Verovatno je virus.

U ".txt" fajl dodajte

i sacuvajte kao restoreHF.reg i pokrenite.

Posle toga skinite program HijackThis.
Kada ga preuzmete, preimenujte fajl u bilo sta, npr. “destruct0.exe”. Pokrenite ga i kliknite “Do a system scan and save a logfile”. Taj log iskopirajte ovde.

Možda se nekome to desilo, pa zna u čemu je fazon, ali ja bih na tvom mestu prvo instalirao TotalCommander pa probao iz njega da vidim hidden files. Ako ni s njim neće, onda dalje širimo priču.

^ Savet koji je dao Dashkes bi trebalo da završi posao, a od toga što TC može / ne može da prikaže hidden fajlove ovde baš i nije neka pomoć.
Nedavno sam čistio neki USB flash od virusa, koji je svim foderima dodeljivao atribut hidden / system i onda još isključivao mogućnost prikaza skrivenih i sistemskih fajlova. Potom je pravio lažne foldere kojima je uz originalni naziv dodavao i ekstenziju ".EXE"...
Srećom, uvoženjem reg fajla je sve ponovo proradilio, pomoću utility programčića "FileTools" sam brzo i jednostavno restovao atribute skrivenih foldera na njihove podrazumevane vrednosti... i onda se trajno se rešio gamadi!

e hvala puno, sacu da probam to da uradim sto si mi rekao...samo ne znam koluko cu biti uspjesan u tome!:)

izvini, ali samo ovo zadnje ne kapiram sto si mi rekao!!!
koji fajl da reimenujem u destruct0.exe???
i koji log da iskopiram gdje ovdje????

_{[Ovu poruku je menjao raboo_2 dana 18.06.2009. u 14:54 GMT+1]}

Verovatno se radilo o trojancu C:\Win\lsass.exe
Svaki folder u rootu drajva (USB memorija) je superhidden, a kreiran je istovetni exe fajl kao i folder koji je sakriven. Cak ima i ikonicu foldera i korisnik moze lako da se prevari i da klikne.
Znaci radi se o fajlu koji ima ikonicu foldera.

@raboo_2 HijackThis.exe u destruct0.exe
A postavices log koji dobijes kad pokrenes i skeniras sa HijackThis programom.

reimenovao sam, ali kad mi se instalira on se i dalje zove HijackThis!


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 15:57:09, on 18.6.2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16827)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\System Control Manager\MGSysCtrl.exe
C:\WINDOWS\BisonCam\BisonHK.exe
C:\WINDOWS\BisonCam\BsMnt.exe
C:\Program Files\TOSHIBA\Bluetooth Toshiba Stack\ItSecMng.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\Common Files\ACD Systems\EN\DevDetect.exe
C:\Program Files\Common Files\Nokia\MPlatform\NokiaMServer.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHid.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHsp.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\System Control Manager\edd.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\O2Micro Flash Memory Card Driver\o2flash.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe
C:\WINDOWS\System32\TUProgSt.exe
C:\Program Files\Nokia\PC Connectivity Solution\ServiceLayer.exe
C:\Program Files\Nokia\PC Connectivity Solution\Transports\NclUSBSrv.exe
C:\Program Files\Nokia\PC Connectivity Solution\Transports\NclRSSrv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Avira\AntiVir Desktop\avscan.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [MGSysCtrl] C:\Program Files\System Control Manager\MGSysCtrl.exe
O4 - HKLM\..\Run: [BisonHK] C:\WINDOWS\BisonCam\BisonHK.exe
O4 - HKLM\..\Run: [BsMnt] C:\WINDOWS\BisonCam\BsMnt.exe
O4 - HKLM\..\Run: [ITSecMng] %ProgramFiles%\TOSHIBA\Bluetooth Toshiba Stack\ItSecMng.exe /START
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKLM\..\Run: [Device Detector] DevDetect.exe -autorun
O4 - HKLM\..\Run: [NokiaMServer] C:\Program Files\Common Files\Nokia\MPlatform\NokiaMServer /watchfiles
O4 - HKLM\..\Run: [Nokia FastStart] "C:\Program Files\Nokia\Nokia Music\NokiaMusic.exe" /command:faststart
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [cdoosoft] C:\WINDOWS\system32\olhrwef.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Bluetooth Manager.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=58813
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/wi...t/wuweb_site.cab?1239123065441
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: SCM Driver Daemon (NishService) - Unknown owner - C:\Program Files\System Control Manager\edd.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: O2Micro Flash Memory Card Service (o2flash) - O2Micro International - C:\Program Files\O2Micro Flash Memory Card Driver\o2flash.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\Nokia\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: TOSHIBA Bluetooth Service - TOSHIBA CORPORATION - C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe
O23 - Service: TuneUp Drive Defrag Service (TuneUp.Defrag) - TuneUp Software - C:\WINDOWS\System32\TuneUpDefragService.exe
O23 - Service: TuneUp Program Statistics Service (TuneUp.ProgramStatisticsSvc) - TuneUp Software - C:\WINDOWS\System32\TUProgSt.exe
O23 - Service: TwonkyMedia - PacketVideo - C:\Program Files\Nokia\Nokia Home Media Server\Media Server\TwonkyMedia.exe

--
End of file - 7672 bytes

i sta sada????

Skini ovaj fajl na desktop, pokreni ga dvoklikom, yes pa ok. Restartuj racunar u safe mode. Ukljuci prikaz skrivenih fajlova i foldera.

1. Klikni Start taster (u levom donjem uglu).
2. Izaberi My Computer.
3. Selektuj Tools meni i klikni na Folder Options.
4. Selektuj View na vrhu, unutar Hidden files and folders grupe selektuj Show hidden files and folders.
5. Skini kvacicu sa Hide file extensions for known types.
6. Skini kvacicu sa Hide protected operating system files (recommended).
7. Klikni YES.
8. Klikni OK.

Nadji ovaj fajl i obrisi ga C:\WINDOWS\system32\olhrwef.exe

Stiklirajte sledece objekte i kliknite “Fix checked”
O4 - HKCU\..\Run: [cdoosoft] C:\WINDOWS\system32\olhrwef.exe

Ako mozete fajl
C:\WINDOWS\system32\olhrwef.exe
da zapakujete u ".rar"/".zip" sa password-om "virus", upload-ujete na Rapidshare i posaljete mi link preko PP.

ovako, uradio sam ovo sto mi je Dashkes rekao i nije bilo rezultata! a da zapakujem olhrwef.exe ne mogu jer ga ne vidim posto je sakriven!

a onda sam uradio sto je napisao kristi1 i opet nista....cak sam i obrisao olhrwef.exe preko total comandera i nista...

nece pa nece da se rijesi prokleti problem.ne znam sta da radim

ovo je upalilo kod mene:

Otvori TC, i vidi kako ti se ti direktorijumi zovu, a zatim

1)Open a command prompt (start | programs | accessories | command prompt)

2) use CD to go to where one of those folders are

3) type attrib -s -r -h <folder>, where folder is the name of the folder you want to unhide.

ajmo ovako:
1. Klikni desnim tasterom na ikonicu Avire u donjem desnom uglu ekrana i unistikliraj
AntiVir Guard Enable

2. po ovom uputstvu skini Combofix.
znaci skini ga na Desktop i pokreni ga,ostavi ga da odradi skeniranje,a na kraju ce izbaciti log,e taj log kopiraj ovde i svez HJT log
taj log mozes naci na sledecoj lokaciji: C:\ComboFix.txt

uradio sve kako ste rekli, i evo logova :



ComboFix 09-06-18.02 - Admin 19.06.2009 17:46.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3071.2638 [GMT 2:00]
Running from: c:\documents and settings\Admin\Desktop\ComboFix.exe
AV: AntiVir Desktop *On-access scanning disabled* (Outdated) {AD166499-45F9-482A-A743-FDD3350758C7}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\recycler\S-1-5-21-1129045522-63375168-1442165692-1003
c:\recycler\S-1-5-21-2645212208-1526584180-797298841-1003
C:\Autorun.inf
c:\recycler\S-1-5-21-1129045522-63375168-1442165692-1003\desktop.ini
c:\recycler\S-1-5-21-1129045522-63375168-1442165692-1003\INFO2
c:\recycler\S-1-5-21-2645212208-1526584180-797298841-1003\desktop.ini
c:\recycler\S-1-5-21-2645212208-1526584180-797298841-1003\INFO2
C:\sm.exe
c:\windows\system32\nmdfgds0.dll
c:\windows\system32\nmdfgds1.dll
c:\windows\system32\olhrwef.exe
D:\Autorun.inf
D:\sm.exe
H:\Autorun.inf
H:\d1vmq.exe
H:\sm.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_AVPsys


((((((((((((((((((((((((( Files Created from 2009-05-19 to 2009-06-19 )))))))))))))))))))))))))))))))
.

2009-06-19 02:42 . 2009-06-19 02:57 -------- d-----w- c:\documents and settings\Admin\Application Data\BSplayer PRO
2009-06-19 02:42 . 2009-06-19 02:42 -------- d-----w- c:\program files\Webteh
2009-06-18 23:32 . 2009-06-18 23:32 -------- d-----w- c:\documents and settings\All Users\Application Data\KONAMI
2009-06-18 23:29 . 2009-06-18 23:29 -------- d-----w- c:\program files\KONAMI
2009-06-18 12:51 . 2009-06-18 12:51 -------- d-----w- c:\program files\Trend Micro
2009-06-17 23:51 . 2009-06-17 23:51 603904 ----a-w- c:\windows\system32\TUProgSt.exe
2009-06-17 23:51 . 2008-11-12 14:44 27904 ----a-w- c:\windows\system32\uxtuneup.dll
2009-06-17 23:51 . 2009-06-17 23:51 362240 ----a-w- c:\windows\system32\TuneUpDefragService.exe
2009-06-17 23:51 . 2009-06-17 23:51 -------- d-----w- c:\documents and settings\Admin\Application Data\TuneUp Software
2009-06-17 23:51 . 2009-06-17 23:51 -------- d-----w- c:\documents and settings\All Users\Application Data\TuneUp Software
2009-06-17 23:51 . 2009-06-17 23:57 -------- d-----w- c:\program files\TuneUp Utilities 2009
2009-06-17 23:50 . 2009-06-17 23:50 -------- d-sh--w- c:\documents and settings\All Users\Application Data\{55A29068-F2CE-456C-9148-C869879E2357}
2009-05-23 23:06 . 2009-05-29 18:51 16 ----a-w- c:\windows\popcinfo.dat
2009-05-23 23:04 . 2009-05-23 23:04 -------- d-----w- c:\program files\PopCap Games

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-06-19 02:33 . 2009-04-16 20:30 27839 ----a-w- c:\windows\system32\nvModes.dat
2009-06-17 20:42 . 2009-05-16 23:10 139360 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2009-05-29 20:13 . 2009-04-13 08:29 -------- d-----w- c:\documents and settings\Admin\Application Data\Skype
2009-05-18 19:34 . 2009-04-07 16:39 86327 ----a-w- c:\windows\pchealth\helpctr\OfflineCache\index.dat
2009-05-18 19:05 . 2009-05-18 19:05 -------- d-----w- c:\documents and settings\All Users\Application Data\Nokia
2009-05-17 00:02 . 2009-05-17 00:02 -------- d-----w- c:\documents and settings\Admin\Application Data\Nseries
2009-05-16 23:58 . 2009-05-16 23:56 -------- d-----w- c:\documents and settings\All Users\Application Data\PC Suite
2009-05-16 23:58 . 2009-05-16 23:58 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_ccdcmb_01007.Wdf
2009-05-16 23:58 . 2009-05-16 23:58 0 ---ha-w- c:\windows\system32\drivers\MsftWdf_Kernel_01007_Coinstaller_Critical.Wdf
2009-05-16 23:56 . 2009-05-16 23:41 -------- d-----w- c:\documents and settings\Admin\Application Data\Nokia
2009-05-16 23:56 . 2009-05-16 23:14 -------- d-----w- c:\program files\Nokia
2009-05-16 23:53 . 2009-04-07 16:43 29096 ----a-w- c:\documents and settings\Admin\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-05-16 23:52 . 2009-05-16 23:52 -------- d-----w- c:\documents and settings\Admin\Application Data\PC Suite
2009-05-16 23:49 . 2009-05-16 23:49 -------- d-----w- c:\program files\Windows Media Connect 2
2009-05-16 23:40 . 2009-05-16 23:30 -------- d-----w- c:\program files\Common Files\Nokia
2009-05-16 23:40 . 2009-05-16 23:40 -------- d-----w- c:\program files\MSXML 6.0
2009-05-16 23:39 . 2009-05-16 23:39 -------- d-----w- c:\documents and settings\All Users\Application Data\Installations
2009-05-16 23:38 . 2009-05-16 23:38 -------- d-----w- c:\documents and settings\All Users\Application Data\NokiaMusic
2009-05-16 23:15 . 2009-05-16 23:15 -------- d-----w- c:\program files\DIFX
2009-05-16 23:10 . 2009-05-16 23:10 -------- d-----w- c:\program files\MSBuild
2009-05-16 23:10 . 2009-05-16 23:10 -------- d-----w- c:\program files\Reference Assemblies
2009-05-02 21:29 . 2009-04-16 14:46 96104 ----a-w- c:\windows\system32\drivers\avipbb.sys
2009-05-02 21:29 . 2009-04-16 14:46 55640 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2009-04-16 20:31 . 2009-04-16 20:31 315392 ----a-w- c:\windows\HideWin.exe
2009-04-13 11:11 . 2009-04-08 15:23 7156 ----a-w- c:\windows\system32\d3d9caps.dat
2009-04-13 08:45 . 2009-04-13 08:45 16608 ----a-w- c:\windows\gdrv.sys
2009-04-13 07:55 . 2009-04-13 07:55 10368 ----a-w- c:\windows\system32\drivers\pfc.sys
2009-04-11 09:35 . 2009-04-11 09:35 2974 ----a-w- c:\windows\opentargetdir.vbs
2009-04-08 15:24 . 2009-04-08 15:24 152576 ----a-w- c:\documents and settings\Admin\Application Data\Sun\Java\jre1.6.0_13\lzma.dll
2009-04-08 15:22 . 2009-04-08 15:22 152576 ----a-w- c:\documents and settings\Admin\Application Data\Sun\Java\jre1.6.0_12\lzma.dll
2009-04-08 15:02 . 2009-04-08 15:02 0 ----a-w- c:\windows\nsreg.dat
2009-04-07 16:37 . 2009-04-07 16:37 21640 ----a-w- c:\windows\system32\emptyregdb.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NokiaMServer"="c:\program files\Common Files\Nokia\MPlatform\NokiaMServer" [X]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2008-04-14 208952]
"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2008-04-14 59392]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2008-04-14 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2008-04-14 455168]
"IMEKRMIG6.1"="c:\windows\ime\imkr6_1\IMEKRMIG.EXE" [2008-04-14 44032]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-14 39792]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-09 148888]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-06-09 13537280]
"MGSysCtrl"="c:\program files\System Control Manager\MGSysCtrl.exe" [2007-11-21 180224]
"BisonHK"="c:\windows\BisonCam\BisonHK.exe" [2007-03-15 32768]
"BsMnt"="c:\windows\BisonCam\BsMnt.exe" [2007-03-15 172032]
"ITSecMng"="c:\program files\TOSHIBA\Bluetooth Toshiba Stack\ItSecMng.exe" [2007-09-28 75136]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]
"Nokia FastStart"="c:\program files\Nokia\Nokia Music\NokiaMusic.exe" [2009-02-26 2376992]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2008-06-09 1630208]
"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.exe [2008-02-13 16857600]
"AGRSMMSG"="AGRSMMSG.exe" - c:\windows\AGRSMMSG.exe [2006-06-29 89541]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Bluetooth Manager.lnk - c:\program files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe [2008-2-22 2938184]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"c:\\Program Files\\Nokia\\Nokia Home Media Server\\Media Server\\twonkymedia.exe"=
"c:\\Program Files\\Nokia\\Nokia Home Media Server\\Media Server\\twonkymediaserver.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\KONAMI\\Pro Evolution Soccer 2009\\pes2009.exe"=
"c:\\Program Files\\KONAMI\\Pro Evolution Soccer 2009\\Jelen Super Liga.exe"=

R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [16.4.2009 16:46 108289]
R2 NishService;SCM Driver Daemon;c:\program files\System Control Manager\edd.exe [16.4.2009 16:37 40960]
R2 NTPCI;NTPCI;c:\windows\system32\drivers\ntpci.sys [16.4.2009 22:33 5632]
R2 TuneUp.ProgramStatisticsSvc;TuneUp Program Statistics Service;c:\windows\system32\TUProgSt.exe [18.6.2009 1:51 603904]
R3 MGHwCtrl;MGHwCtrl;c:\windows\system32\drivers\MGHwCtrl.sys [16.4.2009 16:37 9088]
R3 O2MDRDR;O2MDRDR;c:\windows\system32\drivers\o2media.sys [16.4.2009 22:33 51160]
R3 O2SDRDR;O2SDRDR;c:\windows\system32\drivers\o2sd.sys [16.4.2009 22:33 43736]
S2 TwonkyMedia;TwonkyMedia;c:\program files\Nokia\Nokia Home Media Server\Media Server\TwonkyMedia.exe -serviceversion 0 --> c:\program files\Nokia\Nokia Home Media Server\Media Server\TwonkyMedia.exe -serviceversion 0 [?]
S3 usnjsvc;Messenger Sharing Folders USN Journal Reader service;c:\program files\Windows Live\Messenger\usnsvc.exe [18.10.2007 11:31 98328]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp
.
Contents of the 'Scheduled Tasks' folder

2009-06-19 c:\windows\Tasks\1-Click Maintenance.job
- c:\program files\TuneUp Utilities 2009\OneClickStarter.exe [2008-11-20 14:28]
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-Device Detector - DevDetect.exe


.
------- Supplementary Scan -------
.
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath -
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-06-19 17:51
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(2456)
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\ACD Systems\EN\DevDetect.exe
c:\program files\Common Files\Nokia\MPlatform\NokiaMServer.exe
c:\program files\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe
c:\program files\Toshiba\Bluetooth Toshiba Stack\TosBtHid.exe
c:\program files\Avira\AntiVir Desktop\avguard.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\nvsvc32.exe
c:\program files\O2Micro Flash Memory Card Driver\o2flash.exe
c:\program files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe
c:\windows\system32\wscntfy.exe
c:\program files\Nokia\PC Connectivity Solution\ServiceLayer.exe
c:\program files\Nokia\PC Connectivity Solution\Transports\NclUSBSrv.exe
c:\program files\Nokia\PC Connectivity Solution\Transports\NclRSSrv.exe
.
**************************************************************************
.
Completion time: 2009-06-19 17:53 - machine was rebooted
ComboFix-quarantined-files.txt 2009-06-19 15:53

Pre-Run: 63.718.907.904 bytes free
Post-Run: 63.645.462.528 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

193

evo i svezeg od HJTa :


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 17:59:42, on 19.6.2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16827)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\BisonCam\BisonHK.exe
C:\WINDOWS\BisonCam\BsMnt.exe
C:\Program Files\TOSHIBA\Bluetooth Toshiba Stack\ItSecMng.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\Common Files\ACD Systems\EN\DevDetect.exe
C:\Program Files\Common Files\Nokia\MPlatform\NokiaMServer.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHid.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\System Control Manager\edd.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\O2Micro Flash Memory Card Driver\o2flash.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe
C:\WINDOWS\System32\TUProgSt.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Nokia\PC Connectivity Solution\ServiceLayer.exe
C:\Program Files\Nokia\PC Connectivity Solution\Transports\NclUSBSrv.exe
C:\Program Files\Nokia\PC Connectivity Solution\Transports\NclRSSrv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [MGSysCtrl] C:\Program Files\System Control Manager\MGSysCtrl.exe
O4 - HKLM\..\Run: [BisonHK] C:\WINDOWS\BisonCam\BisonHK.exe
O4 - HKLM\..\Run: [BsMnt] C:\WINDOWS\BisonCam\BsMnt.exe
O4 - HKLM\..\Run: [ITSecMng] %ProgramFiles%\TOSHIBA\Bluetooth Toshiba Stack\ItSecMng.exe /START
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKLM\..\Run: [NokiaMServer] C:\Program Files\Common Files\Nokia\MPlatform\NokiaMServer /watchfiles
O4 - HKLM\..\Run: [Nokia FastStart] "C:\Program Files\Nokia\Nokia Music\NokiaMusic.exe" /command:faststart
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Bluetooth Manager.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=58813
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/wi...t/wuweb_site.cab?1239123065441
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: SCM Driver Daemon (NishService) - Unknown owner - C:\Program Files\System Control Manager\edd.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: O2Micro Flash Memory Card Service (o2flash) - O2Micro International - C:\Program Files\O2Micro Flash Memory Card Driver\o2flash.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\Nokia\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: TOSHIBA Bluetooth Service - TOSHIBA CORPORATION - C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe
O23 - Service: TuneUp Drive Defrag Service (TuneUp.Defrag) - TuneUp Software - C:\WINDOWS\System32\TuneUpDefragService.exe
O23 - Service: TuneUp Program Statistics Service (TuneUp.ProgramStatisticsSvc) - TuneUp Software - C:\WINDOWS\System32\TUProgSt.exe
O23 - Service: TwonkyMedia - PacketVideo - C:\Program Files\Nokia\Nokia Home Media Server\Media Server\TwonkyMedia.exe

--
End of file - 7183 bytes

skripta je automacki ocistila ostatke malware-a ,i logovi su sad cisti

Start / Run kucaj sledece:
Combofix /u

kao na slici

http://www.techsupportforum.co...ools/tetonbob/combofix%20u.JPG

to bi trebalo da je to,kakvo je sad stanje? nadam se lepim vestima

PS: nagomilan ti je sturtup,imas tune up program,pomocu njega iskljuci nepotrebne stvari koje nemaju potrebe da ti se dizu sa sistemom

e hvala ti brate puno! sad radi sve! :))
car si nema sta!
imam samo jos jedan problem, imam neki trojanac virus koji mi se i sad javlja, pa se samo bojim da nije od njega sav ovaj haos nastao!!

zove se TR/Crypt.Xpack.Gen Trojan C:\System Volume Information\_restore{DA9D20A6-7EC8-44B6-A3F1-6BAED82C0A37}\RP21\A0003391.dll
a drugi TR/PSW.OnlineGames.AAHA.4 Trojan C:\System Volume Information\_restore{DA9D20A6-7EC8-44B6-A3F1-6BAED82C0A37}\RP19\A0002196.sys

jel znas mozda kako da se toga rijesim???

znas kako...combofix log je cist,ti trenutno nemas aktivne infekcije u racunaru. a to sto ti javlja,nebrini se za to nista,to je obicna heruistika,resetuj sistem restore

znaci i ako mi javlja tog trojanca na tom jestu, nakon sto sam odradio posao sa kombofixom, mislis da nista nije zarazeno???

e da,i kako da resetujem sistem restore?

nekapiras:
ako i jeste to inficirani fajl, poenta je da ne moze sam da se vrati odatle.
Moze da se vrati odatle samo ukoliko vratis Restore Point u kojem se nalazi i maliciozni fajl.
http://en.wikipedia.org/wiki/Heuristic_analysis

nema razloga za brigu,samo resestuj system restore i to bi trebalo da je to:

Start > Control Panel > System
idi na System Restore tub
* Na System Restore kartici, stikliraj opciju Turn off System Restore on all drives
i klikni Apply,na pitanje odgovori sa Yes

Ukljucujes je isto tako samo sto je potrebno skinuti kvacicu (unistiklirati) Turn off System Restore on all drives

http://www.leeindy.com/SysRest...stem_restore_box_unchecked.gif


PS: uninstaliraj Combofix po uputstvu,on ce ti resetovati SR

_{[Ovu poruku je menjao magna86 dana 20.06.2009. u 19:27 GMT+1]}

E ovako imao si virus i mnogi su.

Ipak mora da se korisiti neki kvalitetan antivirus.
Uzrok je neki .inf fajl koji je napravio .exe fajl koji je promenio kljuc za Show hidden fajl.
I ti zli fajlovi su 'S'ystem 'h'idden 'r'ead-only i da bi se obrisali moraju da im se skinu ti attrib-uti -h -s -r.
Posto je previse dugacak listing registacionih kljuceva, neko ko je pisao gore treba samo da kaze koji od tih gore kljuceva
postavlja HIDDEN FAJLOVE VIDLJIVE WINDOWS EXPLORERU (Slicno onome show hidden files, ali nije bas to)
I tj kjuc valda treba da se setuje na '0'.
Javite i meni koji je to kljuc. .-)

Evo prilažem uz poruku potrebne reg fajlove.
Dovoljno je kliknuti na njih (jedan ili dva puta, zavisi kako je podešeno kao podrazumevano na nivou Windowsa) da se potrebni ključevi uvezu u Registry. Nakon restarta će sve opcije za podešavanje postavki foldera i fajlova postati ponovo dostupne...