[ bajic6 @ 24.06.2009. 11:16 ] @
[ Zoran Rodic @ 24.06.2009. 12:01 ] @
Start => Programs => Accessories and run CMD command prompt.
Type tasklist /SVC > list.txt, then go to C:\Documents and Settings\Your user name, copy the contents of the list.txt file and post it here.
[ bajic6 @ 24.06.2009. 13:05 ] @
Image Name                     PID Services
========================= ====== =============================================
System Idle Process              0 N/A
System                           4 N/A
smss.exe                       928 N/A
csrss.exe                     1008 N/A
winlogon.exe                  1032 N/A
services.exe                  1076 Eventlog, PlugPlay
lsass.exe                     1088 PolicyAgent, ProtectedStorage, SamSs
svchost.exe                   1260 DcomLaunch, TermService
svchost.exe                   1308 RpcSs
svchost.exe                   1360 AudioSrv, BITS, Browser, CryptSvc, Dhcp, dmserver, ERSvc, EventSystem, FastUserSwitchingCompatibility, helpsvc, HidServ, lanmanserver, lanmanworkstation, Netman, Nla, RasMan, Schedule, seclogon, SENS, SharedAccess, ShellHWDetection, srservice, TapiSrv, Themes, TrkWks, W32Time, winmgmt, wscsvc, wuauserv, WZCSVC
btwdins.exe                   1388 btwdins
svchost.exe                   1460 Dnscache
svchost.exe                   1536 LmHosts, RemoteRegistry, SSDPSRV, WebClient
spoolsv.exe                   1816 Spooler
acs.exe                       1864 ACS
explorer.exe                   224 N/A
PDVDServ.exe                   512 N/A
reader_sl.exe                  520 N/A
igfxtray.exe                   528 N/A
hkcmd.exe                      536 N/A
igfxpers.exe                   544 N/A
RTHDCPL.exe                    552 N/A
ACU.exe                        596 N/A
SynTPEnh.exe                   624 N/A
TrueImageMonitor.exe           644 N/A
igfxsrvc.exe                   652 N/A
TimounterMonitor.exe           668 N/A
schedhlp.exe                   684 N/A
nod32kui.exe                   692 N/A
AutorunRemover.exe             708 N/A
WMAAD.exe                      736 N/A
OrderReminder.exe              764 N/A
ctfmon.exe                     816 N/A
BTTray.exe                     888 N/A
RtkBtMnt.exe                  1620 N/A
aawservice.exe                1792 aawservice
schedul2.exe                  1944 AcrSch2Svc
agrsmsvc.exe                  1968 AgereModemAudio
LSSrvc.exe                    1776 LightScribeService
MDM.EXE                       1640 MDM
nod32krn.exe                   696 NOD32krn
svchost.exe                   1384 stisvc
TrueImageTryStartService.     1496 TryAndDecideService
alg.exe                       2364 ALG
wuauclt.exe                   3944 N/A
wmiprvse.exe                  3912 N/A
cmd.exe                       4084 N/A
tasklist.exe                  2740 N/A
wmiprvse.exe                  2784 N/A

Here it is.
[ Dashkes @ 24.06.2009. 14:25 ] @
Download the program HijackThis.
Once you have downloaded it, rename the file to anything, e.g. “destruct0.exe”. Run it and click “Do a system scan and save a logfile”. Copy that log here.
[ bajic6 @ 24.06.2009. 14:44 ] @
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 15:40:49, on 24.6.2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\acs.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ASUSTeK\ASUSDVD\PDVDServ.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Atheros\ACU.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe
C:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\AutorunRemover\AutorunRemover.exe
C:\Program Files\Sony\WALKMAN Launcher\WMAAD.exe
C:\Program Files\Hewlett-Packard\OrderReminder\OrderReminder.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\DOCUME~1\Korisnik\LOCALS~1\Temp\RtkBtMnt.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\WINDOWS\system32\agrsmsvc.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Acronis\Fomatik\TrueImageTryStartService.exe
C:\PROGRA~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE
C:\Documents and Settings\Korisnik\Desktop\kk.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\ASUSTeK\ASUSDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [AzMixerSel] C:\Program Files\Realtek\Audio\InstallShield\AzMixerSel.exe
O4 - HKLM\..\Run: [ACU] "C:\Program Files\Atheros\ACU.exe" -nogui
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [TrueImageMonitor.exe] C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe
O4 - HKLM\..\Run: [AcronisTimounterMonitor] C:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe
O4 - HKLM\..\Run: [Acronis Scheduler2 Service] "C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe"
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [AutorunRemover.exe] C:\Program Files\AutorunRemover\AutorunRemover.exe -Hide
O4 - HKLM\..\Run: [WMAAD] C:\Program Files\Sony\WALKMAN Launcher\WMAAD.exe
O4 - HKLM\..\Run: [OrderReminder] C:\Program Files\Hewlett-Packard\OrderReminder\OrderReminder.exe
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Bluetooth.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Send to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O8 - Extra context menu item: Transfer by Image Converter 3 - C:\PROGRAM FILES\SONY\IMAGE CONVERTER 3\menu.htm
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{296E3704-1DBC-42B0-9EE3-17457210F6F2}: NameServer = 195.222.32.10,195.222.32.20
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
O23 - Service: Atheros Configuration Service (ACS) - Atheros - C:\WINDOWS\system32\acs.exe
O23 - Service: Agere Modem Call Progress Audio (AgereModemAudio) - Agere Systems - C:\WINDOWS\system32\agrsmsvc.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: Image Converter SCSI Service (ICScsiSV) - Sony Corporation - C:\Program Files\Sony\IMAGE CONVERTER 3\ICScsiSV.exe
O23 - Service: IcVzMonLauncher - Sony Corporation - C:\Program Files\Sony\IMAGE CONVERTER 3\IcVzMonLauncher.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: Image Converter video recording monitor for VAIO Entertainment - Sony Corporation - C:\Program Files\Sony\IMAGE CONVERTER 3\IcVzMon.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: PACSPTISVR - Unknown owner - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: SonicStage Back-End Service - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SsBeSvc.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
O23 - Service: Acronis Try And Decide Service (TryAndDecideService) - Unknown owner - C:\Program Files\Common Files\Acronis\Fomatik\TrueImageTryStartService.exe

--
End of file - 7606 bytes

I should say that I tried ComboFix; it doesn't work.
[ Dashkes @ 24.06.2009. 15:27 ] @
Tick the following entries and click “Fix checked”:
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [AutorunRemover.exe] C:\Program Files\AutorunRemover\AutorunRemover.exe -Hide (if you did not install it yourself)

Also have a look at http://www.elitesecurity.org/p2298558

• Download and install the program Malwarebytes' Anti-Malware - http://www.malwarebytes.org/mbam-download.php
• Run it and perform an update (Update > Check for Updates); when it finishes, confirm with OK.
• After the update choose Scanner, tick Perform full scan and press Scan.
• When the scan finishes press OK, then Show Results to see the report.
• Check that all the files found are ticked (if they are not, select them), press Remove Selected and confirm with OK.
• The program will ask you to restart the computer; confirm that.
• After the malware has been removed from the computer you will also get a log file (report), which you should copy here.

Download the program Dr.Web CureIt!.
• After downloading, restart the computer in Safe Mode (while the computer is starting, keep pressing F8, and when the menu appears choose Safe Mode).
• Once Safe Mode has loaded, run Dr.Web CureIt!.
• When it starts, choose Start. It will automatically begin scanning the computer. Let it scan (that is the Express Scan).
• When it finishes scanning, choose the complete scan - Complete scan - and on the right-hand side press the Start Scanning button (it looks like a Play button). I must warn you that the complete scan can take several hours!

Show the CureIt! log, which is located in C:\Documents and Settings\USERNAME\DoctorWeb\
[ bajic6 @ 25.06.2009. 07:42 ] @
Malwarebytes' Anti-Malware 1.38
Database version: 2332
Windows 5.1.2600 Service Pack 2

25.6.2009 7:21:20
mbam-log-2009-06-25 (07-21-20).txt

Scan type: Full Scan (C:\|E:\|)
Objects scanned: 118597
Time elapsed: 14 minute(s), 49 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 3
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
c:\documents and settings\Korisnik\list.txt (Malware.Trace) -> Quarantined and deleted successfully.

As for the other one, pfft, there is as much of this as you could want. Anyway, it found 3 viruses and I deleted them. Do you want HijackThis again?
[This message was edited by bajic6 on 25.06.2009. at 09:06 GMT+1]
[ bajic6 @ 25.06.2009. 08:11 ] @
The problem is not solved.
Let me also ask: I have an image file, and if I did a system restore, would all of this be OK? A new system?
[This message was edited by bajic6 on 25.06.2009. at 09:21 GMT+1]
[ madcama @ 25.06.2009. 08:28 ] @
If the image is not infected, of course that is the solution.
For a while I stubbornly fought svchost.exe with Avira free. Whenever it threw up a message that it was svchost.exe, I hit delete, and let's see who outlasts whom. It is a bit irritating, but I no longer have problems either at work or at home. So if you really don't feel like restoring the image, try Avira. It helped me.
[ valjan @ 25.06.2009. 08:36 ] @
Did you pull that list of active processes while connected to ADSL or not? It is possible that it is some driver or some process that only becomes active while the connection is active, so it would be good to do what Zoran Rodic suggested both while you are connected and while you are not, so we can compare whether there is a difference.
Besides, an instruction at address X that tries to write data to that same address X sounds to me like very badly written software. Is that ADSL modem connected via USB or via a UTP cable and a network card? I have seen a great many bad drivers for the USB variants of both ADSL and cable modems, so if you use that variant, check the manufacturer's site for a newer driver version.
[ bajic6 @ 25.06.2009. 08:45 ] @
Quote: madcama: If the image is not infected, of course that is the solution. For a while I stubbornly fought svchost.exe with Avira free. Whenever it threw up a message that it was svchost.exe, I hit delete, and let's see who outlasts whom. It is a bit irritating, but I no longer have problems either at work or at home. So if you really don't feel like restoring the image, try Avira. It helped me.

Avira? My image file is on the E: partition. This has been happening to me ever since I plugged in an infected USB; the ADSL is connected via cable.

Quote: valjan: Did you pull that list of active processes while connected to ADSL or not? It is possible that it is some driver or some process that only becomes active while the connection is active, so it would be good to do what Zoran Rodic suggested both while you are connected and while you are not, so we can compare whether there is a difference. Besides, an instruction at address X that tries to write data to that same address X sounds to me like very badly written software. Is that ADSL modem connected via USB or via a UTP cable and a network card? I have seen a great many bad drivers for the USB variants of both ADSL and cable modems, so if you use that variant, check the manufacturer's site for a newer driver version.

I'm a layman when it comes to computers, so I don't quite understand this language ;) On the E: partition I have all sorts of things, about 30 GB of music. Could anything from the E: partition be lost? Could it be infected?
[ valjan @ 25.06.2009. 08:55 ] @
I don't know which part I need to "translate" for you :-)
First part: When you are not connected to ADSL, do the following:
Quote: Zoran Rodic: Start => Programs => Accessories and run CMD command prompt. Type tasklist /SVC > list.txt, then go to C:\Documents and Settings\Your user name, copy the contents of the list.txt file and post it here.
When you connect, do the same again, so we can compare the two lists.
Second part: Is the modem connected to the computer via a cable like this: http://en.wikipedia.org/wiki/Usb or like this: http://en.wikipedia.org/wiki/Rj-45
If it is the first one, tell us who the manufacturer of your ADSL modem is and which model it is (if it is not written on the top or front of the device, there is certainly a sticker on the underside).
[ bajic6 @ 25.06.2009. 08:59 ] @
No, it's not via USB.
Via that second thingy. Heh, this has gone far; I'm off to restore it, damn it.
[ bajic6 @ 25.06.2009. 09:11 ] @
Not restore, my mistake, ghost.
I'm off to ghost it; all the bad stuff goes to hell, right? Does everything get wiped?

Copyright (C) 2001-2025 by www.elitesecurity.org. All rights reserved.
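The comparison valjan suggested above (two tasklist /SVC captures, one taken with the ADSL link down and one with it up) as an added example that is not part of the thread: a small Python parser for tasklist /SVC output that reports image names and service names present in only one of the two captures, including the indented continuation lines tasklist uses when a service list wraps. The two captures and the service name hypothetical_svc are constructed sample data, not the poster's real output.

```python
import re
# Constructed samples in the layout "tasklist /SVC" prints (not the poster's
# real output). A long service list wraps onto an indented continuation line.
OFFLINE = """\
Image Name                     PID Services
========================= ======== ============================================
System Idle Process              0 N/A
svchost.exe                   1360 AudioSrv, BITS, Browser, CryptSvc, Dhcp,
                                   Schedule, wuauserv
nod32krn.exe                   696 NOD32krn
"""
ONLINE = """\
Image Name                     PID Services
========================= ======== ============================================
System Idle Process              0 N/A
svchost.exe                   1360 AudioSrv, BITS, Browser, CryptSvc, Dhcp,
                                   Schedule, wuauserv
svchost.exe                   2212 hypothetical_svc
nod32krn.exe                   696 NOD32krn
wuauclt.exe                   3944 N/A
"""
# image name (may contain spaces), PID, then the service field
ENTRY = re.compile(r"^(?P<image>\S.*?)\s+(?P<pid>\d+)\s+(?P<svcs>.*)$")

def _services(field):
    """Split a comma-separated service field; 'N/A' means no service."""
    return {s.strip() for s in field.split(",") if s.strip() and s.strip() != "N/A"}

def parse_tasklist_svc(text):
    """Map each image name to the union of services it hosts across all PIDs."""
    result, current = {}, None
    for line in text.splitlines():
        if not line.strip() or line.startswith(("Image Name", "=")):
            continue                      # blank, header or separator line
        if line[0].isspace():             # continuation of a wrapped service list
            if current is not None:
                result[current].update(_services(line))
            continue
        m = ENTRY.match(line)
        if m:
            current = m.group("image")
            result.setdefault(current, set()).update(_services(m.group("svcs")))
    return result

def diff_captures(offline, online):
    """Return (new images, vanished images, new services, vanished services)."""
    pa, pb = parse_tasklist_svc(offline), parse_tasklist_svc(online)
    sa, sb = set().union(*pa.values()), set().union(*pb.values())
    return (sorted(pb.keys() - pa.keys()), sorted(pa.keys() - pb.keys()), sorted(sb - sa), sorted(sa - sb))
```

Anything that shows up only in the online column (here the constructed wuauclt.exe and hypothetical_svc) is what to look at first when a problem appears only while the connection is up.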