[ snenad_82 @ 04.02.2010. 12:51 ] @
First, let me note that I've read everything the search turned up on this topic and it didn't help.

I'm using Windows XP SP3 with all patches. For protection I have Microsoft Security Essentials and ZoneAlarm Free running all the time, and from time to time I run scans with Spybot - Search & Destroy, SuperAntiSpyware Professional and Malwarebytes' Anti-Malware. So I'm fairly sure there's no malicious software on the machine. I'm connected to the internet all the time through a network card and an ADSL modem. Processor Sempron 2600+ and 1.5 GB of RAM.

Now the problem: about 5 minutes after I turn the computer on, svchost.exe goes wild and pegs the processor at 100%. MsMpEng.exe (Microsoft Security Essentials) kicks in at that point too, so I assume it has to do with Automatic Updates (the only way to update MSE is to have Automatic Updates turned on). That lasts about half a minute, and fine, I need that, so it's not a problem (I'll put up with it), but then svchost keeps going wild for another 10 minutes or so, with nothing but it among the processes.

It's the svchost that hosts the most services; here's a picture of the services too:



I also tried to solve the problem with help from the Microsoft Knowledge Base and ran fix_svchost.bat, which contains:
Code:
regsvr32 comcat.dll /s
regsvr32 shdoc401.dll /s
regsvr32 shdoc401.dll /i /s
regsvr32 asctrls.ocx /s
regsvr32 oleaut32.dll /s
regsvr32 shdocvw.dll /I /s
regsvr32 shdocvw.dll /s
regsvr32 browseui.dll /s
regsvr32 browseui.dll /I /s
regsvr32 msrating.dll /s
regsvr32 mlang.dll /s
regsvr32 hlink.dll /s
regsvr32 mshtmled.dll /s
regsvr32 urlmon.dll /s
regsvr32 plugin.ocx /s
regsvr32 sendmail.dll /s
regsvr32 scrobj.dll /s
regsvr32 mmefxe.ocx /s
regsvr32 corpol.dll /s
regsvr32 jscript.dll /s
regsvr32 msxml.dll /s
regsvr32 imgutil.dll /s
regsvr32 thumbvw.dll /s
regsvr32 cryptext.dll /s
regsvr32 rsabase.dll /s
regsvr32 inseng.dll /s
regsvr32 iesetup.dll /i /s
regsvr32 cryptdlg.dll /s
regsvr32 actxprxy.dll /s
regsvr32 dispex.dll /s
regsvr32 occache.dll /s
regsvr32 occache.dll /i /s
regsvr32 iepeers.dll /s
regsvr32 urlmon.dll /i /s
regsvr32 cdfview.dll /s
regsvr32 webcheck.dll /s
regsvr32 mobsync.dll /s
regsvr32 pngfilt.dll /s
regsvr32 licmgr10.dll /s
regsvr32 icmfilter.dll /s
regsvr32 hhctrl.ocx /s
regsvr32 inetcfg.dll /s
regsvr32 tdc.ocx /s
regsvr32 MSR2C.DLL /s
regsvr32 msident.dll /s
regsvr32 msieftp.dll /s
regsvr32 xmsconf.ocx /s
regsvr32 ils.dll /s
regsvr32 msoeacct.dll /s
regsvr32 inetcomm.dll /s
regsvr32 msdxm.ocx /s
regsvr32 dxmasf.dll /s
regsvr32 l3codecx.ax /s
regsvr32 acelpdec.ax /s
regsvr32 mpg4ds32.ax /s
regsvr32 voxmsdec.ax /s
regsvr32 danim.dll /s
regsvr32 Daxctle.ocx /s
regsvr32 lmrt.dll /s
regsvr32 datime.dll /s
regsvr32 dxtrans.dll /s
regsvr32 dxtmsft.dll /s
regsvr32 WEBPOST.DLL /s
regsvr32 WPWIZDLL.DLL /s
regsvr32 POSTWPP.DLL /s
regsvr32 CRSWPP.DLL /s
regsvr32 FTPWPP.DLL /s
regsvr32 FPWPP.DLL /s
regsvr32 WUAPI.DLL /s
regsvr32 WUAUENG.DLL /s
regsvr32 ATL.DLL /s
regsvr32 WUCLTUI.DLL /s
regsvr32 WUPS.DLL /s
regsvr32 WUWEB.DLL /s
regsvr32 wshom.ocx /s
regsvr32 wshext.dll /s
regsvr32 vbscript.dll /s
regsvr32 scrrun.dll /s
mstinit.exe /setup /s
regsvr32 msnsspc.dll /SspcCreateSspiReg /s
regsvr32 msapsspc.dll /SspcCreateSspiReg /s
regsvr32 /s urlmon.dll
regsvr32 /s mshtml.dll
regsvr32 /s shdocvw.dll
regsvr32 /s browseui.dll
regsvr32 /s jscript.dll
regsvr32 /s vbscript.dll
regsvr32 /s scrrun.dll
regsvr32 /s msxml.dll
regsvr32 /s actxprxy.dll
regsvr32 /s softpub.dll
regsvr32 /s wintrust.dll
regsvr32 /s dssenh.dll
regsvr32 /s rsaenh.dll
regsvr32 /s gpkcsp.dll
regsvr32 /s sccbase.dll
regsvr32 /s slbcsp.dll
regsvr32 /s cryptdlg.dll
regsvr32 /s schannel.dll
regsvr32 /s oleaut32.dll
regsvr32 /s ole32.dll
regsvr32 /s shell32.dll
regsvr32 /s initpki.dll
regsvr32 /s msscript.ocx
regsvr32 /s dispex.dll
regsvr32 jscript.dll /s
rem clear the temp folder, then stop Windows Update and reset its catalog and download store
del %temp% /Q /F
net stop wuauserv
ren %windir%\system32\catroot2 catroot2.old
cd /d %windir%\SoftwareDistribution
rd /s DataStore /Q
regsvr32 wuapi.dll /s
regsvr32 wups.dll /s
regsvr32 wuaueng.dll /s
regsvr32 wucltui.dll /s
regsvr32 wuweb.dll /s
regsvr32 msxml.dll /s
regsvr32 msxml2.dll /s
regsvr32 msxml3.dll /s
regsvr32 urlmon.dll /s
net start wuauserv
exit

and after that I was supposed to run WindowsXP-KB927891-v3-x86-ENU.exe, but then I get a message that my file versions are of a newer date.

I hope I've explained my problem well and that someone can help me.
Thanks in advance
[ valjan @ 04.02.2010. 18:49 ] @
Quote:
snenad_82
I'm using Windows XP SP3 with all patches. For protection I have Microsoft Security Essentials and ZoneAlarm Free running all the time, and from time to time I run scans with Spybot - Search & Destroy, SuperAntiSpyware Professional and Malwarebytes' Anti-Malware. So I'm fairly sure there's no malicious software on the machine.


I'd just like to comment on this quoted part, because it fits perfectly with something I posted a little while ago. Colleagues will take it from here with running the analysis tools, reviewing the logs and giving advice...
[ snenad_82 @ 04.02.2010. 20:31 ] @
Here's the thing: I've been using a computer for some 10-12 years and in all that time I've only had a virus problem once; more precisely, I picked up a trojan downloader that got into explorer.exe and some other system-critical files (I can't remember which ones now). There's no anti-malware I knew of at the time that I didn't run in the hope of getting rid of that thing; unfortunately none of them helped, so in the end I manually overwrote the infected files with the originals from the disc using a Knoppix live CD. So the statement "I'm almost sure" stands (the word "almost" is there on purpose, because one can never be 100% sure).
Personally I think the problem here is in some Windows component or service, but I can't figure out which one. I didn't mention that this is a fairly old OS install; I think it's been running for about 3 years with constant installing/uninstalling of little programs and games (I play with programs and my girlfriend plays games).
[ magna86 @ 04.02.2010. 21:11 ] @
hello :)

Download and run HitMan Pro

http://www.surfright.nl/en/hitmanpro

Wait for it to establish an internet connection, then click next... remove everything it finds.

...............................................................

Download the DDS program to the Desktop
http://download.bleepingcomputer.com/sUBs/dds.com

Double-click dds.scr to run it

When it finishes, DDS will open two logs:
1. DDS.txt
2. Attach.txt


Copy DDS.txt for me
Copy the Malwarebytes Anti-Malware log for me (if you ran it and if you have it)
Tell me the state after these scans, and whether HitMan Pro found anything?
[ acoobradovic @ 05.02.2010. 08:07 ] @
Besides what's already been suggested, I suggest you temporarily turn off Microsoft Update (leave Windows Update on, of course). Then check whether the svchost process still goes wild. I've had that problem on several computers and, when it wasn't down to malware, that always worked.
[ snenad_82 @ 07.02.2010. 14:57 ] @
Quote:
acoobradovic: Besides what's already been suggested, I suggest you temporarily turn off Microsoft Update (leave Windows Update on, of course). Then check whether the svchost process still goes wild. I've had that problem on several computers and, when it wasn't down to malware, that always worked.


I don't know how I'd turn off Microsoft Update. The only place I know of where Windows Update and Microsoft Update are distinguished is the Microsoft/Windows Update site?
[ snenad_82 @ 07.02.2010. 16:07 ] @
Quote:
magna86: hello :)

Download and run HitMan Pro

http://www.surfright.nl/en/hitmanpro

Wait for it to establish an internet connection, then click next... remove everything it finds.

...............................................................

Download the DDS program to the Desktop
http://download.bleepingcomputer.com/sUBs/dds.com

Double-click dds.scr to run it

When it finishes, DDS will open two logs:
1. DDS.txt
2. Attach.txt


Copy DDS.txt for me
Copy the Malwarebytes Anti-Malware log for me (if you ran it and if you have it)
Tell me the state after these scans, and whether HitMan Pro found anything?


HitMan Pro found nothing (it uploaded some system files it found suspicious, but found nothing in them either)

Malwarebytes Anti-Malware log

Code:
Malwarebytes' Anti-Malware 1.44
Database version: 3700
Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

07/02/2010 16:45:37
mbam-log-2010-02-07 (16-45-37).txt

Scan type: Quick Scan
Objects scanned: 131307
Time elapsed: 10 minute(s), 41 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


DDS.txt

Code:

DDS (Ver_09-12-01.01) - NTFSx86  
Run by Bombonica at 16:48:57,28 on 07/02/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_13
Microsoft Windows XP Professional  5.1.2600.3.1252.1.1033.18.1535.737 [GMT 1:00]

AV: BitDefender Antivirus *On-access scanning disabled* (Updated)   {6C4BB89C-B0ED-4F41-A29C-4373888923BB}
AV: Microsoft Security Essentials *On-access scanning enabled* (Updated)   {BCF43643-A118-4432-AEDE-D861FCBCFCDF}
FW: BitDefender Firewall *disabled*   {4055920F-2E99-48A8-A270-4243D2B8F242}
FW: ZoneAlarm Firewall *enabled*   {829BDA32-94B3-44F4-8446-F8FCFF809F8B}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\Program Files\Microsoft Security Essentials\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
C:\WINDOWS\system32\Ati2evxx.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\PROGRA~1\CACHEM~1\CachemanXP.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
C:\Program Files\Raxco\PerfectDisk2008\PDAgent.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Program Files\Raxco\PerfectDisk2008\PDEngine.exe
C:\WINDOWS\TWAIN_32\Vivid\VIVID.EXE
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Program Files\Startup Faster\sfagent.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Microsoft Security Essentials\msseces.exe
C:\Program Files\Unlocker\UnlockerAssistant.exe
C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe
C:\Program Files\HDD Health\HDDHealth.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
C:\Program Files\PC Connectivity Solution\Transports\NclUSBSrv.exe
C:\Program Files\PC Connectivity Solution\Transports\NclRSSrv.exe
C:\Documents and Settings\Bombonica\Application Data\Mozilla\Firefox\Profiles\v8o61p83.default\extensions\[email protected]\platform\WINNT_x86-msvc\plugins\BFHUpdater.exe
C:\Program Files\Notepad++\notepad++.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Bombonica\Application Data\Mozilla\Firefox\Profiles\v8o61p83.default\extensions\{E173B749-DB5B-4fd2-BA0E-94ECEA0CA55B}\components\afom.exe
D:\My Documents\Downloads\Firefox\dds.com

============== Pseudo HJT Report ===============

uStart Page = about:blank
uSearch Bar = hxxp://www.google.com/ie
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mWinlogon: SFCDisable=-99 (0xffffff9d)
uWindows: load=c:\windows\twain_32\vivid\VIVID.EXE
BHO: SnagIt Toolbar Loader: {00c6482d-c502-44c8-8409-fce54ad9c208} - c:\program files\techsmith\snagit 9\SnagItBHO.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: FG2CatchUrl: {1f364306-aa45-47b5-9f9d-39a8b94e7ef1} - c:\program files\flashget\comdlls\bhoCATCH.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll
BHO: {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - No File
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\progra~1\micros~3\office14\GROOVEEX.DLL
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
BHO: Office Document Cache Handler: {b4f3a835-0e21-4959-ba22-42b3008e02ff} - c:\progra~1\micros~3\office14\URLREDIR.DLL
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: SmartSelect Class: {f4971ee7-daa0-4053-9964-665d8ee6a077} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
TB: SnagIt: {8ff5e183-abde-46eb-b09e-d2aab95cabe3} - c:\program files\techsmith\snagit 9\SnagItIEAddin.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
TB: QT Breadcrumbs Address Bar: {af83e43c-dd2b-4787-826b-31b17dee52ed} - mscoree.dll
TB: {8FF5E180-ABDE-46EB-B09E-D2AAB95CABE3} - No File
mRun: [StartupFaster] "c:\program files\startup faster\startuploader.exe" -run SFAURUN SFCURUN SFAUSTARTUP SFCUSTARTUP
mRun: [ZoneAlarm Client] "c:\program files\zone labs\zonealarm\zlclient.exe"
mRunOnce: [Malwarebytes' Anti-Malware] c:\program files\malwarebytes' anti-malware\mbamgui.exe /install /silent
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
StartupFolder: c:\documents and settings\all users\application data\microsoft\shortcuts\startupfaster\StartupFaster.ini
uPolicies-explorer: NoDesktopCleanupWizard = 1 (0x1)
uPolicies-explorer: DisallowCpl = 1 (0x1)
uPolicies-explorer: DisallowRun = 0 (0x0)
uPolicies-explorer: StartMenuLogoff = 1 (0x1)
uPolicies-explorer: MaxRecentDocs = 11 (0xb)
uPolicies-explorer: HideClock = 0 (0x0)
mPolicies-explorer: NoResolveTrack = 0 (0x0)
mPolicies-explorer: NoFileAssociate = 0 (0x0)
mPolicies-system: NoDispSettingsPage = 0 (0x0)
IE: &Download All by FlashGet - c:\program files\flashget\comdlls\Bhoall.htm
IE: &Download by FlashGet - c:\program files\flashget\comdlls\Bholink.htm
IE: Add to Banner Ad Blocker
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: Append Link Target to Existing PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert Link Target to Adobe PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert to Adobe PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office14\EXCEL.EXE/3000
IE: English<->Serbian - c:\program files\lingvosoft\lingvosoft talking dictionary 2007 (english-serbian) for windows\plugins\IE.htm
IE: Se&nd to OneNote - /105
IE: { - c:\program files\messenger\msmsgs.exe
IE: {D23AEFC7-3668-BC4B-AE09-AEE099CAF67B} - c:\program files\lingvosoft\lingvosoft talking dictionary 2007 (english-serbian) for windows\plugins\IE.htm
IE: {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - c:\progra~1\flashget\FlashGet.exe
IE: {E59EB121-F339-4851-A3BA-FE49C35617C2} - c:\program files\icq6\ICQ.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\program files\microsoft office\office14\ONBttnIE.dll
IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - c:\program files\microsoft office\office14\ONBttnIELinkedNotes.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {17492023-c23a-453e-a040-c7c580bbf700} - hxxp://download.microsoft.com/download/C/0/C/C0CBBA88-A6F2-48D9-9B0E-1719D1177202/LegitCheckControl.cab
DPF: {215b8138-a3cf-44c5-803f-8226143cfc0a} - hxxp://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} - hxxp://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.5.0.cab
DPF: {5d86ddb5-bdf9-441b-9e9e-d4730f4ee499} - hxxp://download.bitdefender.com/resources/scanner/sources/en/scan8/oscan8.cab
DPF: {8ad9c840-044e-11d1-b3e9-00805f499d93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {cafeefac-0016-0000-0007-abcdeffedcba} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {cafeefac-0016-0000-0013-abcdeffedcba} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {cafeefac-ffff-ffff-ffff-abcdeffedcba} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
TCP: {543B5FE2-472F-46B2-8C16-69E9B805E3CB} = 212.200.191.166,212.200.190.166
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: AtiExtEvent - Ati2evxx.dll
Notify: qoMeDvUM - qoMeDvUM.dll
AppInit_DLLs: acaptuser32.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
STS: FencesShlExt Class: {1984dd45-52cf-49cd-ab77-18f378fea264} - c:\program files\stardock\fences\FencesMenu.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\progra~1\micros~3\office14\GROOVEEX.DLL
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
mASetup: {F8B9E5C0-4DCC-CFCF-ABA5-00401D608516} -  
Hosts: 127.0.0.1    www.spywareinfo.com

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\bombon~1\applic~1\mozilla\firefox\profiles\v8o61p83.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.startup.homepage - about:blank
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?ei=utf-8&fr=megaup&p=
FF - prefs.js: keyword.enabled - false
FF - component: c:\documents and settings\bombonica\application data\mozilla\firefox\profiles\v8o61p83.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
FF - component: c:\documents and settings\bombonica\application data\mozilla\firefox\profiles\v8o61p83.default\extensions\{340c2bbc-ce74-4362-90b5-7c26312808ef}\platform\winnt_x86-msvc\components\WeaveCrypto.dll
FF - component: c:\documents and settings\bombonica\application data\mozilla\firefox\profiles\v8o61p83.default\extensions\{6ff1d3c4-61bc-4021-89b7-af8a8f784ebb}\components\snagitmozextension.dll
FF - component: c:\documents and settings\bombonica\application data\mozilla\firefox\profiles\v8o61p83.default\extensions\{a7c6cf7f-112c-4500-a7ea-39801a327e5f}\platform\winnt_x86-msvc\components\ipc.dll
FF - component: c:\documents and settings\bombonica\application data\mozilla\firefox\profiles\v8o61p83.default\extensions\{e173b749-db5b-4fd2-ba0e-94ecea0ca55b}\components\npAFOM.dll
FF - component: c:\documents and settings\bombonica\application data\mozilla\firefox\profiles\v8o61p83.default\extensions\{e3f6c2cc-d8db-498c-af6c-499fb211db97}\platform\winnt_x86-msvc\components\pagespeed.dll
FF - component: c:\program files\nokia\nokia pc suite 7\bkmrksync\components\BkMrkExt.dll
FF - plugin: c:\documents and settings\all users\application data\zylom\zylomgamesplayer\npzylomgamesplayer.dll
FF - plugin: c:\documents and settings\bombonica\application data\mozilla\firefox\profiles\v8o61p83.default\extensions\[email protected]\platform\winnt_x86-msvc\plugins\npBFHUpdater.dll
FF - plugin: c:\documents and settings\bombonica\application data\mozilla\plugins\npgoogletalk.dll
FF - plugin: c:\documents and settings\bombonica\local settings\application data\google\update\1.2.183.13\npGoogleOneClick8.dll
FF - plugin: c:\progra~1\micros~3\office14\NPAUTHZ.DLL
FF - plugin: c:\progra~1\micros~3\office14\NPSPWRAP.DLL
FF - plugin: c:\program files\google\google earth plugin\npgeplugin.dll
FF - plugin: c:\program files\google\picasa3\npPicasa3.dll
FF - plugin: c:\program files\google\update\1.2.133.33\npGoogleOneClick7.dll
FF - plugin: c:\program files\java\j2re1.4.1_01\bin\NPJava11.dll
FF - plugin: c:\program files\java\j2re1.4.1_01\bin\NPJava12.dll
FF - plugin: c:\program files\java\j2re1.4.1_01\bin\NPJava13.dll
FF - plugin: c:\program files\java\j2re1.4.1_01\bin\NPJava32.dll
FF - plugin: c:\program files\java\j2re1.4.1_01\bin\NPJPI141_01.dll
FF - plugin: c:\program files\java\j2re1.4.1_01\bin\NPOJI610.dll
FF - plugin: c:\program files\microsoft\office live\npOLW.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeploytk.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npnul32.dll
FF - plugin: c:\program files\mozilla firefox\plugins\NPOFF12.DLL
FF - plugin: c:\program files\mozilla firefox\plugins\nppl3260.dll
FF - plugin: c:\program files\mozilla firefox\plugins\nprjplug.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\

---- FIREFOX POLICIES ----
user_pref('capability.policy.policynames', 'localfilelinks');user_pref('capability.policy.localfilelinks.sites', 'hxxp://www.webmynd.com http://www.google.com');user_pref('capability.policy.localfilelinks.checkloaduri.enabled', 'allAccess');
FF - user.js: capability.policy.policynames - localfilelinks
FF - user.js: capability.policy.localfilelinks.sites - hxxp://s1.travian.com http://s2.travian.com http://s3.travian.com
FF - user.js: capability.policy.localfilelinks.checkloaduri.enabled - allAccess
FF - user.js: network.prefetch-next - true
FF - user.js: nglayout.initialpaint.delay - 250
FF - user.js: layout.spellcheckDefault - 1
FF - user.js: browser.tabs.closeButtons - 1
FF - user.js: browser.tabs.opentabfor.middleclick - true
FF - user.js: browser.tabs.tabMinWidth - 100
FF - user.js: browser.urlbar.hideGoButton - false
i:\instalacije\portable apps\firefoxportable\app\firefox\greprefs\all.js - pref("ui.use_native_colors", true);
i:\instalacije\portable apps\firefoxportable\app\firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
i:\instalacije\portable apps\firefoxportable\app\firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
i:\instalacije\portable apps\firefoxportable\app\firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
i:\instalacije\portable apps\firefoxportable\app\firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
i:\instalacije\portable apps\firefoxportable\app\firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency",   1600);
i:\instalacije\portable apps\firefoxportable\app\firefox\greprefs\all.js - pref("svg.smil.enabled", false);
i:\instalacije\portable apps\firefoxportable\app\firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
i:\instalacije\portable apps\firefoxportable\app\firefox\greprefs\all.js - pref("browser.formfill.debug",            false);
i:\instalacije\portable apps\firefoxportable\app\firefox\greprefs\all.js - pref("browser.formfill.agedWeight",       2);
i:\instalacije\portable apps\firefoxportable\app\firefox\greprefs\all.js - pref("browser.formfill.bucketSize",       1);
i:\instalacije\portable apps\firefoxportable\app\firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
i:\instalacije\portable apps\firefoxportable\app\firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
i:\instalacije\portable apps\firefoxportable\app\firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight",   25);
i:\instalacije\portable apps\firefoxportable\app\firefox\greprefs\all.js - pref("browser.formfill.prefixWeight",     5);
i:\instalacije\portable apps\firefoxportable\app\firefox\greprefs\all.js - pref("html5.enable", false);
i:\instalacije\portable apps\firefoxportable\app\firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
i:\instalacije\portable apps\firefoxportable\app\firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
i:\instalacije\portable apps\firefoxportable\app\firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
i:\instalacije\portable apps\firefoxportable\app\firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
i:\instalacije\portable apps\firefoxportable\app\firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
i:\instalacije\portable apps\firefoxportable\app\firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
i:\instalacije\portable apps\firefoxportable\app\firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
i:\instalacije\portable apps\firefoxportable\app\firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
i:\instalacije\portable apps\firefoxportable\app\firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
i:\instalacije\portable apps\firefoxportable\app\firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
i:\instalacije\portable apps\firefoxportable\app\firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
i:\instalacije\portable apps\firefoxportable\app\firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
i:\instalacije\portable apps\firefoxportable\app\firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R0 BtHidBus;Bluetooth HID Bus Service;c:\windows\system32\drivers\BtHidBus.sys [2009-1-7 20744]
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-8-5 64160]
R0 viasraid;viasraid;c:\windows\system32\drivers\viasraid.sys [2004-4-13 77312]
R1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2009-6-18 142832]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-1-5 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-1-5 74480]
R1 VD_FileDisk;VD_FileDisk;c:\windows\system32\drivers\vd_filedisk.sys [2006-1-13 15872]
R1 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2010-1-29 486280]
R2 CachemanXPService;CachemanXP;c:\progra~1\cachem~1\CachemanXP.exe [2008-8-2 243200]
R2 cpuz132;cpuz132;c:\windows\system32\drivers\cpuz132_x32.sys [2009-5-31 12672]
R2 ppsio2;PPDevice;c:\windows\system32\drivers\PPSIO2.SYS [2008-8-2 22400]
R2 starwindserviceae;StarWind AE Service;c:\program files\alcohol soft\alcohol 120\starwind\StarWindServiceAE.exe [2007-5-28 275968]
R2 vsmon;TrueVector Internet Monitor;c:\windows\system32\zonelabs\vsmon.exe -service --> c:\windows\system32\zonelabs\vsmon.exe -service [?]
S1 2753509;2753509;c:\windows\system32\drivers\2753509.sys --> c:\windows\system32\drivers\2753509.sys [?]
S3 btnetBUs;Bluetooth PAN Bus Service;c:\windows\system32\drivers\btnetBus.sys [2008-12-7 30088]
S3 cpuz131;cpuz131;\??\c:\docume~1\bombon~1\locals~1\temp\cpuz131\cpuz_x32.sys --> c:\docume~1\bombon~1\locals~1\temp\cpuz131\cpuz_x32.sys [?]
S3 IvtBtBUs;IVT Bluetooth Bus Service;c:\windows\system32\drivers\IvtBtBus.sys [2008-7-2 26248]
S3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2009-7-3 1029456]
S3 Microsoft SharePoint Workspace Audit Service;Microsoft SharePoint Workspace Audit Service;c:\program files\microsoft office\office14\GROOVE.EXE [2009-10-29 30603640]
S3 nmwcdnsu;Nokia USB Flashing Phone Parent;c:\windows\system32\drivers\nmwcdnsu.sys [2009-8-5 136704]
S3 nmwcdnsuc;Nokia USB Flashing Generic;c:\windows\system32\drivers\nmwcdnsuc.sys [2009-8-5 8320]
S3 osppsvc;Office Software Protection Platform;c:\program files\common files\microsoft shared\officesoftwareprotectionplatform\OSPPSVC.EXE [2009-9-26 4639136]
S3 PSI;PSI;c:\windows\system32\drivers\psi_mf.sys [2009-6-17 12648]
S3 Roxio UPnP Renderer 11;Roxio UPnP Renderer 11;"c:\program files\roxio creator 2009 ultimate\digital home 11\roxioupnprenderer11.exe" --> c:\program files\roxio creator 2009 ultimate\digital home 11\RoxioUPnPRenderer11.exe [?]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2010-1-5 7408]
S3 vboxnetadp;VirtualBox Host-Only Ethernet Adapter;c:\windows\system32\drivers\VBoxNetAdp.sys [2009-7-5 91408]
S3 vboxnetflt;VBoxNetFlt Service;c:\windows\system32\drivers\vboxnetflt.sys --> c:\windows\system32\drivers\VBoxNetFlt.sys [?]

=============== Created Last 30 ================

2010-02-07 15:34:25    178    ----a-w-    c:\windows\system32\bootdelete.lst
2010-02-07 15:34:25    12872    ----a-w-    c:\windows\system32\bootdelete.exe
2010-02-07 14:59:15    15944    ----a-w-    c:\windows\system32\drivers\hitmanpro35.sys
2010-02-07 14:58:38    0    d-----w-    c:\docume~1\alluse~1\applic~1\Hitman Pro
2010-02-07 14:57:50    0    d-----w-    c:\program files\Hitman Pro 3.5
2010-01-29 18:19:04    0    d-----w-    c:\program files\ODEON
2010-01-29 12:52:18    1238408    ----a-w-    c:\windows\system32\zpeng25.dll
2010-01-29 12:52:15    0    d-----w-    c:\windows\system32\ZoneLabs
2010-01-29 12:52:06    422437    ----a-w-    c:\windows\system32\vsconfig.xml
2010-01-29 12:52:03    0    d-----w-    c:\program files\Zone Labs
2010-01-29 12:51:25    0    d-----w-    c:\windows\Internet Logs
2010-01-23 11:51:50    1266056    ----a-w-    C:\WindowsXP-KB927891-v3-x86-ENU.exe
2010-01-23 11:48:01    3038    ----a-w-    C:\fix_svchost.bat
2010-01-18 20:36:01    0    d-----w-    c:\program files\iPod
2010-01-18 20:35:28    0    d-----w-    c:\program files\iTunes
2010-01-18 20:26:09    40448    ----a-w-    c:\windows\system32\drivers\usbaapl.sys
2010-01-18 20:26:09    2065696    ----a-w-    c:\windows\system32\usbaaplrc.dll
2010-01-12 00:39:59    552    ----a-w-    c:\windows\system32\d3d8caps.dat

==================== Find3M  ====================

2010-02-07 12:49:22    4212    ---ha-w-    c:\windows\system32\zllictbl.dat
2010-01-14 10:12:06    181120    ------w-    c:\windows\system32\MpSigStub.exe
2010-01-07 15:07:14    38224    ----a-w-    c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-07 15:07:04    19160    ----a-w-    c:\windows\system32\drivers\mbam.sys
2010-01-03 01:08:19    0    ---ha-w-    c:\windows\system32\drivers\Msft_User_WpdMtpDr_01_00_00.Wdf
2009-12-21 19:14:05    916480    ----a-w-    c:\windows\system32\wininet.dll
2009-11-29 15:16:41    6656    ----a-w-    c:\windows\system32\lpcio.dll
2009-09-24 18:59:33    25    ----a-w-    c:\program files\popcinfot.dat
2008-06-13 20:01:24    237056    ----a-w-    c:\program files\DocListUploader 1.0 for google docs.exe

============= FINISH: 17:04:40,67 ===============
[ acoobradovic @ 07.02.2010. 19:38 ] @
Quote:
snenad_82: I don't know how I would turn off Microsoft Update. The only place I know of where Windows Update and Microsoft Update are separated is the Microsoft/Windows Update site?

When you go to Windows Update, go to Change settings, and at the bottom of the page there is an option that turns off Microsoft Update and leaves only Windows Update.
[ kristi1 @ 07.02.2010. 19:43 ] @
AV: BitDefender Antivirus
AV: Microsoft Security Essentials
FW: BitDefender Firewall
FW: ZoneAlarm Firewall

Do you see this situation on your end?
[ snenad_82 @ 07.02.2010. 21:16 ] @
Quote:
kristi1: AV: BitDefender Antivirus
AV: Microsoft Security Essentials
FW: BitDefender Firewall
FW: ZoneAlarm Firewall

Do you see this situation on your end?


To be honest, I hadn't noticed at all, and when I saw your reply I got completely confused. I remember trying BitDefender about a year ago, but I didn't like it at all; I used to be a NOD32 fan and every other AV looked worse to me.
I've now downloaded the BitDefender uninstall tool and I hope it will remove those leftovers from the system. It's odd that CCleaner hasn't removed them by now, but there you go, now I know CCleaner isn't as good as I thought it was.
[ snenad_82 @ 10.02.2010. 12:36 ] @
I fixed the problem that kristi1 pointed out to me.
I changed the setting from Microsoft Update to Windows Update as acoobradovic suggested.
However, the problem is still the same.
[ mico91 @ 10.02.2010. 20:51 ] @
mate, the only solution for you is ComboFix
here are the instructions: http://www.elitesecurity.org/t...e-programa-HijackThis-ComboFix

run it and scan, and you'll see it deletes that virus (I know from experience, I've had to remove it a couple of times :@)
[ snenad_82 @ 13.02.2010. 12:16 ] @
Quote:
mico91: mate, the only solution for you is ComboFix
here are the instructions: http://www.elitesecurity.org/t...e-programa-HijackThis-ComboFix

run it and scan, and you'll see it deletes that virus (I know from experience, I've had to remove it a couple of times :@)


Thanks a lot. I did everything and it looks like the problem is solved. I'll test for a few more days and then report back. Thanks again to everyone for the help.
[ snenad_82 @ 18.02.2010. 19:40 ] @
The problem is solved. Thanks to everyone for the help.
[ osimblog.net @ 19.02.2010. 20:56 ] @

I see the problem is solved, but I just want to post the link that helped me as far as services and the computer's resource usage are concerned

http://technet.microsoft.com/en-us/sysinternals/bb896653.aspx
[ snenad_82 @ 20.02.2010. 21:02 ] @
Quote:
osimblog.net: I see the problem is solved, but I just want to post the link that helped me as far as services and the computer's resource usage are concerned

http://technet.microsoft.com/en-us/sysinternals/bb896653.aspx


I don't understand how Process Explorer solved the problem for you; I used it to identify the problem. btw, the first picture in my post is from Process Explorer.
[ osimblog.net @ 21.02.2010. 06:29 ] @
It helped me because I could see exactly which programs were choking the CPU through some service. I didn't realize the picture was Process Explorer, sorry.


[ Aleksandar Maletic @ 21.02.2010. 10:55 ] @
ComboFix is the right tool for cases like this... however, I don't understand, @snenad_82, how you could have installed two AVs and two firewalls... :))) That is a large part of what threw a party in your computer... :)))
[ snenad_82 @ 22.02.2010. 14:03 ] @
Quote:
osimblog.net:
It helped me because I could see exactly which programs were choking the CPU through some service. I didn't realize the picture was Process Explorer, sorry.


That's what I did too. The picture above is the properties of the svchost that was choking me, i.e. the services it runs.


Quote:
Aleksandar Maletic: ComboFix is the right tool for cases like this... however, I don't understand, @snenad_82, how you could have installed two AVs and two firewalls... :))) That is a large part of what threw a party in your computer... :)))


Of course I didn't install two AVs and two firewalls at once, I'm not that crazy. As I already wrote above, I installed BitDefender just to try it. Naturally, before that I uninstalled NOD32, which I was using at the time. After that I removed BitDefender because I didn't like it (except for the option to check links in Messenger, which I haven't found in any other AV). After that I installed/uninstalled a whole pile of AVs (at that time they had all released new versions, so I wanted to try them; I think I still have leftovers of Kaspersky on the system because Kaspersky's cloud tool won't run for me, but that doesn't worry me, because after the problems with Kaspersky at work I have no intention of ever going near it again (better to have viruses on the computer than Norton or Kaspersky (joking, of course))). Currently, as you can see, I'm using MSE + ZoneAlarm Free on three computers (Comodo Firewall has too many settings for my taste) and I'm very happy with it.
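The diagnostic step described in this exchange (looking at which services a busy svchost.exe instance hosts) can also be done from the command line. The script below is an added example, not code from this thread or from Process Explorer. It assumes the CSV output of two commands that exist on Windows XP Professional, `tasklist /svc /fo csv` (PID to hosted services) and `tasklist /v /fo csv` (PID to accumulated CPU time); the two dumps embedded here are constructed samples, not captures from the poster's machine.

```python
"""Map each svchost.exe instance to the services it hosts, ranked by CPU time.

Added example for this thread. Input is the CSV form of `tasklist /svc`
(PID -> services) and `tasklist /v` (PID -> "CPU Time" as h:mm:ss).
The samples below are constructed so the script runs offline.
"""
import csv
import io
from typing import Dict, List, Tuple

# Constructed sample of `tasklist /svc /fo csv` output (not a real capture).
TASKLIST_SVC = '''"Image Name","PID","Services"
"System Idle Process","0","N/A"
"svchost.exe","864","DcomLaunch,TermService"
"svchost.exe","932","RpcSs"
"svchost.exe","1024","AudioSrv,BITS,Browser,CryptSvc,Dhcp,EventSystem,helpsvc,lanmanserver,lanmanworkstation,Netman,Nla,RasMan,Schedule,seclogon,SENS,SharedAccess,ShellHWDetection,srservice,TapiSrv,Themes,TrkWks,W32Time,winmgmt,wscsvc,wuauserv,WZCSVC"
"svchost.exe","1100","Dnscache"
"svchost.exe","1180","LmHosts,RemoteRegistry,SSDPSRV,WebClient"
"MsMpEng.exe","1320","MsMpSvc"
'''

# Constructed sample of `tasklist /v /fo csv` output, trimmed to a few rows.
TASKLIST_V = '''"Image Name","PID","Session Name","Session#","Mem Usage","Status","User Name","CPU Time","Window Title"
"svchost.exe","864","Console","0","4,912 K","Running","NT AUTHORITY\\SYSTEM","0:00:03","N/A"
"svchost.exe","932","Console","0","4,236 K","Running","NT AUTHORITY\\NETWORK SERVICE","0:00:01","N/A"
"svchost.exe","1024","Console","0","31,488 K","Running","NT AUTHORITY\\SYSTEM","0:10:12","N/A"
"svchost.exe","1100","Console","0","3,584 K","Running","NT AUTHORITY\\NETWORK SERVICE","0:00:00","N/A"
"svchost.exe","1180","Console","0","4,100 K","Running","NT AUTHORITY\\LOCAL SERVICE","0:00:02","N/A"
"MsMpEng.exe","1320","Console","0","52,000 K","Running","NT AUTHORITY\\SYSTEM","0:01:40","N/A"
'''


def parse_tasklist_svc(text: str) -> Dict[int, Tuple[str, List[str]]]:
    """Return {pid: (image name, [hosted services])} from `tasklist /svc /fo csv`."""
    hosted: Dict[int, Tuple[str, List[str]]] = {}
    for row in csv.DictReader(io.StringIO(text)):
        services = row["Services"].strip()
        # tasklist prints N/A for a process that hosts no service at all
        names = [] if services == "N/A" else services.split(",")
        hosted[int(row["PID"])] = (row["Image Name"], names)
    return hosted


def cpu_seconds(cpu_time: str) -> int:
    """Convert the h:mm:ss value of tasklist's "CPU Time" column to seconds."""
    hours, minutes, seconds = (int(part) for part in cpu_time.split(":"))
    return hours * 3600 + minutes * 60 + seconds


def parse_cpu_times(text: str) -> Dict[int, int]:
    """Return {pid: accumulated CPU seconds} from `tasklist /v /fo csv`."""
    return {int(row["PID"]): cpu_seconds(row["CPU Time"])
            for row in csv.DictReader(io.StringIO(text))}


def rank_hosts(svc_text: str, v_text: str,
               image: str = "svchost.exe") -> List[Tuple[int, int, List[str]]]:
    """Rank every instance of `image` by CPU time; each row is (pid, seconds, services).

    A process missing from the /v dump is assumed to have used 0 seconds.
    """
    hosted = parse_tasklist_svc(svc_text)
    cpu = parse_cpu_times(v_text)
    rows = [(pid, cpu.get(pid, 0), services)
            for pid, (name, services) in hosted.items()
            if name.lower() == image.lower()]
    return sorted(rows, key=lambda row: row[1], reverse=True)


def report(svc_text: str, v_text: str, image: str = "svchost.exe") -> List[str]:
    """Human-readable lines, busiest instance first."""
    lines = []
    for pid, seconds, services in rank_hosts(svc_text, v_text, image):
        lines.append(f"{image} PID {pid}: {seconds:5d} s CPU, "
                     f"{len(services)} service(s): {', '.join(services) or '-'}")
    return lines


if __name__ == "__main__":
    for line in report(TASKLIST_SVC, TASKLIST_V):
        print(line)
```

In the constructed sample the busiest instance (PID 1024) hosts 26 services, among them wuauserv (Automatic Updates), so the per-process CPU figure only narrows the suspects to that list rather than naming one service; that is the limitation the thread worked around with Process Explorer. Removing and re-adding the `/v` dump for a later point in time turns the same functions into a before/after comparison of which instance is accumulating CPU.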
[ Aleksandar Maletic @ 22.02.2010. 14:16 ] @
Of course, in my opinion too ZoneAlarm is a much better solution than Comodo Firewall... don't experiment too much; if you can't afford a NOD license or whatever, then install Avast! 5 and ZoneAlarm Free and you'll have peace of mind... :)))
[ vuchko.vuchko @ 22.02.2010. 22:39 ] @
I haven't dug too deeply into this thread, but I solved the problem with that thing in the following way.

Control Panel -> Administrative Tools -> Services -> Automatic Updates

And in the settings I simply select Disabled (as in the picture), and the constant stalling of my poor computer stopped.

[ clean_Up @ 24.02.2010. 13:02 ] @
Hi. I'm a bit late to this thread, glad you solved the problem. First, only one antivirus gets installed on a computer, and then it hammers the CPU, I think, like crazy, but it works. Second, I think I read somewhere in here that svchost is a virus, AND IT IS ACTUALLY no virus at all. Third, there was a much simpler solution for that problem, the REGEDIT database, and I'd solve it in 1 min max. If there are other people with the same problem, let them contact me by PM and I'll send them the solution in doc format, the instructions are simple and easy.
[ snenad_82 @ 15.03.2010. 12:26 ] @
Quote:
clean_Up: Hi. I'm a bit late to this thread, glad you solved the problem. First, only one antivirus gets installed on a computer, and then it hammers the CPU, I think, like crazy, but it works. Second, I think I read somewhere in here that svchost is a virus, AND IT IS ACTUALLY no virus at all. Third, there was a much simpler solution for that problem, the REGEDIT database, and I'd solve it in 1 min max. If there are other people with the same problem, let them contact me by PM and I'll send them the solution in doc format, the instructions are simple and easy.


You're wrong about the first and second points (read the whole thread and you'll see why). As for the third, post the solution so it's here for the future, and so that people who know a bit more about the registry can check it.
Regards
[ mirotovorac @ 23.02.2012. 09:48 ] @
I have a similar problem, my computer is acting up a bit; more precisely, my Start menu at times reverts to the original Win98-style Start menu.

When I start the computer these problems appear

http://imageshack.us/photo/my-images/444/67853999.jpg/

it's been happening for the last 5 days, and now the third item has started to appear too

Is there any other solution for me besides ComboFix?

Hitman found some items in the installer file veoh.exe. Though I don't know how it found something in the installer file if it was downloaded from, I think, the main site.
I downloaded that when I was installing Hotspot Shield


DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 6.0.2900.5512 BrowserJavaVersion: 1.6.0_31
Run by Administrator at 10:12:35 on 2012-02-23
Microsoft Windows XP Professional 5.1.2600.3.1250.387.1033.18.1023.351 [GMT 1:00]
.
AV: Anti-Virus *Disabled/Updated* {E7512ED5-4245-4B4D-AF3A-382D3F313F15}
FW: ZoneAlarm Free Firewall *Enabled*
.
============== Running Processes ===============
.
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
svchost.exe
C:\Program Files\CheckPoint\ZoneAlarm\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\ABBYY\FineReader\10.00\Licensing\PE\NetworkLicenseServer.exe
C:\WINDOWS\ATKKBService.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\CyberLink\PowerDVD11\Kernel\DMP\CLHNServiceForPowerDVD.exe
C:\Program Files\CyberLink\PowerDVD11\Common\MediaServer\CLMSMonitorService.exe
C:\Program Files\CyberLink\PowerDVD11\Common\MediaServer\CLMSServer.exe
C:\Program Files\F-Secure\fshoster32.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\F-Secure\apps\ComputerSecurity\Anti-Virus\FSGK32.EXE
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\WINDOWS\system32\oodag.exe
C:\Program Files\F-Secure\apps\ComputerSecurity\Common\FSMA32.EXE
C:\Program Files\F-Secure\apps\ComputerSecurity\Anti-Virus\fssm32.exe
C:\Program Files\CheckPoint\ZoneAlarm\zatray.exe
C:\WINDOWS\system32\oodtray.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\devldr32.exe
C:\Program Files\F-Secure\apps\ComputerSecurity\FWES\Program\fsdfwd.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\MCShield\MCShieldRTM.exe
C:\Program Files\HitmanPro\hmpsched.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = about:blank
uURLSearchHooks: H - No File
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Babylon toolbar helper: {2eecd738-5844-4a99-b4b6-146bf802613b} - c:\program files\babylontoolbar\babylontoolbar\1.5.3.17\bh\BabylonToolbar.dll
BHO: DivX Plus Web Player HTML5 <video>: {326e768d-4182-46fd-9c16-1449a49795f4} - c:\program files\divx\divx plus web player\ie\divxhtml5\DivXHTML5.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\progra~1\micros~3\office14\GROOVEEX.DLL
BHO: Java(tm) Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Office Document Cache Handler: {b4f3a835-0e21-4959-ba22-42b3008e02ff} - c:\progra~1\micros~3\office14\URLREDIR.DLL
BHO: {c95a4e8e-816d-4655-8c79-d736da1adb6d} - No File
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: {c95a4e8e-816d-4655-8c79-d736da1adb6d} - No File
TB: Babylon Toolbar: {98889811-442d-49dd-99d7-dc866be87dbc} - c:\program files\babylontoolbar\babylontoolbar\1.5.3.17\BabylonToolbarTlbr.dll
TB: {EE2AC4E5-B0B0-4EC6-88A9-BCA1A32AB107} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [MCShield Monitor] c:\program files\mcshield\mcshieldrtm.exe
mRun: [ZoneAlarm] c:\program files\checkpoint\zonealarm\zatray.exe
mRun: [OODefragTray] c:\windows\system32\oodtray.exe
mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray
mPolicies-system: SynchronousMachineGroupPolicy = 0 (0x0)
mPolicies-system: SynchronousUserGroupPolicy = 0 (0x0)
IE: Download with &Media Finder - c:\program files\media finder\hook.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office14\EXCEL.EXE/3000
IE: Se&nd to OneNote - c:\progra~1\micros~3\office14\ONBttnIE.dll/105
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\program files\microsoft office\office14\ONBttnIE.dll
IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - c:\program files\microsoft office\office14\ONBttnIELinkedNotes.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0031-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
TCP: DhcpNameServer = 192.168.1.254 81.93.64.9 81.93.64.1
TCP: Interfaces\{3A7E5017-844B-46DF-9B60-7A36481657D2} : DhcpNameServer = 192.168.1.254 81.93.64.9 81.93.64.1
Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - c:\program files\common files\microsoft shared\office14\MSOXMLMF.DLL
Notify: AtiExtEvent - Ati2evxx.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\progra~1\micros~3\office14\GROOVEEX.DLL
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\administrator\application data\mozilla\firefox\profiles\z5rc9ibr.default\
FF - prefs.js: browser.startup.homepage -
FF - plugin: c:\progra~1\micros~3\office14\NPAUTHZ.DLL
FF - plugin: c:\progra~1\micros~3\office14\NPSPWRAP.DLL
FF - plugin: c:\program files\adobe\reader 10.0\reader\air\nppdf32.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\java\jre6\bin\plugin2\npdeployJava1.dll
FF - plugin: c:\program files\java\jre6\bin\plugin2\npjp2.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npwachk.dll
.
---- FIREFOX POLICIES ----
FF - user.js: extensions.BabylonToolbar_i.babTrack - affID=101641
FF - user.js: extensions.BabylonToolbar_i.babExt -
FF - user.js: extensions.BabylonToolbar_i.srcExt - ss
FF - user.js: extensions.BabylonToolbar_i.id - 50517e6b0000000000000013d4c6288d
FF - user.js: extensions.BabylonToolbar_i.hardId - 50517e6b0000000000000013d4c6288d
FF - user.js: extensions.BabylonToolbar_i.instlDay - 15393
FF - user.js: extensions.BabylonToolbar_i.vrsn - 1.5.3.17
FF - user.js: extensions.BabylonToolbar_i.vrsni - 1.5.3.17
FF - user.js: extensions.BabylonToolbar_i.vrsnTs - 1.5.3.179:45:13
FF - user.js: extensions.BabylonToolbar_i.prtnrId - babylon
FF - user.js: extensions.BabylonToolbar_i.prdct - BabylonToolbar
FF - user.js: extensions.BabylonToolbar_i.aflt - babsst
FF - user.js: extensions.BabylonToolbar_i.smplGrp - none
FF - user.js: extensions.BabylonToolbar_i.tlbrId - base
FF - user.js: extensions.BabylonToolbar_i.instlRef - sst
.
============= SERVICES / DRIVERS ===============
.
R0 fsbts;fsbts;c:\windows\system32\drivers\fsbts.sys [2012-2-17 42672]
R0 FSFW;F-Secure Firewall Driver;c:\windows\system32\drivers\fsdfw.sys [2012-2-17 82872]
R0 WRkrn;WRkrn;c:\windows\system32\drivers\wrkrn.sys --> c:\windows\system32\drivers\WRkrn.sys [?]
R1 F-Secure HIPS;F-Secure HIPS Driver;c:\program files\f-secure\apps\computersecurity\hips\drivers\fshs.sys [2012-2-17 73192]
R1 Vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2011-12-18 525840]
R2 {329F96B6-DF1E-4328-BFDA-39EA953C1312};Power Control [2012/02/12 13:50:04];c:\program files\cyberlink\powerdvd11\common\navfilter\000.fcl [2012-2-12 77296]
R2 ABBYY.Licensing.FineReader.Professional.10.0;ABBYY FineReader 10 PE Licensing Service;c:\program files\common files\abbyy\finereader\10.00\licensing\pe\NetworkLicenseServer.exe [2009-9-29 809736]
R2 CLHNServiceForPowerDVD;CLHNServiceForPowerDVD;c:\program files\cyberlink\powerdvd11\kernel\dmp\CLHNServiceForPowerDVD.exe [2012-2-12 83240]
R2 CyberLink PowerDVD 11.0 Monitor Service;CyberLink PowerDVD 11.0 Monitor Service;c:\program files\cyberlink\powerdvd11\common\mediaserver\CLMSMonitorService.exe [2012-2-12 70952]
R2 CyberLink PowerDVD 11.0 Service;CyberLink PowerDVD 11.0 Service;c:\program files\cyberlink\powerdvd11\common\mediaserver\CLMSServer.exe [2012-2-12 312616]
R2 fshoster;F-Secure Dll Hoster;c:\program files\f-secure\fshoster32.exe [2011-12-14 160424]
R2 HitmanProScheduler;HitmanPro Scheduler;c:\program files\hitmanpro\hmpsched.exe [2012-2-23 98120]
R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2012-2-22 652360]
R2 ntk_PowerDVD;ntk_PowerDVD;c:\program files\cyberlink\powerdvd11\kernel\dmp\ntk_PowerDVD.sys [2012-2-12 71664]
R2 vsmon;TrueVector Internet Monitor;c:\program files\checkpoint\zonealarm\vsmon.exe -service --> c:\program files\checkpoint\zonealarm\vsmon.exe -service [?]
R3 F-Secure Gatekeeper;F-Secure Gatekeeper;c:\program files\f-secure\apps\computersecurity\anti-virus\minifilter\fsgk.sys [2012-2-17 148632]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2012-2-16 20464]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 WRSVC;WRSVC;"c:\program files\webroot\wrsa.exe" -service --> c:\program files\webroot\WRSA.exe [?]
S3 EverestDriver;FinalWire EVEREST Kernel Driver;c:\program files\lavalys\everest ultimate edition\kerneld.wnt [2012-2-12 27800]
S3 Microsoft SharePoint Workspace Audit Service;Microsoft SharePoint Workspace Audit Service;c:\program files\microsoft office\office14\GROOVE.EXE [2010-12-27 31124344]
S3 osppsvc;Office Software Protection Platform;c:\program files\common files\microsoft shared\officesoftwareprotectionplatform\OSPPSVC.EXE [2010-1-9 4640000]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
.
=============== Created Last 30 ================
.
2012-02-23 09:11:18 12872 ----a-w- c:\windows\system32\bootdelete.exe
2012-02-23 08:59:42 23624 ----a-w- c:\windows\system32\drivers\hitmanpro36.sys
2012-02-23 08:59:40 -------- d-----w- c:\program files\HitmanPro
2012-02-23 08:58:55 -------- d-----w- c:\documents and settings\all users\application data\HitmanPro
2012-02-23 08:45:24 -------- d-----w- c:\documents and settings\administrator\application data\BabylonToolbar
2012-02-23 08:45:15 -------- d-----w- c:\program files\BabylonToolbar
2012-02-23 08:44:41 -------- d-----w- c:\documents and settings\administrator\local settings\application data\Babylon
2012-02-23 08:44:40 -------- d-----w- c:\documents and settings\all users\application data\Babylon
2012-02-23 08:44:40 -------- d-----w- c:\documents and settings\administrator\application data\Babylon
2012-02-23 08:44:23 -------- d-----w- c:\program files\JEEFORemoval Tool
2012-02-23 08:28:00 -------- d-----w- c:\documents and settings\all users\application data\MCShield
2012-02-23 08:19:31 -------- d-----w- c:\documents and settings\administrator\application data\MCShield
2012-02-23 08:19:30 -------- d-----w- c:\program files\MCShield
2012-02-22 21:47:05 -------- d-----w- c:\windows\SiS
2012-02-22 21:45:56 32768 ----a-w- c:\windows\system32\drivers\sisnicxp.sys
2012-02-22 20:47:29 -------- d-----w- c:\documents and settings\administrator\application data\ABBYY
2012-02-22 20:35:37 -------- d-----w- c:\program files\common files\ABBYY
2012-02-22 20:31:01 -------- d-----w- c:\documents and settings\administrator\local settings\application data\ABBYY
2012-02-22 20:31:00 -------- d-----w- c:\program files\ABBYY FineReader 10
2012-02-22 20:31:00 -------- d-----w- c:\documents and settings\all users\application data\ABBYY
2012-02-22 17:43:26 -------- d-----w- c:\documents and settings\administrator\application data\3v
2012-02-22 17:26:45 -------- d-----w- c:\documents and settings\administrator\application data\DriverCure
2012-02-22 17:26:44 -------- d-----w- c:\documents and settings\administrator\application data\ParetoLogic
2012-02-22 17:26:24 -------- d-----w- c:\documents and settings\all users\application data\ParetoLogic
2012-02-22 16:24:40 -------- d-----w- c:\documents and settings\administrator\application data\Malwarebytes
2012-02-22 16:24:31 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2012-02-22 15:10:45 -------- d-----w- c:\documents and settings\administrator\application data\Media Finder
2012-02-22 14:57:25 -------- d-----w- c:\program files\MKVToolNix
2012-02-22 14:22:07 -------- d-----w- C:\Temp
2012-02-22 14:20:12 -------- d-----w- c:\program files\AviSynth 2.5
2012-02-22 14:04:42 -------- d-----w- c:\program files\eRightSoft
2012-02-22 13:26:50 -------- d-----w- c:\documents and settings\administrator\application data\mkvtoolnix
2012-02-21 16:53:39 73728 ----a-w- c:\windows\system32\javacpl.cpl
2012-02-21 16:53:39 476904 ----a-w- c:\program files\mozilla firefox\plugins\npdeployJava1.dll
2012-02-21 16:38:49 -------- d-----w- c:\program files\Xvid
2012-02-21 16:32:42 -------- d-----w- c:\documents and settings\all users\application data\DivX
2012-02-18 20:35:15 -------- d-----w- c:\windows\system32\PreInstall
2012-02-18 20:33:46 -------- d--h--w- c:\windows\$hf_mig$
2012-02-18 14:22:18 193 ----a-w- c:\documents and settings\administrator\application data\12.tmp
2012-02-18 13:44:32 193 ----a-w- c:\documents and settings\administrator\application data\C.tmp
2012-02-18 13:44:26 193 ----a-w- c:\documents and settings\administrator\application data\A.tmp
2012-02-18 13:38:39 193 ----a-w- c:\documents and settings\administrator\application data\6.tmp
2012-02-18 13:38:38 193 ----a-w- c:\documents and settings\administrator\application data\5.tmp
2012-02-18 12:47:05 193 ----a-w- c:\documents and settings\administrator\application data\2BA.tmp
2012-02-17 15:07:56 42672 ----a-w- c:\windows\system32\drivers\fsbts.sys
2012-02-17 15:07:25 82872 ----a-w- c:\windows\system32\drivers\fsdfw.sys
2012-02-17 15:01:36 -------- d-----w- c:\program files\F-Secure
2012-02-17 11:28:19 6912 ----a-w- c:\windows\system32\drivers\vulfnth.sys
2012-02-17 11:28:19 45056 ----a-w- c:\windows\system32\vusetup.dll
2012-02-17 11:28:19 11264 ----a-w- c:\windows\system32\drivers\vulfntr.sys
2012-02-17 11:10:12 -------- d-----w- c:\windows\system32\SoftwareDistribution
2012-02-16 22:25:29 20464 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-02-16 21:26:35 -------- d-----w- c:\documents and settings\all users\application data\fssg
2012-02-16 21:25:47 -------- d-----w- c:\documents and settings\all users\application data\F-Secure
2012-02-15 13:05:30 -------- d-----w- c:\program files\IGI Subtitler
2012-02-14 01:42:46 26112 -c--a-w- c:\windows\system32\dllcache\usbser.sys
2012-02-14 01:42:46 26112 ----a-w- c:\windows\system32\drivers\usbser.sys
2012-02-14 01:41:40 23856 ----a-w- c:\windows\system32\spupdsvc.exe
2012-02-14 01:40:37 -------- d-----w- c:\windows\LastGood.Tmp
2012-02-12 22:37:38 221184 ----a-w- c:\windows\system32\wmpns.dll
2012-02-12 20:41:03 79360 ----a-w- c:\windows\system32\ff_vfw.dll
2012-02-12 20:41:03 48128 ----a-w- c:\windows\system32\ff_acm.acm
2012-02-12 20:41:01 -------- d-----w- c:\program files\ffdshow
2012-02-12 20:35:44 -------- d-----w- c:\program files\Haali
2012-02-12 19:33:39 497664 ----a-w- c:\windows\system32\ac3filter.acm
2012-02-12 19:33:38 -------- d-----w- c:\program files\AC3Filter
2012-02-12 14:14:55 3583 ----a-w- c:\windows\SiSport.sys
2012-02-12 14:14:55 32768 ----a-w- c:\windows\SIS_LIB.DLL
2012-02-12 14:14:55 106496 ----a-w- c:\windows\SiSUSBrg.exe
2012-02-12 14:13:30 36992 ----a-w- c:\windows\system32\drivers\SISAGPX.SYS
2012-02-12 14:11:09 -------- d-----w- c:\program files\SiSLan
2012-02-12 14:08:16 306688 ----a-w- c:\windows\IsUninst.exe
2012-02-12 14:07:28 -------- d-----w- c:\documents and settings\administrator\WINDOWS
2012-02-12 12:50:05 -------- d-----w- c:\documents and settings\all users\application data\PDVD
2012-02-12 12:49:31 -------- d-----w- c:\documents and settings\administrator\local settings\application data\MediaServer
2012-02-12 12:46:53 -------- d-----w- c:\documents and settings\all users\application data\install_clap
2012-02-12 12:00:55 69715 ----a-w- c:\program files\common files\installshield\professional\runtime\09\01\intel32\ctor.dll
2012-02-12 12:00:55 5632 ----a-w- c:\program files\common files\installshield\professional\runtime\09\01\intel32\DotNetInstaller.exe
2012-02-12 12:00:55 266240 ----a-w- c:\program files\common files\installshield\professional\runtime\09\01\intel32\iscript.dll
2012-02-12 12:00:55 192512 ----a-w- c:\program files\common files\installshield\professional\runtime\09\01\intel32\iuser.dll
2012-02-12 12:00:54 729088 ----a-w- c:\program files\common files\installshield\professional\runtime\09\01\intel32\iKernel.dll
2012-02-12 12:00:53 188548 ----a-w- c:\program files\common files\installshield\professional\runtime\09\01\intel32\iGdi.dll
2012-02-12 12:00:52 311428 ----a-w- c:\program files\common files\installshield\professional\runtime\09\01\intel32\setup.dll
2012-02-12 12:00:48 -------- d-----w- C:\ATI
2012-02-12 11:58:04 10194 ------w- c:\windows\system32\PFMODNT.SYS
2012-02-12 11:18:27 -------- d-----w- c:\program files\Lavalys
2012-02-12 07:53:34 -------- d-----w- c:\windows\system32\NtmsData
2012-02-11 19:44:24 -------- d-----w- c:\windows\SxsCaPendDel
2012-02-08 16:56:28 -------- d-----w- c:\documents and settings\administrator\local settings\application data\Conduit
2012-02-08 16:56:27 -------- d-----w- c:\documents and settings\administrator\local settings\application data\Temp
2012-02-08 16:56:25 -------- d-----w- c:\program files\Hotspot_Shield
2012-02-08 09:20:27 0 ----a-w- c:\windows\system32\wbem\TempWmicBatchFile.bat
2012-02-07 14:35:31 260608 ----a-w- c:\windows\system32\lame.ax
2012-02-07 14:34:51 -------- d-----w- c:\windows\system32\oodag
2012-02-07 14:33:38 -------- d-----w- c:\program files\CODES lameDS-3.99.4
2012-02-07 13:25:22 -------- d-----w- c:\documents and settings\administrator\local settings\application data\O&O
2012-02-07 13:23:06 -------- d-----w- c:\program files\OO Software
2012-02-07 11:46:33 -------- d-----w- c:\documents and settings\administrator\application data\CheckPoint
2012-02-07 11:46:01 -------- d-----w- c:\documents and settings\all users\application data\CheckPoint
2012-02-07 11:41:26 -------- d-----w- c:\program files\CheckPoint
2012-02-06 21:52:57 -------- d-----w- C:\SLUZBENI GLASNIK REPUBLIKE SPRSKE
2012-02-06 18:55:42 -------- d-----w- c:\documents and settings\all users\Microsoft
2012-02-06 18:52:35 -------- d-----w- c:\program files\Microsoft Visual Studio 8
2012-02-06 18:50:46 -------- d-----w- c:\program files\Microsoft Analysis Services
2012-02-06 18:47:55 -------- d-----w- c:\windows\SHELLNEW
2012-02-06 18:46:01 -------- d-----w- c:\documents and settings\administrator\local settings\application data\Microsoft Help
2012-02-06 17:16:14 26368 -c--a-w- c:\windows\system32\dllcache\usbstor.sys
2012-02-06 15:13:12 185560 ----a-w- c:\windows\system32\drivers\PCTSD.sys
2012-02-06 15:11:36 -------- d-----w- c:\documents and settings\all users\application data\PC Tools
2012-02-06 15:11:35 -------- d-----w- c:\documents and settings\administrator\application data\TestApp
2012-02-06 14:45:13 -------- d-----w- c:\program files\Yamicsoft
2012-02-06 14:43:11 -------- d-----w- c:\program files\Microsoft WSE
2012-02-06 13:28:11 -------- d-----w- c:\program files\common files\PCSuite
2012-02-06 13:28:10 -------- d-----w- c:\program files\common files\Nokia
2012-02-06 13:27:58 21632 ----a-w- c:\windows\system32\drivers\pccsmcfd.sys
2012-02-06 13:27:47 -------- d-----w- c:\program files\PC Connectivity Solution
2012-02-06 13:27:42 8064 ----a-w- c:\windows\system32\drivers\usbser_lowerfltj.sys
2012-02-06 13:27:41 8064 ----a-w- c:\windows\system32\drivers\usbser_lowerflt.sys
2012-02-06 13:27:40 20864 ----a-w- c:\windows\system32\drivers\ccdcmbo.sys
2012-02-06 13:27:33 -------- d-----w- c:\documents and settings\administrator\local settings\application data\Identities
2012-02-06 13:27:32 659968 ----a-w- c:\windows\system32\nmwcdcocls.dll
2012-02-06 13:27:32 17536 ----a-w- c:\windows\system32\drivers\ccdcmb.sys
2012-02-06 13:27:32 1419232 ----a-w- c:\windows\system32\wdfcoinstaller01005.dll
2012-02-06 13:27:30 90624 ----a-w- c:\windows\system32\nmwcdcls.dll
2012-02-06 13:27:28 -------- d-----w- c:\program files\Nokia
2012-02-06 11:58:04 65024 ----a-w- c:\windows\system32\atimpc32.dll
2012-02-06 11:58:04 53248 ----a-w- c:\windows\system32\aticalrt.dll
2012-02-06 11:58:04 53248 ----a-w- c:\windows\system32\aticalcl.dll
2012-02-06 11:58:04 4358144 ----a-w- c:\windows\system32\aticaldd.dll
2012-02-06 11:58:04 188416 ----a-w- c:\windows\system32\atiadlxx.dll
2012-02-06 11:58:04 15900672 ----a-w- c:\windows\system32\atioglxx.dll
2012-02-06 11:58:04 143360 ----a-w- c:\windows\system32\atiapfxx.exe
2012-02-06 11:58:04 118784 ----a-w- c:\windows\system32\atibtmon.exe
2012-02-06 11:57:47 -------- d-----w- C:\CIMTEMP
2012-02-06 11:52:38 12288 ----a-r- c:\windows\system32\drivers\EIO_XP.sys
2012-02-06 11:35:57 -------- d-----w- c:\documents and settings\all users\application data\Premium
2012-02-06 11:35:55 -------- d-----w- c:\documents and settings\all users\application data\InstallMate
2012-02-06 11:16:46 0 ----a-w- c:\windows\ativpsrm.bin
2012-02-06 11:16:42 311296 ----a-r- c:\windows\system32\atiiiexx.dll
2012-02-06 11:16:41 450560 ----a-r- c:\windows\system32\ATIDEMGX.dll
2012-02-06 11:07:49 91136 ----a-w- c:\windows\system32\kswdmcap.ax
2012-02-06 11:07:49 61952 ----a-w- c:\windows\system32\kstvtune.ax
2012-02-06 11:07:49 28672 ----a-w- c:\windows\system32\vidcap.ax
2012-02-06 11:07:47 53760 -c--a-w- c:\windows\system32\dllcache\vfwwdm32.dll
2012-02-06 11:07:47 53760 ----a-w- c:\windows\system32\vfwwdm32.dll
2012-02-06 11:07:46 43008 ----a-w- c:\windows\system32\ksxbar.ax
2012-02-06 11:07:00 102400 ----a-w- c:\windows\system32\NetVideo_SBS.ax
2012-02-06 11:03:39 -------- d-----w- c:\windows\system32\ReinstallBackups
2012-02-06 10:45:01 -------- d-----w- C:\Samsung
2012-02-06 10:35:28 -------- d-----w- c:\program files\ATI Technologies
2012-02-06 10:34:26 77824 ----a-w- c:\program files\common files\installshield\engine\6\intel 32\ctor.dll
2012-02-06 10:34:26 32768 ------w- c:\program files\common files\installshield\engine\6\intel 32\objectps.dll
2012-02-06 10:34:26 225280 ------w- c:\program files\common files\installshield\iscript\iscript.dll
2012-02-06 10:34:26 212992 ----a-w- c:\program files\common files\installshield\engine\6\intel 32\ILog.dll
2012-02-06 10:34:26 176128 ------w- c:\program files\common files\installshield\engine\6\intel 32\iuser.dll
2012-02-06 10:25:30 -------- d-----w- c:\windows\system32\appmgmt
2012-02-05 23:01:59 70992 ----a-w- c:\windows\system32\XAPOFX1_2.dll
2012-02-05 23:00:32 -------- d-----w- C:\directx 9.0c
2012-02-05 22:21:47 -------- d-----w- c:\documents and settings\administrator\local settings\application data\ApplicationHistory
2012-02-05 22:14:44 -------- d-----w- c:\windows\system32\URTTEMP
2012-02-05 22:13:56 839680 ----a-w- c:\windows\system32\MpaDecFilter.ax
2012-02-05 22:13:56 438272 ----a-w- c:\windows\system32\Mpeg2DecFilter.ax
2012-02-05 22:12:01 -------- d-----w- c:\program files\Webteh
2012-02-05 22:05:51 -------- d-----w- c:\program files\Microsoft .NET Compact Framework 1.0 SP3
2012-02-05 20:36:31 5504 ----a-w- c:\windows\system32\drivers\StarOpen.sys
2012-02-05 20:28:38 -------- d-----w- c:\program files\URUSoft
2012-02-05 15:35:01 -------- d-----w- c:\program files\MagicISO
2012-02-05 15:32:44 1892184 ----a-w- c:\windows\system32\D3DX9_42.dll
2012-02-05 15:32:43 2414360 ----a-w- c:\windows\system32\d3dx9_31.dll
2012-02-05 15:32:38 -------- d-----w- c:\windows\Logs
2012-02-05 15:32:19 -------- d-----w- c:\program files\Winamp Detect
2012-02-05 15:32:18 819200 ----a-w- c:\program files\windows media player\wmsetsdk.exe
2012-02-05 15:32:18 47616 ----a-w- c:\program files\windows media player\msoobci.dll
2012-02-05 15:31:47 -------- d-----w- c:\windows\RegisteredPackages
2012-02-05 15:29:01 691696 ----a-w- c:\windows\system32\drivers\sptd.sys
2012-02-05 15:28:54 -------- d-----w- c:\program files\DAEMON Tools Lite
2012-02-05 15:28:12 -------- d-----w- c:\documents and settings\administrator\application data\DAEMON Tools Lite
2012-02-05 15:28:10 -------- d-----w- c:\documents and settings\all users\application data\DAEMON Tools Lite
2012-02-05 15:11:45 -------- d-----w- c:\documents and settings\administrator\local settings\application data\Adobe
2012-02-05 15:10:49 -------- d-----w- c:\documents and settings\all users\application data\Malwarebytes
2012-02-05 14:50:11 737280 ----a-w- c:\windows\iun6002.exe
2012-02-05 14:50:07 -------- d-----w- c:\program files\Codec Pack - All In 1
2012-02-05 14:37:48 -------- d-----w- c:\program files\GRETECH
2012-02-05 14:24:34 -------- d-----w- c:\documents and settings\administrator\.swt
2012-02-05 14:24:31 -------- d-----w- c:\documents and settings\administrator\application data\Azureus
2012-02-05 14:22:52 -------- d-----w- c:\program files\Vuze
2012-02-05 14:22:00 472808 ----a-w- c:\windows\system32\deployJava1.dll
2012-02-05 14:14:24 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-02-05 14:07:57 -------- d-----w- c:\program files\AARONS CLIKER
2012-02-05 14:03:52 6272 ----a-w- c:\windows\system32\drivers\splitter.sys
2012-02-05 14:03:51 142592 ----a-w- c:\windows\system32\drivers\aec.sys
2012-02-05 14:03:49 56576 ----a-w- c:\windows\system32\drivers\swmidi.sys
2012-02-05 14:03:48 52864 ----a-w- c:\windows\system32\drivers\DMusic.sys
2012-02-05 14:03:46 7552 ----a-w- c:\windows\system32\drivers\MSKSSRV.sys
2012-02-05 14:03:44 5376 ----a-w- c:\windows\system32\drivers\MSPCLOCK.sys
2012-02-05 14:03:43 60800 ----a-w- c:\windows\system32\drivers\sysaudio.sys
2012-02-05 14:03:42 172416 ----a-w- c:\windows\system32\drivers\kmixer.sys
2012-02-05 14:03:40 83072 ----a-w- c:\windows\system32\drivers\wdmaud.sys
2012-02-05 14:03:39 4992 ----a-w- c:\windows\system32\drivers\MSPQM.sys
2012-02-05 14:03:38 2944 ----a-w- c:\windows\system32\drivers\drmkaud.sys
2012-02-05 14:03:34 3072 ----a-w- c:\windows\system32\drivers\audstub.sys
2012-02-05 14:01:59 10624 -c--a-w- c:\windows\system32\dllcache\gameenum.sys
2012-02-05 14:01:59 10624 ----a-w- c:\windows\system32\drivers\gameenum.sys
2012-02-05 14:01:54 74240 ----a-w- c:\windows\system32\usbui.dll
2012-02-05 14:01:50 20992 ----a-w- c:\windows\system32\drivers\RTL8139.sys
2012-02-05 14:01:46 44672 ----a-w- c:\windows\system32\drivers\UAGP35.SYS
2012-02-05 14:01:42 32256 -c--a-w- c:\windows\system32\dllcache\sisnic.sys
2012-02-05 14:01:42 32256 ----a-r- c:\windows\system32\drivers\sisnic.sys
.
==================== Find3M ====================
.
2012-02-22 13:57:23 196608 ----a-w- c:\windows\system32\drivers\nStandard.bin
2012-02-06 11:08:27 12288 ----a-w- c:\windows\system32\drivers\EIO64_xp.sys
2012-01-20 13:14:28 17280 ----a-w- c:\windows\system32\roboot.exe
2012-01-04 23:01:54 32768 ----a-w- c:\windows\system32\drivers\taphss.sys
2006-05-03 11:06:54 163328 --sha-r- c:\windows\system32\flvDX.dll
2007-02-21 12:47:16 31232 --sha-r- c:\windows\system32\msfDX.dll
2008-03-16 14:30:52 216064 --sha-r- c:\windows\system32\nbDX.dll
2010-01-06 23:00:00 107520 --sha-r- c:\windows\system32\TAKDSDecoder.dll
.
============= FINISH: 10:13:44.65 ===============
[ Aleksandar Maletic @ 23.02.2012. 10:50 ] @
First and foremost: Start→Control Panel→Add/Remove Programs, remove all the unnecessary programs and toolbars; I see you also have the Babylon toolbar, which is classic adware.
After that download OSAM Autorun Manager 5.0, unpack it and run it.
After the full analysis finishes, save the .html log, then attach it here
with a new post.
[ mirotovorac @ 23.02.2012. 11:23 ] @
I removed the Babylon toolbar in the meantime; I had picked it up from JEEFORemovalTool.


Report of OSAM: Autorun Manager v5.0.11926.0
http://www.online-solutions.ru/en/
Saved at 12:20:48 on 23.02.2012
OS: Windows XP Professional Service Pack 3 (Build 2600)
Default Browser: Mozilla Corporation Firefox 10.0

Scanner Settings
Rootkits detection (hidden registry)
Rootkits detection (hidden files)
Retrieve files information
Check Microsoft signatures

Filters
Trusted entries
Empty entries
Hidden registry entries (rootkit activity)
Exclusively opened files
Not found files
Files without detailed information
Existing files
Non-startable services
Non-startable drivers
Active entries
Disabled entries

Risk Name Publisher Full Path Status
Boot Execute
HKLM\SYSTEM\CurrentControlSet\Control\Session Manager
|||||| "BootExecute" "O&O Software GmbH" C:\WINDOWS\system32\OODBS.exe File exists
|||||| "BootExecute" "SurfRight B.V." C:\WINDOWS\system32\bootdelete.exe File exists
Common
%SystemRoot%\Tasks
|| "WinXP Manager Live Update.job" "Yamicsoft" C:\Program Files\Yamicsoft\WinXP Manager\LiveUpdate.exe File exists
Control Panel Objects
%SystemRoot%\system32
|||||| "ac3filter.cpl" C:\WINDOWS\system32\ac3filter.cpl File exists
|||||| "FlashPlayerCPLApp.cpl" "Adobe Systems Incorporated" C:\WINDOWS\system32\FlashPlayerCPLApp.cpl File exists
"javacpl.cpl" "Sun Microsystems, Inc." C:\WINDOWS\system32\javacpl.cpl File exists
HKLM\Software\Microsoft\Windows\CurrentVersion\Control Panel\Cpls
|||||| "mlcfg32.cpl" "Microsoft Corporation" C:\PROGRA~1\MICROS~3\Office14\MLCFG32.CPL File exists
|||||| "NokiaConnectionManager" "Nokia" C:\PROGRA~1\Nokia\NOKIAP~1\CONNEC~1.CPL File exists
Drivers
HKLM\SYSTEM\CurrentControlSet\Services
|||||| "Anchorfree HSS Adapter" (taphss) "AnchorFree Inc" C:\WINDOWS\System32\DRIVERS\taphss.sys File exists
|||||| "ap9hgl9g" (ap9hgl9g) "Microsoft Corporation" C:\WINDOWS\system32\drivers\ap9hgl9g.sys Hidden registry entry, rootkit activity | File signed by Microsoft
|||||| "ASUS Video3D Service" (Video3D) "ASUSTeK COMPUTER INC." C:\WINDOWS\System32\Drivers\Video3D32.sys File exists
|||||| "ASUS Virtual Video Capture Device Driver" (asusgsb) "ASUSTeK Computer Inc." C:\WINDOWS\System32\drivers\asusgsb.sys File exists
|||||| "ASUSTeK Virtual Capture Device" (ASUSVRC) "ASUSTeK COMPUTER INC." C:\WINDOWS\System32\DRIVERS\AsusVRC.sys File exists
|||||| "ati2mtag" (ati2mtag) "ATI Technologies Inc." C:\WINDOWS\System32\DRIVERS\ati2mtag.sys File exists
|||||| "EIO_XP" (EIO_XP) "ASUSTeK Computer Inc." C:\WINDOWS\system32\drivers\EIO_XP.sys File exists
|||||| "Enhanced Display Driver Helper Service" (asuskbnt) "ASUSTeK COMPUTER INC." C:\WINDOWS\System32\drivers\atkkbnt.sys File exists
"F-Secure Firewall Driver" (FSFW) "F-Secure Corporation" C:\WINDOWS\System32\drivers\fsdfw.sys File exists
"F-Secure Gatekeeper" (F-Secure Gatekeeper) "F-Secure Corporation" C:\Program Files\F-Secure\apps\ComputerSecurity\Anti-Virus\minifilter\fsgk.sys File exists
"F-Secure HIPS Driver" (F-Secure HIPS) "F-Secure Corporation" C:\Program Files\F-Secure\apps\ComputerSecurity\HIPS\drivers\fshs.sys File exists
|||||| "FinalWire EVEREST Kernel Driver" (EverestDriver) C:\Program Files\Lavalys\EVEREST Ultimate Edition\kerneld.wnt File found, but it contains no detailed information
|||||| "fsbts" (fsbts) "F-Secure Corporation" C:\WINDOWS\System32\Drivers\fsbts.sys File exists
|||||| "MBAMProtector" (MBAMProtector) "Malwarebytes Corporation" C:\WINDOWS\system32\drivers\mbam.sys File exists
"mbr" (mbr) C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\mbr.sys Hidden registry entry, rootkit activity | File not found
|| "ntk_PowerDVD" (ntk_PowerDVD) "Cyberlink Corp." C:\Program Files\CyberLink\PowerDVD11\Kernel\DMP\ntk_PowerDVD.sys File exists
|||||| "PfModNT" (PfModNT) "Creative Technology Ltd." C:\WINDOWS\system32\PfModNT.sys File exists
|||||| "Power Control [2012/02/12 13:50:04]" ({329F96B6-DF1E-4328-BFDA-39EA953C1312}) C:\Program Files\CyberLink\PowerDVD11\Common\NavFilter\000.fcl File exists
|||||| "PxHelp20" (PxHelp20) "Sonic Solutions" C:\WINDOWS\System32\Drivers\PxHelp20.sys File exists
|||||| "sptd" (sptd) "Duplex Secure Ltd." C:\WINDOWS\System32\Drivers\sptd.sys File is exclusively opened, access blocked
|||||| "StarOpen" (StarOpen) C:\WINDOWS\system32\drivers\StarOpen.sys File found, but it contains no detailed information
|||||| "VIA USB Host Controller Lower Filter" (vulfnths) "VIA Technologies, Inc." C:\WINDOWS\System32\Drivers\vulfnth.sys File exists
|||||| "VIA USB Roothub Lower Filter" (vulfntrs) "VIA Technologies, Inc." C:\WINDOWS\System32\Drivers\vulfntr.sys File exists
"vsdatant" (Vsdatant) "Check Point Software Technologies LTD" C:\WINDOWS\System32\vsdatant.sys File exists
"WRkrn" (WRkrn) C:\WINDOWS\System32\drivers\WRkrn.sys File not found
Explorer
HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components
|||||| {89B4C1CD-B018-4511-B0A1-5476DBF70820} "StubPath" "Microsoft Corporation" C:\WINDOWS\system32\Rundll32.exe C:\WINDOWS\system32\mscories.dll,Install File exists
HKLM\Software\Classes\Folder\shellex\ColumnHandlers
|||||| {F9DB5320-233E-11D1-9F84-707F02C10627} "PDF Shell Extension" "Adobe Systems, Inc." C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\PDFShell.dll File exists
HKLM\Software\Classes\Protocols\Filter
|||||| {1E66F26B-79EE-11D2-8710-00C04F79ED0D} "Cor MIME Filter, CorFltr, CorFltr 1" "Microsoft Corporation" C:\WINDOWS\system32\mscoree.dll File exists
|||||| {1E66F26B-79EE-11D2-8710-00C04F79ED0D} "Cor MIME Filter, CorFltr, CorFltr 1" "Microsoft Corporation" C:\WINDOWS\system32\mscoree.dll File exists
|||||| {1E66F26B-79EE-11D2-8710-00C04F79ED0D} "Cor MIME Filter, CorFltr, CorFltr 1" "Microsoft Corporation" C:\WINDOWS\system32\mscoree.dll File exists
|||||| {807573E5-5146-11D5-A672-00B0D022E945} "Microsoft Office InfoPath XML Mime Filter" "Microsoft Corporation" C:\Program Files\Common Files\Microsoft Shared\OFFICE14\MSOXMLMF.DLL File exists
HKLM\Software\Classes\Protocols\Handler
|||||| {314111c7-a502-11d2-bbca-00c04f8ec294} "HxProtocol Class" "Microsoft Corporation" C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll File exists
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks
|||||| {B5A7F190-DDA6-4420-B3BA-52453494E6CD} "Groove GFS Stub Execution Hook" "Microsoft Corporation" C:\PROGRA~1\MICROS~3\Office14\GROOVEEX.DLL File exists
HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved
{1F25C6E4-E60D-421A-863F-D0C76F6AB211} "BullGuard Backup" File not found | COM-object registry key not found
{9458E603-FF43-4134-9036-04B4C71791E3} "BullGuard Backup" File not found | COM-object registry key not found
|||||| {D66DC78C-4F61-447F-942B-3FB6980118CF} "CInfoTipShellExt Class" "Microsoft Corporation" C:\Program Files\Microsoft Office\Office14\VISSHE.DLL File exists
{42071714-76d4-11d1-8b24-00a0c9068ff3} "Display Panning CPL Extension" deskpan.dll File not found
{853FE2B1-B769-11d0-9C4E-00C04FB6C6FA} "Encryption Context Menu" File not found | COM-object registry key not found
|||||| {bc5e1455-02ca-4b30-8eed-91d52a38da75} "FineReader10.FRContextMenu.1" "ABBYY." C:\Program Files\ABBYY FineReader 10\FRIntegration.dll File exists
|||||| {1D2680C9-0E2A-469d-B787-065558BC7D43} "Fusion Cache" "Microsoft Corporation" C:\WINDOWS\system32\mscoree.dll File exists
|||||| {99FD978C-D287-4F50-827F-B2C658EDA8E7} "Groove Explorer Icon Overlay 1 (GFS Unread Stub)" "Microsoft Corporation" C:\PROGRA~1\MICROS~3\Office14\GROOVEEX.DLL File exists
|||||| {AB5C5600-7E6E-4B06-9197-9ECEF74D31CC} "Groove Explorer Icon Overlay 2 (GFS Stub)" "Microsoft Corporation" C:\PROGRA~1\MICROS~3\Office14\GROOVEEX.DLL File exists
|||||| {920E6DB1-9907-4370-B3A0-BAFC03D81399} "Groove Explorer Icon Overlay 2.5 (GFS Unread Folder)" "Microsoft Corporation" C:\PROGRA~1\MICROS~3\Office14\GROOVEEX.DLL File exists
|||||| {16F3DD56-1AF5-4347-846D-7C10C4192619} "Groove Explorer Icon Overlay 3 (GFS Folder)" "Microsoft Corporation" C:\PROGRA~1\MICROS~3\Office14\GROOVEEX.DLL File exists
|||||| {2916C86E-86A6-43FE-8112-43ABE6BF8DCC} "Groove Explorer Icon Overlay 4 (GFS Unread Mark)" "Microsoft Corporation" C:\PROGRA~1\MICROS~3\Office14\GROOVEEX.DLL File exists
|||||| {2A541AE1-5BF6-4665-A8A3-CFA9672E4291} "Groove Folder Synchronization" "Microsoft Corporation" C:\PROGRA~1\MICROS~3\Office14\GROOVEEX.DLL File exists
|||||| {72853161-30C5-4D22-B7F9-0BBC1D38A37E} "Groove GFS Browser Helper" "Microsoft Corporation" C:\PROGRA~1\MICROS~3\Office14\GROOVEEX.DLL File exists
|||||| {6C467336-8281-4E60-8204-430CED96822D} "Groove GFS Context Menu Handler" "Microsoft Corporation" C:\PROGRA~1\MICROS~3\Office14\GROOVEEX.DLL File exists
|||||| {B5A7F190-DDA6-4420-B3BA-52453494E6CD} "Groove GFS Stub Execution Hook" "Microsoft Corporation" C:\PROGRA~1\MICROS~3\Office14\GROOVEEX.DLL File exists
|||||| {A449600E-1DC6-4232-B948-9BD794D62056} "Groove GFS Stub Icon Handler" "Microsoft Corporation" C:\PROGRA~1\MICROS~3\Office14\GROOVEEX.DLL File exists
|||||| {387E725D-DC16-4D76-B310-2C93ED4752A0} "Groove XML Icon Handler" "Microsoft Corporation" C:\PROGRA~1\MICROS~3\Office14\GROOVEEX.DLL File exists
|||||| {506F4668-F13E-4AA1-BB04-B43203AB3CC0} "ImageExtractorShellExt Class" "Microsoft Corporation" C:\Program Files\Microsoft Office\Office14\VISSHE.DLL File exists
|||||| {42042206-2D85-11D3-8CFF-005004838597} "Microsoft Office HTML Icon Handler" "Microsoft Corporation" C:\Program Files\Microsoft Office\Office14\msohevi.dll File exists
|||||| {993BE281-6695-4BA5-8A2A-7AACBFAAB69E} "Microsoft Office Metadata Handler" "Microsoft Corporation" C:\Program Files\Common Files\Microsoft Shared\OFFICE14\msoshext.dll File exists
|||||| {C41662BB-1FA0-4CE0-8DC5-9B7F8279FF97} "Microsoft Office Thumbnail Handler" "Microsoft Corporation" C:\Program Files\Common Files\Microsoft Shared\OFFICE14\msoshext.dll File exists
|||||| {0875DCB6-C686-4243-9432-ADCCF0B9F2D7} "Microsoft OneNote Namespace Extension for Windows Desktop Search" "Microsoft Corporation" C:\Program Files\Microsoft Office\Office14\ONFILTER.DLL File exists
|||||| {00020D75-0000-0000-C000-000000000046} "Microsoft Outlook" "Microsoft Corporation" C:\PROGRA~1\MICROS~3\Office14\MLSHEXT.DLL File exists
|||||| {416651E4-9C3C-11D9-8BDE-F66BAD1E3F3A} "Nokia Phone Browser" "Nokia" C:\Program Files\Nokia\Nokia PC Suite 7\phonebrowser.dll File exists
|||||| {48EAD1E1-ECF2-4a85-AA09-1C44FBEED451} "OODShellExtObj Class" "O&O Software GmbH" C:\PROGRA~1\OOSOFT~1\Defrag\oodsh.dll File exists
|||||| {0006F045-0000-0000-C000-000000000046} "Outlook File Icon Extension" "Microsoft Corporation" C:\Program Files\Microsoft Office\Office14\OLKFSTUB.DLL File exists
{764BF0E1-F219-11ce-972D-00AA00A14F56} "Shell extensions for file compression" File not found | COM-object registry key not found
|||||| {E37E2028-CE1A-4f42-AF05-6CEABC4E5D75} "Shell Icon Handler for Application References" "Microsoft Corporation" C:\WINDOWS\system32\dfshim.dll File exists
|||||| {e82a2d71-5b2f-43a0-97b8-81be15854de8} "ShellLink for Application References" "Microsoft Corporation" C:\WINDOWS\system32\dfshim.dll File exists
|||||| {BDEADF00-C265-11D0-BCED-00A0C90AB50F} "Web Folders" "Microsoft Corporation" C:\Program Files\Common Files\Microsoft Shared\Web Folders\MSONSEXT.DLL File exists
|||||| {B41DB860-8EE4-11D2-9906-E49FADC173CA} "WinRAR" "Alexander Roshal" C:\Program Files\WinRAR\rarext.dll File exists
|||||| {3D60EDA7-9AB4-4DA8-864C-D9B5F2E7281D} "Workspaces" "Microsoft Corporation" C:\PROGRA~1\MICROS~3\Office14\GROOVEEX.DLL File exists
Internet Explorer
HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser
"ITBarLayout" File not found | COM-object registry key not found
"{EE2AC4E5-B0B0-4EC6-88A9-BCA1A32AB107}" File not found | COM-object registry key not found
HKCU\Software\Microsoft\Internet Explorer\URLSearchHooks
{c95a4e8e-816d-4655-8c79-d736da1adb6d} "{c95a4e8e-816d-4655-8c79-d736da1adb6d}" File not found | COM-object registry key not found
HKLM\SOFTWARE\Microsoft\Code Store Database\Distribution Units
|||| {8AD9C840-044E-11D1-B3E9-00805F499D93} "Java Plug-in 1.6.0_31"
http://java.sun.com/update/1.6...tall-1_6_0_31-windows-i586.cab "Sun Microsystems, Inc." C:\Program Files\Java\jre6\bin\npjpi160_31.dll File exists
|||| {CAFEEFAC-0016-0000-0031-ABCDEFFEDCBA} "Java Plug-in 1.6.0_31"
http://java.sun.com/update/1.6...tall-1_6_0_31-windows-i586.cab "Sun Microsystems, Inc." C:\Program Files\Java\jre6\bin\npjpi160_31.dll File exists
|||| {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} "Java Plug-in 1.6.0_31"
http://java.sun.com/update/1.6...tall-1_6_0_31-windows-i586.cab "Sun Microsystems, Inc." C:\Program Files\Java\jre6\bin\npjpi160_31.dll File exists
HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions
|||||| {FFFDC614-B694-4AE6-AB38-5D6374584B52} "OneNote Lin&ked Notes" "Microsoft Corporation" C:\Program Files\Microsoft Office\Office14\ONBttnIELinkedNotes.dll File exists
|||| {48E73304-E1D6-4330-914C-F5F514E3486C} "Send to OneNote" "Microsoft Corporation" C:\Program Files\Microsoft Office\Office14\ONBttnIE.dll File exists
HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar
{c95a4e8e-816d-4655-8c79-d736da1adb6d} "Hotspot Shield Toolbar" File not found | COM-object registry key not found
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects
|||||| {18DF081C-E8AD-4283-A596-FA578C2EBDC3} "Adobe PDF Link Helper" "Adobe Systems Incorporated" C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll File exists
|||||| {72853161-30C5-4D22-B7F9-0BBC1D38A37E} "Groove GFS Browser Helper" "Microsoft Corporation" C:\PROGRA~1\MICROS~3\Office14\GROOVEEX.DLL File exists
|||| {DBC80044-A445-435b-BC74-9C25C1C588A9} "Java(tm) Plug-In 2 SSV Helper" "Sun Microsystems, Inc." C:\Program Files\Java\jre6\bin\jp2ssv.dll File exists
|||| {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} "Java(tm) Plug-In SSV Helper" "Sun Microsystems, Inc." C:\Program Files\Java\jre6\bin\ssv.dll File exists
{E7E6F031-17CE-4C07-BC86-EABFE594F69C} "JQSIEStartDetectorImpl Class" "Sun Microsystems, Inc." C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll File exists
|||||| {B4F3A835-0E21-4959-BA22-42B3008E02FF} "Office Document Cache Handler" "Microsoft Corporation" C:\PROGRA~1\MICROS~3\Office14\URLREDIR.DLL File exists
{326E768D-4182-46FD-9C16-1449A49795F4} "{326E768D-4182-46FD-9C16-1449A49795F4}" File not found | COM-object registry key not found
{c95a4e8e-816d-4655-8c79-d736da1adb6d} "{c95a4e8e-816d-4655-8c79-d736da1adb6d}" File not found | COM-object registry key not found
Logon
%AllUsersProfile%\Start Menu\Programs\Startup
|||||| "desktop.ini" C:\Documents and Settings\All Users\Start Menu\Programs\Startup\desktop.ini File exists
%UserProfile%\Start Menu\Programs\Startup
|||||| "desktop.ini" C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\desktop.ini File exists
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
|| "MCShield Monitor" "MyCity" C:\Program Files\MCShield\mcshieldrtm.exe File exists
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
|||||| "Malwarebytes' Anti-Malware" "Malwarebytes Corporation" "C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray File exists
|||| "OODefragTray" "O&O Software GmbH" C:\WINDOWS\system32\oodtray.exe File exists
"ZoneAlarm" "Check Point Software Technologies LTD" C:\Program Files\CheckPoint\ZoneAlarm\zatray.exe File exists
Services
HKLM\SYSTEM\CurrentControlSet\Services
|||||| ".NET Runtime Optimization Service v2.0.50727_X86" (clr_optimization_v2.0.50727_32) "Microsoft Corporation" c:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe File exists
|||||| "ABBYY FineReader 10 PE Licensing Service" (ABBYY.Licensing.FineReader.Professional.10.0) "ABBYY" C:\Program Files\Common Files\ABBYY\FineReader\10.00\Licensing\PE\NetworkLicenseServer.exe File exists
|||||| "ASP.NET State Service" (aspnet_state) "Microsoft Corporation" C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\aspnet_state.exe File exists
|||||| "Ati HotKey Poller" (Ati HotKey Poller) "ATI Technologies Inc." C:\WINDOWS\system32\Ati2evxx.exe File exists
|||||| "ATK Keyboard Service" (ATKKeyboardService) "ASUSTeK COMPUTER INC." C:\WINDOWS\ATKKBService.exe File exists
|||||| "CLHNServiceForPowerDVD" (CLHNServiceForPowerDVD) C:\Program Files\CyberLink\PowerDVD11\Kernel\DMP\CLHNServiceForPowerDVD.exe File exists
|||||| "CyberLink PowerDVD 11.0 Monitor Service" (CyberLink PowerDVD 11.0 Monitor Service) "CyberLink" C:\Program Files\CyberLink\PowerDVD11\Common\MediaServer\CLMSMonitorService.exe File exists
|||||| "CyberLink PowerDVD 11.0 Service" (CyberLink PowerDVD 11.0 Service) "CyberLink" C:\Program Files\CyberLink\PowerDVD11\Common\MediaServer\CLMSServer.exe File exists
"F-Secure Anti-Virus Firewall Daemon" (FSDFWD) "F-Secure Corporation" C:\Program Files\F-Secure\apps\ComputerSecurity\FWES\Program\fsdfwd.exe File exists
"F-Secure Dll Hoster" (fshoster) "F-Secure Corporation" C:\Program Files\F-Secure\fshoster32.exe File exists
"F-Secure Management Agent" (FSMA) "F-Secure Corporation" C:\Program Files\F-Secure\apps\ComputerSecurity\Common\FSMA32.EXE File exists
|||| "InstallDriver Table Manager" (IDriverT) "Macrovision Corporation" C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe File exists
"Java Quick Starter" (JavaQuickStarterService) "Sun Microsystems, Inc." C:\Program Files\Java\jre6\bin\jqs.exe File exists
|||||| "MBAMService" (MBAMService) "Malwarebytes Corporation" C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe File exists
|||||| "Microsoft .NET Framework NGEN v4.0.30319_X86" (clr_optimization_v4.0.30319_32) "Microsoft Corporation" C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe File exists
|||||| "Microsoft SharePoint Workspace Audit Service" (Microsoft SharePoint Workspace Audit Service) "Microsoft Corporation" C:\Program Files\Microsoft Office\Office14\GROOVE.EXE File exists
|||||| "NMSAccess" (NMSAccess) C:\Program Files\CDBurnerXP\NMSAccessU.exe File found, but it contains no detailed information
|||||| "O&O Defrag" (O&O Defrag) "O&O Software GmbH" C:\WINDOWS\system32\oodag.exe File exists
|||||| "Office Source Engine" (ose) "Microsoft Corporation" C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE File exists
|||||| "Office Software Protection Platform" (osppsvc) "Microsoft Corporation" C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE File exists
|||||| "ServiceLayer" (ServiceLayer) "Nokia." C:\Program Files\PC Connectivity Solution\ServiceLayer.exe File exists
"TrueVector Internet Monitor" (vsmon) "Check Point Software Technologies LTD" C:\Program Files\CheckPoint\ZoneAlarm\vsmon.exe File exists
|||||| "Windows Presentation Foundation Font Cache 4.0.0.0" (WPFFontCache_v0400) "Microsoft Corporation" C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe File exists
"WRSVC" (WRSVC) "C:\Program Files\Webroot\WRSA.exe" -service File not found
Winlogon
HKCU\Control Panel\IOProcs
"MVB" mvfs32.dll File not found
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
|||||| "AtiExtEvent" "ATI Technologies Inc." C:\WINDOWS\system32\Ati2evxx.dll File exists

If You have questions or want to get some help, You can visit http://forum.online-solutions.ru
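The report above is what a responder would read by eye: a driver entry hidden from the registry API ("ap9hgl9g"), a hidden "mbr" driver pointing into a Temp directory, and a few autostart entries whose files no longer exist. As an added example (not part of this thread and not an OSAM feature), here is a small parser for that plain-text report format that applies those same checks. The sample lines are copied from the posted report; the severity labels and the "random-looking name" pattern are this example's own assumptions, not vendor signatures.

```python
"""Triage an OSAM Autorun Manager text report for rootkit indicators.

Added example for this thread; it is not part of OSAM, of the forum post, or of
any vendor tool. It parses the plain-text report format shown above and applies
the checks a responder would otherwise do by eye. SAMPLE_REPORT is copied from
the posted report; the severities and the "random-looking name" heuristic are
this example's own assumptions.
"""
import re
from dataclasses import dataclass, field

# Status text OSAM appends to each entry; everything before it is name/publisher/path.
STATUS_RE = re.compile(
    r"(?P<status>Hidden registry entry.*|File (?:exists|not found|is exclusively|found, but).*)$"
)
# Entry line: optional risk bars, optional CLSID, quoted name, optional (ShortName), remainder.
ENTRY_RE = re.compile(
    r'^\s*(?:\|+\s*)?(?:\{[^}]+\}\s*)?"(?P<name>[^"]+)"(?:\s*\((?P<short>[^)]+)\))?\s*(?P<rest>.*)$'
)
# A quoted publisher never contains a backslash; a quoted path does.
PUBLISHER_RE = re.compile(r'^"(?P<pub>[^"\\]+)"\s*(?P<rest>.*)$')
# Heuristic (assumption): 6-10 lowercase letters/digits with >=2 digits and >=3 letters,
# e.g. ap9hgl9g or ali4eyw1, is typical of generated malware service names.
RANDOM_NAME_RE = re.compile(r"^(?=(?:[a-z]*\d){2})(?=(?:\d*[a-z]){3})[a-z0-9]{6,10}$")
AUTOSTART_CODE = ("Drivers", "Services", "Boot Execute", "Logon", "Winlogon")

# Constructed sample: lines copied from the OSAM report posted in the thread.
SAMPLE_REPORT = r"""
Drivers
HKLM\SYSTEM\CurrentControlSet\Services
|||||| "Anchorfree HSS Adapter" (taphss) "AnchorFree Inc" C:\WINDOWS\System32\DRIVERS\taphss.sys File exists
|||||| "ap9hgl9g" (ap9hgl9g) "Microsoft Corporation" C:\WINDOWS\system32\drivers\ap9hgl9g.sys Hidden registry entry, rootkit activity | File signed by Microsoft
"mbr" (mbr) C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\mbr.sys Hidden registry entry, rootkit activity | File not found
|||||| "sptd" (sptd) "Duplex Secure Ltd." C:\WINDOWS\System32\Drivers\sptd.sys File is exclusively opened, access blocked
"WRkrn" (WRkrn) C:\WINDOWS\System32\drivers\WRkrn.sys File not found
Services
HKLM\SYSTEM\CurrentControlSet\Services
"WRSVC" (WRSVC) "C:\Program Files\Webroot\WRSA.exe" -service File not found
Logon
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
"ZoneAlarm" "Check Point Software Technologies LTD" C:\Program Files\CheckPoint\ZoneAlarm\zatray.exe File exists
"""


@dataclass
class Entry:
    section: str
    name: str
    short: str
    publisher: str
    path: str
    status: str
    findings: list = field(default_factory=list)


def parse_report(text):
    """Return Entry objects; headers and registry-key lines carry no status and are skipped."""
    entries, section = [], ""
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if '"' not in line and "\\" not in line:
            section = line  # e.g. "Drivers", "Services", "Logon"
            continue
        m = ENTRY_RE.match(line)
        if not m:
            continue
        s = STATUS_RE.search(m.group("rest"))
        if not s:
            continue  # continuation line without a status column
        body = m.group("rest")[: s.start()].strip()
        p = PUBLISHER_RE.match(body)
        publisher, path = (p.group("pub"), p.group("rest")) if p else ("", body)
        entries.append(Entry(section, m.group("name"), m.group("short") or m.group("name"),
                             publisher, path.strip(), s.group("status").strip()))
    return entries


def triage(entry):
    """Attach findings to one entry; the severity labels are this example's convention."""
    f = entry.findings
    if "Hidden registry entry" in entry.status:
        f.append("HIGH: entry is hidden from the registry API (rootkit hiding)")
    if entry.section in AUTOSTART_CODE:
        if "File not found" in entry.status:
            f.append("MEDIUM: autostart entry points at a missing file (orphan or deleted payload)")
        if re.search(r"\\temp\\", entry.path, re.I):
            f.append("MEDIUM: autostart code located under a Temp directory")
        if RANDOM_NAME_RE.match(entry.short):
            f.append("MEDIUM: random-looking service/driver name")
        if "exclusively opened" in entry.status:
            f.append("INFO: file locked against reading; disc emulators (sptd) do this, verify the vendor")
    return f


def find_indicators(text):
    """Return {short_name: [findings]} for every flagged entry, worst severity first."""
    order = {"HIGH": 0, "MEDIUM": 1, "INFO": 2}
    flagged = [e for e in parse_report(text) if triage(e)]
    flagged.sort(key=lambda e: min(order[x.split(":")[0]] for x in e.findings))
    return {e.short: e.findings for e in flagged}


if __name__ == "__main__":
    for short, findings in find_indicators(SAMPLE_REPORT).items():
        print(short)
        for finding in findings:
            print("   ", finding)
```

Run it directly to print the flagged entries for the sample; feed the whole saved OSAM text report to find_indicators() for a real case. The point of the heuristics is ordering, not verdicts: a hidden registry entry is worth acting on regardless of what the file signature claims, a missing file under Drivers or Services is usually a leftover from an uninstall but still needs to be cleaned, and an exclusively opened file is normal for sptd but would be suspicious for a driver nobody installed.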



[ Aleksandar Maletic @ 23.02.2012. 12:31 ] @
You didn't follow the instructions; I told you to attach the .html log. Attach it with a new post.
Run the analysis again and when the process finishes click Save Log. Save it to the Desktop, then attach it here.
[ mirotovorac @ 23.02.2012. 13:26 ] @
Oh no, look what it did
[ Aleksandar Maletic @ 23.02.2012. 14:55 ] @
It's a rootkit. Turn off System Restore. Right-click the Computer icon, then Properties.
In the list on the left choose System Properties.
Under the System Protection tab select Local Disk C and click Configure.
Select the option Turn off system protection and confirm with OK.

Download Kaspersky Virus Removal Tool.
Restart Windows and keep pressing F8.
In the menu choose Safe Mode.
Run Kaspersky Virus Removal Tool 2011.
Tick "I accept the license agreement" and click Start.
When the program starts, choose Settings and under the Scan scope tab tick all objects.
Under the Action tab select Select action and check that these options are ticked:
*Disinfect;
*Delete if disinfection fails;

Then in the top left corner choose the Automatic Scan tab.
Click Start scanning to start the scan.
The process will take a while. After the scan finishes, restart Windows.


[ mirotovorac @ 23.02.2012. 18:54 ] @
It mostly shows files similar to this one

7.TMP TROJAN.AGENT
[ Aleksandar Maletic @ 23.02.2012. 20:07 ] @
Delete everything with that tool. After that provide a new log: run OSAM Autorun Manager again and do the analysis.
[ mirotovorac @ 26.02.2012. 10:45 ] @
Hi!
I got rid of the virus, but not with Kaspersky alone, because it tormented me for two days. Whenever it passed 60% the computer would reset and I had to start the scan over from the beginning.

Then I also activated Malwarebytes; with it I managed to remove the other viruses, and the main one I managed to remove with the help of this link http://www.youtube.com/watch?v=yzZNcmOnjYA.

With Kaspersky I found all the viruses, as with Malwarebytes, but I just don't understand why they couldn't remove them from the computer.
I could kill them as processes, but on a reset they would appear again.

aadrive32.exe
zabero
trojan.win32.Jorik.Tedroo.uv
pxdcdr.exe

Although it isn't clear to me why the last one is a virus.

I don't understand the process ali4eyw1, it is nowhere in the directory.


Thanks for the help!