Trojanac nije ali negde se krije

Zasto kazem nije trojanac? Pa skenirao sam sa malware, sa supertrojan, sa Antispyware,.. pa onda sa NODom i jos nekim anti virus programom i nista nisam nasao..

zasto misli mda sam nesto zahvatio? pa ne mogu da idem samo na jedan sajt (mail provajder) i ne mogu da skidam mailove - sto je normalno kad ne mogu da otvorim njihov sajt. ne mogu ni na webmail...

pokusao sam ping tajsajt.com i dobio sam rezultat istog sekunda da za 30 hopova nije moguce doci do tog sajta

pokusao sam tracert tajsajt.com i isto...

proverio sam host fajl i on je uredan, bez icega dodatog u njemu. da budem siguran u to, prekopirao sam drugi host fajl sa drugog racunara u mrezi koji uredno otvara pomenuti sajt provajdera i skida/salje mailove.

da malo kazem o mrezi: workgrupa, ruter, u mrezi svi kompovi skidaju/salju mailove, koriste webmail, otvaraju sve web stranice... samo ovaj jadni mali laptop ne moze da otvori pomenutu stranicu. Osim tog sajta provajdera i slanja mailova, sve druge stranice otvara!

sad malo o prethodnim desavanjima sa tim laptopom: nekako je bio iskljucen system restore pa sam ga kroz gpedit aktivirao i pokusao da uradim vracanje sistema na prethodni datum. datum je odabran i pocela je procedura restore i nakon restarta i podizanja sistema, sistem restore mi kaze da restore nije uspesno uradjen. pokusao sam jos neki datum unazad i za svaki je ista poruka.

safe mode... neuspesno. otvara BS nakon toga.

uf... pomoc!

proverio sam host fajl u windows/system32/drivers/etc i sve je ok

ima li jos neko mesto gde bi se moglo uraditi slicno podesavanje, tj onemoguciti izlaz na neki sajt? osim blocked site u exploreru...

Da li si proverio DNS podešavanja u TCP/IP settings? Odradi i ipconfig /flushdns, neće škoditi. Kakav AV imaš instaliran? Neki AV sistemi imaju i parental control. Iz kog browsera pokušavaš da ideš na taj sajt? Internet Explorer recimo ima opciju Restricted Sites (do nje dolaziš preko Internet Options, kartica Security), a koliko se sećam i ostali imaju nešto slično.

DNS je namesten 192.168.1.1 kao DNS rutera, ali sam probao i sa automatic i identicno mi se ponasa. NOD je ukljucen i on nema nista sa tim. Od browsera IE8 i probao sam sa Mozilom - isto.

kad odem u safe mode + networking, mogu da odem na taj sajt i otvorim mailove. znaci definitivno nesto oko sistemskih fajlova.

od rootkit programa sam probao panda, NoHackMe, RootkitRevalver, i jos nesto i nista nije nadjeno.

pripremam se da pregazim Xp :(

Preuzmi DDS Program na Desktop
http://download.bleepingcomputer.com/sUBs/dds.com

Dvoklikom pokreni dds,kad zavrsi, DDS ce otvoriti dva loga:
1. DDS.txt
2. Attach.txt
Oba izvestaja sacuvaj na Desktop.
Kopiraj mi DDS.txt

(ako si vec krenuo da ga "gazis" onda ignorisi ovo)

---

volim izazove...

DDS.txt

.
DDS (Ver_11-03-05.01) - NTFSx86
Run by Beosport at 22:07:28.28 on 07.05.2011
Internet Explorer: 7.0.5730.11
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1979.1374 [GMT 2:00]
.
AV: ESET NOD32 Antivirus 4.0 *Enabled/Updated* {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
d:\inst\swsetup\sp42609\wdm\winxp\STacSV.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\system32\r_server.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\svchost.exe -k UPHClean
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\taskswitch.exe
C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\IDT\WDM\sttray.exe
C:\Program Files\SuperCopier2\SuperCopier2.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\Program Files\deJavu'\aniazPOPUP\aniazPOPUP.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe
C:\Program Files\Hewlett-Packard\Shared\hpqToaster.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Opera\opera.exe
C:\Documents and Settings\Beosport\Desktop\dds.com
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com/
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Skype add-on (mastermind): {22bf413b-c6d2-4d91-82a9-a0f997ba588c} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
uRun: [SuperCopier2.exe] c:\program files\supercopier2\SuperCopier2.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Skype] "c:\program files\skype\phone\Skype.exe" /nosplash /minimized
mRun: [CoolSwitch] c:\windows\system32\taskswitch.exe
mRun: [WirelessAssistant] c:\program files\hewlett-packard\hp wireless assistant\HPWAMain.exe
mRun: [QlbCtrl.exe] c:\program files\hewlett-packard\hp quick launch buttons\QlbCtrl.exe /Start
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [egui] "c:\program files\eset\eset nod32 antivirus\egui.exe" /hide /waitservice
mRun: [Acrobat Assistant 8.0] "c:\program files\adobe\acrobat 8.0\acrobat\Acrotray.exe"
mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray
mRun: [TNOD UP] "c:\program files\tnod user & password finder\TNODUP.exe" /i
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [SysTrayApp] %ProgramFiles%\IDT\WDM\sttray.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\aniazp~1.lnk - c:\program files\dejavu'\aniazpopup\aniazPOPUP.exe
mPolicies-explorer: MaxRecentDocs = 18 (0x12)
mPolicies-explorer: NoSMConfigurePrograms = 1 (0x1)
mPolicies-explorer: NoRecentDocsNetHood = 1 (0x1)
mPolicies-explorer: MemCheckBoxInRunDlg = 1 (0x1)
IE: Append to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office12\EXCEL.EXE/3000
IE: {77BF5300-1474-4EC7-9980-D32B190E9B07} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office11\REFIEBAR.DLL
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
TCP: {AE46F35F-2E0D-4008-BE25-2559F57BD061} = 192.168.1.1
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: igfxcui - igfxdev.dll
.
============= SERVICES / DRIVERS ===============
.
R0 mv61xxmm;mv61xxmm;c:\windows\system32\drivers\mv61xxmm.sys [2011-3-13 13616]
R0 mv64xxmm;mv64xxmm;c:\windows\system32\drivers\mv64xxmm.sys [2011-3-13 5632]
R0 mvxxmm;mvxxmm;c:\windows\system32\drivers\mvxxmm.sys [2011-3-13 13616]
R1 ehdrv;ehdrv;c:\windows\system32\drivers\ehdrv.sys [2009-5-14 107256]
R1 epfwtdir;epfwtdir;c:\windows\system32\drivers\epfwtdir.sys [2009-5-14 94360]
R1 SASDIFSV;SASDIFSV;c:\docume~1\beosport\locals~1\temp\hbcd\superantispyware\SASDIFSV.SYS [2011-5-6 12872]
R2 ekrn;ESET Service;c:\program files\eset\eset nod32 antivirus\ekrn.exe [2009-5-14 731840]
R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2011-3-24 363344]
R2 r_server;Remote Administrator Service;c:\windows\system32\r_server.exe [2011-3-24 241664]
R3 AESTAud;AE Audio Service;c:\windows\system32\drivers\AESTAud.sys [2011-3-24 112128]
R3 Com4QLBEx;Com4QLBEx;c:\program files\hewlett-packard\hp quick launch buttons\Com4QLBEx.exe [2011-3-24 227896]
R3 IntcHdmiAddService;Intel(R) High Definition Audio HDMI Service;c:\windows\system32\drivers\IntcHdmi.sys [2011-3-24 116224]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2011-3-24 20952]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
.
=============== Created Last 30 ================
.
2011-05-07 20:04:17 -------- d-----w- c:\docume~1\beosport\locals~1\applic~1\Opera
2011-05-07 18:41:07 -------- d-----w- c:\windows\system32\PreInstall
2011-05-07 17:20:59 46592 -c--a-w- c:\windows\system32\dllcache\sspifilt.dll
2011-05-07 17:19:58 42496 -c--a-w- c:\windows\system32\dllcache\davcdata.exe
2011-05-07 17:10:38 13312 -c--a-w- c:\windows\system32\dllcache\irclass.dll
2011-05-07 17:10:38 13312 ----a-w- c:\windows\system32\irclass.dll
2011-05-07 17:10:37 24661 -c--a-w- c:\windows\system32\dllcache\spxcoins.dll
2011-05-07 17:10:37 24661 ----a-w- c:\windows\system32\spxcoins.dll
2011-05-07 17:10:27 16535 ----a-r- c:\windows\SET69.tmp
2011-05-07 17:10:26 1088840 ----a-r- c:\windows\SET5D.tmp
2011-05-07 17:10:24 1296669 ----a-r- c:\windows\SET5A.tmp
2011-05-07 16:37:50 55808 ----a-w- C:\devcon.exe
2011-05-07 16:37:50 335029 ----a-w- C:\DPsFnshr.exe
2011-05-07 16:37:50 291573 ----a-w- C:\DSPdsblr.exe
2011-05-07 16:37:50 281723 ----a-w- C:\pmtimer.exe
2011-05-07 16:37:50 20992 ----a-w- C:\makePNF.exe
2011-05-07 16:37:50 137728 ----a-w- C:\mute.exe
2011-05-07 16:37:39 -------- d-----w- C:\D
2011-05-07 16:19:21 -------- d-----w- c:\windows\setup.pss
2011-05-07 12:19:50 2 --shatr- c:\windows\winstart.bat
2011-05-07 12:19:38 -------- d-----w- c:\program files\UnHackMe
2011-05-06 09:28:16 -------- d-----w- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2011-05-06 09:28:14 -------- d-----w- c:\docume~1\beosport\applic~1\SUPERAntiSpyware.com
2011-05-06 08:40:48 -------- d-----w- c:\docume~1\beosport\applic~1\GlarySoft
2011-05-05 13:14:03 -------- d--h--w- c:\windows\system32\GroupPolicy
2011-05-05 10:27:54 -------- d-----w- c:\program files\Bonjour
2011-04-30 09:27:08 5632 ----a-w- c:\windows\system32\ptpusb.dll
2011-04-30 09:27:07 159232 ----a-w- c:\windows\system32\ptpusd.dll
2011-04-30 09:27:06 15104 ----a-w- c:\windows\system32\drivers\usbscan.sys
2011-04-19 11:00:27 -------- d--h--w- c:\windows\ShellNew
2011-04-14 10:01:12 -------- d-----w- c:\program files\TNod User & Password Finder
2011-04-14 09:03:00 -------- d-----w- c:\program files\common files\Macrovision Shared
2011-04-13 08:03:38 241664 ----a-w- c:\windows\system32\spool\prtprocs\w32x86\hpzpp5mc.DLL
2011-04-13 08:03:37 59928 ----a-w- c:\windows\system32\fxcompchannel.dll
.
==================== Find3M ====================
.
2011-03-23 18:26:01 73728 ----a-w- c:\windows\system32\javacpl.cpl
2011-03-23 18:26:01 423656 ----a-w- c:\windows\system32\deployJava1.dll
2011-03-23 16:36:36 1614848 ----a-w- c:\windows\system32\sfcfiles.dll
2011-03-13 13:38:04 3186 ----a-w- c:\windows\system32\presetup.cmd
2011-03-13 13:27:24 24576 ----a-w- c:\windows\system32\nlsdl.dll
2011-03-13 13:27:24 23552 ----a-w- c:\windows\system32\normaliz.dll
2011-03-13 13:27:23 265720 ----a-w- c:\windows\system32\msdbg2.dll
2011-03-13 13:27:10 26112 ----a-w- c:\windows\system32\idndl.dll
2011-03-13 13:27:10 10240 ----a-w- c:\windows\system32\advpack.dll.mui
2011-03-13 13:25:10 282654 ----a-w- c:\windows\system32\msaud32.acm
.
============= FINISH: 22:08:16.82 ===============

DDS "kaze" da je sve u redu. Znaci,da je problem do browsera ili njegovih cookia. Ako ti je do igranja odradi sledece,trebalo bi da resi problem.
Preuzmi EZBecup. Pomocu njega napravi dva beckup-a. Prvi neka ti cuva bookmark a drugi backup sve. Pa sta ti bude valjalo...

Uninstaliraj Operu (Browser) pomocu RevoUninstaller ili jos bolje YourUninstalera ( ili ako te mrzi...klasicno )
Potom preuzmi i poguraj CCleaner i WiseRegistryCleaner. Iskoristi sve opcije Cleaner i Registry.

Potom pokreni TFC
http://www.geekstogo.com/forum...temp-file-cleaner-by-oldtimer/

pa onda instaliraj browser , ucitaj bookmarks ili ceo becup pa vidi jel radi.

Mozes obrisati DDS...

---

sve sam uradio i ista prica. sve sajtove otvaram osim tog jednog.

ne znam da li si procitao u gornjem postu, da kad odem u safe mode, mogu da otvorim taj sajt.

Koji je sajt u pitanju ?

ma nije bitan sajt jer ga uredno otvaram sa svih drugih racunara u mrezi, a nije me mrzelo pa sam racunar stavio kod sebe kuci na svoju mrezu i isto se ponasa, tj taj racunar ne moze da otvori samo tu stranicu a moj kucni moze...

Proveri http://novirus365.net/Infectedfile/660.html

Izbaci NOD, pa probaj, posebno ako je krekovan.

disejblovao sam NOD i Malware i iskljucio firewall i isto...

ovaj TNODUP.exe je "dodatak" za licence za NOD i radi odlicno. niko se nije zalio na njega do sada. taj programcic imam na dosta masina. ne verujem da on pravi problem. ipak, radi testa cu ga ukloniti, restartovati i probati da otvorim sajt. javljam za 1min.

edit:

deinstalirao, resetovao... ista prica :(

Proxy?
Gateway?

nije proxi niti gateway ...

malo sam se udubio u log HiJack-a i Autoruns-a. Nasao sam neku ptanju koja je pocinjala %sytemroot%..... obrisao sam je i pogledao koji fajl je startovan - neki drajver .exe za zvucnu karticu. usao sam u regedit i trazio runonce i run linije i video u jednoj da se pojavljuje taj fajl sa % putanjom, obrisao sam, resetovao komp i :) proradilo je. sajt se konacno otvarao.

medjutim, uradio sam restart kompa posle toga da vidim kako se ponasa i nakon ponovnog ukljucenja, sajt nije mogao da se otvara, tj ista prica kao na pocetku. sad, znajuci sta sam radio, opet sam uradio HiJack, Autoruns i regedit i nista nisam nasao od prethodno obrisanih stvari. Cak sam i obrisao fajlove sa diska, uradio clean sa CC... nista. Problem je ostao.

Obzirom da sam siguran da je neki trojan ili Rootkit kojeg nisam uspeo da detektujem, a nisam vise mogao da buljim u logove i fajlove, uradio sam format C i instal Xp... sad sve radi.