[ nugi @ 15.04.2009. 21:18 ] @
When the computer starts I get the message mom.exe Application error. The description reads: the application failed to initialize properly (0xc00007b). Click on OK to terminate the application.
Poking around the net I found out that my computer is supposedly infected with the Klez worm. I downloaded its remover but it found nothing; I installed Norton Internet Security, and it didn't solve the problem either. I tried Spybot and Anti-Malware, but the problem remains.
Is it definitely a virus problem, or am I missing some application that was wiped out by a registry cleaner or something else?
Is this even a problem I should worry about, or should I just ignore it and press OK every time I start the computer?
[ Take 5 @ 16.04.2009. 08:19 ] @
Quote:
nugi: ...or should I just ignore it and press OK every time I start the computer?

The logical thing would be to delete the entry in the registry where it is recorded that mom.exe starts with Windows, so it won't bother you anymore (if you've already successfully cleaned it out of the system)

PS
You posted in the wrong forum!
;)

[This message was edited by Take 5 on 16.04.2009. at 09:40 GMT+1]
[ Nemanja Živanović @ 16.04.2009. 15:37 ] @
To start with, download the program HijackThis.

When you download it, rename the file to anything, e.g. blabla.exe. Run it and click on "Do a system scan and save a logfile". Paste that log file here so we can take a look.

Note: If the instructions aren't entirely clear, see this link.
[ nugi @ 16.04.2009. 21:21 ] @
I know I posted in the wrong section and I apologize!
The log you asked for looks like this:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 22:10:16, on 16.4.2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
C:\Program Files\T-Com Antidialer\T-Com Antidialer.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Norton Internet Security\Engine\16.1.0.33\ccSvcHst.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Norton Internet Security\Engine\16.1.0.33\ccSvcHst.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\msiexec.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.hr/
R3 - URLSearchHook: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe
O2 - BHO: (no name) - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Symantec NCO BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Norton Internet Security\Engine\16.1.0.33\coIEPlg.dll
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files\Norton Internet Security\Engine\16.1.0.33\IPSBHO.DLL
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O3 - Toolbar: Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Norton Internet Security\Engine\16.1.0.33\coIEPlg.dll
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
O4 - HKLM\..\Run: [tcomantidialerrun] C:\Program Files\T-Com Antidialer\T-Com Antidialer.exe
O4 - HKCU\..\Run: [ccleaner] "C:\Program Files\CCleaner\ccleaner.exe" /AUTO
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O20 - AppInit_DLLs: sysdiag.dll,c:\progra~1\ThunMail\testabd.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Norton Internet Security - Symantec Corporation - C:\Program Files\Norton Internet Security\Engine\16.1.0.33\ccSvcHst.exe

--
End of file - 4719 bytes
[ Nemanja Živanović @ 16.04.2009. 22:30 ] @
Let's first clean the unnecessary items out of startup. Open HijackThis again and choose Do a system scan only. Tick the following lines:

O2 - BHO: (no name) - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - (no file)
O3 - Toolbar: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O20 - AppInit_DLLs: sysdiag.dll,c:\progra~1\ThunMail\testabd.dll


When you've ticked the listed entries, press Fix checked and restart the computer. After the restart do the following:

• Download and install the program Malwarebytes' Anti-Malware
• Run it and update it (Update > Check for Updates), and when it finishes confirm with OK
• After the update choose Scanner, select Perform full scan and press Scan
• When the scan finishes press OK, then Show Results to see the report.
• Check that all found files are ticked (if not, select them), press Remove Selected and confirm with OK
• The program will ask you to restart the computer; confirm it
• Also, after the malware has been removed from the computer you will get a log file (report), which you will paste here
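An added example, not from the thread or from HijackThis itself: a small Python triage over lines in the HijackThis log format shown above, reproducing the two criteria behind the entries ticked in this post, values listed under O20 AppInit_DLLs and dead "(no file)" / "(file missing)" references. The sample lines are copied from the log posted above; the function names and reason strings are my own.

```python
import re

# Constructed sample: a handful of lines copied from the HijackThis log
# posted above, including header and process lines that are not entries.
SAMPLE_LOG_LINES = [
    r"Logfile of Trend Micro HijackThis v2.0.2",
    r"Running processes:",
    r"C:\WINDOWS\System32\smss.exe",
    r"R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.hr/",
    r"O2 - BHO: (no name) - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - (no file)",
    r"O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll",
    r"O3 - Toolbar: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)",
    r'O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun',
    r"O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)",
    r"O20 - AppInit_DLLs: sysdiag.dll,c:\progra~1\ThunMail\testabd.dll",
    r"O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe",
]
SAMPLE_LOG = "\n".join(SAMPLE_LOG_LINES)

# Every HijackThis entry starts with a section code such as R0, O2, O20, O23.
ENTRY_RE = re.compile(r"^(?P<section>[A-Z]\d{1,2}) - (?P<body>.*)$")


def parse_entries(log_text):
    """Return (section, body) pairs for entry lines; header and process lines are skipped."""
    entries = []
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group("section"), m.group("body")))
    return entries


def triage(log_text):
    """Return (section, body, reason) for entries worth a closer look.

    O20 AppInit_DLLs: each DLL named there is loaded into every process that
    links user32.dll, so an unfamiliar name here (the thread's testabd.dll)
    is a classic persistence location and deserves a lookup.
    "(no file)" / "(file missing)": the registry still references a target
    that is gone; harmless leftovers, but dead entries that can be removed.
    """
    findings = []
    for section, body in parse_entries(log_text):
        if section == "O20" and body.startswith("AppInit_DLLs:"):
            dlls = [d.strip() for d in body[len("AppInit_DLLs:"):].split(",") if d.strip()]
            for dll in dlls:
                findings.append((section, body, f"AppInit_DLLs loads {dll} into every user-mode process"))
        elif body.endswith("(no file)") or body.endswith("(file missing)"):
            findings.append((section, body, "orphaned entry: target file no longer exists"))
    return findings
```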
[ nugi @ 17.04.2009. 07:02 ] @
OK. I'm at work now, so I'll do it this evening after all my obligations.
Also, I already have the Malware program and have already updated and run it, but I'll follow the advice anyway!
[ Nemanja Živanović @ 17.04.2009. 09:19 ] @
OK. Skip MBAM then, just do the HijackThis part and after the restart post a new HijackThis log.
[ nugi @ 17.04.2009. 21:33 ] @
Here, I've just done the HijackThis part, but I updated the malware program anyway and have just run it to be safe, so while that runs, here's the log file:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 22:23:52, on 17.4.2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\Program Files\T-Com Antidialer\T-Com Antidialer.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Norton Internet Security\Engine\16.1.0.33\ccSvcHst.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Norton Internet Security\Engine\16.1.0.33\ccSvcHst.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.hr/
R3 - URLSearchHook: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Symantec NCO BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Norton Internet Security\Engine\16.1.0.33\coIEPlg.dll
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files\Norton Internet Security\Engine\16.1.0.33\IPSBHO.DLL
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Norton Internet Security\Engine\16.1.0.33\coIEPlg.dll
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
O4 - HKLM\..\Run: [tcomantidialerrun] C:\Program Files\T-Com Antidialer\T-Com Antidialer.exe
O4 - HKCU\..\Run: [ccleaner] "C:\Program Files\CCleaner\ccleaner.exe" /AUTO
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Norton Internet Security - Symantec Corporation - C:\Program Files\Norton Internet Security\Engine\16.1.0.33\ccSvcHst.exe

--
End of file - 4387 bytes
[ Nemanja Živanović @ 17.04.2009. 21:35 ] @
OK. Attach the report you get at the end of the scan as well, so I can see what to do next.
[ nugi @ 17.04.2009. 22:23 ] @
Here:

17.4.2009 23:15:40
mbam-log-2009-04-17 (23-15-40).txt

Tip provjere: Kompletna Provjera (C:\|F:\|)
Provjerenih objekata: 160918
Vrijeme trajanja: 49 minute(s), 50 second(s)

Zaraženi procesi u memoriji: 0
Zaraženi moduli u memoriji: 0
Zaraženi ključevi u registru: 0
Zaražene vrijednosti u registru: 0
Zaraženi podaci u registru: 0
Zaraženi spremnici: 1
Zaražene datoteke: 3

Zaraženi procesi u memoriji:
(Zloćudne stavke nisu otkrivene)

Zaraženi moduli u memoriji:
(Zloćudne stavke nisu otkrivene)

Zaraženi ključevi u registru:
(Zloćudne stavke nisu otkrivene)

Zaražene vrijednosti u registru:
(Zloćudne stavke nisu otkrivene)

Zaraženi podaci u registru:
(Zloćudne stavke nisu otkrivene)

Zaraženi spremnici:
C:\Program Files\ThunMail (Spyware.OnlineGamer) -> Quarantined and deleted successfully.

Zaražene datoteke:
C:\Program Files\ThunMail\testabd.dll (PassThief.WoW) -> Quarantined and deleted successfully.
C:\Program Files\ThunMail\testabd.ex_ (Trojan.Agent2) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{D0A33D74-D644-4BF3-B1C1-FCC877128385}\RP202\A0049311.exe (Trojan.Agent2) -> Quarantined and deleted successfully.
[ Nemanja Živanović @ 17.04.2009. 22:32 ] @
I assume the situation is still the same? Temporarily disable all protection. Right-click the Norton icon -> then "Disable Auto-Protect."

Download ComboFix to the Desktop. Run it and don't touch the program window while it scans. Follow the instructions the program gives you. When the scanning process finishes, a report will appear which you will paste here. If you accidentally close the report, it is located at C:\ComboFix.txt.

Note: If the instructions aren't entirely clear, see this link.
[ nugi @ 17.04.2009. 22:38 ] @
Thanks for everything tonight, I have to shut down the PC because of the kids; tomorrow morning I'll do it and send the report. Unfortunately every scan takes a lot of time!
Good night!
[ nugi @ 18.04.2009. 08:17 ] @
Report attached to the message.

[This message was edited by Nemanja Živanović on 18.04.2009. at 11:39 GMT+1]
[ Nemanja Živanović @ 18.04.2009. 09:05 ] @
While I look at this report, tell me what the situation is now?
[ nugi @ 18.04.2009. 09:17 ] @
The same!
[ Nemanja Živanović @ 18.04.2009. 09:25 ] @
Let's try something. Uninstall the graphics card drivers, then download new ones from the ATI site and install them. Also download and install Microsoft .NET Framework 2.0. When you've done all that, report whether that error appears again.
[ nugi @ 18.04.2009. 09:43 ] @
I've already tried that, but I'll try again; I'll be away for a few hours, so I'll report back when I've done everything!
[ Nemanja Živanović @ 18.04.2009. 10:35 ] @
There are no traces of malware here. Let's uninstall ComboFix:

Open Start > Run and type combofix /u

The program will uninstall itself automatically. Don't forget to turn all protection back on, since you disabled it for this program to work. The problem is not caused by a virus, so this topic will be moved to the Windows desktop forum. I suggest you do what I wrote in the previous message, and I'll repeat it now:

• First remove the old graphics drivers (Control Panel — Add/Remove Programs — find the ATI / ATI Control Center drivers and the like there) and after uninstalling restart the computer
• Now install new graphics drivers from the official ATI site and restart the computer
• After the restart, download and install Microsoft .NET Framework 2.0 (you'll see a Download button; click it to download)
• After this installation restart the computer, and report what the situation with the computer is now
[ nugi @ 18.04.2009. 14:46 ] @
Solved!
Well done, master!
Last time I only did a repair of the ATI drivers, but I didn't uninstall them and reinstall them.
All praise to the moderator and the whole forum!
[ Nemanja Živanović @ 18.04.2009. 14:56 ] @
Glad we solved the problem. Thanks for the kind words, we're here to help each other.

Best regards to you.