error loading c:/winows/system32/gebcbxu.dll

Kad upalim mashinu izbaci mi -> error loading c:/winows/system32/gebcbxu.dll
i stalno mi pali i gasi START menu ili ga skroz izgasi, i svaki ROOT koji otvorim... isto!
Sjebali mi se tako i Nod i Zone... i ne mogu ni da ih instaliram ponovo.
Zna li ko sta o tome?

_{[Ovu poruku je menjao rkoms dana 02.02.2008. u 22:56 GMT+1]}

---

Okachi HiJackThis! log. Racunar ti je inficiran. Uradi pretragu za "HiJackThis!" ovde na "zastiti". Gore postoji dugme "pretraga" a u polje pored ukucas "HiJackThis!"... snacices se

postavi hijack this log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:46:31 PM, on 2/2/2008
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16386)
Boot mode: Normal

Running processes:
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\windows\system32\taskeng.exe
C:\windows\system32\Dwm.exe
C:\windows\Explorer.EXE
C:\Program Files\Logitech\QuickCam10\QuickCam10.exe
C:\windows\mixer.exe
C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe
C:\Users\5eul\Desktop\sleepy\sleepy.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\DVD X Studios\DVD X Utilities 2.1\DVDGhost\DVDGhost.EXE
C:\windows\system32\wbem\unsecapp.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Video Wonder Pro II V2\HDTV.EXE
C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe
C:\windows\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.co.uk/0SEENWW/SAOS01?FORM=TOOLBR
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://g.msn.co.uk/0SEENWW/SAOS01?FORM=TOOLBR
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://runonce.msn.com/?v=msgrv75
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.co.uk/0SEENWW/SAOS01?FORM=TOOLBR
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
F3 - REG:win.ini: run=
F2 - REG:system.ini: UserInit=C:\windows\system32\userinit.exe,C:\windows\system32\secpol.exe,
O1 - Hosts: ::1 localhost
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {7C2A4E8A-092D-44F9-B183-4BD963D7F1EB} - C:\windows\system32\jkhfg.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O2 - BHO: (no name) - {BED7C2B4-3DA5-4F4F-84F7-07CAB3418E5F} - C:\windows\system32\gebcbxu.dll (file missing)
O2 - BHO: (no name) - {CC3727AD-B5B7-4303-807F-B10F56CD1A7F} - C:\windows\system32\jkhfg.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O4 - HKLM\..\Run: [LogitechQuickCamRibbon] "C:\Program Files\Logitech\QuickCam10\QuickCam10.exe" /hide
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [LogitechCommunicationsManager] "C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe"
O4 - HKLM\..\Run: [Sleepy] C:\Users\5eul\Desktop\sleepy\sleepy.exe
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [MSServer] rundll32.exe C:\windows\system32\gebcbxu.dll,#1
O4 - HKCU\..\Run: [RocketDock] "C:\Program Files\RocketDock\RocketDock.exe"
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [StartCCC] C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe
O4 - HKCU\..\Run: [FreeRAM XP] "G:\PROGRAMI\Free RAM Xp Pro\FreeRAM Xp Pro\FreeRAM XP Pro 1.40.exe" -win
O4 - HKCU\..\Run: [DVDXGhost] C:\Program Files\DVD X Studios\DVD X Utilities 2.1\DVDGhost\DVDGhost.EXE
O4 - HKCU\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -startup
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O13 - Gopher Prefix:
O17 - HKLM\System\CCS\Services\Tcpip\..\{D00284B3-41B8-4ADE-B551-35F1165746A6}: NameServer = 212.200.191.166 212.200.190.166
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati External Event Utility - Unknown owner - C:\windows\system32\Ati2evxx.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\windows\system32\Ati2evxx.exe
O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: LVCOMSer - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\SrvLnch\SrvLnch.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Unknown owner - C:\Program Files\Eset\nod32krn.exe (file missing)
O23 - Service: Private Folder Service (prfldsvc) - Unknown owner - C:\Program Files\Microsoft Private Folder 1.0\PrfldSvc.exe

--
End of file - 6622 bytes

---

Hajde da probamo da ne diramo one skarabudzene toolbarove na vrhu. Stikliraj sledece i obrisi (pritisni fix checked):



Uradi ovo i okachi novi HJT! log. Takodje javi ako se problemi budu nastavili.

uradio sam to sad cu da ga restartujem pa da cemo videti...

evo ga i novi log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:20:42 PM, on 2/3/2008
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16386)
Boot mode: Normal

Running processes:
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\windows\system32\Dwm.exe
C:\windows\system32\taskeng.exe
C:\windows\Explorer.EXE
C:\Program Files\Logitech\QuickCam10\QuickCam10.exe
C:\windows\mixer.exe
C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe
C:\Users\5eul\Desktop\sleepy\sleepy.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\windows\system32\wbem\unsecapp.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\windows\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Program Files\Windows Live Toolbar\msn_sl.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O2 - BHO: (no name) - {D3790D63-67A1-4600-9E13-FF4DB8F9D29A} - C:\windows\system32\jkhfg.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O4 - HKLM\..\Run: [LogitechQuickCamRibbon] "C:\Program Files\Logitech\QuickCam10\QuickCam10.exe" /hide
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [LogitechCommunicationsManager] "C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe"
O4 - HKLM\..\Run: [Sleepy] C:\Users\5eul\Desktop\sleepy\sleepy.exe
O4 - HKCU\..\Run: [RocketDock] "C:\Program Files\RocketDock\RocketDock.exe"
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [StartCCC] C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe
O4 - HKCU\..\Run: [FreeRAM XP] "G:\PROGRAMI\Free RAM Xp Pro\FreeRAM Xp Pro\FreeRAM XP Pro 1.40.exe" -win
O4 - HKCU\..\Run: [DVDXGhost] C:\Program Files\DVD X Studios\DVD X Utilities 2.1\DVDGhost\DVDGhost.EXE
O4 - HKCU\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -startup
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O17 - HKLM\System\CCS\Services\Tcpip\..\{D00284B3-41B8-4ADE-B551-35F1165746A6}: NameServer = 212.200.191.166 212.200.190.166
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati External Event Utility - Unknown owner - C:\windows\system32\Ati2evxx.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\windows\system32\Ati2evxx.exe
O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: LVCOMSer - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\SrvLnch\SrvLnch.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Unknown owner - C:\Program Files\Eset\nod32krn.exe (file missing)
O23 - Service: Private Folder Service (prfldsvc) - Unknown owner - C:\Program Files\Microsoft Private Folder 1.0\PrfldSvc.exe

--
End of file - 4761 bytes

---

jbg, opet isto samo ne izbacuje vise onu gresku za onaj sistemski fajl...
mozda ja tu nisam nesto dobro brisnuo?

---

kapiram da taj "virus" ili sta god svaki put drugi sistemski fajl "zbuni",
ili je to upravo "virus" koji menja ime, jer je uvek neka druga greska prilikom ulogovanja...

---

Nisam mogao do sad da se ulogujem iz opravdanih razloga :) nisam ni sumnjao da ce posle prvog koraka biti problema. U pitanju je gadan malware koji mozda spada u Virtumonde familiju.. Pokusacemo da ga ukrotimo sa nekoliko alata. Kao prvo skini Vundofix na svoj Desktop sa ovog linka i prati instrukcije sa tog linka:

http://vundofix.atribune.org/

Ako Vundofix nista ne nadje idemo dalje. Infekcija smrdi na rootkit, trojanac kombinaciju... Rootkitovi su ti koji ti najverovatnije ne dozvoljavaju da instaliras NOD i ZA...

Vundo mi je nasao par "stvarcica", ja ih fixnuo, kad ono medjutim...
Pao mi sistem i mogu da mu pristupim samo iz safe moda.
Da li mu sad uopste ima pomoci?

---

Bilo bi lepo kad bih znao kako su se zvale te stvarcice...

Skini combofix u safe modu, pusti ga da odradi(restartuj ako zatrazi) i postuj nam log, ostavice ga u C:/ najverovatnije.
http://download.bleepingcomputer.com/sUBs/ComboFix.exe

---

evo ga Vundo log:

Listing files found while scanning....

C:\windows\System32\cbxuttq.dll
C:\windows\System32\ddaba.dll
C:\windows\System32\ddccc.dll
C:\windows\System32\ddcyx.dll
C:\windows\System32\gfhkj.ini
C:\windows\System32\gfhkj.ini2
C:\windows\System32\iiffcde.dll
C:\windows\System32\jkhfg.dll
C:\windows\System32\jkkigfd.dll
C:\windows\System32\nnnkhed.dll
C:\windows\System32\sstuttq.dll
C:\windows\System32\winefl32.dll
C:\windows\System32\winheb32.dll
C:\windows\System32\winjpq32.dll
C:\windows\System32\winony32.dll
C:\windows\System32\winvli32.dll

Beginning removal...

Beginning removal...

Attempting to delete C:\windows\System32\cbxuttq.dll
C:\windows\System32\cbxuttq.dll Has been deleted!

Attempting to delete C:\windows\System32\ddaba.dll
C:\windows\System32\ddaba.dll Has been deleted!

Attempting to delete C:\windows\System32\ddccc.dll
C:\windows\System32\ddccc.dll Has been deleted!

Attempting to delete C:\windows\System32\ddcyx.dll
C:\windows\System32\ddcyx.dll Has been deleted!

Attempting to delete C:\windows\System32\gfhkj.ini
C:\windows\System32\gfhkj.ini Has been deleted!

Attempting to delete C:\windows\System32\gfhkj.ini2
C:\windows\System32\gfhkj.ini2 Has been deleted!

Attempting to delete C:\windows\System32\iiffcde.dll
C:\windows\System32\iiffcde.dll Has been deleted!

Attempting to delete C:\windows\System32\jkhfg.dll
C:\windows\System32\jkhfg.dll Has been deleted!

Attempting to delete C:\windows\System32\jkkigfd.dll
C:\windows\System32\jkkigfd.dll Has been deleted!

Attempting to delete C:\windows\System32\nnnkhed.dll
C:\windows\System32\nnnkhed.dll Has been deleted!

Attempting to delete C:\windows\System32\sstuttq.dll
C:\windows\System32\sstuttq.dll Has been deleted!

Attempting to delete C:\windows\System32\winefl32.dll
C:\windows\System32\winefl32.dll Has been deleted!

Attempting to delete C:\windows\System32\winheb32.dll
C:\windows\System32\winheb32.dll Has been deleted!

Attempting to delete C:\windows\System32\winjpq32.dll
C:\windows\System32\winjpq32.dll Has been deleted!

Attempting to delete C:\windows\System32\winony32.dll
C:\windows\System32\winony32.dll Has been deleted!

Attempting to delete C:\windows\System32\winvli32.dll
C:\windows\System32\winvli32.dll Has been deleted!

Performing Repairs to the registry.
Done!

I POSLE SLEDECEG SKENIRANJA:

VundoFix V6.7.7

Checking Java version...

Sun Java not detected
Scan started at 9:00:09 PM 2/6/2008

Listing files found while scanning....

No infected files were found.

---

A EVO GA I COMBO LOG:

ComboFix 08-02.05.3 - 5eul 2008-02-08 14:18:22.1 - NTFSx86 MINIMAL
Microsoft® Windows Vista™ Home Basic 6.0.6000.0.1252.1.1033.18.437 [GMT 1:00]
Running from: C:\Users\5eul\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\5.exe
C:\6.exe
C:\ProgramData\Microsoft\Network\Downloader\qmgr0.dat
C:\ProgramData\Microsoft\Network\Downloader\qmgr1.dat

----- BITS: Possible infected sites -----

hxxp://www.download.windowsupdate.com
.
((((((((((((((((((((((((( Files Created from 2008-01-08 to 2008-02-08 )))))))))))))))))))))))))))))))
.

2008-02-05 03:01 . 2008-02-05 03:01 <DIR> d-------- C:\Program Files\Elaborate Bytes
2008-02-04 19:07 . 2008-02-04 19:07 <DIR> d-------- C:\Users\5eul\{7837d3a8-3f0b-4885-87ff-f1491baa733e}
2008-02-04 19:07 . 2002-07-12 09:33 1,581,056 --a------ C:\windows\mixer.exe
2008-02-04 19:07 . 2000-10-20 11:28 765,952 --a------ C:\windows\system\crlds3d.dll
2008-02-04 19:07 . 2001-11-23 05:08 712,704 --a------ C:\windows\System32\Audio3D.dll
2008-02-04 19:07 . 2002-07-16 03:58 379,726 --a------ C:\windows\System32\drivers\cmaudio.sys
2008-02-04 19:07 . 2002-07-11 04:24 139,264 --a------ C:\windows\cmuninst.exe
2008-02-04 19:07 . 2002-07-11 05:13 135,168 --a------ C:\windows\cmuninst.dat
2008-02-04 19:07 . 2002-07-16 14:47 36,924 --a------ C:\windows\cmijack.dat
2008-02-04 19:07 . 2002-03-29 07:52 32,768 --a------ C:\windows\System32\cmnprop.dll
2008-02-04 19:07 . 2002-07-16 13:33 20,333 --a------ C:\windows\cmaudio.dat
2008-02-04 17:46 . 2008-02-06 20:54 <DIR> d-------- C:\VundoFix Backups
2008-02-03 21:33 . 2008-02-03 21:33 8,704 --a------ C:\windows\System32\hcrstco.dll
2008-02-03 21:32 . 2008-02-03 21:32 <DIR> d-------- C:\Program Files\MSXML 4.0
2008-02-03 20:45 . 2008-02-04 00:10 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-02-03 20:44 . 2007-11-05 17:22 690 --a------ C:\windows\win.tmp
2008-02-03 20:44 . 2007-09-07 00:15 250 --a------ C:\windows\system.tmp
2008-02-03 20:41 . 2008-02-03 20:41 <DIR> d-------- C:\Users\5eul\AppData\Roaming\PC Tools
2008-02-03 18:01 . 2008-02-03 18:01 512,096 --a------ C:\windows\System32\drivers\amon.sys
2008-02-03 18:01 . 2008-02-03 18:01 298,104 --a------ C:\windows\System32\imon.dll
2008-02-03 18:01 . 2008-02-03 18:00 15,424 --a------ C:\windows\System32\drivers\nod32drv.sys
2008-02-02 23:44 . 2008-02-02 23:44 <DIR> d-------- C:\Program Files\Trend Micro
2008-02-02 21:28 . 2008-02-02 21:28 <DIR> d-------- C:\windows\System32\ZoneLabs
2008-02-02 21:28 . 2007-11-16 19:31 <DIR> d-------- C:\windows\Internet Logs
2008-02-02 21:28 . 2008-02-02 21:28 <DIR> d-------- C:\Program Files\Zone Labs
2008-02-02 21:28 . 2008-02-02 21:28 31,547 --ah----- C:\windows\System32\vsconfig.xml
2008-02-02 21:12 . 2008-02-02 21:12 374,456 --a------ C:\windows\System32\mcupdate_GenuineIntel.dll
2008-02-02 21:11 . 2008-02-02 21:11 2,605,568 --a------ C:\windows\System32\SLsvc.exe
2008-02-02 21:11 . 2008-02-02 21:11 566,784 --a------ C:\windows\System32\SLCommDlg.dll
2008-02-02 21:11 . 2008-02-02 21:11 351,232 --a------ C:\windows\System32\SLUI.exe
2008-02-02 21:11 . 2008-02-02 21:11 268,288 --a------ C:\windows\System32\mcbuilder.exe
2008-02-02 21:11 . 2008-02-02 21:11 223,232 --a------ C:\windows\System32\SLC.dll
2008-02-02 21:11 . 2008-02-02 21:11 186,368 --a------ C:\windows\System32\SLLUA.exe
2008-02-02 21:11 . 2008-02-02 21:11 57,856 --a------ C:\windows\System32\SLUINotify.dll
2008-02-02 21:11 . 2008-02-02 21:11 39,936 --a------ C:\windows\System32\slcinst.dll
2008-02-02 21:11 . 2008-02-02 21:11 33,280 --a------ C:\windows\System32\slwmi.dll
2008-02-02 21:11 . 2008-02-02 21:11 11,776 --a------ C:\windows\System32\sbunattend.exe
2008-02-02 03:06 . 2008-02-02 03:06 414,208 --a------ C:\windows\System32\msscp.dll
2008-02-02 03:05 . 2008-02-02 03:05 <DIR> d-------- C:\Program Files\Microsoft CAPICOM 2.1.0.2
2008-02-02 03:02 . 2008-02-02 03:02 3,504,824 --a------ C:\windows\System32\ntkrnlpa.exe
2008-02-02 03:02 . 2008-02-02 03:02 3,470,520 --a------ C:\windows\System32\ntoskrnl.exe
2008-02-02 03:02 . 2008-02-02 03:02 130,048 --a------ C:\windows\System32\drivers\srv2.sys
2008-02-02 03:02 . 2008-02-02 03:02 101,888 --a------ C:\windows\System32\drivers\mrxsmb.sys
2008-02-02 03:02 . 2008-02-02 03:02 84,992 --a------ C:\windows\System32\drivers\srvnet.sys
2008-02-02 03:02 . 2008-02-02 03:02 58,368 --a------ C:\windows\System32\drivers\mrxsmb20.sys
2008-02-02 03:01 . 2008-02-02 03:01 2,048 --a------ C:\windows\System32\tzres.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-06 23:41 --------- d-----w C:\Program Files\Windows Defender
2008-02-06 19:48 --------- d-----w C:\Program Files\SpeedFan
2008-02-06 19:47 --------- d-----w C:\Program Files\TrojanHunter 4.1
2008-02-06 19:37 --------- d-----w C:\Program Files\Crystal Player
2008-02-06 19:35 174 --sha-w C:\Program Files\desktop.ini
2008-02-06 19:17 --------- d-----w C:\Program Files\Spyware Doctor
2008-02-05 02:03 --------- d-----w C:\Program Files\SlySoft
2008-02-04 18:34 --------- d-----w C:\Program Files\Native Instruments
2008-02-03 22:24 --------- d-----w C:\ProgramData\Spybot - Search & Destroy
2008-02-03 17:29 --------- d-----w C:\Program Files\ESET
2008-02-03 17:00 --------- d-----w C:\Program Files\MSN Messenger
2008-02-02 20:11 --------- d-----w C:\Program Files\Windows Sidebar
2008-02-02 03:15 --------- d-----w C:\Program Files\Windows Mail
2008-02-02 02:01 --------- d-----w C:\Program Files\Windows Live Toolbar
2008-02-01 17:47 --------- d-----w C:\Program Files\Gigabyte
2008-01-27 16:47 --------- d-----w C:\Program Files\everestultimate_build_1120_sqdkp3nm7xc
2007-11-25 17:26 819,200 ----a-w C:\windows\is-4C0P6.exe
2007-11-20 15:04 1,523,536 ----a-w C:\windows\FP_AX_CAB_INSTALLER.exe
2007-11-13 12:26 87,608 ----a-w C:\Users\5eul\AppData\Roaming\ezpinst.exe
2007-11-13 12:26 47,360 ----a-w C:\Users\5eul\AppData\Roaming\pcouffin.sys
2007-11-11 22:32 45,056 ----a-w C:\windows\NCUNINST.EXe
2007-11-11 22:32 40,960 ----a-w C:\windows\NCLAUNCH.EXe
2006-11-29 16:41 400 -c--a-w C:\Users\5eul\score.dat
2007-11-02 18:35 56 --sh--r C:\windows\System32\A75CBCF84A.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{13416D70-8111-4208-8DEA-63918477C68D}]
C:\windows\system32\jkhfg.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="C:\Program Files\Windows Sidebar\sidebar.exe" [2008-02-02 21:11 1232896]
"DVDXGhost"="C:\Program Files\DVD X Studios\DVD X Utilities 2.1\DVDGhost\DVDGhost.EXE" [2006-01-18 14:59 1552384]
"ISUSPM Startup"="C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2005-08-11 16:30 249856]
"AnyDVD"="C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe" [2007-11-21 00:59 1625024]
"StartCCC"="C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2006-11-10 12:35 90112]
"Spyware Doctor"="C:\Program Files\Spyware Doctor\swdoctor.exe" [2006-02-18 18:41 1992928]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"EVEREST AutoStart"="C:\Program Files\everestultimate_build_1120_sqdkp3nm7xc\everest.exe" [2007-09-04 17:28 2014816]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sleepy"="C:\Users\5eul\Desktop\sleepy\sleepy.exe" [2001-07-23 21:48 94208]
"nod32kui"="C:\Program Files\Eset\nod32kui.exe" [2008-02-03 18:01 949376]
"C-Media Mixer"="Mixer.exe" [2002-07-12 09:33 1581056 C:\windows\mixer.exe]
"MSServer"="C:\windows\system32\jkkhiif.dll" [ ]
"THGuard"="C:\Program Files\TrojanHunter 4.1\THGuard.exe" [2004-12-22 11:51 1071616]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Spyware Doctor"="C:\Program Files\Spyware Doctor\swdoctor.exe" [2006-02-18 18:41 1992928]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"LogonHoursAction"= 2 (0x2)
"DontDisplayLogonHoursWarnings"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{569DAC0F-2791-46ab-8EFC-A54B77C04C20}"= C:\Program Files\DVD X Studios\DVD X Utilities 2.1\DVDGhost\ExecuteHooker.dll [2005-11-14 14:10 90112]
"{EDB0E980-90BD-11D4-8599-0008C7D3B6F8}"= C:\Program Files\Qualcomm\Eudora\EuShlExt.dll [ ]

S1 UBHelper;UBHelper;C:\windows\system32\drivers\UBHelper.sys [2004-12-17 17:14]
S2 27937;27937;C:\windows\system32\27937.sys [2006-12-22 22:44]
S2 LrWdm;Video Wonder Series PnP Controller;C:\windows\system32\Drivers\Lr25Wdm.sys [2000-05-25 11:00]
S2 Prvflder;Prvflder;C:\windows\system32\DRIVERS\prvflder.sys [2006-04-21 08:22]
S3 BT848;Video Wonder Pro II V2 WDM Video Capture;C:\windows\system32\drivers\BT848.sys [2002-04-01 11:00]
S3 BTTUNER;Video Wonder Pro II V2 WDM TvTuner;C:\windows\system32\drivers\BTTUNER.sys [2002-04-01 11:00]
S3 BTXBAR;Video Wonder Pro II V2 WDM Crossbar;C:\windows\system32\drivers\BTXBAR.sys [2002-04-01 11:00]
S3 Cap7134;Video Wonder Pro III WDM Video Capture;C:\windows\system32\DRIVERS\Cap7134.sys [2002-03-26 11:00]
S3 EverestDriver;Lavalys EVEREST Kernel Driver;C:\Program Files\everestultimate_build_1120_sqdkp3nm7xc\kerneld.wnt [2007-08-19 13:38]
S3 GAGPDrv;GAGPDrv;C:\windows\system32\drivers\GAGPDrv.sys [2003-05-30 12:04]
S3 yukonwlh;NDIS6.0 Miniport Driver for Marvell Yukon Ethernet Controller;C:\windows\system32\DRIVERS\yk60x86.sys [2007-12-06 09:51]
S4 usbprint;Microsoft USB PRINTER Class;C:\windows\system32\drivers\usbprint.sys [2006-11-02 10:14]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceNoNetwork REG_MULTI_SZ PLA DPS BFE mpssvc
rsmsvcs REG_MULTI_SZ ntmssvc

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c6c7b3bb-56f9-11dc-89ac-806e6f6e6963}]
\shell\AutoRun\command - D:\ASUSACPI.exe


[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\ccc-core-static]
msiexec /fums {BF35267B-8DF2-FEBF-ECE7-9D6CF8227273} /qb
.
Contents of the 'Scheduled Tasks' folder
"2008-02-06 19:08:32 C:\windows\Tasks\Check Updates for Windows Live Toolbar.job"
- C:\Program Files\Windows Live Toolbar\MSNTBUP.EXE
"2008-02-06 19:01:00 C:\windows\Tasks\User_Feed_Synchronization-{43CA5BDC-267B-491B-8632-E0A6AF9074E3}.job"
- C:\windows\system32\msfeedssync.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-08 14:34:52
Windows 6.0.6000 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\windows\system32\wbem\unsecapp.exe
.
**************************************************************************
.
Completion time: 2008-02-08 14:39:15 - machine was rebooted
ComboFix-quarantined-files.txt 2008-02-08 13:39:06
.
2008-02-06 18:56:17 --- E O F ---

---

Jel' mozes sad da udjes normalno u Vistu?

Ne...
A da pokusam da izbrisem neki od update-ova?
posto iz iskustva sa xp-om znam da nekad umeju da baguju...

---

Mozes da probas, ali ne garantujem da ces da uspes :) Mislim da je najbolje da ponovo instaliras Vistu. Radi se o tome da je ova verzija Virtumonde-a u kombinaciji sa nekim drugim malwareovima napala sistemske fajlove... Ako te mrzi da reformatiras i ponovo instaliras Vistu mozes uraditi Repair...

Znam da je to najbolje, ali problem je sto nemam vise instalaciju...
btw skinuo sam neki GMER, valja li to ista?

---

Probaj. To je za rootkitove. Moze biti od korisiti...

{edit}

Takodje prevuci zakacen fajl na Combofix ikonicu i pusti da uradi brisanje... Postuj novi Combofix log posle.

Nisam mogao vise da se smaram... formatirao sam hard i nabacio xp, dok ne dobijem vistu...
Hvala svakako na ukazanoj pomoci
e da... sta mi jos savetujes radi izbegavanja ovakvih ili sl. problema, pored NOD-a i ZA za "kao" sigurnu zastitu?

---