg.dll
O2 - BHO: (no name) - {BED7C2B4-3DA5-4F4F-84F7-07CAB3418E5F} - C:\windows\system32\gebcbxu.dll (file missing)
O2 - BHO: (no name) - {CC3727AD-B5B7-4303-807F-B10F56CD1A7F} - C:\windows\system32\jkhfg.dll
O4 - HKLM\..\Run: [MSServer] rundll32.exe C:\windows\system32\gebcbxu.dll,#1
O13 - Gopher Prefix:


Do this and post a new HJT! log. Also let me know if the problems continue.

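As an added example (not code from the thread or from HijackThis itself), here is a small Python triage script that applies the same checks Binary Mind applied by hand to the log above: an extra program in the Winlogon UserInit value, nameless BHOs and rundll32 Run entries pointing at short random-named DLLs in system32, the empty Gopher prefix, and a service whose binary is missing. The rules are pattern-based because the DLL name changes from log to log in this thread (gebcbxu, jkhfg); the sample lines are copied from the log rkoms posted.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: a handful of HijackThis v2 lines reproduced from the log
# posted in this thread (not the full log), mixed with benign entries from it.
SAMPLE_LOG = r"""
F2 - REG:system.ini: UserInit=C:\windows\system32\userinit.exe,C:\windows\system32\secpol.exe,
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {7C2A4E8A-092D-44F9-B183-4BD963D7F1EB} - C:\windows\system32\jkhfg.dll
O2 - BHO: (no name) - {BED7C2B4-3DA5-4F4F-84F7-07CAB3418E5F} - C:\windows\system32\gebcbxu.dll (file missing)
O4 - HKLM\..\Run: [LogitechQuickCamRibbon] "C:\Program Files\Logitech\QuickCam10\QuickCam10.exe" /hide
O4 - HKLM\..\Run: [MSServer] rundll32.exe C:\windows\system32\gebcbxu.dll,#1
O13 - Gopher Prefix:
O23 - Service: NOD32 Kernel Service (NOD32krn) - Unknown owner - C:\Program Files\Eset\nod32krn.exe (file missing)
O23 - Service: LVCOMSer - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
"""


@dataclass
class Finding:
    section: str   # HijackThis section tag, e.g. "O2"
    line: str      # the log line as posted
    reason: str    # why a reviewer would tick it for "Fix checked"


# Short, all-letter DLL names dropped into system32 (jkhfg.dll, gebcbxu.dll in
# this thread) are the Vundo/Virtumonde pattern. Legitimate DLLs that happen to
# match are kept out by also requiring "(no name)" or a rundll32 ordinal load.
RANDOM_SYSTEM32_DLL = re.compile(r"\\system32\\[a-z]{4,8}\.dll\b", re.IGNORECASE)
RUNDLL_ORDINAL = re.compile(r"rundll32(?:\.exe)?\s+(\S+?\.dll),#?\d+", re.IGNORECASE)
DEFAULT_USERINIT = "userinit.exe"


def check_line(line: str) -> Optional[Finding]:
    """Apply one reviewer rule per HijackThis section; None means leave the line alone."""
    section = line.split(" - ", 1)[0].strip()
    if section == "F2" and "UserInit=" in line:
        # Winlogon runs every comma-separated program here at logon; the stock
        # value is a single userinit.exe. Repair the value rather than only
        # deleting the extra file, so no dangling reference is left behind.
        programs = [p for p in line.split("UserInit=", 1)[1].split(",") if p.strip()]
        extras = [p for p in programs if not p.lower().endswith(DEFAULT_USERINIT)]
        if extras:
            return Finding(section, line, "extra UserInit program(s): " + ", ".join(extras))
    elif section == "O2":
        if "(no name)" in line and ("(file missing)" in line or RANDOM_SYSTEM32_DLL.search(line)):
            return Finding(section, line, "nameless BHO pointing at a random-named or missing system32 DLL")
    elif section == "O4":
        m = RUNDLL_ORDINAL.search(line)
        if m and RANDOM_SYSTEM32_DLL.search(m.group(1)):
            return Finding(section, line, "Run entry loads a random-named system32 DLL by ordinal via rundll32")
    elif section == "O13":
        if line.rstrip().endswith("Prefix:"):
            return Finding(section, line, "empty Gopher prefix entry, routinely fixed during cleanup")
    elif section == "O23":
        if "(file missing)" in line:
            return Finding(section, line, "service binary missing: security software was removed or broken")
    return None


def triage(log_text: str) -> List[Finding]:
    """Return the lines a reviewer would tick, in log order."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        hit = check_line(line)
        if hit:
            findings.append(hit)
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section:<4} {f.reason}\n     {f.line}")
```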
[ rkoms @ 03.02.2008. 14:22 ] @
I did that, now I'll restart it and we'll see...

here's the new log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:20:42 PM, on 2/3/2008
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16386)
Boot mode: Normal

Running processes:
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\windows\system32\Dwm.exe
C:\windows\system32\taskeng.exe
C:\windows\Explorer.EXE
C:\Program Files\Logitech\QuickCam10\QuickCam10.exe
C:\windows\mixer.exe
C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe
C:\Users\5eul\Desktop\sleepy\sleepy.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\windows\system32\wbem\unsecapp.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\windows\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Program Files\Windows Live Toolbar\msn_sl.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O2 - BHO: (no name) - {D3790D63-67A1-4600-9E13-FF4DB8F9D29A} - C:\windows\system32\jkhfg.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O4 - HKLM\..\Run: [LogitechQuickCamRibbon] "C:\Program Files\Logitech\QuickCam10\QuickCam10.exe" /hide
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [LogitechCommunicationsManager] "C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe"
O4 - HKLM\..\Run: [Sleepy] C:\Users\5eul\Desktop\sleepy\sleepy.exe
O4 - HKCU\..\Run: [RocketDock] "C:\Program Files\RocketDock\RocketDock.exe"
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [StartCCC] C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe
O4 - HKCU\..\Run: [FreeRAM XP] "G:\PROGRAMI\Free RAM Xp Pro\FreeRAM Xp Pro\FreeRAM XP Pro 1.40.exe" -win
O4 - HKCU\..\Run: [DVDXGhost] C:\Program Files\DVD X Studios\DVD X Utilities 2.1\DVDGhost\DVDGhost.EXE
O4 - HKCU\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -startup
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O17 - HKLM\System\CCS\Services\Tcpip\..\{D00284B3-41B8-4ADE-B551-35F1165746A6}: NameServer = 212.200.191.166 212.200.190.166
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati External Event Utility - Unknown owner - C:\windows\system32\Ati2evxx.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\windows\system32\Ati2evxx.exe
O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: LVCOMSer - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\SrvLnch\SrvLnch.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Unknown owner - C:\Program Files\Eset\nod32krn.exe (file missing)
O23 - Service: Private Folder Service (prfldsvc) - Unknown owner - C:\Program Files\Microsoft Private Folder 1.0\PrfldSvc.exe

--
End of file - 4761 bytes

[ rkoms @ 03.02.2008. 14:33 ] @
damn, same thing again, it just doesn't throw that error about that system file anymore...
maybe I didn't delete something properly there?
[ rkoms @ 03.02.2008. 16:33 ] @
I figure this "virus" or whatever "confuses" a different system file every time,
or it's actually a "virus" that changes its name, because it's always a different error when logging in...
[ Binary Mind @ 03.02.2008. 19:42 ] @
I couldn't log in until now for good reasons :) I had no doubt there would be problems after the first step. This is a nasty piece of malware that may belong to the Virtumonde family. We'll try to tame it with a few tools. First, download Vundofix to your Desktop from this link and follow the instructions on that link:

http://vundofix.atribune.org/

If Vundofix finds nothing, we move on. The infection smells like a rootkit/trojan combination... The rootkits are most likely what's preventing you from installing NOD and ZA...


[ rkoms @ 07.02.2008. 18:36 ] @
Vundo found a couple of "little things", I fixed them, but then...
My system crashed and I can only access it from safe mode.
Is there any help for it now at all?
[ Binary Mind @ 07.02.2008. 23:21 ] @
It would be nice if I knew what those little things were called...
[ Boris @ 07.02.2008. 23:46 ] @
Download ComboFix in safe mode, let it do its thing (restart if it asks), and post the log for us; it will most likely leave it in C:/.
http://download.bleepingcomputer.com/sUBs/ComboFix.exe
[ rkoms @ 08.02.2008. 13:43 ] @
here's the Vundo log:

Listing files found while scanning....

C:\windows\System32\cbxuttq.dll
C:\windows\System32\ddaba.dll
C:\windows\System32\ddccc.dll
C:\windows\System32\ddcyx.dll
C:\windows\System32\gfhkj.ini
C:\windows\System32\gfhkj.ini2
C:\windows\System32\iiffcde.dll
C:\windows\System32\jkhfg.dll
C:\windows\System32\jkkigfd.dll
C:\windows\System32\nnnkhed.dll
C:\windows\System32\sstuttq.dll
C:\windows\System32\winefl32.dll
C:\windows\System32\winheb32.dll
C:\windows\System32\winjpq32.dll
C:\windows\System32\winony32.dll
C:\windows\System32\winvli32.dll

Beginning removal...

Beginning removal...

Attempting to delete C:\windows\System32\cbxuttq.dll
C:\windows\System32\cbxuttq.dll Has been deleted!

Attempting to delete C:\windows\System32\ddaba.dll
C:\windows\System32\ddaba.dll Has been deleted!

Attempting to delete C:\windows\System32\ddccc.dll
C:\windows\System32\ddccc.dll Has been deleted!

Attempting to delete C:\windows\System32\ddcyx.dll
C:\windows\System32\ddcyx.dll Has been deleted!

Attempting to delete C:\windows\System32\gfhkj.ini
C:\windows\System32\gfhkj.ini Has been deleted!

Attempting to delete C:\windows\System32\gfhkj.ini2
C:\windows\System32\gfhkj.ini2 Has been deleted!

Attempting to delete C:\windows\System32\iiffcde.dll
C:\windows\System32\iiffcde.dll Has been deleted!

Attempting to delete C:\windows\System32\jkhfg.dll
C:\windows\System32\jkhfg.dll Has been deleted!

Attempting to delete C:\windows\System32\jkkigfd.dll
C:\windows\System32\jkkigfd.dll Has been deleted!

Attempting to delete C:\windows\System32\nnnkhed.dll
C:\windows\System32\nnnkhed.dll Has been deleted!

Attempting to delete C:\windows\System32\sstuttq.dll
C:\windows\System32\sstuttq.dll Has been deleted!

Attempting to delete C:\windows\System32\winefl32.dll
C:\windows\System32\winefl32.dll Has been deleted!

Attempting to delete C:\windows\System32\winheb32.dll
C:\windows\System32\winheb32.dll Has been deleted!

Attempting to delete C:\windows\System32\winjpq32.dll
C:\windows\System32\winjpq32.dll Has been deleted!

Attempting to delete C:\windows\System32\winony32.dll
C:\windows\System32\winony32.dll Has been deleted!

Attempting to delete C:\windows\System32\winvli32.dll
C:\windows\System32\winvli32.dll Has been deleted!

Performing Repairs to the registry.
Done!

AND AFTER THE NEXT SCAN:

VundoFix V6.7.7

Checking Java version...

Sun Java not detected
Scan started at 9:00:09 PM 2/6/2008

Listing files found while scanning....

No infected files were found.

[ rkoms @ 08.02.2008. 13:46 ] @
AND HERE'S THE COMBOFIX LOG:

ComboFix 08-02.05.3 - 5eul 2008-02-08 14:18:22.1 - NTFSx86 MINIMAL
Microsoft® Windows Vista™ Home Basic 6.0.6000.0.1252.1.1033.18.437 [GMT 1:00]
Running from: C:\Users\5eul\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\5.exe
C:\6.exe
C:\ProgramData\Microsoft\Network\Downloader\qmgr0.dat
C:\ProgramData\Microsoft\Network\Downloader\qmgr1.dat

----- BITS: Possible infected sites -----

hxxp://www.download.windowsupdate.com
.
((((((((((((((((((((((((( Files Created from 2008-01-08 to 2008-02-08 )))))))))))))))))))))))))))))))
.

2008-02-05 03:01 . 2008-02-05 03:01 <DIR> d-------- C:\Program Files\Elaborate Bytes
2008-02-04 19:07 . 2008-02-04 19:07 <DIR> d-------- C:\Users\5eul\{7837d3a8-3f0b-4885-87ff-f1491baa733e}
2008-02-04 19:07 . 2002-07-12 09:33 1,581,056 --a------ C:\windows\mixer.exe
2008-02-04 19:07 . 2000-10-20 11:28 765,952 --a------ C:\windows\system\crlds3d.dll
2008-02-04 19:07 . 2001-11-23 05:08 712,704 --a------ C:\windows\System32\Audio3D.dll
2008-02-04 19:07 . 2002-07-16 03:58 379,726 --a------ C:\windows\System32\drivers\cmaudio.sys
2008-02-04 19:07 . 2002-07-11 04:24 139,264 --a------ C:\windows\cmuninst.exe
2008-02-04 19:07 . 2002-07-11 05:13 135,168 --a------ C:\windows\cmuninst.dat
2008-02-04 19:07 . 2002-07-16 14:47 36,924 --a------ C:\windows\cmijack.dat
2008-02-04 19:07 . 2002-03-29 07:52 32,768 --a------ C:\windows\System32\cmnprop.dll
2008-02-04 19:07 . 2002-07-16 13:33 20,333 --a------ C:\windows\cmaudio.dat
2008-02-04 17:46 . 2008-02-06 20:54 <DIR> d-------- C:\VundoFix Backups
2008-02-03 21:33 . 2008-02-03 21:33 8,704 --a------ C:\windows\System32\hcrstco.dll
2008-02-03 21:32 . 2008-02-03 21:32 <DIR> d-------- C:\Program Files\MSXML 4.0
2008-02-03 20:45 . 2008-02-04 00:10 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-02-03 20:44 . 2007-11-05 17:22 690 --a------ C:\windows\win.tmp
2008-02-03 20:44 . 2007-09-07 00:15 250 --a------ C:\windows\system.tmp
2008-02-03 20:41 . 2008-02-03 20:41 <DIR> d-------- C:\Users\5eul\AppData\Roaming\PC Tools
2008-02-03 18:01 . 2008-02-03 18:01 512,096 --a------ C:\windows\System32\drivers\amon.sys
2008-02-03 18:01 . 2008-02-03 18:01 298,104 --a------ C:\windows\System32\imon.dll
2008-02-03 18:01 . 2008-02-03 18:00 15,424 --a------ C:\windows\System32\drivers\nod32drv.sys
2008-02-02 23:44 . 2008-02-02 23:44 <DIR> d-------- C:\Program Files\Trend Micro
2008-02-02 21:28 . 2008-02-02 21:28 <DIR> d-------- C:\windows\System32\ZoneLabs
2008-02-02 21:28 . 2007-11-16 19:31 <DIR> d-------- C:\windows\Internet Logs
2008-02-02 21:28 . 2008-02-02 21:28 <DIR> d-------- C:\Program Files\Zone Labs
2008-02-02 21:28 . 2008-02-02 21:28 31,547 --ah----- C:\windows\System32\vsconfig.xml
2008-02-02 21:12 . 2008-02-02 21:12 374,456 --a------ C:\windows\System32\mcupdate_GenuineIntel.dll
2008-02-02 21:11 . 2008-02-02 21:11 2,605,568 --a------ C:\windows\System32\SLsvc.exe
2008-02-02 21:11 . 2008-02-02 21:11 566,784 --a------ C:\windows\System32\SLCommDlg.dll
2008-02-02 21:11 . 2008-02-02 21:11 351,232 --a------ C:\windows\System32\SLUI.exe
2008-02-02 21:11 . 2008-02-02 21:11 268,288 --a------ C:\windows\System32\mcbuilder.exe
2008-02-02 21:11 . 2008-02-02 21:11 223,232 --a------ C:\windows\System32\SLC.dll
2008-02-02 21:11 . 2008-02-02 21:11 186,368 --a------ C:\windows\System32\SLLUA.exe
2008-02-02 21:11 . 2008-02-02 21:11 57,856 --a------ C:\windows\System32\SLUINotify.dll
2008-02-02 21:11 . 2008-02-02 21:11 39,936 --a------ C:\windows\System32\slcinst.dll
2008-02-02 21:11 . 2008-02-02 21:11 33,280 --a------ C:\windows\System32\slwmi.dll
2008-02-02 21:11 . 2008-02-02 21:11 11,776 --a------ C:\windows\System32\sbunattend.exe
2008-02-02 03:06 . 2008-02-02 03:06 414,208 --a------ C:\windows\System32\msscp.dll
2008-02-02 03:05 . 2008-02-02 03:05 <DIR> d-------- C:\Program Files\Microsoft CAPICOM 2.1.0.2
2008-02-02 03:02 . 2008-02-02 03:02 3,504,824 --a------ C:\windows\System32\ntkrnlpa.exe
2008-02-02 03:02 . 2008-02-02 03:02 3,470,520 --a------ C:\windows\System32\ntoskrnl.exe
2008-02-02 03:02 . 2008-02-02 03:02 130,048 --a------ C:\windows\System32\drivers\srv2.sys
2008-02-02 03:02 . 2008-02-02 03:02 101,888 --a------ C:\windows\System32\drivers\mrxsmb.sys
2008-02-02 03:02 . 2008-02-02 03:02 84,992 --a------ C:\windows\System32\drivers\srvnet.sys
2008-02-02 03:02 . 2008-02-02 03:02 58,368 --a------ C:\windows\System32\drivers\mrxsmb20.sys
2008-02-02 03:01 . 2008-02-02 03:01 2,048 --a------ C:\windows\System32\tzres.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-06 23:41 --------- d-----w C:\Program Files\Windows Defender
2008-02-06 19:48 --------- d-----w C:\Program Files\SpeedFan
2008-02-06 19:47 --------- d-----w C:\Program Files\TrojanHunter 4.1
2008-02-06 19:37 --------- d-----w C:\Program Files\Crystal Player
2008-02-06 19:35 174 --sha-w C:\Program Files\desktop.ini
2008-02-06 19:17 --------- d-----w C:\Program Files\Spyware Doctor
2008-02-05 02:03 --------- d-----w C:\Program Files\SlySoft
2008-02-04 18:34 --------- d-----w C:\Program Files\Native Instruments
2008-02-03 22:24 --------- d-----w C:\ProgramData\Spybot - Search & Destroy
2008-02-03 17:29 --------- d-----w C:\Program Files\ESET
2008-02-03 17:00 --------- d-----w C:\Program Files\MSN Messenger
2008-02-02 20:11 --------- d-----w C:\Program Files\Windows Sidebar
2008-02-02 03:15 --------- d-----w C:\Program Files\Windows Mail
2008-02-02 02:01 --------- d-----w C:\Program Files\Windows Live Toolbar
2008-02-01 17:47 --------- d-----w C:\Program Files\Gigabyte
2008-01-27 16:47 --------- d-----w C:\Program Files\everestultimate_build_1120_sqdkp3nm7xc
2007-11-25 17:26 819,200 ----a-w C:\windows\is-4C0P6.exe
2007-11-20 15:04 1,523,536 ----a-w C:\windows\FP_AX_CAB_INSTALLER.exe
2007-11-13 12:26 87,608 ----a-w C:\Users\5eul\AppData\Roaming\ezpinst.exe
2007-11-13 12:26 47,360 ----a-w C:\Users\5eul\AppData\Roaming\pcouffin.sys
2007-11-11 22:32 45,056 ----a-w C:\windows\NCUNINST.EXe
2007-11-11 22:32 40,960 ----a-w C:\windows\NCLAUNCH.EXe
2006-11-29 16:41 400 -c--a-w C:\Users\5eul\score.dat
2007-11-02 18:35 56 --sh--r C:\windows\System32\A75CBCF84A.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{13416D70-8111-4208-8DEA-63918477C68D}]
C:\windows\system32\jkhfg.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="C:\Program Files\Windows Sidebar\sidebar.exe" [2008-02-02 21:11 1232896]
"DVDXGhost"="C:\Program Files\DVD X Studios\DVD X Utilities 2.1\DVDGhost\DVDGhost.EXE" [2006-01-18 14:59 1552384]
"ISUSPM Startup"="C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2005-08-11 16:30 249856]
"AnyDVD"="C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe" [2007-11-21 00:59 1625024]
"StartCCC"="C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2006-11-10 12:35 90112]
"Spyware Doctor"="C:\Program Files\Spyware Doctor\swdoctor.exe" [2006-02-18 18:41 1992928]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"EVEREST AutoStart"="C:\Program Files\everestultimate_build_1120_sqdkp3nm7xc\everest.exe" [2007-09-04 17:28 2014816]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sleepy"="C:\Users\5eul\Desktop\sleepy\sleepy.exe" [2001-07-23 21:48 94208]
"nod32kui"="C:\Program Files\Eset\nod32kui.exe" [2008-02-03 18:01 949376]
"C-Media Mixer"="Mixer.exe" [2002-07-12 09:33 1581056 C:\windows\mixer.exe]
"MSServer"="C:\windows\system32\jkkhiif.dll" [ ]
"THGuard"="C:\Program Files\TrojanHunter 4.1\THGuard.exe" [2004-12-22 11:51 1071616]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Spyware Doctor"="C:\Program Files\Spyware Doctor\swdoctor.exe" [2006-02-18 18:41 1992928]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"LogonHoursAction"= 2 (0x2)
"DontDisplayLogonHoursWarnings"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{569DAC0F-2791-46ab-8EFC-A54B77C04C20}"= C:\Program Files\DVD X Studios\DVD X Utilities 2.1\DVDGhost\ExecuteHooker.dll [2005-11-14 14:10 90112]
"{EDB0E980-90BD-11D4-8599-0008C7D3B6F8}"= C:\Program Files\Qualcomm\Eudora\EuShlExt.dll [ ]

S1 UBHelper;UBHelper;C:\windows\system32\drivers\UBHelper.sys [2004-12-17 17:14]
S2 27937;27937;C:\windows\system32\27937.sys [2006-12-22 22:44]
S2 LrWdm;Video Wonder Series PnP Controller;C:\windows\system32\Drivers\Lr25Wdm.sys [2000-05-25 11:00]
S2 Prvflder;Prvflder;C:\windows\system32\DRIVERS\prvflder.sys [2006-04-21 08:22]
S3 BT848;Video Wonder Pro II V2 WDM Video Capture;C:\windows\system32\drivers\BT848.sys [2002-04-01 11:00]
S3 BTTUNER;Video Wonder Pro II V2 WDM TvTuner;C:\windows\system32\drivers\BTTUNER.sys [2002-04-01 11:00]
S3 BTXBAR;Video Wonder Pro II V2 WDM Crossbar;C:\windows\system32\drivers\BTXBAR.sys [2002-04-01 11:00]
S3 Cap7134;Video Wonder Pro III WDM Video Capture;C:\windows\system32\DRIVERS\Cap7134.sys [2002-03-26 11:00]
S3 EverestDriver;Lavalys EVEREST Kernel Driver;C:\Program Files\everestultimate_build_1120_sqdkp3nm7xc\kerneld.wnt [2007-08-19 13:38]
S3 GAGPDrv;GAGPDrv;C:\windows\system32\drivers\GAGPDrv.sys [2003-05-30 12:04]
S3 yukonwlh;NDIS6.0 Miniport Driver for Marvell Yukon Ethernet Controller;C:\windows\system32\DRIVERS\yk60x86.sys [2007-12-06 09:51]
S4 usbprint;Microsoft USB PRINTER Class;C:\windows\system32\drivers\usbprint.sys [2006-11-02 10:14]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceNoNetwork REG_MULTI_SZ PLA DPS BFE mpssvc
rsmsvcs REG_MULTI_SZ ntmssvc

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c6c7b3bb-56f9-11dc-89ac-806e6f6e6963}]
\shell\AutoRun\command - D:\ASUSACPI.exe


[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\ccc-core-static]
msiexec /fums {BF35267B-8DF2-FEBF-ECE7-9D6CF8227273} /qb
.
Contents of the 'Scheduled Tasks' folder
"2008-02-06 19:08:32 C:\windows\Tasks\Check Updates for Windows Live Toolbar.job"
- C:\Program Files\Windows Live Toolbar\MSNTBUP.EXE
"2008-02-06 19:01:00 C:\windows\Tasks\User_Feed_Synchronization-{43CA5BDC-267B-491B-8632-E0A6AF9074E3}.job"
- C:\windows\system32\msfeedssync.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-08 14:34:52
Windows 6.0.6000 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\windows\system32\wbem\unsecapp.exe
.
**************************************************************************
.
Completion time: 2008-02-08 14:39:15 - machine was rebooted
ComboFix-quarantined-files.txt 2008-02-08 13:39:06
.
2008-02-06 18:56:17 --- E O F ---
[ Binary Mind @ 08.02.2008. 13:49 ] @
Can you get into Vista normally now?
[ rkoms @ 08.02.2008. 14:00 ] @
No...
What if I try deleting some of the updates?
since from experience with XP I know they can sometimes be buggy...
[ Binary Mind @ 08.02.2008. 14:12 ] @
You can try, but I don't guarantee you'll succeed :) I think it's best to reinstall Vista. The thing is that this version of Virtumonde, in combination with some other malware, has attacked system files... If you can't be bothered to reformat and reinstall Vista, you can do a Repair...
[ rkoms @ 08.02.2008. 14:23 ] @
I know that's best, but the problem is I don't have the installation anymore...
btw I downloaded some GMER, is that any good?
[ Binary Mind @ 08.02.2008. 14:33 ] @
Try it. It's for rootkits. It may be useful...

{edit}

Also drag the attached file onto the ComboFix icon and let it do the deletion... Post a new ComboFix log afterwards.
[ rkoms @ 10.02.2008. 13:39 ] @
I couldn't be bothered anymore... I formatted the hard drive and put XP on it, until I get Vista...
Thanks anyway for the help
oh yeah... what else do you recommend for avoiding these or similar problems, besides NOD and ZA for "supposedly" secure protection?
[ Binary Mind @ 10.02.2008. 14:10 ] @
Forget NOD. It's more hyped than it is good. I see that Kaspersky has lately been good at dealing with trojans like the ones that attacked you. The main problem in your case was that some registry entries had been modified, and they broke when Vundofix deleted some infected files, and Windows went down with them. All of that could probably have been patched up, but it would have taken quite a while and worn out both me and you... I use the Kaspersky on-line scan a lot for solving many problems. Personally I basically don't need anything other than avast and Spybot at the moment as far as protection from vermin goes, and as a firewall I use the latest Sunbelt Kerio Personal Firewall, which I'm completely satisfied with right now. All other problems I solve myself with the help of these smaller tools that we tried to help you with too...
[ rkoms @ 10.02.2008. 14:20 ] @
thx bro
:)
[ Boris @ 10.02.2008. 17:14 ] @
And always keep in mind that whatever you download from unofficial sites, with extensions that can be run as an executable file, as well as ActiveX components for IE, may have some spyware in it. They try to push that junk on you in all sorts of ways.